Venus 21-30

Stage - eloise

flag - 21

8===57CzBLKaEq2N8YBFRu31===D~~

任务目标

/pwned/eloise/mission.txt
################
# MISSION 0x22 #
################

## EN ##
User lucia has been creative in saving her password.

行动

ls -lah
total 36K
drwxr-x--- 2 root   eloise 4.0K Jul 26  2023 .
drwxr-xr-x 1 root   root   4.0K Jul 26  2023 ..
-rw-r--r-- 1 eloise eloise  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 eloise eloise 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 eloise eloise  807 Apr 23  2023 .profile
-rw-r----- 1 root   eloise   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root   eloise   50 Jul 26  2023 hi
-rw-r----- 1 root   eloise  194 Jul 26  2023 mission.txt

xxd -r hi
uvMwFDQrQWPMeGP

Stage - lucia

flag - 22

8===5Sr2pqeVTmn8RaaPmTPE===D~~

任务目标

/pwned/lucia/mission.txt
################
# MISSION 0x23 #
################

## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.

行动

ls -lah
total 36K
drwxr-x--- 2 root  lucia 4.0K Jul 26  2023 .
drwxr-xr-x 1 root  root  4.0K Jul 26  2023 ..
-rw-r--r-- 1 lucia lucia  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 lucia lucia 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 lucia lucia  807 Apr 23  2023 .profile
-rw-r----- 1 root  lucia 2.0K Jul 26  2023 dict.txt
-rw-r----- 1 root  lucia   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root  lucia  397 Jul 26  2023 mission.txt

while IFS= read -r line; do readlink -e /etc/xdg/$line ; done < dict.txt ; cat /etc/xdg/readme
/etc/xdg
/etc/xdg/readme
H5ol8Z2mrRsorC0

Stage - isabel

flag - 23

8===Md2CU83GtVfouhm9U0AS===D~~

任务目标

/pwned/isabel/mission.txt
################
# MISSION 0x24 #
################

## EN ##
The password of the user freya is the only string that is not repeated in different.txt

行动

ls -lah
total 180K
drwxr-x--- 2 root   isabel 4.0K Jul 26  2023 .
drwxr-xr-x 1 root   root   4.0K Jul 26  2023 ..
-rw-r--r-- 1 isabel isabel  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 isabel isabel 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 isabel isabel  807 Apr 23  2023 .profile
-rw-r----- 1 root   isabel 148K Jul 26  2023 different.txt
-rw-r----- 1 root   isabel   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root   isabel  245 Jul 26  2023 mission.txt

uniq -u different.txt
EEDyYFDwYsmYawj

Stage - freya

flag - 24

8===m1rRSv2pdm3sBGmgidul===D~~

任务目标

/pwned/freya/mission.txt
################
# MISSION 0x25 #
################

## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.

行动

ls -lah
total 32K
drwxr-x--- 2 root  freya 4.0K Jul 26  2023 .
drwxr-xr-x 1 root  root  4.0K Jul 26  2023 ..
-rw-r--r-- 1 freya freya  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 freya freya 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 freya freya  807 Apr 23  2023 .profile
-rw-r----- 1 root  freya   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root  freya  262 Jul 26  2023 mission.txt

false; while [$? -ne 0]; do cat /free/* ; done 2>/dev/null
mxq9O3MSxxX9Q3S

Stage - alexa

flag - 25

8===12ALP3eLlJ1GrTBxwJQM===D~~

任务目标

/pwned/alexa/mission.txt
################
# MISSION 0x26 #
################

## EN ##
The password of the user ariel is online! (HTTP)

行动

ls -lah
total 32K
drwxr-x--- 2 root  alexa 4.0K Jul 26  2023 .
drwxr-xr-x 1 root  root  4.0K Jul 26  2023 ..
-rw-r--r-- 1 alexa alexa  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 alexa alexa 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 alexa alexa  807 Apr 23  2023 .profile
-rw-r----- 1 root  alexa   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root  alexa  172 Jul 26  2023 mission.txt

curl http://localhost
33EtHoz9a0w2Yqo

Stage - ariel

flag - 26

8===lqTeJ1msxhNjNJCptxmZ===D~~

任务目标

/pwned/ariel/mission.txt
################
# MISSION 0x27 #
################

## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.

