How's it going everybody? My name is John Hammond. In this video, I want to tackle the Agent Sudo room from TryHackMe. So let's jump on over to my screen. I will go ahead and, I am joined in the room here. So let's go and deploy the machine. Let that spin up. It says: "Welcome to another THM exclusive CTF room. Your task is simple, capture the flags just like any other CTF room. Have fun! If you're stuck inside the black hole, post in the forum or ask in the TryHackMe Discord."

Okay, we need to deploy the machine. Looks like we've done that. I have the IP address here. So I'm gonna go fire up my terminal here. I'll get into my CTF TryHackMe directory and I will sudo openvpn my account so I can connect to their network. This is a free room, so you should be able to access it without being subscribed. I'm using my account that is not subscribed. And I'll make a directory here for Agent Sudo, hop over there, and I'll create a simple README so we have a place to store our notes. I'll also clear out some of all my other stuff from previous recordings. We don't need those, but let's go ahead and add this stuff in here. And I'll export my IP address as what it has given us, so we have that as a variable we can access within our shell. Great.

We have deployed the machine. Let's see if it's hit up already. I guess still taking some time. No matter. "Enumerate": how many ports are open on the machine? Okay, so it looks like we'll go ahead and run nmap once he's up and available. I am still connected to him just fine, right? Yep. All right, I'll stand by until I can see pings.

Okay, it looks like he is up and running now. So let's go ahead and make an nmap directory. I will nmap tack sC tack sV. That's fine. I needed to do that.
Anyway, it's really hard to type with a microphone in the way. Tack oN nmap initial, and let's do my IP address. Let's make this verbose so I can see really what it's doing, if it finds any ports. 21, 80 and 22. Okay, good to know. So if 80 is open then we can go poke around with it on the website, and I'll do our basic enumeration here. Are those the only three ports that we have to work with? It looks like it. So let's say there are three open ports. That is the correct answer.

How do you redirect yourself to a secret page? Well, we have this IP address, so let's go check it out in the web browser here. It says: "Dear agents, use your own codename as a user-agent to access the site. From, Agent R." Okay, it looks like that's literally all that is in the page here. Let's go ahead and Nikto this. HTTP, this guy. Get him spun up. I guess I'll also run a little DirBuster for good measure, just because. Hey, opt directory, and the URL should be this guy. Let's go look for extensions: PHP, SH, HTML, JavaScript, CSS, Python, CGI, blah blah blah. Let's see if that gets any hits.

And while that's scanning we can kind of read it. What we should really be doing: "use your own codename as a user-agent to access the site. From, Agent R." So I'm assuming the codename is referring to agent and then some letter, I guess. So... did I do that wrong or no, I guess I just didn't care, whatever. Let's go ahead and try that technique then. So let's curl that page. Yep. Use your own username or use your secret agent name. So let's go ahead and supply a header with curl. I'll say User-Agent can be agent, like, A, right? That returns nothing. Username agent B, that returns nothing different. Username C. Codename as a user-agent. Should it be, like, lowercase? I wish it would tell me. Agent A without a space or something. Agent B. "Use your own codename as a user-agent to access the site." Are there any other links that I'm supposed to be accessing?
I wish I knew. Agent, lowercase agent, A, B and C. Maybe it's just the letters themselves. This is taking some time to respond. I feel like I'm just, like, hammering the box on accident. So agent A, like the letter itself. Why is it taking so long? Is the page still there? Is the site still up? Come on, Agent Sudo. All right, I guess I'll pause until that returns.

Okay, I went ahead and stopped Nikto because maybe that was beating it up. And if I'm using user agent A, user agent B, user agent C, all these, I could write a script to brute force these, but that question is asking: how do you redirect yourself to a secret page? Oh, oh. If it's getting a redirect, then I guess I should probably include the user agent, tack... oh, like tack L in curl so it redirects things. Maybe I was wrong all along throughout all that. User agent B, now following redirects. User agent C. Oh, okay, cool. Now we got a result: "Attention Chris, do you still remember our deal? Please tell Agent J about our stuff ASAP. Also, change your dang password. It's weak. From, Agent R." So Chris looks like a potential username.

That is the redirect we've been using. I guess that's how we redirect your secret page. User-agent. Is that what we need to submit here? Okay, cool. What is the agent name? Yes, it is Chris, theoretically. That's good.

"Hash cracking and brute force. Done enumerating the machine? Time to brute your way out." Okay. So looks like it needs an FTP password.
So if we know our username is chris from this here... that was kind of a strange way to figure that out. But let's go ahead and start with Hydra. So Hydra is great because it'll tell us kind of some syntax here, but we just need a schema there. So hydra tack l chris is our name. We'll use opt rockyou to go ahead and hammer stuff, and let's put it at FTP on the IP address. And let that guy go. So I guess I'll pause until we get some hits.

I guess we could also actually just try and hammer some of the other services too, because that account might work just as well on SSH. I should grab the IP address if I'm going to use that. So let's set that up: hydra, chris, rockyou. And if that is all on FTP, can we actually netcat to that? Can I poke around at that netcat interface? So let's netcat, or FTP, I suppose, just to run the client itself over to the IP address. Looks like it's connecting. Chris. I guess we should try, like, basic baby password. No. Maybe... gosh, this machine is kind of frustrating to use because it's so slow. I guess I should be on my subscribed account. Um, let me not hammer it. Let's just focus on FTP and see if we get any results. I guess I'll just pause until something comes back. Hopefully.

Okay, that finally came back. Looks like we have login credentials: chris and crystal. So let's, uh, let's take note of that. While it was paused I was going through and kind of adding in some of the notes that we have thus far. So FTP password, let's, uh, just include that as our note here. Grab the syntax, just spit that guy in. I'll call that... see, that's in bash. Uh, and crystal is the password. Good. I just like to kind of have our notes, I don't know, put together so we have our own reference if we ever go back to this, if we learn something from this machine.

Now let's FTP. Do that. Let's go ahead and FTP chris at the IP address. Or I guess we can just go to the IP address and supply chris as a name. FTP probably has no idea what I'm doing when I say that. Okay. Man. Slow box, and connection timed out.
Are you kidding me? We know what the FTP... we know the IP address variable is right, that's still in the context of this. Please. Holy cow. Make sure you guys are running this from a subscribed account. I don't know why this is taking so long. There we go. Okay, chris, crystal. That's our password and everything. Great.

What do we have here? Oh, okay, let's get all of these. Can I mget all this? Does that work? Yes. Thanks. Yes. I don't always put... what argument do I supply to mget to download this? At least there's only three of them. That's totally fine. Okay. So now we have all of those downloaded. Let's actually make an FTP directory and let's move cutie, cute alien, and To agent J into that FTP directory. I probably should have done all that before I did that.

Let's go check out what this To agent J says: all of these alien photos are fake. Agent R stored the real picture inside of your dictionary, your directory. What? Okay, okay. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you. Which picture? Cutie, cute alien. Let's go check out these. What are they actually showing us? Cute alien JPEG. That's cute. And cutie dot PNG. Okay.

So if they're inside of the image, can I, like, strings all of the JPEG ones? Blah blah, nothing seemingly interesting there. How about strings in that PNG image? Oh, he has something inside: To agent R. We have To agent J. So there's clearly something in that PNG. Let's, um, let's go ahead and binwalk tack e on the cutie PNG. He has a zip file in there. Yeah, yeah, yeah. Okay. So we extracted that out with binwalk tack e. Looks like cutie PNG extracted has To agent R dot txt in there. What, what? Is that empty? That is empty. That's weird. This is a file though. Um, let's unzip that 8702 zip file. We need a password. 7z. Okay, we'll replace it. Yeah, yeah, replace that thing.
Oh, it doesn't need a password. Okay, so let's go ahead and run, um, zip2john. That should be in the opt John the Ripper run zip2john. Run that on our 8702 zip file. Let's redirect that to hashes for john dot txt. And now let's run hashes for john with john. Change that command to actually use John the Ripper, not the zip2john script, and we'll supply the word list to opt rockyou dot txt. So let's see if we can crack that zip file password. Okay, looks like the password is alien. Good enough.

So I use 7-Zip to extract that because it didn't seem to behave when I used just regular unzip. So 7-Zip this guy. Yes, go ahead and remove stuff, we'll override it. I'll use alien as my password. Looks like that worked. Okay. Now To agent R actually has content in it. So let's go see what that says: "Agent C, we need you to send the picture to" that "as soon as possible." That looks strangely like Base64, just because of the random capitalization. So let me go ahead and make sure. Okay, that is Base64. So that decodes to Area 51. We need to send the picture to this as soon as possible. So that must be the other alien, the cute alien JPEG, and that is a JPEG file.

So if we're doing stego techniques... oh, we have some of these things we should fill out. And we kind of have this notion from the prompt, it's probably a steg thing. We can use steghide. Yeah, yeah, yeah. So steghide syntax is extract and then sf to specify the file that you want to extract out. So that is the cute alien JPEG, and our password is Area 51, capital A. There we go: wrote extracted data to message.txt. So message.txt says: "Hi james. Glad you found this message. Your login password is hacker rules. Don't ask me why the password looks cheesy, ask Agent R who set this password for you. Your buddy, chris." Okay, so hacker rules looks to be a password for James.

Area 51 is that answer. The other agent in full name is james, theoretically. And the SSH password is hacker rules. So we submitted all those.
All right. Now, let's go ahead and log into that box, right? Because we saw SSH was open from our nmap scan. So james to that IP address. Taking its sweet time. While that's going for us, let's go ahead and... zip file was alien, Area 51, next one james, and hacker rules.

Now task four. What is that asking for? What is the user flag? It should be easy once we go ahead and log in, if that ever loads for us. What is that other prompt here? What's the incident of the photo called? What? I don't know what that means. I guess we'll see. Come on, computer. I guess I'll pause.

Okay, started and stopped it and now it seemed to go through. So now let's enter the password. Hacker rules, exclamation point. Oh, come on. Did I not, did I not have that copied? Please don't, please don't not connect. That is the right password, right? Okay, maybe it did authenticate this time and now it's going to take its sweet time to give me that connection. Lots of pausing in this video.

Okay, now he's in. Great. So let's see, we've got our user flag dot txt. Great. Go ahead and submit that for our user flag. Submit. Slap that guy in here.

What is the incident of the photo called? Okay. So we have this alien autopsy JPEG. I guess we could copy that down. But we could very well just run some regular commands, if the connection would work. Holy cow. I'm going to pause. Okay.

Okay, looks like we're working now. So strings on that guy. We don't have that installed. Okay. I guess we can try some exiftool. Do we have exiftool accessible to us? No. Okay, let's go ahead and try and, uh, download that thing then. So let's actually make a directory for SSH. We'll hop over there. Let's scp james at... let's slap that IP address in. scp james at IP, um, and we want alien autopsy dot JPEG, and let's just put it here. So it needs to know that password once it asks for it. There we go. And that should download. Hopefully. I don't know if that syntax is gonna think I mean from the root directory. Yep.
Okay, let's go from home james. Let's try that. Paste that password in. Sweet, sweet upload and download time. Sweet, sweet networking. What, did I just spell it wrong? Home james, pwd. Wow. pwd: home james. Alien autopsy dot JPEG. That's what... that's alien autos taught tospy. I spelled their typo wrong. Autospy. Is that wrong? I feel like that's wrong. I feel like it should be autopsy. I'm truly sorry for all of you watching this video. I feel like I need to pause every time I interact with the machine whatsoever.

There we go. Okay. What do we got here? Alien autospy. Oh, cringy. I don't want to see that. Never mind. Strings that guy. Blah blah blah. What is all that at sign in there? At at at at. "At at at at" is the name of my Wi-Fi network when I go ahead and create a mobile hotspot, so if you ever see that out there in the world, you'll know it's me. Alien autopsy. Blah blah blah. What is this? What is this asking for? Is there anything else that I didn't see in that? Let's go for long strings, let's go from a ten. 888888. There's some hidden information from, like, what Photoshop would put in there. What is it actually referring to? Alien autos?

I don't want to look at this image again, but I feel like I have to. Gosh, gosh, that's so bad. Let's see if it's a thing. Google image search. So Google image reverse, reverse image search, Google image search. That gives me... there we go. Google image. Let's just grab this file and directory. Let's drag it there. See what we have. Roswell UFO incident. Oh, gee, goodness. I don't want those pictures, man. Roswell UFO. So that looks like "Army reveals flying disk". That's not the amount of letters that it needs. What else do we got? Fox News. Roswell alien footage. Oh, oh, oh, oh, oh, the freaking picture. Get out of my life. Roswell alien footage. Does that work? No. Did I spell it wrong? I guess I'll just look at this picture more. Get out of here, Fox News. Alien autopsy.
Oh, oh, it's autopsy. "Footage" is just something that I read in the URL and got freaked out. So alien autopsy, autopsy spelled correctly. There we go. Okay, I hate those though.

That's not, like, a question: "Enough with the extraordinary stuff? Let's get real." CVE number for escalation. Oh, okay, let's do some things now. So we're on the box. Let's go ahead and actually put LinPEAS in there. So I'm going to scp my own opt LinPEAS to james at the IP address. Do I have IP? Is it a thing? Yeah, okay. Let's go ahead and put it in /dev/shm just because that's a good place to hide stuff. Shared memory. Typically world writable. Typically world readable. There he goes.

Okay, so back in the box now, let's go ahead and move into /dev/shm. Let's mark LinPEAS as executable. And let's let him go. Okay. My user can sudo things. That's good. Good to know. Root is the one that we need, but we are in the sudo group. Often IDs, sudo is in there. Some things are running. Okay, trying to go from the top. Sudo version is kind of old. Good stuff in there. GCC is installed. Maybe we could do a kernel exploit, throw some Dirty COW maybe. What was that path information? Nothing out of the ordinary. I'll look for the setuid binaries because it seems to be pretty common lately and a lot of the TryHackMe rooms have been going through. What is this rsync, sudo, ALL, NOPASSWD, ALL? Is that a thing? Can I do that? Because it has a lot of setuid. But a lot of these look pretty normal.

Let's let this run, but let's sshpass tack p hacker rules, ssh james at IP, dollar sign IP, so we are logged in. sshpass, just quick syntax so I can go ahead and actually supply the password on the command line, like, as an argument. I hope that IP is an actual variable that's set in this case. That will log in just fine. But he's still going. Okay, good. Let's see if that sudo thing is, like, a thing. sudo tack l. Oh, hacker rules, exclamation point.
"User james may run the following commands on agent-sudo": ALL, not root, /bin/bash. What? Oh, that's a... that's the CVE. That was a recent sudo bug. See, this thing, this thing I made a video on it. Caleb and I talked about this. When you specify the user ID of an account that doesn't exist. It's normally, like, a weird misconfiguration, but let's tack u. Is that right? Number one. Number one, /bin/bash. What is it? What is that? What is that syntax? Oh, doesn't, it doesn't need a space after it? Yeah. Okay, that's it. That's that. Now that's, that's, that's that privesc.

So the bug is, if you specify anything other than root, it will be searching for the users, and you can specify a tack u with the account ID or user ID that doesn't exist, like negative one. And that will fail. And I guess some int overflow thing that will determine that, oh, and it'll select root. And then you'll be able to do it. The CVE information gets a lot more into it. But this is the bug. And I did a video on it some time ago. You can see that on my channel. John Hammond sudo bug. Yeah, this guy. Under 1.8.28. So that's cool. Get these stupid alien pictures out of my face.

Now that we're root, we own the box, right? So let's go in root. Let's cat root dot txt. "Congratulations on rooting this box. This box was designed for TryHackMe." There is your flag. DesKel is his name. And that must be the author of the box. Must be the box creator. Does it say? Doesn't. Well, okay.

So that was that. That was Agent Sudo. It turns out I was an idiot and I was having a lot of connectivity issues because I had two OpenVPN sessions going, from what I recorded earlier and when I've been recording now. So my fault. I'm a failure. Thanks. Thanks for watching. That was that. That's kind of cool. It was good to get that exposure with that sudo vulnerability, see that kind of out there in a little exercise, and the hacking and the hash cracking and brute force was also kind of neat. So hope you guys enjoyed this video.
If you did, please do press that like button, the comment thing, the subscribe or whatever, all of those YouTube algorithm things. Love to see you guys on Patreon, PayPal, Discord. There's a link in the description. It's an awesome, awesome community full of tons of smart people way smarter than me. And that's that. My face is really white with this light, bright. Oh gosh, I'm an alien. I'm Area 51. Thanks, everybody. Bye.
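
Added example, not part of the video or the room: a defender-side audit for the sudo issue discussed in the transcript. It flags sudoers rules whose Runas user list is `ALL` with root negated, which is only a risk on sudo older than 1.8.28. The version banner, the sudoers lines and all function names are constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # first fixed sudo release; the transcript says "under 1.8.28"

# Constructed sample input (not taken from the room's machine).
SAMPLE_BANNER = "Sudo version 1.8.21p2"
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root   ALL=(ALL:ALL) ALL
%sudo  ALL=(ALL:ALL) ALL
james  ALL=(ALL, !root) /bin/bash
"""

def parse_version(banner):
    """Return (major, minor, patch) from `sudo -V` style text; 'p2' suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version found in %r" % banner)
    return tuple(int(x) for x in m.groups())

def risky_runas(line):
    """True if a rule's Runas user list contains ALL together with a negated root."""
    line = line.strip()
    if not line or line.startswith("#") or "=" not in line:
        return False  # blank line, full-line comment, or not a user specification
    spec = line.split("=", 1)[1]
    # Capture the user part of each "(users : groups)" Runas spec.
    for users in re.findall(r"\(([^):]*)", spec):
        names = [u.strip() for u in users.split(",")]
        if "ALL" in names and any(n in ("!root", "!#0") for n in names):
            return True
    return False

def audit(sudo_banner, sudoers_text):
    """Combine the version check with the rule scan into one finding."""
    unpatched = parse_version(sudo_banner) < FIXED
    rules = [l.strip() for l in sudoers_text.splitlines() if risky_runas(l)]
    return {
        "version_unpatched": unpatched,
        "risky_rules": rules,
        # The "!root" exclusion is only bypassable when both conditions hold.
        "exposed": unpatched and bool(rules),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_SUDOERS))
```

A rule reported under `risky_rules` on a patched host is still worth rewriting as an explicit allow-list of target users, since it relies on a blacklist to keep root out.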