21 iris
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
| iris@venus:~$ ls -la
total 60
drwxr-x--- 3 root iris 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 iris iris 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 iris iris 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 iris iris 807 Apr 23 2023 .profile
drwxr-xr-x 2 root root 4096 Apr 5 06:28 .ssh
-rw-r----- 1 root iris 17484 Apr 5 06:28 eloise
-rw-r----- 1 root iris 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root iris 16 Apr 5 06:28 irispass.txt
-rw-r----- 1 root iris 195 Apr 5 06:27 mission.txt
iris@venus:~$ cat flagz.txt
8===ClrdWOqlZ1vL61zSk9Va===D~~
iris@venus:~$ cat mission.txt
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
## ES ##
La usuaria eloise ha guardado su password de una forma particular.
iris@venus:~$ catt eloise
-bash: catt: command not found
iris@venus:~$ cat eloise
/9j/4AAQSkZJRgABAQEAYABgAAD/4RDSRXhpZgAATU0AKgAAAAgABAE7AAIAAAAEc01MAIdpAAQA
AAABAAAISpydAAEAAAAIAAAQwuocAAcAAAgMAAAAPgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAMAAgAAABQAABCY
kAQAAgAAABQAABCskpEAAgAAAAM4NQAAkpIAAgAAAAM4NQAA6hwABwAACAwAAAiMAAAAABzqAAAA
CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAMjAyMToxMToxMCAxMDoxODowMwAyMDIxOjExOjEwIDEwOjE4OjAzAAAAcwBNAEwAAAD/4QsW
aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49J++7vycgaWQ9J1c1
TTBNcENlaGlIenJlU3pOVGN6a2M5ZCc/Pg0KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczpt
ZXRhLyI+PHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJk
Zi1zeW50YXgtbnMjIj48cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0idXVpZDpmYWY1YmRkNS1i
YTNkLTExZGEtYWQzMS1kMzNkNzUxODJmMWIiIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMv
ZWxlbWVudHMvMS4xLyIvPjxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSJ1dWlkOmZhZjViZGQ1
LWJhM2QtMTFkYS1hZDMxLWQzM2Q3NTE4MmYxYiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUu
Y29tL3hhcC8xLjAvIj48eG1wOkNyZWF0ZURhdGU+MjAyMS0xMS0xMFQxMDoxODowMy44NDk8L3ht
cDpDcmVhdGVEYXRlPjwvcmRmOkRlc2NyaXB0aW9uPjxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0
PSJ1dWlkOmZhZjViZGQ1LWJhM2QtMTFkYS1hZDMxLWQzM2Q3NTE4MmYxYiIgeG1sbnM6ZGM9Imh0
dHA6Ly9wdXJsLm9yZy9kYy9lbGVtZW50cy8xLjEvIj48ZGM6Y3JlYXRvcj48cmRmOlNlcSB4bWxu
czpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPjxyZGY6
bGk+c01MPC9yZGY6bGk+PC9yZGY6U2VxPg0KCQkJPC9kYzpjcmVhdG9yPjwvcmRmOkRlc2NyaXB0
aW9uPjwvcmRmOlJERj48L3g6eG1wbWV0YT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAg
ICAgICAgICAgICAgICAgICAgICAgICAgPD94cGFja2V0IGVuZD0ndyc/Pv/bAEMABwUFBgUEBwYF
BggHBwgKEQsKCQkKFQ8QDBEYFRoZGBUYFxseJyEbHSUdFxgiLiIlKCkrLCsaIC8zLyoyJyorKv/b
AEMBBwgICgkKFAsLFCocGBwqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKv/AABEIAGYBigMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUG
BwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR
8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5
eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj
5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQAC
AQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXx
FxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqS
k5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T1
9vf4+fr/2gAMAwEAAhEDEQA/APpGiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC
iiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK
KKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo
oAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiig
Aooqrql1PZaRd3Vnbfa7iCF5I7ffs81gCQu7BxnpnBpNpK7Gk27ItUVyvw48dQfEPwbDrsFr9idp
HimtjL5hidT03YGcjB6DrWRp3xXg1C88aMNMKaX4UDB777Ru+0uoYsoTbxgqRnJ7etOXu3v2v8hL
Xbvb5nT+I/GPh3wjbpL4k1i108SAlFlf53x12oPmb8BWFovxl+H3iC9W00zxPamdyFRLhHt95PQA
yKoJPoK86+FHw9tPiLby/ET4jR/2ve6lO5tLaZj5MMasVHydCMggKcjA6Emu/wDE3wW8C+JNJktP
+EfsdMlIPlXWnW628kbdj8oAb6MCKLOPxb9g0lsd7WL4d8X6H4ra/XQL77WdPnNvdfuXTy5B1X5l
GenUZFec/APxDqpg13wR4hlM954Yufs8U7EkvFuZQOecArx7EDtVb9nn/j68df8AYcf+bU9L6bWv
+K/zFqlrve34P/I9nkkWKJ5JDhEUsxx0ArK8M+KdH8YaMuq+HLz7ZZM7RiXynjyy9RhwD+lX9R/5
Bd1/1xf/ANBNeWfs0f8AJG4P+v2f+YpR1cl2Sf4jloovu/0PWJ5o7a3knmbbHEpd2xnAAyTWLo3j
XQPEHhebxFpF/wDaNKhEhkuPJkTaEGW+VlDcD2q/rf8AyL+of9esv/oBrxj4Nf8AJsGrf9cr/wD9
ANQ5NKb7K5SV3Bd3Y9GuPip4NtfDOn+IZ9YKaTqMrQ210bSba7gkEEbMryp+8B0NdeDkZHIrwPwp
4THjP9kKDS0QNdLHcXFrntKk8jKPx5X/AIFXffBXxQPFXwp0m4kk33Vmn2O5GckPHwM+5XafxrZx
