[{"data":1,"prerenderedAt":1239},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-agentsudo-writeup":3,"surround-\u002F2025\u002Ftryhackme-agentsudo-writeup":1230},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":1223,"_id":1224,"_source":1225,"_file":1226,"_stem":1227,"_extension":1228,"_original_dir":1229},"\u002F2025\u002Ftryhackme-agentsudo-writeup","2025",false,"","TryHackMe - Agent Sudo","In this write-up, we will solve TryHackMe's beginner-level 'Agent Sudo' room step-by-step. We will learn how to gain root privileges using web enumeration, FTP brute-forcing with Hydra, extracting hidden data with steganography, and exploiting the CVE-2019-14287 sudo vulnerability, all demonstrated with detailed visuals.","2025-08-19T11:07:27.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F1.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"4 min read",3.905,234300,781,{"type":20,"children":21,"toc":1216},"root",[22,28,44,59,66,88,92,96,109,113,151,196,216,624,637,643,663,668,672,692,696,709,713,718,725,754,758,778,782,786,807,815,843,847,852,856,860,873,891,956,975,979,1007,1011,1017,1054,1129,1187,1206,1210],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fagentsudoctf",[40],"nofollow",[42],{"type":33,"value":43},"10.10.171.178",{"type":23,"tag":29,"props":45,"children":46},{},[47,49],{"type":33,"value":48},"Attacker IP: 
",{"type":23,"tag":50,"props":51,"children":56},"span",{"className":52,"id":54,"style":55},[53],"example-info","just-like-this","color: #EA5B6F",[57],{"type":33,"value":58},"10.8.13.246",{"type":23,"tag":60,"props":61,"children":63},"h2",{"id":62},"reconnaissance",[64],{"type":33,"value":65},"Reconnaissance",{"type":23,"tag":29,"props":67,"children":68},{},[69,71,78,80,86],{"type":33,"value":70},"Let us begin by running a port scan on the target. To be fast, we will first use ",{"type":23,"tag":72,"props":73,"children":75},"code",{"className":74},[],[76],{"type":33,"value":77},"rustscan",{"type":33,"value":79},", then use ",{"type":23,"tag":72,"props":81,"children":83},{"className":82},[],[84],{"type":33,"value":85},"nmap",{"type":33,"value":87}," for an in-depth scan on the discovered ports.",{"type":23,"tag":24,"props":89,"children":91},{"src":90},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F3.jpg",[],{"type":23,"tag":24,"props":93,"children":95},{"src":94},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":97,"children":98},{},[99,101,107],{"type":33,"value":100},"Let’s inspect the website on port ",{"type":23,"tag":72,"props":102,"children":104},{"className":103},[],[105],{"type":33,"value":106},"80",{"type":33,"value":108},".",{"type":23,"tag":24,"props":110,"children":112},{"src":111},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":114,"children":115},{},[116,118,124,126,132,134,140,142,149],{"type":33,"value":117},"The page tells us what we need to do. To access the site, we must send our own codename as the ",{"type":23,"tag":72,"props":119,"children":121},{"className":120},[],[122],{"type":33,"value":123},"User-Agent",{"type":33,"value":125},". 
