Tiger King CTF Writeup

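This competition was held from 2020/5/2 0:15 (JST) to 2020/5/2 7:45 (JST).
I took part with a team again this time. We scored 430 points and placed 280th out of 614 teams.
Below I write up the challenges I solved myself.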

Level 1 (Trainer 10)

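A challenge where you connect over ssh and obtain the password for the next level. There are 22 of these. In the first one, there is a level1_password file in the home directory, so view the contents of that file.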

$ ssh level0@trainer.threatsims.com
The authenticity of host 'trainer.threatsims.com (167.71.187.239)' can't be established.
ECDSA key fingerprint is SHA256:ZODPF0IyXK6JShqdwNxTiOZeuNfS2f7qh6N7cnMXKjA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'trainer.threatsims.com,167.71.187.239' (ECDSA) to the list of known hosts.
level0@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 16:56:37 2020 from 93.43.178.155

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 0

The password for the next level is in this user's home directory

level0@trainer:~$ ls -la
total 60
drwxr-x---  6 level0 level0 4096 May  1 16:50 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level0 level0  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level0 level0 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level0 level0    0 May  1 15:27 .cloud-locale-test.skip
drwx------  3 level0 level0 4096 May  1 16:50 .config
drwx------  3 level0 level0 4096 May  1 12:51 .gnupg
-r--r-----  1 level0 level0  303 Jan 11 11:17 helpme
-rw-r-----  1 level1 level0   34 Nov 29 18:07 level1_password
drwxr-xr-x  3 level0 level0 4096 Mar  6 15:23 .local
-rw-r--r--  1 level0 level0  807 Apr 18  2019 .profile
drwx------  2 level0 level0 4096 Apr 30 20:51 .ssh
-rw-------  1 level0 level0 8431 May  1 16:05 .viminfo
-r--r-----  1 level0 level0   86 Mar 24 13:26 welcome_message
level0@trainer:~$ cat level1_password 
4202c26842398c1d0772ed9eed195113
4202c26842398c1d0772ed9eed195113

Level 2 (Trainer 10)

There is a level2_password file in a subdirectory of the home directory, so view the contents of that file.

$ ssh level1@trainer.threatsims.com
level1@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:05:10 2020 from 62.107.29.101

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 1

The password for the next level is in this user's home directory, but you may have to dig a bit.

level1@trainer:~$ ls -la
total 52
drwxr-x---  5 level1 level1 4096 May  1 16:51 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level1 level1  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level1 level1 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level1 level1    0 May  1 15:30 .cloud-locale-test.skip
drwx------  3 level1 level1 4096 May  1 15:19 .gnupg
-r--r-----  1 level1 level1  373 Mar 24 13:26 helpme
drwxr-xr-x  3 level1 level1 4096 May  1 15:39 .local
-rw-r--r--  1 level1 level1  807 Apr 18  2019 .profile
drwx------  2 level1 level1 4096 Nov 29 18:07 some_directory
-rw-r--r--  1 level1 level1   34 Mar  6 15:26 test
-rw-------  1 level1 level1 6251 May  1 16:20 .viminfo
-r--r-----  1 level1 level1  118 Mar 24 13:26 welcome_message
level1@trainer:~$ cd some_directory/
level1@trainer:~/some_directory$ ls
level2_password
level1@trainer:~/some_directory$ cat level2_password
943430e07fd566bc96aa05fca3c96e48
943430e07fd566bc96aa05fca3c96e48

Level 3 (Trainer 10)

Digging down through several levels of subdirectories under the home directory leads to a level3_password file, so view the contents of that file.

$ ssh level2@trainer.threatsims.com
level2@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:08:43 2020 from 198.29.34.246

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 2

The password for the next level is in this user's home directory, but you have to dig even deeper.

level2@trainer:~$ ls -la
total 44
drwxr-x---  5 level2 level2 4096 May  1 15:31 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level2 level2  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level2 level2 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level2 level2    0 May  1 15:31 .cloud-locale-test.skip
drwx------  3 level2 level2 4096 Nov 29 18:07 dir
drwx------  3 level2 level2 4096 May  1 15:20 .gnupg
-r--r-----  1 level2 level2  843 Mar 24 13:26 helpme
drwxr-xr-x  3 level2 level2 4096 Mar  6 15:49 .local
-rw-r--r--  1 level2 level2  807 Apr 18  2019 .profile
-rw-------  1 level2 level2 1283 Mar  7 18:42 .viminfo
-r--r-----  1 level2 level2  120 Mar 24 13:26 welcome_message
level2@trainer:~$ cd dir
level2@trainer:~/dir$ ls
another_dir
level2@trainer:~/dir$ cd another_dir/
level2@trainer:~/dir/another_dir$ ls
another_another_dir
level2@trainer:~/dir/another_dir$ cd another_another_dir/
level2@trainer:~/dir/another_dir/another_another_dir$ ls
some_directory
level2@trainer:~/dir/another_dir/another_another_dir$ cd some_directory/
level2@trainer:~/dir/another_dir/another_another_dir/some_directory$ ls
level3_password
level2@trainer:~/dir/another_dir/another_another_dir/some_directory$ cat level3_password 
2cadca6148093c403d82396252b8c4db
2cadca6148093c403d82396252b8c4db

Level 4 (Trainer 10)

The home directory contains a hidden file, .level4_password, so view the contents of that file.

$ ssh level3@trainer.threatsims.com
level3@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:18:59 2020 from 162.237.23.64

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 3

The password for the next level is in this user's home directory, but you might not see it at first.

type: man ls    read about files that start with a dot (.)

level3@trainer:~$ ls -la
total 56
drwxr-x---  3 level3 level3 4096 May  1 17:03 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level3 level3  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level3 level3 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level3 level3    0 May  1 15:33 .cloud-locale-test.skip
-rwxr-xr-x  1 level3 level3 9788 May  1 17:02 dot
drwx------  3 level3 level3 4096 May  1 15:22 .gnupg
-r--r-----  1 level3 level3  355 Mar 24 13:26 helpme
-rw-------  1 level3 level3   36 May  1 17:03 .lesshst
-rw-r-----  1 level4 level3   34 Nov 29 18:07 .level4_password
-rw-r--r--  1 level3 level3  807 Apr 18  2019 .profile
-rw-------  1 level3 level3 1053 May  1 16:26 .viminfo
-r--r-----  1 level3 level3  182 Mar 24 13:26 welcome_message
level3@trainer:~$ cat .level4_password 
72f6af6b0005adb15fbc91e1b140115f
72f6af6b0005adb15fbc91e1b140115f

Level 5 (Trainer 10)

Under a hidden directory in the home directory there is a hidden file, .level5_password, so view the contents of that file.

$ ssh level4@trainer.threatsims.com
level4@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:22:20 2020 from 162.237.23.64

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 4

The password for the next level is in this user's home directory, just like the last levels you might have to dig.

type: man ls    read about files and folders that start with a dot (.)

level4@trainer:~$ ls -la
total 52
drwxr-x---  6 level4 level4 4096 May  1 15:47 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level4 level4  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level4 level4 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level4 level4    0 May  1 15:34 .cloud-locale-test.skip
drwx------  3 level4 level4 4096 Mar  6 15:36 .config
drwx------  3 level4 level4 4096 May  1 15:22 .gnupg
-r--r-----  1 level4 level4  438 Mar 24 13:26 helpme
drwx------  2 level4 level4 4096 Mar  6 16:04 .hidden_dir
-rw-------  1 level4 level4   66 May  1 15:47 .lesshst
-rw-r--r--  1 level4 level4  807 Apr 18  2019 .profile
drwxr-xr-x  2 level4 level4 4096 Mar  6 16:04 .vim
-rw-------  1 level4 level4 2125 Mar  7 18:43 .viminfo
-r--r-----  1 level4 level4  208 Mar 24 13:26 welcome_message
level4@trainer:~$ cd .hidden_dir/
level4@trainer:~/.hidden_dir$ ls -la
total 12
drwx------ 2 level4 level4 4096 Mar  6 16:04 .
drwxr-x--- 6 level4 level4 4096 May  1 15:47 ..
-rw-r----- 1 level5 level4   34 Nov 29 18:07 .level5_password
level4@trainer:~/.hidden_dir$ cat .level5_password 
7b6c2552940f47a27fbd729ae0e2893c
7b6c2552940f47a27fbd729ae0e2893c

Level 6 (Trainer 10)

There is a level6_password file in another user's (level6's) home directory, so view the contents of that file.

$ ssh level5@trainer.threatsims.com
level5@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:30:44 2020 from 176.18.84.206

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 5

For this level the password is in level6's home directory.  Due to a persmissions error, the level5 user can access it.  Think about the directories you have already seen and what file name patterns.

level5@trainer:~$ ls -la
total 48
drwxr-x---  5 level5 level5 4096 May  1 16:57 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level5 level5  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level5 level5 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level5 level5    0 May  1 15:35 .cloud-locale-test.skip
drwx------  3 level5 level5 4096 Mar  6 15:29 .config
drwx------  3 level5 level5 4096 May  1 15:23 .gnupg
-r--r-----  1 level5 level5  354 Mar 24 13:27 helpme
-rw-------  1 level5 level5   44 Mar  6 15:41 .lesshst
drwxr-xr-x  3 level5 level5 4096 Dec 30 12:30 .local
-rwxr-xr-x  1 level5 level5  807 Apr 18  2019 .profile
-rw-------  1 level5 level5 2541 May  1 16:23 .viminfo
-r--r-----  1 level5 level5  221 Mar 24 13:27 welcome_message
level5@trainer:~$ cd ..
level5@trainer:/home$ ls -la
total 104
drwxr-xr-x 26 root    root    4096 Mar  5 10:06 .
drwxr-xr-x 18 root    root    4096 May  1 04:44 ..
drwxr-x---  6 level0  level0  4096 May  1 16:50 level0
drwxr-x---  5 level1  level1  4096 May  1 16:51 level1
drwxr-x---  5 level10 level10 4096 May  1 17:29 level10
drwxr-x---  5 level11 level11 4096 May  1 17:30 level11
drwxr-x---  5 level12 level12 4096 May  1 17:25 level12
drwxr-x---  4 level13 level12 4096 May  1 17:01 level13
drwxr-x---  3 level14 level14 4096 May  1 16:56 level14
drwxr-x---  3 level15 level15 4096 May  1 17:16 level15
drwxr-x---  3 level16 level16 4096 May  1 17:26 level16
drwxr-x---  5 level17 level17 4096 May  1 17:25 level17
drwxr-x---  3 level18 level18 4096 May  1 17:30 level18
drwxr-x---  6 level19 level19 4096 May  1 17:24 level19
drwxr-x---  5 level2  level2  4096 May  1 17:26 level2
drwxr-x---  7 level20 level20 4096 May  1 17:31 level20
drwxr-x---  7 level21 level21 4096 May  1 16:48 level21
drwxr-xr-x  4 level22 level22 4096 May  1 17:30 level22
drwxr-x---  3 level3  level3  4096 May  1 17:03 level3
drwxr-x---  6 level4  level4  4096 May  1 15:47 level4
drwxr-x---  5 level5  level5  4096 May  1 16:57 level5
drwxrwx--- 54 level6  level5  4096 May  1 17:29 level6
drwxr-x---  4 level7  level7  4096 May  1 17:15 level7
drwxr-x--- 55 level8  level8  4096 May  1 17:29 level8
drwxr-x---  4 level9  level9  4096 May  1 17:26 level9
drwxr-x---  2 trainer trainer 4096 Nov 29 18:07 trainer
level5@trainer:/home$ cd level6
level5@trainer:/home/level6$ ls
2      dir12  dir17  dir21  dir26  dir30  dir35  dir4   dir44  dir49  dir8             te
8      dir13  dir18  dir22  dir27  dir31  dir36  dir40  dir45  dir5   dir9             welcome_message
dir1   dir14  dir19  dir23  dir28  dir32  dir37  dir41  dir46  dir50  file.txt
dir10  dir15  dir2   dir24  dir29  dir33  dir38  dir42  dir47  dir6   helpme
dir11  dir16  dir20  dir25  dir3   dir34  dir39  dir43  dir48  dir7   level6_password
level5@trainer:/home/level6$ cat level6_password 
7cb1963d316b9a302cf6c204d35b7302
7cb1963d316b9a302cf6c204d35b7302
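
The misconfiguration behind this level is visible in the `ls -la /home` output: level6's home is `drwxrwx---` with group level5. The following is an added example, not part of the original writeup, of an audit an administrator could run over such a listing. It assumes user-private groups (each home's group should match its owner), and the function name and finding labels are made up for illustration.

```shell
#!/bin/sh
# Audit `ls -l /home` output for home directories that other accounts can use.
# Assumption: user-private groups, i.e. a home's group should equal its owner.

audit_home_listing() {
    # Reads `ls -l` lines on stdin, prints one finding per line:
    #   <name> GROUP_MISMATCH group=<g> perms=<rwx bits>  another group has access
    #   <name> GROUP_WRITE group=<g>                      group members can write
    #   <name> OTHER_ACCESS perms=<rwx bits>              everyone has some access
    awk '
    $1 ~ /^d/ && $NF != "." && $NF != ".." {
        mode = $1; owner = $3; group = $4; name = $NF
        gbits = substr(mode, 5, 3)   # group permission triplet
        obits = substr(mode, 8, 3)   # other permission triplet
        if (group != owner && gbits != "---")
            printf "%s GROUP_MISMATCH group=%s perms=%s\n", name, group, gbits
        if (index(gbits, "w") > 0)
            printf "%s GROUP_WRITE group=%s\n", name, group
        if (obits != "---")
            printf "%s OTHER_ACCESS perms=%s\n", name, obits
    }'
}

# Sample input: a subset of the /home listing shown above.
sample_listing() {
    cat <<'EOF'
total 104
drwxr-xr-x 26 root    root    4096 Mar  5 10:06 .
drwxr-xr-x 18 root    root    4096 May  1 04:44 ..
drwxr-x---  5 level12 level12 4096 May  1 17:25 level12
drwxr-x---  4 level13 level12 4096 May  1 17:01 level13
drwxr-xr-x  4 level22 level22 4096 May  1 17:30 level22
drwxr-x---  5 level5  level5  4096 May  1 16:57 level5
drwxrwx--- 54 level6  level5  4096 May  1 17:29 level6
EOF
}

sample_listing | audit_home_listing
```

On a live system the same function can be fed with `ls -l /home | audit_home_listing`; the fix for a flagged home is to restore its group with `chgrp` and drop the extra bits with `chmod 750`.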

Level 7 (Trainer 10)

The home directory contains many directories, so search for files with "password" in the name. This finds level7_password, so view the contents of that file.

$ ssh level6@trainer.threatsims.com
level6@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:35:41 2020 from 207.89.10.91

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 6

The password for the next level is in this user's home directory, however this time there are too many directories to manually dig through.  For this level you will need the find command and search for a file that has pass in the title.

type: man find    read searching for filenames

level6@trainer:~$ ls -la
total 1596
drwxrwx--- 54 level6 level5   4096 May  1 17:29 .
drwxr-xr-x 26 root   root     4096 Mar  5 10:06 ..
-rw-r--r--  1 level6 level6 836902 May  1 16:45 2
-rw-r--r--  1 level6 level6      0 Mar  6 16:45 8
-rw-r--r--  1 level7 level6    220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level7 level6   3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level6 level6      0 May  1 15:38 .cloud-locale-test.skip
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir1
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir10
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir11
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir12
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir13
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir14
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir15
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir16
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir17
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir18
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir19
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir2
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir20
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir21
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir22
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir23
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir24
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir25
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir26
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir27
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir28
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir29
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir3
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir30
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir31
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir32
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir33
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir34
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir35
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir36
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir37
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir38
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir39
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir4
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir40
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir41
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir42
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir43
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir44
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir45
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir46
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir47
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir48
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir49
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir5
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir50
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir6
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir7
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir8
drwxr-x--- 52 level7 level6   4096 Nov 29 18:07 dir9
-rw-r--r--  1 level6 level6  69501 Apr 30 20:35 file.txt
drwx------  3 level6 level6   4096 May  1 15:24 .gnupg
-r--r-----  1 level6 level6    507 Apr 30 20:47 helpme
-rw-------  1 level6 level6    333 May  1 16:36 .joe_state
-rw-------  1 level6 level6    134 May  1 17:14 .lesshst
-rw-rw-r--  1 level6 level5     34 Nov 29 18:07 level6_password
drwxr-xr-x  3 level6 level6   4096 Dec 30 12:33 .local
-rw-r--r--  1 level7 level6    807 Apr 18  2019 .profile
-rw-r--r--  1 level6 level6 463979 May  1 16:52 te
-rw-------  1 level6 level6   1483 May  1 17:15 .viminfo
-r--r-----  1 level6 level6    306 Mar 24 13:27 welcome_message
level6@trainer:~$ find . | grep password
./dir13/subdir40/level7_password
./level6_password
level6@trainer:~$ cat ./dir13/subdir40/level7_password
The password for level7 is:

RG8geW91IGV2ZW4gbGlmdCBicm8g

Level 8 (Trainer 10)

The home directory contains many files, but only one (level8_password68) has a different timestamp, so view the contents of that file.

$ ssh level7@trainer.threatsims.com
level7@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:40:14 2020 from 89.64.12.1

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 7


The password for the next level is in the password_directory.  For this level though, all files are exactly the same size.  You should look through each file to find the one that contains the password.

Hint: look for password

type: man find
      man grep
      man xargs

level7@trainer:~$ ls -la
total 56
drwxr-x---  4 level7 level7  4096 May  1 17:15 .
drwxr-xr-x 26 root   root    4096 Mar  5 10:06 ..
-rw-r--r--  1 level7 level7   220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level7 level7  3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level7 level7  3692 May  1 17:08 cat
-rw-r--r--  1 level7 level7     0 May  1 15:42 .cloud-locale-test.skip
drwx------  3 level7 level7  4096 May  1 08:02 .gnupg
-r--r-----  1 level7 level7  1600 Mar 24 13:27 helpme
-rw-------  1 level7 level7    46 May  1 16:28 .lesshst
drwx------  2 level7 level7  4096 May  1 17:12 password_directory
-rw-r--r--  1 level7 level7   807 Apr 18  2019 .profile
-rw-------  1 level7 level7 12171 May  1 17:15 .viminfo
-r--r-----  1 level7 level7   296 Mar 24 13:27 welcome_message
level7@trainer:~$ cd password_directory/
level7@trainer:~/password_directory$ ls -la
total 412
drwx------ 2 level7 level7 4096 May  1 17:12 .
drwxr-x--- 4 level7 level7 4096 May  1 17:15 ..
-rw-r--r-- 1 level7 level7 1800 May  1 17:12 cat.txt
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password1
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password10
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password100
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password11
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password12
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password13
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password14
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password15
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password16
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password17
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password18
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password19
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password2
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password20
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password21
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password22
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password23
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password24
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password25
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password26
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password27
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password28
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password29
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password3
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password30
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password31
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password32
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password33
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password34
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password35
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password36
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password37
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password38
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password39
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password4
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password40
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password41
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password42
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password43
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password44
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password45
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password46
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password47
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password48
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password49
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password5
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password50
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password51
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password52
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password53
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password54
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password55
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password56
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password57
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password58
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password59
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password6
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password60
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password61
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password62
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password63
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password64
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password65
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password66
-rw-r----- 1 level7 level7   70 May  1 15:34 level8_password67
-rw-r----- 1 level8 level7   59 Dec  1 23:46 level8_password68
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password69
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password7
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password70
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password71
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password72
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password73
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password74
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password75
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password76
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password77
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password78
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password79
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password8
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password80
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password81
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password82
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password83
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password84
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password85
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password86
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password87
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password88
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password89
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password9
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password90
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password91
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password92
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password93
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password94
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password95
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password96
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password97
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password98
-rw-r----- 1 level8 level7   59 May  1 05:05 level8_password99
level7@trainer:~/password_directory$ cat level8_password68
The password for level8 is:

bGV0J3MgZmluZCBzb21ldGhpbmcg
bGV0J3MgZmluZCBzb21ldGhpbmcg

Level 9 (Trainer 10)

The home directory contains many directories, so search for files with "password" in the name. This turns up level9_password; run it to print the password.

$ ssh level8@trainer.threatsims.com
level8@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:48:49 2020 from 103.26.49.37

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 8

For this level the password is in an executable hidden in one of these sub-directories.  When you run the executable it will print out the flag.  To run the executable type: ./executable

type: man find

After finding and executing the binary, you should try to run the command strings on the it and review the output.  type: strings <executable>

level8@trainer:~$ ls -la
total 712
drwxr-x--- 55 level8 level8   4096 May  1 17:46  .
drwxr-xr-x 26 root   root     4096 Mar  5 10:06  ..
-rw-r--r--  1 level8 level8    220 Apr 18  2019  .bash_logout
-rw-r--r--  1 level8 level8   3526 Apr 18  2019  .bashrc
-rw-r--r--  1 level8 level8      0 May  1 15:45  .cloud-locale-test.skip
-rwxr-x---  1 level8 level8  16616 May  1 01:41  desktop
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir1
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir10
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir11
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir12
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir13
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir14
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir15
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir16
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir17
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir18
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir19
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir2
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir20
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir21
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir22
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir23
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir24
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir25
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir26
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir27
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir28
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir29
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir3
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir30
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir31
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir32
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir33
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir34
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir35
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir36
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir37
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir38
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir39
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir4
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir40
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir41
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir42
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir43
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir44
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir45
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir46
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir47
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir48
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir49
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir5
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir50
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir6
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir7
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir8
drwxr-xr-x 52 level9 level8   4096 Dec  2 01:10  dir9
drwx------  3 level8 level8   4096 May  1 09:16  .gnupg
-r--r-----  1 level8 level8    399 Mar 24 13:27  helpme
-rw-------  1 level8 level8    201 May  1 17:43  .lesshst
drwxr-xr-x  3 level8 level8   4096 Dec 30 12:36  .local
-rw-r--r--  1 level8 level8 446956 May  1 15:48  log
-rw-r--r--  1 level8 level8      0 Dec 30 12:35 ''$'\001''P'$'\020''@h9@8'
-rw-r--r--  1 level8 level8    807 Apr 18  2019  .profile
drwx------  2 level8 level8   4096 May  1 01:38  .ssh
-rw-------  1 level8 level8   5154 May  1 17:46  .viminfo
-r--r-----  1 level8 level8    368 Mar 24 13:27  welcome_message
level8@trainer:~$ find . | grep password
./dir24/subdir13/level9_password
level8@trainer:~$ ./dir24/subdir13/level9_password
The password is: 96ab15e954f1267ea04c35de2d771c2b
96ab15e954f1267ea04c35de2d771c2b

Level 10 (Trainer 10)

The answer is the line number of "evilhacker" in the wordlist /usr/share/wordlists/rockyou.txt.

$ ssh level9@trainer.threatsims.com
level9@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 17:56:42 2020 from 62.107.29.101

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 9

First a bit of history.  RockYou was a social media site that suffered a security breach in 2009, losing 32 million passwords.  They were storing all the user credentials in plain text in their database.  At the time this was the largest breach of passwords and allowed for academic research and password analysis with real data.  These passwords were eventually organized into a password list that is commonly used for cracking passwords.  

For this level we want to find the line number in the rock you wordlist where the password "evilhacker" is found.  That line number is the password for level 10.  The wordlist can be found at /usr/share/wordlists/rockyou.txt (it's in the same place on kali too) Grep uses a 1-based numbering system meaning the first line is 1 and not 0.

type: man grep

level9@trainer:~$ ls -la
total 60
drwxr-x---  4 level9 level9 4096 May  1 17:58 .
drwxr-xr-x 26 root   root   4096 Mar  5 10:06 ..
-rw-r--r--  1 level9 level9  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level9 level9 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level9 level9    0 May  1 15:48 .cloud-locale-test.skip
-rw-------  1 level9 level9  350 May  1 16:25 DEADJOE
drwx------  3 level9 level9 4096 May  1 10:00 .gnupg
-r--r-----  1 level9 level9  340 Mar 24 13:28 helpme
-rw-------  1 level9 level9  409 May  1 17:17 .joe_state
-rw-------  1 level9 level9  300 May  1 17:58 .lesshst
drwxr-xr-x  3 level9 level9 4096 Mar 12 09:27 .local
-rw-r--r--  1 level9 level9  807 Apr 18  2019 .profile
-rw-------  1 level9 level9 9278 May  1 17:54 .viminfo
-r--r-----  1 level9 level9  818 Mar 24 13:28 welcome_message
level9@trainer:~$ grep -n evilhacker /usr/share/wordlists/rockyou.txt
955830:evilhacker
955830

Level 11 (Trainer 10)

The answer is the number of times 112.85.42.94 was banned according to fail2ban.log in the home directory.

$ ssh level10@trainer.threatsims.com
level10@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:02:12 2020 from 117.96.209.150

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 10

For this level you are given a log file from the program fail2ban.  Fail2ban is used monitor log files for suspicious activity like too many failed logins.  It is commonly deployed for use with Apache or SSH.  After a configured number of attempts it will create an iptables (linux firewall) rule to block the ip from communicating with the device for a period of time.

The log file is located in your home directory and is called fail2ban.log.  The password to level 11 is the number of times 112.85.42.94 was banned.

type: man grep
      man wc

level10@trainer:~$ grep 'Ban 112.85.42.94' fail2ban.log | wc -l
192
192
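
The count above relies on a substring match, which is exact for this address but over-counts when the address is a prefix of another one. The following is an added example, not part of the original writeup: it counts bans by exact field comparison, and the log lines in it are constructed samples in fail2ban's layout.

```shell
#!/bin/sh
# Added example: exact per-IP ban counting for fail2ban-style logs.

# Constructed sample lines (not taken from the CTF's fail2ban.log).
sample_log() {
cat <<'EOF'
2020-05-01 10:00:01,123 fail2ban.filter  [512]: INFO    [sshd] Found 112.85.42.94 - 2020-05-01 10:00:01
2020-05-01 10:00:05,456 fail2ban.actions [512]: NOTICE  [sshd] Ban 112.85.42.94
2020-05-01 10:10:05,789 fail2ban.actions [512]: NOTICE  [sshd] Unban 112.85.42.94
2020-05-01 10:12:40,101 fail2ban.actions [512]: NOTICE  [sshd] Ban 112.85.42.9
2020-05-01 10:30:11,202 fail2ban.actions [512]: NOTICE  [sshd] Ban 112.85.42.94
2020-05-01 10:31:02,303 fail2ban.actions [512]: NOTICE  [sshd] Ban 218.92.0.171
2020-05-01 10:22:40,404 fail2ban.actions [512]: NOTICE  [sshd] Unban 112.85.42.9
EOF
}

# naive_count IP: substring match on "Ban <ip>", as in the writeup.
# The dots are regex wildcards and nothing anchors the end of the address.
naive_count() {
    grep -c "Ban $1"
}

# count_bans IP: count lines whose last two fields are exactly "Ban" and IP.
count_bans() {
    awk -v ip="$1" '$(NF-1) == "Ban" && $NF == ip { n++ } END { print n + 0 }'
}

# top_banned N: the N most frequently banned addresses as "<count> <ip>".
top_banned() {
    awk '$(NF-1) == "Ban" { c[$NF]++ } END { for (ip in c) print c[ip], ip }' |
        sort -k1,1nr -k2,2 | head -n "$1"
}

echo "substring match for 112.85.42.9: $(sample_log | naive_count 112.85.42.9)"
echo "exact match for 112.85.42.9:     $(sample_log | count_bans 112.85.42.9)"
sample_log | top_banned 3
```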

Level 12 (Trainer 10)

Search the md5find file in the home directory for an MD5 string.

$ ssh level11@trainer.threatsims.com
level11@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:09:07 2020 from 117.96.209.150

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 11

For this level you are given a file that contains the password to the next level.  The password is a md5 hash.  Research md5 hashes and find it in the file.

type: man grep
      man md5sum
      google md5 hash

level11@trainer:~$ ls -la
total 240
drwxr-x---  5 level11 level11  4096 May  1 18:05 .
drwxr-xr-x 26 root    root     4096 Mar  5 10:06 ..
-rw-r--r--  1 level11 level11   220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level11 level11  3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level11 level11     0 May  1 16:05 .cloud-locale-test.skip
drwx------  3 level11 level11  4096 May  1 15:34 .gnupg
-r--r-----  1 level11 level11   716 Feb 29 13:21 helpme
-rw-------  1 level11 level11   129 May  1 17:03 .lesshst
drwxr-xr-x  3 level11 level11  4096 May  1 15:58 .local
-rw-r--r--  1 level11 level11     7 May  1 16:47 md5
-rw-rw-rw-  1 level12 level11 59140 Feb 29 13:21 md5find
-rwxrwxrwx  1 level11 level11   488 May  1 17:40 md5.py
-rw-r--r--  1 level11 level11  1216 Mar 12 09:48 output.txt
-rw-r--r--  1 level11 level11   807 Apr 18  2019 .profile
-rw-------  1 level11 level11   247 May  1 16:09 .python_history
-rw-r--r--  1 level11 level11     2 May  1 17:38 s
drwx------  2 level11 level11  4096 Apr 30 21:44 .ssh
-rwxrwxrwx  1 level11 level11   488 May  1 17:39 test.py
-rw-r--r--  1 level11 level11    33 May  1 17:03 test.txt
-rw-r--r--  1 level11 level11 40897 May  1 17:03 um
-rw-------  1 level11 level11  7374 May  1 18:00 .viminfo
-rw-r--r--  1 level11 level11 59140 May  1 16:18 wc
-r--r-----  1 level11 level11   234 Mar 24 13:28 welcome_message
level11@trainer:~$ grep -e "[0-9a-f]\{32\}" md5find
0982e2a869857644074d06b1a4fd1bea
0982e2a869857644074d06b1a4fd1bea
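
The pattern above matches any line containing at least 32 lowercase hex digits, so it also hits longer digests and misses uppercase ones. The following is an added example, not part of the original writeup: it extracts only standalone 32-digit tokens, and its sample text is constructed from the well-known digests of the empty string.

```shell
#!/bin/sh
# Added example: pull out tokens that are exactly 32 hex digits long.

# Constructed sample text: an uppercase MD5, a SHA-256 and a SHA-1 value.
sample_text() {
cat <<'EOF'
lorem ipsum 3f2a
session=D41D8CD98F00B204E9800998ECF8427E;
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709
EOF
}

# naive_lines: number of lines the writeup's pattern reports.
naive_lines() {
    grep -c '[0-9a-f]\{32\}'
}

# md5_candidates: split the input on every non-hex character, keep tokens
# of exactly 32 digits, and normalise them to lowercase.
md5_candidates() {
    tr -c '0-9a-fA-F' '\n' | awk 'length($0) == 32' | tr 'A-F' 'a-f'
}

echo "lines matched by the unanchored pattern: $(sample_text | naive_lines)"
echo "standalone 32-digit tokens:"
sample_text | md5_candidates
```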

Level 13 (Trainer 10)

Search for files with the SUID bit set and run the most suspicious one.

$ ssh level12@trainer.threatsims.com
level12@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:13:24 2020 from 117.96.209.150

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 12

For this level you are going to find SUID and SGID binaries in common locations.  This is a common privilege escalation technique seen in CTFs and real world.  Remember the user you are looking to escalate privileges to is level13. 

type: man find
      google SUID
      google SGID

level12@trainer:~$ ls -l
total 12
-rwxr-xr-x 1 level12 level12  46 May  1 16:13 cat
-rw-r--r-- 1 level12 level12   0 May  1 18:07 find
-r--r----- 1 level12 level12 813 Feb 29 23:24 helpme
-r--r----- 1 level12 level12 307 Mar 24 13:28 welcome_message
level12@trainer:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mysecret
level12@trainer:~$ /usr/sbin/mysecret
f4736e1eb28b1d9055c5f5d58a49b5a6
f4736e1eb28b1d9055c5f5d58a49b5a6
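
The same find output is what a defender audits: any SUID file that is not on a known-good list deserves a look. The following is an added example, not part of the original writeup: the current list is the find output shown above, and the baseline (the ten stock binaries treated as expected) is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example: diff a SUID/SGID listing against a known-good baseline.

# list_special ROOT: regular files under ROOT with the SUID or SGID bit set.
# On a real host: list_special / > current.txt
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# The find output from Level 12 of the writeup.
page_find_output() {
cat <<'EOF'
/usr/bin/su
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mysecret
EOF
}

# Assumed baseline: the entries above that are treated as expected here.
baseline_expected() {
cat <<'EOF'
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
EOF
}

# unexpected_special CURRENT BASELINE: paths listed in CURRENT but not in BASELINE.
unexpected_special() {
    cur=$(mktemp) && base=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$cur"
    LC_ALL=C sort -u "$2" > "$base"
    LC_ALL=C comm -23 "$cur" "$base"
    rm -f "$cur" "$base"
}

# demo_unexpected: run the comparison on the two embedded lists.
demo_unexpected() {
    dir=$(mktemp -d) || return 1
    page_find_output > "$dir/current"
    baseline_expected > "$dir/baseline"
    unexpected_special "$dir/current" "$dir/baseline"
    rm -rf "$dir"
}

echo "not in baseline:"
demo_unexpected
```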

Level 14 (Trainer 10)

Search for environment variables containing "ID".

$ ssh level13@trainer.threatsims.com
level13@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:23:17 2020 from 46.32.120.132

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 13

For this level you are going to familiarize yourself with environment variables.  They are used for a wide variety of applications.  Specifically, they can be used for docker and cloud providers to store credentials.  They password to level 14 is is the one that ends with ID.

type: man environ
      google environment variables


level13@trainer:~$ env | grep ID
AWS_ACCESS_KEY_ID=0ea027e3835aa87a4a47465321c5fe75
XDG_SESSION_ID=2947
0ea027e3835aa87a4a47465321c5fe75

Level 15 (Trainer 10)

The answer is the kernel's major version.

$ ssh level14@trainer.threatsims.com
level14@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:30:32 2020 from 78.156.44.229

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 14

For this level you are going to familiarize yourself with the kernel version.  We are just looking for the Kernel and Major version (the first two sets of numbers) example: if the version is 2.62.26.1 the password will be 2.62

Understanding Kernel versions can help when search for exploits with tools like searchsploit or exploitdb (Sorry, there isn't any kernel exploits for this box, I hope)

type: man uname
      google linux kernel


level14@trainer:~$ cat /proc/version
Linux version 4.19.0-8-cloud-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27)
4.19

Level 16 (Trainer 10)

The answer is the distribution name.

$ ssh level15@trainer.threatsims.com
level15@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:36:33 2020 from 70.114.44.15

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 15

For this level you are going to familiarize yourself with the distro version.  We are just looking for the distro name.  example: Fedora 31, then the password would be Fedora

Understanding distro versions can help when searching for exploits with tools like searchsploit or exploitdb (Sorry, there isn't any exploits for this distro, I hope)

type: man hostnamectl
      man lsb_release
      google linux distro


level15@trainer:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
Debian

Level 17 (Trainer 10)

Look at the aliases.

$ ssh level16@trainer.threatsims.com
level16@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:44:11 2020 from 4.26.24.244

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 16

For this level you are going to familiarize yourself with the aliases.  They can be very useful and can be used for a variety of actions to speed up your workflow.  They can also be very dangerous.

type: google alias



level16@trainer:~$ alias
alias bc='bc -l'
alias devbox='sshpass -p 6b39034a8045ed996a436f8d09031522 ssh level17@trainer.threatsims.com'
alias grep='grep --color=auto'
alias ls='ls --color=auto'
alias mkdir='mkdir -pv'
6b39034a8045ed996a436f8d09031522
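
Level 14 and Level 17 both come down to credentials left in shell state: a key in an environment variable and a password inside an alias. The following is an added example, not part of the original writeup: it scans alias or env output (or an rc file) for both patterns without echoing the values. The sample input is constructed with placeholder values, and the list of credential-like names is an assumption.

```shell
#!/bin/sh
# Added example: flag credentials in alias/env output or shell rc files.

# Constructed sample input with placeholder values.
sample_config() {
cat <<'EOF'
alias bc='bc -l'
alias devbox='sshpass -p EXAMPLE_PASSWORD ssh user@host.example'
alias grep='grep --color=auto'
export AWS_ACCESS_KEY_ID=EXAMPLEKEYID
export EDITOR=vim
export XDG_SESSION_ID=2947
export GITHUB_TOKEN=
EOF
}

# scan_shell_config: read lines on stdin and print "<line>: <finding>".
# Findings name the line and the variable only, never the secret value.
scan_shell_config() {
    awk '
    # A password passed on the command line via sshpass -p.
    /sshpass[ \t]+-p[ \t]*[^ \t]/ {
        print NR ": sshpass -p (password on command line)"
        next
    }
    {
        line = $0
        sub(/^[ \t]*(export[ \t]+)?/, "", line)
        # NAME=value assignments whose name looks like a credential.
        if (match(line, /^[A-Za-z_][A-Za-z0-9_]*=/)) {
            name = substr(line, 1, RLENGTH - 1)
            value = substr(line, RLENGTH + 1)
            if (toupper(name) ~ /(PASSWORD|PASSWD|SECRET|TOKEN|ACCESS_KEY|API_KEY)/ && value != "")
                print NR ": credential-like variable " name
        }
    }'
}

sample_config | scan_shell_config
```

On a live account the same function can be fed with `alias`, `env` or the contents of `~/.bashrc`.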

Level 18 (Trainer 10)

View the contents of .viminfo in the home directory.

$ ssh level17@trainer.threatsims.com
level17@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 18:53:29 2020 from 176.18.84.206

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 17

For this level you are going to familiarize yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man vim



      level17@trainer:~$ ls -la
total 64
drwxr-x---  5 level17 level17  4096 May  1 18:54 .
drwxr-xr-x 26 root    root     4096 Mar  5 10:06 ..
-rw-r--r--  1 level17 level17   220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level17 level17  3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level17 level17     0 May  1 17:23 .cloud-locale-test.skip
drwx------  3 level17 level17  4096 May  1 15:45 .gnupg
-r--r-----  1 level17 level17   533 Mar  3 01:10 helpme
-rw-------  1 level17 level17   222 May  1 17:46 .joe_state
-rw-------  1 level17 level17 12288 May  1 18:32 .joe_state.swp
-rw-------  1 level17 level17    45 May  1 18:42 .lesshst
drwxr-xr-x  3 level17 level17  4096 May  1 16:27 .local
-rw-r--r--  1 level17 level17   807 Apr 18  2019 .profile
drwxr-xr-x  2 level17 level17  4096 May  1 18:35 .vim
-r--r--r--  1 level18 level17  1289 Mar  3 10:21 .viminfo
-r--r-----  1 level17 level17   234 Mar  3 01:10 welcome_message
level17@trainer:~$ cat .viminfo
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
|2,0,1583196421,,"wq"

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:
"a	LINE	0
	ssh level18@localhost
|3,0,10,1,1,0,1583196413,"ssh level18@localhost"
""b	LINE	0
	9a42b1822710d790a393800f2896a8f7
|3,1,11,1,1,0,1583196418,"9a42b1822710d790a393800f2896a8f7"

# File marks:
'0  11  0  ~/password
|4,48,11,0,1583196421,"~/password"
'1  12  0  ~/password
|4,49,12,0,1583196243,"~/password"
'2  11  0  ~/password
|4,50,11,0,1583196243,"~/password"

# Jumplist (newest first):
-'  11  0  ~/password
|4,39,11,0,1583196421,"~/password"
-'  12  0  ~/password
|4,39,12,0,1583196368,"~/password"
-'  11  0  ~/password
|4,39,11,0,1583196243,"~/password"
-'  8  0  ~/password
|4,39,8,0,1583196224,"~/password"


# History of marks within files (newest to oldest):

> ~/password
	*	1583196420	0
	"	11	0
	^	6	1
	.	6	1
	+	6	0
	+	3	7
	+	1	3
	+	11	0
	+	10	0
	+	9	0
	+	8	0
	+	12	0
	+	6	1
	a	1	0
	b	2	0
	c	3	0
	d	4	0
9a42b1822710d790a393800f2896a8f7

Level 19 (Trainer 10)

View the contents of .bash_history in the home directory.

$ ssh level18@trainer.threatsims.com
level18@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 19:00:57 2020 from 117.96.209.150

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 18

For this level you are going to continue familiarizing yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man bash



      level18@trainer:~$ cat ~/.bash_history

whoami
uanme -a
w
id
ps -ef
netstat -an
cat /proc/version
cat /etc/*-release
pwd
ls -la
cat /etc/profile
cat ~/.bashrc
awk -F ":" '!/nologin/{print $1}' /etc/passwd
find / -perm -g=s -type f 2>/dev/null 
ssh level19@localhost
b06a246b0646b337f319316b9232151c
whoami
ssh level19@127.0.0.1
pwd
ls -la
b06a246b0646b337f319316b9232151c

Level 20 (Trainer 10)

Use level20_id_rsa, found under the .ssh directory in the home directory, to log in as the level20 user. Then view the contents of level20_password in that user's home directory.

$ ssh level19@trainer.threatsims.com
level19@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 19:05:21 2020 from 217.138.206.85

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 19

For this level you are going to continue familiarizing yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man ssh



      level19@trainer:~$ ls -la
total 80
drwxr-x---  6 level19 level19 4096 May  1 19:09 .
drwxr-xr-x 26 root    root    4096 Mar  5 10:06 ..
-rw-r--r--  1 level19 level19  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level19 level19 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level19 level19    0 May  1 17:33 .cloud-locale-test.skip
drwx------  3 level19 level19 4096 May  1 15:47 .gnupg
-r--r-----  1 level19 level19  526 Mar 24 13:30 helpme
-rw-------  1 level19 level19   62 May  1 18:45 .lesshst
-rw-r--r--  1 level19 level19  374 May  1 19:07 level20_id_rsa
drwxr-xr-x  3 level19 level19 4096 May  1 16:30 .local
-rw-r--r--  1 level19 level19  344 Mar  7 17:11 magic.mgc
-rw-r--r--  1 level19 level19  807 Apr 18  2019 .profile
-rw-------  1 level19 level19    7 May  1 16:54 .python_history
drwxr-x---  2 level19 level19 4096 May  1 18:51 .ssh
drwxr-xr-x  2 level19 level19 4096 Apr 30 22:16 .vim
-rw-------  1 level19 level19 8680 May  1 19:09 .viminfo
-r--r-----  1 level19 level19  245 Mar  3 23:54 welcome_message
-rw-------  1 level19 level19 1823 May  1 17:09 yes
-rw-r--r--  1 level19 level19  397 May  1 17:09 yes.pub
level19@trainer:~$ ls -la .ssh
total 24
drwxr-x--- 2 level19 level19 4096 May  1 18:51 .
drwxr-x--- 6 level19 level19 4096 May  1 19:09 ..
-rw-r--r-- 1 level19 level19  444 Apr 30 22:37 known_hosts
-rw------- 1 level19 level19 1811 Mar  3 23:54 level20_id_rsa
-rw------- 1 level19 level19 1811 May  1 18:50 level20_id_rsa.old
-rw-r--r-- 1 level19 level19 1811 May  1 18:51 level20_id_rsa.older
level19@trainer:~$ exit
logout
Connection to trainer.threatsims.com closed.
$ scp level19@trainer.threatsims.com:~/.ssh/level20_id_rsa .
level19@trainer.threatsims.com's password: 
level20_id_rsa                                                          100% 1811     9.8KB/s   00:00
$ ssh -i level20_id_rsa level20@trainer.threatsims.com
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 19:17:39 2020 from 49.35.114.2

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 20

For this level you are going to continue familiarizing yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man file
      man tar



      level20@trainer:~$ ls -la
total 64
drwxr-x---  7 level20 level20 4096 May  1 19:18 .
drwxr-xr-x 26 root    root    4096 Mar  5 10:06 ..
-rw-rw----  1 level21 level20 2048 Mar  4 22:39 backup.tgz
-rw-r--r--  1 level20 level20  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 level20 level20 3526 Apr 18  2019 .bashrc
-rw-r--r--  1 level20 level20    0 May  1 17:58 .cloud-locale-test.skip
drwx------  3 level20 level20 4096 May  1 15:34 .gnupg
-r--r-----  1 level20 level20  466 Mar 24 13:30 helpme
-rw-rw----  1 level20 level20   64 Mar  4 00:22 level20_password
-rw-r--r--  1 level20 level20   32 Mar  4 22:20 level21_password
-rw-r--r--  1 level20 level20  807 Apr 18  2019 .profile
drwxr-x---  2 level20 level19 4096 Apr 30 22:58 .ssh
drwxr-xr-x  2 level20 level20 4096 May  1 16:45 temp
drwxr-xr-x  2 level20 level20 4096 May  1 18:04 tr
drwxr-xr-x  2 level20 level20 4096 Apr 30 22:56 .vim
-rw-------  1 level20 level20 1355 May  1 16:46 .viminfo
-r--r-----  1 level20 level20  260 Mar  4 22:39 welcome_message
level20@trainer:~$ cat level20_password 
The password for level20 is:

5cf82d972614f73422f899f90cfce80f
5cf82d972614f73422f899f90cfce80f
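
The last few levels all come down to credentials left behind in user artifacts: an alias that passes a password to sshpass, a Vim register saved in .viminfo, a password typed at the shell prompt and recorded in .bash_history, and a private key readable by other users. The following audit sketch is an added example, not part of the original writeup or the trainer; the regex heuristics, function names and sample file contents are assumptions constructed for illustration.

```python
import re
import stat

# Assumed heuristics for the leak types seen in these levels (not exhaustive).
HEX32 = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")
SSHPASS_P = re.compile(r"\bsshpass\s+-p\s*\S+")


def scan_text(name, text):
    """Return (file, line_no, kind) for each line that looks like a leaked secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # viminfo stores every item twice: a readable line plus a '|' record.
        # Skip the '|' copy so one leaked register is reported once.
        if name.endswith("viminfo") and line.startswith("|"):
            continue
        if SSHPASS_P.search(line):
            findings.append((name, no, "password on command line"))
        elif HEX32.search(line):
            findings.append((name, no, "32-hex token"))
    return findings


def key_mode_too_open(mode):
    """True if a private key's mode grants any access to group or other."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit(files):
    """Scan a mapping of artifact name -> text and collect all findings."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed sample artifacts (placeholder token and host, not values from the CTF).
TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLES = {
    "alias output": (
        "alias ls='ls --color=auto'\n"
        f"alias devbox='sshpass -p {TOKEN} ssh user@host.example'\n"
    ),
    ".bash_history": f"whoami\nssh user@localhost\n{TOKEN}\npwd\n",
    ".viminfo": (
        "# Registers:\n"
        '""b\tLINE\t0\n'
        f"\t{TOKEN}\n"
        f'|3,1,11,1,1,0,1600000000,"{TOKEN}"\n'
    ),
}

if __name__ == "__main__":
    for name, line_no, kind in audit(SAMPLES):
        print(f"{name}:{line_no}: {kind}")
    # -rw-r--r-- on a private key (as in the listing above) versus -rw-------
    print("0644 too open:", key_mode_too_open(0o100644))
    print("0600 too open:", key_mode_too_open(0o100600))
```

On a real host the same functions can be fed the output of `alias` and the contents of each user's dotfiles, with `os.stat(path).st_mode` passed to `key_mode_too_open` for every private key file.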

Level 21 (Trainer 10)

Extract backup.tgz in the home directory and view the contents of the extracted level21_password.

$ ssh level20@trainer.threatsims.com
level20@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 19:23:07 2020 from 219.100.84.82

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 20

For this level you are going to continue familiarizing yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man file
      man tar



      level20@trainer:~$ ls -l
total 28
-rw-rw---- 1 level21 level20 2048 Mar  4 22:39 backup.tgz
-r--r----- 1 level20 level20  466 Mar 24 13:30 helpme
-rw-rw---- 1 level20 level20   64 Mar  4 00:22 level20_password
-rw-r--r-- 1 level20 level20   32 Mar  4 22:20 level21_password
drwxr-xr-x 2 level20 level20 4096 May  1 16:45 temp
drwxr-xr-x 2 level20 level20 4096 May  1 18:04 tr
-r--r----- 1 level20 level20  260 Mar  4 22:39 welcome_message
level20@trainer:~$ tar xvf backup.tgz
level21_password
$ cat level21_password
65230da2ead4ba2ed76ee2605cadcd4d
65230da2ead4ba2ed76ee2605cadcd4d

Level 22 (Trainer 10)

Checking the file type of mybackup in the home directory shows that it is bz2. View the contents of the extracted mybackup.out.

$ ssh level21@trainer.threatsims.com
level21@trainer.threatsims.com's password: 
Linux trainer 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May  1 19:26:18 2020 from 176.18.182.188

    ====================================================================
    ||                                                                ||
    ||     .--.          Welcom to the Linux Trainer!                 ||
    ||    | o_o|                                                      ||
    ||    | ==>|          To view the level instructions again        ||
    ||   / /   \ \         type: cat welcome_message                  ||
    ||  ( |     | )                                                   ||
    || /' |_____/'\       Getting Stuck? Need help with a level?      ||
    || \___)--(___/         type:  cat helpme                         ||
    ||                                                                ||
    ||                    Use "su - level#"  to change levels         ||
    ||                                                                ||
    ||                    feedback: nopresearcher@gmail.com           ||
    ||                                                                ||
    ||                                                                ||
    ====================================================================
    
Welcome to Level 21

For this level you are going to continue familiarizing yourself with user artifacts.  Look in this user's home directory to see if there are any files left behind that may contain useful information.

type: man file




      level21@trainer:~$ ls -l
total 56
-rw-r----- 1 level21 level21   33 May  1 17:51 asfd
-r--r----- 1 level21 level21  561 Mar 24 13:30 helpme
drwxr-xr-x 2 level21 level21 4096 May  1 18:44 kk
drwxr-xr-x 2 level21 level21 4096 May  1 15:58 lol
-rw-rw---- 1 level22 level21   62 Mar  8 22:42 mybackup
-rw-rw---- 1 level21 level21   33 Mar  8 22:42 mybackup.out
-rw-rw---- 1 level21 level21   33 Mar  8 22:42 mybackup.out.bak
-rwxrwxrwx 1 level21 level21   62 Mar  7 19:40 rec00001mybackup.bz2
-rw------- 1 level21 level21   62 Mar  7 20:58 rec00001rec00001mybackup.bz2.old
drwxr-xr-x 2 level21 level21 4096 May  1 16:42 temp
drwxr-xr-x 2 level21 level21 4096 May  1 16:46 test
-rw-r--r-- 1 level21 level21    0 May  1 15:58 test6
drwxr-xr-x 2 level21 level21 4096 May  1 19:26 tmp
-r--r----- 1 level21 level21  247 Mar  5 10:10 welcome_message
-rw-r----- 1 level21 level21   33 May  1 18:56 yo
level21@trainer:~$ file mybackup
mybackup: bzip2 compressed data, block size = 900k
level21@trainer:~$ cat mybackup.out
643b2616b33de99b179c33950970d519

Web Recon 1 (Tiger King 20)

The flag is written in a comment in the HTML source.

<!-- I don't know how many times I have to say it! derp{CaroleBaskinDidIt} -->
derp{CaroleBaskinDidIt}

Web Recon 2 (Tiger King 20)

Accessing http://joe-tk.threatsims.com/robots.txt showed the flag.

User-agent: BigCatRescue
Disallow: *

User-agent: derp{JeffLoweStoleMyTigers}
Disallow: *

User-agent: *
Disallow: /admin
derp{JeffLoweStoleMyTigers}

Eating Sweets (Tiger King 30)

The JoesMessage cookie is set to a base64 string.

ZGVycHtQZW9wbGVDb21lVG9TZWVNZX0=
$ echo ZGVycHtQZW9wbGVDb21lVG9TZWVNZX0= | base64 -d
derp{PeopleComeToSeeMe}
derp{PeopleComeToSeeMe}

Tom Nook - Internet traffic - Part I (Forensics 20)

Packet No. 21 POSTs flag.txt.

DERP{WayToCatchMyForeignServer}

FIXED: Tom Nook - Internet traffic - Part II (Forensics 40)

A password-protected ZIP is attached.

$ fcrackzip -u -D -p dict/rockyou.txt SecretACBankStatement.zip 


PASSWORD FOUND!!!!: pw == 0853483757

Extracting the archive with this password yields a PDF. The flag was written in this document.

DERP{TomNookDrivesTheBoat}

Do you feel me? (Crypto, Ciphers, and Encodings 10)

The challenge is written in Braille, as shown below.

⠙⠑⠗⠏{⠊⠓⠁⠧⠑⠕⠗⠊⠛⠊⠝⠎⠊⠝⠞⠓⠑⠋⠗⠑⠝⠉⠓⠁⠗⠍⠽⠂⠦⠂⠔}

Decode it using a Braille correspondence table.

derp{ihaveoriginsinthefrencharmy1819}
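
The table lookup can also be done in code, because Unicode Braille cells encode their raised dots as bits above U+2800. The following decoder is an added example, not part of the original writeup; it builds the letter table from the standard dot patterns and assumes the trailing digits use the lowered (Nemeth-style) cells, which is what produces 1819 here.

```python
# Dot numbers for a-j; every other letter is derived from these.
BASE = ["1", "12", "14", "145", "15", "124", "1245", "125", "24", "245"]

# The challenge string as given on this page.
CHALLENGE = "⠙⠑⠗⠏{⠊⠓⠁⠧⠑⠕⠗⠊⠛⠊⠝⠎⠊⠝⠞⠓⠑⠋⠗⠑⠝⠉⠓⠁⠗⠍⠽⠂⠦⠂⠔}"


def cell(dots):
    """Unicode Braille cell for a string of dot numbers, e.g. '145' -> '⠙'."""
    # Dot n is bit (n - 1) of the offset from U+2800.
    return chr(0x2800 + sum(1 << (int(d) - 1) for d in dots))


def build_table():
    """Map Braille cells to a-z and to the lowered digits 1-9, 0."""
    lower = str.maketrans("1245", "2356")  # shift a cell down one row
    table = {}
    for i, dots in enumerate(BASE):
        table[cell(dots)] = "abcdefghij"[i]
        table[cell(dots + "3")] = "klmnopqrst"[i]       # second decade adds dot 3
        table[cell(dots.translate(lower))] = "1234567890"[i]
    for i, dots in enumerate(BASE[:5]):
        table[cell(dots + "36")] = "uvxyz"[i]           # third decade adds dots 3 and 6
    table[cell("2456")] = "w"                           # w falls outside the pattern
    return table


TABLE = build_table()


def decode(text):
    """Decode Braille cells; characters without a mapping (such as braces) pass through."""
    return "".join(TABLE.get(ch, ch) for ch in text)


if __name__ == "__main__":
    print(decode(CHALLENGE))
```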

n Eggs (Crypto, Ciphers, and Encodings 10)

Baconian cipher. Decrypt it with https://www.dcode.fr/bacon-cipher.

DERPILOVEBACON

All about that base (Crypto, Ciphers, and Encodings 10)

Base64-decode it.

$ echo ZGVycHtJc1RoaXNFbmNyeXB0aW9ufQ== | base64 -d
derp{IsThisEncryption}
derp{IsThisEncryption}

All about that base remix (Crypto, Ciphers, and Encodings 10)

Base32-decode it.

>>> import base64
>>> base64.b32decode('MRSXE4D3KRUGS42JONCGKZSFNZRXE6LQORUW63RBPU======')
'derp{ThisIsDefEncryption!}'
derp{ThisIsDefEncryption!}

et tu brute (Crypto, Ciphers, and Encodings 10)

Caesar cipher (rot13). Decrypt it with https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.

derp{AnOldieButAGoodie}

AFSC 29331 (Crypto, Ciphers, and Encodings 10)

Morse code. Decode it with https://morsecode.world/international/translator.html.

DERP DITTY BOPPERS

Why are they even in that order in the fist place? (Crypto, Ciphers, and Encodings 10)

Treat each number as an index into the alphabet and convert it to a letter.

         11111111112222222
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
derplongestcomboever

Don't touch the third rail (Crypto, Ciphers, and Encodings 10)

Rail Fence Cipher. Decrypt it with https://www.geocachingtoolbox.com/index.php?lang=en&page=railFenceCipher.

derp{ZigzagCipherFTW}