# LinuxCTF - Linux Challenges

## Task 1 Linux Challenges Introduction

### How many visible files can you see in garrys home directory?

```
garry@ip-10-10-255-137:~$ ls
flag1.txt flag24 flag29
garry@ip-10-10-255-137:~$ ls | wc -l
```

{% hint style="success" %}
3
{% endhint %}

## Task 2 The Basics

### What is flag 1?

```
garry@ip-10-10-255-137:~$ cat flag1.txt
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4kH0XoKgi3PZc1gDQ%2F-MP4mAZV5ZxbmPnrsLfk%2Fimage.png?alt=media\&token=de2fbbf0-1e70-4c33-9480-f75f54c8b8f5)

{% hint style="success" %}
f40dc0cff080ad38a6ba9a1c2c038b2c
{% endhint %}

### Log into bob's account using the credentials shown in flag 1.

### What is flag 2?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4kH0XoKgi3PZc1gDQ%2F-MP4ma6DDhKSrLTUECgp%2Fimage.png?alt=media\&token=be9ec906-489b-46b1-908b-0680714c2a4d)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4n38_fXm_aDsTfmpC%2F-MP4nBp2NxDpqaNo5YVT%2Fimage.png?alt=media\&token=bd267763-a836-49f3-bf89-e4b7443062f8)

```
bob@ip-10-10-255-137:~$ cat flag2.txt
```

{% hint style="success" %}
8e255dfa51c9cce67420d2386cede596
{% endhint %}

### Flag 3 is located where bob's bash history gets stored.

```
bob@ip-10-10-255-137:~$ cat .bash_history
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4nDFhYyKtC9zSwihb%2F-MP4nP-C0VMBd7xnP3vc%2Fimage.png?alt=media\&token=27190990-e15d-46ff-bef0-2a572c4f3b88)

{% hint style="success" %}
9daf3281745c2d75fc6e992ccfdedfcd
{% endhint %}

### Flag 4 is located where cron jobs are created.

```
bob@ip-10-10-255-137:~$ crontab -e
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4nDFhYyKtC9zSwihb%2F-MP4nZfVYJNieEdzaer6%2Fimage.png?alt=media\&token=2ce019b0-5b73-4ae2-a918-bfafc747273f)

{% hint style="success" %}
dcd5d1dcfac0578c99b7e7a6437827f3
{% endhint %}

### Find and retrieve flag 5.

```
bob@ip-10-10-255-137:~$ cat $(locate flag5.txt)
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4nDFhYyKtC9zSwihb%2F-MP4nsNghVCjCWy4j0-c%2Fimage.png?alt=media\&token=9f2e52ae-446b-4bfa-957c-8fa0bb425fc0)

{% hint style="success" %}
bd8f33216075e5ba07c9ed41261d1703
{% endhint %}

### "Grep" through flag 6 and find the flag. The first 2 characters of the flag is c9.

```
bob@ip-10-10-177-45:~$ grep 'c9' $(locate flag6.txt)
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4nDFhYyKtC9zSwihb%2F-MP4oDd7mR9wegYZRz8S%2Fimage.png?alt=media\&token=49db1aa9-f352-4029-a349-eb47ddb68ea5)

```
bob@ip-10-10-177-45:~$ grep -o '\w{32}' $(locate flag6.txt)
bob@ip-10-10-177-45:~$ sed -n "/c9/,/ /p" ../flag6.txt
```

{% hint style="success" %}
&#x20;c9e142a1e25b24a837b98db589b08be5
{% endhint %}

### Look at the systems processes. What is flag 7.

