TryHackMe Walkthrough Link: https://tryhackme.com/room/zthlinux
Learn Linux is a great introductory room from Paradox. As the name suggests, it gives a nice foundation for Linux skills. This is a walkthrough room, so I’m not going to go into a huge amount of detail about the concepts themselves — I’ll leave that in Pars’ capable hands. Instead I’m going to be focusing on the questions, and how to answer them. By this token, I will be bypassing the tasks which don’t actually have any questions to answer: however, I would strongly advise you to read and understand the information that they’re trying to teach, especially if you’re new to Linux.
Let’s get started!
The room covers deploying and logging into the machine in great detail, however I’m just going to quickly screenshot this myself, as I believe that many people have been struggling with this.
I will be using the terminal in both Linux and Windows for this; however, the syntax is identical in both operating systems.
In Linux, open a terminal and use the following syntax:
Type “yes,” when prompted, then hit Enter.
In Windows, press
Ctrl + R then type in
Powershell and hit Enter:
The syntax here is identical:
Remember that the password will be shiba1 when we’re logging in.
For the remainder of this write-up I will be using Linux for simplicity, however, the syntax will be the same from here on out.
Task 6 — Manual Pages and Flags:
The first five tasks are purely tutorial, so we’re going to skip over them here. Again, I would urge you to read that information for yourself.
There is one question for Task 6:
How would you output hello without a newline
We were told in task 5 that the
echo command is used to output text to the console. Looking at the
man page for echo (accessed using
man echo), we can see that the switch for removing the newline is
q to exit the man page.
Let’s put that together. We want to output “hello.” Usually that would be
echo hello, but here we also want to get rid of the new-line after the command, so we’ll add in that
echo -n hello
Which gives us our answer for the question.
Task 7 —
There are two questions for task seven. Both can be answered by looking in the
man page for
ls — we access this once again using
We can see that the switch for outputting all entries is
You’ll need to scroll down a bit for the second question, but further down we can see that the switch to output in a long list format is
As a side note, these two switches are often combined into a single command, which would look like this:
Task 8 —
Just one question for task 8. Once again this can be answered with the man page of
cat (you guessed it:
Take a look:
From this we can see that the switch to number all the lines of the output is
Task 10 — Running A Binary:
Task 9 has no questions, so we’ll be moving on to Task 10, which has three questions.
The first asks us to run a binary called “hello” that’s in the current directory. We do this by referencing the current directory using
., like so:
(Note that I created the
hello binary to serve as an example. This will not work if you try it on the deployed machine)
The second question asks us to run a binary called “hello” that’s inside our home directory, which we reference with a tilde character (
~), like so:
Finally, we’re asked to run a binary called “hello” that’s inside the directory above our current directory. We reference this with two dots (
..), like so:
Task 11 — shiba1:
Task 11 is our first test. Once we solve it, we’ll be given the password for the second user (
We’re asked to create a file called
noot.txt in our home (
~) directory, then run the
shiba1 binary. To create files we use the
touch command (as explained in Task 9). We’ve just covered how to run binaries in Task 10.
Let’s do the challenge:
I’ve blurred the password so that you have to do this for yourself, but if you follow that process you will be given the password to use in the next task.
Task 12 —
In Task 12 we will be using the password that we found earlier to change our account. As the task explains, we use the
su (switch user) command to change which account we’re logged in as.
Normally we would just use this in the format
su <user> — which will work fine for changing our account to
shiba2, but we’re also asked which switch we would use to specify a specific shell. Back to the man pages (
Notice that the switch to specify a shell is
Don’t worry too much about what shells are just now. Essentially, different shells, give you different levels of functionality. The shell that we’ve been using (which gives us a prompt like this:
shiba1@nootnoot) is called bash, but there are lots of other shells, including custom shells that can be downloaded from the internet.
su to upgrade your account now:
Task 14 — “
In Task 14 we have a single question:
How would you output twenty to a file called test
Think way back to the start — how would you output
twenty to the console?
echo of course!
We can use the redirect operator to print this to a file, rather than using the console. The question has asked us to output it to a file called
test, so let’s do that:
echo twenty > test
Here’s a demonstration that this has worked successfully:
Task 18 — “
Environment variables are very useful things. They can be accessed anywhere in the operating system, which makes them ideal for storing information about the system.
