21 iris
iris@venus:~$ ls -la
total 60
drwxr-x--- 3 root iris 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 iris iris 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 iris iris 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 iris iris 807 Apr 23 2023 .profile
drwxr-xr-x 2 root root 4096 Apr 5 06:28 .ssh
-rw-r----- 1 root iris 17484 Apr 5 06:28 eloise
-rw-r----- 1 root iris 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root iris 16 Apr 5 06:28 irispass.txt
-rw-r----- 1 root iris 195 Apr 5 06:27 mission.txt
iris@venus:~$ cat flagz.txt
8===ClrdWOqlZ1vL61zSk9Va===D~~
iris@venus:~$ cat mission.txt
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
## ES ##
La usuaria eloise ha guardado su password de una forma particular.
iris@venus:~$ catt eloise
-bash: catt: command not found
iris@venus:~$ cat eloise
/9j/4AAQSkZJRgABAQEAYABgAAD/4RDSRXhpZgAATU0AKgAAAAgABAE7AAIAAAAEc01MAIdpAAQA
AAABAAAISpydAAEAAAAIAAAQwuocAAcAAAgMAAAAPgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAMAAgAAABQAABCY
kAQAAgAAABQAABCskpEAAgAAAAM4NQAAkpIAAgAAAAM4NQAA6hwABwAACAwAAAiMAAAAABzqAAAA
CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAMjAyMToxMToxMCAxMDoxODowMwAyMDIxOjExOjEwIDEwOjE4OjAzAAAAcwBNAEwAAAD/4QsW
aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49J++7vycgaWQ9J1c1
TTBNcENlaGlIenJlU3pOVGN6a2M5ZCc/Pg0KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczpt
ZXRhLyI+PHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJk
Zi1zeW50YXgtbnMjIj48cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0idXVpZDpmYWY1YmRkNS1i
YTNkLTExZGEtYWQzMS1kMzNkNzUxODJmMWIiIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMv
ZWxlbWVudHMvMS4xLyIvPjxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSJ1dWlkOmZhZjViZGQ1
LWJhM2QtMTFkYS1hZDMxLWQzM2Q3NTE4MmYxYiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUu
Y29tL3hhcC8xLjAvIj48eG1wOkNyZWF0ZURhdGU+MjAyMS0xMS0xMFQxMDoxODowMy44NDk8L3ht
cDpDcmVhdGVEYXRlPjwvcmRmOkRlc2NyaXB0aW9uPjxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0
PSJ1dWlkOmZhZjViZGQ1LWJhM2QtMTFkYS1hZDMxLWQzM2Q3NTE4MmYxYiIgeG1sbnM6ZGM9Imh0
dHA6Ly9wdXJsLm9yZy9kYy9lbGVtZW50cy8xLjEvIj48ZGM6Y3JlYXRvcj48cmRmOlNlcSB4bWxu
czpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPjxyZGY6
bGk+c01MPC9yZGY6bGk+PC9yZGY6U2VxPg0KCQkJPC9kYzpjcmVhdG9yPjwvcmRmOkRlc2NyaXB0
aW9uPjwvcmRmOlJERj48L3g6eG1wbWV0YT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAg
ICAgICAgICAgICAgICAgICAgICAgICAgPD94cGFja2V0IGVuZD0ndyc/Pv/bAEMABwUFBgUEBwYF
BggHBwgKEQsKCQkKFQ8QDBEYFRoZGBUYFxseJyEbHSUdFxgiLiIlKCkrLCsaIC8zLyoyJyorKv/b
AEMBBwgICgkKFAsLFCocGBwqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKv/AABEIAGYBigMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUG
BwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR
8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5
eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj
5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQAC
AQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXx
FxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqS
k5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T1
9vf4+fr/2gAMAwEAAhEDEQA/APpGiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC
iiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK
KKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo
oAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiig
Aooqrql1PZaRd3Vnbfa7iCF5I7ffs81gCQu7BxnpnBpNpK7Gk27ItUVyvw48dQfEPwbDrsFr9idp
HimtjL5hidT03YGcjB6DrWRp3xXg1C88aMNMKaX4UDB777Ru+0uoYsoTbxgqRnJ7etOXu3v2v8hL
Xbvb5nT+I/GPh3wjbpL4k1i108SAlFlf53x12oPmb8BWFovxl+H3iC9W00zxPamdyFRLhHt95PQA
yKoJPoK86+FHw9tPiLby/ET4jR/2ve6lO5tLaZj5MMasVHydCMggKcjA6Emu/wDE3wW8C+JNJktP
+EfsdMlIPlXWnW628kbdj8oAb6MCKLOPxb9g0lsd7WL4d8X6H4ra/XQL77WdPnNvdfuXTy5B1X5l
GenUZFec/APxDqpg13wR4hlM954Yufs8U7EkvFuZQOecArx7EDtVb9nn/j68df8AYcf+bU9L6bWv
+K/zFqlrve34P/I9nkkWKJ5JDhEUsxx0ArK8M+KdH8YaMuq+HLz7ZZM7RiXynjyy9RhwD+lX9R/5
Bd1/1xf/ANBNeWfs0f8AJG4P+v2f+YpR1cl2Sf4jloovu/0PWJ5o7a3knmbbHEpd2xnAAyTWLo3j
XQPEHhebxFpF/wDaNKhEhkuPJkTaEGW+VlDcD2q/rf8AyL+of9esv/oBrxj4Nf8AJsGrf9cr/wD9
ANQ5NKb7K5SV3Bd3Y9GuPip4NtfDOn+IZ9YKaTqMrQ210bSba7gkEEbMryp+8B0NdeDkZHIrwPwp
4THjP9kKDS0QNdLHcXFrntKk8jKPx5X/AIFXffBXxQPFXwp0m4kk33Vmn2O5GckPHwM+5XafxrZx
