cat mission.txt # The password of the user emma is in line 4069 of the file findme.txt vim findme.txt # 输入 :4069 回车, 找到密码 :set number 可以显示行号 # 或者 `sed -n 4069p findme.txt` fI----8O su - emma
MISSION 0x04
1 2 3 4 5
cat mission.txt # User mia has left her password in the file -. cat ./- iK----os su - mia
MISSION 0x05
1 2 3 4 5 6 7 8 9 10 11 12 13 14
cat mission.txt # It seems that the user camila has left her password inside a folder called hereiam
find / -type d -name "hereiam" 2>/dev/null /opt/hereiam
cat mission.txt # The user luna has left her password in a file inside the muack folder. find / -type d -name "muack" 2>/dev/null /pwned/camila/muack
ls -al /pwned/camila/muack # 打开有很多文件夹,用find找到文件 find /pwned/camila/muack -type f 2>/dev/null /pwned/camila/muack/111/111/muack
cat /pwned/camila/muack/111/111/muack j3----Mc
su - luna
MISSION 0x07
1 2 3 4 5 6 7 8
cat mission.txt # The user eleanor has left her password in a file that occupies 6969 bytes. find / -type f -size 6969c 2>/dev/null /usr/share/moon.txt
cat /usr/share/moon.txt UN----7b su - eleanor
MISSION 0x08
1 2 3 4 5 6 7 8
cat mission.txt # The user victoria has left her password in a file in which the owner is the user violin. find / -type f -user violin 2>/dev/null /usr/local/games/yo
cat /usr/local/games/yo pz----Sj su - victoria
MISSION 0x09
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
cat mission.txt # The user isla has left her password in a zip file. # 本目录下有一个 passw0rd.zip unzip passw0rd.zip # 直接解压没有写入权限,本以为可以去 /var/tmp 下搞,不过里面已经有别人留下的了 里面太乱了,可以提前看下文件解压后的内容 unzip -l passw0rd.zip # 解压到 /var/tmp unzip passw0rd.zip -d /var/tmp # 发现没有权限创建文件夹,scp 搞下来: scp -P 5000 [email protected]:/pwned/victoria/passw0rd.zip . # 再本地解压 unzip passw0rd.zip cat pwned/victoria/passw0rd.txt D3----Bb su - isla
MISSION 0x10
1 2 3 4 5 6 7
cat mission.txt # The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). # 目录下有一个文件 passy,用正则找到 'a9HFX' 开头的这一行 grep -n '^a9HFX' passy # 708:a9HFXWK----Ac
su - violet
MISSION 0x11
1 2 3 4 5 6 7
cat mission.txt # The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password)
grep -n '0JuAZ$' end 505:OC----ud0JuAZ
su - lucy
MISSION 0x12
1 2 3 4 5 6 7 8
cat mission.txt # The password of the user elena is between the characters fu and ck # 这次我们换一个方法,用vim 打开文件,然后搜索 vim end # 输入 /fu(?{1-})ck 回车 fu4x----9tck
su - elena
MISSION 0x13
1 2 3 4 5 6 7 8 9
cat mission.txt # The user alice has her password is in an environment variable. env # 看到 PASS=Cg----qt
su - alice
MISSION 0x14
1 2 3 4 5 6
cat mission.txt # The admin has left the password of the user anna as a comment in the file passwd. cat /etc/passwd # 找到 anna 的密码在: # alice:x:1014:1014:w8----ox:/pwned/alice:/bin/bash su - anna
