Scanning and enumerating
Accessing the website, we see an announcement for the agents.
So, after trying to change the user agent in Firefox, i came across some issues. Contacting the box creator, he told me there was a problem with Firefox. Therefore, i used Chromium and i installed the User Agent Switcher plugin. I started to change the user agent to A, B, then, when i changed it to C this popped up.
Hmm… ok. Now i have a username (chris), and i also get to know that he uses a weak password. The first thing to do was to attack FTP by bruteforcing it as follows.
I logged into FTP server and retrieved the found files (don’t forget to use passive mode).
By viewing the content designated for agent J i find out that there are files inside the images (stenography).
I ran steghide and exiftool against the images and nothing came up. Bun when i tried binwalk, i found a zip file inside one of the images.
I use zip2john, and then john to crack the zip file hash.
After cracking the zip file, i extract the content and view the file for agent R.
I decoded the base64 string and extracted the file from the other image.
Let’s log in into the SSH with
By enumerating the box a little bit, i found that i have sudo right for using bash.
I also knew about a sudo vulnerability which might work, so i gave it a try and successfully prompted a root shell.
And that was it. Pretty easy, you’d just need some patience.