[hackerschool FTZ] level8

PAPICO 2017. 1. 4. 14:36

Let's solve level8.


[level8@ftz level8]$


Run ls -al to check the files and directories.


[level8@ftz level8]$ ls -al
total 80
drwxr-xr-x    4 root     level8       4096 Jan 14  2010 .
drwxr-xr-x   34 root     root         4096 Sep 10  2011 ..
-rw-------    1 root     root            1 Jan 15  2010 .bash_history
-rw-r--r--    1 root     root           24 Feb 24  2002 .bash_logout
-rw-r--r--    1 root     root          224 Feb 24  2002 .bash_profile
-rw-r--r--    1 root     root          151 Feb 24  2002 .bashrc
-rw-r--r--    1 root     root          400 Sep 24  2000 .cshrc
-rw-r--r--    1 root     root         4742 Sep 24  2000 .emacs
-r--r--r--    1 root     root          319 Sep 24  2000 .gtkrc
-rw-r--r--    1 root     root          100 Sep 24  2000 .gvimrc
-rw-r-----    1 root     level8        109 Jan 14  2010 hint
-rw-r--r--    1 root     root          226 Sep 24  2000 .muttrc
-rw-r--r--    1 root     root          367 Sep 24  2000 .profile
drwxr-xr-x    2 root     level8       4096 Feb 24  2002 public_html
drwxrwxr-x    2 root     level8       4096 Jan 14  2009 tmp
-rw-r--r--    1 root     root            1 May  7  2002 .viminfo
-rw-r--r--    1 root     root         4145 Sep 24  2000 .vimrc
-rw-r--r--    1 root     root          245 Sep 24  2000 .Xdefaults


Let's read the hint file.


[level8@ftz level8]$ cat hint


level9의 shadow 파일이 서버 어딘가에 숨어있다.
그 파일에 대해 알려진 것은 용량이 "2700"이라는 것 뿐이다.



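The hint says that level9's shadow file is hidden somewhere on the server, and the only thing it reveals about the file is that its size is "2700".

Let's use the find command to locate the shadow file.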


[level8@ftz level8]$ find / -size 2700c 2>/dev/null
/var/www/manual/ssl/ssl_intro_fig2.gif
/etc/rc.d/found.txt
/usr/share/man/man3/IO::Pipe.3pm.gz
/usr/share/man/man3/URI::data.3pm.gz


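find is the command we used in earlier levels to locate a file when we knew its permissions or its name.

It can also be used when the file's size is known: pass -size, followed by the number with c appended, where c is the unit for bytes.

2>/dev/null can be understood as discarding standard error messages into /dev/null.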
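The following is an added example, not part of the original post, showing why the c suffix matters: without it, find -size counts 512-byte blocks rounded up, so files of nearby sizes also match. The temporary directory and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Constructed demo tree: three files whose sizes differ by one byte.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    dd if=/dev/zero of="$dir/a_2699" bs=1 count=2699 2>/dev/null
    dd if=/dev/zero of="$dir/b_2700" bs=1 count=2700 2>/dev/null
    dd if=/dev/zero of="$dir/c_2701" bs=1 count=2701 2>/dev/null
    printf '%s\n' "$dir"
}

# Exact byte match, as used in the post: only the 2700-byte file qualifies.
count_exact_bytes() {
    find "$1" -type f -size 2700c 2>/dev/null | wc -l | tr -d ' '
}

# No suffix: the unit is 512-byte blocks, rounded up.
# ceil(2700 / 512) = 6, so any file from 2561 to 3072 bytes matches.
count_blocks() {
    find "$1" -type f -size 6 2>/dev/null | wc -l | tr -d ' '
}

demo_dir=$(make_demo_tree)
echo "exact  (-size 2700c): $(count_exact_bytes "$demo_dir") file(s)"
echo "blocks (-size 6):     $(count_blocks "$demo_dir") file(s)"
rm -rf "$demo_dir"
```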

Several files come up: gif, gz and txt. Of these, let's read the txt file.


[level8@ftz level8]$ cd /etc/rc.d
[level8@ftz rc.d]$ ls -al
total 76
drwxr-xr-x   10 root     root         4096 Sep 10  2011 .
drwxr-xr-x   52 root     root         4096 Jan  4 13:48 ..
-r--r-----    1 root     level8       2700 Sep 10  2011 found.txt
drwxr-xr-x    2 root     root         4096 Oct 31  2007 init.d
-rwxr-xr-x    1 root     root         2338 Feb 19  2003 rc
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc0.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc1.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc2.d
drwxr-xr-x    2 root     root         4096 Dec 19  2007 rc3.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc4.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc5.d
drwxr-xr-x    2 root     root         4096 Oct 31  2007 rc6.d
-rwxr-xr-x    1 root     root          545 Sep 10  2011 rc.local
-rwxr-xr-x    1 root     root        23299 Feb 25  2003 rc.sysinit
[level8@ftz rc.d]$ cat found.txt
level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524



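Yikes! Strange characters were printed. The output is a sequence of letters and numbers separated by colons, and the password behind it can be recovered with a tool called John the Ripper.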
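The colon-separated line is a shadow(5) entry. The added example below (not part of the original post) splits the entry shown in found.txt into its fields and reports which crypt(3) scheme the hash field uses; the function names and the WEAK/OK verdict labels are assumptions made for this illustration.

```sh
#!/bin/sh
# Input: the entry printed from found.txt in the post.
ENTRY='level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524'

# Print one field of a shadow(5) entry by position:
# 1 login name, 2 hashed password, 3 last change (days since 1970-01-01),
# 4 min age, 5 max age, 6 warn days, 7 inactive days, 8 expiry, 9 reserved.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Map the $id$ prefix of the hash field to the crypt(3) scheme name.
hash_scheme() {
    case $(shadow_field "$1" 2) in
        '$1$'*)                  echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$y$'*)                  echo yescrypt ;;
        '!'*|'*'*)               echo locked ;;
        '')                      echo empty ;;
        *)                       echo des-or-unknown ;;
    esac
}

# The salt sits between the second and third '$' of the hash field.
hash_salt() {
    shadow_field "$1" 2 | cut -d'$' -f3
}

# Audit verdict: legacy or missing hashes are flagged for rotation.
audit_entry() {
    case $(hash_scheme "$1") in
        md5crypt|des-or-unknown|empty) echo WEAK ;;
        locked)                        echo NOLOGIN ;;
        *)                             echo OK ;;
    esac
}

echo "user=$(shadow_field "$ENTRY" 1) scheme=$(hash_scheme "$ENTRY")" \
     "salt=$(hash_salt "$ENTRY") verdict=$(audit_entry "$ENTRY")"
```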


John the Ripper?


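John the Ripper is a password cracking tool for Unix-like systems, developed by Solar Designer.

It can be downloaded for free and supports a variety of platforms.

To increase speed, it also includes optimized code that uses Intel MMX technology or special features of the AMD K6 processor.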



First, John the Ripper has to be downloaded. Download the Windows version zip file from http://www.openwall.com/john/ and extract it to a path of your choice.


Next, copy the hashes from found.txt into a new txt file. Any file name will do; I named mine 10120.txt.

[10120.txt]


level9:$1$vkY6sSlG$6RyUXtNMEVGsfY7Xf0wps.:11040:0:99999:7:-1:-1:134549524




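Then save 10120.txt in the run folder under the extracted John the Ripper folder.

Next, open a cmd window and move to the run folder where the password file was saved.

Finally, enter "john.exe 10120.txt" and the password is printed.

It's apple. The password is apple.

level8 is solved.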
