Learn Linux — Write-up

Learn Linux — Write-up

TryHackMe Walkthrough Link: https://tryhackme.com/room/zthlinux

Learn Linux is a great introductory room from Paradox. As the name suggests, it gives a nice foundation for Linux skills. This is a walkthrough room, so I’m not going to go into a huge amount of detail about the concepts themselves — I’ll leave that in Pars’ capable hands. Instead I’m going to be focusing on the questions, and how to answer them. By this token, I will be bypassing the tasks which don’t actually have any questions to answer: however, I would strongly advise you to read and understand the information that they’re trying to teach, especially if you’re new to Linux.

Let’s get started!

Logging in:

The room covers deploying and logging into the machine in great detail, however I’m just going to quickly screenshot this myself, as I believe that many people have been struggling with this.

I will be using the terminal in both Linux and Windows for this; however, the syntax is identical in both operating systems.

In Linux, open a terminal and use the following syntax:

ssh shiba1@<machine-ip>
Logging in on Linux (type “yes” when prompted)

Type “yes,” when prompted, then hit Enter.

In Windows, press Ctrl + R then type in Powershell and hit Enter:

How to Open Powershell in Windows
Opening Powershell

The syntax here is identical:

ssh shiba1@<machine-ip>
Screenshot showing how to log in to the remove machine with Powershell
Logging in with Powershell (type “yes” when prompted)

Remember that the password will be shiba1 when we’re logging in.

For the remainder of this write-up I will be using Linux for simplicity, however, the syntax will be the same from here on out.

Task 6 — Manual Pages and Flags:

The first five tasks are purely tutorial, so we’re going to skip over them here. Again, I would urge you to read that information for yourself.

There is one question for Task 6:

How would you output hello without a newline

We were told in task 5 that the echo command is used to output text to the console. Looking at the man page for echo (accessed using man echo), we can see that the switch for removing the newline is -n:

man page for the echo command
man echo

Press q to exit the man page.

Let’s put that together. We want to output “hello.” Usually that would be echo hello, but here we also want to get rid of the new-line after the command, so we’ll add in that -n switch:

echo -n hello
Demonstration of the echo command with the -n switch activated
Demonstration of echo

Which gives us our answer for the question.

Task 7 — ls:

There are two questions for task seven. Both can be answered by looking in the man page for ls — we access this once again using man ls.

We can see that the switch for outputting all entries is -a:

-a switch from the ls man page
man ls

You’ll need to scroll down a bit for the second question, but further down we can see that the switch to output in a long list format is -l:

-l switch from the ls man page
man ls

As a side note, these two switches are often combined into a single command, which would look like this: ls -al.

Task 8 — cat:

Just one question for task 8. Once again this can be answered with the man page of cat (you guessed it: man cat).

Take a look:

Excerpt from the man page for cat
man cat

From this we can see that the switch to number all the lines of the output is -n.

Task 10 — Running A Binary:

Task 9 has no questions, so we’ll be moving on to Task 10, which has three questions.

The first asks us to run a binary called “hello” that’s in the current directory. We do this by referencing the current directory using ., like so:

Demonstrating executing a binary in the current directory
Execution Demo 1

(Note that I created the hello binary to serve as an example. This will not work if you try it on the deployed machine)

The second question asks us to run a binary called “hello” that’s inside our home directory, which we reference with a tilde character (~), like so:

Demonstrating executing a binary in the home directory
Execution Demo 2

Finally, we’re asked to run a binary called “hello” that’s inside the directory above our current directory. We reference this with two dots (..), like so:

Demonstrating executing a binary in the directory about the current working directory
Execution Demo 3

Task 11 — shiba1:

Task 11 is our first test. Once we solve it, we’ll be given the password for the second user (shiba2).

We’re asked to create a file called noot.txt in our home (~) directory, then run the shiba1 binary. To create files we use the touch command (as explained in Task 9). We’ve just covered how to run binaries in Task 10.

