venus(1-20)

HackmyVM-venus(1-20)

Host: venus.hackmyvm.eu
Port: 5000
User: hacker
Pass: havefun!

1. Find hidden files

################
# MISSION 0x01 #
################

## EN ##
User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.

## ES ##
La usuaria sophia ha guardado su contraseña en un fichero oculto en esta carpeta.Encuentralo y logueate como sophia.

hacker@venus:~$ ls -la
total 44
drwxr-x--- 1 root   hacker 4096 Apr  5  2024 .
drwxr-xr-x 1 root   root   4096 Apr  5  2024 ..
-rw-r----- 1 root   hacker   31 Apr  5  2024 ...
-rw-r--r-- 1 hacker hacker  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hacker hacker 3526 Apr 23  2023 .bashrc
-rw-r----- 1 root   hacker   16 Apr  5  2024 .myhiddenpazz
-rw-r--r-- 1 hacker hacker  807 Mar 26 14:29 .profile
-rw-r----- 1 root   hacker  287 Apr  5  2024 mission.txt
-rw-r----- 1 root   hacker 2542 Apr  5  2024 readme.txt
hacker@venus:~$ cat .myhiddenpazz
Y1o645M3mR84ejc
hacker@venus:~$ su - sophia
Password: 
-bash: q#: command not found
sophia@venus:~$ 

2. Find a file

################
# MISSION 0x02 #
################

## EN ##
The user angela has saved her password in a file but she does not remember where ...  she only remembers that the file was called whereismypazz.txt

## ES ##
La usuaria angela ha guardado su password en un fichero pero no recuerda donde...  solo recuerda que el fichero se llamaba whereismypazz.txt
sophia@venus:~$ find / -name whereismypazz.txt 2>/dev/null   
/usr/share/whereismypazz.txt
sophia@venus:~$ cat /usr/share/whereismypazz.txt
oh5p9gAABugHBje

3. Look up by line number

################
# MISSION 0x03 #
################

## EN ##
The password of the user emma is in line 4069 of the file findme.txt

## ES ##
La password de la usuaria emma esta en la linea 4069 del fichero findme.txt
angela@venus:~$ sed -n '4069p' findme.txt
fIvltaGaq0OUH8O

4. Read a file

################
# MISSION 0x04 #
################

## EN ##
User mia has left her password in the file -.
## ES ##
La usuaria mia ha dejado su password en el fichero -.
emma@venus:~$ cat ./-
iKXIYg0pyEH2Hos

5. Find a directory

################
# MISSION 0x05 #
################

## EN ##
It seems that the user camila has left her password inside a folder called hereiam 

## ES ##
Parece que la usuaria camila ha dejado su password dentro de una carpeta llamada hereiam
mia@venus:~$ find / -type d -name hereiam 2>/dev/null
/opt/hereiam
mia@venus:~$ cd /opt/hereiam
mia@venus:/opt/hereiam$ ls
mia@venus:/opt/hereiam$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr  5  2024 .
drwxr-xr-x 1 root root 4096 Apr  5  2024 ..
-rw-r--r-- 1 root root   16 Apr  5  2024 .here
mia@venus:/opt/hereiam$ cat .here
F67aDmCAAgOOaOc

6. Search by file type

################
# MISSION 0x06 #
################

## EN ##
The user luna has left her password in a file inside the muack folder. 

## ES ##
La usuaria luna ha dejado su password en algun fichero dentro de la carpeta muack.
camila@venus:~$ find ./muack -type f 2>/dev/null
./muack/111/111/muack
camila@venus:~$ cat ./muack/111/111/muack
j3vkuoKQwvbhkMc

7. Search by file size

################
# MISSION 0x07 #
################

## EN ##
The user eleanor has left her password in a file that occupies 6969 bytes. 

## ES ##
La usuaria eleanor ha dejado su password en un fichero que ocupa 6969 bytes.
luna@venus:~$ find / -type f -size 6969c 2>/dev/null
/usr/share/moon.txt
luna@venus:~$ cat /usr/share/moon.txt
UNDchvln6Bmtu7b

8. Search by owner

################
# MISSION 0x08 #
################

## EN ##
The user victoria has left her password in a file in which the owner is the user violin. 

## ES ##
La usuaria victoria ha dejado su password en un fichero en el cual el propietario es el usuario violin.
eleanor@venus:~$ find / -type f -user violin 2>/dev/null
/usr/local/games/yo
eleanor@venus:~$ cat /usr/local/games/yo                
pz8OqvJBFxH0cSj

9. Unzip an archive

################
# MISSION 0x09 #
################

## EN ##
The user isla has left her password in a zip file.

## ES ##
La usuaria isla ha dejado su password en un fichero zip.
victoria@venus:~$ unzip passw0rd.zip -d /tmp/pass
Archive:  passw0rd.zip
replace /tmp/pass/pwned/victoria/passw0rd.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: /tmp/pass/pwned/victoria/passw0rd.txt  
victoria@venus:~$ cat /tmp/pass/pwned/victoria/passw0rd.txt
D3XTob0FUImsoBb

10. String search: line beginning with xxx

################
# MISSION 0x10 #
################

## EN ##
The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). 

## ES ##
El password de la usuaria violet esta en la linea que empieza por a9HFX (sin ser estos 5 caracteres parte de su password.).
isla@venus:~$ cat passy | grep -n "^a9HFX"
708:a9HFXWKINVzNQLKLDVAc

11. String search: line ending with xxx

################
# MISSION 0x11 #
################

## EN ##
The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password) 

## ES ##
El password de la usuaria lucy se encuentra en la linea que acaba por 0JuAZ (sin ser estos ultimos 5 caracteres parte de su password)
violet@venus:~$ cat end | grep -n "0JuAZ$"
505:OCmMUjebG53giud0JuAZ

12. String search: line beginning with xxx and ending with xxx

################
# MISSION 0x12 #
################

## EN ##
The password of the user elena is between the characters fu and ck 

## ES ##
El password de la usuaria elena esta entre los caracteres fu y ck
lucy@venus:~$ cat file.yo | grep "^fu.*ck$"
fu4xZ5lIKYmfPLg9tck

13. Environment variables

################
# MISSION 0x13 #
################

## EN ##
The user alice has her password is in an environment variable. 

## ES ##
La password de alice esta en una variable de entorno.

Any of env, export or printenv lists the environment variables:

elena@venus:~$ export
declare -x HOME="/pwned/elena"
declare -x LOGNAME="elena"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.swp=00;90:*.tmp=00;90:*.dpkg-dist=00;90:*.dpkg-old=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:"
declare -x MAIL="/var/mail/elena"
declare -x OLDPWD="/pwned/lucy"
declare -x PASS="Cgecy2MY2MWbaqt"
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
declare -x PWD="/pwned/elena"
declare -x SHELL="/bin/bash"
declare -x SHLVL="2"
declare -x TERM="xterm-256color"
declare -x USER="elena"

14. Search the passwd file

################
# MISSION 0x14 #
################

## EN ##
The admin has left the password of the user anna as a comment in the file passwd. 

## ES ##
El admin ha dejado la password de anna como comentario en el fichero passwd.
alice@venus:~$ cat /etc/passwd | grep "alice"
alice:x:1014:1014:w8NvY27qkpdePox:/pwned/alice:/bin/bash

15. sudo permission issue

################
# MISSION 0x15 #
################

## EN ##
Maybe sudo can help you to be natalia.

## ES ##
Puede que sudo te ayude para ser natalia.
anna@venus:~$ sudo -l
Matching Defaults entries for anna on venus:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User anna may run the following commands on venus:
    (natalia) NOPASSWD: /bin/bash
anna@venus:~$ sudo -u natalia -i
-i gives an interactive shell (sudo starts natalia's login shell)
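
Added example (not part of the original post), from the defender's side: a rule like the one above hands anna a full shell as natalia without a password. The function below scans `sudo -l` output for such grants; the sample input is constructed from the listing above plus two hypothetical rules, and the list of shell names is an assumption.

```bash
#!/usr/bin/env bash
# Added example: flag sudo rules that grant a shell or ALL commands.

# flag_shell_grants: reads `sudo -l` output on stdin and prints
# "<runas> <NOPASSWD|PASSWD> <command>" for every risky entry.
flag_shell_grants() {
    awk '
    /may run the following commands/ { rules = 1; next }
    rules && /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)             # drop indent and "("
        runas = line; sub(/\).*/, "", runas)   # text before ")"
        sub(/^[^)]*\)[ \t]*/, "", line)        # rest: tags + commands
        auth = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/[A-Z_]+:[ \t]*/, "", line)       # strip tags such as NOPASSWD:
        n = split(line, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], words, " ")
            bin = words[1]
            # Assumed shell list; extend it for interpreters your site cares about.
            if (bin == "ALL" || bin ~ /\/(sh|bash|dash|zsh|ksh|csh|tcsh|fish)$/)
                print runas, auth, bin
        }
    }'
}

# Constructed input: the rule from the listing above plus two hypothetical rules.
sample_sudo_l() {
    cat <<'EOF'
User anna may run the following commands on venus:
    (natalia) NOPASSWD: /bin/bash
    (root) /usr/sbin/service nginx reload
    (root) ALL
EOF
}

sample_sudo_l | flag_shell_grants
```

On a real host, feed it `sudo -l -U <user>` output (run as root) for each account you want to review.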

16. base64 decoding

################
# MISSION 0x16 #
################

## EN ##
The password of user eva is encoded in the base64.txt file

## ES ##
El password de eva esta encodeado en el fichero base64.txt
natalia@venus:~$ base64 -d base64.txt 
upsCA3UFu10fDAO

17. Find a file by modification date

################
# MISSION 0x17 #
################

## EN ##
The password of the clara user is found in a file modified on May 1, 1968. 

## ES ##
La password de la usuaria clara se encuentra en un fichero modificado el 01 de Mayo de 1968.
-mtime <n>: match files or directories by when they were last modified, counted in units of 24 hours;
May 1, 1968 works out to more than 19000 days ago
eva@venus:~$ find / -mtime +19000 2>/dev/null
/usr/lib/cmdo
eva@venus:~$ cat /usr/lib/cmdo
39YziWp5gSvgQN9
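
Added example (not from the original post): instead of estimating the age in days for -mtime, GNU find can bracket the exact calendar day with -newermt. GNU find, date and touch are assumed; the sandbox directory and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: select files by exact modification day (GNU find/date/touch).

# age_in_days YYYY-MM-DD -> whole days between that date and now (the -mtime unit)
age_in_days() {
    echo $(( ( $(date +%s) - $(date -d "$1" +%s) ) / 86400 ))
}

# find_modified_on DIR YYYY-MM-DD -> regular files whose mtime falls on that day
find_modified_on() {
    local dir=$1 day=$2 prev
    prev=$(date -d "$day -1 day" +%F)
    # -newermt is a strict "later than" test, so the window is
    # (previous day 23:59:59, requested day 23:59:59], which includes midnight.
    find "$dir" -type f -newermt "$prev 23:59:59" ! -newermt "$day 23:59:59" 2>/dev/null
}

# demo_mtime -> builds a constructed sandbox and prints the matching file names
demo_mtime() {
    local box
    box=$(mktemp -d) || return 1
    touch -d '1968-04-30 22:00:00' "$box/day_before"
    touch -d '1968-05-01 00:00:00' "$box/target"      # exactly midnight
    touch -d '1968-05-02 10:00:00' "$box/day_after"
    touch "$box/recent"
    find_modified_on "$box" 1968-05-01 | sed 's|.*/||'
    rm -rf "$box"
}

demo_mtime
echo "age of 1968-05-01 in days: $(age_in_days 1968-05-01)"
```

Unlike `-mtime +19000`, which matches everything older than that many days, the bracketed form returns only files from the one day in question.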

18. Cracking a zip password

################
# MISSION 0x18 #
################

## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you) 

## ES ##
La password de frida esta en el zip protegido con password.(rockyou.txt puede ayudarte)
Save the archive locally
echo "UEsDBAoACQAAAIMzhVhzdJ8jHAAAABAAAAAZABwAcHduZWQvY2xhcmEvcHJvdGVjdGVkLnR4dFVU
CQAD9pkPZvaZD2Z1eAsAAQQAAAAABAAAAACc/uQ52ED8vSTlcON+hM2vBK6cXas6YlcIf/9rUEsH
CHN0nyMcAAAAEAAAAFBLAQIeAwoACQAAAIMzhVhzdJ8jHAAAABAAAAAZABgAAAAAAAEAAACkgQAA
AABwd25lZC9jbGFyYS9wcm90ZWN0ZWQudHh0VVQFAAP2mQ9mdXgLAAEEAAAAAAQAAAAAUEsFBgAA
AAABAAEAXwAAAH8AAAAAAA==" | base64 -d > base.zip
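Common options

-b or --brute-force: use the brute-force algorithm.

-D or --dictionary: use a dictionary file for cracking.

-c or --charset: specify the character set used for cracking, e.g. -c 'aA1!'.

-l or --length: specify the password length range, e.g. -l 1-10.

-u or --use-unzip: use the unzip command to verify that the password is correct.

Example

Brute force with a given character set and password length:

fcrackzip -b -c 'aA1' -l 1-10 -u myzipfile.zip
Cracking with a dictionary file:

fcrackzip -D -p mydictionary.txt -u myzipfile.zip
Here -D selects dictionary mode and -p is followed by the path to the dictionary file.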
┌──(root㉿kali)-[~]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u base.zip


PASSWORD FOUND!!!!: pw == pass123

Unzip to get the password
Ed4ErEUJEaMcXli

19. Find the repeated string

################
# MISSION 0x19 #
################

## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt. 

## ES ##
La password de eliza es el unico string que se repite (sin estar ordenado) en repeated.txt.
frida@venus:~$ uniq -d repeated.txt
Fg6b6aoksceQqB9
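// -d prints only duplicated lines; uniq compares adjacent lines only, so unsorted input should be sorted first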
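
Added example (not from the original post): uniq -d compares only neighbouring lines, so it reports the repeated string only when the two copies happen to be adjacent. The sample data is constructed; the functions show the sort-based form, an order-preserving awk form, and a variant that reports where the copies sit.

```bash
#!/usr/bin/env bash
# Added example: finding the repeated line in unsorted input.

# Constructed sample: "k3y" appears twice, but not on neighbouring lines.
sample() { printf '%s\n' alpha k3y bravo charlie k3y delta; }

# Plain uniq -d: only reports a line that equals the one directly before it.
dups_adjacent() { uniq -d; }

# Sort first so equal lines become neighbours, then uniq -d sees them.
dups_sorted() { LC_ALL=C sort | uniq -d; }

# awk keeps a per-line counter and prints a line the second time it is seen;
# no sort is needed and the input order is preserved.
dups_awk() { awk 'seen[$0]++ == 1'; }

# Report each repeated line together with the line numbers of all its copies.
dup_positions() {
    awk '{ pos[$0] = pos[$0] " " NR; n[$0]++ }
         END { for (l in n) if (n[l] > 1) print l ":" pos[l] }'
}

echo "uniq -d        : [$(sample | dups_adjacent)]"
echo "sort | uniq -d : [$(sample | dups_sorted)]"
echo "awk            : [$(sample | dups_awk)]"
echo "positions      : [$(sample | dup_positions)]"
```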

20. SSH key login

################
# MISSION 0x20 #
################

## EN ##
The user iris has left me her key.

## ES ##
La usuaria iris me ha dejado su key.
eliza@venus:~$ ssh -i .iris_key iris@localhost
posted @ 2025-04-14 02:14  yk1ng