TryHackMe: Linux Strength Training Walkthrough

Hello to all,

For this new post, I would like to share some Linux knowledge. You can do the challenges with me by entering this room. The room might look basic to some players and more advanced to others.

I would like to give credit to DrXploiter and wannabe12 for the amazing rooms and challenges. I learned a lot from Linux Strength Training, which is a free room that anyone can learn from.

When I was still doing this room, there were 1874 users (without being subscribed) playing it, and the room was just 88 days old.

Before we start, I will give a brief introduction to Linux for those who are new to the operating system. Linux is a family of open-source Unix-like operating systems based on the Linux kernel. The first Linux was released on 17 September 1991 by Linus Torvalds.

I completed the machine before posting this walkthrough, but I will re-run the challenges for the purpose of sharing. The machine I will be using for this activity is Kali Linux on VMware.

Let’s start!

Firstly, we need to deploy the machine so that we can play the challenges.

We will be using the “find” command a lot in the challenges, so it is good to learn a little about it first.

For the question “What is the correct option for finding files based on group?”

The answer: -group

On the next question, we know the username=francis and size=52k for the answer.
 
The answer: find /home/francis -type f -user francis -size 52k
 
 
 
For the next activity, we will ssh to the server with username: topson and password: topson

Once we have successfully logged into the server as topson, we need to look at what is stored in topson's home directory.

We need to go into the chatlogs directory with cd /home/topson/chatlogs
 

 
 
We need to get the filename by using the command grep -iRl 'keyword'
 
 
Got it!
 
Let’s see what is written in the file by using less <filename>

We need to find the keyword within the file by typing /keyword inside less
 
 
Got it!
 
To get the flag for the next question, we need to search for ‘ReadMeIfStuck.txt’ and read what is written inside.

To find the first hint, we need to find a file named additionalHint. The command to find the file is as follows:

find / -name "additionalHint"

We have found the file’s location, so we need to go to the directory where the file is located and open the file.

Oh well! Another hint tells us which directory to search for next. We need to use the “find” command again to locate it.

find / -name "telephonennumbers"

We have found the location of the telephone numbers directory, and there are a bunch of files in it. However, there is one file that caught my attention, which is readMe.txt
 
 
Let’s open the file!
 
 
We need to find a file that was modified on a certain date by running the command below

find /home/topson/workflows -type f -newermt 2016-09-11 ! -newermt 2016-09-13

This is the output we get from the command. We know that the file is located at /home/topson/workflows/xft/eBQRhHvx

Let’s dig into the file and search for the flag stored in it by typing “/Flag”
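The date window used above, as an added example that is not part of the original walkthrough. It assumes GNU find and GNU touch; the scratch directory, file names and timestamps are constructed for the demonstration. It shows that the first -newermt bound is exclusive and the negated one is inclusive.

```shell
#!/bin/sh
# List regular files whose modification time is later than $2 (exclusive)
# and not later than $3 (inclusive): the same test as the command above.
find_modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# Build a scratch directory with constructed timestamps around the window.
demo_tree() {
    dir=$(mktemp -d) || return 1
    touch -d '2016-09-10 18:00:00' "$dir/too_old"
    touch -d '2016-09-11 00:00:00' "$dir/exactly_start"  # equal to lower bound
    touch -d '2016-09-12 09:30:00' "$dir/in_window"
    touch -d '2016-09-13 00:00:00' "$dir/exactly_end"    # equal to upper bound
    touch -d '2016-09-14 08:00:00' "$dir/too_new"
    echo "$dir"
}

dir=$(demo_tree)
# "exactly_start" is not listed: -newermt means strictly newer than midnight.
# "exactly_end" is listed: "! -newermt" keeps anything not newer than the bound.
find_modified_between "$dir" 2016-09-11 2016-09-13
rm -rf -- "$dir"
```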

 

If you found the flag until now, Well Done!

 
Onto the next task, which covers copying, moving, renaming and creating files.

 
The first question in this task needs the “move” command; the answer to the question is
mv * /home/francis/logs
 
 
The next question can be answered by running the following command:
scp /home/james/Desktop/script.py john@192.168.10.5:/home/john/scripts

 

How would you rename a folder named -logs to -newlogs

the answer: mv -- -logs -newlogs

 

How would you copy the file named encryption keys to the directory of /home/john/logs

the answer: cp "encryption keys" /home/john/logs

As usual, we need to find the location of readME_hint.txt

The output above shows that the file is located at /corperateFiles/RecordsFinances/

We can look into the file by using the command cat readME_hint.txt

We are required to move MoveMe.txt to the march Folder directory. We can move the file by using a command such as

mv -- MoveMe.txt march\ Folder

After successfully moving the file into the march folder, let’s jump into the march folder and run the command ./runMe.sh to receive the flag. Good job if you received the flag on this task.
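The rename, copy and move answers above, run end to end in a scratch directory, as an added example that is not part of the original walkthrough. The backup directory is hypothetical and the files are empty, constructed stand-ins; it also shows why the -- matters when a name starts with a dash.

```shell
#!/bin/sh
# Recreate the awkward names from the task in a scratch directory.
dash_and_space_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir -- -logs "march Folder" backup   # "backup" is a hypothetical target
        : > MoveMe.txt
        : > "encryption keys"

        # Without "--", mv reads "-logs" as a bundle of options and fails,
        # so the directory keeps its name.
        mv -logs -newlogs 2>/dev/null && exit 1

        mv -- -logs -newlogs               # "--" ends option parsing
        cp "encryption keys" backup/       # quotes keep the space in one argument
        mv -- MoveMe.txt march\ Folder     # escaping the space works as well

        # A "./" prefix is an alternative to "--". It also protects globs:
        # "mv ./* dest" never hands mv a name that begins with "-",
        # whereas "mv * dest" would pass such a name as an option.
        mv ./-newlogs ./-tmpname
        mv ./-tmpname ./-newlogs
    ) || return 1
    echo "$work"
}

work=$(dash_and_space_demo) && ls -A "$work"
```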

 
Let’s move on to the hashing task!

 
Firstly, you will need to download the provided hash in order to answer the first task.

To recover the password for the file, you will need to crack it with john, a.k.a. John the Ripper. The command will be something like

john --format=raw-md5 --wordlist=/home/darknite/Desktop/rockyou.txt hash1.txt

The result will normally show the password stored in hash1.txt, which is secret123, but I will not get the password because this is my second time cracking the password
 
 
On to the next question, we need to ssh using Sarah's credentials with the given password, rainbowtree1230x.

ssh sarah@<IP Address>

Once we have successfully logged into the server as Sarah, we need to find the file using the command find / -name "hashA.txt"

Let’s verify the hash type used in hashA.txt by running the following command:

cat hashA.txt | hash-identifier

By right, we will be getting MD4 as the output.

After we have identified the hash type as MD4, we can use the following command to crack the password:

john --format=raw-md4 --wordlist=/home/darknite/Desktop/rockyou.txt hashA.txt
 
 
However, I will not get the password because this is my second time cracking the password
 
 
The next question requires us to find the file using the command find / -name "hashB.txt"

Let’s verify the hash type used in hashB.txt by running the following command:

cat hashB.txt | hash-identifier

By right, we will be getting SHA-1 as the output.

After we have identified the hash type as SHA-1, we can use the following command to crack the password:

john --format=raw-sha1 --wordlist=/home/darknite/Desktop/rockyou.txt hashB.txt
 
 
 
 
However, I will not get the password because this is my second time cracking the password
 
 
Now, we need to find the file using the command find / -name "hashC.txt"

We also need to find the file using the command find / -name "ww.mnf"

Let’s verify the hash type used in hashC.txt by running the following command:

cat hashC.txt | hash-identifier

By right, we will be getting SHA-256 as the output.

After we have identified the hash type as SHA-256, we can use the following command to crack the password:

john --format=raw-sha256 --wordlist=/home/darknite/Desktop/rockyou.txt hashC.txt
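The identification step used for hashA, hashB and hashC rests mostly on digest length, which is why a 32-character hash can only be narrowed to a family (MD4 and MD5 look the same). An added sketch of that reasoning, not the hash-identifier tool's own code and not part of the original walkthrough; the sample digests are computed from a constructed string.

```shell
#!/bin/sh
# Guess the candidate algorithm of a bare hex digest from its length.
# Length alone cannot separate algorithms with the same output size,
# so each answer is a candidate, not proof.
guess_hash_type() {
    digest=$1
    # Anything that is not pure hexadecimal (base64, salted formats) is rejected.
    case $digest in
        ''|*[!0-9a-fA-F]*) echo "not a bare hex digest"; return 1 ;;
    esac
    case ${#digest} in
        32)  echo "MD5 or MD4 (128-bit)" ;;
        40)  echo "SHA-1 (160-bit)" ;;
        64)  echo "SHA-256 (256-bit)" ;;
        128) echo "SHA-512 (512-bit)" ;;
        *)   echo "unknown length ${#digest}" ;;
    esac
}

# Constructed samples: digests of the string "constructed".
for tool in md5sum sha1sum sha256sum; do
    d=$(printf 'constructed' | "$tool" | cut -d' ' -f1)
    printf '%s -> %s\n' "$d" "$(guess_hash_type "$d")"
done
```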
 
 
 
What is the name of the tool which allows us to decode base64 strings?
the answer: base64

We need to find the file using the command find / -name "encoded.txt"

We will need to decode the file using base64 by running the command as follows:

cat encoded.txt | base64 -d >> crack.txt

Once that succeeds, you need to find any ‘special’ word in the large file.

Based on the information that we have found in the large file, we need to find the file ent.txt by using find / -name "ent.txt"

Inside ent.txt there is a stored hash, and we need to crack it to get the special answer for the question.

john --format=SHA-md4 --wordlist=/home/darknite/Desktop/rockyou.txt ent.txt
 
 
GOT IT!
 
On the next task, we are required to complete the encryption/decryption using gpg. Let’s go!

You wish to encrypt a file called history_logs.txt using the AES-128 scheme. What is the full command to do this?
the answer: gpg --cipher-algo AES-128 --symmetric history_logs.txt
 
 
What is the command to decrypt the file you just encrypted?
 
the answer: gpg history_logs.txt.gpg
 
 
We are required to decrypt layer4.txt and get the flag in this activity. We will use the “find” command again to search for layer4.txt and decrypt the file using the following step

After a few minutes, we are finally able to get the file layer4.txt with the password “bob” and, sadly, it is still an encrypted file

gpg layer4.txt

We will keep using the same method as above for layer3 down to layer1.txt, but layer2 is different in that it gives direct information as follows:

 
 
 
We will need to find layer1.txt and decrypt it using the password hacked.

For the next challenge, we need to crack an encrypted GPG file.

This challenge requires us to find the file called personal.txt.gpg and crack it using the wordlist data.txt.

We need to crack the password from another machine because this machine cannot run John the Ripper. Before cracking with John the Ripper, we need to convert the gpg file into a john-readable file by using the command

gpg2john personal.txt.gpg > personal.txt

The command used to crack the password would be something like

john --format=gpg --wordlist=/home/darknite/Desktop/data.txt personal.txt

You will get a result something like the following:

 
 
On this second-to-last task, we will be focusing on MySQL commands on the Linux operating system.

The command to run in order to log in to the MySQL server is

mysql -u sarah -p

 

To gain access to the SQL database, we need to load it with source employees.sql

The next step is to execute the SQL command show databases; to show the available databases.

To use the employees database, we need to execute the SQL command use employees; and then show tables; in order to show the tables in this database.

Moving on, we need to see if the SQL database gives any valuable result by using the SQL command describe employees;

We are finally getting nearer to the flag: we found that there is a first_name matching Lobel in the employees table. As a result, we need to pull out all the details for Lobel by using the command

select * from employees where first_name like 'Lobel';

Final challenges for this activity!

Firstly, we need to go to /home/shared/chatlogs/ and run grep -iRl "Sameer"

Sameer's SSH password is inside one of the files.

We need to enter the directory that has a huge size, which is /home/shared/sql/conf

and we notice that JKpN matches the size of 50M, so we need to read the file with less JKpN

We copy the hash and paste it into a new file so that we can easily decode it by using the command base64 -d <new file>

The result will show a new directory that we need to go to; however, we need to ssh to the server with Sameer’s credentials.

 
ssh sameer@<ip address>
 
 
 
The password for Sameer has been cracked from the previous question. We need to go directly into the directory /home/sameer/History LB/labmind/latestBuild/configBDB/ and run grep -iRl ebq

 
 

We have found a couple of wordlists that can be used for the password cracking. You can combine all three wordlists into one by using cat pLmjwi LmqAQl Ulpsmt > wordlist.txt

We can filter the wordlist in the wordlist.txt file using the same command as grep -iRl ebq. This method will take some time to get the correct password for the SQL database back-up copy. Eventually, we will get ebqattle as the correct password

Let’s get the password for ‘James’, where you repeat the steps from task 8 as follows:

mysql -u sarah -p (enter the password when prompted)
source employees.sql
show databases;
use employees;
describe employees;
select * from employees where first_name like 'James';

In the end, you will be able to see that the password is stored as last_name in the database structure, which leads to vuimaxcullings

Once we have gained the ssh password for James, let’s ssh to the server using James’ credentials as follows:

Now, let’s log in as root by using sudo su.

To get the root flag, we need to go to the /root/ directory and run ls -a in order to find root.txt

Let’s see what is stored in root.txt

-THE END-

Happy Learning Guys!

 
 
 

Author: Wan Ariff