tKUe35f8P+hnfRPvf71/wDqfEnibR/COiyat4ivVsrGNlVpSjPyxwAFUEk/QU678R6Rp/h1dd1C/
itNNaJZRcXGYxtYZXhsHJyOMZ7Yryr4tr/wm/wAUPCPw+hy1skv9qamAMgRrkKD9QHH/AANag+Im
nx+PPj14a8EX+86JYWTahdW8bbVkb5gAcdsKo9QGbGM1mrtLzbt6Jav8/uLdk9ei1+ey/L7zvPDv
xc8C+KtUXTdD8QwT3j/chkikhMh9F8xV3H2GTXZMyohd2CqoyWJwAK8c+Mvwv8NQ/Dm91nw7o9po
+qaMou7e40+FYGwpBYNtAzxkgnkEDnrUPxG17WPEX7LcWs2O8TXtpbvfmHr5ZIEvTtnr7ZzxmiUl
ytrdW/Hr/mCV5Jd7/gdZf/HH4b6bfNaXPim2aVTgm3hlmT/vtFK/rXW6J4g0jxJp4vtB1G21C2Jx
5lvIGCn0OOh9jzXnXw/8P/B/V/DVlbaDYeH9Tl8hTIt1FFLd7sclw43g5z6D04qfwz8KrrwT8Wrn
WvCs9taeF9Qttt3ppkfcJRnBRcYwDyMtxuYAYq+Wz5WRe6ujtT4v0NfGI8Km+/4nTQfaBa+S/wDq
/wC9v27fwzmtqvC9Y1bTtF/a4ivNZv7XT7YaJtM91MsSAkHA3MQM16h/wsfwR/0OXh//AMGkH/xV
StYp+v5tFP4mvT8ky3YeLdE1TxNqPh+xvfN1TTFVru38p18sMAR8xAU9R0Jq9qmrafomnyX2sXtv
Y2kf357iQIg9OT39q8e+GeoWeqftFeP73TLuC8tZbe3Mc9vIJEcbUHDDIPIIrM/ssfHH40a1b63P
M3hXws4gjs45CgnmyVJJHPJV8kc4CgY60ldqPdq7B2TlfZOx38fx1+G0t99lXxTAJM43NBMqf99l
Nv45rurS8ttQs4ruwuIrq2mXdHNC4dHHqGHBFcvL8KPAM2mmxfwhpAhKbNyWqrLj/roAHz75zXmX
g63uPhF8dh4Gt7ma48OeIITc2STPkwSAN+uUKn1BQnpVKzfL1E7pc3Y97oryrxX8dbDwf4+v/DOo
6Lcztb28b20lrJ5kl1K+3bEI9oA+8Tkt/DwCSBWfpH7QRPimz0bxn4M1PwuL9wltPdFiGJOAWVo0
IXOBkZxn8aUfetbqOXu7npmr+LdE0HWdL0rVb3yL3VpDFZReU7eawwCMqCF+8OpFbNeIfHHU7TRf
ib8OdT1KYQWlpdTTTSEZ2qpjJOB1+lSJ+0YtrewT+IPBGt6RoF1IFttWmRiJAejbSgGMc4VmOOma
I+9G/W7X+QSun8l+p7UzKiF3YKqjJYnAArgr/wCOPw302+a0ufFNs0qnBNvDLMn/AH2ilf1rO+PN
1fXHwQ1G50CVpIZhE00kBzutmILEEfwkEZ9s9qg+H/h/4P6v4asrbQbDw/qcvkKZFuoopbvdjkuH
G8HOfQenFCTbfkDaSXmei6J4g0jxJp4vtB1G21C2Jx5lvIGCn0OOh9jzXP8Aif4seCvBusf2V4k1
r7He+WsvlfZZpPlOcHKIR2PesHwz8KrrwT8WrnWvCs9taeF9Qttt3ppkfcJRnBRcYwDyMtxuYAYr
n9S0jTdb/a0a01rTrXULb+wQ/k3cCypuB4O1gRmh6uNuv6J/5Bsnfp+tv8zqoPj78M7iZYo/E6Bm
OAZLO4RfxZowB+Nd9ZX1rqVjFeafcxXVtMu+KaFw6OPUEcGubvfhh4EvLGa3n8I6JHHIhVnhsYon
UeodQCp9wRXlfwG1yXw/8PvHDws2oaXoVzNPZK0mPMCozFQ3OAQqngdWJ70XWt+iv/X3js21bq7H
v9FeLQ/tCvqeg2lz4a8E6pruovH5l5aWLNJHZDcwAeVYz8xC5xtHB61btP2h9D1LwtDd6TpGoX+v
TSNCmg2y+ZPvUZJyoJ2Y/i2568cHB38hLU9eorzH4e/GeHxn4muPDes6BeeHNbiQyLaXTFt4ABI5
VSGwc4K9O9enU7NCTuFFFFIYUUUUAFFFFABRRRQAUUUUAFFFFAHhWja4vwo8ZfEfSLldll5Da/pq
kYVt3DKP+Bsi/wDAav8AgvwXeN+zVqVrtZ9X8RWdxfSE53SSSqSgP1UL+dZXx50e08UfEbwd4fsJ
j/at8zwXccRyVtNysS302sR9DXvEEMdtbxwQKEjiUIijooAwBUqN6TXly/Jf0vuKbtUX/gX3/wBP
7zzL9nrXbTVvhDp1nDIv2rS2e3uYc/NGd7MpI9CD/P0r06SRIo2klZURAWZmOAAOpJryXxL8FbuL
xPP4n+GfiGTwzqtwd08AXNvOxOSSB0yeSCGGewrJuPhX8VvF8Q0/x98QbYaUx/ew6ZFgzL3U4jjB
/HcB1wauUnN32ZCioadA+CEq+Ifij8QPFdkrf2dc3Qgt5O0vzMcj8Ap9twqz8ASltr/xB053H2mH
W3ZozwQu5wD+YNeo+FvC+l+DfDltomhQGK0txxuOWdj1dj3Ynn+WBgV594z+D+q3PjGXxh8OfEbe
H9buFxcxuCYbg8cnGcdASCrAkA4BpaRaS2St+T/ND1ldvdu/5r8j0jxBexad4a1O9uCFit7SWVyT
jgITXlXwJ1Wx8K/s/Q6xr9wtnYLczSNMylgqmTYOACfvcVRuvhV8V/GKDTviB4/tP7IJBlh02LDS
jP3SBHGCPruAODg16jc+BdGm+Hb+DI4mh0trT7KoUgso7Pk9Wz82fWlrFSkt2l/mPSTinsn/AMAu
Xmo2mp+C7jUrGYS2dzp7zxS4IDI0ZIbnkcHvXkXwcUr+y/qhI4aG/I9xtI/pVaH4Q/Fm00c+FbTx
/ZJ4YIMQ+RvPER6qPkyB22iTGOOlepad4Ht9A+F0nhDRHGBYy26Szcb5HVsu2AcZZieOlKa92bj1
Vl3HF+9BPo7swP2fP+SHaF9bj/0fJWD4FCeAPjv4o8KTN5Wn65GNW0/cflB5LqPT+P8ACMV3Xwt8
J33gj4cab4f1WW3mu7Qy73tmZozukZxgsAejDtWB8YPhrq/jgaVf+FL210/WLAyxGe4dkDQyIVZc
qrHPpx3NaVZfvHKOu6+//g2ZEFePK/X8f8rr5mZ8G4m8V+LvFXxHuUYJqNybHTtx6W8eBkfXan4q
aivnGm/te6e9x8qaloZjhYnALAsSP/HD+deleDfDcHhDwbpmg220rZQLGzqMB36u34sSfxrnvif8
M08f2djc2GoPpOuaXIZbG/jByp4O04wcZAORyCPqCnaMopaqOn4NX/G4K8k76N/53X5WJ/jFexWH
wd8SyzkBXsXhXJxln+QfqwrmfD/jXTPhv8FfBZ8TWl49vfwR25eKJWWIuNwMm5hhcE9M9DxWOfhD
8RPGN7aW/wAVPGVrfaJayCU2enrtM5HZsRxgf7x3EZOMda9U8V+DNH8Y+E5vD2qwbbN1URmHCtAV
+6ycYBH5Y46Glayb3vb7l/nce7S7X+92/wAjlPEHwB+HviFpJhpB02eXnztNlMQH0TmMf981y3h8
a38KvjJo/gw6/d674f1yBzbw3jbpbMqDjB9Pl7YByeMilt/hr8ZPDEK6b4P+IVlLpkfEQ1GLLovZ
RuikwB6Bse1dJ4C+Elzofih/FvjXXZPEPiNkKRysCI7YEYITPXgkDgAAnA7046O62FK7i09zjfFX
hbR/GH7VkeleI7P7ZZNowkMXmvHllDYOUIP612//AAz58Mf+hZ/8n7n/AOOVO/gHVG+PcfjcT2f9
mrpv2Qxb287fg8427cc/3vwr0KpirRXz/Njd3J/L8keF/CXQtO8NfHzx1pGiW/2axtbeBYYt7PtB
Ck8sSTyT1NO+Ddwnhz4u+PvCupusN7c332y2VzzMmXbjPX5XU/TJ7V2nhnwLqei/F/xV4qup7R7H
WY4kt443YyqVCg7gVAHQ9CaZ8RfhJp/jq7ttWs7+fQ/EFmMQalafewOgYAgnHYggj9KcW1GDfaz+
+4NJykvO6/r7z0GvC/FNzF4n/at8L6fpuZjoVs0t7IhyIzhm2n06oPq+KmbwJ8c7lDYXPxF0+OwY
bDPDFifb65EIbPvvz712/wAN/hdpXw4sbj7LPLqGp3pDXmoXAw8p64A52rkk4yTk8k8YcUuZTfT8
xSfuuPc4ewtYLj9sjU5J4ld7fSFkiLD7jbI1yPfDMPxqb9pxR/whOhSYG9dZi2tjkfI/Q/gK6ey8
A6pbfHrUPGzz2Z02504WqRB284OAnJG3bj5T/F6Uvxi8Bap8QfDenafo09pBLa6gl07XbsqlQrAg
bVbn5hSjpGHk1/6Vf8invL0/9tt+ZyHxstbS++KHwyttTRZLWa/ZZEcZVwXi4PqCeK7/AOLdvZ3H
wh8SpqCoYVsJHXd2dRlCPfcFxWD8VfhZefEXXfDMqXUFvYaa8n2wmVkm2tswYsKRuG0nkjtXNX/w
g+JPiqSPRvG3j6K88MwyA7beLbcTqp43jYBnjqzPg881Nuanybav8QT5ZKfZL9TR8I/EHT/A3wM8
GXHiq2vZYL9fsgkijV1jG5tpfcy4XYO2eBWz4g+APw98QtJMNIOmzy8+dpspiA+icxj/AL5rpdf8
A6D4i8C/8Ind2vlabHEkcAiOGt9gwjITnke+c85zk15lb/DX4yeGIV03wf8AEKyl0yPiIajFl0Xs
o3RSYA9A2Park1KbduuhMU4wS8tRPD41v4VfGTR/Bh1+713w/rkDm3hvG3S2ZUHGD6fL2wDk8ZFZ
XjnwzqXiz9pxtN0XxFd+Hbn+xUk+22gbftBOV+V0ODn17V3XgL4SXOh+KH8W+Nddk8Q+I2QpHKwI
jtgRghM9eCQOAACcDvWgPAupj48Hxr59p/Zp0v7H5W9vO35znG3bj/gWfalbWPNra/5Owfzcvl+a
ucdJ8AfEt/GbbXPizr2oWMnEtsyyYcenzTMPzBrsdQ8H6T4G+COv6JoMLJbRaVdMzyHc8rmJsux7
k/gOgAAGK76srxRpk2t+EdX0q0aNJ76xmt42kJChnQqCSATjJ9DUzu4SS6mlOynFvozhf2draG3+
CWkyQxKj3Ek8krAcu3msuT+CgfhXO/BK0t1+L/xPmWCMSxal5cbhRlVaWYkD0BKr+Qr0P4W+E77w
R8ONN8P6rLbzXdoZd72zM0Z3SM4wWAPRh2rK+HngDVPCXjfxprGpXFnLb69ei4tVgdi6LvkbDgqA
Dhx0J71tJr2ra7P81+hkl+6t5r82ct4pAT9r7weUG0vpUm8jjd8tx19a9srzzW/AGqal8dfD/jSC
4s103TLJ7eaJ3YTMxEoyoC7SP3g6sO9eh1C+BL1/Nly1nddl+QUUUUhBRRRQAUUUUAFFFFABRRRQ
AU2RFkjZHGVYEEeoNOopNXVmBwPgP4M+Ffh7qtxqWjLd3F7MpRZryRXMKHqqBVUDPqcn3rvqKKq4
BRRRSAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC
iiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK
KKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo
oAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiig
AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP
/9k=
iris@venus:~$ cat irispass.txt
kYjyoLcnBZ9EJdz
iris@venus:~$ cat eloise | base64 -d
����JFIF``���ExifMM;sML�J���
>������85��85�
�2021:11:10 10:18:032021:11:10 10:18:03sML��
http://ns.adobe.com/xap/1.0/<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="http://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2021-11-10T10:18:03.849</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>sML</rdf:li></rdf:Seq>
</dc:creator></rdf:Description></rdf:RDF></x:xmpmeta>
........
iris@venus:~$发现似乎是一个照片,尝试进行识别,使用cyberchef,base64解码以后点一下魔术棒得到密码:
yOUJlV0SHOnbSPm22 eloise
eloise@venus:~$ ls -la
total 36
drwxr-x--- 2 root eloise 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 eloise eloise 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 eloise eloise 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 eloise eloise 807 Apr 23 2023 .profile
-rw-r----- 1 root eloise 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root eloise 50 Apr 5 06:28 hi
-rw-r----- 1 root eloise 194 Apr 5 06:27 mission.txt
eloise@venus:~$ cat hi
00000000: 7576 4d77 4644 5172 5157 504d 6547 500a
eloise@venus:~$ cat flagz.txt
8===57CzBLKaEq2N8YBFRu31===D~~
eloise@venus:~$ cat mission.txt
################
# MISSION 0x22 #
################
## EN ##
User lucia has been creative in saving her password.
## ES ##
La usuaria lucia ha sido creativa en la forma de guardar su password.
eloise@venus:~$ xxd hi
00000000: 3030 3030 3030 3030 3a20 3735 3736 2034 00000000: 7576 4
00000010: 6437 3720 3436 3434 2035 3137 3220 3531 d77 4644 5172 51
00000020: 3537 2035 3034 6420 3635 3437 2035 3030 57 504d 6547 500
00000030: 610a a.
eloise@venus:~$ xxd -h
Usage:
xxd [options] [infile [outfile]]
or
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
-a toggle autoskip: A single '*' replaces nul-lines. Default off.
-b binary digit dump (incompatible with -ps,-i,-r). Default hex.
-C capitalize variable names in C include file style (-i).
-c cols format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
-E show characters in EBCDIC. Default ASCII.
-e little-endian dump (incompatible with -ps,-i,-r).
-g bytes number of octets per group in normal output. Default 2 (-e: 4).
-h print this summary.
-i output in C include file style.
-l len stop after <len> octets.
-n name set the variable name used in C include output (-i).
-o off add <off> to the displayed file position.
-ps output in postscript plain hexdump style.
-r reverse operation: convert (or patch) hexdump into binary.
-r -s off revert with <off> added to file positions found in hexdump.
-d show offset in decimal instead of hex.
-s [+][-]seek start at <seek> bytes abs. (or +: rel.) infile offset.
-u use upper case hex letters.
