[Hacking walkthrough] THM: Linux Challenges

Hello there, welcome to another TryHackMe CTF write-up. Today, we are going through a Linux challenge. Whether you are a new or an experienced Linux user, this challenge is for you. This room was created to sharpen your Linux skills.

Disclaimer: If you are looking for flag 25 and the RDP flag, this is not the right walkthrough for you. So far, none of the challengers has been able to solve the entire challenge, and I have tried my best. Maybe, just maybe, in the future I will reattempt the task.

Update (30/10/2019): Flag 25 and RDP flag are officially marked as unsolvable. Basically, this is a complete walkthrough. Enjoy!

Task 2: Introduction

Task 2-1: Garry’s home directory

First and foremost, log in to Garry’s SSH shell using the following command.

$ ssh garry@<Machine IP>

This requires the directory listing command.

$ ls

Answer: 3

Task 3: The basic

Task 3-1: Flag 1

This requires the command for reading a file.

$ cat

Answer: f40dc0cff080ad38a6ba9a1c2c038b2c

Task 3-2: Flag 2

Log in to bob’s SSH shell for flag 2.

Answer: 8e255dfa51c9cce67420d2386cede596

Task 3-3: Flag 3

Use ls -la to list hidden files and directories. The flag is hidden within .bash_history.

Answer: 9daf3281745c2d75fc6e992ccfdedfcd

Task 3-4: Flag 4

This requires the command for user-defined cron jobs.

$ crontab -e

Answer: dcd5d1dcfac0578c99b7e7a6437827f3

Task 3-5: Flag 5

Flag 5 is hidden within bob's directory. Use a recursive grep search with the -rnw flags.

$ grep -rnw /home/bob -e 'flag5'

Answer: bd8f33216075e5ba07c9ed41261d1703

Task 3-6: Flag 6

This requires a text search command; here grep filters the file for the string c9.

$ cat /home/flag6.txt | grep c9

Answer: c9e142a1e25b24a837b98db589b08be5

Task 3-7: Flag 7

This requires the command that lists system processes.

$ ps -aef

Answer: 274adb75b337307bd57807c005ee6358

Task 3-8: Flag 8

This requires the tar command to decompress the archive.

$ tar -xvzf flag8.tar.gz

Answer: 75f5edb76fe98dd5fc9f577a3f5de9bc

Task 3-9: Flag 9

The hosts file is located at /etc/hosts.

$ cat /etc/hosts

Answer: dcf50ad844f9fe06339041ccc0d6e280

Task 3-10: Flag 10

You can find all users in /etc/passwd.

$ cat /etc/passwd

Answer: 5e23deecfe3a7292970ee48ff1b6d00c

Task 4: Linux functionality

Task 4-1: Flag 11

Aliases are stored in the .bashrc file.

$ cat .bashrc

Answer: b4ba05d85801f62c4c0d05d3a76432e0

Task 4-2: Flag 12

The banner is usually stored in /etc/update-motd.d.

$ cat /etc/update-motd.d/00-header

Answer: 01687f0c5e63382f1c9cc783ad44ff7f

Task 4-3: Flag 13

This requires the diff command.

$ diff flag13/script1 flag13/script2

Answer: 3383f3771ba86b1ed9ab7fbf8abab531

Task 4-4: Flag 14

Log files are usually stored in /var/log.

$ cat /var/log/flagtourteen.txt | grep 3

Answer: 71c3a8ad9752666275dadf62a93ef393

Task 4-5: Flag 15

You can find the system information in /etc/*release.

$ cat /etc/*release

Answer: a914945a4b2b5e934ae06ad6f9c6be45

Task 4-6: Flag 16

This one is a little bit tricky.

$ ls /media/f/l/a/g/1/6/is

Answer: cab4b7cae33c87794d82efa1e7f834e6

Task 4-7: Flag 17

Log in to alice's account and get the flag. (alice:TryHackMe123)

Answer: 89d7bce9d0bab49e11e194b54a601362

Task 4-8: Flag 18

It is a hidden file. List it using the ls -la command.

$ cat .flag18

Answer: c6522bb26600d30254549b6574d2cef2

Task 4-9: Flag 19

To read a certain line of a text file, you need the sed command.

$ sed -n 2345p flag19

Answer: 490e69bd1bf3fc736cce9ff300653a3b

Task 5: Data representation, strings and permission

Task 5-1: Flag 20

This requires a base64 decoder.

$ cat flag20 | base64 --decode

Answer: 02b9aab8a29970db08ec77ae425f6e68

Task 5-2: Flag 21

You need less instead of cat to read the PHP file. The flag is inside bob's directory.

$ less flag21.php

Answer: g00djob

Task 5-3: Flag 22

This requires a hex-to-ASCII converter.

$ cat flag22 | xxd -r -p

Answer: 9d1ae8d569c83e03d8a8f61568a0fa7d

Task 5-4: Flag 23

This requires a text-reversing command.

$ cat flag23|rev

Answer: ea52970566f4c090a7348b033852bff5

Task 5-5: Flag 24

To reveal readable strings, you need the strings command.

$ strings /home/garry/flag24

Answer: hidd3nStr1ng

Task 5-6: Flag 25

(Marked as unsolvable)

Task 5-7: Flag 26

To find flag 26, punch in the following command.

$ find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null

Answer: 4bceb76f490b24ed577d704c24d6955d
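
The pipeline above, wrapped in a function and run against a constructed directory tree to show what each option and each part of the regular expression does. This is an added example, not part of the original walkthrough: the function names and the sandbox files are made up, and `-H` and `LC_ALL=C` are additions to the original command.

```shell
#!/bin/sh
# Added example: the Flag 26 pipeline as a function, run on a constructed
# directory tree. Function names, file names and contents are made up.

# find_flag_lines ROOT
#   -xdev       stay on ROOT's filesystem (skips /proc, /sys, other mounts)
#   -type f     regular files only
#   -print0/-0  NUL-separated names, so spaces in file names are safe
#   grep -E     '^[a-z0-9]{32}$' selects lines made of exactly 32 lowercase
#               letters or digits, with nothing before or after them
#   -H          (added here) always print the file name next to the match
#   LC_ALL=C    (added here) makes [a-z] mean ASCII lowercase in any locale
find_flag_lines() {
    find "$1" -xdev -type f -print0 2>/dev/null |
        LC_ALL=C xargs -0 grep -HE '^[a-z0-9]{32}$' 2>/dev/null
}

# Build the constructed sandbox and print its path.
make_sandbox() {
    sb_dir=$(mktemp -d)
    mkdir -p "$sb_dir/var/tmp" "$sb_dir/home/user dir"
    # Exactly 32 lowercase hex characters on their own line: selected.
    printf 'noise\n0123456789abcdef0123456789abcdef\nmore noise\n' \
        > "$sb_dir/home/user dir/notes.txt"
    # Same string inside a longer line: rejected by the ^ and $ anchors.
    printf 'flag=0123456789abcdef0123456789abcdef\n' > "$sb_dir/var/tmp/embedded"
    # Uppercase: rejected unless grep -i is added.
    printf '0123456789ABCDEF0123456789ABCDEF\n' > "$sb_dir/var/tmp/upper"
    # 31 characters: rejected by the {32} repetition count.
    printf '0123456789abcdef0123456789abcde\n' > "$sb_dir/var/tmp/short"
    echo "$sb_dir"
}

sandbox=$(make_sandbox)
find_flag_lines "$sandbox"   # prints only the notes.txt line
rm -rf "$sandbox"
```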

Task 5-8: Flag 27

Alice has sudo permission to read the root flag.

$ sudo cat /home/flag27

Answer: 6fc0c805702baebb0ecc01ae9e5a0db5

Task 5-9: Flag 28

This requires the uname command.

$ uname -a

Answer: 4.4.0-1075-aws

Task 5-10: Flag 29

Follow these steps to reveal the flag. (Garry)

$ cat flag29 | tr -d ' ' >flag29_noS
$ cat flag29_noS | tr -d '\n' >flag29_noSN
$ cat flag29_noSN

Answer: fastidiisuscipitmeaei

Task 6: SQL, FTP, Groups, and RDP

Task 6-1: Flag 30

There are two ways to solve this problem: through the browser or with the curl command. Since this is the Linux challenge, I suggest curl.

$ curl localhost

Answer: fe74bb12fe03c5d8dfc245bdd1eae13f

Task 6-2: Flag 31

If you are an expert on backend web production, this should be a piece of cake for you. Firstly, log in to MySQL using the following command.

$ mysql -u root -p

After that enter the password. The first thing you need to do is check all the available databases.


Answer: 2fb1cab13bf5f4d61de3555430c917f4

Task 6-3: Flag 31_A

A bonus flag. After identifying the database, you need to list all the tables.

mysql> USE database_2fb1cab13bf5f4d61de3555430c917f4

Looks like we have a flags table inside the database. To read the content of the table, you need to select all.

mysql> SELECT * FROM flags;

Answer: ee5954ee1d4d94d61c2f823d7b9d733c

Task 6-4: Flag 32

Download the flag from Alice's directory using FileZilla and listen to it. Easy!

Answer: tryhackme1337

Task 6-5: Flag 33

The .profile file is the correct location to store your $PATH (Bob's directory).

Answer: 547b6ceee3c5b997b625de99b044f5cf

Task 6-6: Flag 34

To list the environment variables, you need the printenv command.

$ printenv

Answer: 7a88306309fe05070a7c5bb26a6b2def

Task 6-7: Flag 35

getent is the answer.

$ getent group

Answer: 769afb6

Task 6-8: Flag 36

The flag file is located at /etc. Who has the permission to read it?

$ id
$ cat /etc/flag36

Looks like bob is the chosen one.

Answer: 83d233f2ffa388e5f0b053848caed1eb

Task 6-9: Flag 37

You need remote access to bob's desktop. Punch in the following command on your own machine.

$ rdesktop -u bob -p linuxrules <Machine IP>

The answer to this task is pending. But I found an interesting backup folder called deja-dup. Perhaps that is the answer?


That’s all for the Linux CTF challenge. Hope you learned something today. See you again 😉

Easter egg

This easter egg is for the Cross-site Scripting (XSS) room on TryHackMe. This is the solution to Task 8. Just for future reference, nothing personal. If you are interested in knowing how XSS works, you can try the XSS room.

Task 8-1: xss"><!--><svg/onload=alert("Hello")>
Task 8-2: xss"><!--><svg/onload=prompt("Hello")>
Task 8-3: xss"><!--><svg/onload=alert(Hello)>
Task 8-4: xss"><!--><svg/onclick=alert("Hello")>

This Post Has 13 Comments

  1. Anonymous

    Thank you! I would not get the questions and solutions

  2. juanito

    Can you explain Task 5-7: Flag 26 ?

    1. Kelcy66

      Searching the entire file system for a 32-character flag.

  3. Guilherme Da Costa Botossi

    For Flag 26, I changed a little bit

    find / -xdev -type f -exec grep -i -E '^[a-z0-9]{32}$' {} \; 2>/dev/null

  4. Anonymous

    Which steps are followed in flag 17?

    I don't understand the hint “Are Alice’s private keys permissions correct? /home/alice/.ssh/… Download her private key, fix its permission errors and SSH into her account.”

    1. Kelcy66

      It was an oopsie by the creator.

  5. INnOut

    I'm legit trying to learn here, not trying just to get answers… For “flag13” it shows $ diff flag13/script1 flag13/script2

    I'm trying to understand how you knew to use flag13 for part of the search and how you knew that the script files were named 1 and 2.

    Thanks for replies

    1. Kelcy66

      look at the file size.

    2. SK2073

      INnOut, I am a noob here, but I will try to answer your question.

      If you did a
      find / -name 'flag13*' 2>/dev/null
      you should find out that flag13 was a dir; inside that folder there were the 2 files.
      An ls -la should show you they were huge, and a cat of them should get you nowhere, and it is here the diff came into play to find the key.

    3. sk2073

      I am a noob, but I will try to explain

      If you did a
      find / -name 'flag13*' 2>/dev/null
      you should find that flag13 was a dir.
      The 2 files in there, script1 and script2, are huge, so doing a cat on them will get you nowhere, and this is where diff comes into play.

      1. INnOut

        Ok that does help. Thank you for the reply

  6. Anonymous

    In task 6-79 (flag36), how did you find out the location of the flag, or did you just search through the whole root directory?

  7. INnOut

    On flag19, when doing the command, what is the “p” in 2345p?? Is this the “page” to look on?