We’ll need these for a later task, so learning how they work is very important.
In terms of the two questions, the first asks:
How would you set nootnoot equal to 1111
Well, we know that we save environment variables like this:
We just need to substitute in the values we’ve been asked for:
To access an environment variable we can use
echo, like this:
Once again, we can just substitute the value in:
Once again, I’ve blurred the actual answer so that you have to do this for yourself, but that command will give you the answer.
Task 21 — shiba2:
This is the second challenge. If we complete this then we get the password for the next user (
The question is asking us to create an environment variable called
test1234 and set it equal to the
$USER environment variable. This gives us two things that we need to do.
First up, we know how to set an environment variable:
So that’s the first one out of the way
We also know that we can access the contents of an environment variable by using the dollar sign. Previously we used this with echo (
echo $<varname>) to output the contents of the variable, but this time we just need to use the contents.
Let’s put this together:
Here we’re creating an environment variable called
test1234 and setting it equal to the value in the
$USER variable — exactly as the question asks.
Run the binary, and grab that password!
At this point you should also use
su to switch into the
shiba3 user before continuing.
Task 24 —
The task explains file permissions in Linux very well; however, if you still don’t understand them, I have a full blog post on the subject — it’s a lot longer, but goes into more depth. This post will also cover the topic of Task 25 (
In terms for the two questions for task 24, let’s start with the first one:
What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file?
Let’s break this down a bit:
- User can read the file, so
- Group can read and write, so
- No one else can read, write or execute, so
Let’s convert each of these to octal:
4 + 2=
Putting these together properly, we get
460, which answers the first question.
See this in practice:
Notice that after I used the
chmod command the permissions matched up exactly:
Let’s do the same thing for the second question:
What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file.
We’ll separate these out again first:
- User can read, write and execute the file, so
- Group can read, write and execute the file, so
- World can read, write and execute the file, so
This means that all three sets of permissions will be the same:
4 + 2 + 1 =
Putting that together for all three permission sets, we get
777, which is the answer to the second question.
See this in practice:
Task 25 —
We have three questions in task 25. The first asks us how we would use the
chown command to change the owner of a file called
file to be “paradox”.
We know that to specify the owner of a file we can use
chown <owner> <file>, so let’s try substituting the values that we have into this:
chown paradox file
Next we want to set both the owner and the group of
file to be “paradox”.
To set the owner and group we use
chown <owner>:<group> <file>.
Once again, let’s sub our values in:
chown paradox:paradox file
For the last question, let’s head back to our trusty man pages (
This question is quite sneaky, but the switch we’re looking for is
-R, which operates recursively on every file inside a directory as well as all sub-directories.
Task 26 —
Ah, the remove command…
rm can cause nightmares if used carelessly. Unlike in Windows, there is no “recycling bin” in Linux. Once you’ve used
rm on something, it ain’t coming back (not without forensic tools at any rate).
Both questions in this task can be answered with the man page for rm (
man page we can see that the switch for deleting every file in a directory will be
-r, which will delete everything inside the directory, as well as all subdirectories.
The flag to suppress all warning prompts (as we can see in the
man page) is
-f, which forces the action.
Task 27 —
There’s just one question for Task 27. We’re asked how we would move a file called
file into the
Well, we can see from the task (and the man page!) that the syntax for
mv <current-location> <new-location>
file is in the same directory that we are then we can just fill in the values:
mv file /tmp
Which would move
file from our current location, into the
As a bonus question. How would you move a file called
/tmp? Click on the answer to reveal it:
mv /home/file2 /tmp
Task 28 —
cd && mkdir:
Remember way back to Task 10? We learnt that we could reference our home directory with a tilde (
~). Well, this is what we gotta do here.
We know from the task that the syntax of
cd <location>, so let’s do that now:
This will take us to our home directory using a relative path.
For the second question we’re using the
mkdir command to make a directory. The syntax for this, we’re told, is
mkdir <location>. The question specifically asks us to make a directory called
test inside the
/tmp directory, so let’s do that now:
Task 30 —
We have one question for Task 30:
How would I link /home/test/testfile to /tmp/test
Notice that this is not asking for a symbolic link, which means we don’t need the
The syntax for linking is
ln <target-file> <destination-file>, so let’s sub our values in.
