• HackMyVm,Chapter 1: Venu 复现 01 - 24


    本文为复现篇:

    Refer to bugninja’s Write Up.

    Host: venus.hackmyvm.eu
    Port: 5000
    User: hacker
    Pass: havefun!
    
    • 1
    • 2
    • 3
    • 4

    Flags 01

    readme.txt

    # EN
    Hello hax0r,
    Welcome to the HMVLab Chapter 1: Venus!
    This is a CTF for beginners where you can practice your skills with Linux and CTF
    so lets start! :)
    First of all, the home of each user is in /pwned/USER and in it you will find a file called mission.txt which will contain
    the mission to complete to get the password of the next user.
    It will also contain the flagz.txt file, which if you are registered at https://hackmyvm.eu you can enter to participate in the ranking (optional).
    And for a bit of improvisation, there are secret levels and hidden flags: D
    You will not have write permissions in most folders so if you need to write a script or something
    use /tmp folder, keep in mind that it is frequently deleted ...
    
    And last (and not least) some users can modify the files that are in the
    folder /www, these files are accessible from http://venus.hackmyvm.eu so if you get a user
    that can modify the file /www/hi.txt, you can put a message and it will be reflected in http://venus.hackmyvm.eu/hi.txt. 
    
    If you have questions/ideas or want to comment us anything you can join
    to our Discord: https://discord.gg/DxDFQrJ
    
    Remember there are more people playing so be respectful.
    Hack & Fun! 
    
    # ES
    Hola hax0r,
    Bienvenid@ al HMVLab Chapter 1: Venus!
    Este es un CTF para principiantes donde podras practicar tus habilidades con Linux y los CTF
    asi que vamos a trastear un poco! :)
    Antes de nada, el home de cada usuario se encuentra en /pwned/USUARIO y en el encontraras un fichero llamado mission.txt el cual contendra
    la mision a completar para conseguir la password del siguiente usuario.
    Tambien contendra el fichero flagz.txt, que si estas registrado en https://hackmyvm.eu podras introducir para participar en el ranking (opcional).
    Y para que haya un poco de improvisacion, hay niveles secretos y flags escondidas :D
    No tendras permisos de escritura en la mayoria de carpetas asi que si necesitas escribir algun script o algo
    usa la carpeta /tmp, ten en cuenta que es eliminada de manera frecuente...
    
    Y por ultimo (y no menos importante) algunos usuarios pueden modificar los ficheros que estan en la 
    carpeta /www, estos ficheros son accesibles desde http://venus.hackmyvm.eu asi que si consigues un usuario
    que pueda modificar el fichero /www/hi.txt, podras poner un mensaje y se verá reflejado en http://venus.hackmyvm.eu/hi.txt.
    
    Si tienes dudas/ideas o quieres comentar cualquier cosa puedes unirte 
    a nuestro Discord: https://discord.gg/DxDFQrJ
    
    Recuerda que hay mas gente jugando asi que se respetuoso.
    Hack & Fun! 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43

    mission.txt

    ################
    # MISSION 0x01 #
    ################
    
    ## EN ##
    User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.
    
    ## ES ##
    La usuaria sophia ha guardado su contraseña en un fichero oculto en esta carpeta.Encuentralo y logueate como sophia.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    hacker@venus:~$ ls -la
    total 36
    drwxr-x---  2 root   hacker 4096 Apr  7  2022 .
    drwxr-xr-x 55 root   root   4096 Apr  7  2022 ..
    -rw-r-----  1 root   hacker   31 Apr  7  2022 ...
    -rw-r--r--  1 hacker hacker  220 Aug  4  2021 .bash_logout
    -rw-r--r--  1 hacker hacker 3526 Aug  4  2021 .bashrc
    -rw-r-----  1 root   hacker   16 Apr  7  2022 .myhiddenpazz
    -rw-r--r--  1 hacker hacker  807 Aug  4  2021 .profile
    -rw-r-----  1 root   hacker  287 Apr  7  2022 mission.txt
    -rw-r-----  1 root   hacker 2542 Apr  7  2022 readme.txt
    hacker@venus:~$ cat .myhiddenpazz 
    Y1o645M3mR84ejc
    hacker@venus:~$
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    hacker@venus:~$ cat .myhiddenpazz 
    Y1o645M3mR84ejc
    hacker@venus:~$ su sophia
    
