vens 01-20

HackMyVm - venus(1-20)

0x01 隐藏文件查找

################
# MISSION 0x01 #
################

## EN ##
User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.

hacker@venus:~$ ls -al
total 44
drwxr-x--- 1 root   hacker 4096 Jul 26  2023 .
drwxr-xr-x 1 root   root   4096 Jul 26  2023 ..
-rw-r----- 1 root   hacker   31 Jul 26  2023 ...
-rw-r--r-- 1 hacker hacker  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hacker hacker 3621 Aug 10  2023 .bashrc
-rw-r----- 1 root   hacker   16 Jul 26  2023 .myhiddenpazz
-rw-r--r-- 1 hacker hacker  807 Apr 23  2023 .profile
-rw-r----- 1 root   hacker  287 Jul 26  2023 mission.txt
-rw-r----- 1 root   hacker 2542 Jul 26  2023 readme.txt

查看隐藏文件

hacker@venus:~$ cat .myhiddenpazz
Y1o645M3mR84ejc

切换到 sophia 用户

hacker@venus:~$ su - sophia

0x02 根据文件名寻找文件

################
# MISSION 0x02 #
################

## EN ##
The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt

sophia@venus:~$ whereis whereismypazz.txt
whereismypazz.txt: /usr/share/whereismypazz.txt
sophia@venus:~$ cat /usr/share/whereismypazz.txt
oh5p9gAABugHBje

0x03 指定行查询

################
# MISSION 0x03 #
################

## EN ##
The password of the user emma is in line 4069 of the file findme.txt

angela@venus:~$ sed -n '4069p' findme.txt
fIvltaGaq0OUH8O

找到文件的第 4069 行

0x04 读取文件名是-的文件

################
# MISSION 0x04 #
################

## EN ##
User mia has left her password in the file -.

emma@venus:~$ cat ./-
iKXIYg0pyEH2Hos

0x05 查找文件夹

################
# MISSION 0x05 #
################

## EN ##
It seems that the user camila has left her password inside a folder called hereiam

mia@venus:~$ find / -type d -name hereiam 2>/dev/null
/opt/hereiam
mia@venus:~$ ls /opt/hereiam -al
total 12
drwxr-xr-x 2 root root 4096 Jul 26  2023 .
drwxr-xr-x 1 root root 4096 Jul 26  2023 ..
-rw-r--r-- 1 root root   16 Jul 26  2023 .here
mia@venus:~$ cat /opt/hereiam/.here
F67aDmCAAgOOaOc

0x06 根据文件类型查找

################
# MISSION 0x06 #
################

## EN ##
The user luna has left her password in a file inside the muack folder.

camila@venus:~$ ls
flagz.txt  mission.txt  muack
camila@venus:~/muack$ find ./ -type f 2>/dev/null
./111/111/muack
camila@venus:~$ cat muack/111/111/muack
j3vkuoKQwvbhkMc

0x07 根据文件大小查找

################
# MISSION 0x07 #
################

## EN ##
The user eleanor has left her password in a file that occupies 6969 bytes.

luna@venus:~$ find / -type f -size 6969c 2>/dev/null
/usr/share/moon.txt
luna@venus:~$ cat /usr/share/moon.txt
UNDchvln6Bmtu7b

0x08 根据所有者查找

################
# MISSION 0x08 #
################

## EN ##
The user victoria has left her password in a file in which the owner is the user violin.

eleanor@venus:~$ find / -user violin 2>/dev/null
/usr/local/games/yo
eleanor@venus:~$ cat /usr/local/games/yo
pz8OqvJBFxH0cSj

0x09 解压缩包

################
# MISSION 0x09 #
################

## EN ##
The user isla has left her password in a zip file.

-p	与-c 参数类似，会将解压缩的结果显示到屏幕上，但不会执行任何的转换；

victoria@venus:~$ unzip -p pass*
D3XTob0FUImsoBb
还可以解压到tmp进行查看

0x10 查找指定开头行

################
# MISSION 0x10 #
################

## EN ##
The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.).

isla@venus:~$ grep '^a9HFX' passy
a9HFXWKINVzNQLKLDVAc

0x11 查找指定结尾行

################
# MISSION 0x11 #
################

## EN ##
The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password

violet@venus:~$ grep '0JuAZ$' end
OCmMUjebG53giud0JuAZ

0x12 指定开有结尾查找字符

################
# MISSION 0x12 #
################

## EN ##
The password of the user elena is between the characters fu and ck

lucy@venus:~$ egrep 'fu(.*)ck' file.yo
fu4xZ5lIKYmfPLg9tck
lucy@venus:~$ grep '^fu.*ck$' file.yo
fu4xZ5lIKYmfPLg9tck