行动

ls -lah
total 44K
drwxr-x--- 2 root  ariel 4.0K Jul 26  2023 .
drwxr-xr-x 1 root  root  4.0K Jul 26  2023 ..
-rw-r--r-- 1 ariel ariel  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 ariel ariel 3.5K Apr 23  2023 .bashrc
-rw-r----- 1 root  ariel  12K Jul 26  2023 .goas.swp
-rw-r--r-- 1 ariel ariel  807 Apr 23  2023 .profile
-rw-r----- 1 root  ariel   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root  ariel  254 Jul 26  2023 mission.txt

vim -r .goas.swp
-->ppkJjqYvSCIyAhK
-->cOXlRYXtJWnVQEG
--rxhKeFKveeKqpwp
-->RGBEMbZHZRgXZnu
-->IaOpTdAuhSjGZnu
-->NdnszvjulNellbK
-->GBUguuSpXVjpxLc
-->rSkPlPhymYcerMJ
-->PEOppdOkSqJZweH
-->EKvJoTBYlwtwFmv
-->d3LieOzRGX5wud6
-->mYhQVLDKdJrsIwG
-->DabEJLmAbOQxEnD
-->LkWReDaaLCMDlLf
-->cbjYGSvqAsqIvdg
-->QsymOOVbzSaKmRm
-->bnQgcXYamhSDSff
-->VVjqJGRrnfKmcgD

使用 hydra 进行爆破，得到密码为

d3LieOzRGX5wud6

Stage - lola

flag - 27

8===TMYRw853hx8yKRocFMgM===D~~

任务目标

/pwned/lola/mission.txt
################
# MISSION 0x28 #
################

## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.

行动

ls -lah
total 36K
drwxr-x--- 2 root lola 4.0K Jul 26  2023 .
drwxr-xr-x 1 root root 4.0K Jul 26  2023 ..
-rw-r--r-- 1 lola lola  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 lola lola 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 lola lola  807 Apr 23  2023 .profile
-rw-r----- 1 root lola   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root lola  272 Jul 26  2023 mission.txt
-rw-r----- 1 root lola 1.5K Jul 26  2023 pages.txt

# 创建一个 SSH 隧道（tunnel），将远程服务器 venus.hackmyvm.eu 上的 80 端口转发到本地计算机的 9001 端口。
$ ssh -L 9001:127.0.0.1:80 lola@venus.hackmyvm.eu -p 5000
# 然后再扫描目录
$ dirb http://127.0.0.1:9001/ ./pages.txt -X .html
# 或者 gobuster dir -w pages.txt -u http://127.0.0.1:9001 -x html
# 可以得到一个网页
http://127.0.0.1:9001/cebolla.html
$ curl http://127.0.0.1:9001/cebolla.html
# VLSNMTKwSV2o8Tn   // 得到了 celeste 的密码 VLSNMTKwSV2o8Tn

Stage - celeste

flag - 28

8===TrdsvMy99slFZtd4Cy4Q===D~~

flag - hidden - 0xH

celeste@venus:~$ mysql -uceleste -pVLSNMTKwSV2o8Tn
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 261
Server version: 10.11.3-MariaDB-1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use venus;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [venus]> select  * from people;
......
|        35 | haha          | 8===xKmPDsJSKpHLzkqKXyjx===D~~ |
......