-v show version: "xxd 2022-01-14 by Juergen Weigert et al.".
eloise@venus:~$ xxd -r hi
uvMwFDQrQWPMeGP23 lucia
lucia@venus:~$ ls -la
total 36
drwxr-x--- 2 root lucia 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lucia lucia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lucia lucia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lucia lucia 807 Apr 23 2023 .profile
-rw-r----- 1 root lucia 1998 Apr 5 06:28 dict.txt
-rw-r----- 1 root lucia 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lucia 397 Apr 5 06:27 mission.txt
lucia@venus:~$ cat flagz.txt
8===5Sr2pqeVTmn8RaaPmTPE===D~~
lucia@venus:~$ cat mission.txt
################
# MISSION 0x23 #
################
## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
## ES ##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.
lucia@venus:~$ head -n 10 dict.txt
s
hack
hacker
handler
hanlder
happening
head
header
headers
lucia@venus:~$ ls /etc/xdg
ls: cannot open directory '/etc/xdg': Permission denied
只能尝试进行爆破了,这里我没写出来,我看了别的师傅写的脚本,学习一下:
while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt- IFS= 不会对输入行进行分割
- -r 不解释反斜杠
- readlink 用于解析符号链接并返回目标文件的路径。
- -e 返回绝对路径
lucia@venus:~$ while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt
/etc/xdg
/etc/xdg/readme
lucia@venus:~$ cat /etc/xdg/readme
H5ol8Z2mrRsorC024 isabel
lucia@venus:~$ su isabel
Password:
isabel@venus:/pwned/lucia$ cd ~
isabel@venus:~$ ls -la
total 180
drwxr-x--- 2 root isabel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 isabel isabel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 isabel isabel 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 isabel isabel 807 Apr 23 2023 .profile
-rw-r----- 1 root isabel 150544 Apr 5 06:28 different.txt
-rw-r----- 1 root isabel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root isabel 245 Apr 5 06:27 mission.txt
isabel@venus:~$ cat flagz.txt
8===Md2CU83GtVfouhm9U0AS===D~~
isabel@venus:~$ cat mission.txt
################
# MISSION 0x24 #
################
## EN ##
The password of the user freya is the only string that is not repeated in different.txt
## ES ##
La password de la usuaria freya es el unico string que no se repite en different.txt
isabel@venus:~$ head different.txt -n 10
3e73c17ede4b9b4
3e73c17ede4b9b4
fb834b364abb5eb
fb834b364abb5eb
36771e2733ec17c
36771e2733ec17c
47949b26a7c452a
47949b26a7c452a
371cedbb4a4e593
371cedbb4a4e593
isabel@venus:~$ cat different.txt | uniq -c
2 3e73c17ede4b9b4
2 fb834b364abb5eb
2 36771e2733ec17c
.......
isabel@venus:~$ cat different.txt | uniq -c | sort -n
1 EEDyYFDwYsmYawj
2 00010b0765c11cc
2 00205d587090943
2 00213023c9abfbe
2 002b4e53be7876f
2 0034acdf29fb163
.......
找到了那个密码 EEDyYFDwYsmYawj
isabel@venus:~$ su -l freya
Password:
freya@venus:~$25 freya
freya@venus:~$ ls -la
total 32
drwxr-x--- 2 root freya 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 freya freya 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 freya freya 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 freya freya 807 Apr 23 2023 .profile
-rw-r----- 1 root freya 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root freya 262 Apr 5 06:27 mission.txt
freya@venus:~$ cat flagz.txt
8===m1rRSv2pdm3sBGmgidul===D~~
freya@venus:~$ cat mission.txt
################
# MISSION 0x25 #
################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.
## ES ##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.
freya@venus:~$ while true; do cat /free/* 2>/dev/null; done
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
.......
freya@venus:~$ su -l alexa
Password:
alexa@venus:~$26 alexa
alexa@venus:~$ ls -la
total 32
drwxr-x--- 2 root alexa 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 alexa alexa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alexa alexa 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 alexa alexa 807 Apr 23 2023 .profile
-rw-r----- 1 root alexa 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root alexa 172 Apr 5 06:27 mission.txt
alexa@venus:~$ cat flagz.txt
8===12ALP3eLlJ1GrTBxwJQM===D~~
alexa@venus:~$ cat mission.txt
################
# MISSION 0x26 #
################
## EN ##
The password of the user ariel is online! (HTTP)
## ES ##
El password de la usuaria ariel esta online! (HTTP)
alexa@venus:~$ curl http://127.0.1
33EtHoz9a0w2Yqo27 ariel
ariel@venus:~$ ls -la
total 44
drwxr-x--- 2 root ariel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 ariel ariel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 ariel ariel 3526 Apr 23 2023 .bashrc
-rw-r----- 1 root ariel 12288 Apr 5 06:28 .goas.swp
-rw-r--r-- 1 ariel ariel 807 Apr 23 2023 .profile
-rw-r----- 1 root ariel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root ariel 254 Apr 5 06:27 mission.txt
ariel@venus:~$ cat flagz.txt
8===lqTeJ1msxhNjNJCptxmZ===D~~
ariel@venus:~$ cat mission.txt
################
# MISSION 0x27 #
################
## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.
## ES ##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!
ariel@venus:~$ vim -h
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled May 04 2023 10:24:44)
Usage: vim [arguments] [file ..] edit specified file(s)
or: vim [arguments] - read text from stdin
or: vim [arguments] -t tag edit file where tag is defined
or: vim [arguments] -q [errorfile] edit file with first error
Arguments:
-- Only file names after this
-v Vi mode (like "vi")
-e Ex mode (like "ex")
-E Improved Ex mode
-s Silent (batch) mode (only for "ex")
-d Diff mode (like "vimdiff")
-y Easy mode (like "evim", modeless)
-R Readonly mode (like "view")
-Z Restricted mode (like "rvim")
-m Modifications (writing files) not allowed
-M Modifications in text not allowed
-b Binary mode
-l Lisp mode
-C Compatible with Vi: 'compatible'
-N Not fully Vi compatible: 'nocompatible'
-V[N][fname] Be verbose [level N] [log messages to fname]
-D Debugging mode
-n No swap file, use memory only
-r List swap files and exit
-r (with file name) Recover crashed session
-L Same as -r
-A Start in Arabic mode
-H Start in Hebrew mode
-T <terminal> Set terminal type to <terminal>
--not-a-term Skip warning for input/output not being a terminal
--ttyfail Exit if input or output is not a terminal
-u <vimrc> Use <vimrc> instead of any .vimrc
--noplugin Don't load plugin scripts
-p[N] Open N tab pages (default: one for each file)
-o[N] Open N windows (default: one for each file)
-O[N] Like -o but split vertically
+ Start at end of file
+<lnum> Start at line <lnum>
--cmd <command> Execute <command> before loading any vimrc file
-c <command> Execute <command> after loading the first file
-S <session> Source file <session> after loading the first file
-s <scriptin> Read Normal mode commands from file <scriptin>
-w <scriptout> Append all typed commands to file <scriptout>
-W <scriptout> Write all typed commands to file <scriptout>
-x Edit encrypted files
--startuptime <file> Write startup timing messages to <file>
--log <file> Start logging to <file> early
-i <viminfo> Use <viminfo> instead of .viminfo
--clean 'nocompatible', Vim defaults, no plugins, no viminfo
-h or --help Print Help (this message) and exit
--version Print version information and exit
ariel@venus:~$ vim -r .goas.swp
Thats my little DIc with my old and current passwOrds:
-->ppkJjqYvSCIyAhK
-->cOXlRYXtJWnVQEG
--rxhKeFKveeKqpwp
-->RGBEMbZHZRgXZnu
-->IaOpTdAuhSjGZnu
-->NdnszvjulNellbK
-->GBUguuSpXVjpxLc
-->rSkPlPhymYcerMJ
-->PEOppdOkSqJZweH
-->EKvJoTBYlwtwFmv
-->d3LieOzRGX5wud6
-->mYhQVLDKdJrsIwG
-->DabEJLmAbOQxEnD
-->LkWReDaaLCMDlLf
-->cbjYGSvqAsqIvdg
-->QsymOOVbzSaKmRm
-->bnQgcXYamhSDSff
-->VVjqJGRrnfKmcgD按gg可以到页面顶部第一个字符上面去,使用dd即可删除改行,按dw可以删除单词,按.可以执行上一个命令,如此即可删除掉所有的-->和空白行,然后按
:w /tmp/pass
:q!进行保存,后面可以尝试进行爆破,我使用hydra进行爆破的,也可以尝试使用bash脚本进行爆破:
hgbe02@pwn:~/temp$ hydra -l lola -P pass ssh://venus.hackmyvm.eu:5000
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 01:44:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18 login tries (l:1/p:18), ~2 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[5000][ssh] host: venus.hackmyvm.eu login: lola password: d3LieOzRGX5wud6
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 01:44:14下面附上大佬写的脚本,很优雅:
while IFS= read -r line; do echo $line | timeout 2 su lola 2>/dev/null; if [ $? -eq 0 ]; then echo $line; break; fi; done < /tmp/dict.txt28 lola
lola@venus:~$ ls -la
total 36
drwxr-x--- 2 root lola 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lola lola 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lola lola 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lola lola 807 Apr 23 2023 .profile
-rw-r----- 1 root lola 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lola 272 Apr 5 06:27 mission.txt
-rw-r----- 1 root lola 1438 Apr 5 06:28 pages.txt
lola@venus:~$ cat flagz.txt
8===TMYRw853hx8yKRocFMgM===D~~
lola@venus:~$ cat mission.txt
################
# MISSION 0x28 #
################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.
