HackMyVm-venus(21-30)
0x21 base64转图片
################
# MISSION 0x21 #
################
## EN ##
User eloise has saved her password in a particular way.
iris@venus:~$ cat eloise
得到内容,找个在线网站转成图片
密码yOUJlV0SHOnbSPm
0x22 十六进制转文本
################
# MISSION 0x22 #
################
## EN ##
User lucia has been creative in saving her password.
eloise@venus:~$ xxd -r hi
uvMwFDQrQWPMeGP
利用xxd命令转换成文本,或者找在线网站解
0x23 利用字典爆破可访问的文件
################
# MISSION 0x23 #
################
## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
while IFS= read -r line; do readlink -e /etc/xdg/$line ; done < dict.txt 2>/dev/null
lucia@venus:~$ cat /etc/xdg/readme
H5ol8Z2mrRsorC0
0x24 查找唯一不重复的行
################
# MISSION 0x24 #
################
## EN ##
The password of the user freya is the only string that is not repeated in different.txt
-u或——unique:仅显示出一次的行列;
isabel@venus:~$ sort different.txt | uniq -u
EEDyYFDwYsmYawj
isabel@venus:~$ uniq -u different.txt
EEDyYFDwYsmYawj
0x25 查找被持续删除的文件
################
# MISSION 0x25 #
################
## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it.
false; while [ $? -ne 0 ];do cat /free/*.txt ;done 2>/dev/null
当上次命令执行成功时,停止循环
freya@venus:~$ false; while [ $? -ne 0 ];do cat /free/*.txt ;done 2>/dev/null
mxq9O3MSxxX9Q3S
0x26 curl访问网页
################
# MISSION 0x26 #
################
## EN ##
The password of the user ariel is online! (HTTP)
alexa@venus:~$ curl 127.0.0.1
33EtHoz9a0w2Yqo
0x27 ssh爆破
################
# MISSION 0x27 #
################
## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.
ariel@venus:~$ vim -r .goas.swp
ariel@venus:~$ ls -a
. .. .bash_logout .bashrc .goas.swp .profile flagz.txt mission.txt
ariel@venus:~$ su - lola
得到密码
ppkJjqYvSCIyAhK
cOXlRYXtJWnVQEG
xhKeFKveeKqpwp
RGBEMbZHZRgXZnu
IaOpTdAuhSjGZnu
NdnszvjulNellbK
GBUguuSpXVjpxLc
rSkPlPhymYcerMJ
PEOppdOkSqJZweH
EKvJoTBYlwtwFmv
d3LieOzRGX5wud6
mYhQVLDKdJrsIwG
DabEJLmAbOQxEnD
LkWReDaaLCMDlLf
cbjYGSvqAsqIvdg
QsymOOVbzSaKmRm
bnQgcXYamhSDSff
VVjqJGRrnfKmcgD
用hydra进行爆破
hydra -l lola -P passwd.txt ssh://venus.hackmyvm.eu:5000
[5000][ssh] host: venus.hackmyvm.eu login: lola password: d3LieOzRGX5wud6
0x28 目录爆破
################
# MISSION 0x28 #
################
## EN ##
The user celeste has left a list of names of possible .html pages where to find her password.
ssh -L 8877:127.0.0.1:80 [email protected] -p 5000
搭建ssh隧道
gobuster dir -w pages.txt -u http://127.0.0.1:8877 -x html
利用pages.txt进行爆破目录
/cebolla.html (Status: 200) [Size: 16]
Progress: 270 / 272 (99.26%)
curl 127.0.0.1/cebolla.html
VLSNMTKwSV2o8Tn
0x29 利用mysql数据登录
################
# MISSION 0x29 #
################
## EN ##
The user celeste has access to mysql but for what?
登录mysql
mysql -uceleste -p
use venus;
select * from people;
得到用户名密码
将用户名和passwd文件里的进行对比,发现只有一个用户是共有的
| 74 | nina | ixpeqdWuvC5N9kG |
将用户名提取出来
cat userpass.txt | awk -F'[| ]+' '{print $3}'
将密码提取出来
cat userpass.txt | awk -F'[| ]+' '{print $4}'
进行对比,对比前先进行排序
comm vmuser.txt user.txt
0x30 put访问
################
# MISSION 0x30 #
################
## EN ##
The user kira is hidding something in http://localhost/method.php
nina@venus:~$ curl -XPUT http://localhost/method.php
tPlqxSKuT4eP3yr
标签:################,EN,vens,##,30,MISSION,HackMyVm,venus,txt
From: https://www.cnblogs.com/C0rr3ct/p/18037655