We do not know our codename, but this message was sent to us by Agent R. So let’s set ",{"type":23,"tag":72,"props":127,"children":130},{"className":128,"id":54,"style":129},[53],"color: #4DFFBE",[131],{"type":33,"value":123},{"type":33,"value":133}," to ",{"type":23,"tag":72,"props":135,"children":137},{"className":136,"id":54,"style":129},[53],[138],{"type":33,"value":139},"R",{"type":33,"value":141}," and try, because that is the only thing we know right now. I will use ",{"type":23,"tag":72,"props":143,"children":146},{"className":144,"id":54,"style":145},[53],"color: #efb11d",[147],{"type":33,"value":148},"BurpSuite",{"type":33,"value":150}," for this, though curl, etc., can also be used.",{"type":23,"tag":152,"props":153,"children":154},"ol",{},[155,165,187],{"type":23,"tag":156,"props":157,"children":158},"li",{},[159,161],{"type":33,"value":160},"Capture our request.",{"type":23,"tag":24,"props":162,"children":164},{"src":163},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F6.jpg",[],{"type":23,"tag":156,"props":166,"children":167},{},[168,170,175,176,181,183],{"type":33,"value":169},"Change our ",{"type":23,"tag":72,"props":171,"children":173},{"className":172},[],[174],{"type":33,"value":123},{"type":33,"value":133},{"type":23,"tag":72,"props":177,"children":179},{"className":178},[],[180],{"type":33,"value":139},{"type":33,"value":182}," and send the request.",{"type":23,"tag":24,"props":184,"children":186},{"src":185},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F7.jpg",[],{"type":23,"tag":156,"props":188,"children":189},{},[190,192],{"type":33,"value":191},"We encounter something 
new.",{"type":23,"tag":24,"props":193,"children":195},{"src":194},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":197,"children":198},{},[199,201,207,209,214],{"type":33,"value":200},"From this we understand there are ",{"type":23,"tag":50,"props":202,"children":204},{"className":203,"id":54,"style":129},[53],[205],{"type":33,"value":206},"25 (active) + 1 (R) = 26",{"type":33,"value":208}," people, i.e., codenames. It occurs to us that there are 26 letters in the English alphabet. What if each letter is set as a codename? If we try all these letters as the ",{"type":23,"tag":72,"props":210,"children":212},{"className":211},[],[213],{"type":33,"value":123},{"type":33,"value":215},", we might find something.",{"type":23,"tag":152,"props":217,"children":218},{},[219,262,305,555,575,584],{"type":23,"tag":156,"props":220,"children":221},{},[222,224,229,231,236,237,241],{"type":33,"value":223},"Configure ",{"type":23,"tag":72,"props":225,"children":227},{"className":226},[],[228],{"type":33,"value":148},{"type":33,"value":230}," to try the entire alphabet as the ",{"type":23,"tag":72,"props":232,"children":234},{"className":233},[],[235],{"type":33,"value":123},{"type":33,"value":108},{"type":23,"tag":24,"props":238,"children":240},{"src":239},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F9.jpg",[],{"type":23,"tag":242,"props":243,"children":244},"ul",{},[245,250],{"type":23,"tag":156,"props":246,"children":247},{},[248],{"type":33,"value":249},"Try to access the site and capture the request.",{"type":23,"tag":156,"props":251,"children":252},{},[253,255,261],{"type":33,"value":254},"Then send this request to 
",{"type":23,"tag":72,"props":256,"children":258},{"className":257},[],[259],{"type":33,"value":260},"Intruder",{"type":33,"value":108},{"type":23,"tag":156,"props":263,"children":264},{},[265,267,272,274,278],{"type":33,"value":266},"Add a position on the ",{"type":23,"tag":72,"props":268,"children":270},{"className":269},[],[271],{"type":33,"value":123},{"type":33,"value":273}," header in the request.",{"type":23,"tag":24,"props":275,"children":277},{"src":276},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F10.jpg",[],{"type":23,"tag":242,"props":279,"children":280},{},[281,300],{"type":23,"tag":156,"props":282,"children":283},{},[284,286,291,293,299],{"type":33,"value":285},"Select the ",{"type":23,"tag":72,"props":287,"children":289},{"className":288},[],[290],{"type":33,"value":123},{"type":33,"value":292}," value and click ",{"type":23,"tag":72,"props":294,"children":296},{"className":295},[],[297],{"type":33,"value":298},"Add",{"type":33,"value":108},{"type":23,"tag":156,"props":301,"children":302},{},[303],{"type":33,"value":304},"We will try our letters one by one in the position we added.",{"type":23,"tag":156,"props":306,"children":307},{},[308,310],{"type":33,"value":309},"Create a .txt file and add the following wordlist.",{"type":23,"tag":311,"props":312,"children":316},"pre",{"className":313,"code":314,"language":315,"meta":7,"style":7},"language-txt shiki shiki-themes catppuccin-latte 
one-dark-pro","A\nB\nC\nD\nE\nF\nG\nH\nI\nJ\nK\nL\nM\nN\nO\nP\nQ\nR\nS\nT\nU\nV\nW\nX\nY\nZ\n","txt",[317],{"type":23,"tag":72,"props":318,"children":319},{"__ignoreMap":7},[320,330,339,348,357,366,375,384,393,402,411,420,429,438,447,456,465,474,483,492,501,510,519,528,537,546],{"type":23,"tag":50,"props":321,"children":324},{"class":322,"line":323},"line",1,[325],{"type":23,"tag":50,"props":326,"children":327},{},[328],{"type":33,"value":329},"A\n",{"type":23,"tag":50,"props":331,"children":333},{"class":322,"line":332},2,[334],{"type":23,"tag":50,"props":335,"children":336},{},[337],{"type":33,"value":338},"B\n",{"type":23,"tag":50,"props":340,"children":342},{"class":322,"line":341},3,[343],{"type":23,"tag":50,"props":344,"children":345},{},[346],{"type":33,"value":347},"C\n",{"type":23,"tag":50,"props":349,"children":351},{"class":322,"line":350},4,[352],{"type":23,"tag":50,"props":353,"children":354},{},[355],{"type":33,"value":356},"D\n",{"type":23,"tag":50,"props":358,"children":360},{"class":322,"line":359},5,[361],{"type":23,"tag":50,"props":362,"children":363},{},[364],{"type":33,"value":365},"E\n",{"type":23,"tag":50,"props":367,"children":369},{"class":322,"line":368},6,[370],{"type":23,"tag":50,"props":371,"children":372},{},[373],{"type":33,"value":374},"F\n",{"type":23,"tag":50,"props":376,"children":378},{"class":322,"line":377},7,[379],{"type":23,"tag":50,"props":380,"children":381},{},[382],{"type":33,"value":383},"G\n",{"type":23,"tag":50,"props":385,"children":387},{"class":322,"line":386},8,[388],{"type":23,"tag":50,"props":389,"children":390},{},[391],{"type":33,"value":392},"H\n",{"type":23,"tag":50,"props":394,"children":396},{"class":322,"line":395},9,[397],{"type":23,"tag":50,"props":398,"children":399},{},[400],{"type":33,"value":401},"I\n",{"type":23,"tag":50,"props":403,"children":405},{"class":322,"line":404},10,[406],{"type":23,"tag":50,"props":407,"children":408},{},[409],{"type":33,"value":410},"J\n",{"type":23,"tag":50,"props":412,"
children":414},{"class":322,"line":413},11,[415],{"type":23,"tag":50,"props":416,"children":417},{},[418],{"type":33,"value":419},"K\n",{"type":23,"tag":50,"props":421,"children":423},{"class":322,"line":422},12,[424],{"type":23,"tag":50,"props":425,"children":426},{},[427],{"type":33,"value":428},"L\n",{"type":23,"tag":50,"props":430,"children":432},{"class":322,"line":431},13,[433],{"type":23,"tag":50,"props":434,"children":435},{},[436],{"type":33,"value":437},"M\n",{"type":23,"tag":50,"props":439,"children":441},{"class":322,"line":440},14,[442],{"type":23,"tag":50,"props":443,"children":444},{},[445],{"type":33,"value":446},"N\n",{"type":23,"tag":50,"props":448,"children":450},{"class":322,"line":449},15,[451],{"type":23,"tag":50,"props":452,"children":453},{},[454],{"type":33,"value":455},"O\n",{"type":23,"tag":50,"props":457,"children":459},{"class":322,"line":458},16,[460],{"type":23,"tag":50,"props":461,"children":462},{},[463],{"type":33,"value":464},"P\n",{"type":23,"tag":50,"props":466,"children":468},{"class":322,"line":467},17,[469],{"type":23,"tag":50,"props":470,"children":471},{},[472],{"type":33,"value":473},"Q\n",{"type":23,"tag":50,"props":475,"children":477},{"class":322,"line":476},18,[478],{"type":23,"tag":50,"props":479,"children":480},{},