## ES ##
La usuaria celeste ha dejado un listado de nombres de posibles paginas .html donde encontrar su password.
lola@venus:~$ cat pages.txt
new-servers
server-updates
SenSage_LEO
1355485668
25101
Real-Time Communication
ulist
VGVsbmV0
15915
mumbo
planet-icon
DealTime_57c
121616253
708303201
suppliers_logos
imagesPage
bar-left
webdev-logo
h-line
34552
479800180
1080410073
symm
1665300941
time-date
image-effects
1412058599
1166197595
1115392848
1083085151
Dotster_47c
agi
grotius
primers
decades
upfront
sitecredits
SSC
Kids-Software
Projector-Accessories
Ink
Microphones
Satellite-Radio
existingcustomers
media-types
junkbuster
symankr
career-opportunities
corner_ur
corner_ul
findlaw
classaction
Factsheets
Comets
symantch
dark_grey
Sunbelt
penguin_log
cswift
eref
symantecpress
symanbr
h_consumerassistanceheader
h_homeb
h_parentsb
h_privacyb
h_consumerassistanceb
h_consumerfaqsb
h_mainheader
dmasponsorship
consumerfaqs
symantde
pc_dots
ci_4958157
themonitor
Columbus
glo
regan
GR2006120500981
uscode49
uscode39
uscode20
DEFAULT
uscode12
toxins
ferris
Jan07
000109
efpa
funders
badads
civicactions
iraq_plans
askthepilot215
mail_cover
081606
092306
book_review
consumerprotection
facta
050518
IWC
ahead
shah
rockertraining
respiratory
197442_1
xCH-computer_accessories
xCH-computer_memory
xCH-networking
xCH-components
xCH-inputdevices
xPP-Monitors
xPP-PC_Desktops
xCH-hardware
116044
20061226
logo_eseminars
cebolla
logo_pcmag
1999-02
pcmagnetwork
40305
breastcancer
infocusRel
key2
xCH-software
check_prices
rev_snapshot
ca-library
pubs1
bullet_P1
bullet_B1
spectral
lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.1/$line ; done < pages.txt 2>/dev/null | grep -v '<'
33EtHoz9a0w2Yqo
33EtHoz9a0w2Yqo但是无法正常进行切换用户,可能是兔子洞,重新改了一下:
lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.0.1/$line.html ; done < pages.txt 2>/dev/null | grep -v '
<'
VLSNMTKwSV2o8Tn29 celeste
celeste@venus:~$ ls -la
total 32
drwxr-x--- 2 root celeste 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 celeste celeste 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 celeste celeste 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 celeste celeste 807 Apr 23 2023 .profile
-rw-r----- 1 root celeste 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root celeste 179 Apr 5 06:27 mission.txt
celeste@venus:~$ cat flagz.txt
8===TrdsvMy99slFZtd4Cy4Q===D~~
celeste@venus:~$ cat mission.txt
################
# MISSION 0x29 #
################
## EN ##
The user celeste has access to mysql but for what?
## ES ##
La usuaria celeste tiene acceso al mysql, pero para que?
celeste@venus:~$ mysql -uceleste -pVLSNMTKwSV2o8Tn
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1341
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| venus |
+--------------------+
2 rows in set (0.002 sec)
MariaDB [(none)]> use venus;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [venus]> show tables;
+-----------------+
| Tables_in_venus |
+-----------------+
| people |
+-----------------+
1 row in set (0.001 sec)
MariaDB [venus]> select * from people;
+-----------+---------------+--------------------------------+
| id_people | uzer | pazz |
+-----------+---------------+--------------------------------+
| 1 | nuna | ixpfdsvcxeqdW |
| 2 | nona | ixpvcxvcxeqdW |
| 3 | manue | ixpfdsfdseqdW |
| 4 | samoa | ixperrewrweqdW |
| 5 | dsaewq | ixpefdsfsqdW |
| 6 | fdsfewrew | ixpedvcxv4qdW |
| 7 | koiuoiudsadas | ixpredsfdeqdW |
| 8 | vcxfdsfew | ixp342432eqdW |
| 9 | dasd | ixpeiuyiuyqdW |
| 10 | helen | uytuytjhgixpeqdW |
| 11 | tudou | ijhgjghxpeqfdfsfddW |
| 12 | fdsoiurew | ixpfdsfsdsvcxvcxeqdW |
| 13 | inan | imbnmnbxpeqdW |
| 14 | zkret | ixpeqkjhkhjkdW |
| 15 | cjhcx | i432423xpeqdW |
| 16 | sfdfdsml | ixpeqdsfsdfdsfW |
| 17 | svcxvcxml | 432423ixpeqdW |
| 18 | xml | ixpejhgjhgqdW |
| 19 | pdf | ixperewrewrewqdW |
| 20 | txt | ixpeuytuytqdW |
| 21 | vcxvcx | ixpefdsfdsfdfdsqdW |
| 22 | dsadsa | ixpeqdjhkjhW |
| 23 | lel | ixpvcxvcxvcxeqdW |
| 24 | lul | ixpeqdmnbmnbmnbmW |
| 25 | dog | ixperewrewrewqdW |
| 26 | cat | ixvcxvdsfsdvpeqdW |
| 27 | pet | ixiufohsyuoirewpeqdW |
| 28 | pzzz | ixvcxvcxvpeqdW |
| 29 | ls | ixpehgfdhdhqdW |
| 30 | vi | ixpetrvvrqdW |
| 31 | tmux | iuovcxoiujvcxixpeqdW |
| 32 | screen | ixpeqrewregfdgdW |
| 33 | yes | ixpebvcgdfgqdW |
| 34 | nop | ixpefdsqdW |
| 35 | haha | 8===xKmPDsJSKpHLzkqKXyjx===D~~ |
| 36 | love | ixpegfdgqdW |
| 37 | dsadsa | fdsvcxvcxixpeqdW |
| 38 | d4t4 | erwerewreixpeqdW |
| 39 | nna | gdfgdixpeqdW |
| 40 | nin | aaafdixpeqdW |
| 41 | tre | fdsafixpeqdW |
| 42 | tfas | igfdgfdgxpeqdW |
| 43 | zcxc | ixfdgdfgpeqdW |
| 44 | yuio | ixpgbvcbvcbeqdW |
| 45 | jhgyurtrt | treterterixpeqdW |
| 46 | lodsa | itreterxpeqdW |
| 47 | zarah | ixpvcbvcbeqdW |
| 48 | zkkad | ixpedfgvbcxbvcqdW |
| 49 | bvher | vcxvcxgfdgfdixpeqdW |
| 50 | dsadsa | ixpeqergdfwer32dW |
| 51 | ch4rm | ixpeewf23qdW |
| 52 | Aza | ixpjhgjgheqdW |
| 53 | avij | ixpegfdgdfgqdW |
| 54 | crom | ixpefdbvvcbrqdW |
| 55 | bubu | ixpetretretqdW |
| 56 | bebe | ixpeghfgfdqdW |
| 57 | baba | ixpeffesfqdW |
| 58 | bael | ixpesdvsdvsdqdW |
| 59 | vaze | ixpe23r23rf23qdW |
| 60 | upper | ixpe43r43rqdW |
| 61 | loz | ixpeqddfsdW |
| 62 | mind | ixpfsdfsdfsdeqdW |
| 63 | mymy | ixpevcxvqdW |
| 64 | ina | ixpee23e32rqdW |
| 65 | ein | ixpejytjytjhgjqdW |
| 66 | n1n4 | ixpehgjghjhghgqdW |
| 67 | where | ixljkgjgpeqdW |
