Open in app

Sign in

Write

Sign in

TryHackMe Linux Agency Write-up

Cursemagic
7 min readFeb 1, 2021

--

Hi everyone, today I would like to share my write-up about the Linux Agency room from the TryHackMe platform created by Xyan1d3 and 0z09e. Without further ado, let’s start!

Link to TryHackMe’s Linux Agency Room: https://tryhackme.com/room/linuxagency

Linux Fundamentals

First, ssh into the machine using the given credentials.

And we got the mission1 flag.

Mission1

Let’s change the user to mission1.

And this one is easy…

Mission2

Now, change user to mission2. Display the flag.txt and get the mission2 flag.

Mission3

Change user to mission2.

Let’s get the mission3 flag.

Mission4

Change user to mission3.

Hmm, it seems to be “stolen” by some thieves. It’s ok, we can get it for sure.

What if we try nano?

Mission5

Change user to mission4.

Mission6

Change user to mission5.

Mission7

Changer user to mission6.

Mission8

Change user to mission7.

We need to change the directory to mission7.

Mission9

Changer user to mission8.

The flag is located at / directory.

Mission10

Change user to mission9.

So, after changing our directory to mission9, we saw rockyou.txt. As we know, rockyou.txt is filled with tons of words and we are not able to look through it by scrolling. So, we can use the grep command to get the flag.

Mission11

The question is getting more tricky. Which I like!

Now, change user to mission10. We can see the folder is full of “fake” folders. So, in order to get the flag.txt file we wanted badly, we can use the find function to get the text file.

And we have it.

Mission12

I take some time to find it but failed. So, I take a look at the hit provided. And it stated at EVS.

Mission13

For this flag, we need to change the mode of the flag.txt.

Mission14

Take the encoded strings to CyberChef and we are done.

Or we can just use the command line.

Mission15

For this, we can also use CyberChef. ;D

Look for Binary.

Mission16

The same, CyberChef.

Mission17

The flag is an executable. I can’t find any useful after I use the command “strings”. So, I use chmod +x to make the flag to be executable.

Mission18

We can see it is a java file. So, I tried to look into the file to get a quick answer. But it seems no.

So, we can get the flag by:

Mission19

This mission, yes. The same pattern. It's Ruby time.

So, just run using ruby.

Mission20

This one, C.

So, we should compile the code first.

Then, run it.

Mission21

Python. YES!

Mission22

Mission23

In this task, we encounter a python interactive shell. But as we know, flag.txt is located in the mission’s director. So, we can use the commands to get the flag.txt.

exec() — execute a dynamically created program.
open() — open a file
read() — display the content

To back to the shell, just type exit().

Mission24

I tried to search for quite some time but in vain. But, we can see that the creator state that the “hosts” will help you. Which makes me think about the web. So, go to /var/www/html and display the document of index.html.

Mission25

It’s an executable. Run it and this appears.

I use grep and it works.

Mission26

To change user, just enter exit and change user using su.

Mission27

Now, set up a simple HTTP serv using Python3.

By using wget command, we can download the flag.jpg.

Run exiftool.

Mission28

Now, this file has a bunch of strings behind it. And we need to identify the file type. Same, we just setup the HTTP server.

Run wget command to download the file.

For me, I’ll just use hexed.it and look to the header of the file.

Surprisingly, it just appears.

Mission29

Mission30

I don't know why, but I just grep and get it. XD

Viktor

Yes, the same style to get Viktor's flag. XD

Privilege Escalation

Dalia’s flag

Found this based on the hints given by the creator.

So, we add a command into the file.

Add the Bash TCP reverse shell to the 47.sh. This can be found at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp

Set up a listener before editing the .sh file.

And we got it.

Silvio’s flag

Great, now we can run sudo -l.

Let's go to GTFOBins for zip.

Run the command.

Run spawn shell.

Obtain the flag.

Reza’s flag

Now, Reza’s turn.

Search in GTFOBins again.

Let’s run it.

Yes, we are Reza now. Remember spawn pty shell.

Jordan’s flag

Jordan’s turn.

To be continue… Stay tuned…

--

--

Cursemagic
Cursemagic

Written by Cursemagic

15 Followers
1 Following

Just learning, together we are strong.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams