I completed this CTF in early December 2023, but SANS requested that no walkthroughs be posted until after January 6. So here we are. This is the walkthrough for the Linux 101 room.
Important Note: I did this walkthrough using a Firefox browser, which didn’t show underscores “_” in their console
First step is just to type ‘yes’ to start.
Next they want us to do a directory listing. The command for this is ‘ls’.
Next they want us to find the troll. I did this with the ‘cat’ command.
In the clue above they want us to remove the troll. We can use the ‘rm’ command for this.
This ask is to view the directory we are currently in. The ‘pwd’ command can do this.
Here they are asking us to do a directory listing but include any hidden files. We can do that with ‘ls -a’.
This question can be answered using the ‘history’ command.
To review environment variables you can use the ‘printenv’ command
In this screenshot, you can see all the environment variables from the previous question. To change into the workshop directory use the ‘cd’ command.
Now, they want us to search though a bazillion files all called toolbox_xx.txt. Somewhere in one of those is the word troll. We can use ‘grep’ to search all these files for that text.
grep -rni "troll"
Above, you can see that we found the troll, but now there is another one. This wants us to execute a file, but we can’t do it until we change the permissions.
chmod 755 present_engine
You can see the previous 2 commands above and the results. We now have a new ask to rename a file. Frist, we have to move into the electrical directory then we use the ‘mv’ command to rename the file.
mv blown_fuse0 fuse0
The above question is asking us to use links or ‘ln’.
ln -s fuse0 fuse1
In the above, we are being asked to copy a file. The ‘cp’ command can do that.
cp fuse1 fuse2
Here they want us to edit a file. In order to do that we need to open the file. I used ‘nano’ to do this.
This will open up an editor so we can add in ‘TROLL_REPELLENT’.
The we click CTRL+F then X to close. It will ask us if we want to save, we type Y for yes and confirm we don’t want to change the name by clicking return.
Here we need to change directories ‘cd’ again and then find a file with the name troll in it.
find * -iname '*troll*'
Back to the ‘find’ command for group troll
find -group troll
More find, but now we want to limit to files of a certain size.
find -size +108k -size -110k
We can find running processes by using the ‘ps’ command.
We need to look and see whats happing on a certain port. We can use ‘netstat’ for that.
Now we need to access the port on the local machine.
Last one. This is tricky, because we want to stop the process via the pid, so we have to use ‘ps’ again to find it. Once we have it we use the ‘kill’ command.
Congratulations, you’ve cleared the room and earned the badge.