| 68 | you | ixpeqdhggjhgjW |
| 69 | are | ixVCXVCXVCXVCXdW |
| 70 | what | ixpeqhgjggdW |
| 71 | dsaqqqqqq | ixpeqVCXVCXdW |
| 72 | h0j3n | ixpemnbmbnmghqdW |
| 73 | nana | ixpeqVSDFWCdW |
| 74 | nina | ixpeqdWuvC5N9kG |
| 75 | nunu | ixpeSFDSFDSVCXqdW |
| 76 | fdse | ixpeDFSWEF2qdW |
| 77 | dsar | ixpeF43F3F34qdW |
| 78 | yop | ixpeqdWCSDFDSFD |
| 79 | loco | ixpeF43F34F3qdW |
| 80 | zaza | ixpeYUTHNYGTHYTqdW |
| 81 | jhon | ixpeFDSJYTUJTYqdW |
| 82 | tell | ixpeHYTTqdW |
| 83 | ma | uyixptje4FSFWEFqdW |
| 84 | mum | jghixpeqdW |
| 85 | nanaa | 432432ixpeqdW |
| 86 | nnnniinn | irewxpeqdW |
| 87 | iourewoiure | rewixpeqdW |
| 88 | lkjfdsoiu | dsaixpeqdW |
| 89 | vcxnoj | dasdasixpeqdW |
| 90 | ioyuwer | ixpeqdvcxvcxW |
| 91 | kaka | ixpeqdW |
| 92 | nini | ixpeqdvcxW |
| 93 | zong | ixpeqdWfdsfsdf |
| 94 | nana | ixpefdsafdsqdW |
| 95 | ninna | ixpeqOPUIFDSFDSdW |
+-----------+---------------+--------------------------------+
95 rows in set (0.001 sec)找到一个flag,名为haha的flag => 8===xKmPDsJSKpHLzkqKXyjx===D~~
其他长度不一,筛选出长度在15个字符的密码,这是大多数用户的密码:
MariaDB [venus]> select * from people where length(pazz) = 15;
+-----------+----------+-----------------+
| id_people | uzer | pazz |
+-----------+----------+-----------------+
| 16 | sfdfdsml | ixpeqdsfsdfdsfW |
| 44 | yuio | ixpgbvcbvcbeqdW |
| 54 | crom | ixpefdbvvcbrqdW |
| 58 | bael | ixpesdvsdvsdqdW |
| 74 | nina | ixpeqdWuvC5N9kG |
| 77 | dsar | ixpeF43F3F34qdW |
| 78 | yop | ixpeqdWCSDFDSFD |
| 79 | loco | ixpeF43F34F3qdW |
+-----------+----------+-----------------+
8 rows in set (0.005 sec)尝试进行爆破:
sfdfdsml
yuio
crom
bael
nina
dsar
yop
locoixpeqdsfsdfdsfW
ixpgbvcbvcbeqdW
ixpefdbvvcbrqdW
ixpesdvsdvsdqdW
ixpeqdWuvC5N9kG
ixpeF43F3F34qdW
ixpeqdWCSDFDSFD
ixpeF43F34F3qdW但是没有爆破出来,不知道为啥,尝试看一下是否存在用户,发现nina是存在的,尝试登录,成功!
30 nina
celeste@venus:~$ su -l nina
Password:
nina@venus:~$ ls -la
total 32
drwxr-x--- 2 root nina 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 nina nina 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 nina nina 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 nina nina 807 Apr 23 2023 .profile
-rw-r----- 1 root nina 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root nina 197 Apr 5 06:27 mission.txt
nina@venus:~$ cat flagz.txt
8===VwICIymoA1DczWJau1sG===D~~
nina@venus:~$ cat mission.txt
################
# MISSION 0x30 #
################
## EN ##
The user kira is hidding something in http://localhost/method.php
## ES ##
La usuaria kira esconde algo en http://localhost/method.php
nina@venus:~$ curl -i -s http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:26:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X POST http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:27:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X HEAD http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:28:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
^C
nina@venus:~$ curl -s -i -X PUT http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:29:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
tPlqxSKuT4eP3yr更进一步的尝试:
nina@venus:~$ curl -s -i -X DELETE http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X CONNECT http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:15 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X OPTIONS http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X TRACE http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:44 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X PATCH http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:31:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
8===tPGClekAvQKSYthnLiwz===D~~I dont like this method!哈哈,nice!!!!快夸我!!!
31 kira
nina@venus:~$ su -l kira
Password:
kira@venus:~$ ls -la
total 32
drwxr-x--- 2 root kira 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 kira kira 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 kira kira 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 kira kira 807 Apr 23 2023 .profile
-rw-r----- 1 root kira 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root kira 191 Apr 5 06:27 mission.txt
kira@venus:~$ cat flagz.txt
8===rJun2WyeuGIvabWQvJko===D~~
kira@venus:~$ cat mission.txt
################
# MISSION 31 #
################
## EN ##
The user veronica visits a lot http://localhost/waiting.php
## ES ##
La usuaria veronica visita mucho http://localhost/waiting.php
kira@venus:~$ curl -s -i http://localhost/waiting.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Im waiting for the user-agent PARADISE.
kira@venus:~$ curl -s -i http://localhost/waiting.php -A "PARADISE"
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
QTOel6BodTx2cwX32 veronica
kira@venus:~$ su -l veronica
Password:
veronica@venus:~$ ls -la
total 32
drwxr-x--- 2 root veronica 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 veronica veronica 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 veronica veronica 3559 Apr 5 06:28 .bashrc
-rw-r--r-- 1 veronica veronica 807 Apr 23 2023 .profile
-rw-r----- 1 root veronica 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root veronica 228 Apr 5 06:27 mission.txt
veronica@venus:~$ cat flagz.txt
8===iSSeKzoDXsKy8WPuqNPg===D~~
veronica@venus:~$ cat mission.txt
################
# MISSION 0x32 #
################
## EN ##
The user veronica uses a lot the password from lana, so she created an alias.
