TryHackMe: Advent of Cyber [Day 4] Training

Sep 12, 2020


Room: Advent of Cyber

Difficulty: Beginner

“With the entire incident, McElferson has been very stressed.

We need all hands on deck now!

To help resolve things faster, she has asked you to help the new intern, (mcsysadmin), get familiar with Linux.”

Access the machine via SSH on port 22 using the command:

ssh mcsysadmin@[your-machines-ip]

username: mcsysadmin
password: bestelf1234

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Question #1: How many visible files are there in the home directory (excluding ./ and ../)?

Let’s start by opening a command line on your attacking machine (OpenVPN or Kali) and connecting to the other VM via SSH using the credentials provided above.

Use the ls command to display all the files located in the home directory. Count those files and you will find the answer for flag #1.

Question #2: What is the content of file5?

For this flag, we simply use the cat command to reveal the contents of file5. Another easy flag!

cat file5

Question #3: Which file contains the string ‘password’?

For this next flag, we will use the grep command. With this syntax, grep searches every visible file in the current directory (here, the home directory) for the string you specify, password, and prints each matching line prefixed with the name of the file that contains it.

grep password *

You are now able to identify which file it is in.

Question #4: What is the IP address in a file in the home folder?

You can certainly use the cat command on each file to search through the contents manually, but there is a more efficient method using regex. If you would like a tutorial that goes into a bit more detail about regex, please check HERE. This is the source I used.

grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' *

Question #5: How many users can log into the machine?

To get the flag for this question we need to check out the /etc/passwd file, which lists every user account on the machine, including system and service accounts that never log in.

Let’s check out the content of that file with the following command:

cat /etc/passwd

You should see something like this:

Kind of confusing, but the way this breaks down is:

[username]:[password]:[UID]:[GID]:[comment]:[home directory]:[default shell]

You will notice that the password field here is usually replaced with an x, since the actual hashed passwords are stored in a different file, called /etc/shadow. If you would like some more in-depth information about how to decipher all of this, click HERE.

For now, what we are trying to do is narrow down how many users are logging in.

Users will have /bin/bash on the end of their entries, which represents the default login shell they are using to access the Linux system. You can simply look through all of the original output to find them, or use the following command for greater efficiency.

cat /etc/passwd | grep "/bin/bash"

You should now be able to determine how many users can log in.

Question #6: What is the sha1 hash of file8?

This is a rather simple flag. To check the sha1 hash of file8, use the following command:

sha1sum file8

Question #7: What is mcsysadmin’s password hash?

Recall that password hashes are stored in the /etc/shadow file. Let’s try to access them:

cat /etc/shadow

Looks like mcsysadmin does not have permission to view this file!

Perhaps there is another copy of this file somewhere on the system which will be easier to access? Backup files of important information can be quite common. Try this command:

find / -name 'shadow*' 2>/dev/null | head

Breaking this command down, find searches from the root directory (/) downward for anything whose name starts with ‘shadow’. The pattern is quoted so that the shell passes it to find unchanged instead of expanding it against the current directory. The 2>/dev/null part discards error messages, such as “Permission denied” for directories mcsysadmin cannot read, so they do not clutter the results. The | head portion trims the output to its first 10 lines.

To read more about what the head command can do, click HERE.

Hmm, here we see a file called “/var/shadow.bak”.

.bak is a common backup file extension. Let’s open this up:

cat /var/shadow.bak

Nice! Exactly what we were looking for!

When you input your answer, remember that the hash portion does not include /:18234:0:99999:7:::

Great job, we trained the new intern, mcsysadmin!

Hopefully you learned some things, such as NOT to leave unprotected backup files lying around for people to casually snoop in.
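
A defender-side check for the misconfiguration this room relies on, added here as an example (it is not part of the original walkthrough or of TryHackMe's material): it lists files under a directory that any user can read and that contain shadow-format entries. The function names and the constructed sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for world-readable copies of
# shadow-format data (the /var/shadow.bak problem from this room).

# is_shadow_format FILE -> exit 0 if any line has the 9 colon-separated
# fields of /etc/shadow and a second field shaped like a crypt(3) hash.
is_shadow_format() {
    awk -F: 'NF == 9 && $2 ~ /^\$[0-9a-z]+\$/ { found = 1; exit }
             END { exit !found }' "$1" 2>/dev/null
}

# find_exposed_shadow_copies DIR -> print every regular file under DIR
# that has the "other" read bit set (-perm -004) and holds shadow entries.
find_exposed_shadow_copies() {
    find "$1" -xdev -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
        if is_shadow_format "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree -> build a constructed test tree and print its path.
# The salt and hash below are placeholders, not a real credential.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    entry='elf:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18234:0:99999:7:::'
    printf '%s\n' "$entry" > "$d/shadow.bak";    chmod 644 "$d/shadow.bak"
    printf '%s\n' "$entry" > "$d/shadow.safe";   chmod 600 "$d/shadow.safe"
    printf 'just some notes\n' > "$d/notes.txt"; chmod 644 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /var   (run as root so every directory can be read)
if [ $# -gt 0 ]; then
    find_exposed_shadow_copies "$1"
fi
```

Any path it prints should be deleted, or restricted to root with chmod 600, the same way /etc/shadow itself is protected.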

Happy Hacking! ❤