Group member's target machine, National Day special: Guoqing

As usual, start with information gathering

┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.102 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::20c:29ff:fe66:2ae1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:66:2a:e1 txqueuelen 1000 (Ethernet)
RX packets 7 bytes 3105 (3.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 77 bytes 9855 (9.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 32 bytes 3720 (3.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32 bytes 3720 (3.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


┌──(root㉿kali)-[~]
└─# nmap -sC -sV -p- 192.168.56.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-07 22:04 +08
Nmap scan report for 192.168.56.105
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: \xE9\x9D\x9E\xE4\xB8\xBB\xE6\xB5\x81\xE7\x82\xAB\xE9\x85\xB7\xE7\xA9\xBA\xE9\x97\xB4 | \xE6\xAC\xA2\xE8\xBF\x8E\xE5\x85\x89\xE4\xB8\xB4
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:73:58:50 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.17 seconds

Visiting in Firefox, there is a redirect to login.php, but sadly my attempt at this box ended right here: I ran Hydra against it for a long time, swapping wordlist after wordlist, and never got a username and password out of it

Only after reading the writeup did I learn that they were hidden in an image, of all places (good grief, web + misc)

┌──(kali㉿kali)-[~/桌面]
└─$ strings todd.png
IEND
todd:toddishandsome

But todd here is not the username, although the password is correct
The correct credentials are admin:toddishandsome
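The credentials only showed up as a `strings` hit after the IEND marker, which means they were appended past the end of the PNG chunk stream. As an added example (not from the writeup), this Python walks the chunk list of a constructed 1x1 PNG with `todd:toddishandsome` appended and reports whatever follows IEND, the check a reviewer would run on image uploads before treating them as plain pictures.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer: bytes) -> bytes:
    """Constructed sample input: a valid 1x1 greyscale PNG with `trailer`
    glued on after the IEND chunk, mimicking the todd.png from the box."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                    # filter byte + 1 pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"") + trailer)


def trailing_data_after_iend(blob: bytes) -> bytes:
    """Walk the chunk list and return every byte that follows the IEND chunk.

    A wrong signature, a truncated chunk or a missing IEND raises ValueError,
    so a malformed file is reported instead of silently passing as clean."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        if ctype == b"IEND":
            return blob[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def printable_lines(data: bytes, min_len: int = 4) -> list:
    """strings(1)-style extraction: runs of printable ASCII >= min_len."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


if __name__ == "__main__":
    sample = build_sample_png(b"todd:toddishandsome\n")
    extra = trailing_data_after_iend(sample)
    print(f"{len(extra)} bytes after IEND:", printable_lines(extra))
```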

Logged in to the admin panel successfully

<!-- 
<div class="card">
<a href="hyh" class="hyhforever" target="_blank"></a>
</div>
-->

This comment gives away the credentials, so just try logging in over SSH

┌──(root㉿kali)-[~]
└─# ssh hyh@192.168.56.105
The authenticity of host '192.168.56.105 (192.168.56.105)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.105' (ED25519) to the list of known hosts.
hyh@192.168.56.105's password:
Linux Guoqing 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
hyh@Guoqing:~$ ls
user.txt
hyh@Guoqing:~$ cat user.txt
flag{user-e2ac255ade95b9268571eb5baf345974}

Got the flag

Routine privilege-escalation checks

hyh@Guoqing:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for hyh:

[1]+ Stopped sudo -l

No foothold found

After checking the writeup, it turns out a password binary is hidden under opt

hyh@Guoqing:/$ cd opt
hyh@Guoqing:/opt$ ls
password
hyh@Guoqing:/opt$ ./password
Please enter the password for segfault:

It needs segfault's password

Checked it with file; it seems to need binary-analysis stuff (damn, not my area)

Never mind, I'll pull the password binary down first and hand it to an AI to analyse

First disassemble it with objdump

┌──(root㉿kali)-[/home/kali/桌面]
└─# objdump -d password

password: 文件格式 elf64-x86-64


Disassembly of section .init:

0000000000001000 <_init>:
1000: 48 83 ec 08 sub $0x8,%rsp
1004: 48 8b 05 dd 2f 00 00 mov 0x2fdd(%rip),%rax # 3fe8 <__gmon_start__>
100b: 48 85 c0 test %rax,%rax
100e: 74 02 je 1012 <_init+0x12>
1010: ff d0 call *%rax
1012: 48 83 c4 08 add $0x8,%rsp
1016: c3 ret

Disassembly of section .plt:

0000000000001020 <.plt>:
1020: ff 35 e2 2f 00 00 push 0x2fe2(%rip) # 4008 <_GLOBAL_OFFSET_TABLE_+0x8>
1026: ff 25 e4 2f 00 00 jmp *0x2fe4(%rip) # 4010 <_GLOBAL_OFFSET_TABLE_+0x10>
102c: 0f 1f 40 00 nopl 0x0(%rax)

0000000000001030 <strcpy@plt>:
1030: ff 25 e2 2f 00 00 jmp *0x2fe2(%rip) # 4018 <strcpy@GLIBC_2.2.5>
1036: 68 00 00 00 00 push $0x0
103b: e9 e0 ff ff ff jmp 1020 <.plt>

0000000000001040 <puts@plt>:
1040: ff 25 da 2f 00 00 jmp *0x2fda(%rip) # 4020 <puts@GLIBC_2.2.5>
1046: 68 01 00 00 00 push $0x1
104b: e9 d0 ff ff ff jmp 1020 <.plt>

0000000000001050 <strlen@plt>:
1050: ff 25 d2 2f 00 00 jmp *0x2fd2(%rip) # 4028 <strlen@GLIBC_2.2.5>
1056: 68 02 00 00 00 push $0x2
105b: e9 c0 ff ff ff jmp 1020 <.plt>

0000000000001060 <printf@plt>:
1060: ff 25 ca 2f 00 00 jmp *0x2fca(%rip) # 4030 <printf@GLIBC_2.2.5>
1066: 68 03 00 00 00 push $0x3
106b: e9 b0 ff ff ff jmp 1020 <.plt>

0000000000001070 <strcspn@plt>:
1070: ff 25 c2 2f 00 00 jmp *0x2fc2(%rip) # 4038 <strcspn@GLIBC_2.2.5>
1076: 68 04 00 00 00 push $0x4
107b: e9 a0 ff ff ff jmp 1020 <.plt>

0000000000001080 <fgets@plt>:
1080: ff 25 ba 2f 00 00 jmp *0x2fba(%rip) # 4040 <fgets@GLIBC_2.2.5>
1086: 68 05 00 00 00 push $0x5
108b: e9 90 ff ff ff jmp 1020 <.plt>

0000000000001090 <strcmp@plt>:
1090: ff 25 b2 2f 00 00 jmp *0x2fb2(%rip) # 4048 <strcmp@GLIBC_2.2.5>
1096: 68 06 00 00 00 push $0x6
109b: e9 80 ff ff ff jmp 1020 <.plt>

00000000000010a0 <__ctype_b_loc@plt>:
10a0: ff 25 aa 2f 00 00 jmp *0x2faa(%rip) # 4050 <__ctype_b_loc@GLIBC_2.3>
10a6: 68 07 00 00 00 push $0x7
10ab: e9 70 ff ff ff jmp 1020 <.plt>

Disassembly of section .plt.got:

00000000000010b0 <__cxa_finalize@plt>:
10b0: ff 25 42 2f 00 00 jmp *0x2f42(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
10b6: 66 90 xchg %ax,%ax

Disassembly of section .text:

00000000000010c0 <_start>:
10c0: 31 ed xor %ebp,%ebp
10c2: 49 89 d1 mov %rdx,%r9
10c5: 5e pop %rsi
10c6: 48 89 e2 mov %rsp,%rdx
10c9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
10cd: 50 push %rax
10ce: 54 push %rsp
10cf: 4c 8d 05 3a 04 00 00 lea 0x43a(%rip),%r8 # 1510 <__libc_csu_fini>
10d6: 48 8d 0d d3 03 00 00 lea 0x3d3(%rip),%rcx # 14b0 <__libc_csu_init>
10dd: 48 8d 3d 83 02 00 00 lea 0x283(%rip),%rdi # 1367 <main>
10e4: ff 15 f6 2e 00 00 call *0x2ef6(%rip) # 3fe0 <__libc_start_main@GLIBC_2.2.5>
10ea: f4 hlt
10eb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)

00000000000010f0 <deregister_tm_clones>:
10f0: 48 8d 3d 71 2f 00 00 lea 0x2f71(%rip),%rdi # 4068 <__TMC_END__>
10f7: 48 8d 05 6a 2f 00 00 lea 0x2f6a(%rip),%rax # 4068 <__TMC_END__>
10fe: 48 39 f8 cmp %rdi,%rax
1101: 74 15 je 1118 <deregister_tm_clones+0x28>
1103: 48 8b 05 ce 2e 00 00 mov 0x2ece(%rip),%rax # 3fd8 <_ITM_deregisterTMCloneTable>
110a: 48 85 c0 test %rax,%rax
110d: 74 09 je 1118 <deregister_tm_clones+0x28>
110f: ff e0 jmp *%rax
1111: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1118: c3 ret
1119: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)

0000000000001120 <register_tm_clones>:
1120: 48 8d 3d 41 2f 00 00 lea 0x2f41(%rip),%rdi # 4068 <__TMC_END__>
1127: 48 8d 35 3a 2f 00 00 lea 0x2f3a(%rip),%rsi # 4068 <__TMC_END__>
112e: 48 29 fe sub %rdi,%rsi
1131: 48 89 f0 mov %rsi,%rax
1134: 48 c1 ee 3f shr $0x3f,%rsi
1138: 48 c1 f8 03 sar $0x3,%rax
113c: 48 01 c6 add %rax,%rsi
113f: 48 d1 fe sar $1,%rsi
1142: 74 14 je 1158 <register_tm_clones+0x38>
1144: 48 8b 05 a5 2e 00 00 mov 0x2ea5(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable>
114b: 48 85 c0 test %rax,%rax
114e: 74 08 je 1158 <register_tm_clones+0x38>
1150: ff e0 jmp *%rax
1152: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
1158: c3 ret
1159: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)

0000000000001160 <__do_global_dtors_aux>:
1160: 80 3d 11 2f 00 00 00 cmpb $0x0,0x2f11(%rip) # 4078 <completed.0>
1167: 75 2f jne 1198 <__do_global_dtors_aux+0x38>
1169: 55 push %rbp
116a: 48 83 3d 86 2e 00 00 cmpq $0x0,0x2e86(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
1171: 00
1172: 48 89 e5 mov %rsp,%rbp
1175: 74 0c je 1183 <__do_global_dtors_aux+0x23>
1177: 48 8b 3d e2 2e 00 00 mov 0x2ee2(%rip),%rdi # 4060 <__dso_handle>
117e: e8 2d ff ff ff call 10b0 <__cxa_finalize@plt>
1183: e8 68 ff ff ff call 10f0 <deregister_tm_clones>
1188: c6 05 e9 2e 00 00 01 movb $0x1,0x2ee9(%rip) # 4078 <completed.0>
118f: 5d pop %rbp
1190: c3 ret
1191: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1198: c3 ret
1199: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)

00000000000011a0 <frame_dummy>:
11a0: e9 7b ff ff ff jmp 1120 <register_tm_clones>

00000000000011a5 <caesar_encrypt>:
11a5: 55 push %rbp
11a6: 48 89 e5 mov %rsp,%rbp
11a9: 48 83 ec 20 sub $0x20,%rsp
11ad: 48 89 7d e8 mov %rdi,-0x18(%rbp)
11b1: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
11b8: e9 8e 01 00 00 jmp 134b <caesar_encrypt+0x1a6>
11bd: e8 de fe ff ff call 10a0 <__ctype_b_loc@plt>
11c2: 48 8b 10 mov (%rax),%rdx
11c5: 8b 45 fc mov -0x4(%rbp),%eax
11c8: 48 63 c8 movslq %eax,%rcx
11cb: 48 8b 45 e8 mov -0x18(%rbp),%rax
11cf: 48 01 c8 add %rcx,%rax
11d2: 0f b6 00 movzbl (%rax),%eax
11d5: 48 0f be c0 movsbq %al,%rax
11d9: 48 01 c0 add %rax,%rax
11dc: 48 01 d0 add %rdx,%rax
11df: 0f b7 00 movzwl (%rax),%eax
11e2: 0f b7 c0 movzwl %ax,%eax
11e5: 25 00 04 00 00 and $0x400,%eax
11ea: 85 c0 test %eax,%eax
11ec: 0f 84 d1 00 00 00 je 12c3 <caesar_encrypt+0x11e>
11f2: e8 a9 fe ff ff call 10a0 <__ctype_b_loc@plt>
11f7: 48 8b 10 mov (%rax),%rdx
11fa: 8b 45 fc mov -0x4(%rbp),%eax
11fd: 48 63 c8 movslq %eax,%rcx
1200: 48 8b 45 e8 mov -0x18(%rbp),%rax
1204: 48 01 c8 add %rcx,%rax
1207: 0f b6 00 movzbl (%rax),%eax
120a: 48 0f be c0 movsbq %al,%rax
120e: 48 01 c0 add %rax,%rax
1211: 48 01 d0 add %rdx,%rax
1214: 0f b7 00 movzwl (%rax),%eax
1217: 0f b7 c0 movzwl %ax,%eax
121a: 25 00 02 00 00 and $0x200,%eax
121f: 85 c0 test %eax,%eax
1221: 74 50 je 1273 <caesar_encrypt+0xce>
1223: 8b 45 fc mov -0x4(%rbp),%eax
1226: 48 63 d0 movslq %eax,%rdx
1229: 48 8b 45 e8 mov -0x18(%rbp),%rax
122d: 48 01 d0 add %rdx,%rax
1230: 0f b6 00 movzbl (%rax),%eax
1233: 0f be c0 movsbl %al,%eax
1236: 83 e8 5e sub $0x5e,%eax
1239: 48 63 d0 movslq %eax,%rdx
123c: 48 69 d2 4f ec c4 4e imul $0x4ec4ec4f,%rdx,%rdx
1243: 48 c1 ea 20 shr $0x20,%rdx
1247: c1 fa 03 sar $0x3,%edx
124a: 89 c1 mov %eax,%ecx
124c: c1 f9 1f sar $0x1f,%ecx
124f: 29 ca sub %ecx,%edx
1251: 6b ca 1a imul $0x1a,%edx,%ecx
1254: 29 c8 sub %ecx,%eax
1256: 89 c2 mov %eax,%edx
1258: 89 d0 mov %edx,%eax
125a: 8d 48 61 lea 0x61(%rax),%ecx
125d: 8b 45 fc mov -0x4(%rbp),%eax
1260: 48 63 d0 movslq %eax,%rdx
1263: 48 8b 45 e8 mov -0x18(%rbp),%rax
1267: 48 01 d0 add %rdx,%rax
126a: 89 ca mov %ecx,%edx
126c: 88 10 mov %dl,(%rax)
126e: e9 d4 00 00 00 jmp 1347 <caesar_encrypt+0x1a2>
1273: 8b 45 fc mov -0x4(%rbp),%eax
1276: 48 63 d0 movslq %eax,%rdx
1279: 48 8b 45 e8 mov -0x18(%rbp),%rax
127d: 48 01 d0 add %rdx,%rax
1280: 0f b6 00 movzbl (%rax),%eax
1283: 0f be c0 movsbl %al,%eax
1286: 83 e8 3e sub $0x3e,%eax
1289: 48 63 d0 movslq %eax,%rdx
128c: 48 69 d2 4f ec c4 4e imul $0x4ec4ec4f,%rdx,%rdx
1293: 48 c1 ea 20 shr $0x20,%rdx
1297: c1 fa 03 sar $0x3,%edx
129a: 89 c1 mov %eax,%ecx
129c: c1 f9 1f sar $0x1f,%ecx
129f: 29 ca sub %ecx,%edx
12a1: 6b ca 1a imul $0x1a,%edx,%ecx
12a4: 29 c8 sub %ecx,%eax
12a6: 89 c2 mov %eax,%edx
12a8: 89 d0 mov %edx,%eax
12aa: 8d 48 41 lea 0x41(%rax),%ecx
12ad: 8b 45 fc mov -0x4(%rbp),%eax
12b0: 48 63 d0 movslq %eax,%rdx
12b3: 48 8b 45 e8 mov -0x18(%rbp),%rax
12b7: 48 01 d0 add %rdx,%rax
12ba: 89 ca mov %ecx,%edx
12bc: 88 10 mov %dl,(%rax)
12be: e9 84 00 00 00 jmp 1347 <caesar_encrypt+0x1a2>
12c3: e8 d8 fd ff ff call 10a0 <__ctype_b_loc@plt>
12c8: 48 8b 10 mov (%rax),%rdx
12cb: 8b 45 fc mov -0x4(%rbp),%eax
12ce: 48 63 c8 movslq %eax,%rcx
12d1: 48 8b 45 e8 mov -0x18(%rbp),%rax
12d5: 48 01 c8 add %rcx,%rax
12d8: 0f b6 00 movzbl (%rax),%eax
12db: 48 0f be c0 movsbq %al,%rax
12df: 48 01 c0 add %rax,%rax
12e2: 48 01 d0 add %rdx,%rax
12e5: 0f b7 00 movzwl (%rax),%eax
12e8: 0f b7 c0 movzwl %ax,%eax
12eb: 25 00 08 00 00 and $0x800,%eax
12f0: 85 c0 test %eax,%eax
12f2: 74 53 je 1347 <caesar_encrypt+0x1a2>
12f4: 8b 45 fc mov -0x4(%rbp),%eax
12f7: 48 63 d0 movslq %eax,%rdx
12fa: 48 8b 45 e8 mov -0x18(%rbp),%rax
12fe: 48 01 d0 add %rdx,%rax
1301: 0f b6 00 movzbl (%rax),%eax
1304: 0f be c0 movsbl %al,%eax
1307: 8d 50 d3 lea -0x2d(%rax),%edx
130a: 48 63 c2 movslq %edx,%rax
130d: 48 69 c0 67 66 66 66 imul $0x66666667,%rax,%rax
1314: 48 c1 e8 20 shr $0x20,%rax
1318: c1 f8 02 sar $0x2,%eax
131b: 89 d6 mov %edx,%esi
131d: c1 fe 1f sar $0x1f,%esi
1320: 29 f0 sub %esi,%eax
1322: 89 c1 mov %eax,%ecx
1324: 89 c8 mov %ecx,%eax
1326: c1 e0 02 shl $0x2,%eax
1329: 01 c8 add %ecx,%eax
132b: 01 c0 add %eax,%eax
132d: 89 d1 mov %edx,%ecx
132f: 29 c1 sub %eax,%ecx
1331: 89 c8 mov %ecx,%eax
1333: 8d 48 30 lea 0x30(%rax),%ecx
1336: 8b 45 fc mov -0x4(%rbp),%eax
1339: 48 63 d0 movslq %eax,%rdx
133c: 48 8b 45 e8 mov -0x18(%rbp),%rax
1340: 48 01 d0 add %rdx,%rax
1343: 89 ca mov %ecx,%edx
1345: 88 10 mov %dl,(%rax)
1347: 83 45 fc 01 addl $0x1,-0x4(%rbp)
134b: 8b 45 fc mov -0x4(%rbp),%eax
134e: 48 63 d0 movslq %eax,%rdx
1351: 48 8b 45 e8 mov -0x18(%rbp),%rax
1355: 48 01 d0 add %rdx,%rax
1358: 0f b6 00 movzbl (%rax),%eax
135b: 84 c0 test %al,%al
135d: 0f 85 5a fe ff ff jne 11bd <caesar_encrypt+0x18>
1363: 90 nop
1364: 90 nop
1365: c9 leave
1366: c3 ret

0000000000001367 <main>:
1367: 55 push %rbp
1368: 48 89 e5 mov %rsp,%rbp
136b: 48 81 ec 90 00 00 00 sub $0x90,%rsp
1372: 48 b8 76 68 6a 69 64 movabs $0x776f7864696a6876,%rax
1379: 78 6f 77
137c: 48 89 45 f0 mov %rax,-0x10(%rbp)
1380: c7 45 f8 71 72 31 00 movl $0x317271,-0x8(%rbp)
1387: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
138e: 48 8d 3d 73 0c 00 00 lea 0xc73(%rip),%rdi # 2008 <_IO_stdin_used+0x8>
1395: b8 00 00 00 00 mov $0x0,%eax
139a: e8 c1 fc ff ff call 1060 <printf@plt>
139f: e9 d6 00 00 00 jmp 147a <main+0x113>
13a4: 48 8d 45 b0 lea -0x50(%rbp),%rax
13a8: 48 8d 35 82 0c 00 00 lea 0xc82(%rip),%rsi # 2031 <_IO_stdin_used+0x31>
13af: 48 89 c7 mov %rax,%rdi
13b2: e8 b9 fc ff ff call 1070 <strcspn@plt>
13b7: c6 44 05 b0 00 movb $0x0,-0x50(%rbp,%rax,1)
13bc: 48 8d 45 b0 lea -0x50(%rbp),%rax
13c0: 48 89 c7 mov %rax,%rdi
13c3: e8 88 fc ff ff call 1050 <strlen@plt>
13c8: 48 83 f8 0b cmp $0xb,%rax
13cc: 74 2c je 13fa <main+0x93>
13ce: be 0b 00 00 00 mov $0xb,%esi
13d3: 48 8d 3d 5e 0c 00 00 lea 0xc5e(%rip),%rdi # 2038 <_IO_stdin_used+0x38>
13da: b8 00 00 00 00 mov $0x0,%eax
13df: e8 7c fc ff ff call 1060 <printf@plt>
13e4: 48 8d 3d 94 0c 00 00 lea 0xc94(%rip),%rdi # 207f <_IO_stdin_used+0x7f>
13eb: b8 00 00 00 00 mov $0x0,%eax
13f0: e8 6b fc ff ff call 1060 <printf@plt>
13f5: e9 80 00 00 00 jmp 147a <main+0x113>
13fa: 48 8d 55 b0 lea -0x50(%rbp),%rdx
13fe: 48 8d 85 70 ff ff ff lea -0x90(%rbp),%rax
1405: 48 89 d6 mov %rdx,%rsi
1408: 48 89 c7 mov %rax,%rdi
140b: e8 20 fc ff ff call 1030 <strcpy@plt>
1410: 48 8d 85 70 ff ff ff lea -0x90(%rbp),%rax
1417: 48 89 c7 mov %rax,%rdi
141a: e8 86 fd ff ff call 11a5 <caesar_encrypt>
141f: 48 8d 55 f0 lea -0x10(%rbp),%rdx
1423: 48 8d 85 70 ff ff ff lea -0x90(%rbp),%rax
142a: 48 89 d6 mov %rdx,%rsi
142d: 48 89 c7 mov %rax,%rdi
1430: e8 5b fc ff ff call 1090 <strcmp@plt>
1435: 85 c0 test %eax,%eax
1437: 75 13 jne 144c <main+0xe5>
1439: 48 8d 3d 58 0c 00 00 lea 0xc58(%rip),%rdi # 2098 <_IO_stdin_used+0x98>
1440: e8 fb fb ff ff call 1040 <puts@plt>
1445: b8 00 00 00 00 mov $0x0,%eax
144a: eb 54 jmp 14a0 <main+0x139>
144c: 48 8d 3d 6d 0c 00 00 lea 0xc6d(%rip),%rdi # 20c0 <_IO_stdin_used+0xc0>
1453: b8 00 00 00 00 mov $0x0,%eax
1458: e8 03 fc ff ff call 1060 <printf@plt>
145d: 83 45 fc 01 addl $0x1,-0x4(%rbp)
1461: 83 7d fc 04 cmpl $0x4,-0x4(%rbp)
1465: 7e 13 jle 147a <main+0x113>
1467: 48 8d 3d 7a 0c 00 00 lea 0xc7a(%rip),%rdi # 20e8 <_IO_stdin_used+0xe8>
146e: e8 cd fb ff ff call 1040 <puts@plt>
1473: b8 01 00 00 00 mov $0x1,%eax
1478: eb 26 jmp 14a0 <main+0x139>
147a: 48 8b 15 ef 2b 00 00 mov 0x2bef(%rip),%rdx # 4070 <stdin@GLIBC_2.2.5>
1481: 48 8d 45 b0 lea -0x50(%rbp),%rax
1485: be 32 00 00 00 mov $0x32,%esi
148a: 48 89 c7 mov %rax,%rdi
148d: e8 ee fb ff ff call 1080 <fgets@plt>
1492: 48 85 c0 test %rax,%rax
1495: 0f 85 09 ff ff ff jne 13a4 <main+0x3d>
149b: b8 00 00 00 00 mov $0x0,%eax
14a0: c9 leave
14a1: c3 ret
14a2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
14a9: 00 00 00
14ac: 0f 1f 40 00 nopl 0x0(%rax)

00000000000014b0 <__libc_csu_init>:
14b0: 41 57 push %r15
14b2: 4c 8d 3d 2f 29 00 00 lea 0x292f(%rip),%r15 # 3de8 <__frame_dummy_init_array_entry>
14b9: 41 56 push %r14
14bb: 49 89 d6 mov %rdx,%r14
14be: 41 55 push %r13
14c0: 49 89 f5 mov %rsi,%r13
14c3: 41 54 push %r12
14c5: 41 89 fc mov %edi,%r12d
14c8: 55 push %rbp
14c9: 48 8d 2d 20 29 00 00 lea 0x2920(%rip),%rbp # 3df0 <__do_global_dtors_aux_fini_array_entry>
14d0: 53 push %rbx
14d1: 4c 29 fd sub %r15,%rbp
14d4: 48 83 ec 08 sub $0x8,%rsp
14d8: e8 23 fb ff ff call 1000 <_init>
14dd: 48 c1 fd 03 sar $0x3,%rbp
14e1: 74 1b je 14fe <__libc_csu_init+0x4e>
14e3: 31 db xor %ebx,%ebx
14e5: 0f 1f 00 nopl (%rax)
14e8: 4c 89 f2 mov %r14,%rdx
14eb: 4c 89 ee mov %r13,%rsi
14ee: 44 89 e7 mov %r12d,%edi
14f1: 41 ff 14 df call *(%r15,%rbx,8)
14f5: 48 83 c3 01 add $0x1,%rbx
14f9: 48 39 dd cmp %rbx,%rbp
14fc: 75 ea jne 14e8 <__libc_csu_init+0x38>
14fe: 48 83 c4 08 add $0x8,%rsp
1502: 5b pop %rbx
1503: 5d pop %rbp
1504: 41 5c pop %r12
1506: 41 5d pop %r13
1508: 41 5e pop %r14
150a: 41 5f pop %r15
150c: c3 ret
150d: 0f 1f 00 nopl (%rax)

0000000000001510 <__libc_csu_fini>:
1510: c3 ret

Disassembly of section .fini:

0000000000001514 <_fini>:
1514: 48 83 ec 08 sub $0x8,%rsp
1518: 48 83 c4 08 add $0x8,%rsp
151c: c3 ret

Handed it to the AI for analysis; note too that there is a function called caesar_encrypt here
The answer the AI finally came up with was segfaultno1
So the user is segfault:segfaultno1
Switch user directly
On how to switch users
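As an added example (not the binary's source and not from the writeup), this Python re-implements what the disassembly above shows: <caesar_encrypt> shifts lowercase, uppercase and digit characters by 3 within their own ranges (0x5e, 0x3e and 0x2d are 'a', 'A' and '0' minus 3) and leaves other bytes alone, while main requires exactly 11 characters (cmp $0xb,%rax) and strcmp's the encrypted copy against the stack string built from the immediates at 1372 and 1380. Running that target through the inverse shift recovers the input the check accepts; because the digit branch shifts as well, the stored target's trailing '1' corresponds to an '8' in the input, even though su below was accepted with segfaultno1.

```python
# Recovered from the objdump listing above; function names follow the symbols
# in the binary. Added example, not the program's own source.

def decode_target() -> str:
    """Rebuild the comparison string main stores at -0x10(%rbp)/-0x8(%rbp):
    1372: movabs $0x776f7864696a6876,%rax   -> 8 bytes, little-endian
    1380: movl   $0x317271,-0x8(%rbp)        -> 3 bytes plus NUL terminator
    """
    low = (0x776F7864696A6876).to_bytes(8, "little")
    high = (0x317271).to_bytes(4, "little")
    return (low + high).split(b"\x00", 1)[0].decode("ascii")


def caesar_encrypt(text: str, shift: int = 3) -> str:
    """Mirror of <caesar_encrypt> (11a5). Per character:
    islower -> ((c - 0x5e) % 26) + 'a', i.e. (c - 'a' + 3) % 26
    isupper -> ((c - 0x3e) % 26) + 'A'
    isdigit -> ((c - 0x2d) % 10) + '0'
    anything else is written back unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + shift) % 10 + ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, shift: int = 3) -> str:
    """Inverse: a negative shift (Python's % keeps the result non-negative)."""
    return caesar_encrypt(text, -shift)


def check_password(candidate: str) -> bool:
    """main's logic after fgets/strcspn: exactly 11 chars (cmp $0xb,%rax at
    13c8), encrypt a copy, then strcmp it against the embedded target."""
    if len(candidate) != 11:
        return False
    return caesar_encrypt(candidate) == decode_target()


def recover_password() -> str:
    """The accepted input is just the target run through the inverse shift."""
    return caesar_decrypt(decode_target())


if __name__ == "__main__":
    print("embedded target:", decode_target())
    print("input the check accepts:", recover_password())
    print("segfaultno1 passes the binary's check?", check_password("segfaultno1"))
```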

hyh@Guoqing:/home/segfault$ su segfault
Password:
segfault@Guoqing:~$ ls
name1.txt name2.txt name3.txt
segfault@Guoqing:~$ id
uid=1000(segfault) gid=1000(segfault) groups=1000(segfault)

Next came a blind spot in my knowledge: pspy (never used it)
Official repository

It apparently lets an attacker monitor the processes of the whole system without having obtained root yet
An introductory blog post

But the target machine doesn't have it

Transfer the file with scp

scp /home/kali/pspy hyh@192.168.56.105:/home/segfault/

Notice that the rsync job here is very fishy: it copies files to backup (isn't that just a deliberately planted backdoor?)
rsync introduction

Searching turned up the rsync privilege-escalation method; just follow the article below to escalate
rsync privilege escalation

Got the flag successfully
Another target machine that taught me a lot