As I continue my cybersecurity journey I wanted to publish my notes in order to provide helpful write-ups for other learners on the same journey, with the added benefit of explaining the concepts in a beginner friendly way. I intend to break things down bit by bit and provide further clarification for learners.

The second TryHackMe module is Linux Fundamentals II. This section helps us learn how to connect to a Linux machine remotely using SSH, advance the use of commands by providing flags & switches and use man pages and other root directories on a Ubuntu Linux install to gather further information. We also learn further commands used to interact with the file system, digress into file permissions and switching users.

What is SSH & how Does it Work?

In-browser functionality uses protocol called Secure Shell or SSH for short and is the common means of connecting to and interacting with the command line of a remote Linux machine.

Secure Shell or SSH simply is a protocol between devices in an encrypted form.

Using cryptography, any input we send in a human-readable format is encrypted for travelling over a network -- where it is then unencrypted once it reaches the remote machine.

• SSH allows us to remotely execute commands on another device remotely.

• Any data sent between the devices is encrypted when it is sent over a network such as the Internet

The TryHackMe AttackBox is a Ubuntu Linux machine that is hosted online in the cloud and can be interacted with via your browser.

Using SSH to Login to Your Linux Machine

The syntax to use SSH is very simple. We only need to provide two things:

1. The IP address of the remote machine

2. Correct credentials to a valid account to login with on the remote machine

Now that we are connected, any commands that we execute will now execute on the remote machine -- not our own.

Note: When you type a password into an ssh login prompt there is no visible feedback -- you will not be able to see any text or symbols appear as you type the password. It is still working, however, so just type the password and press enter to login.

Intro to Flags and Switches

A majority of commands allow for arguments to be provided. These arguments are identified by a hyphen and a certain keyword known as flags or switches.

We'll later discuss how we can identify what commands allow for arguments to be provided and understanding what these do exactly.

When using a command, unless otherwise specified, it will perform its default behaviour. For example, ls lists the contents of the working directory. However, hidden files are not shown. We can use flags and switches to extend the behaviour of commands.

Using our ls example, ls informs us that there is only one folder named "folder1" as highlighted in the screenshot below. Note that the contents in the screenshots below are only examples.

However, after using the -a argument (short for --all), we now suddenly have an output with a few more files and folders such as ".hiddenfolder". Files and folders with "." are hidden files. (The command is: ls -a)

Commands that accept these will also have a--help option. This option will list the possible options that the command accepts, provide a brief description and example of how to use it.

This option is, in fact, a formatted output of what is called the man page (short for manual), which contains documentation for Linux commands and applications.

The Man(ual) Page

The manual pages are a great source of information for both system commands and applications available on both a Linux machine, which is accessible on the machine itself and online.

To access this documentation, we can use the mancommand and then provide the command we want to read the documentation for. Using our ls example, we would use man ls to view the manual pages for ls like so:

DIRECTIONAL KEY TO MOVE DOWN TERMINAL PAGE= downward arrow

FLAG-h - provide output from LS to be in human readable format

Press Q - closes man page stands for quit. (vim / escape?)

Definition of man command:

List information about the FILEs (the current directory by default).

Sort entries alphabetically if none of -cftuvSUX nor --sort is speci\u2010

fied.

Filesystem Interaction Continued:

We covered some of the most fundamental commands when interacting with the filesystem on the Linux machine. For example, we covered how to list and find the contents of folders using ls and find and navigating the filesystem using cd.

In this task, we're going to learn some more commands for interacting with the filesystem to allow us to:

• create files and folders

• move files and folders

• delete files and folders

More specifically, the following commands:

Protip: Similarly to using cat, we can provide full file paths, i.e. directory1/directory2/note for all of these commands

Creating Files and Folders (touch, mkdir)

Creating files and folders on Linux is a simple process. First, we'll cover creating a file. The touch command takes exactly one argument -- the name we want to give the file we create. For example, we can create the file "note" by using touch note. It's worth noting that touch simply creates a blank file. You would need to use commands like echo or text editors such as nano to add content to the blank file:

USING TOUCH TO CREATE A NEW FILE:

tryhackme@linux2:~$ touch note

tryhackme@linux2:~$ ls

folder1 note

This is a similar process for making a folder, which just involves using the mkdir command and again providing the name that we want to assign to the directory. For example, creating the directory "mydirectory" using mkdir mydirectory:

USING MKDIR TO CREATE A NEW FOLDER:

tryhackme@linux2:~$ mkdir mydirectory

tryhackme@linux2:~$ ls

folder1 mydirectory note

Removing Files and Folders (rm)

rm is extraordinary out of the commands that we've covered so far. You can simply remove files by using rm. However, you need to provide the -R switch alongside the name of the directory you wish to remove.