[481],{"type":33,"value":482},"R\n",{"type":23,"tag":50,"props":484,"children":486},{"class":322,"line":485},19,[487],{"type":23,"tag":50,"props":488,"children":489},{},[490],{"type":33,"value":491},"S\n",{"type":23,"tag":50,"props":493,"children":495},{"class":322,"line":494},20,[496],{"type":23,"tag":50,"props":497,"children":498},{},[499],{"type":33,"value":500},"T\n",{"type":23,"tag":50,"props":502,"children":504},{"class":322,"line":503},21,[505],{"type":23,"tag":50,"props":506,"children":507},{},[508],{"type":33,"value":509},"U\n",{"type":23,"tag":50,"props":511,"children":513},{"class":322,"line":512},22,[514],{"type":23,"tag":50,"props":515,"children":516},{},[517],{"type":33,"value":518},"V\n",{"typ
e":23,"tag":50,"props":520,"children":522},{"class":322,"line":521},23,[523],{"type":23,"tag":50,"props":524,"children":525},{},[526],{"type":33,"value":527},"W\n",{"type":23,"tag":50,"props":529,"children":531},{"class":322,"line":530},24,[532],{"type":23,"tag":50,"props":533,"children":534},{},[535],{"type":33,"value":536},"X\n",{"type":23,"tag":50,"props":538,"children":540},{"class":322,"line":539},25,[541],{"type":23,"tag":50,"props":542,"children":543},{},[544],{"type":33,"value":545},"Y\n",{"type":23,"tag":50,"props":547,"children":549},{"class":322,"line":548},26,[550],{"type":23,"tag":50,"props":551,"children":552},{},[553],{"type":33,"value":554},"Z\n",{"type":23,"tag":156,"props":556,"children":557},{},[558,560,566,567,571],{"type":33,"value":559},"Load this wordlist. Then start the attack with ",{"type":23,"tag":72,"props":561,"children":563},{"className":562},[],[564],{"type":33,"value":565},"Start Attack",{"type":33,"value":108},{"type":23,"tag":24,"props":568,"children":570},{"src":569},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F11.jpg",[],{"type":23,"tag":24,"props":572,"children":574},{"src":573},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F12.jpg",[],{"type":23,"tag":156,"props":576,"children":577},{},[578,580],{"type":33,"value":579},"The attack has started. In the output, one request differs from the others and catches our attention—let’s examine it.",{"type":23,"tag":24,"props":581,"children":583},{"src":582},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F13.jpg",[],{"type":23,"tag":156,"props":585,"children":586},{},[587,589,595,597,601,605,609],{"type":33,"value":588},"This is the ",{"type":23,"tag":72,"props":590,"children":592},{"className":591},[],[593],{"type":33,"value":594},"C",{"type":33,"value":596}," payload. 
Let’s open it in the browser. Can we get anything from it?",{"type":23,"tag":24,"props":598,"children":600},{"src":599},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F14.jpg",[],{"type":23,"tag":24,"props":602,"children":604},{"src":603},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F15.jpg",[],{"type":23,"tag":24,"props":606,"children":608},{"src":607},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F16.jpg",[],{"type":23,"tag":242,"props":610,"children":611},{},[612],{"type":23,"tag":156,"props":613,"children":614},{},[615,617,623],{"type":33,"value":616},"As seen, we are redirected to ",{"type":23,"tag":72,"props":618,"children":620},{"className":619},[],[621],{"type":33,"value":622},"agent_C_attention.php",{"type":33,"value":108},{"type":23,"tag":29,"props":625,"children":626},{},[627,629,635],{"type":33,"value":628},"From here we understand that the user ",{"type":23,"tag":72,"props":630,"children":632},{"className":631},[],[633],{"type":33,"value":634},"chris",{"type":33,"value":636}," has a weak password.",{"type":23,"tag":60,"props":638,"children":640},{"id":639},"initial-access",[641],{"type":33,"value":642},"Initial Access",{"type":23,"tag":29,"props":644,"children":645},{},[646,648,654,656,662],{"type":33,"value":647},"Let’s perform a brute-force attack on the ",{"type":23,"tag":72,"props":649,"children":651},{"className":650},[],[652],{"type":33,"value":653},"ftp",{"type":33,"value":655}," service that is open for this user. 
