Overview
A walkthrough of TryHackMe's "Linux Fundamentals Part 3".
Task3
Q2.Edit "task3" located in "tryhackme"'s home directory using Nano. What is the flag?
View the contents of the file with the cat command.
$ cat ./task3
THM{TEXT_EDITORS}
A.THM{TEXT_EDITORS}
Task4
Q3.Download the file <ip address>.flag.txt onto the TryHackMe AttackBox. Remember, you will need to do this in a new terminal. What are the contents?
Hint.Use wget! It's a hidden file so don't forget the period in .flag.txt when downloading and catting
Start an HTTP server on the target machine using Python.
tryhackme@linux3:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Download the flag.txt file from the server with the wget command and view its contents.
root@ip-10-10-67-95:~# wget http://10.10.43.27:8000/.flag.txt
--2024-04-18 12:48:48-- http://10.10.43.27:8000/.flag.txt
Connecting to 10.10.43.27:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [text/plain]
Saving to: ‘.flag.txt’
.flag.txt 100%[============>] 20 --.-KB/s in 0.001s
2024-04-18 12:48:48 (34.7 KB/s) - ‘.flag.txt’ saved [20/20]
root@ip-10-10-67-95:~# cat ./.flag.txt
THM{WGET_WEBSERVER}
A.THM{WGET_WEBSERVER}
Task5
Q2.If we were to launch a process where the previous ID was "300", what would the ID of this new process be?
A.301
Q3.If we wanted to cleanly kill a process, what signal would we send it?
This is covered in the "Managing Processes" section of the Task5 description.
Managing Processes
You can send signals that terminate processes; there are a variety of types of signals that correlate to exactly how "cleanly" the process is dealt with by the kernel. To kill a command, we can use the appropriately named kill command and the associated PID that we wish to kill. i.e., to kill PID 1337, we'd use kill 1337.
Below are some of the signals that we can send to a process when it is killed:
SIGTERM - Kill the process, but allow it to do some cleanup tasks beforehand
SIGKILL - Kill the process - doesn't do any cleanup after the fact
SIGSTOP - Stop/suspend a process
A.SIGTERM
Q4.Locate the process that is running on the deployed instance (10.10.43.27). What flag is given?
Hint.Use ps aux to list all running processes. We're looking for a process that seems "out of the ordinary"
grep the output of ps aux for the string THM{, which the flag presumably contains.
$ ps aux | grep "THM{"
root 480 0.0 0.0 2364 512 ? S 11:41 0:00 THM{PROCESSES}
A.THM{PROCESSES}
Q5.What command would we use to stop the service "myservice"?
Hint.systemctl [option] [service]
A.systemctl stop myservice
Q6.What command would we use to start the same service on the boot-up of the system?
Hint.systemctl [option] [service]
A.systemctl enable myservice
Q7.What command would we use to bring a previously backgrounded process back to the foreground?
A.fg
Task6
Q2.When will the crontab on the deployed instance (10.10.43.27) run?
Hint.Take a look at the position and the value within the appropriate column
Check with the crontab -e command.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@reboot /var/opt/processes.sh
A.@reboot
Task8
Q2.What is the IP address of the user who visited the site?
Find the IP address in the /var/log/apache2/access.log.1 file.
$ cat /var/log/apache2/access.log.1
10.9.232.111 - - [04/May/2021:18:18:16 +0000] "GET /catsanddogs.jpg HTTP/1.1" 200 51395 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
A.10.9.232.111
Q3.What file did they access?
The request path in the access log checked in Q2 is /catsanddogs.
A.catsanddogs.jpg
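Task8 Q2 and Q3 both read one line of an Apache access log by eye. The following is an added example, not part of the original walkthrough, that pulls the client IP, method, path and status out of every line of such a log and counts distinct requests. The function names are hypothetical, and every sample line except the first (taken from the log above) is constructed.

```shell
#!/bin/sh
# Added example (not from the walkthrough): summarise an Apache "combined" access log.
# summarize_access_log and make_sample_log are hypothetical helper names.

# Print "count client_ip method path status" per distinct request, busiest first.
summarize_access_log() {
    # Splitting each line on double quotes isolates the request line:
    #   field 1 = IP, ident, user, [timestamp]
    #   field 2 = METHOD PATH PROTOCOL
    #   field 3 = STATUS BYTES
    # Apache writes embedded quotes as \" and this simple split does not handle them.
    awk -F'"' '
        NF >= 3 {
            split($1, head, " ")    # head[1] is the client IP
            split($2, req, " ")     # req[1] is the method, req[2] the path
            split($3, tail, " ")    # tail[1] is the status code
            if (req[2] == "") next  # skip entries with no parsable request, e.g. "-"
            print head[1], req[1], req[2], tail[1]
        }
    ' "$1" | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 |
        awk '{ print $1, $2, $3, $4, $5 }'   # trim the padding uniq -c adds
}

# Write a sample log: line 1 is the entry shown in Task8, the rest are constructed.
make_sample_log() {
    cat > "$1" <<'EOF'
10.9.232.111 - - [04/May/2021:18:18:16 +0000] "GET /catsanddogs.jpg HTTP/1.1" 200 51395 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
10.9.232.111 - - [04/May/2021:18:19:02 +0000] "GET /catsanddogs.jpg HTTP/1.1" 200 51395 "-" "ExampleAgent/1.0"
192.0.2.10 - - [04/May/2021:18:20:41 +0000] "GET /index.html HTTP/1.1" 404 196 "-" "ExampleAgent/1.0"
192.0.2.10 - - [04/May/2021:18:21:07 +0000] "-" 408 0 "-" "-"
EOF
}

sample=$(mktemp)
make_sample_log "$sample"
summarize_access_log "$sample"
rm -f "$sample"
```

On the deployed instance the same function can be pointed at /var/log/apache2/access.log.1 instead of the sample file.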