MISSION 0x15
1 2 3 4 5 6
cat mission.txt # Maybe sudo can help you to be natalia. sudo -l # (natalia) NOPASSWD: /bin/bash sudo -u natalia /bin/bash cd
MISSION 0x16
1 2 3 4 5
cat mission.txt # The password of user eva is encoded in the base64.txt file cat base64.txt | base64 -d up----AO su - eva
MISSION 0x17
1 2 3 4 5 6 7 8 9
cat mission.txt # The password of the clara user is found in a file modified on May 1, 1968. find / -type f ! -newermt "1968-05-02 00:00:00" 2>/dev/null # 感觉这个方法应该可以,但是找不到文件,想起来 linux 中最早的时间是 1970-01-01,所以这个题目是故意坑你的。因为这个时间按照时间戳来算是负数,换成: find / -type f ! -newermt "1970-01-01 00:00:00" 2>/dev/null # 找到文件后 cat /usr/lib/cmdo 39----N9 su - clara
MISSION 0x18
1 2 3 4 5 6 7 8 9 10 11 12
cat mission.txt # The password of user frida is in the password-protected zip (rockyou.txt can help you) # 本目录下有一个 protected.zip,机器上权限不够,scp 搞下来 scp -P 5000 [email protected]:/pwned/clara/protected.zip . # 拿 hash zip2john protected.zip > zip.hash # 然后用 rockyou.txt 破解 john protected.hash --wordlist=/usr/share/wordlists/rockyou.txt # 拿到密码,解压 unzip protected.zip # 下一关 su - frida
MISSION 0x19
1 2 3 4 5 6
cat mission.txt # The password of eliza is the only string that is repeated (unsorted) in repeated.txt # only string 说的只有一个这样的字符串,是重复的,也就是连续重复的 grep -Pzo '(?m)(.+\n)\1' repeated.txt # 找到密码 su - eliza
MISSION 0x20
1 2 3 4 5
cat mission.txt # The user iris has left me her key. cat .iris_key # 用这个 key 登陆 ssh [email protected] -i .iris_key
MISSION 0x21
1 2 3 4 5 6 7 8 9 10 11 12
cat mission.txt # User eloise has saved her password in a particular way. # 本目录下有一个文件,eloise file eloise # eloise: ASCII text # 看起来是个 base64 编码 cat eloise | base64 -d # 看到文件头是JFIF 是个jpg文件 cat eloise | base64 -d > /var/tmp/eloise.jpg scp -P 5000 [email protected]:/var/tmp/eloise.jpg . # 打开图片,看到密码,注意这里有个坑,多看看字母、数字、大小写 su - eloise
MISSION 0x22
1 2 3 4 5 6 7 8 9
cat mission.txt # User lucia has been creative in saving her password. # 本目录下有一个文件,hi cat hi # 00000000: 7576 4d77 4644 5172 5157 504d 6547 500a # Hexdmp 一下 ,看到密码 xxd -r hi
su - lucia
MISSION 0x23
1 2 3 4 5 6 7 8 9
cat mission.txt # The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
# 本目录下有一个文件,dict.txt (里面有一个 hidden flag)
# 用dict.txt中的每一行作为参数,执行cat命令 xargs -a dict.txt -I {} cat /etc/xdg/{} 2 # 发现密码 su - isabel
MISSION 0x24
1 2 3 4 5 6
cat mission.txt # The password of the user freya is the only string that is not repeated in different.txt # 只有一个不重复的字符串 sort different.txt | uniq -u # 找到密码 su - freya
MISSION 0x25
1 2 3 4 5 6 7 8
cat mission.txt # User alexa puts her password in a .txt file in /free every minute and then deletes it. # /free 这个目录下有一个 txt 文件,马上回删掉 watch -n 1 cat /free/*.txt # 等待一分钟,看到密码,手动停掉,如果你不够快的话,可以写个循环 whiletrue; docat /free/*.txt; sleep 1;done; # 其实也不是一分钟,了解linux crontab的话,可以知道,是 0 秒的时后执行的. su - alexa
