Host: venus.hackmyvm.eu Port: 5000 User: hacker Pass: havefun!
# 001
hacker@venus:~$ cat mission.txt
################
# MISSION 0x01 #
################
## EN ##
User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.
## ES ##
La usuaria sophia ha guardado su contraseña en un fichero oculto en esta carpeta.Encuentralo y logueate como sophia.
hacker@venus:~$ ls -al
total 40
drwxr-x--- 2 root hacker 4096 Apr 5 2024 .
drwxr-xr-x 1 root root 4096 Apr 5 2024 ..
-rw-r----- 1 root hacker 31 Apr 5 2024 ...
-rw-r--r-- 1 hacker hacker 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 hacker hacker 3526 Apr 23 2023 .bashrc
-rw-r----- 1 root hacker 16 Apr 5 2024 .myhiddenpazz
-rw-r--r-- 1 hacker hacker 807 Apr 23 2023 .profile
-rw-r----- 1 root hacker 287 Apr 5 2024 mission.txt
-rw-r----- 1 root hacker 2542 Apr 5 2024 readme.txt
hacker@venus:~$ cat .myhiddenpazz
Y1o645M3mR84ejc
hacker@venus:~$ su sophia
Password:
sophia@venus:/pwned/hacker$ cd ~
sophia@venus:~$ ls -al
total 32
drwxr-x--- 2 root sophia 4096 Apr 5 2024 .
drwxr-xr-x 1 root root 4096 Apr 5 2024 ..
-rw-r--r-- 1 sophia sophia 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 sophia sophia 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 sophia sophia 807 Apr 23 2023 .profile
-rw-r----- 1 root sophia 31 Apr 5 2024 flagz.txt
-rw-r----- 1 root sophia 359 Apr 5 2024 mission.txt
sophia@venus:~$ cat flagz.txt
8===LUzzNuv8NB59iztWUIQS===D~~
拿到 flag
# 002
sophia@venus:~$ cat mission.txt
################
# MISSION 0x02 #
################
## EN ##
The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt
## ES ##
La usuaria angela ha guardado su password en un fichero pero no recuerda donde... solo recuerda que el fichero se llamaba whereismypazz.txt
sophia@venus:~$ find / -type f -name whereismypazz.txt 2>/dev/null
/usr/share/whereismypazz.txt
sophia@venus:~$ cat /usr/share/whereismypazz.txt
oh5p9gAABugHBje
sophia@venus:~$ su angela
Password:
angela@venus:/pwned/sophia$ cd ~
angela@venus:~$ cat flagz.txt
8===SjMYBmMh4bk49TKq7PM8===D~~
获取 flag
# 003
angela@venus:~$ cat mission.txt
################
# MISSION 0x03 #
################
## EN ##
The password of the user emma is in line 4069 of the file findme.txt
## ES ##
La password de la usuaria emma esta en la linea 4069 del fichero findme.txt
angela@venus:~$ cat findme.txt | head -n 4069 | tail -n 1
fIvltaGaq0OUH8O
angela@venus:~$ su emma
Password:
emma@venus:/pwned/angela$ cd ~
emma@venus:~$ cat flagz.txt
8===0daqdDlmd9XogkiHu4yq===D~~
得到 flag
# 004
emma@venus:~$ cat mission.txt
################
# MISSION 0x04 #
################
## EN ##
User mia has left her password in the file -.
## ES ##
La usuaria mia ha dejado su password en el fichero -.
emma@venus:~$ cat ./-
iKXIYg0pyEH2Hos
emma@venus:~$ su mia
Password:
mia@venus:/pwned/emma$ cd ~
mia@venus:~$ cat flagz.txt
8===FBMdY8hel2VMA3BaYJin===D~~
# 005
mia@venus:~$ cat mission.txt
################
# MISSION 0x05 #
################
## EN ##
It seems that the user camila has left her password inside a folder called hereiam
## ES ##
Parece que la usuaria camila ha dejado su password dentro de una carpeta llamada hereiam
mia@venus:~$ find -type d -name hereiam 2>/dev/null
mia@venus:~$ find / -type d -name hereiam 2>/dev/null
/opt/hereiam
mia@venus:~$ cat /opt/hereiam/.here
F67aDmCAAgOOaOc
mia@venus:~$ su camila
Password:
camila@venus:/pwned/mia$ cd ~
camila@venus:~$ cat flagz.txt
8===iDIi5sm1mDuqGmU5Psx6===D~~
# 006
camila@venus:~$ cat mission.txt
################
# MISSION 0x06 #
################
## EN ##
The user luna has left her password in a file inside the muack folder.