Let’s do the challenge:

Following the necessary steps to complete the shiba1 challenge
Completing the Shiba1 challenge

I’ve blurred the password so that you have to do this for yourself, but if you follow that process you will be given the password to use in the next task.

Task 12 — su:

In Task 12 we will be using the password that we found earlier to change our account. As the task explains, we use the su (switch user) command to change which account we’re logged in as.

Normally we would just use this in the format su <user> — which will work fine for changing our account to shiba2, but we’re also asked which switch we would use to specify a specific shell. Back to the man pages (man su):

Excerpt from the man su page
man su

Notice that the switch to specify a shell is -s.

Don’t worry too much about what shells are just now. Essentially, different shells, give you different levels of functionality. The shell that we’ve been using (which gives us a prompt like this: shiba1@nootnoot) is called bash, but there are lots of other shells, including custom shells that can be downloaded from the internet.

Use su to upgrade your account now:

Using su to switch user to shiba2
Switching User to shiba2

Task 14 — “>“:

In Task 14 we have a single question:

How would you output twenty to a file called test

Think way back to the start — how would you output twenty to the console?

With echo of course!

echo twenty

We can use the redirect operator to print this to a file, rather than using the console. The question has asked us to output it to a file called test, so let’s do that:

echo twenty > test

Here’s a demonstration that this has worked successfully:

Demonstrating the redirect command
Redirect Demonstration

Task 18 — “$“:

Environment variables are very useful things. They can be accessed anywhere in the operating system, which makes them ideal for storing information about the system.

We’ll need these for a later task, so learning how they work is very important.

In terms of the two questions, the first asks:

How would you set nootnoot equal to 1111

Well, we know that we save environment variables like this:
export <variable>=<value>

We just need to substitute in the values we’ve been asked for:

export nootnoot=1111

To access an environment variable we can use echo, like this:
echo $<variable>.

Once again, we can just substitute the value in:

echo $HOME
Using echo to output the contents of echo $HOME
Output of echo $HOME

Once again, I’ve blurred the actual answer so that you have to do this for yourself, but that command will give you the answer.

Task 21 — shiba2:

This is the second challenge. If we complete this then we get the password for the next user (shiba3)

The question is asking us to create an environment variable called test1234 and set it equal to the $USER environment variable. This gives us two things that we need to do.

First up, we know how to set an environment variable:
export <variable>

So that’s the first one out of the way

We also know that we can access the contents of an environment variable by using the dollar sign. Previously we used this with echo (echo $<varname>) to output the contents of the variable, but this time we just need to use the contents.

Let’s put this together:

export test1234=$USER

Here we’re creating an environment variable called test1234 and setting it equal to the value in the $USER variable — exactly as the question asks.

Run the binary, and grab that password!

Completing the steps required for the shiba2 challenge
Completing shiba2 challenge

At this point you should also use su to switch into the shiba3 user before continuing.

Task 24 — chmod:

The task explains file permissions in Linux very well; however, if you still don’t understand them, I have a full blog post on the subject — it’s a lot longer, but goes into more depth. This post will also cover the topic of Task 25 (chown).

In terms for the two questions for task 24, let’s start with the first one:

What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file?

Let’s break this down a bit:

  • User can read the file, so r--
  • Group can read and write, so rw-
  • No one else can read, write or execute, so ---

Let’s convert each of these to octal:

  • User: r-- = 4-- = 4
  • Group: rw- = 42- = 4 + 2 = 6
  • World: --- = 0

Putting these together properly, we get 460, which answers the first question.

See this in practice:

Demonstrating that 460 translates to r--rw----
Demonstration of file permissions

Notice that after I used the chmod command the permissions matched up exactly: r--rw----.

Let’s do the same thing for the second question:

What permissions mean the user can read, write, and execute the file, the group can read, write, and execute the file, and everyone else can read, write, and execute the file.