I will use ",{"type":23,"tag":72,"props":657,"children":659},{"className":658,"id":54,"style":129},[53],[660],{"type":33,"value":661},"hydra",{"type":33,"value":108},{"type":23,"tag":664,"props":665,"children":667},"copy",{"code":666},"hydra -l chris -P \u002Fusr\u002Fshare\u002Fwordlist\u002Frockyou.txt ftp:\u002F\u002F10.10.171.178",[],{"type":23,"tag":24,"props":669,"children":671},{"src":670},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F17.jpg",[],{"type":23,"tag":29,"props":673,"children":674},{},[675,677,683,685,690],{"type":33,"value":676},"We have found the match ",{"type":23,"tag":72,"props":678,"children":680},{"className":679,"id":54,"style":129},[53],[681],{"type":33,"value":682},"chris:crystal",{"type":33,"value":684},". Now let’s log in to ",{"type":23,"tag":72,"props":686,"children":688},{"className":687},[],[689],{"type":33,"value":653},{"type":33,"value":691}," with it.",{"type":23,"tag":24,"props":693,"children":695},{"src":694},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":697,"children":698},{},[699,701,707],{"type":33,"value":700},"Let’s download the files on FTP to our machine with ",{"type":23,"tag":72,"props":702,"children":704},{"className":703},[],[705],{"type":33,"value":706},"get \"file\"",{"type":33,"value":708}," and examine them.",{"type":23,"tag":24,"props":710,"children":712},{"src":711},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":714,"children":715},{},[716],{"type":33,"value":717},"When we examine the files, we understand that these two images hide secret data. 
Now let’s extract them.",{"type":23,"tag":719,"props":720,"children":722},"h3",{"id":721},"extracting-data-from-images",[723],{"type":33,"value":724},"Extracting Data from Images",{"type":23,"tag":29,"props":726,"children":727},{},[728,730,736,738,744,746,752],{"type":33,"value":729},"There are many tools for this such as ",{"type":23,"tag":72,"props":731,"children":733},{"className":732},[],[734],{"type":33,"value":735},"strings, binwalk, xxd, exiftool, steghide",{"type":33,"value":737},", etc. We tried ",{"type":23,"tag":72,"props":739,"children":741},{"className":740,"id":54,"style":129},[53],[742],{"type":33,"value":743},"binwalk",{"type":33,"value":745}," and found something in the ",{"type":23,"tag":72,"props":747,"children":749},{"className":748},[],[750],{"type":33,"value":751},"cutie.jpg",{"type":33,"value":753}," file.",{"type":23,"tag":24,"props":755,"children":757},{"src":756},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":759,"children":760},{},[761,763,769,771,777],{"type":33,"value":762},"From this output, we understand that a ",{"type":23,"tag":72,"props":764,"children":766},{"className":765},[],[767],{"type":33,"value":768},".zip",{"type":33,"value":770}," was embedded into the image. 
Let’s extract them with ",{"type":23,"tag":72,"props":772,"children":774},{"className":773},[],[775],{"type":33,"value":776},"binwalk -e cutie.jpg",{"type":33,"value":108},{"type":23,"tag":24,"props":779,"children":781},{"src":780},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F21.jpg",[],{"type":23,"tag":24,"props":783,"children":785},{"src":784},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F22.jpg",[],{"type":23,"tag":29,"props":787,"children":788},{},[789,791,797,799,805],{"type":33,"value":790},"As seen, we have an encrypted zip named ",{"type":23,"tag":72,"props":792,"children":794},{"className":793},[],[795],{"type":33,"value":796},"8702.zip",{"type":33,"value":798},". (We understood it was encrypted when the ",{"type":23,"tag":72,"props":800,"children":802},{"className":801,"id":54,"style":129},[53],[803],{"type":33,"value":804},"7z x 8702.zip",{"type":33,"value":806}," command asked for a password.)",{"type":23,"tag":242,"props":808,"children":809},{},[810],{"type":23,"tag":156,"props":811,"children":812},{},[813],{"type":33,"value":814},"Encrypted zip files keep within themselves the cryptographic “proof” (hash) required to check whether a given password is correct. Anyone who holds the archive can therefore test password guesses offline, so the archive is only as strong as its password.",{"type":23,"tag":29,"props":816,"children":817},{},[818,820,826,828,834,836,841],{"type":33,"value":819},"With the command ",{"type":23,"tag":72,"props":821,"children":823},{"className":822,"id":54,"style":129},[53],[824],{"type":33,"value":825},"zip2john 8702.zip > zip.hash",{"type":33,"value":827},", we convert these hashes into a format that the ",{"type":23,"tag":72,"props":829,"children":831},{"className":830},[],[832],{"type":33,"value":833},"john",{"type":33,"value":835}," tool understands. 
