Agent Sudo

Abusing User-agent - Password Cracking - Binwalk - 7zip - Steghide - SSH access - Sudo vulnerability

Initial Enumeration

  • There were three ports open - 21, 22 and 80

  • Enumerating port 80 leaves us a tricky message saying

Agents,
		Use your Codename to get redirected as ur user-agent

with regards,
Agent R
  • So it's clear that we'll have to modify our User-Agent, but to what?

  • The agent who left this message signs with a single letter as the codename: Agent R

  • So why not brute-force every letter of the alphabet as our User-Agent? C gets approved

  • Now we get redirected to C_attention.php page

  • It leaves us another message saying

Chris,
		blah blah blah ..... ur password is too weak, change it 
with regards,
Agent R
  • We got another username, chris, so let's brute-force his password for FTP access using rockyou.txt

  • We could successfully log in through FTP and used mget * to download all the jpg, png and .txt files

  • When we ran binwalk on cutie.png, it showed an embedded zip archive; we extracted it using the -e switch and saw there's another directory which had another zip file

  • Used 7zip to extract it, but it requires a password

  • Using zip2john we could find the password - an md5 text which, when decrypted, gave us the text Area51

  • When we tried steghide on cute-alient.jpg it asked for a passphrase, and area51 was the apt one

  • It gave us SSH login access for the user james

Privilege Escalation

  • The sudo list command gave us

(ALL , !root) /bin/bash
  • Googling this phrase quickly led us to a sudo vulnerability

  • Checked the sudo version on the system and it was vulnerable to CVE-2019-14287

sudo -u \#$((0xffffffff)) /bin/bash
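
A defender-side check for the issue above, as an added example that is not part of the original write-up: it flags sudoers rules of the (ALL, !root) form, upstream sudo versions older than 1.8.28 (the release that fixed CVE-2019-14287), and sudo log entries run as uid -1 or 4294967295. The sudoers lines, log lines, version string and function names are constructed for illustration, and the log layout is assumed to be sudo's default syslog format.

```python
import re

FIXED_IN = (1, 8, 28)  # sudo release that fixed CVE-2019-14287

# Constructed sample inputs for this example (not taken from the target box).
SUDOERS = """\
james ALL=(ALL, !root) /bin/bash
chris ALL=(ALL) /usr/bin/less
%ops  ALL=(root) NOPASSWD: /usr/bin/systemctl
"""
AUTH_LOG = """\
Oct 29 21:20:01 box sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash
Oct 29 21:21:13 box sudo:    chris : TTY=pts/1 ; PWD=/home/chris ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Oct 29 21:22:40 box sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#4294967295 ; COMMAND=/bin/bash
"""


def version_is_vulnerable(version_text):
    """True when the upstream version number predates 1.8.28.
    Distribution packages may backport the fix, so treat this as a hint."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if m is None:
        raise ValueError(f"no sudo version found in {version_text!r}")
    return tuple(int(part) for part in m.groups()) < FIXED_IN


def risky_runas_rules(sudoers_text):
    """Return rules whose Runas user list is ALL minus root via negation."""
    hits = []
    for line in sudoers_text.splitlines():
        m = re.search(r"=\s*\(([^)]*)\)", line)
        if m is None:
            continue
        # Runas spec is "users[:groups]"; only the user list matters here.
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append(line.strip())
    return hits


def suspicious_runas_ids(log_text):
    """Return (invoking user, target uid, command) for runs as -1 or 4294967295."""
    pattern = re.compile(r"sudo:\s+(\S+) : .*USER=#(-1|4294967295) ; COMMAND=(.*)")
    return [m.groups() for m in pattern.finditer(log_text)]


if __name__ == "__main__":
    print(version_is_vulnerable("Sudo version 1.8.21p2"))  # constructed version string
    print(risky_runas_rules(SUDOERS))
    print(suspicious_runas_ids(AUTH_LOG))
```
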