MISSION 0x26
1 2 3 4 5
cat mission.txt # The password of the user ariel is online! (HTTP) curl localhost # 找到密码 su - ariel
MISSION 0x27
1 2 3 4 5 6 7 8
cat mission.txt # Seems that ariel dont save the password for lola, but there is a temporal file. # 本目录下有一个文件,.goas.swp 这种是 vim 的临时文件 vim .goas # 会提示你是否恢复,输入 r 回车 或者 vim -r .goas # 可能还有一个提示,告诉你现在有几个人,那几个历史,选择一个,我 选的 1,root 用户的。 # 里面有一堆密码,挨个试试就行,或者 hydra 跑一下,不过按照出题一般的规律,都是中间偏下,我试了 3 个就出来了。 su - lola
MISSION 0x28
1 2 3 4 5 6 7 8 9 10 11 12
cat mission.txt # The user celeste has left a list of names of possible .html pages where to find her password. # 本目录下有一个文件,pages.txt cat pages.txt # 里面是一堆文件名,配合 xargs xargs -a pages.txt -I {} curl localhost/{} 2>/dev/null # 或者 直接去/var/www/html/下找 xargs -a pages.txt -I {} find /var/www/html/ -name "{}.html" 2>/dev/null # 找到密码 /var/www/html/cebolla.html curl localhost/cebolla.html su - celeste
MISSION 0x29
1 2 3 4 5 6 7 8 9 10 11 12
cat mission.txt # The user celeste has access to mysql but for what? mysql -u celeste -p show databases; use venus; show tables; select * from people; # 此处有一个 hidden flag # 里面有一堆用户,那下一个用户是谁呢? cat /etc/passwd # celeste的下一个用户是 nina,sql 中也有,于是 su - nina
MISSION 0x30
1 2 3 4 5 6 7 8 9 10
cat mission.txt # The user kira is hidding something in http://localhost/method.php curl localhost/method.php # I dont like this method! # 用 POST 请求 curl -X POST localhost/method.php # 还是没有,HTTP一共就没几个Method,常用的GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE,CONNECT curl -X PUT localhost/method.php # 找到密码 su - kira
MISSION 0x31
1 2 3 4 5 6 7 8
cat mission.txt # The user veronica visits a lot http://localhost/waiting.php curl localhost/waiting.php # Im waiting for the user-agent PARADISE # 用 user-agent 请求 curl -A "PARADISE" localhost/waiting.php # 找到密码 su - veronica
MISSION 0x32
1 2 3 4 5
cat mission.txt # The user veronica uses a lot the password from lana, so she created an alias alias # 找到密码 su - lana
MISSION 0x33
1 2 3 4 5 6 7 8 9 10
cat mission.txt # The user noa loves to compress her things. # 本目录下有一个文件,zip.gz # 先scp scp -P 5000 [email protected]:/pwned/lana/zip.gz . # 然后解压 tar -zxvf zip.gz cat pwned/lana/zip # 找到密码 su - noa
MISSION 0x34
1 2 3 4 5 6 7 8 9 10
cat mission.txt # The password of maia is surrounded by trash # 本目录下有一个文件,trash file trash # trash: OpenPGP Secret Key # 看起来是个 gpg 文件,去折腾了一会 OpenPGP Secret Key,直接 vim,在众多乱码中找到密码,才悟到这个题目的意思。 surrounded by trash
# 后来看到大傻子的 wp,发现这个文件是个二进制文件,用 strings 命令就可以看到密码了。 strings trash su - maia
MISSION 0x35
1 2 3 4 5 6 7 8 9 10 11 12 13
cat mission.txt # The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters.