Then we use the ",{"type":23,"tag":72,"props":837,"children":839},{"className":838,"id":54,"style":129},[53],[840],{"type":33,"value":833},{"type":33,"value":842}," tool with a wordlist to try the hashes and crack them.",{"type":23,"tag":24,"props":844,"children":846},{"src":845},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F23.jpg",[],{"type":23,"tag":29,"props":848,"children":849},{},[850],{"type":33,"value":851},"We found the password. Now let’s open the archive with this password.",{"type":23,"tag":24,"props":853,"children":855},{"src":854},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F24.jpg",[],{"type":23,"tag":24,"props":857,"children":859},{"src":858},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F25.jpg",[],{"type":23,"tag":29,"props":861,"children":862},{},[863,865,871],{"type":33,"value":864},"From the output we get something like ",{"type":23,"tag":72,"props":866,"children":868},{"className":867,"id":54,"style":145},[53],[869],{"type":33,"value":870},"QXJIYTUx",{"type":33,"value":872},", which looks meaningless. 
Let’s keep this aside; it might come in handy.",{"type":23,"tag":29,"props":874,"children":875},{},[876,878,883,885],{"type":33,"value":877},"Now we have examined the ",{"type":23,"tag":72,"props":879,"children":881},{"className":880},[],[882],{"type":33,"value":751},{"type":33,"value":884}," file, but we have one more image: ",{"type":23,"tag":72,"props":886,"children":888},{"className":887},[],[889],{"type":33,"value":890},"cute-alien.jpg",{"type":23,"tag":242,"props":892,"children":893},{},[894,907,927,932,947],{"type":23,"tag":156,"props":895,"children":896},{},[897,899,905],{"type":33,"value":898},"Let’s examine this one with ",{"type":23,"tag":72,"props":900,"children":902},{"className":901},[],[903],{"type":33,"value":904},"steghide",{"type":33,"value":906}," as well, because we have a string that could serve as a password.",{"type":23,"tag":156,"props":908,"children":909},{},[910,912,918,920,925],{"type":33,"value":911},"But when we try to examine it with ",{"type":23,"tag":72,"props":913,"children":915},{"className":914},[],[916],{"type":33,"value":917},"steghide extract -sf cute-alien.jpg",{"type":33,"value":919},", ",{"type":23,"tag":72,"props":921,"children":923},{"className":922,"id":54,"style":55},[53],[924],{"type":33,"value":870},{"type":33,"value":926}," does not work for us.",{"type":23,"tag":156,"props":928,"children":929},{},[930],{"type":33,"value":931},"This suggests that it may be an encoded password.",{"type":23,"tag":156,"props":933,"children":934},{},[935,937,943],{"type":33,"value":936},"And yes, we figure out what encoding it is: ",{"type":23,"tag":72,"props":938,"children":940},{"className":939},[],[941],{"type":33,"value":942},"BASE64",{"type":23,"tag":24,"props":944,"children":946},{"src":945},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F26.jpg",[],{"type":23,"tag":156,"props":948,"children":949},{},[950,952],{"type":33,"value":951},"Now let’s decode 
it.",{"type":23,"tag":24,"props":953,"children":955},{"src":954},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F27.jpg",[],{"type":23,"tag":29,"props":957,"children":958},{},[959,961,967,969,974],{"type":33,"value":960},"We get ",{"type":23,"tag":72,"props":962,"children":964},{"className":963,"id":54,"style":129},[53],[965],{"type":33,"value":966},"Area51",{"type":33,"value":968}," as output; let’s try this for ",{"type":23,"tag":72,"props":970,"children":972},{"className":971},[],[973],{"type":33,"value":917},{"type":33,"value":108},{"type":23,"tag":24,"props":976,"children":978},{"src":977},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F28.jpg",[],{"type":23,"tag":29,"props":980,"children":981},{},[982,984,990,992,998,1000,1006],{"type":33,"value":983},"Yes, it worked; we obtained ",{"type":23,"tag":72,"props":985,"children":987},{"className":986},[],[988],{"type":33,"value":989},"message.txt",{"type":33,"value":991},". From here we obtain the pair ",{"type":23,"tag":72,"props":993,"children":995},{"className":994,"id":54,"style":129},[53],[996],{"type":33,"value":997},"james:hackerrules!",{"type":33,"value":999},". 
