Advent of Cyber 2025 – Day 1: Linux CLI – Shells Bells (Full Walkthrough)


 


Christmas is in danger — and our first challenge begins with a mystery!
In Advent of Cyber 2025 Day 1, we dive into the Linux Command-Line Interface (CLI) and uncover clues behind the kidnapping of McSkidy. This room teaches the basics of Linux commands and shows how they’re used in security investigations.

Let’s break down the entire room in a clear, beginner-friendly way.


🎄 The Story Begins

McSkidy has been kidnapped, and Wareville’s defenses are failing.
Our first lead points to tbfc-web01, a Linux server managing Christmas wishlists. Hidden inside it are clues about the attack… and maybe McSkidy’s last actions.

Your mission?
Use Linux commands to explore the server and uncover what happened.


🖥️ Connecting to the Machine

Once the machine is started, you get a Linux terminal.
This is where all commands will be typed — no GUI needed.


🔰 Task 1: Learning Basic Linux Commands

1. Say Hello

echo "Hello World!"

2. List Files

ls

This shows files in McSkidy’s home directory.

3. Read a File

cat README.txt

Inside, McSkidy warns about suspicious “Eggsploit” activity.


📁 Task 2: Navigating the File System

Check where you are:

pwd

Move to the Guides folder:

cd Guides

List hidden files:

ls -la

There you find a hidden file: .guide.txt

Read it:

cat .guide.txt

It contains clues related to logs and “eggshells”.


🔍 Task 3: Checking System Logs With Grep

Go to the logs directory:

cd /var/log

Search for failed login attempts:

grep "Failed password" auth.log

You’ll see failed logins from HopSec, revealing that attackers tried to breach the system.
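Going one step past the grep above, this added example (not part of the room or of the original walkthrough) counts failed logins per source address and per targeted account, which is usually the first triage step on an auth.log. The log lines are constructed samples in the usual sshd format, and the function names and IP addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: summarise "Failed password" entries from an sshd auth log.
# sample_auth_log prints CONSTRUCTED sample lines (documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
Dec  1 08:14:02 tbfc-web01 sshd[1201]: Failed password for socmas from 203.0.113.7 port 51122 ssh2
Dec  1 08:14:05 tbfc-web01 sshd[1201]: Failed password for socmas from 203.0.113.7 port 51122 ssh2
Dec  1 08:14:09 tbfc-web01 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Dec  1 08:20:41 tbfc-web01 sshd[1250]: Accepted password for mcskidy from 198.51.100.20 port 40022 ssh2
Dec  1 08:31:17 tbfc-web01 sshd[1302]: Failed password for mcskidy from 198.51.100.20 port 40100 ssh2
EOF
}

# failed_by_source [FILE]: print "<count> <source address>", busiest first.
# The address is taken as the 4th field from the end ("from IP port N ssh2"),
# so an "invalid user" entry or an odd username cannot shift the column.
failed_by_source() {
  grep "Failed password" "${1:-/var/log/auth.log}" |
    awk '{ print $(NF-3) }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# failed_users [FILE]: print "<count> <account name>", most targeted first.
# Accounts that do not exist are logged as "invalid user NAME"; strip that
# prefix so existing and non-existing accounts are counted the same way.
failed_users() {
  grep "Failed password" "${1:-/var/log/auth.log}" |
    sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Demo run against the constructed sample.
log=$(mktemp)
sample_auth_log > "$log"
echo "Failed logins by source:"
failed_by_source "$log"
echo "Failed logins by account:"
failed_users "$log"
rm -f "$log"
```

Called with no argument, both functions read /var/log/auth.log, the file used in this task.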


🥚 Task 4: Searching for Eggsploits

Find suspicious files:

find /home/socmas -name "*egg*"

This reveals:

/home/socmas/2025/eggstrike.sh

Read the script:

cd /home/socmas/2025
cat eggstrike.sh

Inside the script:

  • Wishlist items are sorted and dumped

  • The real wishlist is deleted

  • It gets replaced with eastmas.txt

This confirms the system was sabotaged.


⚙️ Task 5: Understanding Linux Symbols

The script uses:

Symbol      Meaning
``
> / >>      Redirect output to a file
&&          Run next command if the previous succeeds

These are powerful tools in shell scripting.


🔐 Task 6: Checking System Utilities

Useful commands:

  • Check system uptime

    uptime
  • Check IP address

    ip addr
  • View running processes

    ps aux

Reading sensitive files (like /etc/shadow) requires root access.


👑 Task 7: Switching to Root User

Switch to root:

sudo su

Check who you are:

whoami

You are now root, the most powerful user.


📜 Task 8: Checking Bash History

Attackers often leave traces in history logs.

Go to root’s home:

cd /root

Read bash history:

cat .bash_history

Inside, you find upload commands revealing their activities — and a final flag.


🎯 Flags Collected

These are the main flags from Day 1:

  • THM{learning-linux-cli}

  • THM{sir-carrotbane-attacks}

  • THM{until-we-meet-again}


🕵️ Bonus Challenge

There’s a hidden note in:

/home/mcskidy/Documents/

This leads to Side Quest 1.


🎉 Conclusion

Day 1 of Advent of Cyber teaches:

  • Basic Linux commands

  • Navigating directories

  • Reading files

  • Searching logs

  • Identifying suspicious activity

  • Understanding shell scripts

  • Switching to root

  • Viewing bash history

This room is perfect for beginners learning cybersecurity.

More challenges await — this was just the start!
