{THM}Agent Sudo
Last updated
Welcome to another THM exclusive CTF room. Your task is simple, capture the flags just like the other CTF room. Have Fun! If you are stuck inside the black hole, post on the forum or ask in the TryHackMe discord.
Basic enumeration to find any open ports.
It shows 3 open ports. Let's move on to port 80.
Since we notice the site is accessed using a codename, let's open Burp Suite and change the User-Agent
to Agent C. (I tried R and random letters abcd..) Only C shows another directory.
Next we proceed to that directory in the browser.
We get some hints here: a possible username chris, and agent R reminding chris to change the password because it is a weak one. So let's proceed to brute-force.
In this case, I will use hydra to brute-force it.
hydra -l <usrname> -P <path/list/password> <THM_Machine> <port>
We get access to FTP. Let's see what is there.
I did some basic steganography checks and noticed both images have embedded files. Let's extract them; the other image needs a password.
It contains another zip. This time it requires a password. Let's brute-force again, using zip2john to extract the hash, then crack the hash using john.
zip2john <filename> > <outputname>
john <outputname>
It looks like base64, so let's decode it. If you are not sure, you can use CyberChef.
echo <text> | base64 -d
Let's move to the other image, this time with the password, since earlier agent R said this image contains a password.
Now that we have the username:password, let's log in via SSH.
Let's find our objective. We get our first flag here.
Next, moving on to privilege escalation.
Next we check the user's sudo permissions.
This means the user can run the binary /bin/bash as any user.
Exploit it using CVE-2019-14287
Best advice: always keep your software components updated. In this case, the installed sudo version is vulnerable.
CVE-2019-14287: sudo is a Linux program used for delegating privileges. Versions of sudo before 1.8.28
allow a malicious user to execute arbitrary commands as root even when root access is disallowed.
This happens in the sudo security policy configuration (sudoers), where the user's sudo permissions are configured.
This means James is allowed to run the bash command as any user except root, which is supposed to prevent the user from gaining access as root.
However, security researchers found that the function fails to parse all values correctly: the user ID -1 is resolved to root, which bypasses the security policy entry set above.
sudo -u#-1 id -u
OR
sudo -u#-1 /bin/bash
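As an added defensive example (not part of this writeup or the room), the Python below checks the three things a defender cares about for this issue: whether the installed sudo version predates the 1.8.28 fix, whether a sudoers file uses the (ALL, !root) pattern that the bug turns into a root grant, and whether sudo log lines show a request for an out-of-range numeric target uid. The sudoers entries and log lines are constructed samples, and the log format assumes the standard syslog line that sudo writes.

```python
import re

# Constructed sudoers entries for illustration (not from the room's machine).
SAMPLE_SUDOERS = """\
# weak: bash as any user except root; on sudo < 1.8.28 the !root is bypassable
james ALL=(ALL, !root) /bin/bash
# safer: allow-list the exact target user instead of negating root
james ALL=(www-data) /usr/bin/systemctl restart apache2
root ALL=(ALL:ALL) ALL
"""

# Constructed syslog-style sudo lines; sudo logs the requested target user verbatim.
SAMPLE_AUTH_LOG = """\
Oct 20 10:01:02 host sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash
Oct 20 10:02:15 host sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=www-data ; COMMAND=/usr/bin/systemctl restart apache2
"""

def is_vulnerable(version: str) -> bool:
    """True when sudo predates 1.8.28, the first release with the fix ('1.8.21p2' -> (1, 8, 21))."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(x) for x in m.groups()) < (1, 8, 28)

# Runas list that grants every user and then negates root, e.g. (ALL, !root)
RUNAS_DENY_ROOT = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")

def weak_runas_entries(sudoers: str) -> list[str]:
    """Return non-comment sudoers lines that rely on '!root' inside a Runas list."""
    hits = []
    for line in sudoers.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and RUNAS_DENY_ROOT.search(line):
            hits.append(line)
    return hits

# A numeric target uid that is negative or beyond the 32-bit uid range is never legitimate.
TARGET_UID = re.compile(r"USER=#(-?\d+)")

def suspicious_sudo_events(log: str) -> list[str]:
    """Return sudo log lines whose requested numeric target uid is outside the valid range."""
    out = []
    for line in log.splitlines():
        m = TARGET_UID.search(line)
        if m and not (0 <= int(m.group(1)) < 2**32 - 1):
            out.append(line)
    return out
```

The version check is the real fix (upgrade sudo); the sudoers check and the log check are there because a negated-root Runas list is a weak design even on patched hosts, and the log pattern is what an analyst would hunt for after the fact.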