Using rm to remove a file

tryhackme@linux2:~$ rm note

tryhackme@linux2:~$ ls

folder1 mydirectory

Using rm recursively to remove a directory

tryhackme@linux2:~$ rm -R mydirectory

tryhackme@linux2:~$ ls

folder1

Copying and Moving Files and Folders (cp, mv)

Copying and moving files is an important functionality on a Linux machine. Starting with cp, this command takes two arguments:

1. the name of the existing file

2. the name we wish to assign to the new file when copying

cp copies the entire contents of the existing file into the new file. In the screenshot below, we are copying "note" to "note2".

USING CP TO COPY A FILE

tryhackme@linux2:~$ cp note note2

tryhackme@linux2:~$ ls

folder1 note note2

Moving a file takes two arguments, just like the cp command. However, rather than copying and/or creating a new file, mv will merge or modify the second file that we provide as an argument. Not only can you use mv to move a file to a new folder, but you can also use mvto rename a file or folder. For example, in the screenshot below, we are renaming the file "note2" to be named "note3". "note3" will now have the contents of "note2".

USING MV TO MOVE A FILE

tryhackme@linux2:~$ mv note2 note3

tryhackme@linux2:~$ ls

folder1 note note3

Determining File Type

What is often misleading and often catches people out is making presumptions from files as to what their purpose or contents may be. Files usually have what's known as an extension to make this easier. For example, text files usually have an extension of ".txt". But this is not necessary.

So far, the files we have used in our examples haven't had an extension. Without knowing the context of why the file is there -- we don't really know its purpose. Enter the file command. This command takes one argument. For example, we'll use file to confirm whether or not the "note" file in our examples is indeed a text file, like so file note.

Permissions

As you would have already found out by now, certain users cannot access certain files or folders. We've previously explored some commands that can be used to determine what access we have and where it leads us.

In our previous tasks, we learned how to extend the use of commands through flags and switches. Take, for example, the ls command, which lists the contents of the current directory. When using the -lswitch, we can see ten columns such as in the screenshot below. However, we're only interested in the first three columns:

DETERMINING THE CONTENTS OF A FILE

tryhackme@linux2:~$ file note

note: ASCII text

PERMISSIONS 101

As you would have already found out by now, certain users cannot access certain files or folders. We've previously explored some commands that can be used to determine what access we have and where it leads us.

In our previous tasks, we learned how to extend the use of commands through flags and switches. Take, for example, the ls command, which lists the contents of the current directory. When using the -lswitch, we can see ten columns such as in the screenshot below. However, we're only interested in the first three columns:

Using ls -lh to list the permissions of all files in the directory

tryhackme@linux2:~$ ls -lh

-rw-r--r-- 1 cmnatic cmnatic 0 Feb 19 10:37 file1

-rw-r--r-- 8 cmnatic cmnatic 0 Feb 19 10:37 file2

Although intimidating, these three columns are very important in determining certain characteristics of a file or folder and whether or not we have access to it. A file or folder can have a couple of characteristics that determine both what actions are allowed and what user or group has the ability to perform the given action -- such as the following:

• Read

• Write

• Execute

Note: Diagram indicates column meanings (not pictured)

- : dash indicates file type. Dash is a regular file, D indicates a directory

rwx- read, write, execute permissions for the file owner

rwx (second listed) - " for the group owner of the file

rwx (listed third) - ' for all other users

(dashes for other users indicates permission not available)

Example: rw r r - owner can read and write but everyone else can only read it

Using su to switch to user2=

tryhackme@linux2:~$ su user2

Password:

user2@linux2:/home/tryhackme$

Let's use the "cmnatic.pem" file in our initial screenshot at the top of this task. It has the "-" indicator highlighting that it is a file and then "rw" followed after. This means that only the owner of the file can read and write to this"cmnatic.pem" file but cannot execute it.