/tmp/test, so it looks like this:
ln /home/test/testfile /tmp/test
Task 31 —
find command is incredibly useful. There’s a whole room about it on TryHackMe, which I would recommend completing.
For the first question here we’re looking for a switch that lets us search for files with specific permissions. Our old friend the man page (
man find) can help us with that!
Admittedly it’s slightly convoluted, but it’s in there. We can use
-perm to specify permissions.
The next question is slightly easier. We know from Paradox’ explanation that the basic syntax for the find command is
find /<location>, which would find all files in that location.
In this case our location is
/home, so we want to use
For the final question in this task, we need to find all files belonging to the user “paradox”. To find every file on the system we can use
/ as find is recursive. We’re also told in the instructions that searching by user can be done with the
Let’s try that now:
find / -user paradox
This will find every file on the system belonging to the user “paradox”
Task 32 —
For question one… you guessed it! Let’s have a look at the
man page for
man grep). We’re looking for a switch that lists line numbers for every string found:
That looks good.
-n will list line numbers for every string found.
For the second question, we’re told in the task that the basic syntax for
grep <string-to-find> <file-to-find-it-in>.
Let’s sub the information we’ve been given into this format.
We’re looking for string “boop” in file
grep boop /tmp/aaaa
Task 33 — shiba3:
The third challenge. This one has a little more in it than the first two.
The first thing we need to do is find the binary. We’ve been told its name though (
shiba4) so let’s use the find command to locate it:
There’s a file called
shiba4 in the directory
/opt/secret — looks good!
Notice in the find command I used there that I used
/ to search the entire filesystem,
-name to specify the name of the file,
-type f to specify that I wanted a file, not a directory, and
2>>/dev/null to discard all errors.
Now, what does the task need us to do next?
We first need to create a directory called
test in our home directory. Looks like a job for
An error. Looks like the directory already exists. Ah, well — we can move on then. We next need to make a file called
test1234 inside the
test directory. Let’s do this with
We can now execute the binary that we found earlier:
/opt/secret/shiba4 to receive the password:
Use the password with
su to become the
shiba4 user, then let’s continue!
Task 35 —
Sudo is a really good command to learn — you’re going to be using it a lot.
For the first question here, lets *dun dun dun* take a look at the man pages! (
-u switch will allow us to specify another user to run a command as.
Following on from that, let’s put what we just learnt into practice.
How would we run whoami as a user called jen? Well, with that
sudo -u jen whoami
For the last question we are once again back to perusing the manual to look for a switch that gives us our sudo permissions:
-l switch to list our permissions seems like it should work!
Task 36 — Adding users and groups:
Just one question for this task: how would we add the user
test into the group
Well, this command needs to be run as the root user, so we’ll be using sudo here.
We know from the task that the basic syntax for modifying users is:
usermod -a -G <groups> <user>
So lets sub in our values:
sudo usermod -a -G test test
Task 43 — The True Ending:
And here we have it. The one we’ve all been waiting for. The question that’s been driving people insane. What’s the flag at
Well, this is not exactly a conventional privesc. Paradox wasn’t lying when he said that all the tools to find it were taught in the room. There’s nothing fancy here.
First thing to do is use
sudo -l on each of the four users we have access to. You’ll find that none of them can use sudo, so that’s definitely not an option.
Let’s search for files belonging to each of the shiba users.
find / -user <insert-username-here> -type f 2>>/dev/null
Shiba2 owns an interesting file:
We haven’t used that yet in this room, have we?
Let’s have a look at the file permissions using
Right, so look at those file permissions. The file is owned by
shiba2 and it’s readable only by its owner and group. That means we’ll need to use
su to become
shiba2 before we can open the file:
We should now be able to open our mysterious file:
Aha! Those look like credentials for the
nootnoot user. Let’s switch to that user now:
Can this user use
sudo as root?
Yep! Full root privileges!
From here it’s a simple matter to read the flag using
sudo to pretend to be the root user:
And we’re done!
Certainly not a conventional privilege escalation, but all the more fun as a result of it!
I hope that you’ve learnt something in the course of this room, and now feel ready to go and tackle some challenges!