sec👨‍💻fortress:~#

Defensive By Offensive!

Agent Sudo TRYHACKME


DIFFICULTY : EASY



A quick nmap scan shows that ports 21, 22 and 80 are open. Port 80 looks juicy: its http-title is Announcement.


Moving to the website, we get a message asking us to use a codename as the User-Agent to access some information on the site.

Changing the value of the User-Agent to C gave us some useful information.


Now we are known as chris. We have successfully enumerated our target and can now brute-force FTP on port 21 using hydra:

Syntax: sudo hydra -t 4 -l chris -P /usr/share/wordlists/rockyou.txt -vV 10.10.115.114 ftp

Log in to FTP with ftp chris@10.10.115.114 and mget the files.

We can run binwalk in order to see all the files embedded in each other.

We can see here that cutie.png has some zip archives. Extract the archives with binwalk -e cutie.png. After extraction we get a folder.

We get a zip file here and it requires a password. We can brute-force it with john, but first of all create a password hash with zip2john and then brute-force it.

We got a password again; use it on the 8702.zip.

Make sure to type the password at the end of the prompt and type yes. Now we have got a To_agentR.txt file; concatenating it gives us an output that says:

Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R

Great, we have got base64-encoded data, QXJlYTUx. Just run echo QXJlYTUx | base64 -d in your terminal to decode it.

I think this should be the password to a steg .jpg file. Remember the files we got from FTP: we have another image file, so let's try it out.

Time to log in through SSH (port 22).

We got the user flag and an image. We are asked to look up the image 🙃


Privilege Escalation


Tested this by getting a reverse shell using GTFOBins.

Happy Hacking🥱