tKUe35f8P+hnfRPvf71/wDqfEnibR/COiyat4ivVsrGNlVpSjPyxwAFUEk/QU678R6Rp/h1dd1C/
itNNaJZRcXGYxtYZXhsHJyOMZ7Yryr4tr/wm/wAUPCPw+hy1skv9qamAMgRrkKD9QHH/AANag+Im
nx+PPj14a8EX+86JYWTahdW8bbVkb5gAcdsKo9QGbGM1mrtLzbt6Jav8/uLdk9ei1+ey/L7zvPDv
xc8C+KtUXTdD8QwT3j/chkikhMh9F8xV3H2GTXZMyohd2CqoyWJwAK8c+Mvwv8NQ/Dm91nw7o9po
+qaMou7e40+FYGwpBYNtAzxkgnkEDnrUPxG17WPEX7LcWs2O8TXtpbvfmHr5ZIEvTtnr7ZzxmiUl
ytrdW/Hr/mCV5Jd7/gdZf/HH4b6bfNaXPim2aVTgm3hlmT/vtFK/rXW6J4g0jxJp4vtB1G21C2Jx
5lvIGCn0OOh9jzXnXw/8P/B/V/DVlbaDYeH9Tl8hTIt1FFLd7sclw43g5z6D04qfwz8KrrwT8Wrn
WvCs9taeF9Qttt3ppkfcJRnBRcYwDyMtxuYAYq+Wz5WRe6ujtT4v0NfGI8Km+/4nTQfaBa+S/wDq
/wC9v27fwzmtqvC9Y1bTtF/a4ivNZv7XT7YaJtM91MsSAkHA3MQM16h/wsfwR/0OXh//AMGkH/xV
StYp+v5tFP4mvT8ky3YeLdE1TxNqPh+xvfN1TTFVru38p18sMAR8xAU9R0Jq9qmrafomnyX2sXtv
Y2kf357iQIg9OT39q8e+GeoWeqftFeP73TLuC8tZbe3Mc9vIJEcbUHDDIPIIrM/ssfHH40a1b63P
M3hXws4gjs45CgnmyVJJHPJV8kc4CgY60ldqPdq7B2TlfZOx38fx1+G0t99lXxTAJM43NBMqf99l
Nv45rurS8ttQs4ruwuIrq2mXdHNC4dHHqGHBFcvL8KPAM2mmxfwhpAhKbNyWqrLj/roAHz75zXmX
g63uPhF8dh4Gt7ma48OeIITc2STPkwSAN+uUKn1BQnpVKzfL1E7pc3Y97oryrxX8dbDwf4+v/DOo
6Lcztb28b20lrJ5kl1K+3bEI9oA+8Tkt/DwCSBWfpH7QRPimz0bxn4M1PwuL9wltPdFiGJOAWVo0
IXOBkZxn8aUfetbqOXu7npmr+LdE0HWdL0rVb3yL3VpDFZReU7eawwCMqCF+8OpFbNeIfHHU7TRf
ib8OdT1KYQWlpdTTTSEZ2qpjJOB1+lSJ+0YtrewT+IPBGt6RoF1IFttWmRiJAejbSgGMc4VmOOma
I+9G/W7X+QSun8l+p7UzKiF3YKqjJYnAArgr/wCOPw302+a0ufFNs0qnBNvDLMn/AH2ilf1rO+PN
1fXHwQ1G50CVpIZhE00kBzutmILEEfwkEZ9s9qg+H/h/4P6v4asrbQbDw/qcvkKZFuoopbvdjkuH
G8HOfQenFCTbfkDaSXmei6J4g0jxJp4vtB1G21C2Jx5lvIGCn0OOh9jzXP8Aif4seCvBusf2V4k1
r7He+WsvlfZZpPlOcHKIR2PesHwz8KrrwT8WrnWvCs9taeF9Qttt3ppkfcJRnBRcYwDyMtxuYAYr
n9S0jTdb/a0a01rTrXULb+wQ/k3cCypuB4O1gRmh6uNuv6J/5Bsnfp+tv8zqoPj78M7iZYo/E6Bm
OAZLO4RfxZowB+Nd9ZX1rqVjFeafcxXVtMu+KaFw6OPUEcGubvfhh4EvLGa3n8I6JHHIhVnhsYon
UeodQCp9wRXlfwG1yXw/8PvHDws2oaXoVzNPZK0mPMCozFQ3OAQqngdWJ70XWt+iv/X3js21bq7H
v9FeLQ/tCvqeg2lz4a8E6pruovH5l5aWLNJHZDcwAeVYz8xC5xtHB61btP2h9D1LwtDd6TpGoX+v
TSNCmg2y+ZPvUZJyoJ2Y/i2568cHB38hLU9eorzH4e/GeHxn4muPDes6BeeHNbiQyLaXTFt4ABI5
VSGwc4K9O9enU7NCTuFFFFIYUUUUAFFFFABRRRQAUUUUAFFFFAHhWja4vwo8ZfEfSLldll5Da/pq
kYVt3DKP+Bsi/wDAav8AgvwXeN+zVqVrtZ9X8RWdxfSE53SSSqSgP1UL+dZXx50e08UfEbwd4fsJ
j/at8zwXccRyVtNysS302sR9DXvEEMdtbxwQKEjiUIijooAwBUqN6TXly/Jf0vuKbtUX/gX3/wBP
7zzL9nrXbTVvhDp1nDIv2rS2e3uYc/NGd7MpI9CD/P0r06SRIo2klZURAWZmOAAOpJryXxL8FbuL
xPP4n+GfiGTwzqtwd08AXNvOxOSSB0yeSCGGewrJuPhX8VvF8Q0/x98QbYaUx/ew6ZFgzL3U4jjB
/HcB1wauUnN32ZCioadA+CEq+Ifij8QPFdkrf2dc3Qgt5O0vzMcj8Ap9twqz8ASltr/xB053H2mH
W3ZozwQu5wD+YNeo+FvC+l+DfDltomhQGK0txxuOWdj1dj3Ynn+WBgV594z+D+q3PjGXxh8OfEbe
H9buFxcxuCYbg8cnGcdASCrAkA4BpaRaS2St+T/ND1ldvdu/5r8j0jxBexad4a1O9uCFit7SWVyT
jgITXlXwJ1Wx8K/s/Q6xr9wtnYLczSNMylgqmTYOACfvcVRuvhV8V/GKDTviB4/tP7IJBlh02LDS
jP3SBHGCPruAODg16jc+BdGm+Hb+DI4mh0trT7KoUgso7Pk9Wz82fWlrFSkt2l/mPSTinsn/AMAu
Xmo2mp+C7jUrGYS2dzp7zxS4IDI0ZIbnkcHvXkXwcUr+y/qhI4aG/I9xtI/pVaH4Q/Fm00c+FbTx
/ZJ4YIMQ+RvPER6qPkyB22iTGOOlepad4Ht9A+F0nhDRHGBYy26Szcb5HVsu2AcZZieOlKa92bj1
Vl3HF+9BPo7swP2fP+SHaF9bj/0fJWD4FCeAPjv4o8KTN5Wn65GNW0/cflB5LqPT+P8ACMV3Xwt8
J33gj4cab4f1WW3mu7Qy73tmZozukZxgsAejDtWB8YPhrq/jgaVf+FL210/WLAyxGe4dkDQyIVZc
qrHPpx3NaVZfvHKOu6+//g2ZEFePK/X8f8rr5mZ8G4m8V+LvFXxHuUYJqNybHTtx6W8eBkfXan4q
aivnGm/te6e9x8qaloZjhYnALAsSP/HD+deleDfDcHhDwbpmg220rZQLGzqMB36u34sSfxrnvif8
M08f2djc2GoPpOuaXIZbG/jByp4O04wcZAORyCPqCnaMopaqOn4NX/G4K8k76N/53X5WJ/jFexWH
wd8SyzkBXsXhXJxln+QfqwrmfD/jXTPhv8FfBZ8TWl49vfwR25eKJWWIuNwMm5hhcE9M9DxWOfhD
8RPGN7aW/wAVPGVrfaJayCU2enrtM5HZsRxgf7x3EZOMda9U8V+DNH8Y+E5vD2qwbbN1URmHCtAV
+6ycYBH5Y46Glayb3vb7l/nce7S7X+92/wAjlPEHwB+HviFpJhpB02eXnztNlMQH0TmMf981y3h8
a38KvjJo/gw6/d674f1yBzbw3jbpbMqDjB9Pl7YByeMilt/hr8ZPDEK6b4P+IVlLpkfEQ1GLLovZ
RuikwB6Bse1dJ4C+Elzofih/FvjXXZPEPiNkKRysCI7YEYITPXgkDgAAnA7046O62FK7i09zjfFX
hbR/GH7VkeleI7P7ZZNowkMXmvHllDYOUIP612//AAz58Mf+hZ/8n7n/AOOVO/gHVG+PcfjcT2f9
mrpv2Qxb287fg8427cc/3vwr0KpirRXz/Njd3J/L8keF/CXQtO8NfHzx1pGiW/2axtbeBYYt7PtB
Ck8sSTyT1NO+Ddwnhz4u+PvCupusN7c332y2VzzMmXbjPX5XU/TJ7V2nhnwLqei/F/xV4qup7R7H
WY4kt443YyqVCg7gVAHQ9CaZ8RfhJp/jq7ttWs7+fQ/EFmMQalafewOgYAgnHYggj9KcW1GDfaz+
+4NJykvO6/r7z0GvC/FNzF4n/at8L6fpuZjoVs0t7IhyIzhm2n06oPq+KmbwJ8c7lDYXPxF0+OwY
bDPDFifb65EIbPvvz712/wAN/hdpXw4sbj7LPLqGp3pDXmoXAw8p64A52rkk4yTk8k8YcUuZTfT8
xSfuuPc4ewtYLj9sjU5J4ld7fSFkiLD7jbI1yPfDMPxqb9pxR/whOhSYG9dZi2tjkfI/Q/gK6ey8