0x13 查看环境变量

################
# MISSION 0x13 #
################

## EN ##
The user alice has her password is in an environment variable.

elena@venus:~$ env | grep PASS
PASS=Cgecy2MY2MWbaqt

printenv或export

0x14 查看 passwd 文件

################
# MISSION 0x14 #
################

## EN ##
The admin has left the password of the user anna as a comment in the file passwd.

alice@venus:~$ cat /etc/passwd | grep 'alice'
alice:x:1014:1014:w8NvY27qkpdePox:/pwned/alice:/bin/bash

0x15 sudo 无密码提权

################
# MISSION 0x15 #
################

## EN ##
Maybe sudo can help you to be natalia.

anna@venus:~$ sudo -l
Matching Defaults entries for anna on venus:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User anna may run the following commands on venus:
    (natalia) NOPASSWD: /bin/bash
anna@venus:~$ sudo -u natalia -i
-i 得到一个交互式shell

0x16 base64 解码

################
# MISSION 0x16 #
################

## EN ##
The password of user eva is encoded in the base64.txt file

natalia@venus:~$ cat base64.txt | base64 -d
upsCA3UFu10fDAO

0x17 按修改时间查找文件

################
# MISSION 0x17 #
################

## EN ##
The password of the clara user is found in a file modified on May 1, 1968.

-mtime<24小时数>：查找在指定时间曾被更改过的文件或目录，单位以24小时计算；
计算出天数是19000多天

eva@venus:~$ find / -mtime +19000 2>/dev/null
/usr/lib/cmdo

0x18 压缩包爆破

################
# MISSION 0x18 #
################

## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you)

clara@venus:~$ base64 protected.zip
UEsDBAoACQAAAMFG+lZzdJ8jHAAAABAAAAAZABwAcHduZWQvY2xhcmEvcHJvdGVjdGVkLnR4dFVU
CQADKd/AZCnfwGR1eAsAAQQAAAAABAAAAAA1p/4kJie4z6wyYuU5N9W7cQ5FIJb5UGmHTrylUEsH
CHN0nyMcAAAAEAAAAFBLAQIeAwoACQAAAMFG+lZzdJ8jHAAAABAAAAAZABgAAAAAAAEAAACkgQAA
AABwd25lZC9jbGFyYS9wcm90ZWN0ZWQudHh0VVQFAAMp38BkdXgLAAEEAAAAAAQAAAAAUEsFBgAA
AAABAAEAXwAAAH8AAAAAAA==

得到 base64，保存到本地，进行爆破

密码是pass123
clara@venus:~$ unzip -p protected.zip
[protected.zip] pwned/clara/protected.txt password:
Ed4ErEUJEaMcXli

0x19 查找重复行

################
# MISSION 0x19 #
################

## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt.

frida@venus:~$ uniq -d repeated.txt
eb5467ab16852b1
Fg6b6aoksceQqB9

-d 参数显示重复行

0x20 SSH 密钥登录

################
# MISSION 0x20 #
################

## EN ##
The user iris has left me her key.

eliza@venus:~$ ls -al
total 36
drwxr-x--- 2 root  eliza 4096 Jul 26  2023 .
drwxr-xr-x 1 root  root  4096 Jul 26  2023 ..
-rw-r--r-- 1 eliza eliza  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 eliza eliza 3526 Apr 23  2023 .bashrc
-rw-r----- 1 root  eliza 2602 Jul 26  2023 .iris_key
-rw-r--r-- 1 eliza eliza  807 Apr 23  2023 .profile
-rw-r----- 1 root  eliza   31 Jul 26  2023 flagz.txt
-rw-r----- 1 root  eliza  143 Jul 26  2023 mission.txt
eliza@venus:~$ ssh -i .iris_key iris@localhost

HackMyVm - venus(1-20)​

0x01 隐藏文件查找​

0x02 根据文件名寻找文件​

0x03 指定行查询​

0x04 读取文件名是-的文件​

0x05 查找文件夹​

0x06 根据文件类型查找​

0x07 根据文件大小查找​

0x08 根据所有者查找​

0x09 解压缩包​

0x10 查找指定开头行​

0x11 查找指定结尾行​

0x12 指定开有结尾查找字符​

0x13 查看环境变量​

0x14 查看 passwd 文件​

0x15 sudo 无密码提权​

0x16 base64 解码​

0x17 按修改时间查找文件​

0x18 压缩包爆破​

0x19 查找重复行​

0x20 SSH 密钥登录​

HackMyVm - venus(1-20)

0x01 隐藏文件查找

0x02 根据文件名寻找文件

0x03 指定行查询

0x04 读取文件名是-的文件

0x05 查找文件夹

0x06 根据文件类型查找

0x07 根据文件大小查找

0x08 根据所有者查找

0x09 解压缩包

0x10 查找指定开头行

0x11 查找指定结尾行

0x12 指定开有结尾查找字符

0x13 查看环境变量

0x14 查看 passwd 文件

0x15 sudo 无密码提权

0x16 base64 解码

0x17 按修改时间查找文件

0x18 压缩包爆破

0x19 查找重复行

0x20 SSH 密钥登录