Agent Sudo
Abusing User-agent - Password Cracking - Binwalk - 7zip - Steghide - SSH access - Sudo vulnerability
Initial Enumeration
There were three ports open - 21, 22 and 80.
Enumerating port 80 leaves us a tricky message saying:
Agents,
Use your Codename to get redirected as ur user-agent
with regards,
Agent R
So it's clear that we'll have to modify our user-agent, but to what?
The agent who left this message had a single letter as a codename, R (Agent R), so why don't we bruteforce every letter of the alphabet as our User-agent? C gets approved.
Now we get redirected to the C_attention.php page.
It leaves us another message saying:
Chris,
blah blah blah ..... ur password is too weak, change it
with regards,
Agent R
We got another username, chris, so let's bruteforce his password for ftp access using rockyou.txt.
We could successfully log in through ftp and mget * all the jpg, png and .txt files.
When we used binwalk on cutie.png, it had an embedded zip archive. Using the -e switch we extracted it and saw there's another directory which had another zip file.
Used 7zip to extract it, but it requires a password.
Using zip2john we could find the password - md5 text which, when decrypted, gave us the text Area51.
When we tried to use steghide on cute-alient.jpg it asked for a passphrase, and area51 was the apt one.
It gave us the ssh login access for the user james.
Privilege Escalation
The sudo list command gave us:
(ALL , !root) /bin/bash
Quickly googled this phrase and it led us to a sudo vulnerability.
Checked the sudo version on the system and it was vulnerable to CVE-2019-14287.
sudo -u \#$((0xffffffff)) /bin/bash
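A defender's view of the same finding, as an added example that is not part of the original write-up: it flags Runas lists of the (ALL , !root) shape, checks whether a sudo version predates 1.8.28 (the release that fixed CVE-2019-14287), and scans sudo log lines for numeric run-as IDs that wrap to -1. The function names, version strings and log lines are constructed, and the log format assumes sudo records the requested run-as user in the USER= field as typed.

```python
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28

def parse_version(text):
    """Turn '1.8.21p2' into (1, 8, 21); the patch suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_is_vulnerable(text):
    return parse_version(text) < FIXED_IN

def runas_is_risky(runas_spec):
    """True for Runas lists that allow ALL while excluding root, e.g. '(ALL , !root)'."""
    users = [u.strip() for u in runas_spec.strip("() ").split(":")[0].split(",")]
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)

# Assumption: the run-as target appears in the USER= field exactly as it was typed.
USER_FIELD = re.compile(r"\bUSER=#(-?\d+)\b")

def wraps_to_minus_one(uid_text):
    """-1 and 4294967295 are the same 32-bit value, which setresuid() reads as 'no change'."""
    value = int(uid_text)
    return value == -1 or value == 0xFFFFFFFF

def suspicious_lines(log_lines):
    hits = []
    for line in log_lines:
        m = USER_FIELD.search(line)
        if m and wraps_to_minus_one(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample data (not taken from the target machine).
SAMPLE_LOG = [
    "sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=#4294967295 ; COMMAND=/bin/bash",
    "sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash",
    "sudo: chris : TTY=pts/1 ; PWD=/home/chris ; USER=#1001 ; COMMAND=/usr/bin/id",
    "sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    print("risky Runas:", runas_is_risky("(ALL , !root)"))
    print("1.8.21p2 vulnerable:", version_is_vulnerable("1.8.21p2"))
    for hit in suspicious_lines(SAMPLE_LOG):
        print("ALERT", hit)
```

Upgrading sudo to 1.8.28 or later closes the hole; until then, a Runas list that names the permitted users explicitly instead of ALL with a !root exclusion avoids the pattern.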