Agent Sudo

Tools Used:

Environment:

I deployed the machine to get its IP address, then ran an Nmap scan against it. Three services were open: FTP on port 21, SSH on port 22, and Apache on port 80.

1. First Look Through The Website

The webpage on port 80 displayed a message from a character called "Agent R." With nothing else to go on, I ran Gobuster against the site to enumerate hidden directories, but it didn't turn up anything useful.

The challenge hinted at impersonating a different agent, so I used Burp Suite to intercept a request to the site and edit the User-Agent header. Since the page referred to "Agent R," I guessed the agents were named after letters of the alphabet — giving me at most 26 values to try rather than an open-ended guess.

After a few attempts, one response came back with a different header pointing to a PHP page I hadn't found through Gobuster. That page revealed Agent C's real name — Chris — along with a note that he needed to change his password.

2. Finding Credentials

With a confirmed username, I used Hydra against the FTP service with the username chris and the rockyou.txt wordlist:

This cracked the password as crystal. Logging into FTP with those credentials, I downloaded three files.

One was a text file referencing steganography, which pointed me toward a hidden zip archive embedded inside one of the photos. I extracted the hash from the password-protected zip using zip2john, then cracked it with John the Ripper:

That cracked to the password alien. Inside the archive was a base64-encoded string, which I decoded to get area51. That turned out to be the Steghide passphrase, which I used to extract a hidden file from the image containing Agent J's name and password:

3. Accessing the Remote Machine

I used those credentials to log in over SSH and quickly located the user flag. There was also a photo file on the box, which I pulled across to my Kali VM with scp:

The image turned out to be a (fake) photo of the Roswell alien autopsy.

Checking sudo -l showed the user had limited sudo rights. GTFOBins didn't have anything applicable for the binaries listed, so I searched Exploit-DB instead and found a match: CVE-2019-14287, a sudo vulnerability affecting versions before 1.8.28. It allows a user with sudo rights restricted via a "deny this user" rule (!root) to bypass that restriction by specifying a user ID of -1 or 4294967295, which sudo incorrectly resolves to root.

That dropped me into a root shell, where I found the final flag.