## ES ##
La usuaria veronica usa mucho la password de lana, asi que ha creado un alias.
veronica@venus:~$ alias
alias lanapass='UWbc0zNEVVops1v'
alias ls='ls --color=auto'33 lana
veronica@venus:~$ su -l lana
Password:
lana@venus:~$ ls -la
total 44
drwxr-x--- 2 root lana 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lana lana 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lana lana 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lana lana 807 Apr 23 2023 .profile
-rw-r----- 1 root lana 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lana 161 Apr 5 06:27 mission.txt
-rw-r----- 1 root lana 10240 Apr 5 06:28 zip.gz
lana@venus:~$ cat flagz.txt
8===um3Hno2AsjFjuLWsfmDj===D~~
lana@venus:~$ cat mission.txt
################
# MISSION 0x33 #
################
## EN ##
The user noa loves to compress her things.
## ES ##
A la usuaria noa le gusta comprimir sus cosas.
lana@venus:~$ gunzip -h
Usage: gzip [OPTION]... [FILE]...
Compress or uncompress FILEs (by default, compress FILES in-place).
Mandatory arguments to long options are mandatory for short options too.
-c, --stdout write on standard output, keep original files unchanged
-d, --decompress decompress
-f, --force force overwrite of output file and compress links
-h, --help give this help
-k, --keep keep (don't delete) input files
-l, --list list compressed file contents
-L, --license display software license
-n, --no-name do not save or restore the original name and timestamp
-N, --name save or restore the original name and timestamp
-q, --quiet suppress all warnings
-r, --recursive operate recursively on directories
--rsyncable make rsync-friendly archive
-S, --suffix=SUF use suffix SUF on compressed files
--synchronous synchronous output (safer if system crashes, but slower)
-t, --test test compressed file integrity
-v, --verbose verbose mode
-V, --version display version number
-1, --fast compress faster
-9, --best compress better
With no FILE, or when FILE is -, read standard input.
Report bugs to <bug-gzip@gnu.org>.
lana@venus:~$ gunzip -d zip.gz
gzip: zip.gz: not in gzip format
lana@venus:~$ file zip.gz
zip.gz: POSIX tar archive (GNU)
lana@venus:~$ cat zip.gz
pwned/lana/zip0000644000000000000000000000002014603715036012326 0ustar rootroot9WWOPoeJrq6ncvJ34 noa
lana@venus:~$ su -l noa
Password:
noa@venus:~$ ls -la
total 36
drwxr-x--- 2 root noa 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 noa noa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 noa noa 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 noa noa 807 Apr 23 2023 .profile
-rw-r----- 1 root noa 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root noa 159 Apr 5 06:27 mission.txt
-rw-r----- 1 root noa 3818 Apr 5 06:28 trash
noa@venus:~$ cat flagz.txt
8===HUNGevKdeKwcCvJru1CC===D~~
noa@venus:~$ cat mission.txt
################
# MISSION 0x34 #
################
## EN ##
The password of maia is surrounded by trash
## ES ##
La password de maia esta rodeada de basura
venus:~$ file trash
trash: data
noa@venus:~$ strings trash
b;pK
*&dv
|.-
wsG9
D55-
\|gu
1q#^
YV!)}
f}nP
T735
5GOj'
g3-5v)S~hK
{Xu7
O;rTl,
]Bokc
04`0
X:Uf
;Vtr3
`vr)
k` I
<(;pQ
@$LiJ
u7TI
*Q{r%
;%gzDB
b%/*
3g?d
=I+"
xfFN
\nh1hnDPHpydEjoEN
! 2L~8
JmN8
@%`j
, ^,
e&xvN2
_cKn
.c|0
)|hd&
hl(p
fEr:
OdBb
?OsP
dnN9
J7e(
JL6(
wI;%vz
apPD
a5qi
|otr
4TTm
toyi
*f|F
.%J`t
noa@venus:~$ strings trash | grep -E '^.{15,}$'
\nh1hnDPHpydEjoEN-E正则^行的开始.表示任意字符- {15,} 数量下限为15
$行尾
35 maia
noa@venus:~$ su -l maia
Password:
maia@venus:~$ ls -la
total 36
drwxr-x--- 2 root maia 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 maia maia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 maia maia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 maia maia 807 Apr 23 2023 .profile
-rw-r----- 1 root maia 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root maia 16 Apr 5 06:28 forget
-rw-r----- 1 root maia 317 Apr 5 06:27 mission.txt
maia@venus:~$ cat flagz.txt
8===nu8IDScKFAXVcnFutKtG===D~~
maia@venus:~$ cat mission.txt
################
# MISSION 0x35 #
################
## EN ##
The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters.
## ES ##
La usuaria gloria ha olvidado los 2 ultimos caracteres de su password... Solo recuerdan que eran 2 letras minusculas.
maia@venus:~$ cat forget
v7xUVE2e5bjUc??
hgbe02@pwn:~/temp$ for a in {a..z}; do for b in {a..z}; do echo "v7xUVE2e5bjUc$a$b" >> pass; done; done
hgbe02@pwn:~/temp$ head -n 20 pass
v7xUVE2e5bjUcaa
v7xUVE2e5bjUcab
v7xUVE2e5bjUcac
v7xUVE2e5bjUcad
v7xUVE2e5bjUcae
v7xUVE2e5bjUcaf
v7xUVE2e5bjUcag
v7xUVE2e5bjUcah
v7xUVE2e5bjUcai
v7xUVE2e5bjUcaj
v7xUVE2e5bjUcak
v7xUVE2e5bjUcal
v7xUVE2e5bjUcam
v7xUVE2e5bjUcan
v7xUVE2e5bjUcao
v7xUVE2e5bjUcap
v7xUVE2e5bjUcaq
v7xUVE2e5bjUcar
v7xUVE2e5bjUcas
v7xUVE2e5bjUcat
hgbe02@pwn:~/temp$ hydra -l gloria -P pass ssh://venus.hackmyvm.eu:5000
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 03:14:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 676 login tries (l:1/p:676), ~43 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[STATUS] 98.00 tries/min, 98 tries in 00:01h, 579 to do in 00:06h, 16 active
[STATUS] 103.33 tries/min, 310 tries in 00:03h, 367 to do in 00:04h, 16 active
[5000][ssh] host: venus.hackmyvm.eu login: gloria password: v7xUVE2e5bjUcxw
[STATUS] 96.57 tries/min, 676 tries in 00:07h, 1 to do in 00:01h, 2 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 03:21:1936 gloria
maia@venus:~$ su -l gloria
Password:
gloria@venus:~$ ls -la
total 36
drwxr-x--- 2 root gloria 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 gloria gloria 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 gloria gloria 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 gloria gloria 807 Apr 23 2023 .profile
-rw-r----- 1 root gloria 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root gloria 1713 Apr 5 06:28 image
-rw-r----- 1 root gloria 222 Apr 5 06:27 mission.txt
gloria@venus:~$ cat flagz.txt
8===RZIkEtaEp18tLslTopJj===D~~
gloria@venus:~$ cat mission.txt
################
# MISSION 0x36 #
################
## EN ##
User alora likes drawings, that's why she saved her password as ...
