TryHackMe | CTF | AgentSudo

Kapish Kuchroo
5 min read · Jul 7, 2021

TryHackMe presents this wonderful box; the goal is to capture the root flag of the machine. Check out the box at https://tryhackme.com/room/agentsudoctf.

1. Enumerate

1.1 Let's find out the number of ports open on this machine

3 open ports on the machine

1.2 How do you redirect yourself to a secret page?
Visiting the homepage at the machine's IP address showed the following content:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R

Driving you nuts huh???

I found nothing in the page source and had no success with gobuster either. The note signed by Agent R says to use a codename as the User-Agent, so I changed my User-Agent in Chromium with a plug-in called “User-Agent Switcher for Chrome” and tried single-letter codenames such as A, B and C.

Alternatively, you can use curl with a custom User-Agent header, in case you prefer to stay on the CLI.

1.3 What is the agent name?

Once we switch the User-Agent to “C”, either in curl or in the browser plug-in, we get a message addressed to Chris. This might be a username I can use later on one of the open ports.

2. BruteForcing

We have the username Chris, but we need a password to log in. We will use hydra to brute-force the password and log in to the machine.
Which service should we brute-force? Initially I tried SSH, but that failed, which left me with one option: FTP. Yes, that works.

2.1 FTP Password

Now that I have a username and password for the machine, I use ftp to log in and list the contents with ls -la, then download them to my Kali machine with the get command. There are several ftp commands; I have pasted a link in case someone is curious about other commands for different use cases: https://www.howtoforge.com/tutorial/how-to-use-ftp-on-the-linux-shell/

One of the files was called “To_agentJ.txt”:
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn’t be a problem for you.
From,
Agent C

2.2 ZIP file password

After logging in I downloaded the files from the FTP server; there are two images:

  1. cutie.png
  2. cute-alien.jpg

Steps to extract password from cutie.png
1. binwalk -e cutie.png (binwalk scans a binary file for embedded files and executable code, here the data hidden inside the image, and -e extracts what it finds)

2. This command produced a directory _cutie.png.extracted containing a zip file and a .txt file. The problem is that we cannot unzip 8702.zip because it is password-protected. The solution is to crack the password with zip2john and john.

3. zip2john 8702.zip > anyfilename.txt

4. john --format=zip anyfilename.txt (anyfilename.txt is the same file name as above)

2.3 Steg Password

For the .jpg, I tried to use steghide to extract the password, but it needed a passphrase. Therefore I used stegcracker, with the default wordlist rockyou.txt. The command gave me the passphrase for the jpg and wrote the extracted contents to the file cute-alien.jpg.out.

2.4 Who is the other agent (full name)?
Reading the contents of the file cute-alien.jpg.out:
Hi james,
Glad you find this message. Your login password is **********!
Don’t ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris

So the other agent’s name was:

James

2.5 SSH password
In the same note, I found the password.

3. Capture the user flag

3.1 What is the user flag?
Logged in via SSH with:

ssh james@<ip address>, using the password found in the file above.

cat user_flag.txt

3.2 What is the incident of the photo called?
There was also a “.jpg” image. To view it I downloaded the .jpg file to my Kali machine:

I did a reverse image search with Google Images and found an article about it. It's called: roswell alien autopsy.

4. Privilege Escalation

4.1 CVE number for the escalation

After checking various other options for escalating privileges, I found that the sudo -l command gave me a useful result. The relevant line shows that /bin/bash can be run through sudo as any user except root. If you google that last line, you will find the Exploit DB entry.

The CVE number for the escalation can be found on Exploit DB.
This fit my case perfectly, so let's get to it! The CVE number needed for this task is CVE-2019-14287.

CVE-2019-14287
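As an added defensive check, not part of the original write-up or of the TryHackMe room: a small POSIX shell script that flags the sudoers pattern CVE-2019-14287 depends on (a RunAs list that excludes root with "!root") in sudo -l output, and compares the installed sudo version against 1.8.28, the release that fixed the bug. The sample sudo -l output and the HOSTNAME value are constructed.

```shell
#!/bin/sh
# Added defensive check, not from the original write-up: detect the sudoers
# pattern CVE-2019-14287 relies on, and a sudo version that predates the fix.
# Return 0 if a "sudo -l" output line grants a command as any user except
# root, i.e. a RunAs list containing "!root" such as "(ALL, !root) /bin/bash".
is_runas_root_excluded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\([^)]*![[:space:]]*root[^)]*\)'
}

# Return 0 if dotted version $1 is strictly older than $2.
# A trailing patch suffix such as the "p2" in "1.8.27p2" is ignored.
version_lt() {
    a=${1%%p*}; b=${2%%p*}; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# CVE-2019-14287 was fixed in sudo 1.8.28; any older release is affected.
sudo_version_vulnerable() {
    version_lt "$1" 1.8.28
}

# Read "sudo -l" output on stdin, print every risky RunAs rule and return 0
# if at least one was found (1 otherwise).
scan_sudo_rules() {
    found=1
    while IFS= read -r line; do
        if is_runas_root_excluded "$line"; then
            echo "risky RunAs rule: $line"
            found=0
        fi
    done
    return "$found"
}

# Constructed samples in the shape "sudo -l" prints; not captured from the box.
SAMPLE_SUDO_L='User james may run the following commands on HOSTNAME:
    (ALL, !root) /bin/bash'
SAMPLE_SAFE='User james may run the following commands on HOSTNAME:
    (root) NOPASSWD: /usr/bin/less'
# On a real host: sudo -l 2>/dev/null | scan_sudo_rules
# and: sudo_version_vulnerable "$(sudo -V | head -n 1 | awk '{print $NF}')"
```

Either finding alone is worth a ticket: the "!root" rule is only exploitable on an unpatched sudo, but it also grants a shell as every other account on the host.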

4.2 Root flag?

sudo -u#-1 /bin/bash

4.3 Bonus Question. Who is agent R?

Deskel