```
bob@ip-10-10-99-145:~$ ps -aef |grep flag
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4nDFhYyKtC9zSwihb%2F-MP4p2oFGhMcXtOcv8NU%2Fimage.png?alt=media\&token=b7a27d28-285e-475e-9a7f-2253d206355d)

{% hint style="success" %}
274adb75b337307bd57807c005ee6358
{% endhint %}

### De-compress and get flag 8.

```
bob@ip-10-10-99-145:~$ tar -xvzf flag8.tar.gz flag8.txt
bob@ip-10-10-99-145:~$ cat flag8.txt 
```

{% hint style="success" %}
75f5edb76fe98dd5fc9f577a3f5de9bc
{% endhint %}

### By look in your hosts file, locate and retrieve flag 9.

```
bob@ip-10-10-99-145:~$ tail -n 1 /etc/hosts
```

> 127.0.0.1 dcf50ad844f9fe06339041ccc0d6e280.com

{% hint style="success" %}
dcf50ad844f9fe06339041ccc0d6e280
{% endhint %}

### 10 Find all other users on the system. What is flag 10.

```
bob@ip-10-10-99-145:~$ cat /etc/passwd
```

> 5e23deecfe3a7292970ee48ff1b6d00c:x:1002:1002:,,,:/home/5e23deecfe3a7292970ee48ff1b6d00c:/bin/bash

{% hint style="success" %}
5e23deecfe3a7292970ee48ff1b6d00c
{% endhint %}

## Task 3 Linux Functionality

### Run the command flag11. Locate where your command alias are stored and get flag 11.

```
bob@ip-10-10-99-145:~$ cat .bashrc |grep flag11
```

> alias flag11='echo "You need to look where the alias are created..."' #b4ba05d85801f62c4c0d05d3a76432e0

{% hint style="success" %}
b4ba05d85801f62c4c0d05d3a76432e0
{% endhint %}

### &#x20;Flag12 is located were MOTD's are usually found on an Ubuntu OS. What is flag12?

```
bob@ip-10-10-99-145:~$ cat /etc/update-motd.d/00-header |grep Flag12
```

> &#x20;\# Flag12: 01687f0c5e63382f1c9cc783ad44ff7f

{% hint style="success" %}
01687f0c5e63382f1c9cc783ad44ff7f
{% endhint %}

### Find the difference between two script files to find flag 13.

```
bob@ip-10-10-99-145:~$ cd flag13/ 
bob@ip-10-10-99-145:~/flag13$ dir
script1 script2 
bob@ip-10-10-99-145:~/flag13$ diff script1 script2
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4pqyZbvaN6UaC3tJr%2F-MP4qZ3nlSq6k_9qLVIO%2Fimage.png?alt=media\&token=2c7ba67a-2f56-475f-8ca1-df6b73b0de2a)

{% hint style="success" %}
3383f3771ba86b1ed9ab7fbf8abab531
{% endhint %}

### Where on the file system are logs typically stored? Find flag 14.

```
tail -n 1 /var/log/$(ls /var/log/ |grep flag)
```

{% hint style="success" %}
71c3a8ad9752666275dadf62a93ef393
{% endhint %}

### Can you find information about the system, such as the kernel version etc.

### Find flag 15.

```
bob@ip-10-10-99-145:~/flag13$ cat /etc/lsb-release
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4rCFwNosLVpg-_kPY%2F-MP4rfBs1F2KFV6Y69gG%2Fimage.png?alt=media\&token=bdd855dd-3b91-4af3-b837-fc3c9f1a5187)

{% hint style="success" %}
a914945a4b2b5e934ae06ad6f9c6be45
{% endhint %}

### Flag 16 lies within another system mount.

```
bob@ip-10-10-99-145:~$ cd /media/f/l/a/g/1/6/is/cab4b7cae33c87794d82efa1e7f834e6/
```

{% hint style="success" %}
cab4b7cae33c87794d82efa1e7f834e6
{% endhint %}

### Login to alice's account and get flag 17. Her password is TryHackMe123

```
bob@ip-10-10-99-145:~$ ssh alice@localhost
alice@ip-10-10-99-145:~$ cat flag17 
```

