TryHackMe : Linux Challenges

It is been long time since I update this page so I decided to be active again by writing some stuff that I learned these past few days or weeks. And in this opportunity I decided to play with a module from TryHackMe.The module is very recommended for someone who is still beginner So without wasting more time, happy reading :)

the infamous Mr.Penguin

Task 1 — Linux Challenges Introduction

Answer : 3

As seen in the website, there is SSH credential from user garry with password letmein. By using the given credential, I am succeed to log on to the machine with IP Address and get information about how many files in garry’s home directory.

garry’s home directory

Task 2 — The Basics

Answer : cat flag1.txt

Still in the same directory (/home/garry) as previously, I used cat to view contents of the flag1 which contain not only the flag that we are looking for but also another user credential.

garry’s flag1.txt

Q2.2 : Log into bob’s account using the credentials shown in flag 1.What is flag 2?

Answer :

su bob

cat /home/bob/flag2.txt

As instructed by the question, I logged in as bob by using the previous “treasure” that we found in flag1.txt. Surely after that I accessed bob’s home directory and found the flag2.txt.

bob’s home directory

Q2.3 : Flag 3 is located where bob’s bash history gets stored.

Answer : cat ~/.bash_history

By information received from the question, I decided to check bash history from bob and able to obtain flag 3 which is on the first line of the bash history file.

Q2.4 : Flag 4 is located where cron jobs are created.

Answer : crontab -l

-l in the crontab command is used for displaying the current crontab on standard output.

Q2.5 : Find and retrieve flag 5.

Answer : find / -name flag5* -type f 2>/dev/null

I’m using find command to search flag5 file whereabouts with option or atribute as follow :

  1. “/” slash is used to search files through all the system.
  2. -name is used to define filesname, note: I used asteric in the end of filename because at that time I do not know what the extensions of the flag5 files.
  3. -type is used to define c file’s type in this case is f regular file
  4. 2>/dev/null is used to redirect stderr (i.e., 2) into black hole (i.e., /dev/null)

Q2.6 : “Grep” through flag 6 and find the flag. The first 2 characters of the flag is c9.

Answer : find / -name “flag6*” -type f 2>/dev/null

For this question, I only changed the filename from previous command. But there is another command that can be used to retrieve flag6 which is locate flag6.

Q2.7 : Look at the systems processes. What is flag 7.

Answer : ps -aux | grep flag7

-aux is combination of options from ps with -a used to show processes for all users, -u used to display the process’s user/owner, and -x used to show processes that is not attached to a terminal.

Q2.8 : De-compress and get flag 8.

Answer :

tar -zxvf flag8.tar.gz

cat flag8.txt

Q2.9 : By look in your hosts file, locate and retrieve flag 9.

Answer : cat /etc/hosts

/etc/hosts is system file that helps DNS to translate hostname or domain names to IP address.

Q2.10 : Find all other users on the system. What is flag 10.

Answer : cat /etc/passwd

This command is used to store information of the system’s account such as userID, groupID, home, directory, shell, etc.

Task 3 — Linux Functionality

Answer : cat ~/.bashrc | grep flag 11

.bashrc is a bash shell script that is set up to use in particular environment. A common thing to put in .bashrc are alias.

Q3.2 : Flag12 is located were MOTD’s are usually found on an Ubuntu OS. What is flag12?

Answer : cat /etc/update-motd.d/00-header

Traditionally , Unix motd would live in /etc/motd directory.But Ubuntu on the other hand places login messages in /etc/update-motd.d directory.

Q3.3 : Find the difference between two script files to find flag 13.

Answer : diff /home/bob/flag13/script1 /home/bob/flag13/script2

To obtain flag13, first I am trying to locate the location of the files. After the location of flag13 is found, then I used command diff to look for the difference of two files in this case script1 and script2 which inside flag13 directory.

Q3.4 : Where on the file system are logs typically stored? Find flag 14.

Answer : cat /var/log/flagtourteen.txt

Logs are usually saved in /var. Because log’s content is always changed whenever there is new activity on the system. So that is why, I decided to seek the flag14 inside /var directory.

Q3.5 : Can you find information about the system, such as the kernel version etc. Find flag 15.

Answer : cat /ect/*release

To solve this question, I am actually using another command like hostnamectl, uname -a, cat /etc/proc, but there is no result or no flag found. So thanks for the hints THM, I manage to obtain flag15.

Q3.6 : Flag 16 lies within another system mount.

Answer : cd /media/f/l/a/g/1/6/is && ls

When we talk about system mount, first thing that came on my mind is that it contains media files so that is why I decided to dive into media directory.

Q3.7 : Login to alice’s account and get flag 17. Her password is TryHackMe123

Answer :

su alice

cat /home/alice/flag17

When I was solving the flag17, I am still login as bob and I found flag17 in alice home directory but sadly bob don’t have permission to read the file, so after reading the question for the second time, I change from bob to alice with given credentials and manage to retrieve flag17.