## ES ##
La usuaria luna ha dejado su password en algun fichero dentro de la carpeta muack.
camila@venus:~$ find muack/ -type f -exec cat {} \;
j3vkuoKQwvbhkMc
camila@venus:~$ su luna
Password:
luna@venus:/pwned/camila$ cd ~
luna@venus:~$ cat flagz.txt
8===KCO34FpIq3nBmHbyZvFh===D~~
# 007
luna@venus:~$ cat mission.txt
################
# MISSION 0x07 #
################
## EN ##
The user eleanor has left her password in a file that occupies 6969 bytes.
## ES ##
La usuaria eleanor ha dejado su password en un fichero que ocupa 6969 bytes.
luna@venus:~$ find / -type f -size 6969c -exec cat {} \; 2>/dev/null
UNDchvln6Bmtu7b
luna@venus:~$ su eleanor
Password:
eleanor@venus:/pwned/luna$ cd ~
eleanor@venus:~$ cat flagz.txt
8===Iq5vbyiQl4ipNrLDArjD===D~~
# 008
eleanor@venus:~$ cat mission.txt
################
# MISSION 0x08 #
################
## EN ##
The user victoria has left her password in a file in which the owner is the user violin.
## ES ##
La usuaria victoria ha dejado su password en un fichero en el cual el propietario es el usuario violin.
eleanor@venus:~$ find / -user violin -type f -exec cat {} \; 2>/dev/null
pz8OqvJBFxH0cSj
eleanor@venus:~$ su victoria
Password:
victoria@venus:/pwned/eleanor$ cd ~
victoria@venus:~$ cat flagz.txt
8===NWyTFi9LLqVsZ4OnuZYN===D~~
# 009
目录下面没有写入权限 (750),所以解压到 tmp 目录下
victoria@venus:~$ cat mission.txt
################
# MISSION 0x09 #
################
## EN ##
The user isla has left her password in a zip file.
## ES ##
La usuaria isla ha dejado su password en un fichero zip.
victoria@venus:~$ ls -al
total 36
drwxr-x--- 2 root victoria 4096 Apr 5 2024 .
drwxr-xr-x 1 root root 4096 Apr 5 2024 ..
-rw-r--r-- 1 victoria victoria 220 Apr 23 2023 .bash_logout
-rw-r----- 1 root victoria 3569 Apr 5 2024 .bashrc
-rw-r--r-- 1 victoria victoria 807 Apr 23 2023 .profile
-rw-r----- 1 root victoria 31 Apr 5 2024 flagz.txt
-rw-r----- 1 root victoria 179 Apr 5 2024 mission.txt
-rw-r----- 1 root victoria 220 Apr 5 2024 passw0rd.zip
victoria@venus:~$ unzip passw0rd.zip -d /tmp
Archive: passw0rd.zip
replace /tmp/pwned/victoria/passw0rd.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
extracting: /tmp/pwned/victoria/passw0rd.txt
victoria@venus:~$ cat /tmp/pwned/victoria/passw0rd.txt
D3XTob0FUImsoBb
victoria@venus:~$ su isla
Password:
isla@venus:/pwned/victoria$ cd ~
isla@venus:~$ cat flagz.txt
8===ZyZqc1suvGe4QlkZHFlq===D~~
# 010
sla@venus:~$ cat mission.txt
################
# MISSION 0x10 #
################
## EN ##
The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.).
## ES ##
El password de la usuaria violet esta en la linea que empieza por a9HFX (sin ser estos 5 caracteres parte de su password.).
isla@venus:~$ grep ^a9HFX passy
a9HFXWKINVzNQLKLDVAc
isla@venus:~$ su violet
Password:
violet@venus:/pwned/isla$ cd ~
violet@venus:~$ cat flagz.txt
8===LzErk0qFPYJj16mNnnYZ===D~~
# 011
violet@venus:~$ cat mission.txt
################
# MISSION 0x11 #
################
## EN ##
The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password)
## ES ##
El password de la usuaria lucy se encuentra en la linea que acaba por 0JuAZ (sin ser estos ultimos 5 caracteres parte de su password)
violet@venus:~$ ls -al
total 52
drwxr-x--- 2 root violet 4096 Apr 5 2024 .
drwxr-xr-x 1 root root 4096 Apr 5 2024 ..
-rw-r--r-- 1 violet violet 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 violet violet 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 violet violet 807 Apr 23 2023 .profile
-rw-r----- 1 root violet 16947 Apr 5 2024 end
-rw-r----- 1 root violet 31 Apr 5 2024 flagz.txt
-rw-r----- 1 root violet 327 Apr 5 2024 mission.txt
violet@venus:~$ grep 0JuAZ$ end
OCmMUjebG53giud0JuAZ
violet@venus:~$ su lucy
Password:
lucy@venus:/pwned/violet$ cd ~
lucy@venus:~$ cat flagz.txt
8===AdCJ4wl8pmbhi770Xbd3===D~~
# 012
lucy@venus:~$ cat mission.txt
################
# MISSION 0x12 #
################
## EN ##
The password of the user elena is between the characters fu and ck
## ES ##
El password de la usuaria elena esta entre los caracteres fu y ck
lucy@venus:~$ ls
file.yo flagz.txt mission.txt
lucy@venus:~$ grep ^fu.*ck$ file.yo
fu4xZ5lIKYmfPLg9tck
lucy@venus:~$ su elena
Password:
elena@venus:/pwned/lucy$ cd ~
elena@venus:~$ cat flagz.txt
8===st1pTdqEQ0bvrJfWGwLA===D~~
# 0xA
elena@venus:~$ cat mission.txt
################
# MISSION 0x13 #
################
## EN ##
The user alice has her password is in an environment variable.
## ES ##
La password de alice esta en una variable de entorno.
elena@venus:~$ env | grep FLAG
FLAG=8===KsRAuDDjwjbsukXNIAjI===D~~
# 013
elena@venus:~$ cat mission.txt
################
# MISSION 0x13 #
################
## EN ##
The user alice has her password is in an environment variable.
## ES ##
La password de alice esta en una variable de entorno.
elena@venus:~$ env | grep PASS
PASS=Cgecy2MY2MWbaqt
elena@venus:~$ su alice
Password:
alice@venus:/pwned/elena$ cd ~
alice@venus:~$ cat flagz.txt
8===Qj4NNWp8LOC96S9Rtgrk===D~~
# 014
alice@venus:~$ cat mission.txt
################
# MISSION 0x14 #
################
## EN ##
The admin has left the password of the user anna as a comment in the file passwd.
## ES ##
El admin ha dejado la password de anna como comentario en el fichero passwd.
alice@venus:~$ awk -F: '{ print $5 }' /etc/passwd | grep -v ^$
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
Mailing List Manager
ircd
nobody
systemd Network Management
MySQL Server,,,
systemd Time Synchronization
w8NvY27qkpdePox
alice@venus:~$ su anna
Password:
anna@venus:/pwned/alice$ cd ~
anna@venus:~$ cat flagz.txt
8===5Y3DhT66fa6Da8RpLKG0===D~~
# 015
anna@venus:~$ cat mission.txt
################
# MISSION 0x15 #
################
## EN ##
Maybe sudo can help you to be natalia.
## ES ##
Puede que sudo te ayude para ser natalia.
anna@venus:~$ sudo -l
Matching Defaults entries for anna on venus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User anna may run the following commands on venus:
(natalia) NOPASSWD: /bin/bash
anna@venus:~$ sudo -u natalia /bin/bash
natalia@venus:/pwned/anna$ cd ~
natalia@venus:~$ cat flagz.txt
8===JWHa1GQq1AYrBWNXEJrH===D~~
# 016
natalia@venus:~$ cat mission.txt
################
# MISSION 0x16 #
################
## EN ##
The password of user eva is encoded in the base64.txt file
## ES ##
El password de eva esta encodeado en el fichero base64.txt
natalia@venus:~$ cat base64.txt | base64 -d
upsCA3UFu10fDAO
natalia@venus:~$ su eva
Password:
eva@venus:/pwned/natalia$ cd ~
eva@venus:~$ cat flagz.txt
8===22cqk3iGkGYVqnYrHiof===D~~
# 017
(2023-1970)*365=19345,时间戳最开始的时间是 1970
-mtime 参数是以修改时间进行筛选
+19345 表示查找最后修改时间距离现在超过 19345 天的文件。 mtime 是以天为单位的,所以这个数字代表大约 53 年。
eva@venus:~$ cat mission.txt
################
# MISSION 0x17 #
################
## EN ##
The password of the clara user is found in a file modified on May 1, 1968.
