The venus target machine is suitable for people who have just started playing CTF and want to practise Linux skills.
Target address: https://hackmyvm.eu/venus/
A total of 50 missions are given; submitting all 50 flags counts as completing the box.
(The current leader has submitted 58 flags.)
Target machine introduction:
venus missions 21-30
- mission 21
- mission 22
- mission 23
- mission 24
- mission 25
- mission 26
- mission 27
- mission 28
- mission 29
- mission 30
Continuing from mission 20 in the previous post.
mission 21
~$ ls
eloise  flagz.txt  irispass.txt  mission.txt
~$ cat mission.txt
#################
# MISSION 0x21 #
#################
## EN ##
User eloise has saved her password in a particular way.
##ES##
La usuaria eloise ha guardado su password de una forma particular.
Download the file eloise to the local machine:
scp -P 5000 [email protected]:~/eloise .
Base64-decoding it and checking the file type shows that it is a JPEG:
base64 -d eloise | file -
/dev/stdin: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 394x102, components 3
Decode it to an image file:
base64 -d eloise > test.jpg
mission 22
~$ ls
flagz.txt  hi  mission.txt
~$ cat mission.txt
#################
# MISSION 0x22 #
#################
## EN ##
User lucia has been creative in saving her password.
##ES##
La usuaria lucia ha sido creativa en la forma de guardar su password.
The file hi stores the password as a hex dump of binary data; reverse the dump with xxd -r:
eloise@venus:~$ xxd -r hi
mission 23
~$ ls
dict.txt  flagz.txt  mission.txt
~$ cat mission.txt
#################
# MISSION 0x23 #
#################
## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
##ES##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.
User lucia cannot browse the directory under /etc directly, so use the given dict.txt as a wordlist and test each candidate file name with a bash loop:
while IFS= read -r line; do readlink -e "/etc/xdg/$line"; done < dict.txt 2>/dev/null
or, combined with cat, to print the contents of whichever file exists:
while IFS= read -r line; do cat "/etc/xdg/$line"; done < dict.txt 2>/dev/null
IFS= clears the internal field separator so that each line is read verbatim (leading and trailing whitespace kept), read -r stops backslashes from being interpreted, and the while loop body runs once for every line of dict.txt.
mission 24
~$ ls
different.txt  flagz.txt  mission.txt
~$ cat mission.txt
#################
# MISSION 0x24 #
#################
## EN ##
The password of the user freya is the only string that is not repeated in different.txt
##ES##
La password de la usuaria freya es el unico string que no se repite en different.txt
Find the line that is not repeated:
sort different.txt | uniq -u
Sort first, then print only the lines that have no duplicate (uniq -u only detects adjacent duplicates, which is why the sort is needed).
Or use awk:
awk 'NR==FNR{a[$0]++;next} a[$0]==1' different.txt different.txt
The file is passed twice. NR is the line number across all input and FNR the line number within the current file, so NR==FNR holds only while the first copy of different.txt is being read: for each line, a[$0]++ counts how often that line has been seen, using the line text as the key of the array a, and next moves on to the next line without running the second rule. On the second pass, a[$0]==1 selects the lines that were seen exactly once and awk prints them. Changing a[$0]==1 to a[$0]==2 prints only the lines that occur exactly twice.
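As an added example (not code from the writeup), the two-pass awk above generalised to any occurrence count, next to the sort | uniq -u form and the pitfall of running uniq -u on unsorted input; the sample file contents and the function names are constructed for this demonstration:

```shell
#!/bin/sh
# Added example (not from the writeup): find lines by occurrence count.
# make_sample writes a constructed file in which only "delta" appears once.
make_sample() {
  f=$(mktemp)
  printf '%s\n' alpha beta gamma beta alpha delta gamma > "$f"
  echo "$f"
}

# The writeup's two-pass awk, generalised: print lines occurring exactly
# $2 times (default 1), in order of first appearance. The file is read twice:
# pass 1 (NR==FNR) counts, pass 2 filters; done[] suppresses repeats when $2>1.
lines_with_count() {
  awk -v want="${2:-1}" '
    NR == FNR { seen[$0]++; next }
    seen[$0] == want && !done[$0]++
  ' "$1" "$1"
}

# Equivalent for singletons only: uniq -u needs duplicates to be adjacent,
# so the input must be sorted first.
singletons_sorted() {
  sort "$1" | uniq -u
}

# Pitfall: without sorting, non-adjacent duplicates slip through as "unique".
singletons_unsorted() {
  uniq -u "$1"
}

# Usage (as with the mission file):
#   f=$(make_sample); lines_with_count "$f"   # prints: delta
```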
mission 25
~$ cat mission.txt
#################
# MISSION 0x25 #
#################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.
##ES##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.
The password is in a .txt file in the /free folder, which is created and deleted over and over, so a bash loop is used here as well to catch it:
false; while [ $? -ne 0 ]; do cat /free/*.txt; done 2>/dev/null
The spaces inside the [ ] are required. How the loop works: false sets the exit status to 1, so the first test of while [ $? -ne 0 ] succeeds and the loop starts. On every later iteration $? is the exit status of the last command in the loop body, the cat: while no .txt file exists cat fails with a non-zero status and the loop continues; as soon as a file appears cat prints it and exits 0, which ends the loop. The 2>/dev/null on the loop hides the "No such file" errors while waiting.
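An added example, not part of the writeup: the same polling idea written as an until loop with a bounded number of attempts and an explicit interval, so it cannot spin forever if no file ever appears; the function name and its arguments are assumed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the writeup): poll a directory for a short-lived
# *.txt file, as in mission 25, but with a bounded number of attempts and an
# explicit interval instead of relying on $? from a leading "false".
# Args: directory, max attempts (default 60), seconds between attempts (default 1).
# Prints the file content and returns 0 when a file was read, 1 on give-up.
grab_transient() {
  dir=$1; max=${2:-60}; delay=${3:-1}; n=0
  # cat fails (non-zero) while the glob matches nothing, so the loop keeps going
  until content=$(cat "$dir"/*.txt 2>/dev/null); do
    n=$((n + 1))
    if [ "$n" -ge "$max" ]; then
      return 1
    fi
    sleep "$delay"
  done
  printf '%s\n' "$content"
  return 0
}
```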
mission 26
~$ cat mission.txt
#################
# MISSION 0x26 #
#################
## EN ##
The password of the user ariel is online! (HTTP)
##ES##
El password de la usuaria ariel esta online! (HTTP)
Fetch the local web page:
curl http://localhost
mission 27
~$ ls -a
.  ..  .bash_logout  .bashrc  .goas.swp  .profile  flagz.txt  mission.txt
~$ cat mission.txt
#################
# MISSION 0x27 #
#################
## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.
##ES##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!
.goas.swp is a vim swap (temporary) file; recover it with:
vim -r .goas.swp
After it opens, press Ctrl-V to enter visual block mode, select the extra columns and press d to delete them, so that what remains is a password dictionary. Save it under a new name and exit:
:w /tmp/dict.txt
:q!
Download it to the local machine and brute-force with hydra:
scp -P 5000 [email protected]:/tmp/dict.txt .
hydra -l lola -P dict.txt ssh://venus.hackmyvm.eu:5000
A bash loop can also be used directly on the box:
while IFS= read -r line; do echo "$line" | timeout 2 su lola 2>/dev/null; if [ $? -eq 0 ]; then echo "$line"; break; fi; done < /tmp/dict.txt
This reads /tmp/dict.txt line by line and tries each line as the password for su lola until a login succeeds or the whole list has been tried. timeout 2 gives each su attempt two seconds; su returns status 0 if the login succeeded and non-zero otherwise. if [ $? -eq 0 ]; then echo "$line"; break; fi checks that exit status and, on success, prints the password that worked and leaves the loop.
mission 28
~$ ls
flagz.txt  mission.txt  pages.txt
~$ cat mission.txt
#################
# MISSION 0x28 #
#################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.
##ES##
La usuaria celeste ha dejado un listado de nombres de possibles paginas .html donde encontrar su password.
Search the web root directly:
find /var/www -name '*.html' 2>/dev/null
then fetch the page with curl as before.
Alternatively, download the given pages.txt to the local machine, build an SSH tunnel to the target's web server and brute-force the page names with gobuster:
ssh -L 2333:127.0.0.1:80 [email protected] -p 5000
gobuster dir -w pages.txt -u http://127.0.0.1:2333 -x html
mission 29
~$ cat mission.txt
#################
# MISSION 0x29 #
#################
## EN ##
The user celeste has access to mysql but for what?
##ES##
La usuaria celeste tiene acceso al mysql, pero para que?
The hint says the current user can use mysql:
mysql -uceleste -p
show databases;
use venus;
show tables;
select * from people;
This returns a table of id_people, uzer and pazz values in this format:
| 1 | nuna | ixpfdsvcxeqdW |
| 2 | nona | ixpvcxvcxeqdW |
Build a dictionary from it: copy the rows into venus.txt. Because each user corresponds to one password, hydra's -C option is used, whose default separator between user and password is a colon. Convert the rows into that format with sed:
sed -i 's/.*|\s*\([^ ]*\)\s*|\s*\([^ ]*\)\s*|.*/\1:\2/' venus.txt
This gives the following format:
nuna:ixpfdsvcxeqdW
nona:ixpvcxvcxeqdW
Then brute-force SSH:
hydra -C venus.txt ssh://venus.hackmyvm.eu:5000
mission 30
~$ cat mission.txt
#################
# MISSION 0x30 #
#################
## EN ##
The user kira is hiding something in http://localhost/method.php
##ES##
La usuaria kira esconde algo en http://localhost/method.php
~$ curl localhost/method.php
I don't like this method!
The page rejects the default GET, so try another HTTP method:
~$ curl -XPUT http://localhost/method.php