Now with this information let’s connect to the system via ",{"type":23,"tag":72,"props":1001,"children":1003},{"className":1002},[],[1004],{"type":33,"value":1005},"ssh",{"type":33,"value":108},{"type":23,"tag":24,"props":1008,"children":1010},{"src":1009},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F29.jpg",[],{"type":23,"tag":60,"props":1012,"children":1014},{"id":1013},"privilege-escalation",[1015],{"type":33,"value":1016},"Privilege Escalation",{"type":23,"tag":29,"props":1018,"children":1019},{},[1020,1022,1028,1030,1036,1038,1044,1046,1052],{"type":33,"value":1021},"During our manual checks on this system, we notice the following: the user ",{"type":23,"tag":72,"props":1023,"children":1025},{"className":1024},[],[1026],{"type":33,"value":1027},"james",{"type":33,"value":1029}," can run the ",{"type":23,"tag":72,"props":1031,"children":1033},{"className":1032},[],[1034],{"type":33,"value":1035},"\u002Fbin\u002Fbash",{"type":33,"value":1037}," binary as any user except root. And our sudo version is ",{"type":23,"tag":72,"props":1039,"children":1041},{"className":1040},[],[1042],{"type":33,"value":1043},"1.8.21p2",{"type":33,"value":1045},". 
With a quick search, we understand that this is the ",{"type":23,"tag":72,"props":1047,"children":1049},{"className":1048},[],[1050],{"type":33,"value":1051},"CVE-2019-14287",{"type":33,"value":1053}," vulnerability.",{"type":23,"tag":242,"props":1055,"children":1056},{},[1057,1062],{"type":23,"tag":156,"props":1058,"children":1059},{},[1060],{"type":33,"value":1061},"At its core, the vulnerability stems from a logic flaw in how sudo handles user IDs (UIDs). It only matters when a sudoers rule lets a user run a command as any user while excluding root, as is the case for james here; installing a sudo release that contains the fix for this CVE removes the bypass.",{"type":23,"tag":156,"props":1063,"children":1064},{},[1065,1067,1073,1075],{"type":33,"value":1066},"When a user runs ",{"type":23,"tag":72,"props":1068,"children":1070},{"className":1069},[],[1071],{"type":33,"value":1072},"sudo -u \u003Cusername>",{"type":33,"value":1074},":\n",{"type":23,"tag":242,"props":1076,"children":1077},{},[1078,1090,1095,1100],{"type":23,"tag":156,"props":1079,"children":1080},{},[1081,1083,1089],{"type":33,"value":1082},"It finds the UID of ",{"type":23,"tag":72,"props":1084,"children":1086},{"className":1085},[],[1087],{"type":33,"value":1088},"\u003Cusername>",{"type":33,"value":108},{"type":23,"tag":156,"props":1091,"children":1092},{},[1093],{"type":33,"value":1094},"It checks the rule in the sudoers file.",{"type":23,"tag":156,"props":1096,"children":1097},{},[1098],{"type":33,"value":1099},"If the rule allows running the command with that UID, it proceeds.",{"type":23,"tag":156,"props":1101,"children":1102},{},[1103,1105,1111,1113,1119,1121,1127],{"type":33,"value":1104},"The issue appears when, instead of a username, a numeric UID is given to the ",{"type":23,"tag":72,"props":1106,"children":1108},{"className":1107},[],[1109],{"type":33,"value":1110},"-u",{"type":33,"value":1112}," parameter, and that number is ",{"type":23,"tag":72,"props":1114,"children":1116},{"className":1115},[],[1117],{"type":33,"value":1118},"-1",{"type":33,"value":1120}," (or its unsigned integer equivalent 
