Linux Agency Tryhackme Writeup (Part1)

Thatquietkid
Jan 29, 2021

Link: https://tryhackme.com/room/linuxagency

We were given an SSH username and password to log in to the machine.

As soon as we SSH into the machine, we get the first flag (mission1 flag).

After this, I did cd .. (to go back a directory) and found all the missions 1–30. I tried to cd into mission2, but permission was denied, so I su (switch user) to mission1 (using the flag we found earlier as the password), cd into mission1 and found the flag (mission2).

Now I su to mission2 using the flag we found and cd into mission2, and there was a file flag.txt.

Command: cat flag.txt

The cat command is used for seeing the contents of a file.

Now we have the mission3 flag as well, so su to mission3 using the flag we just found as the password. Inside mission3 we found flag.txt but…

Now I checked the hint and it was “your are too feline”.

Feline means relating to cats (I was using the cat command).

Now I thought maybe I should check for strings inside the file and ..

Now let’s su to mission4 and cd into mission4.

Inside mission4, there was a directory called flag. I cd into that and found flag.txt, so let’s cat that flag out.

Now su to mission5 and cd into it. I found a .flag.txt file inside, and you don't have to do anything, just cat out the file.

Now su to mission6 and cd into that. I did ls and found nothing, so I thought maybe it’s hidden, so I did (command: ls -la) and found a hidden directory .flag, cd into that and found flag.txt.

Now su to mission7 and cd into that.

Now su to mission8 and cd into that; found nothing. Did ls -la, found nothing, and then I thought about the find command and used it.

Command: find / -type f -name flag.txt 2>/dev/null

Now let me explain this command.

  • -type f = match only regular files
  • -name = name of the file to match
  • 2>/dev/null = redirect error messages (stderr) to /dev/null so they are not shown

Now su to mission9. I found a wordlist (rockyou.txt), and if you cat out that file and try to get the flag that way, it would be like finding a needle in a haystack, but thanks to Tony Stark, as he explained how to find a needle in a haystack (using a magnet) 😂.

Command: grep 'mission10*' /home/mission9/rockyou.txt

Now su to mission10 and cd into it, and again the find command is our saviour.

Command: find /home/mission10/folder -type f -name flag.txt 2>/dev/null

Now su to mission11 and cd into it; found nothing. Then I started looking at the contents of all the files, and when I cat out .bashrc, I found

It is base64 encoded, go to CyberChef.

It is the flag but in reverse order.

Now let’s su to mission12, and permission denied. I couldn’t cat out the file, no strings, not even transfer the file… nothing. Then after a while, I thought maybe I can grant the file permission.

Command: chmod 777 flag.txt (only read permission is required, but I like it this way, providing all three permissions: read, write, execute).

Now su to mission13 and cat out flag.txt, and we found a string (bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=). It looks like base64, and it was base64.

Hail cyberchef!!!!!

Now su to mission14 and cat out flag.txt, and we found a string (01101101011010010111001101110011011010010110111101101110001100010011010101111011011001100110001100110100001110010011000100110101011001000011100000110001001110000110001001100110011000010110010101100110011001100011000000110001001100010011100000110101011000110011001100110101001101000011011101100110001100100011010100110101001110010011011001111101). It looks like binary.

Hail cyberchef!!!!

Now su to mission15 and cat out the flag.txt, and found a string (6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D). It looks like hex.

Hail cyberchef!!!!!
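
The three encodings met in missions 13 to 15, and the "flag in reverse order" case mentioned for mission 11, can also be decoded locally instead of in CyberChef. The following Python is an added example, not part of the original writeup; the function names and the assumed flag pattern (missionNN followed by 32 hex characters in braces) are assumptions, and the sample strings are the ones quoted above.

```python
import base64
import binascii
import re

# Assumed flag shape, inferred from this room: missionNN{32 hex characters}
FLAG_RE = re.compile(r"mission\d+\{[0-9a-f]{32}\}")

# Encoded strings quoted in the writeup (found in missions 13, 14 and 15)
SAMPLES = {
    "mission13": "bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=",
    "mission14": "01101101011010010111001101110011011010010110111101101110001100010011010101111011011001100110001100110100001110010011000100110101011001000011100000110001001110000110001001100110011000010110010101100110011001100011000000110001001100010011100000110101011000110011001100110101001101000011011101100110001100100011010100110101001110010011011001111101",
    "mission15": "6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D",
}

def candidates(blob):
    """Yield (encoding, decoded_text) for every encoding the blob is valid in."""
    s = blob.strip()
    # Binary: only 0/1 characters, grouped into 8-bit bytes
    if re.fullmatch(r"[01]+", s) and len(s) % 8 == 0:
        raw = bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))
        yield "binary", raw.decode("ascii", "replace")
    # Hex: an even number of hex digits
    if re.fullmatch(r"[0-9A-Fa-f]+", s) and len(s) % 2 == 0:
        yield "hex", bytes.fromhex(s).decode("ascii", "replace")
    # Base64: strict validation rejects stray characters and bad padding
    try:
        yield "base64", base64.b64decode(s, validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        pass

def find_flag(blob):
    """Return (encoding, flag), also checking the reversed text; None if no match."""
    for name, text in candidates(blob):
        for label, view in ((name, text), (name + "+reversed", text[::-1])):
            match = FLAG_RE.search(view)
            if match:
                return label, match.group(0)
    return None

if __name__ == "__main__":
    for where, blob in SAMPLES.items():
        print(where, "->", find_flag(blob))
```

A string made only of 0s and 1s is also valid hex and can be valid base64, which is why each decoding is accepted only if the result matches the flag pattern.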

Now su to mission16 and cd into it. I found a file called flag and I used (command: file flag) to find out what it is. It looked like an executable but it was read only, so I granted it permission (chmod +x flag).

I gave it chmod 777 again by mistake, but I have shown the command in the next image.

Now su to mission17 and we see a flag.java file.

Now compile that Java file using the command: javac flag.java

and then run it (command: java flag)

Now su to mission18, and I found a Ruby script (flag.rb).

Command: ruby flag.rb

Now su to mission19; found a C program (flag.c) and compiled it.

Command: gcc flag.c -o flag

and then I got flag (the program) and I ran it.

Now su to mission20 and cd into it; found a Python script (flag.py)

and ran it using python, but that was not installed on the machine; there was python3, so I ran it with python3.

Command: python3 flag.py

Now su to mission21 and cd into it. I got this (see the image below) and I thought, let’s get an interactive shell.

Command: python3 -c 'import pty;pty.spawn("/bin/bash")'

Now su to mission22, and this took me a while. I didn’t know how to escape that Python console, and after an hour I asked for a hint on Discord and someone (helpme was his name) told me that we can run system commands.

Command: import os

Command: os.system("whoami")

I see that I am mission22; now let's see if we can get a shell.

Command: os.system("bash")

Oh man! Finally.

Now su to mission23, and there was a message (The hosts will help u).

Now I thought, let’s cat out hosts.

Command: cat /etc/hosts

And now, let’s curl our flag.

Now su to mission24, and there was an executable bribe

and I noticed that there was a file .viminfo, and I thought, let’s see its contents.

Now su to mission25, and no command was working (ls, ls -la, cat, etc.).

Now I thought to see if it has a path or not.

Command: echo $PATH

And let’s now add a path.

Command: export PATH=/bin

Now su to mission26, and inside it was an image (flag.jpg). Now I used strings to see its contents.

Command: strings flag.jpg | grep 'mission27*'

Now su to mission27, and there was a file with multiple extensions, and I thought to decompress it.

Command: gzip -d flag.mp3.mp4………………tar.jpg.png.gz

Now su to mission28, and I got irb (interactive Ruby). I searched on Google to find out how to run system commands in it, and it was very simple.

Command: system("whoami")

Now we got the flag (in reverse order).

Now su to mission29, and this one was a bit simple (see the image and you will know what to do).

Now su to mission30, and there was a Python script called sources.py and it displayed “Hey I have learn’t python”.

Now there is another directory, .git, so let’s cd into it. After looking at the contents of files and roaming around for a while, I found viktor’s flag.

Now we have completed part 1 and passed all the missions, and I will do the writeup for its second part (the privilege escalation part) tomorrow.

Thank you for reading my writeup and have a nice day.