    • 1
    • 2
    • 3
    sophia@venus:/pwned/hacker$ cd ~
    sophia@venus:~$ ls
    flagz.txt  mission.txt
    sophia@venus:~$ cat flagz.txt 
    8===LUzzNuv8NB59iztWUIQS===D~~
    sophia@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6

    Flags 02

    mission.txt

    ################
    # MISSION 0x02 #
    ################
    
    ## EN ##
    The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt 
    
    ## ES ##
    La usuaria angela ha guardado su password en un fichero pero no recuerda donde... solo recuerda que el fichero se llamaba whereismypazz.txt
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    sophia@venus:~$ find / -name "whereismypazz.txt" 2>/dev/null
    /usr/share/whereismypazz.txt
    sophia@venus:~$ cat /usr/share/whereismypazz.txt
    oh5p9gAABugHBje
    sophia@venus:~$ 
    sophia@venus:~$ su angela
    Password: 
    angela@venus:/pwned/sophia$ cd ~
    angela@venus:~$ ls
    findme.txt  flagz.txt  mission.txt
    angela@venus:~$ cat flagz.txt 
    8===SjMYBmMh4bk49TKq7PM8===D~~
    angela@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13

    Flags 03

    mission.txt

    ################
    # MISSION 0x03 #
    ################
    
    ## EN ##
    The password of the user emma is in line 4069 of the file findme.txt
    
    ## ES ##
    La password de la usuaria emma esta en la linea 4069 del fichero findme.txt
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9

    在这里插入图片描述

    fIvltaGaq0OUH8O

    angela@venus:~$ su emma
    Password: 
    emma@venus:/pwned/angela$ cd ~
    emma@venus:~$ ls
    -  flagz.txt  mission.txt
    emma@venus:~$ cat flagz.txt 
    8===0daqdDlmd9XogkiHu4yq===D~~
    emma@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8

    Flags 04

    missions.txt

    ################
    # MISSION 0x04 #
    ################
    
    ## EN ##
    User mia has left her password in the file -.
    ## ES ##
    La usuaria mia ha dejado su password en el fichero -.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    emma@venus:~$ ls
    -  flagz.txt  mission.txt
    emma@venus:~$ cat ./-
    iKXIYg0pyEH2Hos
    emma@venus:~$ su mia
    Password: 
    mia@venus:/pwned/emma$ cd ~
    mia@venus:~$ ls
    flagz.txt  mission.txt
    mia@venus:~$ cat flagz.txt 
    8===FBMdY8hel2VMA3BaYJin===D~~
    mia@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 05

    missions.txt

    ################
    # MISSION 0x05 #
    ################
    
    ## EN ##
    It seems that the user camila has left her password inside a folder called hereiam 
    
    ## ES ##
    Parece que la usuaria camila ha dejado su password dentro de una carpeta llamada hereiam
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    mia@venus:~$ find / -name "hereiam" 2>/dev/null
    /opt/hereiam
    mia@venus:~$ cd /opt/hereiam/
    mia@venus:/opt/hereiam$ ls
    mia@venus:/opt/hereiam$ ls -la
    total 12
    drwxr-xr-x 2 root root 4096 Apr  7  2022 .
    drwxr-xr-x 1 root root 4096 Apr  7  2022 ..
    -rw-r--r-- 1 root root   16 Apr  7  2022 .here
    mia@venus:/opt/hereiam$ cat .here 
    F67aDmCAAgOOaOc
    mia@venus:/opt/hereiam$ su camila
    Password: 
    camila@venus:/opt/hereiam$ cd ~
    camila@venus:~$ ls
    flagz.txt  mission.txt  muack
    camila@venus:~$ cat flagz.txt 
    8===iDIi5sm1mDuqGmU5Psx6===D~~
    camila@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19