A6pbfHrUPGzz2Z02504WqRB284OAnJG3bj5T/F6Uvxi8Bap8QfDenafo09pBLa6gl07XbsqlQrAg
bVbn5hSjpGHk1/6Vf8invL0/9tt+ZyHxstbS++KHwyttTRZLWa/ZZEcZVwXi4PqCeK7/AOLdvZ3H
wh8SpqCoYVsJHXd2dRlCPfcFxWD8VfhZefEXXfDMqXUFvYaa8n2wmVkm2tswYsKRuG0nkjtXNX/w
g+JPiqSPRvG3j6K88MwyA7beLbcTqp43jYBnjqzPg881Nuanybav8QT5ZKfZL9TR8I/EHT/A3wM8
GXHiq2vZYL9fsgkijV1jG5tpfcy4XYO2eBWz4g+APw98QtJMNIOmzy8+dpspiA+icxj/AL5rpdf8
A6D4i8C/8Ind2vlabHEkcAiOGt9gwjITnke+c85zk15lb/DX4yeGIV03wf8AEKyl0yPiIajFl0Xs
o3RSYA9A2Park1KbduuhMU4wS8tRPD41v4VfGTR/Bh1+713w/rkDm3hvG3S2ZUHGD6fL2wDk8ZFZ
XjnwzqXiz9pxtN0XxFd+Hbn+xUk+22gbftBOV+V0ODn17V3XgL4SXOh+KH8W+Nddk8Q+I2QpHKwI
jtgRghM9eCQOAACcDvWgPAupj48Hxr59p/Zp0v7H5W9vO35znG3bj/gWfalbWPNra/5Owfzcvl+a
ucdJ8AfEt/GbbXPizr2oWMnEtsyyYcenzTMPzBrsdQ8H6T4G+COv6JoMLJbRaVdMzyHc8rmJsux7
k/gOgAAGK76srxRpk2t+EdX0q0aNJ76xmt42kJChnQqCSATjJ9DUzu4SS6mlOynFvozhf2draG3+
CWkyQxKj3Ek8krAcu3msuT+CgfhXO/BK0t1+L/xPmWCMSxal5cbhRlVaWYkD0BKr+Qr0P4W+E77w
R8ONN8P6rLbzXdoZd72zM0Z3SM4wWAPRh2rK+HngDVPCXjfxprGpXFnLb69ei4tVgdi6LvkbDgqA
Dhx0J71tJr2ra7P81+hkl+6t5r82ct4pAT9r7weUG0vpUm8jjd8tx19a9srzzW/AGqal8dfD/jSC
4s103TLJ7eaJ3YTMxEoyoC7SP3g6sO9eh1C+BL1/Nly1nddl+QUUUUhBRRRQAUUUUAFFFFABRRRQ
AU2RFkjZHGVYEEeoNOopNXVmBwPgP4M+Ffh7qtxqWjLd3F7MpRZryRXMKHqqBVUDPqcn3rvqKKq4
BRRRSAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC
iiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK
KKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo
oAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiig
AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP
/9k=
iris@venus:~$ cat irispass.txt
kYjyoLcnBZ9EJdz
iris@venus:~$ cat eloise | base64 -d
����JFIF``���ExifMM;sML�J���
>������85��85�
�2021:11:10 10:18:032021:11:10 10:18:03sML��
http://ns.adobe.com/xap/1.0/<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="http://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2021-11-10T10:18:03.849</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>sML</rdf:li></rdf:Seq>
</dc:creator></rdf:Description></rdf:RDF></x:xmpmeta>
........
iris@venus:~$
|
发现似乎是一个照片,尝试进行识别,使用cyberchef,base64解码以后点一下魔术棒得到密码:
22 eloise
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
| eloise@venus:~$ ls -la
total 36
drwxr-x--- 2 root eloise 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 eloise eloise 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 eloise eloise 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 eloise eloise 807 Apr 23 2023 .profile
-rw-r----- 1 root eloise 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root eloise 50 Apr 5 06:28 hi
-rw-r----- 1 root eloise 194 Apr 5 06:27 mission.txt
eloise@venus:~$ cat hi
00000000: 7576 4d77 4644 5172 5157 504d 6547 500a
eloise@venus:~$ cat flagz.txt
8===57CzBLKaEq2N8YBFRu31===D~~
eloise@venus:~$ cat mission.txt
################
# MISSION 0x22 #
################
## EN ##
User lucia has been creative in saving her password.
## ES ##
La usuaria lucia ha sido creativa en la forma de guardar su password.
eloise@venus:~$ xxd hi
00000000: 3030 3030 3030 3030 3a20 3735 3736 2034 00000000: 7576 4
00000010: 6437 3720 3436 3434 2035 3137 3220 3531 d77 4644 5172 51
00000020: 3537 2035 3034 6420 3635 3437 2035 3030 57 504d 6547 500
00000030: 610a a.
eloise@venus:~$ xxd -h
Usage:
xxd [options] [infile [outfile]]
or
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
-a toggle autoskip: A single '*' replaces nul-lines. Default off.
-b binary digit dump (incompatible with -ps,-i,-r). Default hex.
-C capitalize variable names in C include file style (-i).
-c cols format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
-E show characters in EBCDIC. Default ASCII.
-e little-endian dump (incompatible with -ps,-i,-r).
-g bytes number of octets per group in normal output. Default 2 (-e: 4).
-h print this summary.
-i output in C include file style.
-l len stop after <len> octets.
-n name set the variable name used in C include output (-i).
-o off add <off> to the displayed file position.
-ps output in postscript plain hexdump style.
-r reverse operation: convert (or patch) hexdump into binary.
-r -s off revert with <off> added to file positions found in hexdump.
-d show offset in decimal instead of hex.
-s [+][-]seek start at <seek> bytes abs. (or +: rel.) infile offset.
-u use upper case hex letters.