We’ll separate these out again first:

  • User can read, write and execute the file, so rwx
  • Group can read, write and execute the file, so rwx
  • World can read, write and execute the file, so rwx

This means that all three sets of permissions will be the same:
rwx = 421 = 4 + 2 + 1 = 7

Putting that together for all three permission sets, we get 777, which is the answer to the second question.

See this in practice:

Demonstrating that 777 translates to rwxrwxrwx
Demonstration of file permissions

Task 25 — chown:

We have three questions in task 25. The first asks us how we would use the chown command to change the owner of a file called file to be “paradox”.

We know that to specify the owner of a file we can use chown <owner> <file>, so let’s try substituting the values that we have into this:

chown paradox file

Next we want to set both the owner and the group of file to be “paradox”.

To set the owner and group we use chown <owner>:<group> <file>.
Once again, let’s sub our values in:

chown paradox:paradox file

For the last question, let’s head back to our trusty man pages (man chown):

Excerpt from man chown page
man chown

This question is quite sneaky, but the switch we’re looking for is -R, which operates recursively on every file inside a directory as well as all sub-directories.

Task 26 — rm:

Ah, the remove command…

rm can cause nightmares if used carelessly. Unlike in Windows, there is no “recycling bin” in Linux. Once you’ve used rm on something, it ain’t coming back (not without forensic tools at any rate).

Both questions in this task can be answered with the man page for rm (man rm):

Excerpt from man rm page
man rm

From the man page we can see that the switch for deleting every file in a directory will be -r, which will delete everything inside the directory, as well as all subdirectories.

The flag to suppress all warning prompts (as we can see in the man page) is -f, which forces the action.

Task 27 — mv:

There’s just one question for Task 27. We’re asked how we would move a file called file into the /tmp directory.

Well, we can see from the task (and the man page!) that the syntax for mv is: mv <current-location> <new-location>

Assuming that file is in the same directory that we are then we can just fill in the values:

mv file /tmp

Which would move file from our current location, into the /tmp directory.

As a bonus question. How would you move a file called file2 from /home to /tmp? Click on the answer to reveal it: mv /home/file2 /tmp

Task 28 — cd && mkdir:

Remember way back to Task 10? We learnt that we could reference our home directory with a tilde (~). Well, this is what we gotta do here.

We know from the task that the syntax of cd is cd <location>, so let’s do that now:

cd ~

This will take us to our home directory using a relative path.

For the second question we’re using the mkdir command to make a directory. The syntax for this, we’re told, is mkdir <location>. The question specifically asks us to make a directory called test inside the /tmp directory, so let’s do that now:

mkdir /tmp/test
Demonstrating how mkdir works
Demonstration of mkdir

Task 30 — ln:

We have one question for Task 30:

How would I link /home/test/testfile to /tmp/test

Notice that this is not asking for a symbolic link, which means we don’t need the -s switch.

The syntax for linking is ln <target-file> <destination-file>, so let’s sub our values in.

We’re linking /home/test/testfile to /tmp/test, so it looks like this:

ln /home/test/testfile /tmp/test

Task 31 — find:

The find command is incredibly useful. There’s a whole room about it on TryHackMe, which I would recommend completing.

For the first question here we’re looking for a switch that lets us search for files with specific permissions. Our old friend the man page (man find) can help us with that!

The -perm switch from the man find page
man find -> -perm switch

Admittedly it’s slightly convoluted, but it’s in there. We can use -perm to specify permissions.

The next question is slightly easier. We know from Paradox’ explanation that the basic syntax for the find command is find /<location>, which would find all files in that location.

In this case our location is /home, so we want to use find /home.

For the final question in this task, we need to find all files belonging to the user “paradox”. To find every file on the system we can use / as find is recursive. We’re also told in the instructions that searching by user can be done with the -user switch.

