TryHackMe Agent Sudo room walkthrough
This is a write up covering steps taken to solve a beginner level security challenge Agent Sudo room in TryHackMe platform.
This blog is written as part of task of Masters Certification in Red Team Program from HackerU.
Step 1 : Connect to TryHackMe and start target machine
- Download OpenVPN configuration setting from TryHackMe platform
- Connect to TryHackMe by running the command in kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start machine in ‘Agent sudo’ room — target ip address will be displayed in a minute.
Step 2 : Information gathering using Nmap
- Start nmap scan of the target ip:
nmap -A -O <target ip>
Step 3: Detailed Findings
21 : FTP
22 : SSH
80 : http
- Accessing port 80 http
View source code > No info found
2. Navigating to robots.txt > No details found
3. Using dirbuster to find directories and files > Found nothing interesting
4. Observing the message in port 80, used curl to get details
curl -A -L <targetip>
5. As the message suggest using own ‘user-agent’ and signature suggests that codename is alphabet, so trying to use curl with -A flag and different alphabets
curl -A “A” -L <targetip>
curl -A “B” -L <targetip>
curl -A “C” -L <targetip> found agent name chris
6. As FTP port open, trying to brute force using hydra to identified FTP credentials
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.208.107 ftp 21
7. Logging into FTP using above findings > Found 3 files > copied all 3 files to local machine
8. Opening the copied files
9. Based on above hint now tying to extract data from other 2 image files using stegextract.
Extracting files from images
binwalk cutie.jpg -e
Found _cutie.jpg.extracted > which had 4 files
Cracking .zip file using zip2john
zip2john 8702.zip >test.txt
cracking the hash in test.txt using john > found password to open zip file
Extracting 8702.zip using 7z
7z e 8702.zip
Found message to extract files from cute-alien.jpg
Used cyberchef to crack the hint.
Used steghide to extract hidden message
steghide extract -sf cute-alien.jpg
Found passowrd for agent james
10. Using above information for logging into SSH port with user james and found password > SSH logi successful
11. Found User_flag.txt
12. Checking for privileges, sudo -l
13. Got root access
sudo -u#-1 /bin/bash
With these steps, I was able to answer all questions posted in agent sudo room on TryHackMe.
Thank you for reading this blog..