    Flags 06

    ################
    # MISSION 0x06 #
    ################
    
    ## EN ##
    The user luna has left her password in a file inside the muack folder. 
    
    ## ES ##
    La usuaria luna ha dejado su password en algun fichero dentro de la carpeta muack.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    camila@venus:~$ find ./muack/ -type f
    ./muack/111/111/muack
    camila@venus:~$ cat ./muack/111/111/muack
    j3vkuoKQwvbhkMc
    camila@venus:~$ su luna
    Password: 
    luna@venus:/pwned/camila$ cd ~
    luna@venus:~$ ls
    flagz.txt  mission.txt
    luna@venus:~$ cat flagz.txt 
    8===KCO34FpIq3nBmHbyZvFh===D~~
    luna@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 07

    missions.txt

    ################
    # MISSION 0x07 #
    ################
    
    ## EN ##
    The user eleanor has left her password in a file that occupies 6969 bytes. 
    
    ## ES ##
    La usuaria eleanor ha dejado su password en un fichero que ocupa 6969 bytes.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    luna@venus:~$ find / -size 6969c 2>/dev/null
    /usr/share/man/man1/h2xs.1.gz
    /usr/share/moon.txt
    luna@venus:~$ cat /usr/share/moon.txt
    UNDchvln6Bmtu7b
    luna@venus:~$ su eleanor
    Password: 
    eleanor@venus:/pwned/luna$ cd ~
    eleanor@venus:~$ ls
    flagz.txt  mission.txt
    eleanor@venus:~$ cat flagz.txt 
    8===Iq5vbyiQl4ipNrLDArjD===D~~
    eleanor@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13

    Flags 08

    missions.txt

    ################
    # MISSION 0x08 #
    ################
    
    ## EN ##
    The user victoria has left her password in a file in which the owner is the user violin. 
    
    ## ES ##
    La usuaria victoria ha dejado su password en un fichero en el cual el propietario es el usuario violin.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    eleanor@venus:~$ find / -user violin 2>/dev/null
    /usr/local/games/yo
    eleanor@venus:~$ cat /usr/local/games/yo
    pz8OqvJBFxH0cSj
    eleanor@venus:~$ su victoria 
    Password: 
    victoria@venus:/pwned/eleanor$ cd ~
    victoria@venus:~$ ls
    flagz.txt  mission.txt  passw0rd.zip
    victoria@venus:~$ cat flagz.txt 
    8===NWyTFi9LLqVsZ4OnuZYN===D~~
    victoria@venus:~$
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 09

    missions.txt

    ################
    # MISSION 0x09 #
    ################
    
    ## EN ##
    The user isla has left her password in a zip file.
    
    ## ES ##
    La usuaria isla ha dejado su password en un fichero zip.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    victoria@venus:~$ mkdir /tmp/1/
    victoria@venus:~$ ls
    flagz.txt  mission.txt  passw0rd.zip
    victoria@venus:~$ cp passw0rd.zip /tmp/1/
    victoria@venus:~$ cd /tmp/1/
    victoria@venus:/tmp/1$ unzip passw0rd.zip 
    Archive:  passw0rd.zip
      extracting: pwned/victoria/passw0rd.txt  
    victoria@venus:/tmp/1$ ls
    passw0rd.zip  pwned
    victoria@venus:/tmp/1$ cd pwned/victoria/
    victoria@venus:/tmp/1/pwned/victoria$ ls
    passw0rd.txt
    victoria@venus:/tmp/1/pwned/victoria$ cat passw0rd.txt 
    D3XTob0FUImsoBb
    victoria@venus:/tmp/1/pwned/victoria$ su isla
    Password: 
    isla@venus:/tmp/1/pwned/victoria$ cd ~
    isla@venus:~$ ls
    flagz.txt  mission.txt  passy
    isla@venus:~$ cat flagz.txt 
    8===ZyZqc1suvGe4QlkZHFlq===D~~
    isla@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23

    Flags 10

    missions.txt

    ################
    # MISSION 0x10 #
    ################
    
    ## EN ##
    The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). 
    
    ## ES ##
    El password de la usuaria violet esta en la linea que empieza por a9HFX (sin ser estos 5 caracteres parte de su password.).
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9

    注 a9HFX 题干说不包含在 password 内

    isla@venus:~$ cat passy | grep ^a9HFX
    a9HFXWKINVzNQLKLDVAc
    isla@venus:~$ su violet
    Password: 
    violet@venus:/pwned/isla$ cd ~
    violet@venus:~$ ls
    end  flagz.txt  mission.txt
    violet@venus:~$ cat flagz.txt 
    8===LzErk0qFPYJj16mNnnYZ===D~~
    violet@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    Flags 11

    missions.txt

    ################
    # MISSION 0x11 #
    ################
    
    ## EN ##
    The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password) 
    
    ## ES ##
    El password de la usuaria lucy se encuentra en la linea que acaba por 0JuAZ (sin ser estos ultimos 5 caracteres parte de su password)
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9