任务目标

/pwned/celeste/mission.txt
################
# MISSION 0x29 #
################

## EN ##
The user celeste has access to mysql but for what?

行动

ls -lah
total 32K
drwxr-x--- 2 root    celeste 4.0K Jul 26  2023 .
drwxr-xr-x 1 root    root    4.0K Jul 26  2023 ..
-rw-r--r-- 1 celeste celeste  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 celeste celeste 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 celeste celeste  807 Apr 23  2023 .profile
-rw-r----- 1 root    celeste   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root    celeste  179 Jul 26  2023 mission.txt

mysql -uceleste -pVLSNMTKwSV2o8Tn -e''use venus;select * from people where length(pazz)=15;'
+-----------+----------+-----------------+
| id_people | uzer     | pazz            |
+-----------+----------+-----------------+
|        16 | sfdfdsml | ixpeqdsfsdfdsfW |
|        44 | yuio     | ixpgbvcbvcbeqdW |
|        54 | crom     | ixpefdbvvcbrqdW |
|        58 | bael     | ixpesdvsdvsdqdW |
|        74 | nina     | ixpeqdWuvC5N9kG |
|        77 | dsar     | ixpeF43F3F34qdW |
|        78 | yop      | ixpeqdWCSDFDSFD |
|        79 | loco     | ixpeF43F34F3qdW |
+-----------+----------+-----------------+

根据 /etc/passwd 的记录，可以定位到 nina 这个用户

Stage - nina

flag - 29

8===VwICIymoA1DczWJau1sG===D~~

任务目标

/pwned/nina/mission.txt
################
# MISSION 0x30 #
################

## EN ##
The user kira is hidding something in http://localhost/method.php

行动

ls -lah
total 32K
drwxr-x--- 2 root nina 4.0K Jul 26  2023 .
drwxr-xr-x 1 root root 4.0K Jul 26  2023 ..
-rw-r--r-- 1 nina nina  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 nina nina 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 nina nina  807 Apr 23  2023 .profile
-rw-r----- 1 root nina   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root nina  197 Jul 26  2023 mission.txt

curl -XPUT http://localhost/method.php
tPlqxSKuT4eP3yr

Stage - kira

flag - 30

8===rJun2WyeuGIvabWQvJko===D~~

任务目标

/pwned/kira/mission.txt
################
# MISSION 31 #
################

## EN ##
The user veronica visits a lot http://localhost/waiting.php

行动

ls -lah
total 32K
drwxr-x--- 2 root kira 4.0K Jul 26  2023 .
drwxr-xr-x 1 root root 4.0K Jul 26  2023 ..
-rw-r--r-- 1 kira kira  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 kira kira 3.5K Apr 23  2023 .bashrc
-rw-r--r-- 1 kira kira  807 Apr 23  2023 .profile
-rw-r----- 1 root kira   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root kira  191 Jul 26  2023 mission.txt

curl -A PARADISE http://localhost/waiting.php
QTOel6BodTx2cwX

Stage - eloise​

flag - 21​

任务目标​

行动​

Stage - lucia​

flag - 22​

任务目标​

行动​

Stage - isabel​

flag - 23​

任务目标​

行动​

Stage - freya​

flag - 24​

任务目标​

行动​

Stage - alexa​

flag - 25​

任务目标​

行动​

Stage - ariel​

flag - 26​

任务目标​

行动​

Stage - lola​

flag - 27​

任务目标​

行动​

Stage - celeste​

flag - 28​

flag - hidden - 0xH​

任务目标​

行动​

Stage - nina​

flag - 29​

任务目标​

行动​

Stage - kira​

flag - 30​

任务目标​

行动​

Stage - eloise

flag - 21

任务目标

行动

Stage - lucia

flag - 22

任务目标

行动

Stage - isabel

flag - 23

任务目标

行动

Stage - freya

flag - 24

任务目标

行动

Stage - alexa

flag - 25

任务目标

行动

Stage - ariel

flag - 26

任务目标

行动

Stage - lola

flag - 27

任务目标

行动

Stage - celeste

flag - 28

flag - hidden - 0xH

任务目标

行动

Stage - nina

flag - 29

任务目标

行动

Stage - kira

flag - 30

任务目标

行动