Linux CLI - Shells Bells | Advent of Cyber 2025 - Day 1

This guide contains the answer and steps necessary to get to them for the Linux CLI - Shells Bells room.

Linux CLI

Linux CLI

Which CLI command would you use to list a directory?

The answer to this question can be found in the text.

Click for answer
ls
Complete on machine: Identify the flag inside of the McSkidy's guide.

After listing the directory, we can see a readme file. Lets read it using: cat README.txt.

This tells us there is a hidden guide in the guides folder. We navigate into it and look for any files using:
cmd
```
cd Guides
ls -la
```
Here we find the file '.guide.txt' which will hold the first flag. Opening it (cat .guide.txt) will automatically answer the question in Tryhackme.

Click for answer
THM{learning-linux-cli}
Which command helped you filter the logs for failed logins?

The answer to this question can be found in the text.

Click for answer
grep
Complete on machine: Identify the flag inside the Eggstrike script.

As stated in the text we look for failed login attempts in the 'auth' log.
cmd
```
grep "Failed password" auth.log
```
This gives us a few failed attempts for user 'socmas'. Next we will look into its home directory for any suspicious files.
cmd
```
find /home/socmas/ -name *eggs*
cat /home/socmas/2025/eggstrike.sh
```
Here we see a possibly malicious script file. Opening it reveals the next flag.

Click for answer
THM{sir-carrotbane-attacks}
Which command would you run to switch to the root user?

The answer to this question can be found in the text.

Click for answer
sudo su
Finally, what flag did Sir Carrotbane leave in the root bash history?

To view the bash history of the roort user, we must first switch to the root user using sudo su. Now we can use history to view the used bash commands.

Indeed we find the flag left behind for us.

Click for answer
THM{until-we-meet-again}
For those who consider themself intermediate and want another challenge, check McSkidy's hidden note in/home/mcskidy/Documents/to get access to the key forSide Quest 1!

Navigating to '/home/mcskidy/Documents/' we find a file called 'read-me-please.txt'. This files contains some information and several clues needed for us to find the key for the first sidequest of 2025. This will be further investigated in [Advent of Cyber '25 Side Quest](https://github.com/Kevinovitz/TryHackMe_Writeups/blob/main/ adventofcyber25sidequest/adventofcyber25sidequest.md)

Click for answer

Table of contents

Linux CLI

Which CLI command would you use to list a directory?

The answer to this question can be found in the text.

Click for answer
ls

Complete on machine: Identify the flag inside of the McSkidy's guide.

After listing the directory, we can see a readme file. Lets read it using: cat README.txt.

This tells us there is a hidden guide in the guides folder. We navigate into it and look for any files using:

cmd

cd Guides
ls -la

Here we find the file '.guide.txt' which will hold the first flag. Opening it (cat .guide.txt) will automatically answer the question in Tryhackme.

Guide

Click for answer
THM{learning-linux-cli}

Which command helped you filter the logs for failed logins?

The answer to this question can be found in the text.

Click for answer
grep

Complete on machine: Identify the flag inside the Eggstrike script.

As stated in the text we look for failed login attempts in the 'auth' log.

cmd

grep "Failed password" auth.log

This gives us a few failed attempts for user 'socmas'. Next we will look into its home directory for any suspicious files.

cmd

find /home/socmas/ -name *eggs*
cat /home/socmas/2025/eggstrike.sh

Here we see a possibly malicious script file. Opening it reveals the next flag.

Script

Click for answer
THM{sir-carrotbane-attacks}

Which command would you run to switch to the root user?

The answer to this question can be found in the text.

Click for answer
sudo su

Finally, what flag did Sir Carrotbane leave in the root bash history?

To view the bash history of the roort user, we must first switch to the root user using sudo su. Now we can use history to view the used bash commands.

History

Indeed we find the flag left behind for us.

Click for answer
THM{until-we-meet-again}

For those who consider themself intermediate and want another challenge, check McSkidy's hidden note in/home/mcskidy/Documents/to get access to the key forSide Quest 1!

Navigating to '/home/mcskidy/Documents/' we find a file called 'read-me-please.txt'. This files contains some information and several clues needed for us to find the key for the first sidequest of 2025. This will be further investigated in [Advent of Cyber '25 Side Quest](https://github.com/Kevinovitz/TryHackMe_Writeups/blob/main/ adventofcyber25sidequest/adventofcyber25sidequest.md)

Click for answer