Linux Agency is a TryHackMe room created by 0z09e and Xyan1d3 to help sharpen your Linux skills and help you learn basic privilege escalation in a HITMAN theme.
I am by no means a Linux guru, but I enjoy Linux and love working on the command line … so let’s get cracking!
Task 1: Deploy the machine
I deployed the machine and decided to stick with the TryHackMe attack box provided to subscribers. The cost is minimal and well worth the investment! If you find something better for the money please let me know.
Task 2: Let’s Jump in
You are provided with an SSH username and password and told that each flag you find will serve as the password for the next user.
Q: SSH into the box as agent47
A:
ssh agent47@ip.address
Task 3: Linux Fundamentals
Q: What is the mission 1 flag?
A: Once you SSH in you will be provided with
mission1{md5sum}
← that is the answer.
Once you get the mission1{md5sum.random.numbers} flag, right-click and copy it. Then type
su - mission1
and right-click and paste the mission{md5sum.random.bla} password into the prompt, finishing by pressing Enter.
Q2: What is the mission2 flag? #hint: Don’t forget to bring the groceries, the list is inside your bag.
A2: type
ls
By performing a directory listing with
ls
we can see a file name that is actually the flag.
Q3: What is the mission3 flag?
A3:
cat flag.txt
Q4: What is the mission4 flag?
A4:
strings ~/flag.txt
Q5: What is the mission5 flag?
A5: A directory listing shows a flag folder, inside the folder is a file called flag.txt.
cat flag/flag.txt
Q6: What is the mission6 flag?
A6: A regular
ls
does not show any files, so you need to list hidden files by using
ls -la
which shows a hidden .flag.txt file. Use
cat .flag.txt
to show the contents of the flag.
ls - list directory contents
-l : use long listing format
-a, --all : list all files including files starting with a period.
Q7: What is the mission7 flag?
A7:
ls -la
shows a hidden .flag directory with the flag.txt inside of it. Use
cat .flag/flag.txt
to show the contents of the flag. As in the previous mission, a regular
ls
does not show any files; the -a option is what lists entries starting with a period.
Q8: What is the mission8 flag?
A8: There is a message that says there is no home directory specified, so we are logging into the root
/
file system. The basic Linux directory structure tells us our home directory should be under /home. Sure enough the flag is found under /home/mission7/flag.txt.
Q9: What is the mission9 flag?
A9: A quick look around the home directory and environment variables didn’t reveal anything but a global find revealed the flag.txt at the root of the filesystem.
find - search for files in a directory hierarchy
/ : tells find to start at the root of the file system
-type f : will only search for files
2>/dev/null : will redirect error messages to /dev/null #veryhandy
Q10: What is the mission10 flag?
A10: Looking in the directory we can see a rockyou.txt file. Using wc to get a word-count of the file shows there are over 14 million lines in this file. So instead of paging through it all we will perform a grep for mission10 and see if we get a hit. Success!
grep mission10 rockyou.txt
Q11: What is the mission11 flag?
A11: Doing a directory listing in the home folder shows a single folder that contains 8,236 folders with one flag.txt file hidden somewhere in the directory structure.
A quick find command will display the file, and passing a cat command to the -exec flag will show the contents of the file as well. Because this is mission10’s home folder I intentionally left off the 2>/dev/null because I should not get any errors here, and if I do I would like to see them.
find ./ -type f -name flag.txt
find ./ -type f -name flag.txt -exec cat {} \;
Q12: What is the mission12 flag?
A12: Some poking around and the usual searching gave no results. But looking into the environment variables gives us what we are looking for.
env | grep -i flag
Q13: What is the mission13 flag?
A13: A directory listing shows the file flag.txt but we get a permission denied when we try to view it. It shows that mission12 is the owner of the file, so all we need to do is give ourselves access to it. A
chmod 600 flag.txt
will give us permissions to read and write to the file.
Q14: What is the mission14 flag?
A14: We can see the flag file in the mission13 home directory but it is base64 encoded.
cat flag.txt | base64 -d
Q15: What is the mission15 flag?
A15: We can see the flag in the directory but it is only a bunch of ones and zeros… let’s see what we can do to convert it.
sed 's/$/P/g;s/^/2i/' flag.txt | dc;echo
Yup that worked ;)
Q16: What is the mission16 flag?
A16: The directory listing shows us the flag.txt file but when we look at the contents we can see that it only contains letters and numbers …looks a little like hex.
cat flag.txt | xxd -r -p; echo
Q17: What is the mission17 flag?
A17: A directory listing shows us a flag file. By further inspecting it with file flag we can see that it is an ELF executable. So if we make it executable with
chmod +x flag
we can then execute it with
./flag
which will give us the flag.
Q18: What is the mission18 flag?
A18: There is a
flag.java
file in the home directory which contains some source code. Since it ends with .java I am assuming that it is in fact Java. Let’s compile and run it.
javac flag.java # will compile the class file
java flag # will run the file and give the flag
Q19: What is the mission19 flag?
A19: We can see a
flag.rb
file which I am assuming is a Ruby file. Let’s run it.
Q20: What is the mission20 flag?
A20: In the directory is a
flag.c
file so we will use
gcc flag.c
to compile it and then run the program.
Q21: What is the mission21 flag?
A21: In the directory is a flag.py file. We can run it with:
python3 flag.py
Q22: What is the mission22 flag?
A22: Once we log into mission21 something looks off, as I do not have my normal bash prompt. I run an id just to see what account and permissions I have. Then I do a cat /etc/passwd | grep mission21 to see what shell I was supposed to have. Well, I decided to switch to bash by typing /bin/bash and boom… the flag is there.
Q23: What is the mission23 flag?
A23: We are immediately provided with a python prompt. So we should be able to perform a simple python escape with
import pty; pty.spawn("/bin/bash")
and then we can find and cat the flag.txt.
Q24: What is the mission24 flag?
A24: Initially we find a message that states
the hosts will help you... maybe you will need curly hairs
This immediately leads me to the /etc/hosts file, which shows an entry for mission24.com. Now the curly hint leads me to believe I need to use curl to access the mission24.com site.
Q25: What is the mission25 flag?
A25: We can see an executable file called
bribe
on the file system. When we run it for the first time it tells us to give some money and we will get the flag. So let’s run ltrace and see what’s happening. Here we can see there are some empty environment variables named pocket and init. Let’s put some money in the pocket variable with
export pocket=money
and then re-run the program.
Q26: What is the mission26 flag?
A26: Any command we run gives us -su: command: No such file or directory, which seems like the OS cannot find the file. Running an export command we can see that the PATH variable is set to nothing. We should be able to path the commands out manually. By typing
/bin/ls
we can see a flag.txt file in our current directory. Running
/bin/cat flag.txt
will work.
Q27: What is the mission27 flag?
A27: In our home directory we can see a flag.jpg file. We inspect the file with the
file
command to see what we are dealing with… and there is the flag.
Q28: What is the mission28 flag?
A28: In the directory is a gzip compressed file … I was assuming I was going to be in for some crazy Russian doll type of situation… but that wasn’t the case.
Q29: What is the mission29 flag?
A29: When we log into mission28 we are presented with an interactive Ruby shell
irb(main):001:0>
so we should be able to perform a simple shell escape with
exec "/bin/bash"
Q30: What is the mission30 flag?
A30: We can see a build it directory with some web’ish files. Let’s do a quick find command to see if there is anything with mission30 in it… bingo!
Q30: What is victor’s flag?
A30: Initially there is a directory called Escalator with a python script in it. But inspecting the directory further we can see a .git folder. Nice this is a git repo and we may be able to recover some additional information.
Task 4: Privilege Escalation
We now need to su into the viktor account and start performing some privilege escalation.
Q: What is dalia’s flag?
A: After some searching around I found a crontab entry that was being run as dalia. Per the crontab entry we only have 30 seconds to get the job done. So after failing the first couple of edits, I just created a while loop to continuously inject my reverse shell into the script every 20 seconds.
Q: What is silvio’s flag?
A: Running sudo -l, you find out that dalia can run zip as silvio. But in order to accomplish this we need a better shell than a simple netcat listener. This can be accomplished by using python to spawn a pty shell using the pty module.
python -c 'import pty;pty.spawn("/bin/bash")'
To stabilize the shell you will need to background the shell with
ctrl-z
then type
stty raw -echo ; fg
to adjust the terminal and bring it back in the foreground. Next type
reset
and press enter.
We should now have a fully interactive terminal with tab completion and be able to run other commands… like sudo.
Seeing that we can run zip as silvio, we can refer to GTFOBins.
Because we can only run zip as silvio we need to modify the sudo command with
sudo -u silvio
to run zip as the user we want.
Now we can go to silvio’s home directory and get the flag.
Q: What is reza’s flag?
Here we can check our sudo rights with
sudo -l
and it shows we can run git as user reza. A quick look at GTFOBins finds a usable way to spawn a shell using git once we add in the -u reza modification.
Q: What is jordan’s flag?
A: sudo -l shows us that we can run a python script as jordan. But when we run it we get notified that the script cannot find the shop module. Unfortunately /opt/scripts is not writable, so we need to find a place that is writable to create our shop.py module and then instruct python to look for it there.
First we need to create the shop.py module to spawn a shell for us and then get the Gun-Shop.py script to launch it for us.
echo "import pty;pty.spawn('/bin/bash')" > /tmp/shop.py
Now we can specify the PYTHONPATH variable on the command line by typing
sudo -u jordan PYTHONPATH=/tmp/ script.py
Information on PYTHONPATH can be found here.
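Why the PYTHONPATH override above works, and one interpreter-side mitigation, shown as an added example that is not part of the original write-up. It builds harmless stand-ins for Gun-Shop.py and shop.py in a temporary directory (all paths are constructed) and compares the default interpreter with python3 -E, which ignores PYTHON* environment variables.

```sh
#!/bin/sh
# Added example: everything lives in a throwaway temp directory.
# Prints "loaded" if `import shop` was resolved through PYTHONPATH,
# "blocked" if the interpreter refused to look there.
pythonpath_demo() {
    mode=$1                       # "" for default flags, or "-E"
    work=$(mktemp -d) || return 1
    mkdir "$work/scripts" "$work/writable"
    # Stand-in for the sudo-allowed script: it imports a module that is
    # not installed next to it (like the missing shop module above).
    printf 'import shop\n' > "$work/scripts/Gun-Shop.py"
    # Stand-in for a module dropped into a writable directory; it only
    # prints a marker.
    printf 'print("loaded")\n' > "$work/writable/shop.py"
    # $mode is deliberately unquoted so an empty value adds no argument.
    if PYTHONPATH="$work/writable" python3 $mode "$work/scripts/Gun-Shop.py" 2>/dev/null; then
        :
    else
        echo "blocked"
    fi
    rm -rf "$work"
}

echo "default interpreter: $(pythonpath_demo "")"
echo "python3 -E:          $(pythonpath_demo -E)"
```

A script that must stay sudo-runnable can carry -E (or -I) on its interpreter line, and the sudoers rule should not let the caller set environment variables in the first place.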
Q: what is ken’s flag?
A: Here we run sudo -l and find that we can run less as ken.
We run the
ls
command and pipe it to
sudo -u ken less
Now we see the output of the ls command inside of less. From here if we type
!/bin/bash
we will launch a bash shell as user ken.
Q: What is sean’s flag?
A: This is similar to the last one except with vim… and we can escape in a similar way by invoking vim’s execute command function by typing
:!/bin/bash
With all of that said, I could not find a flag file… so I assumed that the file would contain
sean{hashorsomethiing}
I was unable to find the flag.txt file anywhere on the file system, so I searched through the filesystem for files containing what looked like the flag and got a good hit.
find /home /opt /var /usr /mnt /etc /tmp -type f -exec egrep -iH 'sean\{.*\}' {} \; 2>/dev/null
Hmmm what is that base64 in there?
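The sudo rules used in the answers above (zip, git, the Gun-Shop.py script with PYTHONPATH, less, vim) are what an administrator would want to catch in review. The following added example, not part of the original write-up, audits sudo -l style output for those two patterns; the sample rules, paths and the SETENV tag on the script rule are constructed assumptions.

```sh
#!/bin/sh
# Added example: flag sudo rules that allow a shell escape or a caller-set environment.

# Constructed sample modelled on the rules described above (one combined listing).
sample_sudo_l() {
cat <<'EOF'
User demo may run the following commands on demo-host:
    (silvio) NOPASSWD: /usr/bin/zip
    (reza) NOPASSWD: /usr/bin/git
    (jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py
    (ken) NOPASSWD: /usr/bin/less
    (sean) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/uptime, /usr/bin/id
EOF
}

# Reads rules on stdin, prints "runas<TAB>command<TAB>finding" per risky rule.
audit_sudo_rules() {
    awk '
    BEGIN {
        # Programs this walkthrough escapes from; extend the list from GTFOBins.
        n = split("zip git less vim", names, " ")
        for (i = 1; i <= n; i++) escapable[names[i]] = 1
    }
    /^[ \t]*\(/ {
        rest = $0
        sub(/^[ \t]*\(/, "", rest)
        runas = rest; sub(/\).*$/, "", runas)
        sub(/^[^)]*\)[ \t]*/, "", rest)
        setenv = 0
        nc = split(rest, cmds, /,[ \t]*/)
        for (c = 1; c <= nc; c++) {
            item = cmds[c]
            # A tag such as SETENV: stays in force for the commands after it.
            if (item ~ /NOSETENV:/) setenv = 0
            else if (item ~ /SETENV:/) setenv = 1
            while (sub(/^[A-Z_]+:[ \t]*/, "", item)) { }
            split(item, words, /[ \t]+/)
            cmd = words[1]
            nseg = split(cmd, seg, "/")
            if (seg[nseg] in escapable) printf "%s\t%s\tshell-escape\n", runas, cmd
            if (setenv) printf "%s\t%s\tsetenv\n", runas, cmd
        }
    }'
}

sample_sudo_l | audit_sudo_rules
```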
Q: What is penelope’s flag?
A: Let’s take a look at that base64 near sean’s flag. Here we get penelope’s password so we can switch user and grab the flag.txt in penelope’s home directory.
Q: what is maya’s flag?
A: Well that red suid binary looks like it might have some promise. It is suid by maya; assuming that the flag is in her directory, we should be able to read it with base64.
Q: What is robert’s passphrase?
A: Inside of maya’s home directory we can see a directory called old_rober_ssh that contains a set of SSH keys. Let’s crack the passphrase with John the Ripper back on our attack box.
After a few moments the passphrase is cracked.
Let’s look for a place to use this passphrase.
After some initial struggling I looked to see what ports were listening on the host and saw a few ports that looked promising.
ssh -p 2222 robert@127.0.0.1
After logging in as robert we can see a robert.txt file, but it obviously isn’t the user.txt file we needed.
Sudo is an option, but !root doesn’t help much… let’s see if it’s vulnerable to bypass.
After a lot of searching and getting nowhere I looked at the hint
HINT: Blue whale was a bad game. Wasn’t it ???
Ok, I’m assuming it’s a docker escape….
Following the HackTricks docker-breakout page, we need to run a couple of commands to mount the host filesystem.
find / -name docker.sock 2>/dev/null
/tmp/docker images #lucky they left this executable in the /tmp dir ;)
/tmp/docker run -it -v /:/host/ mangoman chroot /host/ bash
What a fun room! It took a couple of sessions and a lot of time to get it completed, but well worth it.