
# AgentSudo

## Agent Sudo - Writeup

**Date**: 12/01/2025

**Difficulty**: Easy

**CTF**: <https://tryhackme.com/r/room/agentsudoctf>

***

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

## Enumerate

Let’s start by checking the connection with the machine:

<figure><img src="/files/EYeUIITkkf6PLCTcaL4l" alt=""><figcaption></figcaption></figure>

We got the ping back. The TTL is 63, so we are probably against a Linux machine.

Now let’s do a port scan using nmap:

<figure><img src="/files/RJXROJdEtZQdQjO8esk2" alt=""><figcaption></figcaption></figure>

nmap has discovered 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Now we can get more info about these ports using nmap:

<figure><img src="/files/LvZKMxeNlNsiqyIi7i4N" alt=""><figcaption></figcaption></figure>

* port 21 (FTP): vsftpd 3.0.3
* port 22 (SSH): OpenSSH 7.6p1 → Ubuntu Bionic 18.04 (Launchpad)
* port 80 (HTTP): Apache httpd 2.4.29

Let’s take a look at the web page:

<figure><img src="/files/aUuQOc14hhKKAhOnyPzX" alt=""><figcaption></figcaption></figure>

Seems like we have to use a “codename” as user-agent. I checked the webpage source code but there is nothing interesting there.

To manipulate the User-Agent header, I’ll intercept the web request with Burp Suite and send it to the Repeater:

<figure><img src="/files/aY8nbWhWitYPJKTzZsUZ" alt=""><figcaption></figcaption></figure>

When I use “R” as the user-agent, I get this response:

<figure><img src="/files/KTm2Tbs1FjbNNPkoeyiY" alt=""><figcaption></figcaption></figure>

Now we know that there are 25 employees.

Maybe the codename of each agent is a single letter. Let’s send the request to the Intruder and set the payload:

<figure><img src="/files/cQfJdvBb2A4mMf8F31F9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WKY7pnk1csLCie5899v4" alt=""><figcaption></figcaption></figure>

Now, let’s start the attack:

<figure><img src="/files/IBDrFxgkVqw66kqQmgN7" alt=""><figcaption></figcaption></figure>

We can see that the status code of the request with the payload “C” as user-agent is different (302), which means that the page is redirecting us to the “agent\_C\_attention.php” page. Let’s take a look:

<figure><img src="/files/I2kmv1xcOedmA57ZrIfr" alt=""><figcaption></figcaption></figure>

## Hash cracking and brute-force

It seems to be a message sent by Agent R to Agent C telling him that his password is weak. Knowing that, let’s see if we can guess the password of the “chris” user for the FTP or SSH services using hydra:

<figure><img src="/files/pcgl1R9vUaPB0JiDWIbw" alt=""><figcaption></figcaption></figure>

First I tried the 100 most used passwords list against both the FTP and SSH services. After not getting a match, I used the 1000 most common ones and… we have a match!

<figure><img src="/files/GEfONg8A3yjLTLt9uAZ6" alt=""><figcaption></figcaption></figure>

Now we have valid credentials for the FTP service. Let’s see if they work for SSH as well:

<figure><img src="/files/uhHPqlTcQ0P6zDhgPafX" alt=""><figcaption></figcaption></figure>

Nope, they don’t. Let’s take a look at the FTP server:

<figure><img src="/files/JmSRbVdrwqtbsPxSwea8" alt=""><figcaption></figcaption></figure>

There are some files inside; I downloaded them all.

There are 2 images:

<figure><img src="/files/11H8F3dXm1kxvKmtemaa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/W0yg1upOU6yjwezdFFBR" alt=""><figcaption></figcaption></figure>

I’ll check the EXIF info just in case:

<figure><img src="/files/57btWUHXVL3ird47asAq" alt=""><figcaption></figcaption></figure>

Nothing seems interesting there.

Let’s check the text file:

<figure><img src="/files/neqzN1W38m3cTDsA5ShE" alt=""><figcaption></figcaption></figure>

So… there is a password, and we are being asked for a ZIP password and a steg password… maybe one of these downloaded images has a ZIP inside it? Let’s use binwalk to investigate them further:

<figure><img src="/files/ZIO4mZPBCl8MAkqEgcsw" alt=""><figcaption></figcaption></figure>

The cute-alien.jpg file seems to be a normal image, but the cuttie.png has something else! Let’s extract it:

<figure><img src="/files/oSOopE11zq60XnKoyeyw" alt=""><figcaption></figcaption></figure>

If we attempt to decompress the ZIP file, we are asked for a password:

<figure><img src="/files/iQ0ECcOI3vrlWGHFstFR" alt=""><figcaption></figcaption></figure>

Let’s try to use JohnTheRipper to crack the password. First we have to use **zip2john** tool, and then **john**:

<figure><img src="/files/7rDZExCiQWIpIzxWEUGW" alt=""><figcaption></figcaption></figure>

And we get the password! Let’s decompress the ZIP file:

<figure><img src="/files/mrIhMkf15uqcedZwMnU1" alt=""><figcaption></figcaption></figure>

Now we can read another message written by Agent R, and a code. It looks weird, so let’s use CyberChef to check if it is encoded:

<figure><img src="/files/FTYSew1NpyVPfhI312zv" alt=""><figcaption></figcaption></figure>

It seems to be Base64 encoded; once decoded, it shows clear text.

Let’s try to use it as the steg password to decode the image cute-alien.jpg using an online steganography tool:

<figure><img src="/files/cmQq5lPZq4UzS9QojRiT" alt=""><figcaption></figcaption></figure>

It reveals a message written by Chris telling James his login password, so we now have new credentials.

Let’s see if we can connect to FTP or SSH using these credentials:

<figure><img src="/files/Xm7zwa3VjrXIOnE1h0jp" alt=""><figcaption></figcaption></figure>

## Capture the user flag

The credentials are not valid for FTP, but they are for SSH! Now we are logged in as james on the target machine!

<figure><img src="/files/xcTNXkUeNmZyrJkIf3oc" alt=""><figcaption></figcaption></figure>

In the home folder of the current user we find the user flag and an image. Let’s download the image using **scp**:

<figure><img src="/files/Rzo0lpVpcmQXdatzRGez" alt=""><figcaption></figcaption></figure>

I know that it is related to the Roswell incident; after a reverse image search using the TinEye website, it turns out the photo is called “Roswell Alien Autopsy”.

## Privilege escalation

Now, let’s look for privilege escalation. Let’s check the sudoers first:

<figure><img src="/files/mN2Bnnskln5X5r4vWedU" alt=""><figcaption></figcaption></figure>

It looks interesting; let’s search for what it means. After a quick search, it seems that the user james can execute /bin/bash as any user except root. It also redirects me to an ExploitDB page, where I can see that there is a vulnerability (CVE-2019-14287) that allows privilege escalation:

<figure><img src="/files/LSi0G0m2ekovXsCWnfqw" alt=""><figcaption></figcaption></figure>

> Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv -u#-1 returns as 0 which is root's id

As explained in the exploit description, when the current user is allowed to run bash as any other user except root, the command `sudo -u#-1 /bin/bash` can be run to obtain a root shell: the user id -1 is not a real account, so the `!root` exclusion does not match it, and the system treats id -1 as “leave the id unchanged”, which keeps sudo’s own id 0.

<figure><img src="/files/9qlrQs84EHlYFD8ElZln" alt=""><figcaption></figcaption></figure>

That’s how we gain root privileges and the root flag.