",{"type":23,"tag":72,"props":1122,"children":1124},{"className":1123},[],[1125],{"type":33,"value":1126},"4294967295",{"type":33,"value":1128},").",{"type":23,"tag":29,"props":1130,"children":1131},{},[1132,1134,1140,1142,1148,1150,1155,1157,1163,1165,1171,1173,1178,1180,1185],{"type":33,"value":1133},"When sudo sees the command ",{"type":23,"tag":72,"props":1135,"children":1137},{"className":1136},[],[1138],{"type":33,"value":1139},"-u#-1",{"type":33,"value":1141},", it checks the security rule (like ",{"type":23,"tag":72,"props":1143,"children":1145},{"className":1144},[],[1146],{"type":33,"value":1147},"!root",{"type":33,"value":1149},"). Since ",{"type":23,"tag":72,"props":1151,"children":1153},{"className":1152},[],[1154],{"type":33,"value":1118},{"type":33,"value":1156}," is not equal to ",{"type":23,"tag":72,"props":1158,"children":1160},{"className":1159},[],[1161],{"type":33,"value":1162},"0",{"type":33,"value":1164},", sudo says “OK, this isn’t root; it satisfies the rule” and passes that check. 
However, when it comes to actually running the command, the operating system functions that sudo uses (such as ",{"type":23,"tag":72,"props":1166,"children":1168},{"className":1167},[],[1169],{"type":33,"value":1170},"setresuid",{"type":33,"value":1172},") interpret an invalid or special UID like ",{"type":23,"tag":72,"props":1174,"children":1176},{"className":1175},[],[1177],{"type":33,"value":1118},{"type":33,"value":1179}," as UID ",{"type":23,"tag":72,"props":1181,"children":1183},{"className":1182},[],[1184],{"type":33,"value":1162},{"type":33,"value":1186}," (i.e., root). More precisely, -1 is the value that tells these functions to leave the UID unchanged, and because sudo is already running as root when it makes the call, the command keeps UID 0.",{"type":23,"tag":1188,"props":1189,"children":1191},"alert",{"type":1190},"info",[1192,1201],{"type":23,"tag":1193,"props":1194,"children":1195},"template",{"v-slot:title":7},[1196],{"type":23,"tag":29,"props":1197,"children":1198},{},[1199],{"type":33,"value":1200},"What is a UID?",{"type":23,"tag":29,"props":1202,"children":1203},{},[1204],{"type":33,"value":1205},"In Linux, every user has a numerical ID. The root user’s ID is always 0. 
Other users typically have positive integers starting from 1000.",{"type":23,"tag":24,"props":1207,"children":1209},{"src":1208},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-AgentSudo-writeup\u002F30.jpg",[],{"type":23,"tag":1211,"props":1212,"children":1213},"style",{},[1214],{"type":33,"value":1215},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":350,"depth":350,"links":1217},[1218,1219,1222],{"id":62,"depth":332,"text":65},{"id":639,"depth":332,"text":642,"children":1220},[1221],{"id":721,"depth":341,"text":724},{"id":1013,"depth":332,"text":1016},"markdown","content:posts:2025:tryhackme-AgentSudo-writeup.md","content","posts\u002F2025\u002Ftryhackme-AgentSudo-writeup.md","posts\u002F2025\u002Ftryhackme-AgentSudo-writeup","md","\u002Fposts",[1231,1235],{"_path":1232,"title":1233,"date":1234},"\u002F2025\u002Ftryhackme-bountyhacker-writeup","TryHackMe - Bounty Hacker","2025-08-18T08:05:30.000Z",{"_path":1236,"title":1237,"date":1238},"\u002F2025\u002Ftryhackme-lazyadmin-writeup","TryHackMe - LazyAdmin","2025-08-20T08:34:58.000Z",1776934252192]