Q3.8 : Find the hidden flag 18.

Answer :

ls -la is used for listing all the files and directory inside alice’s home directory including the hidden files.

cat .flag18 is used for read the contain of files.

Q3.9 : Read the 2345th line of the file that contains flag 19.

Answer : sed ‘2345!d’ flag19

I used sed because it is famous stream editor that can perform many functions including find string in the spesific line number. ‘2345!d’ is meaning that delete all line except line number 2345.

Task 4 — Data Representation, Strings and Permissions

Answer :

I found flag20 on alice’s home directory, but the flag is encrypted using base64. So I use this website to help me to decode the flag to ASCII.

Q4.2 : Inspect the flag21.php file. Find the flag.

Answer : less /home/bob/flag21.php

For this question I’m using more command first because of the clue that I got when I first viewed the content of the php file. But it did not give me the flag answer that I’m looking for, therefore I decided to use less command.

Q4.3 : Locate and read flag 22. Its represented as hex.

Answer :

Another cryptography question! for this one I used this website to decrypt from hex to ASCII.

Q4.4 : Locate, read and reverse flag 23.

Answer : cat flag 23 && rev flag23

I am just doing the instruction from the question for solving this flag.

Q4.5 : Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the machine code code.

Answer : strings /home/garry/flag24

First I need to search for the location, since I don’t see flag24 in alice’s home directory. After finding out the exact location, I use strings command, strings is used to return readable characters in binary/executable file.

Q4.6 : Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long.

Answer : find / -xdev -type f 2>/dev/null | xargs grep -E ‘4bceb.{27}$’ 2>/dev/null

‘4bceb.{27}$’ means that I’m looking for a string that begins with 4bceb and 27 random characters after it. Just in case if you wondering why I’m not go for 30 characters.

Q4.7 : Locate and retrieve flag 27, which is owned by the root user.

Answer : sudo cat /home/flag27

flag27 is owned by root, but in this case we didn’t know who have read permission. So since at that momment I logged in as alice, I checked the permission that alice have with sudo -l command, and lucky me that alice have permission to read flag27.

Q4.8 : Whats the linux kernel version?

Answer : uname -r

There are actually three ways to check linux kernel version:

  1. uname -r
  2. hostnamectl
  3. cat /etc/proc

Q4.9 : Find the file called flag 29 and do the following operations on it:

  1. Remove all spaces in file.
  2. Remove all new line spaces.
  3. Split by comma and get the last element in the split.

Answer : cat flag29 | tr -d “ \t\n\r”

\t = backspace

\n = new line

\r =return

Task 5 — SQL, FTP, Groups and RDP

Answer : curl

Q5.2 : Flag 31 is a MySQL database name.

MySQL username: root
MySQL password: hello

Answer : mysql > SHOW DATABASES;

I logged in to the database using given mysql username and password. And first thing I checked when I’m on database system is checking the list of database in there and alhamdulillah the flag is one of the database name.

Q5.3 : Bonus flag question, get data out of the table from the database you found above!

Answer : select * from flags;

Refering the screenshot from Q5.3, I take further dive after found flag31 is database name. I checked tables in the flag31 database and found that there is “flags” table that is very eye-catching.

Q5.4 : Using SCP, FileZilla or another FTP client download flag32.mp3 to reveal flag 32.

Answer : play the flag32.mp3

Based on the instruction, it is clear that the answer of the flag is not cryptography and required us to play the mp3 file. First I’m looking for the exact location of the flag.

Next, I used scp to transfer the flag32.mp3 to my Documents directory.

And as expected the flag is inside the mp3. You can just play the mp3 to get the answer. Simple right?

Q5.5 : Flag 33 is located where your personal $PATH’s are stored.

Answer : cat /home/bob/.profile

PATH is an environmental variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user.

The first way of setting your $PATH permanently is to modify the $PATH variable in your Bash profile file, located at /home/user/.bash_profile .

We can also set the PATH permanently using a user’s profile file for all programs. User profiles are loaded at login.The PATH variable can be set in the ~/.profile.

Flag33 is not exist inside /.bash_profile, so I checked /.profile and found the flag33 in the first line.

Q5.6 : Switch your account back to bob. Using system variables, what is flag34?

Answer : printenv

I forgot to screenshot the process but I used command “su bob” and then I checked the environmental variables on system using command ‘printenv’. Note : We can see a list of all of our environmental variables by using the env or printenv commands.

Q5.7 : Look at all groups created on the system. What is flag 35?

Answer : cat /etc/group | grep flag35

I used grep to filter and make my self easier to find the flag.

Q5.8 : Find the user which is apart of the “hacker” group and read flag 36.

Answer : cat /etc/flag36

What I did back at that time was searching the location of the flag and then trying to read it as alice. But as seen in the screenshot I got no permission. So I re-read the instruction and changed my account to bob.

purple enthusiast