Skip to main content

Working with Linux CLI

Overview

Room URL: https://tryhackme.com/room/linuxcli-aoc2025-o1fpqkvxti
Difficulty: Easy
Category: Linux Command Line
Date Completed: 12/1/2025

Objective

Investigate the compromise of TBFC's systems by mastering essential Linux command-line tools. Navigate the filesystem using cd and pwd, uncover hidden files and security guides using ls -la, analyze system logs with grep to identify failed login attempts from HopSec Island, and locate the malicious Eggstrike script using the find command. Successfully demonstrate your ability to examine suspicious shell scripts, understand command piping and output redirection, and gather evidence of Sir Carrotbane's attack on the SOC-MAS ordering platform to protect Wareville's Christmas systems.

Table of Contents

Introduction
Walk Through
Lessons Learned
Resources

Introduction

With McSkidy potentially compromised and HopSec's attacks escalating, you're thrust into the heart of TBFC's investigation armed only with a command-line interface. While most users panic without a graphical desktop, cybersecurity professionals know that the Linux CLI is far more powerful than any GUI—it's the weapon of choice for defenders and attackers alike. As you navigate McSkidy's home directory and follow cryptic clues left behind, you'll uncover evidence of Sir Carrotbane's malicious Eggstrike campaign that threatens to replace Christmas wishes with an "EASTMAS" invasion. Through mastering essential CLI commands—from basic file listing with ls to powerful log analysis with grep and file discovery with find—you'll learn not just how to operate Linux, but how to think like a SOC analyst hunting for evidence of compromise. This challenge teaches you that Linux isn't intimidating; it's liberating.

Linux Commands

Command Syntax Purpose
echo echo "text" Display text or output to the terminal
ls ls [directory] List files and directories in the current or specified location
cat cat [filename] Display the contents of a file to standard output
cd cd [directory] Change to a different directory
pwd pwd Print the current working directory path
ls -la ls -la [directory] List all files including hidden ones (prefixed with .) with detailed information like permissions and ownership
grep grep "search_term" [filename] Search for specific text patterns within a file
find find [path] -name [pattern] Search for files matching a specific name or pattern in a directory and its subdirectories
uptime uptime Display how long the system has been running and current load average
ip addr ip addr Check and display the system's IP address configuration
ps aux ps aux List all currently running processes on the system
sudo su sudo su Switch to the root (administrator) user
whoami whoami Display the current logged-in user
exit exit Exit the current user session or terminal
history history Display the command history for the current user

CLI Features

Special Symbol Name Purpose Example
| Pipe Send the output from the first command as input to the second command cat unordered-list.txt | sort | uniq
> Output Redirect (Overwrite) Redirect command output to a file, overwriting any existing content some-long-command > /home/mcskidy/output.txt
>> Output Redirect (Append) Redirect command output to a file, appending to the end of existing content echo "new line" >> /home/mcskidy/output.txt
&& Logical AND Execute the second command only if the first command completes successfully grep "secret" message.txt && echo "Secret found!"

Walk Through

  1. First question is what command would you use to list the files in a directory?
    1. ls
  2. What flag did you see in McSkidy's Guide?
    1. Upon loggin into McSkidy's dekstop, there is a README.md file in his root directory.
    2. Used cat README.tx to display the contents of the file.
      1. "For all TBFC members, Yesterday I spotted yet another Eggsploit on our servers. Not sure what it means yet, but Wareville is in danger. To be prepared, I'll write the security guide by tomorrow. As a precaution, I'll also hide the guide from plain view. ~McSkidy"
    3. Used cd Documents to chang directories into McSkidy's documnets folder.
    4. Knowing that there are hidden files, used ls -lsa to view all files in this folder.
      1. Found a read-me-please.txt files
      2. mcskiddyrmp.png
    5. Used cd../ to reture to the home directory.
    6. Ran ls -lsa on all folder to see where to focus next.
    7. The only other folder that had content was the Guides folder
      1. Used cd Guides to change directories to Guides folder.
      2. Used ls -lsa to list all files
      3. Found file called .guides.txt (Used . to hide the file)
        1. cat .guides.txt to display the contents
        2. day1flag1.png
  3. What command helped you filter logs for failed logins?
    1. grep
  4. What flag did you find in the Eggstrike script?
    1. Used cd /home to move to the directory that has everyone's home folder
    2. Used find -name *egg* to search everyone's home folder for egg related files (only searches folder McSkidy has access to)
    3. Found file at /home/socmas/2025/eggstrike.sh
    4. cd /home/socmas/2025 to move to the folder containing eggstrike
    5. cat eggstrike.sh to display contents in terminal
    6. day1flag2.png
  5. Which command would you run to switch to the sudo user?
    1. sudo su
  6. What flag did Sir Carrotbane leave in the root bash history?
    1. su root to switch to the root user
    2. history to display the bash history
    3. day1flag3.png
  7. Side quest from McSkidy Documents folder read-me-please.txt

    1. su eddi_knapp to switch users

    2. cd to move to eddi_knapp home directory

    3. ls -lsa Documents revealed 2 files

      1. mcskidy_note.txt.gpg
        1. This file is encrypted with gpg
      2. notes_on_photos.txt
        1. Photo notes:
          • backup all images weekly
          • sync with phone when connected
          • organize into 3 folders per year

    4. After this I then switched to the Pictures folder using cd ../Pictures

    5. Used ls -lsa to view all files in this directory

      1. found a file called .easter_egg
      2. cat .easter_egg
        • rabbit.png
      3. This revealed a passphrase fragment of c0M1nG
        1. PASSFRAG3 indicates this is the 3rd part of the passphrase
      4. I used cd fix_passfrag_backups_20251111162432 to explore the folder
        1. ls -lsa to view all files
        2. starting with the first one cat .bashrc.bak
          • pass1.png
          • This revealed part 1 of the passphrase 3ast3r
        3. All of the files in this folder only reaveal part 1 of the passphrase

Lessons Learned

  • Linux CLI Mastery is Essential for Defenders: The command line is not just a tool—it's the foundation of cybersecurity work. Understanding core commands like ls -la (viewing hidden files), grep (searching logs), find (locating malicious artifacts), and cat (reading file contents) transforms you from a bystander into an active investigator. Most servers worldwide run Linux, making CLI proficiency non-negotiable for any security professional.
  • Evidence Lives in Logs and Hidden Files: Attackers hide their tracks, but they can't erase everything. By combining log analysis with file discovery techniques, you uncovered the Eggstrike malware script that Sir Carrotbane used to compromise the wishlist system. This reinforces a critical lesson: always check /var/log/ for failed login attempts, use grep to filter noise from noise, and remember that hidden files (prefixed with .) often contain both legitimate configurations and attacker artifacts.

Resources

TryHackMe

Back to top