    注 0JuAZ 题干说不包含在 password 内

    violet@venus:~$ cat end | grep 0JuAZ$
    OCmMUjebG53giud0JuAZ
    violet@venus:~$ ls
    end  flagz.txt  mission.txt
    violet@venus:~$ su lucy
    Password: 
    lucy@venus:/pwned/violet$ cd ~
    lucy@venus:~$ ls
    file.yo  flagz.txt  mission.txt
    lucy@venus:~$ cat flagz.txt 
    8===AdCJ4wl8pmbhi770Xbd3===D~~
    lucy@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 12

    missions.txt

    ################
    # MISSION 0x12 #
    ################
    
    ## EN ##
    The password of the user elena is between the characters fu and ck 
    
    ## ES ##
    El password de la usuaria elena esta entre los caracteres fu y ck
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    lucy@venus:~$ cat file.yo | grep ^fu.*ck$
    fu4xZ5lIKYmfPLg9tck
    lucy@venus:~$ su elena
    Password: 
    elena@venus:/pwned/lucy$ cd ~
    elena@venus:~$ ls
    flagz.txt  mission.txt
    elena@venus:~$ cat flagz.txt 
    8===st1pTdqEQ0bvrJfWGwLA===D~~
    elena@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    Flags 13

    missions.txt

    ################
    # MISSION 0x13 #
    ################
    
    ## EN ##
    The user alice has her password is in an environment variable. 
    
    ## ES ##
    La password de alice esta en una variable de entorno.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    elena@venus:~$ printenv | grep PASS
    PASS=Cgecy2MY2MWbaqt
    elena@venus:~$ su alice
    Password: 
    alice@venus:/pwned/elena$ cd ~
    alice@venus:~$ ls
    flagz.txt  mission.txt
    alice@venus:~$ cat flagz.txt 
    8===Qj4NNWp8LOC96S9Rtgrk===D~~
    alice@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    Flags 14

    missions.txt

    ################
    # MISSION 0x14 #
    ################
    
    ## EN ##
    The admin has left the password of the user anna as a comment in the file passwd. 
    
    ## ES ##
    El admin ha dejado la password de anna como comentario en el fichero passwd.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    alice@venus:~$ cat /etc/passwd | grep anna
    anna:x:1015:1015::/pwned/anna:/bin/bash
    alice@venus:~$ cat /etc/passwd | grep alice
    alice:x:1014:1014:w8NvY27qkpdePox:/pwned/alice:/bin/bash
    alice@venus:~$ su anna 
    Password: 
    anna@venus:/pwned/alice$ cd ~
    anna@venus:~$ ls
    flagz.txt  mission.txt
    anna@venus:~$ cat flagz.txt 
    8===5Y3DhT66fa6Da8RpLKG0===D~~
    anna@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 15

    missions.txt

    ################
    # MISSION 0x15 #
    ################
    
    ## EN ##
    Maybe sudo can help you to be natalia.
    
    ## ES ##
    Puede que sudo te ayude para ser natalia.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    anna@venus:~$ sudo -u natalia /bin/bash
    natalia@venus:/pwned/anna$ cd ~
    natalia@venus:~$ ls
    base64.txt  flagz.txt  mission.txt  nataliapass.txt
    natalia@venus:~$ cat flagz.txt 
    8===JWHa1GQq1AYrBWNXEJrH===D~~
    natalia@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7

    Flags 16

    missions.txt

    ################
    # MISSION 0x16 #
    ################
    
    ## EN ##
    The password of user eva is encoded in the base64.txt file
    
    ## ES ##
    El password de eva esta encodeado en el fichero base64.txt
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    cat base64.txt 
    dXBzQ0EzVUZ1MTBmREFPCg==
    
    • 1
    • 2

    Encode : dXBzQ0EzVUZ1MTBmREFPCg==
    Decode : upsCA3UFu10fDAO

    natalia@venus:~$ su eva
    Password: 
    eva@venus:/pwned/natalia$ cd ~
    eva@venus:~$ ls
    flagz.txt  mission.txt
    eva@venus:~$ cat flagz.txt 
    8===22cqk3iGkGYVqnYrHiof===D~~
    eva@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8

