Venus 11-20
Stage - lucy
flag - 11
8===AdCJ4wl8pmbhi770Xbd3===D~~
任务目标
/pwned/lucy/mission.txt
################
# MISSION 0x12 #
################
## EN ##
The password of the user elena is between the characters fu and ck
行动
ls -lah
total 48K
drwxr-x--- 2 root lucy 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 lucy lucy 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lucy lucy 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 lucy lucy 807 Apr 23 2023 .profile
-rw-r----- 1 root lucy 13K Jul 26 2023 file.yo
-rw-r----- 1 root lucy 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root lucy 205 Jul 26 2023 mission.txt
grep -E'fu.*ck|ck.*fu'file.yo
fu4xZ5lIKYmfPLg9tck
Stage - elena
flag - 12
8===st1pTdqEQ0bvrJfWGwLA===D~~
任务目标
/pwned/elena/mission.txt
################
# MISSION 0x13 #
################
## EN ##
The user alice has her password is in an environment variable.
行动
ls -lah
total 32K
drwxr-x--- 2 root elena 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 elena elena 220 Apr 23 2023 .bash_logout
-rw-r----- 1 root elena 3.5K Jul 26 2023 .bashrc
-rw-r--r-- 1 elena elena 807 Apr 23 2023 .profile
-rw-r----- 1 root elena 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root elena 189 Jul 26 2023 mission.txt
env | grep PASS
PASS=Cgecy2MY2MWbaqt
Stage - alice
flag - 13
8===Qj4NNWp8LOC96S9Rtgrk===D~~
任务目�标
/pwned/alice/mission.txt
################
# MISSION 0x14 #
################
## EN ##
The admin has left the password of the user anna as a comment in the file passwd.
行动
ls -lah
total 32K
drwxr-x--- 2 root alice 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 alice alice 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alice alice 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 alice alice 807 Apr 23 2023 .profile
-rw-r----- 1 root alice 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root alice 231 Jul 26 2023 mission.txt
cat /etc/passwd
......
alice:x:1014:1014:w8NvY27qkpdePox:/pwned/alice:/bin/bash
......
Stage - anna
flag - 14
8===5Y3DhT66fa6Da8RpLKG0===D~~
任务目标
/pwned/anna/mission.txt
################
# MISSION 0x15 #
################
## EN ##
Maybe sudo can help you to be natalia.
行动
ls -lah
total 32K
drwxr-x--- 2 root anna 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 anna anna 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 anna anna 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 anna anna 807 Apr 23 2023 .profile
-rw-r----- 1 root anna 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root anna 152 Jul 26 2023 mission.txt
sudo -l
Matching Defaults entries for anna on venus:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User anna may run the following commands on venus:
(natalia) NOPASSWD: /bin/bash
anna@venus:~$ sudo -u natalia /bin/bash
natalia@venus:/pwned/anna$ whoami
natalia
Stage - natalia
flag - 15
8===JWHa1GQq1AYrBWNXEJrH===D~~
任务目标
/pwned/natalia/mission.txt
################
# MISSION 0x16 #
################
## EN ##
The password of user eva is encoded in the base64.txt file
行动
ls -lah
total 40K
drwxr-x--- 2 root natalia 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 natalia natalia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 natalia natalia 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 natalia natalia 807 Apr 23 2023 .profile
-rw-r----- 1 root natalia 25 Jul 26 2023 base64.txt
-rw-r----- 1 root natalia 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root natalia 189 Jul 26 2023 mission.txt
-rw-r----- 1 root natalia 16 Jul 26 2023 nataliapass.txt
cat base64.txt | base64 -d
upsCA3UFu10fDAO
Stage - eva
flag - 16
8===22cqk3iGkGYVqnYrHiof===D~~
任务目标
/pwned/eva/mission.txt
################
# MISSION 0x17 #
################
## EN ##
The password of the clara user is found in a file modified on May 1, 1968.
