Venus 31-40
Stage - veronica
flag - 31
8===iSSeKzoDXsKy8WPuqNPg===D~~
任务目标
/pwned/veronica/mission.txt
################
# MISSION 0x32 #
################
## EN ##
The user veronica uses a lot the password from lana, so she created an alias.
行动
ls -lah
total 32K
drwxr-x--- 2 root veronica 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 veronica veronica 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 veronica veronica 3.5K Jul 26 2023 .bashrc
-rw-r--r-- 1 veronica veronica 807 Apr 23 2023 .profile
-rw-r----- 1 root veronica 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root veronica 228 Jul 26 2023 mission.txt
alias
alias lanapass='UWbc0zNEVVops1v'
alias ls='ls --color=auto'
Stage - lana
flag - 32
8===um3Hno2AsjFjuLWsfmDj===D~~
任务目标
/pwned/lana/mission.txt
################
# MISSION 0x33 #
################
## EN ##
The user noa loves to compress her things.
行动
ls -lah
total 44K
drwxr-x--- 2 root lana 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 lana lana 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lana lana 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 lana lana 807 Apr 23 2023 .profile
-rw-r----- 1 root lana 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root lana 161 Jul 26 2023 mission.txt
-rw-r----- 1 root lana 10K Jul 26 2023 zip.gz
$ mkdir /tmp/jzcheng;
$ tar -xvf zip.gz -C /tmp/jzcheng
$ cat ... // 得到 noa 的密码 9WWOPoeJrq6ncvJ
# > 非预期
$ cat zip.gz
# pwned/lana/zip0000644000000000000000000000002014223477016012327 0ustar rootroot9WWOPoeJrq6ncvJ
Stage - noa
flag - 33
8===HUNGevKdeKwcCvJru1CC===D~~
任务目标
/pwned/noa/mission.txt
################
# MISSION 0x34 #
################
## EN ##
The password of maia is surrounded by trash
行动
ls -lah
total 36K
drwxr-x--- 2 root noa 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 noa noa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 noa noa 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 noa noa 807 Apr 23 2023 .profile
-rw-r----- 1 root noa 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root noa 159 Jul 26 2023 mission.txt
-rw-r----- 1 root noa 3.8K Jul 26 2023 trash
strings trash | grep -E '.{15}'
O\nh1hnDPHpydEjoEN
Stage - maia
flag - 34
8===nu8IDScKFAXVcnFutKtG===D~~
任务目标
/pwned/maia/mission.txt
################
# MISSION 0x35 #
################
## EN ##
The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters.
行动
ls -lah
total 36K
drwxr-x--- 2 root maia 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 maia maia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 maia maia 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 maia maia 807 Apr 23 2023 .profile
-rw-r----- 1 root maia 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root maia 16 Jul 26 2023 forget
-rw-r----- 1 root maia 317 Jul 26 2023 mission.txt
/pwned/maia/forget
v7xUVE2e5bjUc??
爆破字典生成
from string import ascii_lowercase
f = open('pazz.txt', 'w+')
for i in ascii_lowercase:
for j in ascii_lowercase:
print(f"v7xUVE2e5bjUc{i}{j}", file=f)
hydra 执行 ssh 爆破
hydra -l gloria -P pazz.txt ssh://venus.hackmyvm.eu:5000
[5000][ssh] host: venus.hackmyvm.eu login: gloria password: v7xUVE2e5bjUcxw
1 of 1 target successfully completed, 1 valid password found
Stage - gloria
flag - 35
8===RZIkEtaEp18tLslTopJj===D~~
任务目标
/pwned/gloria/mission.txt
################
# MISSION 0x36 #
################
## EN ##
User alora likes drawings, that's why she saved her password as ...
行动
ls -lah
total 36K
drwxr-x--- 2 root gloria 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 gloria gloria 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 gloria gloria 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 gloria gloria 807 Apr 23 2023 .profile
-rw-r----- 1 root gloria 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root gloria 1.7K Jul 26 2023 image
-rw-r----- 1 root gloria 222 Jul 26 2023 mission.txt
./image
##########################################################
##########################################################
##########################################################
##########################################################
######## ########## ## ########
######## ########## ## ## #### ########## ########
######## ## ## ## ## ###### ## ## ########
######## ## ## #### ######## ## ## ########
######## ## ## ## #### ## ## ########
######## ########## ## #### ########## ########
######## ## ## ## ## ########
######################## #### ##########################
######## ## #### #### ## ## ## ##########
############ ###### ## ## ## ########
######## ## ## ## ## #### ## ########
############## ## ## ###### ## #### ########
############ ## ## ######## ## ## ##########
######################## #### ## ## #### ########
######## ## #### ## ##########
######## ########## ###### ########## #### ##########
######## ## ## #### ## ###### ########
######## ## ## ## ## ###### ## #### ########
######## ## ## #### ## ## ## ########
######## ########## ## #### ## ##################
######## ## ## ##########
##########################################################
##########################################################
##########################################################
##########################################################
mhrTFCoxGoqUxtw
Stage - alora
flag - 36
8===NSe78N2lM7IbvHzvrC0G===D~~
任务目标
/pwned/alora/mission.txt
################
# MISSION 0x37 #
################
## EN ##
The user julie has created an iso with her password.