{% hint style="success" %}
89d7bce9d0bab49e11e194b54a601362
{% endhint %}

### Find the hidden flag 18.

```
alice@ip-10-10-99-145:~$ cat .flag18
```

{% hint style="success" %}
c6522bb26600d30254549b6574d2cef2
{% endhint %}

### Read the 2345th line of the file that contains flag 19.

```
alice@ip-10-10-99-145:~$ awk 'NR==2345' flag19
alice@ip-10-10-99-145:~$ sed '2345!d' flag19 
```

{% hint style="success" %}
490e69bd1bf3fc736cce9ff300653a3b
{% endhint %}

## Task 4 Data Representation, Strings and Permissions

### Find and retrieve flag 20.

```
alice@ip-10-10-71-95:~$ cat $(locate flag20) |base64 -d 
```

{% hint style="success" %}
02b9aab8a29970db08ec77ae425f6e68
{% endhint %}

### Inspect the flag21.php file. Find the flag.

```
alice@ip-10-10-129-13:~$ cat $(locate flag21.php)
alice@ip-10-10-129-13:~$ less $(locate flag21.php)
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4tbMoOsW8jvOsH2HY%2F-MP4ufXT4I8ofF1GvI1e%2Fimage.png?alt=media\&token=1fd22cac-0be0-44bd-8bd2-b48d1afa5a05)

{% hint style="success" %}
g00djob
{% endhint %}

### Locate and read flag 22. Its represented as hex.

```
alice@ip-10-10-71-95:~$ cat flag22 |xxd -r -p
```

{% hint style="success" %}
&#x20;9d1ae8d569c83e03d8a8f61568a0fa7d
{% endhint %}

### Locate, read and reverse flag 23.

```
alice@ip-10-10-71-95:~$ cat $(locate flag23) |rev
```

{% hint style="success" %}
ea52970566f4c090a7348b033852bff5
{% endhint %}

### Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the source code.

```
alice@ip-10-10-71-95:~$ strings $(locate flag24) |grep flag
```

{% hint style="success" %}
hidd3nStr1ng
{% endhint %}

### Flag 25 does not exist.

{% hint style="success" %}
No answer needed
{% endhint %}

### Locate and retrieve flag 26.

```
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null
alice@ip-10-10-71-95:~$ cat /var/cache/apache2/mod_cache_disk/config.json
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4wW-zE7juLqG2LG4N%2F-MP4yAUBkMVFbWayT4jJ%2Fimage.png?alt=media\&token=ea076549-a304-4771-9c9e-060fe5f65069)

{% hint style="success" %}
4bceb76f490b24ed577d704c24d6955d
{% endhint %}

### Locate and retrieve flag 27, which is owned by the root user.

```
locate flag27
sudo -l
sudo /bin/cat /home/flag27
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP4wW-zE7juLqG2LG4N%2F-MP4woOABcRfXQL25iNp%2Fimage.png?alt=media\&token=c3eeee4d-3118-4775-96ea-d0b1ece77c3f)

{% hint style="success" %}
6fc0c805702baebb0ecc01ae9e5a0db5
{% endhint %}

### Whats the linux kernel version?

```
alice@ip-10-10-71-95:~$ uname -r
4.4.0-1075-aws
```

{% hint style="success" %}
4.4.0-1075-aws
{% endhint %}

### Find the file called flag 29 and do the following operations on it:

Remove all spaces in file. Remove all new line spaces. Split by comma and get the last element in the split.

```
alice@ip-10-10-71-95:~$ cat $(locate flag29) | tr -d ' ' | tr -d '\n' |awk -F',' '{print $NF}'
fastidiisuscipitmeaei
alice@ip-10-10-71-95:~$ cat $(locate flag29) | tr -d ' ' | tr -d '\n' |awk -F',' '{print $NF}' |grep -E "[0-9a-z]"
```

{% hint style="success" %}
fastidiisuscipitmeaei
{% endhint %}

## Task 5 SQL, FTP, Groups and RDP

### Use curl to find flag 30.