    Flags 17

    missions.txt

    ################
    # MISSION 0x17 #
    ################
    
    ## EN ##
    The password of the clara user is found in a file modified on May 1, 1968. 
    
    ## ES ##
    La password de la usuaria clara se encuentra en un fichero modificado el 01 de Mayo de 1968.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    eva@venus:~$ find / -type f ! -newermt 1970-01-02 -ls 2>/dev/null
       403708      4 -rw-r--r--   1 root     root           16 Jan  1  1970 /usr/lib/cmdo
    eva@venus:~$ cat /usr/lib/cmdo
    39YziWp5gSvgQN9
    eva@venus:~$ su clara
    Password: 
    clara@venus:/pwned/hacker$ cd ~
    clara@venus:~$ ls
    flagz.txt  mission.txt  protected.zip
    clara@venus:~$ cat flagz.txt 
    8===EJWmHDEQeEN1vIR7NYiH===D~~
    clara@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 18

    missions.txt

    ################
    # MISSION 0x18 #
    ################
    
    ## EN ##
    The password of user frida is in the password-protected zip (rockyou.txt can help you) 
    
    ## ES ##
    La password de frida esta en el zip protegido con password.(rockyou.txt puede ayudarte)
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    └─$ sftp -P 5000 clara@venus.hackmyvm.eu
    
    └─$ 39YziWp5gSvgQN9
    clara@venus.hackmyvm.eu's password: 
    Connected to venus.hackmyvm.eu.
    sftp> ls
    flagz.txt      mission.txt    protected.zip 
    sftp> get protected.zip 
    Fetching /pwned/clara/protected.zip to protected.zip
    /pwned/clara/protected.zip                                                                100%  244     0.6KB/s   00:00    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    JohnTheRipper

    └─$ zip2john protected.zip > hash.txt
    
    └─$ john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (PKZIP [32/64])
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    pass123          (protected.zip/pwned/clara/protected.txt)     
    1g 0:00:00:00 DONE (2022-11-20 12:46) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed. 
    
    └─$ unzip protected.zip 
    Archive:  protected.zip
    [protected.zip] pwned/clara/protected.txt password: 
    replace pwned/clara/protected.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: yes
     extracting: pwned/clara/protected.txt 
     
    └─$ cd pwned/clara 
    
    └─$ cat protected.txt 
    Ed4ErEUJEaMcXli
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    clara@venus:~$ su frida
    Password: 
    frida@venus:/pwned/clara$ cd ~
    frida@venus:~$ cat flagz.txt 
    8===Ikg2qj8KT2bGJtWvR6hC===D~~
    frida@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6

    Flags 19

    missions.txt

    ################
    # MISSION 0x19 #
    ################
    
    ## EN ##
    The password of eliza is the only string that is repeated (unsorted) in repeated.txt. 
    
    ## ES ##
    La password de eliza es el unico string que se repite (sin estar ordenado) en repeated.txt.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    frida@venus:~$ uniq -d repeated.txt 
    Fg6b6aoksceQqB9
    frida@venus:~$ su eliza
    Password: 
    eliza@venus:/pwned/frida$ cd ~
    eliza@venus:~$ ls
    flagz.txt  mission.txt
    eliza@venus:~$ cat flagz.txt 
    8===zwWIPyDf2ozwVhCTxm1I===D~~
    eliza@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    uniq -d testfile 删重

    Flags 20

    missions.txt

    ################
    # MISSION 0x20 #
    ################
    
    ## EN ##
    The user iris has left me her key.
    
    ## ES ##
    La usuaria iris me ha dejado su key.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    eliza@venus:~$ ls -a
    .  ..  .bash_logout  .bashrc  .iris_key  .profile  flagz.txt  mission.txt
    eliza@venus:~$ ls -la
    total 36
    drwxr-x--- 2 root  eliza 4096 Apr  7  2022 .
    drwxr-xr-x 1 root  root  4096 Apr  7  2022 ..
    -rw-r--r-- 1 eliza eliza  220 Aug  4  2021 .bash_logout
    -rw-r--r-- 1 eliza eliza 3526 Aug  4  2021 .bashrc
    -rw-r----- 1 root  eliza 2602 Apr  7  2022 .iris_key
    -rw-r--r-- 1 eliza eliza  807 Aug  4  2021 .profile
    -rw-r----- 1 root  eliza   31 Apr  7  2022 flagz.txt
    -rw-r----- 1 root  eliza  143 Apr  7  2022 mission.txt
    eliza@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13