-v show version: "xxd 2022-01-14 by Juergen Weigert et al.".
eloise@venus:~$ xxd -r hi
uvMwFDQrQWPMeGP
|
23 lucia
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| lucia@venus:~$ ls -la
total 36
drwxr-x--- 2 root lucia 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lucia lucia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lucia lucia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lucia lucia 807 Apr 23 2023 .profile
-rw-r----- 1 root lucia 1998 Apr 5 06:28 dict.txt
-rw-r----- 1 root lucia 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lucia 397 Apr 5 06:27 mission.txt
lucia@venus:~$ cat flagz.txt
8===5Sr2pqeVTmn8RaaPmTPE===D~~
lucia@venus:~$ cat mission.txt
################
# MISSION 0x23 #
################
## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
## ES ##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.
lucia@venus:~$ head -n 10 dict.txt
s
hack
hacker
handler
hanlder
happening
head
header
headers
lucia@venus:~$ ls /etc/xdg
ls: cannot open directory '/etc/xdg': Permission denied
|
只能尝试进行爆破了,这里我没写出来,我看了别的师傅写的脚本,学习一下:
1
| while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt
|
- IFS= 不会对输入行进行分割
- -r 不解释反斜杠
- readlink 用于解析符号链接并返回目标文件的路径。
- -e 返回绝对路径
1
2
3
4
5
| lucia@venus:~$ while IFS= read -r line; do readlink -e /etc/xdg/$line; done<dict.txt
/etc/xdg
/etc/xdg/readme
lucia@venus:~$ cat /etc/xdg/readme
H5ol8Z2mrRsorC0
|
24 isabel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
| lucia@venus:~$ su isabel
Password:
isabel@venus:/pwned/lucia$ cd ~
isabel@venus:~$ ls -la
total 180
drwxr-x--- 2 root isabel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 isabel isabel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 isabel isabel 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 isabel isabel 807 Apr 23 2023 .profile
-rw-r----- 1 root isabel 150544 Apr 5 06:28 different.txt
-rw-r----- 1 root isabel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root isabel 245 Apr 5 06:27 mission.txt
isabel@venus:~$ cat flagz.txt
8===Md2CU83GtVfouhm9U0AS===D~~
isabel@venus:~$ cat mission.txt
################
# MISSION 0x24 #
################
## EN ##
The password of the user freya is the only string that is not repeated in different.txt
## ES ##
La password de la usuaria freya es el unico string que no se repite en different.txt
isabel@venus:~$ head different.txt -n 10
3e73c17ede4b9b4
3e73c17ede4b9b4
fb834b364abb5eb
fb834b364abb5eb
36771e2733ec17c
36771e2733ec17c
47949b26a7c452a
47949b26a7c452a
371cedbb4a4e593
371cedbb4a4e593
isabel@venus:~$ cat different.txt | uniq -c
2 3e73c17ede4b9b4
2 fb834b364abb5eb
2 36771e2733ec17c
.......
isabel@venus:~$ cat different.txt | uniq -c | sort -n
1 EEDyYFDwYsmYawj
2 00010b0765c11cc
2 00205d587090943
2 00213023c9abfbe
2 002b4e53be7876f
2 0034acdf29fb163
.......
|
找到了那个密码 EEDyYFDwYsmYawj
1
2
3
| isabel@venus:~$ su -l freya
Password:
freya@venus:~$
|
25 freya
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| freya@venus:~$ ls -la
total 32
drwxr-x--- 2 root freya 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 freya freya 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 freya freya 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 freya freya 807 Apr 23 2023 .profile
-rw-r----- 1 root freya 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root freya 262 Apr 5 06:27 mission.txt
freya@venus:~$ cat flagz.txt
8===m1rRSv2pdm3sBGmgidul===D~~
freya@venus:~$ cat mission.txt
################
# MISSION 0x25 #
################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.
## ES ##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.
freya@venus:~$ while true; do cat /free/* 2>/dev/null; done
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
mxq9O3MSxxX9Q3S
.......
freya@venus:~$ su -l alexa
Password:
alexa@venus:~$
|
26 alexa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| alexa@venus:~$ ls -la
total 32
drwxr-x--- 2 root alexa 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 alexa alexa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alexa alexa 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 alexa alexa 807 Apr 23 2023 .profile
-rw-r----- 1 root alexa 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root alexa 172 Apr 5 06:27 mission.txt
alexa@venus:~$ cat flagz.txt
8===12ALP3eLlJ1GrTBxwJQM===D~~
alexa@venus:~$ cat mission.txt
################
# MISSION 0x26 #
################
## EN ##
The password of the user ariel is online! (HTTP)
## ES ##
El password de la usuaria ariel esta online! (HTTP)
alexa@venus:~$ curl http://127.0.1
33EtHoz9a0w2Yqo
|
27 ariel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
| ariel@venus:~$ ls -la
total 44
drwxr-x--- 2 root ariel 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 ariel ariel 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 ariel ariel 3526 Apr 23 2023 .bashrc
-rw-r----- 1 root ariel 12288 Apr 5 06:28 .goas.swp
-rw-r--r-- 1 ariel ariel 807 Apr 23 2023 .profile
-rw-r----- 1 root ariel 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root ariel 254 Apr 5 06:27 mission.txt
ariel@venus:~$ cat flagz.txt
8===lqTeJ1msxhNjNJCptxmZ===D~~
ariel@venus:~$ cat mission.txt
################
# MISSION 0x27 #
################
## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.
## ES ##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!
ariel@venus:~$ vim -h
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled May 04 2023 10:24:44)
Usage: vim [arguments] [file ..] edit specified file(s)
or: vim [arguments] - read text from stdin
or: vim [arguments] -t tag edit file where tag is defined
or: vim [arguments] -q [errorfile] edit file with first error
Arguments:
-- Only file names after this
-v Vi mode (like "vi")
-e Ex mode (like "ex")
-E Improved Ex mode
-s Silent (batch) mode (only for "ex")
-d Diff mode (like "vimdiff")
-y Easy mode (like "evim", modeless)
-R Readonly mode (like "view")
-Z Restricted mode (like "rvim")
-m Modifications (writing files) not allowed
-M Modifications in text not allowed
-b Binary mode
-l Lisp mode
-C Compatible with Vi: 'compatible'
-N Not fully Vi compatible: 'nocompatible'
-V[N][fname] Be verbose [level N] [log messages to fname]
-D Debugging mode
-n No swap file, use memory only
-r List swap files and exit
-r (with file name) Recover crashed session
-L Same as -r
-A Start in Arabic mode
-H Start in Hebrew mode
-T <terminal> Set terminal type to <terminal>
--not-a-term Skip warning for input/output not being a terminal
--ttyfail Exit if input or output is not a terminal
-u <vimrc> Use <vimrc> instead of any .vimrc
--noplugin Don't load plugin scripts
-p[N] Open N tab pages (default: one for each file)
-o[N] Open N windows (default: one for each file)
-O[N] Like -o but split vertically
+ Start at end of file
+<lnum> Start at line <lnum>
--cmd <command> Execute <command> before loading any vimrc file
-c <command> Execute <command> after loading the first file
-S <session> Source file <session> after loading the first file
-s <scriptin> Read Normal mode commands from file <scriptin>
-w <scriptout> Append all typed commands to file <scriptout>
-W <scriptout> Write all typed commands to file <scriptout>
-x Edit encrypted files
--startuptime <file> Write startup timing messages to <file>
--log <file> Start logging to <file> early
-i <viminfo> Use <viminfo> instead of .viminfo
--clean 'nocompatible', Vim defaults, no plugins, no viminfo
-h or --help Print Help (this message) and exit
--version Print version information and exit
ariel@venus:~$ vim -r .goas.swp
Thats my little DIc with my old and current passwOrds:
-->ppkJjqYvSCIyAhK
-->cOXlRYXtJWnVQEG
--rxhKeFKveeKqpwp
-->RGBEMbZHZRgXZnu
-->IaOpTdAuhSjGZnu
-->NdnszvjulNellbK
-->GBUguuSpXVjpxLc
-->rSkPlPhymYcerMJ
-->PEOppdOkSqJZweH
-->EKvJoTBYlwtwFmv
-->d3LieOzRGX5wud6
-->mYhQVLDKdJrsIwG
-->DabEJLmAbOQxEnD
-->LkWReDaaLCMDlLf
-->cbjYGSvqAsqIvdg
-->QsymOOVbzSaKmRm
-->bnQgcXYamhSDSff
-->VVjqJGRrnfKmcgD
|
按gg可以到页面顶部第一个字符上面去,使用dd即可删除改行,按dw可以删除单词,按.可以执行上一个命令,如此即可删除掉所有的-->和空白行,然后按
进行保存,后面可以尝试进行爆破,我使用hydra进行爆破的,也可以尝试使用bash脚本进行爆破:
1
2
3
4
5
6
7
8
9
10
| hgbe02@pwn:~/temp$ hydra -l lola -P pass ssh://venus.hackmyvm.eu:5000
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 01:44:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18 login tries (l:1/p:18), ~2 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[5000][ssh] host: venus.hackmyvm.eu login: lola password: d3LieOzRGX5wud6
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 01:44:14
|
下面附上大佬写的脚本,很优雅:
1
| while IFS= read -r line; do echo $line | timeout 2 su lola 2>/dev/null; if [ $? -eq 0 ]; then echo $line; break; fi; done < /tmp/dict.txt
|
28 lola
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
| lola@venus:~$ ls -la
total 36
drwxr-x--- 2 root lola 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lola lola 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lola lola 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lola lola 807 Apr 23 2023 .profile
-rw-r----- 1 root lola 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lola 272 Apr 5 06:27 mission.txt
-rw-r----- 1 root lola 1438 Apr 5 06:28 pages.txt
lola@venus:~$ cat flagz.txt
8===TMYRw853hx8yKRocFMgM===D~~
lola@venus:~$ cat mission.txt
################
# MISSION 0x28 #
################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.
