https://tryhackme.com/room/linuxcli-aoc2025-o1fpqkvxti
Created by: tryhackme, Maxablancas, TactfulTurtle
It’s that time of the year again! Advent of Cyber at TryHackMe. I always enjoy this event. Last year, I was unable to participate due to college sucking up all of my time, so I’m excited to be back! This room is guided by THM’s protagonist, McSkidy!
“The unthinkable has happened – McSkidy has been kidnapped. Without her, Wareville’s defenses are faltering, and Christmas itself hangs by a thread. But panic won’t save the season. A long road lies ahead to uncover what truly happened. The TBFC (The Best Festival Company) team already brainstorms what to do next, and their first lead points to the tbfc-web01, a Linux server processing Christmas wishlists. Somewhere within its data may lie the truth: traces of McSkidy’s final actions, or perhaps the clues to King Malhare’s twisted vision for EASTMAS.”
This first room centers on the Linux terminal. It is beginner-friendly and starts off with a few basic commands.

McSkidy shows how to find hidden files and folders in Linux with the ls -la command. With this, we obtain our first Advent flag! At this point, we know the answer to the first question as well.

Next, we move on to the powerful grep command. If you run ls -la while in /var/log, you get a lot of files and folders. Per THM, /var/log is “…where all the security events(logs) are stored.” To make things easier, let’s use grep to search for what we need. McSkidy wants us to look at auth.log.


That’s a lot of failed passwords from eggbox! Next up is the find command. With it, we find a file ending in the .sh extension, which means it’s a script! Scripts are used by admins, but also by attackers, to automate commands.
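To go one step past eyeballing the grep output from auth.log, here is an added example (not part of the room or of this write-up's original steps) that tallies failed SSH passwords per source and lists sources that logged in after failing. It assumes the usual OpenSSH "Failed password for ... from ... port ..." line format; the log lines, account names and the address 192.0.2.7 are constructed sample data, and only the name eggbox comes from the text above.

```shell
#!/bin/sh
# Added example. Every log line below is constructed sample data in sshd's
# usual auth.log format; users, ports and 192.0.2.7 are invented.
sample_auth_log() {
cat <<'EOF'
Dec  1 08:14:02 tbfc-web01 sshd[2101]: Failed password for root from eggbox port 40112 ssh2
Dec  1 08:14:05 tbfc-web01 sshd[2101]: Failed password for invalid user admin from eggbox port 40114 ssh2
Dec  1 08:14:09 tbfc-web01 sshd[2103]: Failed password for invalid user elf from eggbox port 40120 ssh2
Dec  1 08:15:30 tbfc-web01 sshd[2110]: Failed password for mcskidy from 192.0.2.7 port 51822 ssh2
Dec  1 08:15:41 tbfc-web01 sshd[2110]: Accepted password for mcskidy from 192.0.2.7 port 51824 ssh2
Dec  1 08:16:02 tbfc-web01 sshd[2115]: Failed password for invalid user from from eggbox port 40131 ssh2
Dec  1 08:17:01 tbfc-web01 CRON[2200]: pam_unix(cron:session): session opened for user root
EOF
}

# failed_by_source FILE -> "count source" lines, busiest source first.
# The source is the token between "from" and "port"; the username is chosen
# by the client, so a user literally named "from" must not be taken for it.
failed_by_source() {
  grep -aE 'sshd\[[0-9]+]: Failed password for ' "$1" |
    awk '{ s = ""
           for (i = 1; i < NF - 1; i++)
             if ($i == "from" && $(i + 2) == "port") s = $(i + 1)
           if (s != "") n[s]++ }
         END { for (s in n) print n[s], s }' |
    sort -k1,1nr -k2,2
}

# sources_over THRESHOLD FILE -> sources with at least THRESHOLD failures.
sources_over() {
  failed_by_source "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures FILE -> sources that failed and later logged in.
# One mistyped password looks the same as a guess that finally worked, so
# treat the output as a list to review, not as a verdict.
success_after_failures() {
  grep -aE 'sshd\[[0-9]+]: (Failed|Accepted) password for ' "$1" |
    awk '{ s = ""
           for (i = 1; i < NF - 1; i++)
             if ($i == "from" && $(i + 2) == "port") s = $(i + 1)
           if (s == "") next
           if ($0 ~ /: Failed password for /) f[s]++
           else if (f[s] > 0) hit[s] = 1 }
         END { for (s in hit) print s }' |
    sort
}
```

To try it on the sample, write it to a file with sample_auth_log > /tmp/auth.sample and pass that path to each function.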




Sir Carrotbane seems to be the one who has attacked the server and replaced the Xmas Wishlist with an Eastmas one! Going to the website, we see the details of what has transpired.

THM goes over some other Linux commands as well, such as uptime, ip addr, and ps aux. They also bring up /etc/shadow, which is where every username and hashed password is stored. Next up, we want to switch to the root user with sudo su. We are doing this because we are unable to look at the command history with our current account.

Now, let’s look at the bash history. Instead of doing cat .bash_history, you can also just use the history command. Doing so, we obtain our last flag for the room!

Let’s check out the other questions we need to answer.


There is also an option to start a side quest. There is a hint in the room that tells you where to go, and you can follow along if you wish. I might try and do this later, but I really want to just focus on doing the main Advent events and keep doing the SOC path.