ssh
Set up your own key on the website, then:
ssh hacker@dojo.pwn.college
Paths
1
/pwn
2
/challenge/run
3
cd /var/lib/apt/lists/ && /challenge/run
4
cd /proc/452/fd && /challenge/run
5
cd /var/lib/apt/lists/ && /challenge/run
6
If you are currently in the "/var" directory and your relative path is "asdf", the fully resolved path is "/var/asdf". If your relative path is "asdf/fdsa", the fully resolved path will be "/var/asdf/fdsa".
challenge/run
7
cd /&&./challenge/run
8
cd /challenge/ && ./run
9
Note that the expansion of ~ is an absolute path, and only the leading ~ is expanded. This means, for example, that ~/~ will be expanded to /home/hacker/~ rather than /home/hacker/home/hacker.
/challenge/run ~/1
Commands
1
cat ~/flag
2
cat /flag
3
cat /opt/ghidra/licenses/flag
4
grep pwn.college /challenge/data.txt
5
ls /challenge/
/challenge/1825-renamed-run-13223
6
hacker@commands~touching-files:/tmp$ touch pwn
hacker@commands~touching-files:/tmp$ touch college
hacker@commands~touching-files:/tmp$ /challenge/run
Success! Here is your flag:
pwn.college{gZpu52mRTVRUxRkSGNgXWjvx1P9.dBzM4QDLzczN0UzW}
7
hacker@commands~removing-files:~$ rm -r delete_me
hacker@commands~removing-files:~$ /challenge/check
Excellent removal. Here is your reward:
pwn.college{UWyesy1u8GvKr8dpKjublERInEl.dZTOwUDLzczN0UzW}
8
hacker@commands~hidden-files:~$ ls -a /
. .dockerenv boot etc lib32 media proc sbin tmp
.. .flag-3082426613879 challenge home lib64 mnt root srv usr
.authtoken bin dev lib libx32 opt run sys var
hacker@commands~hidden-files:~$ cat /.flag-3082426613879
pwn.college{Y_rf3YmA6SzXv9ytn-gmGN8Opiu.dBTN4QDLzczN0UzW}
9
skipped
10
hacker@commands~making-directories:~$ cd /tmp/
hacker@commands~making-directories:/tmp$ ls
bin hsperfdata_root tmp.03myKcqN5v
hacker@commands~making-directories:/tmp$ mkdir pwn
hacker@commands~making-directories:/tmp$ cd pwn/
hacker@commands~making-directories:/tmp/pwn$ touch college
hacker@commands~making-directories:/tmp/pwn$ /challenge/
ssh-entrypoint: /challenge/: Is a directory
hacker@commands~making-directories:/tmp/pwn$ /challenge/
DESCRIPTION.md run
hacker@commands~making-directories:/tmp/pwn$ /challenge/run
Success! Here is your flag:
pwn.college{4lR-V9bos1PNk42SrgrI-WCTJtH.dFzM4QDLzczN0UzW}
11
find / -name flag
Reading Documents
1
/challenge/challenge --giveflag
2
/challenge/challenge --printfile /flag
3
man challenge
/challenge/challenge --aqzhdf 478
4
man challenge
/flag
/challenge/challenge --nijsi
5
man -K challenge
Found the hidden documentation entry mnyntphfjl
/challenge/challenge --mnyntp 647
6
/challenge/challenge -h
/challenge/challenge -p
challenge/challenge -g 166
7
help challenge
challenge --secret kjNOquF6
File Globbing
1
The * matches any part of the filename except for / or a leading . character.
cd /c*/
./run
2
hacker@globbing~matching-with-:~$ cd /?ha??enge/
hacker@globbing~matching-with-:/challenge$ ./run
You ran me with the working directory of /challenge! Here is your flag:
pwn.college{IDd0kPG_4DvQsbxxK7n9GALuLdn.dJjM4QDLzczN0UzW}
3
cd /challenge/files && /challenge/run file_[abhs]
4
/challenge/run /challenge/files/file_[bash]
5
/challenge/run [cep]*
6
cd /challenge/files && /challenge/run [^pwn]*
Piping
1
echo PWN > COLLEGE
2
/challenge/run > myflag
cat myflag
3
>> is append mode
/challenge/run >> ~/the-flag
4
FD 0: Standard Input
FD 1: Standard Output
FD 2: Standard Error
/challenge/run 1> myflag 2> instructions
cat myflag
5
echo COLLEGE > PWN&&/challenge/run < PWN
6
/challenge/run > /tmp/data.txt
grep pwn /tmp/data.txt
7
/challenge/run | grep pwn
8
Since there is no operator of the form 2|, the shell's >& operator (which redirects one file descriptor into another) is used instead: 2>&1 redirects standard error to standard output, and only then is the pipe applied.
/challenge/run 2>&1 | grep pwn
Interestingly, &> also exists: it redirects both STDOUT and STDERR to the same file.
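To make the difference between a plain pipe, 2>&1 and redirecting both streams to a file concrete, here is an added example (not part of these notes or of pwn.college). fake_run is a constructed stand-in for /challenge/run that prints instructions on stdout and the flag on stderr; the flag value is made up.

```shell
#!/bin/sh
# Added example (not pwn.college's code): how 2>&1 and > file 2>&1 change
# what a pipe or a file receives. fake_run is a constructed stand-in for
# /challenge/run: instructions on stdout, the "flag" on stderr.
fake_run() {
    echo "instructions go to stdout"
    echo "pwn.college{constructed_example_flag}" >&2
}

# A plain pipe carries only fd 1, so grep never sees the stderr line.
# (stderr is discarded here so the example stays quiet; on a terminal it
# would bypass the pipe and land directly on the screen.)
without_merge() {
    { fake_run | grep pwn; } 2>/dev/null || true
}

# 2>&1 duplicates fd 2 onto fd 1 before the pipe starts, so both streams
# flow through grep and the stderr line is found.
with_merge() {
    fake_run 2>&1 | grep pwn
}

# > file 2>&1 sends both streams into one file; bash's &> file is shorthand
# for exactly this. Prints the file contents (two lines) and cleans up.
both_to_file() {
    f=$(mktemp)
    fake_run > "$f" 2>&1
    cat "$f"
    rm -f "$f"
}

# Order matters: with 2>&1 > file, fd 2 is copied from fd 1 *before* fd 1
# is pointed at the file, so stderr still goes wherever stdout originally
# went (here: back to the caller) and only stdout ends up in the file.
wrong_order() {
    f=$(mktemp)
    fake_run 2>&1 > "$f"
    rm -f "$f"
}

# Stand-alone demonstration.
echo "without 2>&1: [$(without_merge)]"
echo "with 2>&1:    [$(with_merge)]"
echo "both to file: $(both_to_file | grep -c .) lines"
echo "2>&1 >file:   [$(wrong_order)]"
```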
9*
I don't understand why
challenge/pwn | tee > /dev/stdout | /challenge/college
prints no output; the output can only be written to a file and read back afterwards. Puzzling.
/challenge/pwn | tee output.txt |/challenge/college
cat output.txt
/challenge/pwn --secret IV2arjPS | tee output.txt |/challenge/college
Shell Variables
1
echo $FLAG
2
env | grep pwn
3
PWN=COLLEGE
4
PWN="COLLEGE YEAH"
5
hacker@variables~learn-to-export-variables-into-child-processes:~$ PWN=COLLEGE
You've set the PWN variable to the proper value!
hacker@variables~learn-to-export-variables-into-child-processes:~$ COLLEGE=PWN
You've set the PWN variable to the proper value!
You've set the COLLEGE variable to the proper value!
hacker@variables~learn-to-export-variables-into-child-processes:~$ export PWN
You've set the PWN variable to the proper value!
You've set the COLLEGE variable to the proper value!
hacker@variables~learn-to-export-variables-into-child-processes:~$ sh
$ /challenge/run
6
hacker@variables~setting-variables-with-read:~$ read PWN
COLLEGE
You've set the PWN variable properly! As promised, here is the flag:
pwn.college{EXb5qH9D76ozx34IIM6XLHbdP1n.dhzN1QDLzczN0UzW}
7
read PWN < /challenge/read_me
Path
ls works by relying on the PATH shell variable.
hacker@path~the-path-variable:~$ PATH=""
hacker@path~the-path-variable:~$ export PATH
hacker@path~the-path-variable:~$ /challenge/run
Trying to remove /flag...
/challenge/run: line 4: rm: No such file or directory
Chaining Commands
1
; behaves like pressing Enter between commands.
/challenge/pwn;/challenge/college
2
/challenge/pwn
/challenge/college
bash 1.sh
3
bash 1.sh|/challenge/solve
Processes and Jobs
1
hacker@processes~listing-processes:~$ ps aux > 1.txt |grep challenge
hacker@processes~listing-processes:~$ cat 1.txt |grep challenge
root 49 0.0 0.0 4204 3092 ? S 06:43 0:00 /challenge/18695-run-32181
hacker@processes~listing-processes:~$ /challenge/18695-run-32181
Yahaha, you found me! Here is your flag:
pwn.college{M1kT70o6bkYNmepttaKvpQ-Wm4g.dhzM4QDLzczN0UzW}
2
hacker@processes~killing-processes:~$ ps -ef |grep dont_run
hacker 49 47 0 06:47 ? 00:00:00 /challenge/dont_run
hacker 118 51 0 06:52 pts/0 00:00:00 grep --color=auto dont_run
hacker@processes~killing-processes:~$ kill 49;/challenge/run
Great job! Here is your payment:
pwn.college{swbWgYKpeas_fR7iYsYwJV1OD2c.dJDN4QDLzczN0UzW}
3
/challenge/run
ctrl +c
4
In Unix, Ctrl+Z suspends the program.
/challenge/run
ctrl+z
/challenge/run
5
fg
fg is used to resume a suspended process.
/challenge/run
ctrl+z
fg
6
See that T? That means that the process is suspended due to our Ctrl-Z. The S in bash's STAT column means that bash is sleeping while waiting for input. The R in ps's column means that it's actively running, and the + means that it's in the foreground!
ps -o user,pid,stat,cmd
/challenge/run
ctrl+z
bg
/challenge/run
7
/challenge/run
bg
fg
8
There is no need to suspend the program and then use bg to move it to the background: appending & to the command puts it straight into the background.
/challenge/run &
Understanding Permissions
hacker@processes~starting-backgrounded-processes:~$ ls -l
total 52
-rw-r--r-- 1 root hacker 58 Jun 28 10:25 1
-rw-r--r-- 1 hacker hacker 34 Jun 29 06:35 1.sh
-rw-r--r-- 1 hacker hacker 1198 Jun 29 06:45 1.txt
-rw-r--r-- 1 hacker hacker 4 Jun 29 05:11 COLLEGE
drwxr-xr-x 2 hacker hacker 4096 May 9 11:00 Desktop
-rw-r--r-- 1 hacker hacker 8 Jun 29 05:33 PWN
-rw-r--r-- 1 root hacker 58 Jun 28 10:25 a
drwxr-xr-x 2 hacker hacker 4096 May 10 14:00 demo
-rw-r--r-- 1 hacker hacker 829 Jun 29 05:28 instructions
drwxr-xr-x 2 hacker hacker 4096 May 13 09:44 leap
-rw-r--r-- 1 hacker hacker 93 Jun 29 05:28 myflag
-rw-r--r-- 1 root hacker 17 Jun 29 06:07 output.txt
-rw-r--r-- 1 hacker hacker 435 Jun 29 05:30 the-flag
d means it is a directory; - means it is a normal file.
The next 9 characters are the actual access permissions of the file or directory, in groups of three: the first group is the owner's (user's) permissions on the file, the second the group's, and the third others'.
r - user can read the file (or list the directory)
w - user can modify the files (or create/delete files in the directory)
x - user can execute the file as a program (or can enter the directory, e.g., using `cd`)
- - nothing
1
skipped
2
chmod can use = to set permissions directly; a=- removes all permissions for everyone (the world).
skipped
3
chown [username] [file]
chown will give the ownership of that file to the specified user.
Additionally, you can edit the group ownership by using chgrp:
chgrp [groupname] [file]
hacker@permissions~my-dentist-said-i-need-to-chown:~$ chown hacker /flag
hacker@permissions~my-dentist-said-i-need-to-chown:~$ cat /flag
pwn.college{stoZ4X4fMlGzLueu7fS0UsENrKf.dFTM2QDLzczN0UzW}
4
Reading the program's source directly shows that the flag is in /etc/ctfconfg.
chmod +x getflag
./getflag
5
The permissions of a file with SUID set look like this:
-rwsr-xr-x 1 root root 232416 Dec 1 11:45 /usr/bin/sudo
The s in place of the executable bit means that the program is executable with SUID. It means that the user can essentially execute this program as the owner (in this case, the root user).
As the owner of a file, you can set a file's SUID bit by using chmod:
chmod u+s [program]
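As an added example (not from these notes or pwn.college) tying together the rwx groups described at the top of this section and the s bit above, the functions below decode the 10-character mode field that ls -l prints into the octal value chmod accepts and report whether setuid is set; the function names are my own.

```shell
#!/bin/sh
# Added example (not pwn.college's code): decode the 10-character mode field
# printed by ls -l (e.g. -rwsr-xr-x) into the octal mode chmod accepts, and
# flag setuid. Shows how the type char, the three rwx groups and the s/t
# special bits fit together.

# file_type '-rwxr-xr-x' -> "regular file"; 'd...' -> "directory"
file_type() {
    case $1 in
        d*) echo "directory";;
        -*) echo "regular file";;
        l*) echo "symbolic link";;
        *)  echo "other";;
    esac
}

# triplet_value 'rwx' -> 7, 'r-x' -> 5, 'rws' -> 7, 'rwS' -> 6.
# Lowercase s/t mean "special bit AND execute"; uppercase S/T mean the
# special bit is set but execute is not.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4));; esac
    case $1 in ?w?) v=$((v + 2));; esac
    case $1 in ??[xst]) v=$((v + 1));; esac
    echo "$v"
}

# mode_to_octal '-rwsr-xr-x' -> 4755 (setuid + rwxr-xr-x)
mode_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    special=0
    case $u in ??[sS]) special=$((special + 4));; esac   # setuid
    case $g in ??[sS]) special=$((special + 2));; esac   # setgid
    case $o in ??[tT]) special=$((special + 1));; esac   # sticky
    printf '%s%s%s%s\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# is_setuid '-rwsr-xr-x' -> yes: the owner's execute slot holds s or S,
# so the program runs with the owner's identity (root for /usr/bin/sudo).
is_setuid() {
    case $1 in ???[sS]*) echo yes;; *) echo no;; esac
}

# Stand-alone demonstration on the sample line from the notes above.
m='-rwsr-xr-x'
echo "$m: $(file_type "$m"), octal $(mode_to_octal "$m"), setuid=$(is_setuid "$m")"
```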
hacker@permissions~i-tried-to-tell-a-setuid-joke-but-it-escalated-too-q:~$ chmod u+s /challenge/getroot
hacker@permissions~i-tried-to-tell-a-setuid-joke-but-it-escalated-too-q:~$ /challenge/getroot
Now you are root!
<ll-a-setuid-joke-but-it-escalated-too-q:/home/hacker# cat /flag