## ES ##
La usuaria celeste ha dejado un listado de nombres de posibles paginas .html donde encontrar su password.
lola@venus:~$ cat pages.txt
new-servers
server-updates
SenSage_LEO
1355485668
25101
Real-Time Communication
ulist
VGVsbmV0
15915
mumbo
planet-icon
DealTime_57c
121616253
708303201
suppliers_logos
imagesPage
bar-left
webdev-logo
h-line
34552
479800180
1080410073
symm
1665300941
time-date
image-effects
1412058599
1166197595
1115392848
1083085151
Dotster_47c
agi
grotius
primers
decades
upfront
sitecredits
SSC
Kids-Software
Projector-Accessories
Ink
Microphones
Satellite-Radio
existingcustomers
media-types
junkbuster
symankr
career-opportunities
corner_ur
corner_ul
findlaw
classaction
Factsheets
Comets
symantch
dark_grey
Sunbelt
penguin_log
cswift
eref
symantecpress
symanbr
h_consumerassistanceheader
h_homeb
h_parentsb
h_privacyb
h_consumerassistanceb
h_consumerfaqsb
h_mainheader
dmasponsorship
consumerfaqs
symantde
pc_dots
ci_4958157
themonitor
Columbus
glo
regan
GR2006120500981
uscode49
uscode39
uscode20
DEFAULT
uscode12
toxins
ferris
Jan07
000109
efpa
funders
badads
civicactions
iraq_plans
askthepilot215
mail_cover
081606
092306
book_review
consumerprotection
facta
050518
IWC
ahead
shah
rockertraining
respiratory
197442_1
xCH-computer_accessories
xCH-computer_memory
xCH-networking
xCH-components
xCH-inputdevices
xPP-Monitors
xPP-PC_Desktops
xCH-hardware
116044
20061226
logo_eseminars
cebolla
logo_pcmag
1999-02
pcmagnetwork
40305
breastcancer
infocusRel
key2
xCH-software
check_prices
rev_snapshot
ca-library
pubs1
bullet_P1
bullet_B1
spectral
lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.1/$line ; done < pages.txt 2>/dev/null | grep -v '<'
33EtHoz9a0w2Yqo
33EtHoz9a0w2Yqo
|
但是无法正常进行切换用户,可能是兔子洞,重新改了一下:
1
2
3
| lola@venus:~$ while IFS= read -r line; do curl -s http://127.0.0.1/$line.html ; done < pages.txt 2>/dev/null | grep -v '
<'
VLSNMTKwSV2o8Tn
|
29 celeste
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
| celeste@venus:~$ ls -la
total 32
drwxr-x--- 2 root celeste 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 celeste celeste 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 celeste celeste 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 celeste celeste 807 Apr 23 2023 .profile
-rw-r----- 1 root celeste 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root celeste 179 Apr 5 06:27 mission.txt
celeste@venus:~$ cat flagz.txt
8===TrdsvMy99slFZtd4Cy4Q===D~~
celeste@venus:~$ cat mission.txt
################
# MISSION 0x29 #
################
## EN ##
The user celeste has access to mysql but for what?
## ES ##
La usuaria celeste tiene acceso al mysql, pero para que?
celeste@venus:~$ mysql -uceleste -pVLSNMTKwSV2o8Tn
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1341
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| venus |
+--------------------+
2 rows in set (0.002 sec)
MariaDB [(none)]> use venus;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [venus]> show tables;
+-----------------+
| Tables_in_venus |
+-----------------+
| people |
+-----------------+
1 row in set (0.001 sec)
MariaDB [venus]> select * from people;
+-----------+---------------+--------------------------------+
| id_people | uzer | pazz |
+-----------+---------------+--------------------------------+
| 1 | nuna | ixpfdsvcxeqdW |
| 2 | nona | ixpvcxvcxeqdW |
| 3 | manue | ixpfdsfdseqdW |
| 4 | samoa | ixperrewrweqdW |
| 5 | dsaewq | ixpefdsfsqdW |
| 6 | fdsfewrew | ixpedvcxv4qdW |
| 7 | koiuoiudsadas | ixpredsfdeqdW |
| 8 | vcxfdsfew | ixp342432eqdW |
| 9 | dasd | ixpeiuyiuyqdW |
| 10 | helen | uytuytjhgixpeqdW |
| 11 | tudou | ijhgjghxpeqfdfsfddW |
| 12 | fdsoiurew | ixpfdsfsdsvcxvcxeqdW |
| 13 | inan | imbnmnbxpeqdW |
| 14 | zkret | ixpeqkjhkhjkdW |
| 15 | cjhcx | i432423xpeqdW |
| 16 | sfdfdsml | ixpeqdsfsdfdsfW |
| 17 | svcxvcxml | 432423ixpeqdW |
| 18 | xml | ixpejhgjhgqdW |
| 19 | pdf | ixperewrewrewqdW |
| 20 | txt | ixpeuytuytqdW |
| 21 | vcxvcx | ixpefdsfdsfdfdsqdW |
| 22 | dsadsa | ixpeqdjhkjhW |
| 23 | lel | ixpvcxvcxvcxeqdW |
| 24 | lul | ixpeqdmnbmnbmnbmW |
| 25 | dog | ixperewrewrewqdW |
| 26 | cat | ixvcxvdsfsdvpeqdW |
| 27 | pet | ixiufohsyuoirewpeqdW |
| 28 | pzzz | ixvcxvcxvpeqdW |
| 29 | ls | ixpehgfdhdhqdW |
| 30 | vi | ixpetrvvrqdW |
| 31 | tmux | iuovcxoiujvcxixpeqdW |
| 32 | screen | ixpeqrewregfdgdW |
| 33 | yes | ixpebvcgdfgqdW |
| 34 | nop | ixpefdsqdW |
| 35 | haha | 8===xKmPDsJSKpHLzkqKXyjx===D~~ |
| 36 | love | ixpegfdgqdW |
| 37 | dsadsa | fdsvcxvcxixpeqdW |
| 38 | d4t4 | erwerewreixpeqdW |
| 39 | nna | gdfgdixpeqdW |
| 40 | nin | aaafdixpeqdW |
| 41 | tre | fdsafixpeqdW |
| 42 | tfas | igfdgfdgxpeqdW |
| 43 | zcxc | ixfdgdfgpeqdW |
| 44 | yuio | ixpgbvcbvcbeqdW |
| 45 | jhgyurtrt | treterterixpeqdW |
| 46 | lodsa | itreterxpeqdW |
| 47 | zarah | ixpvcbvcbeqdW |
| 48 | zkkad | ixpedfgvbcxbvcqdW |
| 49 | bvher | vcxvcxgfdgfdixpeqdW |
| 50 | dsadsa | ixpeqergdfwer32dW |
| 51 | ch4rm | ixpeewf23qdW |
| 52 | Aza | ixpjhgjgheqdW |
| 53 | avij | ixpegfdgdfgqdW |
| 54 | crom | ixpefdbvvcbrqdW |
| 55 | bubu | ixpetretretqdW |
| 56 | bebe | ixpeghfgfdqdW |
| 57 | baba | ixpeffesfqdW |
| 58 | bael | ixpesdvsdvsdqdW |
| 59 | vaze | ixpe23r23rf23qdW |
| 60 | upper | ixpe43r43rqdW |
| 61 | loz | ixpeqddfsdW |
| 62 | mind | ixpfsdfsdfsdeqdW |
| 63 | mymy | ixpevcxvqdW |
| 64 | ina | ixpee23e32rqdW |
| 65 | ein | ixpejytjytjhgjqdW |
| 66 | n1n4 | ixpehgjghjhghgqdW |
| 67 | where | ixljkgjgpeqdW |
| 68 | you | ixpeqdhggjhgjW |
| 69 | are | ixVCXVCXVCXVCXdW |
| 70 | what | ixpeqhgjggdW |
| 71 | dsaqqqqqq | ixpeqVCXVCXdW |
| 72 | h0j3n | ixpemnbmbnmghqdW |
| 73 | nana | ixpeqVSDFWCdW |
| 74 | nina | ixpeqdWuvC5N9kG |