The Differences Between Users & Groups

We briefly explored this in Linux fundamentals part 1 (namely, the differences between a regular user and a system user). The great thing about Linux is that permissions can be so granular, that whilst a user technically owns a file, if the permissions have been set, then a group of users can also have either the same or a different set of permissions to the exact same file without affecting the file owner itself.

Let's put this into a real-world context; the system user that runs a web server must have permissions to read and write files for an effective web application. However, companies such as web hosting companies will have to want to allow their customers to upload their own files for their website without being the webserver system user -- compromising the security of every other customer.

I.e.- A low privledge user cannot overwrite files on other peoples websites.

We'll learn the commands necessary to switch between users below:

Switching Between Users

Switching between users on a Linux install is easy work thanks to the su (=substitute user) command. Unless you are the root user (or using root permissions through sudo), then you are required to know two things to facilitate this transition of user accounts:

• The user we wish to switch to

• The user's password

The su command takes a couple of switches that may be of relevance to you. For example, executing a command once you log in or specifying a specific shell to use. I encourage you to read the man page for su to find out more.

NAME

su - change user ID or become superuser

SYNOPSIS

su [options] [username]

DESCRIPTION

The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly. Additional arguments may be provided after the username, in which case they are supplied to the user's login shell. In particular, an argument of -c will cause the next argument to be treated as a command by most command interpreters. The command will be executed by the shell specified in /etc/passwd for the target user. You can use the -- argument to separate su options from the arguments supplied to the shell.

However, I will cover the -l or --login switch. Simply, by providing the -lswitch to su, we start a shell that is much more similar to the actual user logging into the system - we inherit a lot more properties of the new user, i.e., environment variables and the likes.

Using su to switch to user2 interactively

tryhackme@linux2:~$ su user2

Password:

user2@linux2:/home/tryhackme$

For example, when using suto switch to "user2", our new session drops us into our previous user's home directory.

Using su to switch to user2 interactively

tryhackme@linux2:~$ su -l user2

Password:

user2@linux2:~$ pwd

user2@:/home/user2$

Where now, after using -l, our new session has dropped us into the home directory of "user" automatically.

COMMON DIRECTORIES

/etc. (PRONOUNCED ETSY)

This root directory is one of the most important root directories on your system. The etc folder (short for etcetera) is a commonplace location to store system files that are used by your operating system.

For example, the sudoers file highlighted in the screenshot below contains a list of the users & groups that have permission to run sudo or a set of commands as the root user.

Also highlighted below are the "passwd" and "shadow" files. These two files are special for Linux as they show how your system stores the passwords for each user in encrypted formatting called sha512.

Notable Comments of the /etc directory

tryhackme@linux2:/etc$ ls

shadow passwd sudoers sudoers.d

/var

The "/var" directory, with "var" being short for variable data, is one of the main root folders found on a Linuxinstall. This folder stores data that is frequently accessed or written by services or applications running on the system. For example, log files from running services and applications are written here (/var/log), or other data that is not necessarily associated with a specific user (i.e., databases and the like).

Notable contents of the /var directory

tryhackme@linux2:/var$ ls

backups log opt tmp

/root

Unlike the /homedirectory, the /root folder is actually the home for the "root" system user. There isn't anything more to this folder other than just understanding that this is the home directory for the "root" user. But, it is worth a mention as the logical presumption is that this user would have their data in a directory such as "/home/root" by default.

Notable contents of the /root directory

root@linux2:~# ls

myfile myfolder passwords.xlsx

/tmp

This is a unique root directory found on a Linuxinstall. Short for "temporary", the /tmp directory is volatile and is used to store data that is only needed to be accessed once or twice. Similar to the memory on your computer, once the computer is restarted, the contents of this folder are cleared out.

What's useful for us in pentesting is that any user can write to this folder by default. Meaning once we have access to a machine, it serves as a good place to store things like our enumeration scripts.

Note: this is similar to how ram works on a computer..

Notable contents of the /tmp directory

root@linux2:/tmp# ls

todelete trash.txt rubbish.bin

As always, if you see anything I've missed or have suggestions to add, feel free to drop me a line or let me know in the comments. Happy learning!

-Mary

Sources: TryHackMe Pre-security Pathway: Linux Fundamentals 1-3