Linux Agency Tryhackme Writeup (Part1)

Thatquietkid
8 min readJan 29, 2021

Link:https://tryhackme.com/room/linuxagency

We were given ssh username and password for login to the machine via ssh.

As soon as we ssh to the machine , we get the First flag (mission1 flag)

Now , after this i did cd .. (to go back a directory) and found all the missions 1–30 and i tried cd into mission 2 but there was permission denied . so i su(switch user) to mission1 (using the flag we found earlier as password) and cd into mission1 and found the flag (mission2)

Now, i su to mission2 using the flag we found and cd into mission2 and there was file flag.txt

Command : Cat flag.txt

Cat command is used for seeing the contents of a file.

Now, we have mission3 flag as well and so su to mission3 using the flag we found now as password.Inside mission3 we found flag.txt but…

Now, i checked the hint and it was “your are too feline”

Feline means relating to cats ( i was using cat command)

Now , i thought maybe i should check for strings inside the file and ..

Now let’s su to mission4 and cd into mission4.

Inside mission4 , there was a directory called flag and i cd into that and found flag.txt and le’s cat that flag out.

Now, su to mission5 and cd into it and i found .flag.txt file inside and you don't have to do anything , just cat out the file .

Now , su to mission6 and cd into that and i did ls and found nothing , so i thought maybe it’s hidden so i did (command: ls -la) and found a hidden directory .flag and cd into that and found flag.txt

Now , su to mission7 and cd into that.

Now, su to mission8 and cd into that and found nothing . Did ls -la , found nothing and then i thought about that find command and used it.

Command: find / -type f -name flag.txt 2>/dev/null

Now let me explain this command .

  • type f= it is a file
  • -name = name of the file
  • 2>/dev/null = without error.

Now, su to mission 9 and i found a wordlist (rockyou.txt) and if u cat out that file and try to get the flag that way , it would be like finding a needle in a haystack but thanks to Tony Stark as he explained how to find a needle in a haystack ( using a magnet ) 😂.
Command: grep ‘mission10*’ /home/mission9/rockyou.txt

Now , su to mission10 and cd into it. and again find command is our saviour.

Command:find /home/mission10/folder -type f -name flag.txt 2>/dev/null

Now , su to mission11 and cd into it and found nothing and then i starting seeing the contents of all and when i cat out .bashrc , i found

It is base64 encoded , go to cyberchef .

It is the flag but in reverse order .

Now , let’s su to mission12 and permission denied . I couldn’t cat out the file , no strings , not even transfer the file …nothing. Then after a while, i thought maybe i can grant the file permission.

Command : chmod 777 flag.txt ( only read permission is required but i like it this way, providing all three permissions( read, write,execute).

Now , su to mission13 and cat out flag.txt and we found a string(bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=) .It looks like base64 and it was base64

Hail cyberchef!!!!!

Now , su to mission14 and cat out flag.txt and we found a string (01101101011010010111001101110011011010010110111101101110001100010011010101111011011001100110001100110100001110010011000100110101011001000011100000110001001110000110001001100110011000010110010101100110011001100011000000110001001100010011100000110101011000110011001100110101001101000011011101100110001100100011010100110101001110010011011001111101) . it looks like binary.

Hail cyberchef!!!!

Now , su to mission15 and cat out the flag.txt and found a string (6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D) . It looks like hex.

Hail cyberchef!!!!!

Now, su to mission16 and cd into it and i found a file called flag and i used {command : file flag }for knowing what it is and it looked like a executable but it was read only so i granted it permission (chmod +x flag).

i gave it chmod 777 again by mistake but i have shown the command in the next image

Now , su to mission17 and we see a flag.java file.

Now , compile that java file using command: javac flag.java

and then run it (command: java flag)

Now , su to mission18 and i found a ruby script (flag.rb)

Command: ruby flag.rb

Now, su to mission19 and found a C program (flag.c) and compiled it .

Command: gcc flag.c -o flag

and then i got flag (program) and i ran it.

Now , su to mission20 and cd into it and found a python script (flag.py)

and ran it using python but it was not installed on it but there was python3 , so i ran it with python3

Command: python3 flag.py

Now , su to mission21 and cd into it and i got this ( see the below image) and i thought let’s get a interactive shell.

Command: python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Now , su to mission22 and this took me a while . I didn’t know how to escape that python console and after a hour , i asked for a hint from discord and someone(helpme was his name) told me that we can run system commands .

Command: import os

Command: os.system(“whoami”)

i see that i m mission22 and now see it we can get a shell

Command: os.system(“bash”)

Oh man ! Finally

Now, su to mission23 and there was a message ( The hosts will help u )

Now, i thought let’s cat out hosts

Command: cat /etc/hosts

and Now, let’s curl our flag

Now su to mission24 and there was executable bribe

and i noticed that there was a file .viminfo and i thought let’s see it’s content.

Now su to mission25 and no command was working (ls, ls -la, cat Etc.)

Now , i thought to see it it has a path or not .

Command:echo $PATH

And let’s now add a path

Command:export PATH=/bin

Now, su to mission26 and inside it was a image(flag.jpg) Now i used strings to see it’s content.

Command: strings flag.jpg | grep ‘mission27*’

Now su to mission27 and there was a file with multiple extensions and i thought to decompress it .

Command : gzip -d flag.mp3.mp4………………tar.jpg.png.gz

Now , su to mission28 and i got irb( interactive ruby ) and i searched on google to find out how to run system commands in it and it was very simple.

Command: system(“whoami”)

Now , we got the flag ( in reverse order ).

Now, su to mission29 and this one was a bit simple ( see the image and u will know what to do ).

Now , su to mission30 and there was a python script called sources.py and it displayed “Hey I have learn’t python”.

Now there is another directory .git and let’s cd into it. and after looking at the contents of files and roaming around for a while i found viktor’s flag.

Now , we have completed part 1 and passed all the missions and i will do the writeup for it’s second part(privilege escalation part )tomorrow.

Thankyou for reading my writeup and have a nice day.

--

--