| 75 | nunu | ixpeSFDSFDSVCXqdW |
| 76 | fdse | ixpeDFSWEF2qdW |
| 77 | dsar | ixpeF43F3F34qdW |
| 78 | yop | ixpeqdWCSDFDSFD |
| 79 | loco | ixpeF43F34F3qdW |
| 80 | zaza | ixpeYUTHNYGTHYTqdW |
| 81 | jhon | ixpeFDSJYTUJTYqdW |
| 82 | tell | ixpeHYTTqdW |
| 83 | ma | uyixptje4FSFWEFqdW |
| 84 | mum | jghixpeqdW |
| 85 | nanaa | 432432ixpeqdW |
| 86 | nnnniinn | irewxpeqdW |
| 87 | iourewoiure | rewixpeqdW |
| 88 | lkjfdsoiu | dsaixpeqdW |
| 89 | vcxnoj | dasdasixpeqdW |
| 90 | ioyuwer | ixpeqdvcxvcxW |
| 91 | kaka | ixpeqdW |
| 92 | nini | ixpeqdvcxW |
| 93 | zong | ixpeqdWfdsfsdf |
| 94 | nana | ixpefdsafdsqdW |
| 95 | ninna | ixpeqOPUIFDSFDSdW |
+-----------+---------------+--------------------------------+
95 rows in set (0.001 sec)
|
找到一个flag,名为haha的flag => 8===xKmPDsJSKpHLzkqKXyjx===D~~ 其他长度不一,筛选出长度在15个字符的密码,这是大多数用户的密码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| MariaDB [venus]> select * from people where length(pazz) = 15;
+-----------+----------+-----------------+
| id_people | uzer | pazz |
+-----------+----------+-----------------+
| 16 | sfdfdsml | ixpeqdsfsdfdsfW |
| 44 | yuio | ixpgbvcbvcbeqdW |
| 54 | crom | ixpefdbvvcbrqdW |
| 58 | bael | ixpesdvsdvsdqdW |
| 74 | nina | ixpeqdWuvC5N9kG |
| 77 | dsar | ixpeF43F3F34qdW |
| 78 | yop | ixpeqdWCSDFDSFD |
| 79 | loco | ixpeF43F34F3qdW |
+-----------+----------+-----------------+
8 rows in set (0.005 sec)
|
尝试进行爆破:
sfdfdsml
yuio
crom
bael
nina
dsar
yop
loco
ixpeqdsfsdfdsfW
ixpgbvcbvcbeqdW
ixpefdbvvcbrqdW
ixpesdvsdvsdqdW
ixpeqdWuvC5N9kG
ixpeF43F3F34qdW
ixpeqdWCSDFDSFD
ixpeF43F34F3qdW
但是没有爆破出来,不知道为啥,尝试看一下是否存在用户,发现nina是存在的,尝试登录,成功!
30 nina
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
| celeste@venus:~$ su -l nina
Password:
nina@venus:~$ ls -la
total 32
drwxr-x--- 2 root nina 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 nina nina 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 nina nina 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 nina nina 807 Apr 23 2023 .profile
-rw-r----- 1 root nina 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root nina 197 Apr 5 06:27 mission.txt
nina@venus:~$ cat flagz.txt
8===VwICIymoA1DczWJau1sG===D~~
nina@venus:~$ cat mission.txt
################
# MISSION 0x30 #
################
## EN ##
The user kira is hidding something in http://localhost/method.php
## ES ##
La usuaria kira esconde algo en http://localhost/method.php
nina@venus:~$ curl -i -s http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:26:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X POST http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:27:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X HEAD http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:28:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
^C
nina@venus:~$ curl -s -i -X PUT http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:29:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
tPlqxSKuT4eP3yr
|
更进一步的尝试:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
| nina@venus:~$ curl -s -i -X DELETE http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X CONNECT http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:15 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X OPTIONS http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
I dont like this method!
nina@venus:~$ curl -s -i -X TRACE http://localhost/method.php
HTTP/1.1 405 Not Allowed
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:30:44 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
nina@venus:~$ curl -s -i -X PATCH http://localhost/method.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:31:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
8===tPGClekAvQKSYthnLiwz===D~~I dont like this method!
|
哈哈,nice!!!!快夸我!!!
31 kira
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
| nina@venus:~$ su -l kira
Password:
kira@venus:~$ ls -la
total 32
drwxr-x--- 2 root kira 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 kira kira 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 kira kira 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 kira kira 807 Apr 23 2023 .profile
-rw-r----- 1 root kira 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root kira 191 Apr 5 06:27 mission.txt
kira@venus:~$ cat flagz.txt
8===rJun2WyeuGIvabWQvJko===D~~
kira@venus:~$ cat mission.txt
################
# MISSION 31 #
################
## EN ##
The user veronica visits a lot http://localhost/waiting.php
## ES ##
La usuaria veronica visita mucho http://localhost/waiting.php
kira@venus:~$ curl -s -i http://localhost/waiting.php
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Im waiting for the user-agent PARADISE.
kira@venus:~$ curl -s -i http://localhost/waiting.php -A "PARADISE"
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 30 Jun 2024 18:41:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
QTOel6BodTx2cwX
|
32 veronica
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| kira@venus:~$ su -l veronica
Password:
veronica@venus:~$ ls -la
total 32
drwxr-x--- 2 root veronica 4096 Apr 5 06:27 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 veronica veronica 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 veronica veronica 3559 Apr 5 06:28 .bashrc
-rw-r--r-- 1 veronica veronica 807 Apr 23 2023 .profile
-rw-r----- 1 root veronica 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root veronica 228 Apr 5 06:27 mission.txt
veronica@venus:~$ cat flagz.txt
8===iSSeKzoDXsKy8WPuqNPg===D~~
veronica@venus:~$ cat mission.txt
################
# MISSION 0x32 #
################
## EN ##
The user veronica uses a lot the password from lana, so she created an alias.