```
alice@ip-10-10-71-95:~$ curl localhost
flag30:fe74bb12fe03c5d8dfc245bdd1eae13f
```

{% hint style="success" %}
fe74bb12fe03c5d8dfc245bdd1eae13f
{% endhint %}

### Flag 31 is a MySQL database name.

> MySQL username: root
>
> MySQL password: hello

```
alice@ip-10-10-71-95:~$ mysql -u root -p 
Enter password:
Welcome to the MySQL monitor.
Commands end with ; or \g.
Your MySQL connection id is 6 Server version: 5.7.25-0ubuntu0.16.04.2 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+-------------------------------------------+
| Database |
+-------------------------------------------+
| information_schema |
| database_2fb1cab13bf5f4d61de3555430c917f4 |
| mysql |
| performance_schema |
| sys |
+-------------------------------------------+
5 rows in set (0.00 sec)
```

{% hint style="success" %}
2fb1cab13bf5f4d61de3555430c917f4
{% endhint %}

### Bonus flag question, get data out of the table from the database you found above!

```
mysql> use database_2fb1cab13bf5f4d61de3555430c917f4 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed mysql> show tables; 
+-----------------------------------------------------+ 
| Tables_in_database_2fb1cab13bf5f4d61de3555430c917f4 |
+-----------------------------------------------------+
| flags |
+-----------------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from flags; 
+----+----------------------------------+
| id | flag | +----+----------------------------------+
| 1 | ee5954ee1d4d94d61c2f823d7b9d733c |
+----+----------------------------------+
1 row in set (0.00 sec)
```

{% hint style="success" %}
ee5954ee1d4d94d61c2f823d7b9d733c
{% endhint %}

### Using SCP, FileZilla or another FTP client download flag32.mp3 to reveal flag 32.

```
scp alice@10.10.71.95:flag32.mp3 . 
alice@10.10.71.95's password: 
flag32.mp3 100% 10KB 196.7KB/s 00:00
audacity flag32.mp3
```

{% hint style="success" %}
tryhackme1337
{% endhint %}

### Flag 33 is located where your personal $PATH's are stored.

```
bob@ip-10-10-71-95:~$ head -n 1 .profile
Flag 33: 547b6ceee3c5b997b625de99b044f5cf
```

{% hint style="success" %}
547b6ceee3c5b997b625de99b044f5cf
{% endhint %}

### Switch your account back to bob. Using system variables, what is flag34?

```
bob@ip-10-10-71-95:~$ printenv |grep flag 
flag34=7a88306309fe05070a7c5bb26a6b2def
```

{% hint style="success" %}
7a88306309fe05070a7c5bb26a6b2def
{% endhint %}

### Look at all groups created on the system. What is flag 35?

```
bob@ip-10-10-71-95:~$ cat /etc/group |grep flag
flag35_769afb6:x:1005:
bob@ip-10-10-71-95:~$ getent group |grep flag
flag35_769afb6:x:1005:
```

{% hint style="success" %}
769afb6
{% endhint %}

### Find the user which is apart of the "hacker" group and read flag 36.

```
bob@ip-10-10-71-95:~$ locate flag36 /etc/flag36
bob@ip-10-10-71-95:~$ ls -lah /etc/flag36
-rw-r----- 1 root hacker 33 Feb 19 2019 /etc/flag36 
bob@ip-10-10-71-95:~$ cat /etc/group |grep hacker hacker:x:1004:bob 
bob@ip-10-10-71-95:~$ cat /etc/flag36 
83d233f2ffa388e5f0b053848caed1eb
```

{% hint style="success" %}
83d233f2ffa388e5f0b053848caed1eb
{% endhint %}

### Well done! You've completed the LinuxCTF room!

{% hint style="success" %}
No answer needed
{% endhint %}