Linux Strength Training Tryhackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room "Linux Strength Training".
Room link: https://tryhackme.com/room/malstrings
Note: This room is free
Task 2: Finding your way around Linux — overview
As a security researcher you will often be required to find specific files or folders on a system based on various conditions, including but not limited to the following:
- filename
- size
- user/group
- date modified
- date accessed
- Its keyword contents
We can do this using the following syntax:
Find files based on filename
find [directory path] -type f -name [filename]
find /home/Andy -type f -name sales.txt
Find directories based on directory name
find [directory path] -type d -name [directory name]
find /home/Andy -type d -name pictures
Find files based on size
find [directory path] -type f -size [size]
find /home/Andy -type f -size 10c
(c is for bytes, k for kilobytes, M for megabytes and G for gigabytes; type 'man find' for full information on the options)
Find files based on username
find [directory path] -type f -user [username]
find /etc/server -type f -user john
Find files based on group name
find [directory path] -type f -group [group name]
find /etc/server -type f -group teamstar
Find files modified after a specific date
find [directory path] -type f -newermt '[date and time]'
find / -type f -newermt '6/30/2020 0:00:00'
(every file modified after 6/30/2020 0:00:00 satisfies this condition)
Find files based on date modified
find [directory path] -type f -newermt [start date range] ! -newermt [end date range]
find / -type f -newermt 2013-09-12 ! -newermt 2013-09-14
(files modified before 2013-09-12 are excluded and files modified after 2013-09-14 are excluded, which leaves 2013-09-13 as the date to look for)
Find files based on date accessed
find [directory path] -type f -newerat [start date range] ! -newerat [end date range]
find / -type f -newerat 2017-09-12 ! -newerat 2017-09-14
(files accessed before 2017-09-12 are excluded and files accessed after 2017-09-14 are excluded, which leaves 2017-09-13 as the date to look for)
Find files with a specific keyword
grep -iRl [keyword] [directory path]
grep -iRl 'flag' /folderA
Read the manual for the find command
man find
Note: There are many more useful commands aside from the examples above. If you ever have trouble understanding any of the syntax or getting it to work, head on over to explainshell.com to check the syntax and see how this tool can help you on your journey to Linux greatness.
Further notes: if you do not already know, pressing CTRL+L clears the screen faster than typing 'clear' all the time. Additionally, hitting the up arrow recalls a previously typed command so you do not have to spend time retyping it if you made an error. Cool. Finally, placing 2>/dev/null at the end of your find command discards the error messages for files and directories that you do not have permission to read, which keeps the results readable.
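To see what the date-range form of find actually returns, here is an added example (not part of the room) that builds a throwaway directory with known modification times and runs the same -newermt range as above; it assumes GNU find and GNU touch, as found on most Linux systems:

```shell
#!/bin/sh
# Added example, not part of the room: build a small tree with known
# modification times and show exactly which files the task's -newermt
# range returns. Needs GNU find and GNU touch (the -d option).

# Create the sample tree; each file's name says what mtime it was given.
make_samples() {      # usage: make_samples <dir>
  mkdir -p "$1/sub"
  touch -d '2013-09-11 23:59:00' "$1/before.txt"
  touch -d '2013-09-12 00:00:00' "$1/start_midnight.txt"
  touch -d '2013-09-12 09:30:00' "$1/on_12th.txt"
  touch -d '2013-09-13 14:00:00' "$1/sub/on_13th.txt"
  touch -d '2013-09-14 00:00:00' "$1/end_midnight.txt"
  touch -d '2013-09-15 08:00:00' "$1/after.txt"
}

# The task's range query: "modified after <start>, but not after <end>".
# -newermt is a strict comparison, so a file stamped exactly at the start
# midnight is excluded while one stamped exactly at the end midnight is
# kept; everything on the 12th and the 13th in between is matched, not
# only the 13th. Permission errors are discarded with 2>/dev/null as the
# task suggests, and the output is sorted so it is stable.
modified_between() {  # usage: modified_between <dir> <start> <end>
  (cd "$1" && find . -type f -newermt "$2" ! -newermt "$3" 2>/dev/null) \
    | sed 's|^\./||' | sort | tr '\n' ' ' | sed 's/ $//'
}

demo() {
  d=$(mktemp -d)
  make_samples "$d"
  echo "2013-09-12 .. 2013-09-14: $(modified_between "$d" 2013-09-12 2013-09-14)"
  rm -rf "$d"
}
demo
```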
Question 1. What is the correct option for finding files based on group?
Answer: -group
Question 2. What is the format for finding a file owned by the user named Francis with a size of 52 kilobytes in the directory /home/francis/?
Answer: find /home/francis -type f -user francis -size 52k
Question 3. SSH as topson using his password topson. Go to the /home/topson/chatlogs directory and type the following: grep -iRl 'keyword'. What is the name of the file that you found using this command?
ssh topson@[Deployed Machine IP], then enter the password "topson" when the terminal asks for it.
ssh topson@10.10.31.202
I use the command cd /home/topson/chatlogs to enter the chatlogs directory. Finally I use grep -iRl 'keyword' to find the file.
Answer: 2019-10-11
Type less [filename] to open the file. Then, before anything else, type / followed by keyword and press [ENTER]. Notice how that searches for the first instance of that word in the entire document. For much larger documents this is useful, and if there are more instances of the word in the document, we would be able to hit Enter again to find the next instance.
less 2019-10-11
Then type /
then keyword
then Enter
Press q to exit less.
Question 4. What are the characters subsequent to the word you found?
Answer: ttitor
Question 5. Read the file named ‘ReadMeIfStuck.txt’. What is the Flag?
I start off by trying to find the ReadMeIfStuck.txt file. I do that with the command
find / -type f -name additionalHINT 2>/dev/null
/ tells the tool to look inside all folders beneath that path. / is the highest path possible on Linux, so in this case I search through the whole file system. -type f tells the tool to only look for files. -name additionalHINT tells the tool to only look for that string. Since I don't have access to all folders on the system I also get a lot of errors when the find tool tries to traverse into them. 2>/dev/null tells the shell to throw these messages away.
This time they want us to find a directory whose name contains a space. I simply do this with the following command
find / -type d -name telephone\ numbers 2>/dev/null
I use the \ escape character, which lets us search for a character that otherwise has a special meaning to the shell. In this case it's " " (the space).
Step one: find out where the /workflows directory hides so I can use it to find the file. I do the same as before with the command
find / -type d -name workflows 2>/dev/null
Great, I know where the directory is located, but to find this file I will have to change up my command a bit. I no longer have a name for the file, but a date. I use the command
find /home/topson/workflows -type f -newermt 2016-09-11 ! -newermt 2016-09-13
less /home/topson/workflows/xft/eBQRhHvx
Type /
then Flag
then Enter. Use Page Down until you see the highlighted pattern.
Task 3: Working with files
Question 1. Hypothetically, you find yourself in a directory with many files and want to move all these files to the directory of /home/francis/logs. What is the correct command to do this?
Answer: mv * /home/francis/logs
Question 2. Hypothetically, you want to transfer a file from your /home/james/Desktop/ with the name script.py to the remote machine (192.168.10.5) directory of /home/john/scripts using the username of john. What would be the full command to do this?
Answer: scp /home/james/Desktop/script.py john@192.168.10.5:/home/john/scripts
Question 3. How would you rename a folder named -logs to -newlogs?
Answer: mv -- -logs -newlogs
Question 4. How would you copy the file named encryption keys to the directory /home/john/logs?
Answer: cp "encryption keys" /home/john/logs
Question 5. Find a file named readME_hint.txt inside topson’s directory and read it. Using the instructions it gives you, get the second flag.
First off I use find / -type f -name readME_hint.txt 2>/dev/null
to find the file. Then I read it with cat.
I need to move "MoveMe.txt" into the "march" folder and then execute a sh program to get the flag. I find the folder with
find / -type d -name '*march*' 2>/dev/null
The two * on either side match any characters (the pattern is quoted so the shell does not expand it before find sees it). I use
find / -type f -name '*MoveMe.txt*' 2>/dev/null
mv -- /home/topson/corperateFiles/RecordsFinances/-MoveMe.txt /home/topson/corperateFiles/RecordsFinances/-march\ folder/
cd -- /home/topson/corperateFiles/RecordsFinances/-march\ folder/
The -- ends option parsing, which is needed because both names begin with a dash.
Task 4: Hashing — introduction
What is hashing?
Next we will talk about hashing, which is important for any Linux security researcher. Hashing refers to taking any data input, such as a password, and calculating its hash equivalent. The hash equivalent is a long string which cannot be reversed, since hashing is a one-way function. For example, if you visit https://www.md5hashgenerator.com/ and type mypassword123 or any other password, you will see how the hash algorithm known as MD5 calculates and outputs an MD5 hash equivalent. 'mypassword123' has the MD5 hash equivalent '9c87baa223f464954940f859bcf2e233'.
Why is hashing important?
Note: MD5 and SHA1 are both examples of weak hash algorithms which have been proven to be vulnerable to hash collision attacks, explained further here: https://privacycanada.net/hash-functions/hash-collision-attack/. In short, do not use them, because it has been proven that two different inputs can produce the same output (hash equivalent), meaning that your password may produce the same hash as someone with a completely different password. Instead, SHA-256 is widely considered stronger as of today and is recommended.
How to crack hashes?
Hashes can be cracked through the method of brute-forcing. This essentially means using a wordlist and inputting each potential password from the wordlist into the hash function to see if we get a hash equivalent output that is equal to any of the hashes stored in the database. In the example, however, we store the hash in a text file before specifying a wordlist against which we want to compare our calculated hashes.
Using a program called John the Ripper we can specify the format of the hash we wish to crack (md5), the wordlist (rockyou.txt) and the file holding the hash (hash.txt). Please see the full man page to gain a more complete understanding of all of the options you can run with this program.
Eventually John the Ripper may find the password if it was contained in the wordlist. In the real world, you may have to find a larger wordlist with a large number of common password/username combinations. In the example below the password was found to be 'password'.
Note: If you ever encounter a hash whose type you do not know, you can use a tool called hash-identifier. However, with less widely used hashes the tool will not be accurate, so you will still need to develop the skill of manually identifying what type of hash it is; that is out of the scope of this room. The syntax for identifying unknown hashes is as follows:
hash-identifier [hash], as seen below in a real example:
Alternatively you could pipe the contents of the file storing the hash to hash-identifier as shown below, which may be quicker.
The result shows us the most likely hash types. As you can see there are two most probable hashes. In this case the correct hash was in fact SHA-256, so you can see how in most cases the first result is the correct answer, but please be aware that this is not always the case since many hash types look similar in terms of string formatting.
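As an added illustration (not the room's material), the following shell functions do with coreutils what the paragraphs above describe with John the Ripper and hash-identifier: compute a digest, list which families a bare hex string could belong to from its length alone, and compare a wordlist against a target hash. The target hash, the four-word list and the temporary files are constructed here.

```shell
#!/bin/sh
# Added example, not part of the room: compute hex digests with coreutils,
# list the hash families a bare hex string could belong to from its length
# alone (what hash-identifier is reduced to for plain hex), and run the
# wordlist comparison the task describes against a constructed hash.

# Hex digest of a string. printf '%s' avoids hashing a trailing newline,
# which is the classic reason a hand-computed hash fails to match.
digest() {            # usage: digest <md5|sha1|sha256> <string>
  case "$1" in
    md5)    printf '%s' "$2" | md5sum    | cut -d' ' -f1 ;;
    sha1)   printf '%s' "$2" | sha1sum   | cut -d' ' -f1 ;;
    sha256) printf '%s' "$2" | sha256sum | cut -d' ' -f1 ;;
    *) echo "unsupported algorithm: $1" >&2; return 1 ;;
  esac
}

# Candidate families by hex length. 32 hex chars fits MD5, MD4 and NTLM
# alike, which is exactly why hashA.txt (MD4) needs more than a length check
# and why hash-identifier lists several "most probable" types.
hash_candidates() {   # usage: hash_candidates <hex hash>
  h=$(printf '%s' "$1" | tr -d '[:space:]')
  printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]+$' || { echo "not hex"; return 1; }
  case "$(printf '%s' "$h" | wc -c | tr -d ' ')" in
    32) echo "MD5 MD4 NTLM" ;;
    40) echo "SHA-1" ;;
    64) echo "SHA-256" ;;
    *)  echo "unknown" ;;
  esac
}

# Wordlist comparison as in the task: hash each candidate word and stop at
# the first one whose digest equals the target. Prints the word and returns
# 0, or returns 1 when the wordlist is exhausted. How fast this loop runs
# against an unsalted, fast hash is the reason password stores should use
# salted, deliberately slow functions rather than bare MD5 or SHA-1.
wordlist_check() {    # usage: wordlist_check <alg> <hex hash> <wordlist>
  alg=$1; target=$(printf '%s' "$2" | tr 'A-F' 'a-f'); list=$3
  while IFS= read -r word || [ -n "$word" ]; do
    if [ "$(digest "$alg" "$word")" = "$target" ]; then
      printf '%s\n' "$word"; return 0
    fi
  done < "$list"
  return 1
}

# Demo on constructed data: a four-word list and the MD5 of "password".
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 123456 letmein password admin > "$tmp/words.txt"
  h=$(digest md5 password)
  echo "hash: $h  candidates: $(hash_candidates "$h")"
  wordlist_check md5 "$h" "$tmp/words.txt" || echo "no match in wordlist"
  rm -rf "$tmp"
}
demo
```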
Question 1. Download the hash file attached to this task and attempt to crack the MD5 hash. What is the password?
Answer: secret123
SSH as sarah using: ssh sarah@[MACHINE:IP] and use the password: rainbowtree1230x
First off I need to find the file; luckily I am starting to get good at this. I use
find / -type f -name hashA.txt 2>/dev/null to find the file.
Question 2. What is the hash type stored in the file hashA.txt
Answer: md4
Question 3. Crack hashA.txt using john the ripper, what is the password?
Answer: admin
Question 4. What is the hash type stored in the file hashB.txt
Answer: SHA-1
Question 5. Find a wordlist with the file extension '.mnf' and use it to crack the hash in the file hashC.txt. What is the password?
The hash type is SHA-256.
To find the wordlist I use find / -type f -name '*.mnf' 2>/dev/null
Sarah's password is rainbowtree1230x.
We need to download 'ww.mnf' to use it as the wordlist with John the Ripper.
To download the wordlist, use the scp command from your own computer:
Answer: unacvaolipatnuggi
Question 6. Crack hashB.txt using john the ripper, what is the password?
Answer: letmein
Task 5: Decoding base64
What is base64?
Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. In summary, it is just another way in which data can be represented; some systems rely on a base64 encoding of data for processing while others may not. Head over to https://www.base64encode.net/, input any text and encode it. You should end up with something similar to the below:
As you can see, the string 'example' gets converted to the base64 encoded string 'ZXhhbXBsZQ=='. This allows certain systems to read and process the data properly.
Why should I care?
There may be times when you encounter base64 encoded data in files on a system and need to convert it to a human readable format. We can use the tool 'base64' with a pipe to translate it back into something human readable:
cat [filename] | base64 -d
To send the output to a new text file, simply use the > operator followed by the new filename.
Once again, encoding/decoding is a change of data format. The data itself does not change, just how it reads.
I encourage you to spend some time reading about encoding, at least enough to understand the difference between encoding/decoding and encryption/decryption, as beginners sometimes confuse them with each other.
Question 1. what is the name of the tool which allows us to decode base64 strings?
Answer: base64
Question 2. Find a file called encoded.txt. What is the special answer?
Now use the less command to view the file. You will see an instruction to look for the 'special' keyword in the file: type /special and [ENTER] to move through the file until you reach the 'special' keyword.
Now find the file 'ent.txt'. Its contents do not look like a base64 encoded string. Use hash-identifier to check the hashing algorithm; it reports an MD4 hash.
Finally, use John the Ripper to crack the password with the rockyou.txt wordlist.
Answer: john
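An added example, not part of the room, that decides whether a string found in a file is worth passing to base64 -d and decodes it safely; it covers the ent.txt case above, where a 32-character hex hash is also a syntactically valid base64 string. The sample strings are the task's 'example' encoding plus constructed values.

```shell
#!/bin/sh
# Added example, not part of the room: decide whether a string pulled from a
# file is worth handing to 'base64 -d', then decode it safely. The catch this
# task runs into with ent.txt is that a 32-char hex hash is made entirely of
# valid base64 characters and has a length divisible by 4, so the hex check
# has to come first.

# Print one of: hex-hash, base64, unknown.
classify_blob() {     # usage: classify_blob <string>
  s=$(printf '%s' "$1" | tr -d '[:space:]')
  len=$(printf '%s' "$s" | wc -c | tr -d ' ')
  if printf '%s' "$s" | grep -Eq '^[0-9a-fA-F]+$' \
     && { [ "$len" -eq 32 ] || [ "$len" -eq 40 ] || [ "$len" -eq 64 ]; }; then
    echo hex-hash
  elif printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
       && [ "$len" -gt 0 ] && [ $((len % 4)) -eq 0 ]; then
    echo base64
  else
    echo unknown
  fi
}

# Decode only when classify_blob says base64. The decoded bytes are checked
# for non-printable characters before being written to the terminal, since
# a blob can just as well be a compressed or encrypted payload as text.
decode_b64() {        # usage: decode_b64 <string>
  [ "$(classify_blob "$1")" = base64 ] || { echo "not base64" >&2; return 1; }
  out=$(printf '%s' "$1" | tr -d '[:space:]' | base64 -d 2>/dev/null) \
    || { echo "decode failed" >&2; return 1; }
  if printf '%s' "$out" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
    echo "decoded to non-text data; redirect it to a file instead" >&2; return 2
  fi
  printf '%s\n' "$out"
}

# Demo: the task's 'example' string, a hash-shaped value like ent.txt's
# (constructed: the MD5 of "password"), and a string that is neither.
demo() {
  for s in 'ZXhhbXBsZQ==' '5f4dcc3b5aa765d61d8327deb882cf99' 'not base64!'; do
    printf '%-36s -> %s\n' "$s" "$(classify_blob "$s")"
  done
  decode_b64 'ZXhhbXBsZQ=='
}
demo
```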
Task 6: Encryption/Decryption using gpg
What is encryption/decryption
Encryption refers to the process of concealing sensitive data by converting it to an unintelligible format. The only way to reverse the process is to use a key; this is known as decryption. For further explanation please visit: https://www.cisco.com/c/en/us/products/security/encryption-explained.html but in short, encryption is just a way to protect data using a private key. For example, the string 'secret data' can be converted to 'QFnvZbCSffGzrauFXx9icxsN9UHHuU+sCL0sGcUCPGKyRquc9ldAfFIpVI+m8mc/' using a key derived from the password 'pass'. It is also important to note that there are many different types of encryption schemes, known as algorithms, such as AES-256/128, 3DES, Blowfish, etc. Among these, AES is considered the recommended encryption algorithm to use because it has been tested and proven to be a strong scheme. Furthermore, there are two main types of encryption methods, asymmetric and symmetric. However, in this room we will be focusing on symmetric encryption. If you are interested in knowing the difference or more on encryption please visit: https://www.thesslstore.com/blog/types-of-encryption-encryption-algorithms-how-to-choose-the-right-one/
How to encrypt
As seen below, we have a text file with sensitive information inside of it.
This can be encrypted using the program gpg with the AES-256 scheme:
gpg --cipher-algo [encryption type] [encryption method] [file to encrypt]
You will notice how it asks for a password. This is when you specify the password from which gpg derives the key.
Then a new encrypted file will be created with the extension .gpg, as you can see below.
If you attempt to read the contents of this file you will see how it shows unintelligible code.
How to decrypt
Decrypting is very easy as it only takes one line as shown below:
gpg [encrypted file]
Note: You may notice that it does not ask us for the password to decrypt the file. This is because we already entered it when encrypting the file, so the password was cached for quick use. However, if we restart our system or attempt to decrypt the file on a different Linux machine, it will ask us for the password to decrypt the file.
Remember: You can always use the man pages to learn more about what you can do with gpg.
Now try it for yourself. Make a random text file and enter some readable sentences in there before encrypting and decrypting it as illustrated above.
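The encrypt/decrypt round trip above, as an added example that is not part of the room: it runs gpg non-interactively in a throwaway GNUPGHOME so nothing touches your real keyring, and also shows that a wrong passphrase is rejected rather than silently producing garbage. It assumes GnuPG 2.1 or later (for --pinentry-mode); the file name, passphrase and text are constructed.

```shell
#!/bin/sh
# Added example, not part of the room: the symmetric encrypt/decrypt round
# trip from this task, driven non-interactively in a throwaway GNUPGHOME.
# The passphrase is passed on the command line only for the demonstration;
# on a shared machine prefer --passphrase-fd so it does not show in ps.
# Assumes GnuPG 2.1 or later (the --pinentry-mode option).

# Encrypt <plain file> symmetrically with AES-256 into <plain file>.gpg.
gpg_encrypt() {       # usage: gpg_encrypt <plain file> <passphrase>
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$2" \
      --symmetric --cipher-algo AES256 -o "$1.gpg" "$1"
}

# Decrypt <encrypted file> into <out file>. Returns gpg's status, so a
# wrong passphrase yields a non-zero result instead of an empty output.
gpg_decrypt() {       # usage: gpg_decrypt <encrypted file> <passphrase> <out file>
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$2" \
      -o "$3" -d "$1"
}

# Round trip: write a plaintext, encrypt it, confirm the ciphertext does not
# leak the text, confirm a wrong passphrase is refused, then decrypt and
# print the recovered text. With loopback pinentry nothing is cached by
# gpg-agent, so every call needs the passphrase; the agent is killed at the
# end, which is also how you drop a cached passphrase on a normal setup.
roundtrip() {         # usage: roundtrip <passphrase>   (prints recovered text)
  work=$(mktemp -d); export GNUPGHOME="$work/gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  printf 'sensitive: this is the plaintext\n' > "$work/data.txt"
  gpg_encrypt "$work/data.txt" "$1" || { rm -rf "$work"; return 1; }
  grep -q 'sensitive' "$work/data.txt.gpg" && { rm -rf "$work"; return 1; }
  gpg_decrypt "$work/data.txt.gpg" "wrong-$1" "$work/bad.txt" 2>/dev/null \
    && { rm -rf "$work"; return 1; }
  gpg_decrypt "$work/data.txt.gpg" "$1" "$work/out.txt" || { rm -rf "$work"; return 1; }
  cat "$work/out.txt"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

roundtrip 'pass'
```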
Question 1. Create a text file and write some readable sentences in it. Encrypt it using gpg; it will ask you to set a password.
Then decrypt it using: gpg data.txt.gpg
Question 2. You wish to encrypt a file called history_logs.txt using the AES-128 scheme. What is the full command to do this?
Answer: gpg --cipher-algo AES-128 --symmetric history_logs.txt
Question 3. What is the command to decrypt the file you just encrypted?
Answer: gpg history_logs.txt.gpg
Question 4. Find an encrypted file called layer4.txt, its password is bob. Use this to locate the flag. What is the flag?
Finally, find 'layer1.txt' and decrypt it using gpg and the password given; you will get the flag.
Task 7: Cracking encrypted gpg files
How to crack encrypted files using john the ripper
Now that you have a basic understanding of using gpg, the next question is: what if we do not have the password or key to decrypt the file? How can we crack this? Well, similar to how we brute-forced the hashes in task 4 with John the Ripper, we can do the same for encrypted files.
If you are using Kali Linux or Parrot OS, you should have a binary add-on called gpg2john. This program converts the gpg file into a hash string that John the Ripper can understand when brute-forcing the password against a wordlist. Simply type 'sudo gpg2john' into your terminal to ensure you have it. The output should be as seen below. If you do not have it installed, head over to https://github.com/openwall/john and follow the instructions to install it.
Next, type the following command to generate the hash for John the Ripper:
gpg2john [encrypted gpg file] > [filename of the hash you want to create]
The command above generates a hash in a format John the Ripper understands. Next we can begin the fun part of cracking the encrypted file as seen below:
john --wordlist=[location/name of wordlist] --format=gpg [name of hash we just created]
The result should reveal the password if you have used a strong wordlist that contains it.
Now try it yourself! Encrypt a file and use a common password contained in the wordlist you wish to use. Follow the instructions above to decrypt as if you are a hacker. If it worked, well done.
Question 1. Find an encrypted file called personal.txt.gpg and find a wordlist called data.txt. Use tac to reverse the wordlist before brute-forcing it against the encrypted file. What is the password to the encrypted file?
Now I do the same with the wordlist
Now I need to use tac data.txt > reversed_data.txt to reverse the contents of the wordlist. To use john I first need to extract the hash from the personal.txt.gpg. I do that with gpg2john personal.txt.gpg > personal.hash
Now I just need to run john to solve it for me.
Answer: valamanezivonia
Question 2. What is written in this now decrypted file?
Answer: getting stronger in linux
Task 8: Reading SQL Databases in Linux
What is SQL?
SQL is a language for storing, manipulating and retrieving data from databases, so it is important to firmly grasp how to read data from databases in Linux. If your understanding of databases is weak or you know nothing about them, please read this first before continuing: https://www.elated.com/mysql-for-absolute-beginners/ as it explains the concept of databases for beginners. The key thing to remember is that developers mostly create 'relational databases', which use multiple databases that reference each other for organising data, hence the name. Furthermore, each database contains tables of records, and each table can consist of multiple columns and rows which store the data in an organised format. Now that we have gotten that out of the way, let's begin.
Since this is a beginners' room we will be reading the database of a local mysql workspace. This can be done as follows:
service mysql start/stop
start starts mysql while stop stops it. Additionally, you can use restart if you encounter any issues while mysql is running.
Connect to remote SQL database:
Mysql databases can be hosted for remote access. To access remote databases use the following command:
mysql -u [username] -p -h [host ip]
Open SQL database file locally:
To open mysql files locally, simply change to the directory of the mysql file and type mysql as shown below. You'll be taken to a specialised command prompt for mysql.
Note: In some cases you may have to run mysql -p [password] if the mysql system was configured to require authentication.
1. mysql -u [username] -p
Type "source" followed by the filename of the mysql database to specify that you wish to load its contents.
2. source [sql filename]
Displaying the databases
After this, you will see how mysql takes a little time to load the database. Once finished, type the following to see all of the relational databases:
SHOW DATABASES;
Choosing a database to view
We can select one of the databases by using the use command followed by the name of it. In the example below we select the ‘employees’ database.
USE [database name]
Displaying the tables in the selected database
We can display which tables inside that database we selected previously using:
SHOW TABLES;
Describing the table data structure
We can also view the table structure of individual tables using the DESCRIBE command:
DESCRIBE [table name]
Displaying all the data stored in a specific table
Now for the really fun part. Let's display all the data stored in a table of the employees database using the following:
SELECT * FROM [table name]
As seen below, we can see that this database contains some personal employee information.
Question 1. Find a file called employees.sql and read the SQL database. (Sarah and Sameer can log both into mysql using the password: password). Find the flag contained in one of the tables. What is the flag?
First off I need to find the database. I use the following command to find it:
find / -type f -name employees.sql 2>/dev/null
I find the database at the path /home/sarah/serverLx/employees.sql. I use the command service mysql status to see if mysql is already running.
In this case it is, so I cd to /home/sarah/serverLx/ and open mysql with
mysql -u sarah -p
providing the password that I got from the question, password=password.
-u tells mysql which user it should connect as
-p tells mysql that I want to provide a password
First I need to tell mysql which database I want to use. I do this with the
source employees.sql command.
The next step is to load the database and search for the flag. I use the command USE employees; to enter the employees database, since that's where I was told the flag would be.
At this point I know that the flag is in one of these tables, but I have no clue which one. I use DESCRIBE employees; to see if that gives me a hint where to look.
Now, from the answer format you can see that the flag contains a '{' character. Looking at the column types of the employees table, an int column cannot hold it because it only holds numbers, a date column cannot hold it either, and the same applies to gender.
That narrows it down to first_name and last_name, because they use the varchar datatype. We'll use a pattern match to find the flag.
You can find more info on w3schools: https://www.w3schools.com/SQL/func_sqlserver_patindex.asp
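An added example, not the room's own, for the step above: an employees.sql dump is plain text, so the quoted values containing '{' can be pulled out of its INSERT rows directly, and the equivalent LIKE query is shown in a comment for when the dump has been loaded with source. The dump content is constructed; only the column types echo the task's reasoning.

```shell
#!/bin/sh
# Added example, not part of the room: an employees.sql dump is plain text,
# so you can pull the quoted values that match the flag's '{' straight out
# of its INSERT statements before (or instead of) loading it with 'source'.
# The dump below is constructed; its column types mirror the task's
# reasoning (int and date columns cannot hold a brace, varchar ones can).

make_dump() {         # usage: make_dump <file>
  cat > "$1" <<'EOF'
CREATE TABLE employees (emp_no int, first_name varchar(14), last_name varchar(16), gender enum('M','F'), hire_date date);
INSERT INTO employees VALUES (10001,'Georgi','Facello','M','1986-06-26');
INSERT INTO employees VALUES (10002,'Bezalel','Simmel','F','1985-11-21');
INSERT INTO employees VALUES (10003,'thm{constructed_flag}','Bamford','M','1986-08-28');
INSERT INTO departments VALUES ('d001','Marketing');
EOF
}

# For every INSERT row, print "<table>: <value>" for each quoted string
# value matching the extended regex in $2. Unquoted values such as the int
# column are skipped, mirroring the "only varchar can hold it" step.
scan_dump() {         # usage: scan_dump <dump file> <ERE pattern>
  grep -E '^INSERT INTO' "$1" \
    | sed -E 's/^INSERT INTO `?([A-Za-z_]+)`? VALUES \((.*)\);[[:space:]]*$/\1 \2/' \
    | while read -r table values; do
        printf '%s\n' "$values" | grep -oE "'[^']*'" | tr -d "'" \
          | grep -E "$2" | sed "s/^/$table: /"
      done
}

# Once the dump is loaded (mysql -u sarah -p; source employees.sql;
# USE employees;), the same search is a pattern query on the varchar columns:
#   SELECT emp_no, first_name, last_name FROM employees
#   WHERE first_name LIKE '%{%' OR last_name LIKE '%{%';
demo() {
  f=$(mktemp)
  make_dump "$f"
  scan_dump "$f" '[{]'
  rm -f "$f"
}
demo
```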
Task 9: Final Challenge
Question 1. Go to the /home/shared/chatlogs directory and read the first chat log, named LpnQ. Use this to help you proceed to the next task.
Question 2. What is Sameer’s SSH password?
First off I need to pick out the relevant parts of the message. For this question I want to find Sameer's SSH password.
Lucy says that the new security engineer has accidentally stored an SSH password in plain text somewhere. I check whether I can find anything by simply searching for Sameer inside files with
grep -iRl Sameer /home 2>/dev/null
I find three chat logs, one being the one I just read. I view the others and find the SSH password.
-i makes the search case-insensitive.
-R searches through all files recursively.
-l only prints the names of files that match the word I'm searching for. I search in /home because I'm mainly looking for chat logs and they are stored under /home/shared in this case. I use /home instead of /home/shared because I want to search both /home/shared and /home/sarah at the same time.
Answer: thegreatestpasswordever000
Question 2. What is the password for the SQL database back-up copy?
Referring back to the second message, I'm told that I need to sign in to Sameer's account and search for it. I'm also told that I should look for a file of about 50 MB in /home/shared/sql/conf. By finding that file I will know where the wordlists are stored, and that the wordlist I'm looking for has a word starting with "ebq" inside it. First off I ssh into Sameer's account. After that I use find /home/shared/sql/ -type f -size 50M to search for the file. I find a file filled with lorem ipsum text when I cat it. I open it with nano to search through it, but I see that the information is at the top:
aG9tZS9zYW1lZXIvSGlzdG9yeSBMQi9sYWJtaW5kL2xhdGVzdEJ1aWxkL2NvbmZpZ0JEQgo=
I know the wordlist directory is base64 encoded since I see the "=" padding at the end. I write the base64 string to a file and run base64 -d base.txt
and get the directory that the wordlist is in. Now I need to find the wordlist. I use grep -iRl ebq /home/sameer/History\ LB/labmind/latestBuild/configBDB/ to search for it. I find three wordlists, which I append to each other to make one big wordlist. I do this with cat >>
Next I need to find and download the actual backup. I was told it would be in the
/home/shared/sql/
directory according to Sameer in a previous message. The backup would be named with the date of the message (2020-08-13). I search for it with
find /home/shared/sql/ -type f -name '*2020-08-13*' 2>/dev/null
and I find it. Now I need to copy it to my local machine with
scp sameer@10.10.4.233:/home/shared/sql/2020-08-13.zip.gpg .
As mentioned in the chat, the password begins with the letters 'ebq'. Use the grep command to find the wordlists that contain the letters 'ebq'. You will find 3 files. Now combine these 3 files into 1 new file to make a complete wordlist.
Move wordlist.txt to Sameer's home directory.
Now use the grep command to search wordlist.txt for words that start with ebq:
grep -e ebq wordlist.txt
Try the passwords from newWordlist one by one and you will get the password ebqattle.
Question 3. Find the SSH password of the user James. What is the password?
unzip 2020-08-13.zip
Notice that it contains the employees.sql database file. Let's open mysql as sarah and use the following commands:
mysql -u sarah -p (enter 'password' as the password)
source employees.sql
show databases;
use employees;
describe employees;
select * from employees where first_name like 'James';
Question 4. SSH as james and change the user to root?
Question 5. What is the root flag?
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher