Linux Challenges

The Linux Challenges room gives a nice introduction to some general Linux commands, and generally usage of Linux commands to find loot.

Task 1# Linux Challenges Introduction

1# Deploy the machine and SSH in

Pretty simple task, just SSH into the box.

ssh garry@
image 60

Once you're in, take a look around to find how many flags there are.

ls -lah
image 61

Task 2#

1# What is flag 1?

cat flag1.txt
image 62

2# Login into bobs account ... what is flag 2?

su bob; #input password from flag1.txt
cd /home/bob;
cat flag2.txt
image 63

3# Flag 3 is located here bob's bash history gets stored.

image 64

4# Flag 4 is located where cron jobs are created.

cd /etc/;
crontab -e
image 66
image 65

5# Find and retrieve flag 5

find flag5 / 2> /dev/null | grep flag5;
cat /lib/terminfo/E/flag5.txt
image 68

#6 "Grep" through flag 6 and find the flag, the first 2 characters of the flag is 'c9'

find flag6 / 2> /dev/null | grep flag6;
cat /home/flag6.txt
image 69

#7 Look at the systems processes. What is flag 7.

ps -aux | grep flag
image 70

#8 Decompress and get flag 8.

find flag8 2> /dev/null | grep flag8;
gzip -d /home/bob/flag8.tar.gz;
cat /home/home/bob/flag8.tar
image 71

#9 By looking in your hosts file, locate and retrieve flag 9.

cat /etc/hosts
image 72

#10 Find all other users on the system. What is flag.

cat /etc/passwd;
cat /etc/passwd | grep 1002 #filters out the flag
image 73
image 74
The file's pretty big, scroll down

Task 3# Linux functionality

#1 Run the command flag11. Locate where you command aliases are stored and get flag 11.

cat /home/bob/.bashrc | grep flag11
image 75

#2 Flag12 is located where MOTDs are usually found on Ubuntu OS. What is flag12?

cat /etc/update-motd.d/* | grep flag -i
image 76
There were a number of fairly large files in /update-motd.d/ so cat all the files the filtered by case-insensitive "flag"

#3 Find the difference between two script files to find flag 13.

find / flag13 2>/dev/null | grep flag13;
diff script1 script2
image 77

4# Where are file system logs usually stored? Find flag 14.

cd /var/log; ls -la | grep flag;
cat /var/log/flagtourteen.txt
image 78
image 79

#5 Can you find information about system, such as the kernel version etc.

cat /etc/*-release
image 80

#6 Flag 16 lies within another system mount

cd /media/f/l/a/g/1/6/is/ #.....
image 81
To get the directory, I smashed the tab button; the folders were one after another and auto completed.

7# Login to Alice's account and get flag 17.

su alice; #input password
cd /home/alice;
ls -la;
cat flag17
image 82

8# Find the hidden flag 18.

ls -lah /home/alice | grep flag18;
cat /home/alice/.flag18
image 83

9# Read the 2345th line of the file that contains flag 19.

sed -n "2345,2345p" /home/alice/flag19
image 84

Task 4# Data Representation, Strings and Permissions

#1 Find and retrieve flag 20.

find / -type f -name flag20 2>/dev/null;
cat /home/alice/flag20;
base64 -d /home/alice/flag20
image 85

#2 Inspect the flag21.php file. Find the flag.

find / -type f -name flag21.php 2>/dev/null;
nano /home/bob/flag21.php; #cat doesn't show the flag
image 87
image 86

#3 Locate and read flag22. Its representative as hex.

xxd -p -r takes the piped output from our cat converts from Hex to readable format.

find / -type f -name flag22 2>/dev/null;
cat/home/alice/flag22 | xxd -p -r
image 88

#4 Locate, read and reverse flag 23.

The rev command reverses a file. I did try tac, which is a reverse cat function, but it didn't seem to work.

find / -type f -name flag23 2>/dev/null;
rev /home/alice/flag23
image 89

#5 Analyze the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the source code.

strings command reveals, you guessed it, all the strings in a file.

image 90

#6 Flag 25 does not exist.

... nothing here.

#7 Find flag26 by searching all files for a string the begins with 4bceb and is 32 characters long

This took a little tinkering with.

Instead of just running the grep command in the / directory, I ran it for a shorter period of time in each folder.

Eventually finding a result in /var in a shorter period of time that waiting for it to go through all files in the system.

egrep -Re "^4bceb.{27}" 2>/dev/null;
image 91

#8 Locate and retrieve flag 27, which is owned by the root user.

The file is owned by root so we need to sudo cat.

find -type f -name "flag27" 2>/dev/null;
cat /home/flag27;
sudo cat /home/flag27
image 92

#9 Whats the Linux kernel version?

uname -a
image 93

#10 Find the file called flag 29 and do the following operations on it:

  • Remove all spaces in file.
  • Remove all new line spaces.
  • Split by comma and get the last element in the split.
cat /home/garry/flag29 | tr -d ' ' | tr -d '\n' | rev | cut -d "," -f -1 | rev;

This script deletes all the blank spaces, line breaks, then reverses the text, splits by ,, takes the first field, then reverses the first field's value.

image 94

Task 5# SQL, FTP, Groups and RDP

#1 Use curl to find flag 30

In /etc/hosts we can see there s a link to so lets try curl localhost.

cat /etc/hosts;
curl localhost
image 95
#2 Flag 31 is a MySQL database name.
  • MySQL username: root
  • MySQL password: hello
mysql -u root --password; #then input root's password
show databases;
image 96

#3 Bonus flag question, get data out of the table from the database you found above!

Find the tables available in the database.

select table_schema, table_name from information_schema.tables were table schema like  'database_2fb1cab13bf5f4d61de3555430c917f4'
image 97

Then select from that table.

select * from database_2fb1cab13bf5f4d61de3555430c917f4.flags
image 98

#4 Using SCP, FileZilla or another FTP client download flag32.mp3 to reveal flag 32.

From your Kali box not the SSH'd box, run the following to download the flag file.

scp alice@ /home/kali/x.mp3;
mpg123 /home/kali/x.mp3;
image 99
image 100

This will play the MP3 file. The reason why we transfer the MP3 file to our box is because there's no point playing it on an SSH'd box. It'll play on their computer not our own.

5# Flag 33 is located where your personal $PATH's are stored

Took a bit of tinkering, but eventually found it with..

cat /home/*/.profile | grep -i flag
image 102

6# Switch your account back to bob. Using system variables what is flag 34?

You can find your path variables with the env command.

env | grep -i flag
image 103

7# Look at all groups created on the system. What is flag 35?

First tried the groups command, but nothing there. So running cat on the /etc/group file revealed the flag instead--after the _.

cat /etc/group | grep -i flag
image 104

8# Find the user which is apart of the "hacker" group and read flag 36.

If we switched the user to bob earlier, we don't need to do anything special here. Check you're in the hacker group and find flag36.

cat /etc/passwd | cut -d ":" -f 1 | xargs groups | grep hacker;
find / -type f -name flag36 2>/dev/null;
cat /etc/flag36;
image 106

9# Well done! You've completed the LinuxCTF room!

Easy, hit the the correct answer button, and you're complete.

Leave a Comment

Your email address will not be published. Required fields are marked *