cat mission.txt # User alora likes drawings, that's why she saved her password as ... file image # image: ASCII text # 嗯?文本? cat image # 是个二维码,用手机扫一下,得到密码
MISSION 0x37
1 2 3 4 5 6 7 8 9 10
cat mission.txt # The user julie has created an iso with her password. # 本目录下有一个文件,iso file music.iso # music.iso: ISO 9660 CD-ROM filesystem data 'CDROM' # 既然有密码,那么 strings music.iso # 找到密码
su - julie
MISSION 0x38
1 2 3 4 5 6
cat mission.txt # The user irene believes that the beauty is in the difference. # 本目录下有1.txt 2.txt diff 1.txt 2.txt # 找到密码 su - irene
MISSION 0x39
1 2 3 4 5 6 7 8 9 10 11
cat mission.txt # The user adela has lent her password to irene. -rw-r----- 1 root irene 1704 Jul 26 2023 id_rsa.pem -rw-r----- 1 root irene 451 Jul 26 2023 id_rsa.pub -rw-r----- 1 root irene 178 Jul 26 2023 mission.txt -rw-r----- 1 root irene 256 Jul 26 2023 pass.enc
cat mission.txt # User sky has saved her password to something that can be listened to. # 本目录下有一个文件,wtf cat wtf # .--. .- .--. .- .--. .- .-. .- -.. .. ... . # 用摩斯密码解密,找到密码,注意密码小写 su - sky
MISSION 0x41
1 2 3 4 5 6 7 8
# User sarah uses header in http://localhost/key.php # 这里输入 history 有一个 hidden flag (有一个 .bash_history 文件) curl -H "key" localhost/key.php # Key header is true? 看来是要用 key:true curl -H "key: true" localhost/key.php
# 找到密码 su - sarah
MISSION 0x42
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
cat mission.txt # The password of mercy is hidden in this directory. # 本目录下有一个文件, 我找了很久才发现 drwxr-x--- 2 root sarah 4096 Jul 26 2023 . drwxr-xr-x 1 root root 4096 Jul 26 2023 .. -rw-r----- 1 root sarah 16 Jul 26 2023 ... -rw-r--r-- 1 sarah sarah 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 sarah sarah 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 sarah sarah 807 Apr 23 2023 .profile -rw-r----- 1 root sarah 31 Jul 26 2023 flagz.txt -rw-r----- 1 root sarah 175 Jul 26 2023 mission.txt
cat ... # 找到密码 su - mercy
MISSION 0x43
1 2 3 4 5 6
cat mission.txt # User mercy is always wrong with the password of paula. # 既然经常错,那么 history # 找到密码 su - paula
MISSION 0x44
1 2 3 4 5 6 7 8 9 10 11
cat mission.txt # The user karla trusts me, she is part of my group of friends. # 我的组里? 看下: groups # paula hidden # 我有一个 hidden 的组,那么,看下 组hidden都有那些文件 find / -group hidden 2>/dev/null # /usr/src/.karl-a cat /usr/src/.karl-a # 找到密码 su - karla
MISSION 0x45
1 2 3 4 5 6 7 8 9 10
cat mission.txt # User denise has saved her password in the image. # 本目录下有一个文件,yuju.jpg file yuju.jpg # yuju.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 442x463, components 3
cat mission.txt # The user zora is screaming doas! # 用 doas 命令 doas -u zora /bin/bash cd
MISSION 0x47
1 2 3 4 5 6
cat mission.txt # The user belen has left her password in venus.hmv # 没有其他提示了。直接 curl 一下? curl venus.hmv # 找到密码 su - belen
MISSION 0x48
1 2 3 4 5 6 7 8 9
cat mission.txt # It seems that belen has stolen the password of the user leona... # 本目录下有一个文件,stolen.txt cat stolen.txt # $1$leona$lhWp56YnWAMz6z32Bw53L0 # 这是个 hash,用 john 破解 john stolen.txt --wordlist=/usr/share/wordlists/rockyou.txt # 找到密码 su - leona
MISSION 0x49
1 2 3 4 5 6 7 8 9
cat mission.txt # User ava plays a lot with the DNS of venus.hmv lately... # dns ? cat /etc/resolv.conf # 看到 nameserver 127.0.0.11 # 查看所有 dns 配置 cat /etc/bind/* # 找到密码 su - ava
MISSION 0x50
1 2 3 4
cat mission.txt # The password of maria is somewhere... # 最后一关,果然没有提示了. 最后看了别人的 WP 才知道,密码竟然是那个摩斯密码。。。 su - maria
