![\"image-20250628003751047\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058568.png\")
<\/div>\n
![\"image-20250628004412429\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058569.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: Because guessing isn't hacking.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.103:22\nOpen 192.168.10.103:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 12:f6:55:5f:c6:fa:fb:14:15:ae:4a:2b:38:d8:4a:30 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDShbr+Tk6ugvRpNAjWbMqxR1X555LbWq5IVZwq3wXDk+GwY+wauGLd\/ntKyNRJF0aid5QaRZXFfhOvYFHbtpr2i2yW5CUIW\/2aaVwiHXDKL1DXBXcawr0g1+iVWUEg49W5lBdSEIgqRtmJhBjcXLbEq1V5Fvy3BAP\/leOy0ADwwpesjLht50MxE5D7jmZxDEiYavhyOxAcxko4Yp4xXtZ5CkcG741SOYCG6Y77UoFFP50h0oHtJ627+iNvqqWPEQaPNe+0rbJU4C1hkz8Y7OvOeeVaR9JhMg6KTBZTJRB9gC4dlXd9BSP5oOmtpYLitZA5EwYMWaqcwF7v+7S2MNan\n| 256 b7:ac:87:6d:c4:f9:e3:9a:d4:6e:e0:4f:da:aa:22:20 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCOR5F804dZn6AQsF4+t5s0JH2QPd12FYdNIAa9axn2k62dIRIvu\/okOvmA0rg2HezQEf8boO6\/f3Wf13V9ZDo=\n| 256 fe:e8:05:af:23:4d:3a:82:2a:64:9b:f7:35:e4:44:4a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFVSupFLBXoYJXyGalYCoVSM7g60dhRbsmKL+eg+k7Z\n80\/tcp open http syn-ack ttl 64 nginx 1.14.2\n|_http-title: RELAX\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\nMAC Address: 08:00:27:C4:16:EB (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.103\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt,html,zip\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 530]\n\/yay (Status: 301) [Size: 185] [--> http:\/\/192.168.10.103\/yay\/]<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ whatweb http:\/\/$IP\/\nhttp:\/\/192.168.10.103\/ [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[nginx\/1.14.2], IP[192.168.10.103], Title[RELAX], nginx[1.14.2]<\/code><\/pre>\n![\"image-20250628004510365\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n<title>RELAX<\/title>\n<!doctype html>\n<html lang="en">\n\n<!-- Please paul, stop uploading weird .wav files using \/upload_sound -->\n\n<head>\n<style>\nbody {\n background-image: url('screen-1.jpg');\n background-repeat: no-repeat;\n background-attachment: fixed; \n background-size: 100% 100%;\n}\n<\/style>\n <link href="bootstrap.min.css" rel="stylesheet">\n <meta name="viewport" content="width=device-width, initial-scale=1">\n<\/head>\n\n<body>\n<audio src="relax.wav" preload="auto loop" controls><\/audio>\n<\/body><\/code><\/pre>\nwav\u5206\u6790<\/h3>\n
\u4fe1\u606f\u5f88\u591a\uff01\uff01\uff01\uff01\u5bf9\u8c61\u53ebpaul<\/code><\/p>\n\u8fdb\u884c\u5c1d\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ curl -s http:\/\/192.168.10.103\/bootstrap.min.css \n\/yay\/mysecretsound.wav\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ curl -s http:\/\/192.168.10.103\/upload_sound\/\nUpload disabled (or not).<\/code><\/pre>\n\u8fdb\u884c\u4e0b\u8f7d\uff0c\u67e5\u770b\u4e00\u4e0b\u9690\u85cf\u4e86\u5565\uff1a<\/p>\n
# wget http:\/\/$IP\/yay\/mysecretsound.wav \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ file mysecretsound.wav \nmysecretsound.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ exiftool mysecretsound.wav \nExifTool Version Number : 13.25\nFile Name : mysecretsound.wav\nDirectory : .\nFile Size : 205 kB\nFile Modification Date\/Time : 2020:11:22 14:21:02-05:00\nFile Access Date\/Time : 2025:06:27 12:48:56-04:00\nFile Inode Change Date\/Time : 2025:06:27 12:48:49-04:00\nFile Permissions : -rw-rw-r--\nFile Type : WAV\nFile Type Extension : wav\nMIME Type : audio\/x-wav\nEncoding : Microsoft PCM\nNum Channels : 1\nSample Rate : 44100\nAvg Bytes Per Sec : 88200\nBits Per Sample : 16\nDuration : 2.32 s<\/code><\/pre>\n\u4f7f\u7528Audacity<\/code>\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<\/div><\/p>\n\u53d1\u73b0\u9891\u8c31\u56fe\u5b58\u5728\u6587\u5b57\uff1adancingpassyo<\/code>\uff0c\u5c1d\u8bd5\u767b\u5f55\uff0c\u53d1\u73b0\u6210\u529f\uff01<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\nsudo ln\u63d0\u6743<\/h3>\npaul@helium:~$ sudo -l\nMatching Defaults entries for paul on helium:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser paul may run the following commands on helium:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/ln<\/code><\/pre>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nRustScan: Because guessing isn't hacking.