## ES ##
La usuaria veronica usa mucho la password de lana, asi que ha creado un alias.
veronica@venus:~$ alias
alias lanapass='UWbc0zNEVVops1v'
alias ls='ls --color=auto'
|
33 lana
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
| veronica@venus:~$ su -l lana
Password:
lana@venus:~$ ls -la
total 44
drwxr-x--- 2 root lana 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 lana lana 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 lana lana 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 lana lana 807 Apr 23 2023 .profile
-rw-r----- 1 root lana 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root lana 161 Apr 5 06:27 mission.txt
-rw-r----- 1 root lana 10240 Apr 5 06:28 zip.gz
lana@venus:~$ cat flagz.txt
8===um3Hno2AsjFjuLWsfmDj===D~~
lana@venus:~$ cat mission.txt
################
# MISSION 0x33 #
################
## EN ##
The user noa loves to compress her things.
## ES ##
A la usuaria noa le gusta comprimir sus cosas.
lana@venus:~$ gunzip -h
Usage: gzip [OPTION]... [FILE]...
Compress or uncompress FILEs (by default, compress FILES in-place).
Mandatory arguments to long options are mandatory for short options too.
-c, --stdout write on standard output, keep original files unchanged
-d, --decompress decompress
-f, --force force overwrite of output file and compress links
-h, --help give this help
-k, --keep keep (don't delete) input files
-l, --list list compressed file contents
-L, --license display software license
-n, --no-name do not save or restore the original name and timestamp
-N, --name save or restore the original name and timestamp
-q, --quiet suppress all warnings
-r, --recursive operate recursively on directories
--rsyncable make rsync-friendly archive
-S, --suffix=SUF use suffix SUF on compressed files
--synchronous synchronous output (safer if system crashes, but slower)
-t, --test test compressed file integrity
-v, --verbose verbose mode
-V, --version display version number
-1, --fast compress faster
-9, --best compress better
With no FILE, or when FILE is -, read standard input.
Report bugs to <bug-gzip@gnu.org>.
lana@venus:~$ gunzip -d zip.gz
gzip: zip.gz: not in gzip format
lana@venus:~$ file zip.gz
zip.gz: POSIX tar archive (GNU)
lana@venus:~$ cat zip.gz
pwned/lana/zip0000644000000000000000000000002014603715036012326 0ustar rootroot9WWOPoeJrq6ncvJ
|
34 noa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
| lana@venus:~$ su -l noa
Password:
noa@venus:~$ ls -la
total 36
drwxr-x--- 2 root noa 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 noa noa 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 noa noa 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 noa noa 807 Apr 23 2023 .profile
-rw-r----- 1 root noa 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root noa 159 Apr 5 06:27 mission.txt
-rw-r----- 1 root noa 3818 Apr 5 06:28 trash
noa@venus:~$ cat flagz.txt
8===HUNGevKdeKwcCvJru1CC===D~~
noa@venus:~$ cat mission.txt
################
# MISSION 0x34 #
################
## EN ##
The password of maia is surrounded by trash
## ES ##
La password de maia esta rodeada de basura
venus:~$ file trash
trash: data
noa@venus:~$ strings trash
b;pK
*&dv
|.-
wsG9
D55-
\|gu
1q#^
YV!)}
f}nP
T735
5GOj'
g3-5v)S~hK
{Xu7
O;rTl,
]Bokc
04`0
X:Uf
;Vtr3
`vr)
k` I
<(;pQ
@$LiJ
u7TI
*Q{r%
;%gzDB
b%/*
3g?d
=I+"
xfFN
\nh1hnDPHpydEjoEN
! 2L~8
JmN8
@%`j
, ^,
e&xvN2
_cKn
.c|0
)|hd&
hl(p
fEr:
OdBb
?OsP
dnN9
J7e(
JL6(
wI;%vz
apPD
a5qi
|otr
4TTm
toyi
*f|F
.%J`t
noa@venus:~$ strings trash | grep -E '^.{15,}$'
\nh1hnDPHpydEjoEN
|
-E 正则^ 行的开始. 表示任意字符- {15,} 数量下限为15
$ 行尾
35 maia
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| noa@venus:~$ su -l maia
Password:
maia@venus:~$ ls -la
total 36
drwxr-x--- 2 root maia 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 maia maia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 maia maia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 maia maia 807 Apr 23 2023 .profile
-rw-r----- 1 root maia 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root maia 16 Apr 5 06:28 forget
-rw-r----- 1 root maia 317 Apr 5 06:27 mission.txt
maia@venus:~$ cat flagz.txt
8===nu8IDScKFAXVcnFutKtG===D~~
maia@venus:~$ cat mission.txt
################
# MISSION 0x35 #
################
## EN ##
The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters.
## ES ##
La usuaria gloria ha olvidado los 2 ultimos caracteres de su password... Solo recuerdan que eran 2 letras minusculas.
maia@venus:~$ cat forget
v7xUVE2e5bjUc??
hgbe02@pwn:~/temp$ for a in {a..z}; do for b in {a..z}; do echo "v7xUVE2e5bjUc$a$b" >> pass; done; done
hgbe02@pwn:~/temp$ head -n 20 pass
v7xUVE2e5bjUcaa
v7xUVE2e5bjUcab
v7xUVE2e5bjUcac
v7xUVE2e5bjUcad
v7xUVE2e5bjUcae
v7xUVE2e5bjUcaf
v7xUVE2e5bjUcag
v7xUVE2e5bjUcah
v7xUVE2e5bjUcai
v7xUVE2e5bjUcaj
v7xUVE2e5bjUcak
v7xUVE2e5bjUcal
v7xUVE2e5bjUcam
v7xUVE2e5bjUcan
v7xUVE2e5bjUcao
v7xUVE2e5bjUcap
v7xUVE2e5bjUcaq
v7xUVE2e5bjUcar
v7xUVE2e5bjUcas
v7xUVE2e5bjUcat
hgbe02@pwn:~/temp$ hydra -l gloria -P pass ssh://venus.hackmyvm.eu:5000
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 03:14:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 676 login tries (l:1/p:676), ~43 tries per task
[DATA] attacking ssh://venus.hackmyvm.eu:5000/
[STATUS] 98.00 tries/min, 98 tries in 00:01h, 579 to do in 00:06h, 16 active
[STATUS] 103.33 tries/min, 310 tries in 00:03h, 367 to do in 00:04h, 16 active
[5000][ssh] host: venus.hackmyvm.eu login: gloria password: v7xUVE2e5bjUcxw
[STATUS] 96.57 tries/min, 676 tries in 00:07h, 1 to do in 00:01h, 2 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 03:21:19
|
36 gloria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
| maia@venus:~$ su -l gloria
Password:
gloria@venus:~$ ls -la
total 36
drwxr-x--- 2 root gloria 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 gloria gloria 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 gloria gloria 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 gloria gloria 807 Apr 23 2023 .profile
-rw-r----- 1 root gloria 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root gloria 1713 Apr 5 06:28 image
-rw-r----- 1 root gloria 222 Apr 5 06:27 mission.txt
gloria@venus:~$ cat flagz.txt
8===RZIkEtaEp18tLslTopJj===D~~
gloria@venus:~$ cat mission.txt
################
# MISSION 0x36 #
################
## EN ##
User alora likes drawings, that's why she saved her password as ...