Let’s try that now:

find / -user paradox

This will find every file on the system belonging to the user “paradox”

Task 32 — grep:

For question one… you guessed it! Let’s have a look at the man page for grep (man grep). We’re looking for a switch that lists line numbers for every string found:

The -n switch from the man grep page
man grep

That looks good. -n will list line numbers for every string found.

For the second question, we’re told in the task that the basic syntax for grep is grep <string-to-find> <file-to-find-it-in>.

Let’s sub the information we’ve been given into this format.

We’re looking for string “boop” in file /tmp/aaaa:

grep boop /tmp/aaaa

Task 33 — shiba3:

The third challenge. This one has a little more in it than the first two.

The first thing we need to do is find the binary. We’ve been told its name though (shiba4) so let’s use the find command to locate it:

Using find to get the binary in /opt/secret/shiba4
Finding the binary

There’s a file called shiba4 in the directory /opt/secret — looks good!

Notice in the find command I used there that I used / to search the entire filesystem, -name to specify the name of the file, -type f to specify that I wanted a file, not a directory, and 2>>/dev/null to discard all errors.

Now, what does the task need us to do next?

We first need to create a directory called test in our home directory. Looks like a job for mkdir:

Using mkdir to create a directory called test
mkdir test

An error. Looks like the directory already exists. Ah, well — we can move on then. We next need to make a file called test1234 inside the test directory. Let’s do this with touch:

touch ~/test/test1234

We can now execute the binary that we found earlier: /opt/secret/shiba4 to receive the password:

Executing the shiba4 binary

Use the password with su to become the shiba4 user, then let’s continue!

Task 35 — sudo:

Sudo is a really good command to learn — you’re going to be using it a lot.

For the first question here, lets *dun dun dun* take a look at the man pages! (man sudo):

-u entry from man sudo page
man sudo

The -u switch will allow us to specify another user to run a command as.

Following on from that, let’s put what we just learnt into practice.

How would we run whoami as a user called jen? Well, with that -u switch!

sudo -u jen whoami

For the last question we are once again back to perusing the manual to look for a switch that gives us our sudo permissions:

-l switch in the man sudo page
man sudo

Using the -l switch to list our permissions seems like it should work!

Task 36 — Adding users and groups:

Just one question for this task: how would we add the user test into the group test?

Well, this command needs to be run as the root user, so we’ll be using sudo here.

We know from the task that the basic syntax for modifying users is:
usermod -a -G <groups> <user>

So lets sub in our values:

sudo usermod -a -G test test

Task 43 — The True Ending:

And here we have it. The one we’ve all been waiting for. The question that’s been driving people insane. What’s the flag at /root/root.txt?

Well, this is not exactly a conventional privesc. Paradox wasn’t lying when he said that all the tools to find it were taught in the room. There’s nothing fancy here.

First thing to do is use sudo -l on each of the four users we have access to. You’ll find that none of them can use sudo, so that’s definitely not an option.

Let’s search for files belonging to each of the shiba users.

find / -user <insert-username-here> -type f 2>>/dev/null

Shiba2 owns an interesting file:

Finding the unusual file
/var/log/test1234 file

We haven’t used that yet in this room, have we?

Let’s have a look at the file permissions using ls -l:

Using ls -l to see the file permissions for /var/log/test1234
File permissions for /var/log/test1234

Right, so look at those file permissions. The file is owned by shiba2 and it’s readable only by its owner and group. That means we’ll need to use su to become shiba2 before we can open the file:

Using su to switch user to shiba2
Switching user to shiba2

We should now be able to open our mysterious file:

cat /var/log/test1234
Getting credentials for nootnoot from /var/log/test1234
Reading /var/log/test1234

Aha! Those look like credentials for the nootnoot user. Let’s switch to that user now:

Using su to switch user to nootnoot
Switching to user nootnoot

Can this user use sudo as root?

Using sudo -l to check privileges of nootnoot
sudo -l

Yep! Full root privileges!

From here it’s a simple matter to read the flag using sudo to pretend to be the root user:

Read the root flag with cat
Root Flag!