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.103:22\nOpen 192.168.10.103:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 12:f6:55:5f:c6:fa:fb:14:15:ae:4a:2b:38:d8:4a:30 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDShbr+Tk6ugvRpNAjWbMqxR1X555LbWq5IVZwq3wXDk+GwY+wauGLd\/ntKyNRJF0aid5QaRZXFfhOvYFHbtpr2i2yW5CUIW\/2aaVwiHXDKL1DXBXcawr0g1+iVWUEg49W5lBdSEIgqRtmJhBjcXLbEq1V5Fvy3BAP\/leOy0ADwwpesjLht50MxE5D7jmZxDEiYavhyOxAcxko4Yp4xXtZ5CkcG741SOYCG6Y77UoFFP50h0oHtJ627+iNvqqWPEQaPNe+0rbJU4C1hkz8Y7OvOeeVaR9JhMg6KTBZTJRB9gC4dlXd9BSP5oOmtpYLitZA5EwYMWaqcwF7v+7S2MNan\n| 256 b7:ac:87:6d:c4:f9:e3:9a:d4:6e:e0:4f:da:aa:22:20 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCOR5F804dZn6AQsF4+t5s0JH2QPd12FYdNIAa9axn2k62dIRIvu\/okOvmA0rg2HezQEf8boO6\/f3Wf13V9ZDo=\n| 256 fe:e8:05:af:23:4d:3a:82:2a:64:9b:f7:35:e4:44:4a (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFVSupFLBXoYJXyGalYCoVSM7g60dhRbsmKL+eg+k7Z\n80\/tcp open http syn-ack ttl 64 nginx 1.14.2\n|_http-title: RELAX\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-server-header: nginx\/1.14.2\nMAC Address: 08:00:27:C4:16:EB (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.103\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,txt,html,zip\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html (Status: 200) [Size: 530]\n\/yay (Status: 301) [Size: 185] [--> http:\/\/192.168.10.103\/yay\/]<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ whatweb http:\/\/$IP\/\nhttp:\/\/192.168.10.103\/ [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[nginx\/1.14.2], IP[192.168.10.103], Title[RELAX], nginx[1.14.2]<\/code><\/pre>\n<\/div><\/p>\n<title>RELAX<\/title>\n<!doctype html>\n<html lang="en">\n\n<!-- Please paul, stop uploading weird .wav files using \/upload_sound -->\n\n<head>\n<style>\nbody {\n background-image: url('screen-1.jpg');\n background-repeat: no-repeat;\n background-attachment: fixed; \n background-size: 100% 100%;\n}\n<\/style>\n <link href="bootstrap.min.css" rel="stylesheet">\n <meta name="viewport" content="width=device-width, initial-scale=1">\n<\/head>\n\n<body>\n<audio src="relax.wav" preload="auto loop" controls><\/audio>\n<\/body><\/code><\/pre>\nwav\u5206\u6790<\/h3>\n
\u4fe1\u606f\u5f88\u591a\uff01\uff01\uff01\uff01\u5bf9\u8c61\u53ebpaul<\/code><\/p>\n\u8fdb\u884c\u5c1d\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ curl -s http:\/\/192.168.10.103\/bootstrap.min.css \n\/yay\/mysecretsound.wav\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ curl -s http:\/\/192.168.10.103\/upload_sound\/\nUpload disabled (or not).<\/code><\/pre>\n\u8fdb\u884c\u4e0b\u8f7d\uff0c\u67e5\u770b\u4e00\u4e0b\u9690\u85cf\u4e86\u5565\uff1a<\/p>\n
# wget http:\/\/$IP\/yay\/mysecretsound.wav \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ file mysecretsound.wav \nmysecretsound.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Helium]\n\u2514\u2500$ exiftool mysecretsound.wav \nExifTool Version Number : 13.25\nFile Name : mysecretsound.wav\nDirectory : .\nFile Size : 205 kB\nFile Modification Date\/Time : 2020:11:22 14:21:02-05:00\nFile Access Date\/Time : 2025:06:27 12:48:56-04:00\nFile Inode Change Date\/Time : 2025:06:27 12:48:49-04:00\nFile Permissions : -rw-rw-r--\nFile Type : WAV\nFile Type Extension : wav\nMIME Type : audio\/x-wav\nEncoding : Microsoft PCM\nNum Channels : 1\nSample Rate : 44100\nAvg Bytes Per Sec : 88200\nBits Per Sample : 16\nDuration : 2.32 s<\/code><\/pre>\n\u4f7f\u7528Audacity<\/code>\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<\/div><\/p>\n\u53d1\u73b0\u9891\u8c31\u56fe\u5b58\u5728\u6587\u5b57\uff1adancingpassyo<\/code>\uff0c\u5c1d\u8bd5\u767b\u5f55\uff0c\u53d1\u73b0\u6210\u529f\uff01<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\nsudo ln\u63d0\u6743<\/h3>\npaul@helium:~$ sudo -l\nMatching Defaults entries for paul on helium:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser paul may run the following commands on helium:\n (ALL : ALL) NOPASSWD: \/usr\/bin\/ln<\/code><\/pre>\n
![\"image-20250628004510365\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058570.png\")
<\/div><\/p>\n![\"image-20250628005213886\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058571.png\")
<\/div><\/p>\n![\"image-20250628005521390\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058572.png\")
<\/div><\/p>\n![\"image-20250628005700563\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506280058573.png\")
<\/div><\/p>\n