    [-i identity_file]

    eliza@venus:~$ ssh -i .iris_key iris@localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:ARNXOhO4Aisq1Dv96z2ZNk96a8qycr+JIljSMY+JBe8.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    
    • 1
    • 2
    • 3
    • 4
    iris@venus:~$ ls
    eloise  flagz.txt  irispass.txt  mission.txt
    iris@venus:~$ cat flagz.txt 
    8===ClrdWOqlZ1vL61zSk9Va===D~~
    iris@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5

    Flags 21

    missions.txt

    ################
    # MISSION 0x21 #
    ################
    
    ## EN ##
    User eloise has saved her password in a particular way. 
    
    ## ES ##
    La usuaria eloise ha guardado su password de una forma particular.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    iris@venus:~$ cat eloise 
    /9j/4AAQSkZJRgABAQEAYABgA......CiiigAooooAKKKKAP/9k=
    
    • 1
    • 2

    方法一:

    └─$ cat eloise | base64 -d > eloise.pdf
    
    • 1

    方法二:

    CTF 常见的 base64 转图
    https://tool.jisuapi.com/base642pic.html
    在这里插入图片描述

    yOUJlV0SHOnbSPm

    iris@venus:~$ su eloise
    Password: 
    eloise@venus:/pwned/iris$ cd ~
    eloise@venus:~$ ls
    flagz.txt  hi  mission.txt
    eloise@venus:~$ cat flagz.txt 
    8===57CzBLKaEq2N8YBFRu31===D~~
    eloise@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8

    Flags 22

    missions.txt

    ################
    # MISSION 0x22 #
    ################
    
    ## EN ##
    User lucia has been creative in saving her password.
    
    ## ES ##
    La usuaria lucia ha sido creativa en la forma de guardar su password.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9

    CTF 中分析文件时,经常会看到这样的 16 进制

    eloise@venus:~$ cat hi
    00000000: 7576 4d77 4644 5172 5157 504d 6547 500a
    eloise@venus:~$ cat hi | xxd -r 
    uvMwFDQrQWPMeGP
    eloise@venus:~$ su lucia
    Password: 
    lucia@venus:/pwned/eloise$ cd ~
    lucia@venus:~$ ls
    dict.txt  flagz.txt  mission.txt
    lucia@venus:~$ cat flagz.txt 
    8===5Sr2pqeVTmn8RaaPmTPE===D~~
    lucia@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12

    Flags 23

    missions.txt

    ################
    # MISSION 0x23 #
    ################
    
    ## EN ##
    The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
    
    ## ES ##
    La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    lucia@venus:~$ while IFS= read -r line; do cat /etc/xdg/$line; done < dict.txt 2>/dev/null
    H5ol8Z2mrRsorC0
    lucia@venus:~$ su isabel
    Password: 
    isabel@venus:/pwned/lucia$ cd ~
    isabel@venus:~$ ls
    different.txt  flagz.txt  mission.txt
    isabel@venus:~$ cat flagz.txt 
    8===Md2CU83GtVfouhm9U0AS===D~~
    isabel@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10

    Flags 24

    missions.txt

    ################
    # MISSION 0x24 #
    ################
    
    ## EN ##
    The password of the user freya is the only string that is not repeated in different.txt 
    
    ## ES ##
    La password de la usuaria freya es el unico string que no se repite en different.txt
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    isabel@venus:~$ uniq -u different.txt
    EEDyYFDwYsmYawj
    isabel@venus:~$ su freya
    Password: 
    freya@venus:/pwned/isabel$ cd ~
    freya@venus:~$ cat flagz.txt 
    8===m1rRSv2pdm3sBGmgidul===D~~
    freya@venus:~$ 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8

    1-24 方法综合

    1.User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.
    
