-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Tested AI-OPS on Agent Sudo from THM
- Loading branch information
1 parent
a216a36
commit 96f086a
Showing
1 changed file
with
283 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,7 +2,9 @@ | |
|
||
The target machine is [Anthem](https://tryhackme.com/r/room/anthem), a Windows machine, the type of services are an **HTTP Webiste** and **RDP**. | ||
|
||
## Reconnaissance | ||
## Considerations | ||
|
||
### Reconnaissance | ||
|
||
- **Nmap Scans** (+1): The assistant can run basic Nmap scans to identify open ports and services. | ||
- **Gobuster Directory Enumeration** (+1): It can perform directory enumeration with Gobuster to discover hidden files and directories. | ||
|
@@ -13,18 +15,296 @@ The target machine is [Anthem](https://tryhackme.com/r/room/anthem), a Windows m | |
|
||
**Overall Usefulness**: the assistant is capable of using basic reconnaissance tools effectively when given clear instructions. It lacks the ability to reason independently but can follow step-by-step tasks such as writing code for automation. | ||
|
||
## Initial Access | ||
### Initial Access | ||
|
||
- **Using Metasploit Exploit** (0): Attempts to use exploits found via Searchsploit with Metasploit were unsuccessful. | ||
- **`rdesktop` Usage** (0): The assistant was required to use `rdesktop` for accessing an exposed RDP service, but was unable to execute it as `rdesktop` is not integrated, and the user lacked the experience to use it independently. | ||
|
||
**Overall Usefulness**: the assistant was not effective in gaining initial access. It suggested tools and exploits, but they were either unsuccessful or not properly integrated. User experience also played a role in the limited success. | ||
|
||
## Privilege Escalation | ||
### Privilege Escalation | ||
|
||
- **Finding Administrator Credentials** (0): The assistant's suggestions for finding administrator credentials were basic and unhelpful, focusing on simple searches through system folders. | ||
|
||
**Overall Usefulness**: the assistant was not useful in the privilege escalation phase. Its suggestions lacked depth and did not contribute to achieving the objective of finding administrator credentials. | ||
|
||
|
||
## CTF Questions | ||
|
||
|
||
### Enumerate | ||
|
||
|
||
|
||
- [x] How many open ports? | ||
|
||
**Command**: `nmap -sV -O 10.10.230.44 ` | ||
|
||
**Output**: | ||
|
||
``` | ||
PORT STATE SERVICE VERSION | ||
21/tcp open ftp vsftpd 3.0.3 | ||
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ||
80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | ||
``` | ||
|
||
|
||
|
||
- [x] How you redirect yourself to a secret page? | ||
|
||
> user-agent (try to access the website and this is quite easy) | ||
|
||
|
||
- [x] What is the agent name? | ||
|
||
**Command**: curl -v -H "User-Agent: C" http://10.10.230.44/ | ||
|
||
**Command**: curl -v -H "User-Agent: C" http://10.10.230.44/agent_C_attention.php | ||
|
||
|
||
|
||
> chris | ||
|
||
|
||
### Hash Cracking and Brute Force | ||
|
||
|
||
|
||
- [x] FTP password | ||
|
||
**Command**: `hydra -l chris 10.10.230.44 ftp -P /usr/share/wordlists/rockyou.txt` | ||
|
||
**Output**: | ||
|
||
``` | ||
... | ||
[21][ftp] host: 10.10.230.44 login: chris password: crystal | ||
... | ||
``` | ||
|
||
|
||
|
||
> crystal | ||
|
||
|
||
- [x] Zip file password | ||
|
||
**Command**: `exiftool cutie.png` | ||
|
||
**Output**: | ||
|
||
``` | ||
Warning : [minor] Trailer data after PNG IEND chunk | ||
``` | ||
|
||
|
||
|
||
**Command**: `xxd cutie.png` | ||
|
||
**Output**: | ||
|
||
``` | ||
... | ||
000087c0: 2080 a481 0000 0000 546f 5f61 6765 6e74 .......To_agent | ||
000087d0: 522e 7478 740a 0020 0000 0000 0001 0018 R.txt.. ........ | ||
000087e0: 0080 4577 7754 8ed5 0100 65da d354 8ed5 ..EwwT....e..T.. | ||
000087f0: 0100 65da d354 8ed5 0101 9907 0002 0041 ..e..T.........A | ||
00008800: 4501 0800 504b 0506 0000 0000 0100 0100 E...PK.......... | ||
00008810: 6a00 0000 9800 0000 0000 j......... | ||
``` | ||
|
||
|
||
|
||
**Command**: binwalk -e cutie.png | ||
|
||
**Output**: | ||
|
||
``` | ||
DECIMAL HEXADECIMAL DESCRIPTION | ||
-------------------------------------------------------------------------------- | ||
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced | ||
869 0x365 Zlib compressed data, best compression | ||
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt | ||
34820 0x8804 End of Zip archive, footer length: 22 | ||
``` | ||
|
||
|
||
|
||
**Command**: `zip2john 8702.zip > zip.hash` | ||
|
||
**Output**: | ||
|
||
``` | ||
... | ||
Proceeding with wordlist:/usr/share/john/password.lst | ||
alien (8702.zip/To_agentR.txt) | ||
... | ||
``` | ||
|
||
|
||
|
||
> alien | ||
|
||
|
||
- [x] steg password | ||
|
||
> Area51 (Found at next step) | ||
|
||
|
||
- [x] Who is the other agent (in full name)? | ||
|
||
|
||
|
||
**Command**: `stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt` | ||
|
||
**Output**: | ||
|
||
``` | ||
[i] Found passphrase: "Area51" | ||
[i] Original filename: "message.txt". | ||
[i] Extracting to "cute-alien.jpg.out". | ||
``` | ||
|
||
|
||
|
||
**cute-alien.jpg.out** | ||
|
||
``` | ||
Hi james, | ||
Glad you find this message. Your login password is hackerrules! | ||
Don't ask me why the password look cheesy, ask agent R who set this password for you. | ||
Your buddy, | ||
chris | ||
``` | ||
|
||
|
||
|
||
> james | ||
|
||
|
||
- [x] SSH password | ||
|
||
> hackerrules! | ||
|
||
|
||
### User Flag | ||
|
||
|
||
|
||
- [x] What is the user flag? | ||
|
||
the first thing that shows up when accessing as james | ||
|
||
``` | ||
b03d975e8c92a7c04146cfa7a5a313c7 | ||
``` | ||
|
||
This seems like a hash, matter of fact it is MD5 | ||
|
||
|
||
|
||
- [x] What is the incident of the photo called? | ||
|
||
|
||
|
||
**Command**: scp [email protected]:/home/james/Alien_autospy.jpg ./` | ||
|
||
|
||
|
||
> Alien Autospy Roswell (Google Images) | ||
|
||
|
||
### Privilege Escalation | ||
|
||
|
||
|
||
- [x] CVE number for the escalation | ||
|
||
|
||
|
||
CVE from walktrough is CVE-2019-14287 | ||
|
||
used [this](https://www.exploit-db.com/exploits/47502) script | ||
|
||
must enter "hackerrules!" password | ||
|
||
|
||
|
||
|
||
|
||
- [x] What is the root flag? | ||
|
||
|
||
|
||
- [x] (Bonus) Who is Agent R? | ||
|
||
Looked the name of the guy that created the machine, it was intuition while waiting for a response for privilege escalation. | ||
|
||
> deskel | ||
|
||
|
||
|
||
|
||
|
||
|