TryHackMe | Linux Agency

Octothorp
14 min read · Apr 18, 2021

Linux Agency is a TryHackMe room created by 0z09e and Xyan1d3 to help sharpen your Linux skills and help you learn basic privilege escalation in a HITMAN theme.

Linux Agency

I am by no means a Linux guru but I enjoy Linux and love working on the command line… so let’s get cracking!

Task 1: Deploy the machine

I deployed the machine and decided to stick with the TryHackMe attack box provided to subscribers. The cost is minimal and well worth the investment! You can Sign Up here ← Stock non-referral link, and it is well worth it! If you find something better for the money please let me know.

Task 2: Let’s Jump in

You are provided with an SSH username and password and told that each flag you find will serve as the password for the next user.

Task 2: Instructions

Q: SSH into the box as agent47

A: ssh agent47@ip.address

Task 3: Linux Fundamentals

Q: What is the mission 1 flag?

A: Once you SSH in you will be provided with the mission1{md5sum} ← that is the answer

switching user to mission1 with su

So once you get the mission1{md5sum.random.numbers} you need to right-click and copy this. Then type su - mission1 and right-click and paste the mission{md5sum.random.bla} password into the prompt and finish by pressing enter.

Q2: What is the mission2 flag? #hint: Don’t forget to bring the groceries, the list is inside your bag.

A2: type ls

mission1

By performing a directory listing with ls we can see a file name that is actually the flag.

Q3: What is the mission3 flag?

A3: cat flag.txt

mission2

Q4: What is the mission4 flag?

A4: strings ~/flag.txt

mission3

Q5: What is the mission5 flag?

A5: A directory listing shows a flag folder, inside the folder is a file called flag.txt.

cat flag/flag.txt

mission4

Q6: What is the mission6 flag?

A6: ls -la shows a hidden .flag.txt file. Use cat .flag.txt to show the contents of the flag.

A6: A regular ls does not show any files, so you need to list hidden files by using ls -la.

ls - list directory contents

-l : use long listing format
-a, --all : list all files including files starting with a period.

mission5

Q7: What is the mission7 flag?

A7: ls -la shows a hidden .flag directory with the flag.txt inside of the .flag directory. Use cat .flag/flag.txt to show the contents of the flag.


mission6

Q8: What is the mission8 flag?

A8: There is a message that says there is no home directory specified so we are logging into the root / file system. The basic linux directory structure tells us our home directory should be under /home. Sure enough the flag is found under /home/mission7/flag.txt.

mission7

Q9: What is the mission9 flag?

A9: A quick look around the home directory and environment variables didn’t reveal anything but a global find revealed the flag.txt at the root of the filesystem.

find — search for files in a directory hierarchy

/ : tells find to start at the root of the file system
-type f : will only search for files

2>/dev/null : will redirect error messages to /dev/null #veryhandy

mission8

Q10: What is the mission10 flag?

A10: Looking in the directory we can see a rockyou.txt file. Using wc to get a word-count of the file shows there are over 14 million lines in this file. So instead of paging through it all we will perform a grep for mission10 and see if we get a hit. Success!

grep mission10 rockyou.txt

mission9

Q11: What is the mission11 flag?

A11: Doing a directory listing in the home folder shows a single folder that contains 8,236 folders with one flag.txt file hidden somewhere in the directory structure.

A quick find command will display the file, and passing a cat command to the -exec flag will show the contents of the file as well. Because this is mission10’s home folder I intentionally left off the 2>/dev/null because I should not get any errors here and if I do I would like to see them.

find ./ -type f -name flag.txt
find ./ -type f -name flag.txt -exec cat {} \;
Mission 10

Q12: What is the mission12 flag?

A12: Some poking around and the usual searching gave no results. But looking into the environment variables gives us what we are looking for.

env | grep -i flag

mission11

Q13: What is the mission13 flag?

A13: A directory listing shows the file flag.txt but we get a permission denied when we try to view it. It shows that mission12 is the owner of the file, so all we need to do is give ourselves access to it. A chmod 600 flag.txt will give us permissions to read and write to the file.

mission12

Q14: What is the mission14 flag?

A14: We can see the flag file in the mission13 home directory but it is base64 encoded.

cat flag.txt | base64 -d

mission13

Q15: What is the mission15 flag?

A15: We can see the flag in the directory but it is only a bunch of ones and zeros… let’s see what we can do to convert it.

sed 's/$/P/g;s/^/2i/' flag.txt | dc;echo

Yup that worked ;)

mission14

Q16: What is the mission16 flag?

A16: The directory listing shows us the flag.txt file but when we look at the contents we can see that it only contains letters and numbers …looks a little like hex.

cat flag.txt | xxd -r -p; echo

mission15

Q17: What is the mission17 flag?

A17: A directory listing shows us a flag file; by further inspecting it with file flag we can see that it is an ELF executable. So if we make it executable with chmod +x flag we can then execute it with ./flag, which will give us the flag.

mission16

Q18: What is the mission18 flag?

A18: There is a flag.java file in the home directory which contains some source code. Since it ends with .java I am assuming that it is in fact Java. Let’s compile and run it.

javac flag.java # will compile the class file
java flag # will run the file and give the flag
mission17

Q19: What is the mission19 flag?

A19: We can see a flag.rb file which I am assuming is a Ruby file. Let’s run it.

mission18

Q20: What is the mission20 flag?

A20: In the directory is a flag.c file so we will use gcc file.c to compile it and then run the program.

Q21: What is the mission21 flag?

A21: In the directory is a flag.py file. We can run it with python3 flag.py.

Q22: What is the mission22 flag?

A22: Once we log into mission21 something looks off as I do not have my normal bash prompt. I run an id just to see what account and permissions I have. Then I do a cat /etc/passwd | grep mission21 to see what shell I was supposed to have. Well, I decided to switch to bash by typing /bin/bash and boom… the flag is there.

Q23: What is the mission23 flag?

A23: We are immediately provided with a Python prompt. So we should be able to perform a simple Python escape with import pty; pty.spawn("/bin/bash") and then we can find and cat the flag.txt.

Q24: What is the mission24 flag?

A24: Initially we find a message that states the hosts will help you... maybe you will need curly hairs. This immediately leads me to the /etc/hosts file that shows an entry for mission24.com. Now the curly hint leads me to believe I need to use curl to access the mission24.com site.

Q25: What is the mission25 flag?

A25: We can see an executable file called bribe on the file system. When we run it for the first time it tells us to give some money and we will get the flag. So let’s run ltrace and see what’s happening. Here we can see there are some empty environment variables named pocket and init. Let’s put some money in the pocket variable with export pocket=money and then re-run the program.

Q26: What is the mission26 flag?

A26: Any command we run gives us -su: command: No such file or directory, which seems like the OS cannot find the file. Running an export command we can see that the PATH variable is set to nothing. We should be able to path the commands out manually. By typing /bin/ls we can see a flag.txt file in our current directory. Running /bin/cat flag.txt will work.

Q27: What is the mission27 flag?

A27: In our home directory we can see a flag.jpg file. Inspecting the file with the file command to see what we are dealing with… and there is the flag.

Q28: What is the mission28 flag?

A28: In the directory is a gzip compressed file … I was assuming I was going to be in for some crazy Russian doll type of situation… but that wasn’t the case.

Q29: What is the mission29 flag?

A29: When we log into mission28 we are presented with an interactive Ruby shell irb(main):001:0> so we should be able to perform a simple shell escape with exec "/bin/bash".

Q30: What is the mission30 flag?

A30: We can see a build it directory with some web’ish files. Let’s do a quick find command to see if there is anything with mission30 in it… bingo!

Q30: What is viktor’s flag?

A30: Initially there is a directory called Escalator with a Python script in it. But inspecting the directory further we can see a .git folder. Nice, this is a git repo and we may be able to recover some additional information.

Task 4: Privilege Escalation

We now need to su into the viktor account and start performing some privilege escalation.

Q: What is dalia’s flag?

A: After some searching around I found a crontab entry that was being run as dalia. Per the crontab entry we only have 30 seconds to get the job done. So after failing the first couple of edits, I just created a while loop to continuously inject my reverse shell into the script every 20 seconds.
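
For the defensive side of this finding, here is an added example (not part of the original writeup or the room) that audits system-crontab lines for scripts that someone other than their owner can modify. The crontab text, the file names and the sleep 30 job are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_crontab(crontab_text):
    """Return [(user, path, reason)] for cron-run files that others can modify."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # system crontab: 5 time fields, user, command
        if len(fields) < 7 or "=" in fields[0]:
            continue  # skip env assignments such as SHELL=... and short lines
        user, command = fields[5], fields[6]
        for token in command.split():
            if not (token.startswith("/") and os.path.isfile(token)):
                continue
            mode = os.stat(token).st_mode
            parent = os.stat(os.path.dirname(token)).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, token, "file is group/world-writable"))
            elif parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
                findings.append((user, token, "parent dir is world-writable"))
    return findings

def build_sample():
    """Constructed sample: one loose script, one tight script, one crontab."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    loose = os.path.join(root, "cleanup.sh")  # hypothetical file names
    tight = os.path.join(root, "backup.sh")
    for path, mode in ((loose, 0o775), (tight, 0o750)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * dalia sleep 30 && {loose}\n"
        f"0 3 * * * root {tight} --full\n"
    )
    return crontab, loose, tight

if __name__ == "__main__":
    text, _, _ = build_sample()
    for user, path, reason in audit_crontab(text):
        print(f"[!] job for {user}: {path}: {reason}")
```

Pointing audit_crontab at the contents of /etc/crontab gives a quick list of jobs whose scripts should be re-owned or chmod-ed before anyone else can edit them.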

Q: What is silvio’s flag?

A: Running a sudo -l you find out that dalia can run zip as silvio. But in order to accomplish this we need a better shell than a simple netcat listener. This can be accomplished by using Python to spawn a pty shell using the pty module.

python -c 'import pty;pty.spawn("/bin/bash")'

To stabilize the shell you will need to background the shell with ctrl-z, then type stty raw -echo ; fg to adjust the terminal and bring it back to the foreground. Next type reset and press enter.

We should now have a fully interactive terminal with tab completion and be able to run other commands… like sudo.

Seeing that we can run zip as silvio we can refer to GTFOBins

https://gtfobins.github.io/gtfobins/zip/

Because we can only run zip as silvio we need to modify the sudo command with sudo -u silvio to run zip as the user we want.

Now we can go to silvio’s home directory and get the flag.

Q: What is reza’s flag?

Here we can check our sudo rights with sudo -l and it shows we can run git as user reza.

With a quick look into GTFOBins we find a usable way to spawn a shell using git once we add in the -u reza modification.

Q: What is jordan’s flag?

A: sudo -l shows us that we can run a Python script as jordan. But when we run it we get notified that the script cannot find the shop module. Unfortunately /opt/scripts is not writable so we need to find a place that is writable to create our shop.py module and then instruct Python to look for it there.

First we need to create the shop.py module to spawn a shell for us and then get the Gun-Shop.py script to launch it for us.

echo "import pty;pty.spawn('/bin/bash')" > /tmp/shop.py

Now we can specify the PYTHONPATH variable on the command line by typing sudo -u jordan PYTHONPATH=/tmp/ script.py

Information on PYTHONPATH can be found here.
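
Why this works, and how to shut it off, as an added example that is not from the original writeup: a script that does import shop resolves it through PYTHONPATH unless the interpreter is started with -E or -I. The script name gun_shop_demo.py and the marker module are stand-ins constructed for the demo.

```python
import os
import subprocess
import sys
import tempfile

def import_origin(pythonpath, interpreter_flags=()):
    """Run a script that does `import shop`; return the file it loaded, or None."""
    with tempfile.TemporaryDirectory() as script_dir:
        script = os.path.join(script_dir, "gun_shop_demo.py")  # hypothetical stand-in
        with open(script, "w") as fh:
            fh.write("import shop\nprint(shop.__file__)\n")
        env = dict(os.environ, PYTHONPATH=pythonpath)
        proc = subprocess.run(
            [sys.executable, *interpreter_flags, script],
            env=env, capture_output=True, text=True,
        )
    return proc.stdout.strip() if proc.returncode == 0 else None

def demo():
    """Compare a default interpreter with -E and -I against a planted module."""
    with tempfile.TemporaryDirectory() as writable_dir:
        planted = os.path.join(writable_dir, "shop.py")
        with open(planted, "w") as fh:
            fh.write("# harmless marker module for the demo\n")
        results = {
            "default": import_origin(writable_dir),         # honours PYTHONPATH
            "-E": import_origin(writable_dir, ("-E",)),     # ignores PYTHON* variables
            "-I": import_origin(writable_dir, ("-I",)),     # isolated mode
        }
    return results, planted

if __name__ == "__main__":
    outcome, planted_path = demo()
    for mode, loaded in outcome.items():
        print(f"{mode:8} -> {loaded or 'import shop failed (module not found)'}")
```

On the sudo side, a caller-supplied PYTHONPATH only reaches the command when the sudoers rule allows it, for example through the SETENV tag or env_keep.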

Q: What is ken’s flag?

A: Here we run a sudo -l and find that we can run less as ken.

We are running the ls command and piping it to sudo -u ken less

Now we see the output of the ls command inside of less. From here if we type !/bin/bash we will launch a bash shell as user ken.

Q: What is sean’s flag?

A: This is similar to the last one except with vim… and we can escape a similar way by invoking vim’s execute command function by typing :!/bin/bash

With all of that said, I could not find a flag file… so I assumed that the file would contain sean{hashorsomethiing} So I figured I would just search all the files containing what looked like the flag.

I was unable to find the flag .txt file anywhere on the file system so I did a search through the filesystem and got a good hit.

find /home /opt /var /usr /mnt /etc /tmp -type f -exec egrep -iH 'sean\{.*\}' {} \; 2>/dev/null

Hmmm what is that base64 in there?

Q: What is penelope’s flag?

A: Let’s take a look at that base64 near sean’s flag. Here we get penelope’s password so we can switch user and grab the flag.txt in penelope’s home directory.

Q: What is maya’s flag?

A: Well that red suid binary looks like it might have some promise. It is suid by maya, assuming that the flag is in her directory we should be able to read it with base64.

Q: What is robert’s passphrase?

A: Inside of maya’s home directory we can see a directory called old_rober_ssh that contains a set of SSH keys. Let’s crack the passphrase with John the Ripper back on our attack box.

After a few moments the passphrase is cracked.

Let’s look for a place to use this passphrase.

After some initial struggling I looked to see what ports were listening on the host and saw a few ports that looked promising.

ssh -p 2222 robert@127.0.0.1

After logging in as robert we can see a robert.txt file but it obviously isn’t the user.txt file we needed.

Sudo is an option, but !root doesn’t help much… let’s see if it’s vulnerable to bypass.

sudo bypass

After a lot of searching and getting nowhere I looked at the hint

HINT: Blue whale was a bad game. Wasn’t it ???

Ok, I’m assuming it’s a docker escape….

Following the HackTricks docker-breakout we need to run a couple of commands to mount the host filesystem.

find / -name docker.sock 2>/dev/null

/tmp/docker images #lucky they left this executable in the /tmp dir ;)

/tmp/docker run -it -v /:/host/ mangoman chroot /host/ bash

What a fun room! It took a couple of sessions and a lot of time to get it completed, but well worth it.

Thank you to Xyan1d3 and 0z09e for a great room!
