Agent Sudo

Abusing User-agent - Password Cracking - Binwalk - 7zip - Steghide - SSH access - Sudo vulnerability

Initial Enumeration

• There were three ports open - 21, 22 and 80

• Enumerating the port 80 leaves us a tricky message saying

Agents,
		Use your Codename to get redirected as ur user-agent

with regards,
Agent R

• So it's clear that we'll have to modify our user-agent, but to what ?

• Since the agent who left this message had a Alphabet in the end as R - Agent R

• So why don't we bruteforce all the alphabets in our User-agent? - C gets approved

• Now we get redirected to C_attention.php page

• It leaves us another message saying

Chris,
		blah blah blah ..... ur password is too weak, change it 
with regards,
Agent R

• We got another userame chris so lets bruteforce his password for ftp access using rockyou.txt

• We could successfully log in thru ftp and mget * all the jpg, png and .txt files

• When we use binwalk on cutie.png - It had some embeded zip archive using the -e switch we extracted and saw there's another directory which had another zip file

• Used 7zip to extract it - but requires a password

• Using zip2john we could find the password - md5 text which when decrypted gave us a text Area51

• When we try to use steg-hide on cute-alient.jpg it asked for a passphrase and area51 was the apt one

• It gave us the ssh user login access for the user james

Privilege Escalation

• Using the sudo lists command, gave us

(ALL , !root) /bin/bash

• Quickly googled this phrase and it led us to a sudo vulnerability

• Checked the sudo version on the system and it was vulnerable to the CVE-2019-14287

sudo -u \#$((0xfffffffff)) /bin/bash