行动
ls -lah
total 32K
drwxr-x--- 2 root eva 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 eva eva 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 eva eva 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 eva eva 807 Apr 23 2023 .profile
-rw-r----- 1 root eva 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root eva 240 Jul 26 2023 mission.txt
find / -daystart -type f -mtime +$(($(( $(date +%s) - $(date -d
/usr/lib/cmdo
/usr/lib/cmdo
39YziWp5gSvgQN9
Stage - clara
flag - 17
8===EJWmHDEQeEN1vIR7NYiH===D~~
任务目标
/pwned/clara/mission.txt
################
# MISSION 0x18 #
################
## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you)
行动
ls -lah
total 40K
drwxr-x--- 1 root clara 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 clara clara 220 Nov 13 12:16 .bash_logout
-rw-r--r-- 1 clara clara 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 clara clara 807 Apr 23 2023 .profile
-rw-r----- 1 root clara 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root clara 247 Jul 26 2023 mission.txt
-rw-r----- 1 root clara 244 Jul 26 2023 protected.zip
使用 base64 将 zip 文件传回本地
UEsDBAoACQAAAMFG+lZzdJ8jHAAAABAAAAAZABwAcHduZWQvY2xhcmEvcHJvdGVjdGVkLnR4dFVU
CQADKd/AZCnfwGR1eAsAAQQAAAAABAAAAAA1p/4kJie4z6wyYuU5N9W7cQ5FIJb5UGmHTrylUEsH
CHN0nyMcAAAAEAAAAFBLAQIeAwoACQAAAMFG+lZzdJ8jHAAAABAAAAAZABgAAAAAAAEAAACkgQAA
AABwd25lZC9jbGFyYS9wcm90ZWN0ZWQudHh0VVQFAAMp38BkdXgLAAEEAAAAAAQAAAAAUEsFBgAA
AAABAAEAXwAAAH8AAAAAAA==
爆破得到压缩包密码和用户密码
pass123
Ed4ErEUJEaMcXli
Stage - frida
flag - 18
8===Ikg2qj8KT2bGJtWvR6hC===D~~
任务目标
/pwned/frida/mission.txt
################
# MISSION 0x19 #
################
## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt.
行动
ls -lah
total 104K
drwxr-x--- 2 root frida 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 frida frida 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 frida frida 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 frida frida 807 Apr 23 2023 .profile
-rw-r----- 1 root frida 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root frida 250 Jul 26 2023 mission.txt
-rw-r----- 1 root frida 72K Jul 26 2023 repeated.txt
uniq -d repeated.txt
Fg6b6aoksceQqB9
Stage - eliza
flag - 19
8===zwWIPyDf2ozwVhCTxm1I===D~~
任务目标
/pwned/eliza/mission.txt
################
# MISSION 0x20 #
################
## EN ##
The user iris has left me her key.
行动
ls -lah
total 36K
drwxr-x--- 2 root eliza 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 eliza eliza 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 eliza eliza 3.5K Apr 23 2023 .bashrc
-rw-r----- 1 root eliza 2.6K Jul 26 2023 .iris_key
-rw-r--r-- 1 eliza eliza 807 Apr 23 2023 .profile
-rw-r----- 1 root eliza 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root eliza 143 Jul 26 2023 mission.txt
ssh -i .iris_key iris@localhost
Linux venus 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
_____
_______ ______ _____\ \ _____ _____ ______ _____ _____
\ | | | / / | ||\ \ \ \ \ \ \ _____\ \
| / / /|/ / /___/| \ \ | |\ | | | / / \ |
|\ \ \ |/| |__ |___|/ \ \ | | | | | | | | /___/|
\ \ \ | | | \ \| \ | | | \_/ /| ____\ \ | ||
\| \| | | __/ __ | \| | |\ \| / /\ \|___|/
|\ /| |\ \ / \ / /\ \| \ \__ | |/ \ \
| \_______/ | | \____\/ | /_____/ /______/|\ \_____/\ \|\____\ /____/|
\ | | / | | |____/| | | | | | \ | |/___/|| | || | |
\|_____|/ \|____| | | |______|/|_____|/ \|____| | | \|___||____|/
|___|/ |___|/
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *,
[== HMVLabs Chapter 1: Venus ==]
+===========================+
| Respect & |
| Have fun! |
| |
| https://hackmyvm.eu/venus |
+===========================+
Stage - iris
flag - 20
8===ClrdWOqlZ1vL61zSk9Va===D~~
任务目标
/pwned/iris/mission.txt
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
行动
ls -lah
total 60K
drwxr-x--- 3 root iris 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 iris iris 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 iris iris 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 iris iris 807 Apr 23 2023 .profile
drwxr-xr-x 2 root root 4.0K Jul 26 2023 .ssh
-rw-r----- 1 root iris 18K Jul 26 2023 eloise
-rw-r----- 1 root iris 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root iris 16 Jul 26 2023 irispass.txt
-rw-r----- 1 root iris 195 Jul 26 2023 mission.txt
Base64 转图片
yOUJlV0SHOnbSPm