## ES ##
A la usuaria alora le gustan los dibujos, por eso ha guardado su password como...
gloria@venus:~$ file image
image: ASCII text
gloria@venus:~$ cat image
##########################################################
##########################################################
##########################################################
##########################################################
######## ########## ## ########
######## ########## ## ## #### ########## ########
######## ## ## ## ## ###### ## ## ########
######## ## ## #### ######## ## ## ########
######## ## ## ## #### ## ## ########
######## ########## ## #### ########## ########
######## ## ## ## ## ########
######################## #### ##########################
######## ## #### #### ## ## ## ##########
############ ###### ## ## ## ########
######## ## ## ## ## #### ## ########
############## ## ## ###### ## #### ########
############ ## ## ######## ## ## ##########
######################## #### ## ## #### ########
######## ## #### ## ##########
######## ########## ###### ########## #### ##########
######## ## ## #### ## ###### ########
######## ## ## ## ## ###### ## #### ########
######## ## ## #### ## ## ## ########
######## ########## ## #### ## ##################
######## ## ## ##########
##########################################################
##########################################################
##########################################################
##########################################################拿微信扫一下得到密码:mhrTFCoxGoqUxtw
37 alora
gloria@venus:~$ su -l alora
Password:
alora@venus:~$ ls -la
total 384
drwxr-x--- 2 root alora 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 alora alora 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alora alora 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 alora alora 807 Apr 23 2023 .profile
-rw-r----- 1 root alora 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root alora 176 Apr 5 06:27 mission.txt
-rw-r----- 1 root alora 360448 Apr 5 06:28 music.iso
alora@venus:~$ cat flagz.txt
8===NSe78N2lM7IbvHzvrC0G===D~~
alora@venus:~$ cat mission.txt
################
# MISSION 0x37 #
################
## EN ##
The user julie has created an iso with her password.
## ES ##
La usuaria julie ha creado una iso con su password.
alora@venus:~$ file music.iso
music.iso: ISO 9660 CD-ROM filesystem data 'CDROM'
alora@venus:~$ strings music.iso
CD001
LINUX CDROM
GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
2024040506284600
2024040506284600
0000000000000000
2024040506284600
CD001
MUSIC.ZIP;1RR
music.zipPX$
RRIP_1991ATHE ROCK RIDGE INTERCHANGE PROTOCOL PROVIDES SUPPORT FOR POSIX FILE SYSTEM SEMANTICSPLEASE CONTACT DISC PUBLISHER FOR SPECIFICATION SOURCE. SEE PUBLISHER IDENTIFIER IN PRIMARY VOLUME DESCRIPTOR FOR CONTACT INFORMATION.
pwned/alora/music.txtUT
sjDf4i2MSNgSvOv
pwned/alora/music.txtUT得到密码,尝试常规做法挂载试试:
alora@venus:~$ mkdir /tmp/temp_music
alora@venus:~$ mount -o loop music.iso /tmp/temp_music
mount: /tmp/temp_music: mount failed: Operation not permitted.
alora@venus:~$ sudo mount -o loop music.iso /tmp/temp_music
[sudo] password for alora:
alora is not in the sudoers file.
This incident has been reported to the administrator.
# 传到本地机器中
hgbe02@pwn:~/temp$ mkdir /tmp/music
hgbe02@pwn:~/temp$ sudo mount -o loop music.iso /tmp/music
[sudo] password for hgbe02:
mount: /tmp/music: WARNING: source write-protected, mounted read-only.
hgbe02@pwn:~/temp$ unzip /tmp/music/music.zip -d tmp
Archive: /tmp/music/music.zip
extracting: tmp/pwned/alora/music.txt
hgbe02@pwn:~/temp$ cat /tmp/pwned/a;ora/music.txt
cat: /tmp/pwned/a: No such file or directory
-bash: ora/music.txt: No such file or directory
hgbe02@pwn:~/temp$ cat tmp/pwned/alora/music.txt
sjDf4i2MSNgSvOv
hgbe02@pwn:~/temp$ sudo umount /tmp/music这里下载到本地,我是用的termius,然后SFTP传过来的。
38 julie
alora@venus:~$ su -l julie
Password:
julie@venus:~$ ls -la
total 48
drwxr-x--- 2 root julie 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 julie julie 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 julie julie 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 julie julie 807 Apr 23 2023 .profile
-rw-r----- 1 root julie 4802 Apr 5 06:28 1.txt
-rw-r----- 1 root julie 4802 Apr 5 06:28 2.txt
-rw-r----- 1 root julie 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root julie 192 Apr 5 06:27 mission.txt
julie@venus:~$ cat flagz.txt
8===Iwe1QpxTcx0A8Uusqjfe===D~~
julie@venus:~$ cat mission.txt
################
# MISSION 0x38 #
################
## EN ##
The user irene believes that the beauty is in the difference.
## ES ##
La usuaria irene cree que en la diferencia esta lo bonito.
julie@venus:~$ diff 1.txt 2.txt
174c174
< 8VeRLEFkBpe2DSD
---
> aNHRdohjOiNizlU俩都有可能,尝试一下是否可以进行切换。
39 irene
julie@venus:~$ su -l irene
Password:
irene@venus:~$ ls -la
total 44
drwxr-x--- 2 root irene 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 irene irene 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 irene irene 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 irene irene 807 Apr 23 2023 .profile
-rw-r----- 1 root irene 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root irene 1704 Apr 5 06:28 id_rsa.pem
-rw-r----- 1 root irene 451 Apr 5 06:28 id_rsa.pub
-rw-r----- 1 root irene 178 Apr 5 06:27 mission.txt
-rw-r----- 1 root irene 256 Apr 5 06:28 pass.enc
irene@venus:~$ cat flagz.txt
8===c9hgLkLGzsNw7mB3VEr4===D~~
irene@venus:~$ cat mission.txt
################
# MISSION 0x39 #
################
## EN ##
The user adela has lent her password to irene.
## ES ##
La usuaria adela le ha dejado prestada su password a irene.
irene@venus:~$ openssl pkeyutl -decrypt -inkey id_rsa.pem -in pass.enc
nbhlQyKuaXGojHx40 adela
irene@venus:~$ su -l adela
Password:
adela@venus:~$ ls -la
total 36
drwxr-x--- 2 root adela 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 adela adela 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 adela adela 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 adela adela 807 Apr 23 2023 .profile
-rw-r----- 1 root adela 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root adela 213 Apr 5 06:27 mission.txt
-rw-r----- 1 root adela 44 Apr 5 06:28 wtf
adela@venus:~$ cat flagz.txt
8===86XGXQefUeV2eEdrUzxx===D~~
adela@venus:~$ cat mission.txt
################
# MISSION 0x40 #
################
## EN ##
User sky has saved her password to something that can be listened to.
## ES ##
La usuaria sky ha guardado su password en algo que puede ser escuchado.
adela@venus:~$ cat wtf
.--. .- .--. .- .--. .- .-. .- -.. .. ... .使用cyberchef进行解密,是莫斯密码:PAPAPARADISE,小写即为papaparadise