And we’re done!

Certainly not a conventional privilege escalation, but all the more fun as a result of it!

I hope that you’ve learnt something in the course of this room, and now feel ready to go and tackle some challenges!

50 thoughts on “Learn Linux — Write-up

      1. Hi Alex,
        There should be a big green “Deploy” button in Task 1.
        If you click on that it will give you an IP to connect to 🙂

  1. Hi,
    thanks for the dedication to teach us,

    so i am stuck trying to get the password for shiba3
    when trying to run the binary i first got no such file or directory then when i did ~/shiba2 instead it returns cat: etc/shiba/shiba3 permission denied.

    even when i tried to start over again the binary ./shiba1 doesnt even work again…

    as for my connection i am using the kali machine to ssh into the room machine.

    1. Hi,
      In all honesty I can’t picture what you’re doing here. I would suggest checking your bash prompt to see your current directory (if it’s a tilde ~ you know you’re in the home directory for your current user). The prompt should look something like shiba1@nootnoot:~$. You can use ls to check the contents of your current directory. If the binary you’re trying to isn’t in there then you won’t be able to do it with ./.
      Sounds like this is to do with locations though — pay attention to the screenshots in the write-up if you’re struggling; they’ll show you which directory you need to be in.

      1. Been at it for a while now. “~/”, “./” and ensured that I followed all the previous steps and I still get the ” cat : /etc/shiba/shiba3: Permission denied”. Any suggestions?

        1. Did you ever complete this? i am completely new to linux and have been finding most things make lots of logical sense. however … i am stuck on this task 21 and cant seem to get the password for shiba3 and am not sure where i am going wrong. i have even followed step by step tutorials and STILL no luck.

  2. heyyy

    i am stuckkkk, permission denied after setting variable and running binary, even accessed the etc/shiba directory and found the shiba3 but cant run a cat on it or even chmod to change the permission the permission can only be changed by shiba3 itself i guess, lol shiba4 password was gotten instead,

    please help

  3. Thank you,

    it worked but i am actually shocked why it didnt work yesterrday..and i was on the right directory of shiba2@nootnoot:~$.

  4. Thank you so much for the write-up man!

    Great job, btw loved your ‘Research Room’, great work, and you are just 18!! Well done.

    I would love to follow you on Twitter!

  5. Awesome room, learned some few stuff despite working on Linux every day for the last year, and a great writeup for when I came unglued a couple of times. Particularly on the last challenge.

  6. Hello!
    im stuck into the 10th task.. I just cant acess any file by the ./ ../ or ~/
    and when i create the noot.txt by touch, nothing happens, i cant acess shiba1.

    I dont know what im doing wrong…

    sorry that im so noob and thanks

  7. Hey in task 24 chmod in the beginning you have mentioned that the the syntax of this command is typically chmod .

    Isn’t the syntax chmod ?

  8. Hi, Everyone here in the community……
    i was stucked in the error of ssh…

    ssh: connection refused to host error

    i did deployed the machine & trying to connect to it..but it never connects
    even when i updated openssh-server ,client & ssh itself….nobody in the other communities cant help me….

    Thankyou,i was searching for this …for a month now!!😊

  9. thanks for this was seriously over thinking task 43.

    knew that nootnoot was the only sudo user and i might have to access the user but was over the how to get there.

    thanks again.

  10. Task 33 — shiba3: I do not understand how by us creating a file using touch magically spits out the password. Can someone please explain what im missing here??

    1. The binaries are compiled programs that check to see that you’ve met the conditions of the task.
      So, in that instance, the logic would be:

      If file exists:
          Give Password
          Do Nothing

      No magic involved.

      1. ok now that makes sense. thank you. and you know this because ./ is what you use to run a program from terminal correct?