## ES ##
A la usuaria alora le gustan los dibujos, por eso ha guardado su password como...
gloria@venus:~$ file image
image: ASCII text
gloria@venus:~$ cat image
##########################################################
##########################################################
##########################################################
##########################################################
######## ########## ## ########
######## ########## ## ## #### ########## ########
######## ## ## ## ## ###### ## ## ########
######## ## ## #### ######## ## ## ########
######## ## ## ## #### ## ## ########
######## ########## ## #### ########## ########
######## ## ## ## ## ########
######################## #### ##########################
######## ## #### #### ## ## ## ##########
############ ###### ## ## ## ########
######## ## ## ## ## #### ## ########
############## ## ## ###### ## #### ########
############ ## ## ######## ## ## ##########
######################## #### ## ## #### ########
######## ## #### ## ##########
######## ########## ###### ########## #### ##########
######## ## ## #### ## ###### ########
######## ## ## ## ## ###### ## #### ########
######## ## ## #### ## ## ## ########
######## ########## ## #### ## ##################
######## ## ## ##########
##########################################################
##########################################################
##########################################################
##########################################################
|
拿微信扫一下得到密码:mhrTFCoxGoqUxtw
37 alora
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
| gloria@venus:~$ su -l alora
Password:
alora@venus:~$ ls -la
total 384
drwxr-x--- 2 root alora 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 alora alora 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 alora alora 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 alora alora 807 Apr 23 2023 .profile
-rw-r----- 1 root alora 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root alora 176 Apr 5 06:27 mission.txt
-rw-r----- 1 root alora 360448 Apr 5 06:28 music.iso
alora@venus:~$ cat flagz.txt
8===NSe78N2lM7IbvHzvrC0G===D~~
alora@venus:~$ cat mission.txt
################
# MISSION 0x37 #
################
## EN ##
The user julie has created an iso with her password.
## ES ##
La usuaria julie ha creado una iso con su password.
alora@venus:~$ file music.iso
music.iso: ISO 9660 CD-ROM filesystem data 'CDROM'
alora@venus:~$ strings music.iso
CD001
LINUX CDROM
GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
2024040506284600
2024040506284600
0000000000000000
2024040506284600
CD001
MUSIC.ZIP;1RR
music.zipPX$
RRIP_1991ATHE ROCK RIDGE INTERCHANGE PROTOCOL PROVIDES SUPPORT FOR POSIX FILE SYSTEM SEMANTICSPLEASE CONTACT DISC PUBLISHER FOR SPECIFICATION SOURCE. SEE PUBLISHER IDENTIFIER IN PRIMARY VOLUME DESCRIPTOR FOR CONTACT INFORMATION.
pwned/alora/music.txtUT
sjDf4i2MSNgSvOv
pwned/alora/music.txtUT
|
得到密码,尝试常规做法挂载试试:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| alora@venus:~$ mkdir /tmp/temp_music
alora@venus:~$ mount -o loop music.iso /tmp/temp_music
mount: /tmp/temp_music: mount failed: Operation not permitted.
alora@venus:~$ sudo mount -o loop music.iso /tmp/temp_music
[sudo] password for alora:
alora is not in the sudoers file.
This incident has been reported to the administrator.
# 传到本地机器中
hgbe02@pwn:~/temp$ mkdir /tmp/music
hgbe02@pwn:~/temp$ sudo mount -o loop music.iso /tmp/music
[sudo] password for hgbe02:
mount: /tmp/music: WARNING: source write-protected, mounted read-only.
hgbe02@pwn:~/temp$ unzip /tmp/music/music.zip -d tmp
Archive: /tmp/music/music.zip
extracting: tmp/pwned/alora/music.txt
hgbe02@pwn:~/temp$ cat /tmp/pwned/a;ora/music.txt
cat: /tmp/pwned/a: No such file or directory
-bash: ora/music.txt: No such file or directory
hgbe02@pwn:~/temp$ cat tmp/pwned/alora/music.txt
sjDf4i2MSNgSvOv
hgbe02@pwn:~/temp$ sudo umount /tmp/music
|
这里下载到本地,我是用的termius,然后SFTP传过来的。
38 julie
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| alora@venus:~$ su -l julie
Password:
julie@venus:~$ ls -la
total 48
drwxr-x--- 2 root julie 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 julie julie 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 julie julie 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 julie julie 807 Apr 23 2023 .profile
-rw-r----- 1 root julie 4802 Apr 5 06:28 1.txt
-rw-r----- 1 root julie 4802 Apr 5 06:28 2.txt
-rw-r----- 1 root julie 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root julie 192 Apr 5 06:27 mission.txt
julie@venus:~$ cat flagz.txt
8===Iwe1QpxTcx0A8Uusqjfe===D~~
julie@venus:~$ cat mission.txt
################
# MISSION 0x38 #
################
## EN ##
The user irene believes that the beauty is in the difference.
## ES ##
La usuaria irene cree que en la diferencia esta lo bonito.
julie@venus:~$ diff 1.txt 2.txt
174c174
< 8VeRLEFkBpe2DSD
---
> aNHRdohjOiNizlU
|
俩都有可能,尝试一下是否可以进行切换。
39 irene
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| julie@venus:~$ su -l irene
Password:
irene@venus:~$ ls -la
total 44
drwxr-x--- 2 root irene 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 irene irene 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 irene irene 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 irene irene 807 Apr 23 2023 .profile
-rw-r----- 1 root irene 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root irene 1704 Apr 5 06:28 id_rsa.pem
-rw-r----- 1 root irene 451 Apr 5 06:28 id_rsa.pub
-rw-r----- 1 root irene 178 Apr 5 06:27 mission.txt
-rw-r----- 1 root irene 256 Apr 5 06:28 pass.enc
irene@venus:~$ cat flagz.txt
8===c9hgLkLGzsNw7mB3VEr4===D~~
irene@venus:~$ cat mission.txt
################
# MISSION 0x39 #
################
## EN ##
The user adela has lent her password to irene.
## ES ##
La usuaria adela le ha dejado prestada su password a irene.
irene@venus:~$ openssl pkeyutl -decrypt -inkey id_rsa.pem -in pass.enc
nbhlQyKuaXGojHx
|
40 adela
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| irene@venus:~$ su -l adela
Password:
adela@venus:~$ ls -la
total 36
drwxr-x--- 2 root adela 4096 Apr 5 06:28 .
drwxr-xr-x 1 root root 4096 Apr 5 06:27 ..
-rw-r--r-- 1 adela adela 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 adela adela 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 adela adela 807 Apr 23 2023 .profile
-rw-r----- 1 root adela 31 Apr 5 06:27 flagz.txt
-rw-r----- 1 root adela 213 Apr 5 06:27 mission.txt
-rw-r----- 1 root adela 44 Apr 5 06:28 wtf
adela@venus:~$ cat flagz.txt
8===86XGXQefUeV2eEdrUzxx===D~~
adela@venus:~$ cat mission.txt
################
# MISSION 0x40 #
################
## EN ##
User sky has saved her password to something that can be listened to.
## ES ##
La usuaria sky ha guardado su password en algo que puede ser escuchado.
adela@venus:~$ cat wtf
.--. .- .--. .- .--. .- .-. .- -.. .. ... .
|
使用cyberchef进行解密,是莫斯密码:PAPAPARADISE,小写即为papaparadise