Agent Sudo Walkthrough: TryHackMe

I started doing CTFs for my eJPT exam. Today we are going to do the Agent Sudo CTF on TryHackMe.

First I did a ping to the IP of the machine to check if it was online or not.

Task 1 (Author Note): No answer needed


Task 2 :

How many open ports?

I started an Nmap scan on the target IP with the -sV -O -sC flags to get the versions of the running services and the type of operating system, and to run the default script scan.

The answer to this question is : 3

How you redirect yourself to a secret page?

I started a dirb scan in the background but got nothing.

As we know, port 80 is running, so I typed the IP into the browser and got this.

From this, I understood that I needed to use Burp Suite, as I have to play with the User-Agent.

So I changed the user agent to R and got this message.

so the answer is : user-agent

Then I changed the user agent name one by one starting from "A"; at "C" I got this message.

What is the agent name?

We got the agent name "chris".


Task 3:

FTP password

I brute-forced the FTP service with the username chris and the rockyou.txt wordlist using hydra.

ftp password: crystal

Zip file password

After establishing the FTP connection, I downloaded all files to my local machine using the "get" command.

Now we need to analyze those images.

I examined them using the exiftool and binwalk utilities.

Here I got to know that there is something zipped inside it, so extract it:

binwalk -e cutie.png
cd _cutie.png.extracted

Now we need to unzip this 8702.zip file, but it requires a password, so use the "zip2john" utility to convert this file into a format that John can crack.

zip2john 8702.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

which gives us the password "alien"

steg password

Now we can unzip this file, as we have the password.

7z e 8702.zip

Now we can read the message.

This text 'QXJlYTUx' doesn't make any sense, so I tried to decode it using CyberChef.

This gives us Area51.

and this is the password : Area51

Who is the other agent (in full name)?

steghide extract -sf cute-alien.jpg -p Area51

and it gave a txt file named message.txt

other agent name is james

SSH password

With username james and password hackerrules!, I got a connection.

password is hackerrules!


Task 4

What is the user flag?

What is the incident of the photo called?

Open a new terminal and copy the image to your local machine using the following command:

sudo scp james@10.10.216.228:/home/james/Alien_autospy.jpg .

Using Google image search, search for this image with Fox News as the source.

Answer : Roswell Alien Autopsy


Task 5

CVE number for the escalation

While checking the privileges of user james, I found these privileges.

I Googled them to check how I can bypass them and got to know this is a vulnerability with CVE-2019-14287.

What is the root flag?

I executed this command:

sudo -u#-1 /bin/bash

The privileges have been elevated, and now I can read the root flag.
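
The `sudo -u#-1` step works because sudo versions before 1.8.28 resolve user ID -1 to 0 when a rule allows any run-as user except root (CVE-2019-14287). As an added example (not part of the original walkthrough), this Python check flags that rule pattern from `sudo -l` output together with the `sudo -V` version. The sample rules and version banners are constructed, not taken from the target machine.

```python
import re

# First upstream sudo release that contains the fix for CVE-2019-14287.
FIXED = (1, 8, 28)

def parse_version(banner):
    """Extract (major, minor, patch) from `sudo -V` output, e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no sudo version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())

def runas_users(rule):
    """Return the Runas user list of one rule, e.g. ['ALL', '!root'] (group part ignored)."""
    m = re.search(r"\(([^):]*)(?::[^)]*)?\)", rule)
    if not m:
        return []
    return [u.strip() for u in m.group(1).split(",") if u.strip()]

def rule_is_exposed(rule):
    """True if the rule grants ALL run-as users but tries to exclude root by negation."""
    users = runas_users(rule)
    excludes_root = any(u in ("!root", "!#0") for u in users)
    return "ALL" in users and excludes_root

def audit(version_banner, rules):
    """Return the rules that permit the -u#-1 bypass on this sudo version."""
    if parse_version(version_banner) >= FIXED:
        return []
    return [r for r in rules if rule_is_exposed(r)]

# Constructed sample rules in the form `sudo -l` prints them.
SAMPLE_RULES = [
    "(ALL, !root) /bin/bash",
    "(root) NOPASSWD: /usr/bin/systemctl restart nginx",
    "(ALL : ALL) ALL",
    "(www-data) /usr/bin/php",
]

if __name__ == "__main__":
    for banner in ("Sudo version 1.8.21p2", "Sudo version 1.8.28"):
        print(banner, "->", audit(banner, SAMPLE_RULES))
```

A version check cannot see fixes that a distribution backported under an older upstream version number, so confirm a hit against the vendor advisory.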

(Bonus) Who is Agent R?

From the root.txt file we can see the answer: DesKel


Thank you. Do comment with any optimization advice.