    > ls -la
    
    
    2.The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt 
    
    > find / -name "whereismypazz.txt" 2>/dev/null
    
    
    3.The password of the user emma is in line 4069 of the file findme.txt
    
    > vim findme.txt
    
    
    4.User mia has left her password in the file -.
    
    > cat ./-
    
    
    5.It seems that the user camila has left her password inside a folder called hereiam 
    
    > find / -name "hereiam" 2>/dev/null
    
    
    6.The user luna has left her password in a file inside the muack folder. 
    
    > find ./muack/ -type f
    
    
    7.The user eleanor has left her password in a file that occupies 6969 bytes. 
    
    > find / -size 6969c 2>/dev/null
    
    
    8.The user victoria has left her password in a file in which the owner is the user violin. 
    
    > find / -user violin 2>/dev/null
    
    
    9.The user isla has left her password in a zip file.
    
    > cp passw0rd.zip /tmp/1/
    > cd /tmp/1/
    > unzip passw0rd.zip 
    
    
    10.The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). 
    
    > cat passy | grep ^a9HFX
    
    
    11.The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password) 
    
    > cat end | grep 0JuAZ$
    
    
    12.The password of the user elena is between the characters fu and ck 
    
    > cat file.yo | grep ^fu.*ck$
    
    
    13.The user alice has her password is in an environment variable. 
    
    > printenv | grep PASS
    
    
    14.The admin has left the password of the user anna as a comment in the file passwd. 
    
    > cat /etc/passwd | grep anna
    
    
    15.Maybe sudo can help you to be natalia.
    
    > sudo -u natalia /bin/bash
    
    
    16.The password of user eva is encoded in the base64.txt file
    
    > cat base64.txt 
    dXBzQ0EzVUZ1MTBmREFPCg==
    
    
    17.The password of the clara user is found in a file modified on May 1, 1968. 
    
    > find / -type f ! -newermt 1970-01-02 -ls 2>/dev/null
    
    
    18.The password of user frida is in the password-protected zip (rockyou.txt can help you) 
    
    └─$ sftp -P 5000 clara@venus.hackmyvm.eu
    sftp> ls
    sftp> get protected.zip 
    
    └─$ zip2john protected.zip > hash.txt
    └─$ john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    └─$ unzip protected.zip 
    
    
    19.The password of eliza is the only string that is repeated (unsorted) in repeated.txt. 
    
    > uniq -d repeated.txt 
    
    
    20.The user iris has left me her key.
    
    > ssh -i .iris_key iris@localhost
    
    
    21.User eloise has saved her password in a particular way. 
    
    > cat eloise | base64 -d > eloise.pdf
    
    
    22.User lucia has been creative in saving her password.
    
    > cat hi | xxd -r 
    
    
    23.The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
    
    > while IFS= read -r line; do cat /etc/xdg/$line; done < dict.txt 2>/dev/null
    
    
    24.The password of the user freya is the only string that is not repeated in different.txt 
    
    > uniq -u different.txt
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
    • 80
    • 81
    • 82
    • 83
    • 84
    • 85
    • 86
    • 87
    • 88
    • 89
    • 90
    • 91
    • 92
    • 93
    • 94
    • 95
    • 96
    • 97
    • 98
    • 99
    • 100
    • 101
    • 102
    • 103
    • 104
    • 105
    • 106
    • 107
    • 108
    • 109
    • 110
    • 111
    • 112
    • 113
    • 114
    • 115
    • 116
    • 117
    • 118
    • 119
    • 120
    • 121
    • 122
    • 123
    • 124
    • 125
    • 126
    • 127
  • 相关阅读:
    Leetcode《图解数据结构》刷题日志【第三周】(2022/10/31-2022/11/06)
    windows flask服务卡死的问题
    基于SpringBoot+VUE实现教材管理系统
    分享十万级TPS的IM即时通讯综合消息系统的架构
    C#重点问题之Struct和Class的异同
    【函数】删除顺序表中第一个值等于x的元素
    linux 压缩webfile文件夹 webfile.tar.gz和webfile.tar的区别
    【FPGA教程案例47】图像案例7——基于FPGA的RGB图像转化为灰度图实现,通过MATLAB进行辅助验证
    java计算机毕业设计ssm党支部在线学习系统
    国产AI网址
  • 原文地址:https://blog.csdn.net/qq_62260856/article/details/127622645