行动
ls -lah
total 388K
drwxr-x--- 1 root alora 4.0K Nov 27 15:03 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 alora alora 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alora alora 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 alora alora 807 Apr 23 2023 .profile
-rw-r----- 1 root alora 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root alora 176 Nov 27 15:03 mission.txt
-rw-r----- 1 root alora 352K Jul 26 2023 music.iso
预期解
$ mkdir /tmp/music
$ sudo mount -o loop music.iso /tmp/music //挂载到本地虚拟机
$ unzip /tmp/music/music.zip -d tmp
$ cat /tmp/pwned/a;ora/music.txt
sjDf4i2MSNgSvOv -- 得到julie的密码 sjDf4i2MSNgSvOv
暴力解
alora@venus:~$ strings music.iso | grep -E '.{15}'
LINUX CDROM
GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM 2023072608552300
2023072608552300
0000000000000000
2023072608552300
RRIP_1991ATHE ROCK RIDGE INTERCHANGE PROTOCOL PROVIDES SUPPORT FOR POSIX FILE SYSTEM SEMANTICSPLEASE CONTACT DISC PUBLISHER FOR SPECIFICATION SOURCE. SEE PUBLISHER IDENTIFIER IN PRIMARY VOLUME DESCRIPTOR FOR CONTACT INFORMATION.
pwned/alora/music.txtUT
sjDf4i2MSNgSvOv
pwned/alora/music.txtUT
Stage - julie
flag - 37
8===Iwe1QpxTcx0A8Uusqjfe===D~~
任务目标
/pwned/julie/mission.txt
################
# MISSION 0x38 #
################
## EN ##
The user irene believes that the beauty is in the difference.
行动
ls -lah
total 48K
drwxr-x--- 2 root julie 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 julie julie 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 julie julie 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 julie julie 807 Apr 23 2023 .profile
-rw-r----- 1 root julie 4.7K Jul 26 2023 1.txt
-rw-r----- 1 root julie 4.7K Jul 26 2023 2.txt
-rw-r----- 1 root julie 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root julie 192 Jul 26 2023 mission.txt
diff 1.txt 2.txt
174c174
< 8VeRLEFkBpe2DSD
---
> aNHRdohjOiNizlU
Stage - irene
flag - 38
8===c9hgLkLGzsNw7mB3VEr4===D~~
任务目标
/pwned/irene/mission.txt
################
# MISSION 0x39 #
################
## EN ##
The user adela has lent her password to irene.
行动
ls -lah
total 44K
drwxr-x--- 2 root irene 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 irene irene 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 irene irene 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 irene irene 807 Apr 23 2023 .profile
-rw-r----- 1 root irene 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root irene 1.7K Jul 26 2023 id_rsa.pem
-rw-r----- 1 root irene 451 Jul 26 2023 id_rsa.pub
-rw-r----- 1 root irene 178 Jul 26 2023 mission.txt
-rw-r----- 1 root irene 256 Jul 26 2023 pass.enc
openssl pkeyutl -decrypt -inkey id_rsa.pem -in pass.enc
nbhlQyKuaXGojHx
Stage - adela
flag - 39
8===86XGXQefUeV2eEdrUzxx===D~~
任务目标
/pwned/adela/mission.txt
################
# MISSION 0x40 #
################
## EN ##
User sky has saved her password to something that can be listened to.
行动
ls -lah
total 36K
drwxr-x--- 2 root adela 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r--r-- 1 adela adela 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 adela adela 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 adela adela 807 Apr 23 2023 .profile
-rw-r----- 1 root adela 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root adela 213 Jul 26 2023 mission.txt
-rw-r----- 1 root adela 44 Jul 26 2023 wtf
解密
.--. .- .--. .- .--. .- .-. .- -.. .. ... .
papaparadise
Stage - sky
flag - 40
8===8T2IE4fNIvbs8sh1lnew===D~~
flag - hidden - 0xR
8===nyqRAOwkVRTiMYeePdes===D~~
任务目标
/pwned/sky/mission.txt
################
# MISSION 0x41 #
################
## EN ##
User sarah uses header in http://localhost/key.php
行动
ls -lah
total 36K
drwxr-x--- 2 root sky 4.0K Jul 26 2023 .
drwxr-xr-x 1 root root 4.0K Jul 26 2023 ..
-rw-r----- 1 root sky 31 Jul 26 2023 .bash_history
-rw-r--r-- 1 sky sky 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 sky sky 3.5K Apr 23 2023 .bashrc
-rw-r--r-- 1 sky sky 807 Apr 23 2023 .profile
-rw-r----- 1 root sky 31 Jul 26 2023 flagz.txt
-rw-r----- 1 root sky 184 Jul 26 2023 mission.txt
curl -H
LWOHeRgmIxg7fuS