  11. Hello, thank you very much for your contribution
    I was wondering what exactly optimization level = 2 does in the find command in task 43
    because I tried “find / -user shiba2 -type f >> test.txt” and got a totally different output, and when you use 2 you have to put the operator “>>” without space next to the number “2 >>” already otherwise it doesn’t work.
    I would really appreciate an answer, anyway the room was incredible for the new users like me.

  12. at what point in hacking does the methodology become clear in how to approach a box? I worked on task 43 for 2 hours before coming here. Never once did the idea of “searching for files” from the 4 users… I tried to get a binary to execute like before, i tried, to find the /root/root.txt file n only got permission denied.

    So yeah, at what point in learning does the methodology in how to approach a test become clear??

  13. Used you for the final test. Nicely done.

    Checked all permissions and just missed the file!!

    Will review the null piece which I have not used for what seems an age!

    Thanks again.

  14. Thank you for the write up. However, I have an issue with Task 33. When I run ./shiba2 > noot.txt as user shiba2 I receive the following: Segmentation fault (core dumped). is there a problem with the file that is not working correctly? I can complete all other tasks successfully, but cannot run the shiba2 binary.

    1. Correction. I was able to exit the vm and re-enter and was able to complete the task. My apologies for any unnecessary confusion or troubleshooting.

  15. for the last task 43:

    I followed everything, found out nootnoot had root priviledges, and then pretended to be root by typing:

    sudo cat root/root.txt

    cat: root/root.txt: No such file or directory

    i did as exactly as you said, do you know why I can’t access the root directory from nootnoot?

  16. In task 21, I accidentally ran ‘echo test1234 > $USER’ and I think change the shiba2 file. When I run ‘./shiba2’ I get: ‘./shiba2: line 1: test1234 : command not found’. How do I fix this?

  17. hey, I finished this room thanks to the help of this but I don’t understand task 43 like what made you use shiba2 and not Shiba 3 was it trial and error. I am confused on that I understand everything after that it’s just how you found it was shiba2 also what does this stuff mean
    *** -type f 2>>/dev/null***
    can someone explain please would be greatly appreciated

    1. In terms of the first question, yes, that was just trial and error — or rather, I checked all of them, but only included the correct one in the write-up.
      I have just explained what that part of the find command does in another response, quoted:-
      -type f tells it to look specifically for files. 2>>/dev/null sends all errors to /dev/null — basically discarding them.

  18. Thank you very much, your post has been really useful!
    In particular the explanation regarding the command find.

  19. I got stuck on task 43 and after looking at your walk-through I didnt quite understand the use of -type f 2>>/dev/null can you please explain?

    1. I would recommend taking a look at the TryHackMe room on The Find Command
      That said, -type f tells it to look specifically for files. 2>>/dev/null sends all errors to /dev/null — basically discarding them.

      1. Thanks for the explanation of the /dev/null. Appreciate the help God bless and have a great one!

  20. This was amazing, especially for someone new to all of this. Not going to lie i just used Hydra to attack nootnoot through SSH because i was getting so mad at the last challenge!
    Amazing job man.

  21. Task 11 (creating a noot.txt file):
    I tried creating noot.txt file using the command :
    touch noot.txt
    It gave an error saying permission denied.
    Then I tried using :
    sudo touch noot.txt
    After entering the password it gave and error that we are not sudoers.
    What should I do?

  22. Thank you very much for this write up. It helped me out a lot. I admit I didn’t think of using find 🙂 I was really stuck at the True Ending and your write-up helped out a lot especially trying to understand the flow. Thank you.

    1. I use cmder when I’m on Windows, so I can’t really tell you why cygwin isn’t working for you. I would suspect it either doesn’t have access to the TAP OpenVPN adaptor, or you don’t have your VPN connection set up.

  23. Thanks for the guide. I just think that the wording for many of the challenges is not clear enough, for instance task 21 never states that the environment variable needs to be set. Just says that the binary is already checking for that, and of course when you run the bin it appears to be corrupted or something. I’d have worded it as: “Create a binary that…” Anyway, thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here : *

Reload Image