## ES ##
La password de la usuaria clara se encuentra en un fichero modificado el 01 de Mayo de 1968.
eva@venus:~$ find / -type f -mtime +19345 -exec cat {} \; 2>/dev/null
39YziWp5gSvgQN9
eva@venus:~$ su clara
Password:
clara@venus:/pwned/eva$ cd ~
clara@venus:~$ cat flagz.txt
8===EJWmHDEQeEN1vIR7NYiH===D~~
# 018
在 kali 机器上下载要破解的 zip scp -P 5000 [email protected]:~/protected.zip ./
┌──(root㉿gddfeng)-[~]
└─# gzip -d /usr/share/wordlists/rockyou.txt.gz
┌──(root㉿gddfeng)-[~]
└─# zip2john protected.zip > hash
Created directory: /root/.john
ver 1.0 efh 5455 efh 7875 protected.zip/pwned/clara/protected.txt PKZIP Encr: 2b chk, TS_chk, cmplen=28, decmplen=16, crc=239F7473 ts=3383 cs=3383 type=0
┌──(root㉿gddfeng)-[~]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass123 (protected.zip/pwned/clara/protected.txt)
1g 0:00:00:00 DONE (2024-10-09 10:59) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿gddfeng)-[~]
└─# unzip protected.zip
Archive: protected.zip
[protected.zip] pwned/clara/protected.txt password:
extracting: pwned/clara/protected.txt
┌──(root㉿gddfeng)-[~]
└─# cat pwned/clara/protected.txt
Ed4ErEUJEaMcXli
得到密码 Ed4ErEUJEaMcXli
clara@venus:~$ cat mission.txt
################
# MISSION 0x18 #
################
## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you)
## ES ##
La password de frida esta en el zip protegido con password.(rockyou.txt puede ayudarte)
clara@venus:~$ su frida
Password:
frida@venus:/pwned/clara$ cd ~;cat flagz.txt
8===Ikg2qj8KT2bGJtWvR6hC===D~~
# 019
################
# MISSION 0x19 #
################
## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt.
## ES ##
La password de eliza es el unico string que se repite (sin estar ordenado) en repeated.txt.
frida@venus:~$ uniq -d repeated.txt
Fg6b6aoksceQqB9
frida@venus:~$ su eliza
Password:
eliza@venus:/pwned/frida$ cd ~;cat flagz.txt
8===zwWIPyDf2ozwVhCTxm1I===D~~
# 020
################
# MISSION 0x20 #
################
## EN ##
The user iris has left me her key.
## ES ##
La usuaria iris me ha dejado su key.
eliza@venus:~$ ssh [email protected] -i .iris_key
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:JQMeqhRR4E5l3ltY/S1hK0srs1Q3KaXzC6Qga/MvPqM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
iris@venus:~$ cat flagz.txt
8===ClrdWOqlZ1vL61zSk9Va===D~~
# 021
iris@venus:~$ cat mission.txt
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
## ES ##
La usuaria eloise ha guardado su password de una forma particular.
iris@venus:~$ ls -al
total 60
drwxr-x--- 3 root iris 4096 Apr 5 2024 .
drwxr-xr-x 1 root root 4096 Apr 5 2024 ..
-rw-r--r-- 1 iris iris 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 iris iris 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 iris iris 807 Apr 23 2023 .profile
drwxr-xr-x 2 root root 4096 Apr 5 2024 .ssh
-rw-r----- 1 root iris 17484 Apr 5 2024 eloise
-rw-r----- 1 root iris 31 Apr 5 2024 flagz.txt
-rw-r----- 1 root iris 16 Apr 5 2024 irispass.txt
-rw-r----- 1 root iris 195 Apr 5 2024 mission.txt
