TryHackMe Agent Sudo

Hello Everyone! Today we are going to solve the TryHackMe machine Agent Sudo

Firstly, connect to the THM machine using VPN and start the machine

Start with Nmap scan to find out the open ports and services running on the machine

Note: If you are running as root, you don’t need to use sudo command

nmap -Pn 10.10.113.154

Perform the advance scan to find out the service versions running on the system

Let’s check the IP-address in the browser to find the details in webpage

In the hint we got that we need to manipulate the response, we can either use Burpsuite or in the browser

We got the hidden message in the response and we got the user name of the user

Now, we will use hydra to brute force the FTP using hydra tool and we got the password for the user “Chris”. Now, login inside the FTP

We can download the text file and check the information in the text file and download all the image files also, they might have some hidden information

The first image doesn’t have any information in it and check the second image

We have some information in the text file

In the third image we can see some data that is hidden inside a zip file

We extracted the image and we can see the file name as _cutie.png.extracted

Inside the folder we can see another zip file and now we will unzip it

The unzip was failed because it says wrong password. Now,we will convert the file to john.txt to brute using john tool

Now we have the password for the zip file and we will try to unzip it

We have successfully extracted the file and we will check the data inside the file

Previously this file contains no data. After we gave the correct password and extracted the file. We got some information inside and it looks like a hash value, use hash analyzer and find the hash type and we found it is base64

Decode it!

Now, try to extract the data from the image files, this image contains a message.txt and check the information inside the file

Here, we got the login password as “hackerrules!” and it gave the username as “james” in the message. Now, try to login with the SSH

We successfully got the shell and check for the user file permission

It says “/bin/bash” . Now, check for the exploit in the internet and we found in the Exploit-DB

Check the sudo version in the system and verify with the exploit

Copy the payload from the internet and paste it and execute

We escalated the privileges and got the user_flag.txt. Now navigate to the root directory to find the root flag

This concludes the room and both flags have been captured!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store